[GitHub] guacamole-client pull request #254: GUACAMOLE-103: Implement SAML Authentica...

2018-12-24 Thread necouchman
Github user necouchman commented on a diff in the pull request:

https://github.com/apache/guacamole-client/pull/254#discussion_r243860177
  
--- Diff: 
extensions/guacamole-auth-saml/src/main/java/org/apache/guacamole/auth/saml/AuthenticationProviderService.java
 ---
@@ -0,0 +1,202 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.saml;
+
+import com.google.inject.Inject;
+import com.google.inject.Provider;
+import com.onelogin.saml2.authn.AuthnRequest;
+import com.onelogin.saml2.authn.SamlResponse;
+import com.onelogin.saml2.exception.SettingsException;
+import com.onelogin.saml2.exception.ValidationError;
+import com.onelogin.saml2.http.HttpRequest;
+import com.onelogin.saml2.servlet.ServletUtils;
+import com.onelogin.saml2.settings.Saml2Settings;
+import com.onelogin.saml2.util.Util;
+import java.io.IOException;
+import java.util.Arrays;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.xpath.XPathExpressionException;
+import org.apache.guacamole.auth.saml.conf.ConfigurationService;
+import org.apache.guacamole.auth.saml.form.SAMLRedirectField;
+import org.apache.guacamole.auth.saml.user.AuthenticatedUser;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.form.Field;
+import org.apache.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
+import 
org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
+import 
org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.xml.sax.SAXException;
+
+/**
+ * Class that provides services for use by the SAML Authentication 
Provider class.
+ */
+public class AuthenticationProviderService {
+
+/**
+ * Logger for this class.
+ */
+private final Logger logger = 
LoggerFactory.getLogger(AuthenticationProviderService.class);
+
+/**
+ * Service for retrieving SAML configuration information.
+ */
+@Inject
+private ConfigurationService confService;
+
+/**
+ * Provider for AuthenticatedUser objects.
+ */
+@Inject
+private Provider authenticatedUserProvider;
+
+/**
+ * Returns an AuthenticatedUser representing the user authenticated by 
the
+ * given credentials.
+ *
+ * @param credentials
+ * The credentials to use for authentication.
+ *
+ * @return
+ * An AuthenticatedUser representing the user authenticated by the
+ * given credentials.
+ *
+ * @throws GuacamoleException
+ * If an error occurs while authenticating the user, or if access 
is
+ * denied.
+ */
+public AuthenticatedUser authenticateUser(Credentials credentials)
+throws GuacamoleException {
+
+HttpServletRequest request = credentials.getRequest();
+
+// Initialize and configure SAML client.
+Saml2Settings samlSettings = confService.getSamlSettings();
+
+if (request != null) {
+
+// Look for the SAML Response parameter.
+String samlResponseParam = 
request.getParameter("SAMLResponse");
+
+if (samlResponseParam != null) {
+
+// Convert the SAML response into the version needed for 
the client.
+HttpRequest httpRequest = 
ServletUtils.makeHttpRequest(request);
+try {
+
+// Generate the response object
+SamlResponse samlResponse = new 
SamlResponse(samlSettings, httpRequest);
+
+if (!samlResponse.validateNumAssertions()) {
+logger.warn("SAML 
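Review bot: `private Provider authenticatedUserProvider;` uses the raw `Provider` type; declare it as `Provider<AuthenticatedUser>` so that `authenticatedUserProvider.get()` yields an `AuthenticatedUser` without an unchecked cast. Separately, the hunk is cut off right after `samlResponse.validateNumAssertions()`, and that check only verifies the number of assertions in the response; before any `AuthenticatedUser` is produced from a `SAMLResponse` parameter taken straight from the HTTP request, the code also needs `samlResponse.isValid()` (signature, issuer, audience and time conditions) and should reject the request with `GuacamoleInvalidCredentialsException` when it fails, logging the reason with `logger.warn` as the existing branch begins to do.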

[GitHub] guacamole-client pull request #254: GUACAMOLE-103: Implement SAML Authentica...

2018-06-28 Thread necouchman
Github user necouchman commented on a diff in the pull request:

https://github.com/apache/guacamole-client/pull/254#discussion_r198765764
  
--- Diff: 
extensions/guacamole-auth-saml/src/main/java/org/apache/guacamole/auth/saml/conf/ConfigurationService.java
 ---
@@ -0,0 +1,223 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.saml.conf;
+
+import com.google.inject.Inject;
+import com.onelogin.saml2.settings.Saml2Settings;
+import com.onelogin.saml2.settings.SettingsBuilder;
+import java.io.File;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.Map;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.FileGuacamoleProperty;
+import org.apache.guacamole.properties.StringGuacamoleProperty;
+import org.apache.guacamole.properties.UrlGuacamoleProperty;
+
+/**
+ * Service for retrieving configuration information regarding the SAML
+ * authentication module.
+ */
+public class ConfigurationService {
+
+/**
+ * The file containing the XML Metadata associated with the SAML IdP.
+ */
+private static final FileGuacamoleProperty SAML_IDP_METADATA =
+new FileGuacamoleProperty() {
+
+@Override
+public String getName() { return "saml-idp-metadata"; }
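Review bot: the Javadoc on `SAML_IDP_METADATA` should state that this file is a trust anchor, since IdP metadata carries the IdP's signing certificate and SSO endpoints: it must be readable by the servlet container user, protected from modification by anyone else, and an unreadable or malformed file should make `getSamlSettings()` fail loudly rather than continue with incomplete settings. A sentence on the expected content (a SAML 2.0 `EntityDescriptor` document as exported by the IdP) would also help administrators.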
--- End diff --

This is now implemented - OneLogin released version 2.3.0 of their Java 
SAML client, which includes this capability.


---


[GitHub] guacamole-client pull request #254: GUACAMOLE-103: Implement SAML Authentica...

2018-02-16 Thread necouchman
Github user necouchman commented on a diff in the pull request:

https://github.com/apache/guacamole-client/pull/254#discussion_r168861891
  
--- Diff: 
extensions/guacamole-auth-saml/src/licenses/bundled/saml-client-1.2.0/LICENSE 
---
@@ -0,0 +1,20 @@
+The MIT License (MIT)
+Copyright (c) 2016 Coveo
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the "Software"),
+to deal in the Software without restriction, including without limitation
+the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR
+IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 
SOFTWARE.
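Review bot: this bundled license is for Coveo's saml-client 1.2.0 (MIT), but the extension's sources import `com.onelogin.saml2.*`, so the entry under `src/licenses/bundled/` should carry the license of the OneLogin java-saml dependency that is actually shipped, and the Coveo entry should be dropped; a bundled license file that does not match the shipped jar misstates which third-party code the release contains.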
--- End diff --

Wrong SAML client.


---


[GitHub] guacamole-client pull request #254: GUACAMOLE-103: Implement SAML Authentica...

2018-02-16 Thread necouchman
Github user necouchman commented on a diff in the pull request:

https://github.com/apache/guacamole-client/pull/254#discussion_r168859198
  
--- Diff: 
extensions/guacamole-auth-saml/src/main/java/org/apache/guacamole/auth/saml/conf/ConfigurationService.java
 ---
@@ -0,0 +1,223 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.saml.conf;
+
+import com.google.inject.Inject;
+import com.onelogin.saml2.settings.Saml2Settings;
+import com.onelogin.saml2.settings.SettingsBuilder;
+import java.io.File;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.Map;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.FileGuacamoleProperty;
+import org.apache.guacamole.properties.StringGuacamoleProperty;
+import org.apache.guacamole.properties.UrlGuacamoleProperty;
+
+/**
+ * Service for retrieving configuration information regarding the SAML
+ * authentication module.
+ */
+public class ConfigurationService {
+
+/**
+ * The file containing the XML Metadata associated with the SAML IdP.
+ */
+private static final FileGuacamoleProperty SAML_IDP_METADATA =
+new FileGuacamoleProperty() {
+
+@Override
+public String getName() { return "saml-idp-metadata"; }
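Review bot: nothing in this hunk documents the precedence between `SAML_IDP_METADATA` and the individually configured `saml-idp-*` properties; the Javadoc should say which source wins when both are set, and while the SAML library cannot yet parse the metadata file the property should be documented as having no effect, so that administrators do not assume the IdP trust settings (signing certificate, SSO URL) are being read from the file when they are not.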
--- End diff --

Unfortunately this option has no effect right now, because the OneLogin 
SAML client has not released the version that implements pulling settings from 
the IdP Metadata.  Hopefully it'll be out soon, but the lead developer hasn't 
been very responsive.


---


[GitHub] guacamole-client pull request #254: GUACAMOLE-103: Implement SAML Authentica...

2018-02-16 Thread necouchman
Github user necouchman commented on a diff in the pull request:

https://github.com/apache/guacamole-client/pull/254#discussion_r168859454
  
--- Diff: 
extensions/guacamole-auth-saml/src/main/java/org/apache/guacamole/auth/saml/conf/ConfigurationService.java
 ---
@@ -0,0 +1,223 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.saml.conf;
+
+import com.google.inject.Inject;
+import com.onelogin.saml2.settings.Saml2Settings;
+import com.onelogin.saml2.settings.SettingsBuilder;
+import java.io.File;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.Map;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.FileGuacamoleProperty;
+import org.apache.guacamole.properties.StringGuacamoleProperty;
+import org.apache.guacamole.properties.UrlGuacamoleProperty;
+
+/**
+ * Service for retrieving configuration information regarding the SAML
+ * authentication module.
+ */
+public class ConfigurationService {
+
+/**
+ * The file containing the XML Metadata associated with the SAML IdP.
+ */
+private static final FileGuacamoleProperty SAML_IDP_METADATA =
+new FileGuacamoleProperty() {
+
+@Override
+public String getName() { return "saml-idp-metadata"; }
+
+};
+
+/**
+ * The URL of the SAML IdP.
+ */
+private static final UrlGuacamoleProperty SAML_IDP_URL =
+new UrlGuacamoleProperty() {
+
+@Override
+public String getName() { return "saml-idp-url"; }
+
+};
+
+/**
+ * The identifier for this SAML client.  The default is
+ * "Apache Guacamole"
+ */
+private static final StringGuacamoleProperty SAML_ENTITY_ID =
+new StringGuacamoleProperty() {
+
+@Override
+public String getName() { return "saml-entity-id"; }
+
+};
+
+/**
+ * The callback URL to use for SAML IdP, normally the base
+ * of the Guacamole install.
+ */
+private static final UrlGuacamoleProperty SAML_CALLBACK_URL =
+new UrlGuacamoleProperty() {
+
+@Override
+public String getName() { return "saml-callback-url"; }
+
+};
+
+/**
+ * The single logout redirect URL.
+ */
+private static final UrlGuacamoleProperty SAML_LOGOUT_URL =
+new UrlGuacamoleProperty() {
+
+@Override
+public String getName() { return "saml-logout-url"; }
+
+};
+
+/**
+ * The Guacamole server environment.
+ */
+@Inject
+private Environment environment;
+
+/**
+ * Returns the client ID which should be submitted to the SAML IdP,
+ * as configured with guacamole.properties.  The default value is
+ * "Apache Guacamole".
+ *
+ * @return
+ * The client ID to use when communicating with the SAML IdP,
+ * as configured with guacamole.properties, or the default
+ * of "Apache Guacamole" if not specified.
+ *
+ * @throws GuacamoleException
+ * If guacamole.properties cannot be parsed, or if the client ID
+ * property is missing.
+ */
+private String getEntityId() throws GuacamoleException {
+return environment.getProperty(
+SAML_ENTITY_ID,
+"Apache Guacamole"
+);
+}
+
+/**
+ * The file that contains the metadata that the SAML client should
+ * use to communicate with the SAML IdP.  This is generated by the
+ * SAML IdP and should be uploaded to the system where the Guacamole
+ * client is running.
+ *
+ * @return
+ * The file containinging the 
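Review bot: the `@throws` Javadoc on `getEntityId()` says `GuacamoleException` is thrown "if the client ID property is missing", but the call passes the default `"Apache Guacamole"` to `environment.getProperty(...)`, so a missing property cannot cause that exception; drop that clause. Two further documentation points in this hunk: `SAML_CALLBACK_URL` is the URL the IdP will post assertions to, so its Javadoc should say it must match exactly (scheme, host, port, path) the URL registered at the IdP rather than just "normally the base of the Guacamole install"; and `SAML_ENTITY_ID` should note that the SAML metadata schema types `entityID` as a URI, so the bare-string default `"Apache Guacamole"` may not be accepted by every IdP and a URI such as the Guacamole base URL is the conventional value.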

[GitHub] guacamole-client pull request #254: GUACAMOLE-103: Implement SAML Authentica...

2018-02-16 Thread necouchman
GitHub user necouchman opened a pull request:

https://github.com/apache/guacamole-client/pull/254

GUACAMOLE-103: Implement SAML Authentication Extension

Initial cut at a SAML authentication extension.  Plenty of room for 
improvement, I'm sure - I welcome all comments/suggestions/changes.  I'll kick 
off my own review, here, shortly.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/necouchman/guacamole-client GUACAMOLE-103

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/guacamole-client/pull/254.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #254


commit 444ac702a4c1486e5b23620ec328b5dfa2e3836a
Author: Nick Couchman 
Date:   2018-02-14T18:26:08Z

GUACAMOLE-103: Implement URL property type.

commit 7b016d3a2155e9f2427c7a93f3f91eecb6c6b4be
Author: Nick Couchman 
Date:   2017-11-02T19:06:39Z

GUACAMOLE-103: Implementation of SAML authentication extension, using 
OpenID as a template.

commit d236e1304b781cd4a34a8f1ff640e074d58d9e7b
Author: Nick Couchman 
Date:   2018-02-16T18:47:14Z

GUACAMOLE-103: Code cleanup - fix style issues, remove debug.

commit 33f0ba36be4399471e004ce52ab7a7ec520db40f
Author: Nick Couchman 
Date:   2018-02-16T19:59:51Z

GUACAMOLE-103: Minimal validation for SAML response.




---