Github user necouchman commented on a diff in the pull request:
https://github.com/apache/incubator-guacamole-client/pull/183#discussion_r142038882
--- Diff:
extensions/guacamole-auth-cas/src/main/java/org/apache/guacamole/auth/cas/ticket/TicketValidationService.java
---
@@ -70,14 +85,93 @@ public String processUsername(String ticket) throws
GuacamoleException {
try {
String confRedirectURI = confService.getRedirectURI();
Assertion a = validator.validate(ticket, confRedirectURI);
- principal = a.getPrincipal();
+ AttributePrincipal principal = a.getPrincipal();
+
+ // Retrieve username and set the credentials.
+ String username = principal.getName();
+ if (username != null)
+ credentials.setUsername(username);
+
+ // Retrieve password, attempt decryption, and set credentials.
+ Object credObj = principal.getAttributes().get("credential");
+ if (credObj != null) {
+ String clearPass = decryptPassword(credObj.toString());
+ if (clearPass != null && !clearPass.isEmpty())
+ credentials.setPassword(clearPass);
+ }
+
+ return username;
+
}
catch (TicketValidationException e) {
throw new GuacamoleException("Ticket validation failed.", e);
}
- // Return the principal name as the username.
- return principal.getName();
+ }
+
+ /**
+ * Takes an encrypted string representing a password provided by
+ * the CAS ClearPass service and decrypts it using the private
+ * key configured for this extension. Returns null if it is
+ * unable to decrypt the password.
+ *
+ * @param encryptedPassword
+ * A string with the encrypted password provided by the
+ * CAS service.
+ *
+ * @return
+ * The decrypted password, or null if it is unable to
+ * decrypt the password.
+ *
+ * @throws GuacamoleException
+ * If unable to get Guacamole configuration data
+ */
+ private final String decryptPassword(String encryptedPassword)
+ throws GuacamoleException {
+
+ // If we get nothing, we return nothing.
+ if (encryptedPassword == null || encryptedPassword.isEmpty()) {
+ logger.warn("No or empty encrypted password, no password will
be available.");
+ return null;
+ }
+
+ final PrivateKey clearpassKey = confService.getClearpassKey();
+ if (clearpassKey == null) {
+ logger.warn("No private key available to decrypt password.");
--- End diff --
I changed the warn to debug. My thought process is that, if you are
setting up both CAS and Guacamole and you're looking for hints as to why it
isn't working, you want a message that indicates that the private key isn't
loading. I don't know that the order of these first two statements makes all
that much difference - I can have the check for private key come, first, if
that's more desirable, but either way it needs to check for both the presence
of the encrypted password and the private key before continuing.
---
