Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GUACAMOLE-1949 Nextcloud JWT Auth extension #984

Open
wants to merge 43 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
43 commits
Select commit Hold shift + click to select a range
05bec22
GUACAMOLE-1949: Add Auth0 licence information
May 5, 2024
15f83d1
GUACAMOLE-1949: Initial commit auth-nextcloud
May 5, 2024
d2fb482
GUACAMOLE-1949: Add auth-nextcloud extension in parent pom
May 5, 2024
b85b18d
GUACAMOLE-1949: Remove unused and obsolete classes
May 24, 2024
69cda3d
GUACAMOLE-1949: Add missing Javadoc to methods and properties
May 24, 2024
26c277a
GUACAMOLE-1949: Remove blank lines in imports
Jun 1, 2024
3f8d313
GUACAMOLE-1949: Remove unused import
Jun 1, 2024
462f42d
GUACAMOLE-1949: Add Javadoc for MINUTES_TOKEN_VALID constant
Jun 1, 2024
ff4ebe0
GUACAMOLE-1949: Correct formatting in documentation
Jun 1, 2024
c4a32ba
GUACAMOLE-1949: Add documentation for isUserAllowed method
Jun 1, 2024
5f1c906
GUACAMOLE-1949: Define and document constant NC_TOKEN
Jun 1, 2024
8b312d9
GUACAMOLE-1949: Fix wrong order of athentification extensions
Jun 1, 2024
d3ecdf7
GUACAMOLE-1949: Bump extension version to 1.5.5
Jun 1, 2024
5190357
GUACAMOLE-1949: Bump version of dependency ipaddress
Jun 1, 2024
fb65f8e
GUACAMOLE-1949: Add more Javadoc for instance variables and methods
Jun 1, 2024
615f3e6
GUACAMOLE-1949: Fix formatting in documentation
Jun 1, 2024
c850496
GUACAMOLE-1949: Add documentation in isValidJWT method
Jun 1, 2024
5d524db
GUACAMOLE-1949: Move lines of isValidJWT method for better readability
Jun 1, 2024
9c3d824
GUACAMOLE-1949: Improve exception message
Jun 1, 2024
ea80a50
GUACAMOLE-1949: Fix formatting in documentation
Jun 1, 2024
ef33594
GUACAMOLE-1949: Fix typo in Javadoc
Jun 1, 2024
d1e022e
GUACAMOLE-1949: Add configurable parameter name for jwt token
Jun 8, 2024
663fd49
GUACAMOLE-1949: Modify isUserAllowed to permit all users if list is e…
Jun 8, 2024
acf02a2
GUACAMOLE-1949: Modify validIpAddress to permit all IPs if list is empty
Jun 8, 2024
b849cd0
GUACAMOLE-1949: Change name of the token property
Jun 8, 2024
f6e0ae7
GUACAMOLE-1949: Remove cuddling braces
Jun 9, 2024
6e5388f
GUACAMOLE-1949: Add empty lines in Javadoc
Jun 9, 2024
1cadb00
GUACAMOLE-1949: Remove empty line
Jun 9, 2024
dbda2e2
GUACAMOLE-1949: Remove unused exception from catch block
Jun 9, 2024
93b5bdc
GUACAMOLE-1949: Use more specific exceptions
Jun 9, 2024
8244ea8
GUACAMOLE-1949: Add more documentation
Jun 9, 2024
35b66bc
GUACAMOLE-1949: Add missing logging
Jun 9, 2024
6465274
GUACAMOLE-1949: Improve exceptions in isUserAllowed
Jun 9, 2024
8260fc8
GUACAMOLE-1949: Rename variable of token name
Jun 9, 2024
d1a92a2
GUACAMOLE-1949: Improve Javadoc NEXTCLOUD_JWT_TOKEN_NAME
Jun 9, 2024
0de8fa6
GUACAMOLE-1949: Remove unnecessary try catch block
Jun 15, 2024
6cccdd1
GUACAMOLE-1949: Exceptions improved
Jun 15, 2024
1b8ae70
GUACAMOLE-1949: Add NextcloudJwtUserContext.java
Jun 17, 2024
59252ab
GUACAMOLE-1949: Add AuthenticatedUser.java
Jun 17, 2024
fcf1f15
GUACAMOLE-1949: Implement automatically login in Guacamole
Jun 17, 2024
26cc2cd
GUACAMOLE-1949: Update Javadoc
Jun 17, 2024
6b5480d
GUACAMOLE-1949: Add Javadoc for getDecodedJWT and getUserId method
Jun 17, 2024
38ef1a1
GUACAMOLE-1949: Add README.md
Jun 19, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions doc/licenses/com.auth0:java-jwt:jar:4.3.0/LICENSE
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
The MIT License (MIT)

Copyright (c) 2015 Auth0, Inc. <support@auth0.com> (http://auth0.com)

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
7 changes: 7 additions & 0 deletions doc/licenses/com.auth0:java-jwt:jar:4.3.0/README
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Auth0 JWT (https://github.com/auth0/java-jwt)
----------------------------------------------------------

Version: 4.3.0
From: 'Okta'
License(s):
MIT
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
com.auth0:java-jwt:jar:4.3.0
Empty file.
46 changes: 46 additions & 0 deletions extensions/guacamole-auth-nextcloud/doc/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
guacamole-auth-nextcloud
===================

guacamole-auth-nextcloud is an authentication extension for [Apache
Guacamole](http://guacamole.apache.org/) that authenticates users using
a JWT. This token will be generated by the Nextcloud extension [External
sites](https://apps.nextcloud.com/apps/external) and will be sent
automatically when the Guacamole login page is integrated into your
Nextcloud.

Prepare your Nextcloud
----------------------

Make sure that the [External sites](https://apps.nextcloud.com/apps/external)
plugin is already installed. Use the following [occ](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/occ_command.html)
command to get the required public key. Remove all line breaks and
comments and add it to your properties file.

$ occ config:app:get external jwt_token_pubkey_es256

Now you have to add a new website in the plugin settings. There you have
to define a URL, which can look like this:

https://my-nextcloud.com/guacamole/?nctoken={jwt}

The GET parameter can have any name, by default it is `nctoken`. If you
want to set a different name, you must also set it in the properties file.

Properties
-----------

Property name | Type | Description
--------------|----------|------------
`nextcloud-jwt-token-name` | `string` | The key of the GET parameter which contains the JWT token as a value. Default is `nctoken`.
`nextcloud-jwt-allowed-user` | `string` | An optional list of Nextcloud users who are allowed to open the login page with a valid JWT. Make sure that you use the `uid` and not the displayed name. If the list is empty, all users are allowed, but they still need a valid JWT.
`nextcloud-jwt-public-key` | `string` | The public key which will be visible with the `occ` command in your Nextcloud instance via the console. Insert the key without line breaks and comments.
`nextcloud-jwt-trusted-networks` | `string` | An optional comma-separated list of permitted IP addresses. An empty list means that all IP addresses are permitted without JWT validation. If the request comes from a trusted network (e.g. local network), the JWT validation will be skipped. The users must authenticate normally with their Guacamole username and password.

Example
-------

nextcloud-jwt-token-name: mytoken
nextcloud-jwt-allowed-user: JohnDoe,JaneDoe
nextcloud-jwt-public-key: MFkwEwYHKoZIzj0....st5CuQ==
nextcloud-jwt-trusted-networks: 10.8.0.27,10.8.0.41

98 changes: 98 additions & 0 deletions extensions/guacamole-auth-nextcloud/pom.xml
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
http://maven.apache.org/maven-v4_0_0.xsd">

<modelVersion>4.0.0</modelVersion>
<groupId>org.apache.guacamole</groupId>
<artifactId>guacamole-auth-nextcloud</artifactId>
<packaging>jar</packaging>
<version>1.5.5</version>
<name>guacamole-auth-nextcloud</name>
<url>http://guacamole.apache.org/</url>

<parent>
<groupId>org.apache.guacamole</groupId>
<artifactId>extensions</artifactId>
<version>1.5.5</version>
<relativePath>../</relativePath>
</parent>

<dependencies>

<!-- Guacamole Extension API -->
<dependency>
<groupId>org.apache.guacamole</groupId>
<artifactId>guacamole-ext</artifactId>
<version>1.5.5</version>
<scope>provided</scope>
</dependency>

<!-- Guice -->
<dependency>
<groupId>com.google.inject</groupId>
<artifactId>guice</artifactId>
</dependency>

<!-- Jackson for JSON support -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
</dependency>

<!-- Guava Base Libraries -->
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</dependency>

<!-- Java servlet API -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>

<!-- IPAddress (required for IP address matching) -->
<dependency>
<groupId>com.github.seancfoley</groupId>
<artifactId>ipaddress</artifactId>
<version>5.5.0</version>
</dependency>

<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>4.3.0</version>
</dependency>

<!-- JUnit -->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>

</dependencies>

</project>
Original file line number Diff line number Diff line change
@@ -0,0 +1,162 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.apache.guacamole.auth.nextcloud;

import com.google.inject.Inject;
import java.util.Collection;
import java.util.Collections;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.environment.Environment;
import org.apache.guacamole.properties.StringGuacamoleProperty;
import org.apache.guacamole.properties.StringListProperty;

/**
* Service for retrieving configuration information regarding the Nextcloud JWT
* authentication provider.
*/
public class ConfigurationService {

/**
* The Guacamole server environment.
*/
@Inject
private Environment environment;

/**
* The encryption key to use for all decryption and signature verification.
*/
private static final StringGuacamoleProperty NEXTCLOUD_JWT_PUBLIC_KEY = new StringGuacamoleProperty() {
@Override
public String getName() {
return "nextcloud-jwt-public-key";
}

};

/**
* A comma-separated list of all IP addresses or CIDR subnets which should
* be allowed to perform authentication. If not specified, ALL address will
* be allowed.
*/
private static final StringListProperty NEXTCLOUD_JWT_TRUSTED_NETWORKS = new StringListProperty() {

@Override
public String getName() {
return "nextcloud-jwt-trusted-networks";
}

};

/**
* Property for retrieving the list of users allowed to authenticate via JWT.
*
* This property defines a configuration setting that specifies the users permitted
* to use JWT for authentication.
*/
private static final StringListProperty NEXTCLOUD_JWT_ALLOWED_USER = new StringListProperty() {
pp7En marked this conversation as resolved.
Show resolved Hide resolved

@Override
public String getName() {
return "nextcloud-jwt-allowed-user";
}

};

/**
* Property for retrieving the name of the token used for authentication.
*
* This property defines a configuration setting that specifies the name of the
* token to be used for authentication purposes. The key of the GET parameter is
* defined by this property, and the value of the GET parameter contains the token.
*/
private static final StringGuacamoleProperty NEXTCLOUD_JWT_TOKEN_NAME = new StringGuacamoleProperty() {
@Override
public String getName() {
return "nextcloud-jwt-token-name";
}

};

/**
* Returns the symmetric key which will be used to encrypt and sign all
* JSON data and should be used to decrypt and verify any received JSON
* data. This is dictated by the "nextcloud-jwt-public-key" property specified
* within guacamole.properties.
*
* @return
* The key which should be used to decrypt received JSON data.
*
* @throws GuacamoleException
* If guacamole.properties cannot be parsed, or if the
* "nextcloud-jwt-public-key" property is missing.
*/
public String getPublicKey() throws GuacamoleException {
return environment.getRequiredProperty(NEXTCLOUD_JWT_PUBLIC_KEY);
}

/**
* Returns a collection of all IP address or CIDR subnets which should be
* allowed to submit authentication requests. If empty, authentication
* attempts will be allowed through without restriction.
*
* @return
* A collection of all IP address or CIDR subnets which should be
* allowed to submit authentication requests.
*
* @throws GuacamoleException
* If guacamole.properties cannot be parsed.
*/
public Collection<String> getTrustedNetworks() throws GuacamoleException {
return environment.getProperty(NEXTCLOUD_JWT_TRUSTED_NETWORKS, Collections.<String>emptyList());
}

/**
* Retrieves the collection of users allowed to authenticate via JWT.
*
* This method fetches the list of allowed users from the environment properties.
* If the property is not set, it returns an empty list.
*
* @return
* A collection of allowed user identifiers.
*
* @throws GuacamoleException
* If there is an issue retrieving the property.
*/
public Collection<String> getAllowedUser() throws GuacamoleException {
pp7En marked this conversation as resolved.
Show resolved Hide resolved
return environment.getProperty(NEXTCLOUD_JWT_ALLOWED_USER, Collections.<String>emptyList());
}

/**
* Retrieves the name of the token used for authentication.
*
* This method fetches the token name from the environment properties.
* If the property is not set, it returns the default value "nctoken".
*
* @return
* The name of the token used for authentication.
*
* @throws GuacamoleException
* If there is an issue retrieving the property.
*/
public String getTokenName() throws GuacamoleException {
return environment.getProperty(NEXTCLOUD_JWT_TOKEN_NAME, "nctoken");
}

}
Loading