extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/conf/ConfigurationService.java - guacamole-client - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 package org.apache.guacamole.auth.openid.conf;

 import com.google.inject.Inject;
 import java.net.URI;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.environment.Environment;
 import org.apache.guacamole.properties.IntegerGuacamoleProperty;
 import org.apache.guacamole.properties.StringGuacamoleProperty;
 import org.apache.guacamole.properties.URIGuacamoleProperty;

 /**
  * Service for retrieving configuration information regarding the OpenID
  * service.
  */
 public class ConfigurationService {

     /**
      * The default claim type to use to retrieve an authenticated user's
      * username.
      */
     private static final String DEFAULT_USERNAME_CLAIM_TYPE = "email";

     /**
      * The default space-separated list of OpenID scopes to request.
      */
     private static final String DEFAULT_SCOPE = "openid email profile";

     /**
      * The default amount of clock skew tolerated for timestamp comparisons
      * between the Guacamole server and OpenID service clocks, in seconds.
      */
     private static final int DEFAULT_ALLOWED_CLOCK_SKEW = 30;

     /**
      * The default maximum amount of time that an OpenID token should remain
      * valid, in minutes.
      */
     private static final int DEFAULT_MAX_TOKEN_VALIDITY = 300;

     /**
      * The default maximum amount of time that a nonce generated by the
      * Guacamole server should remain valid, in minutes.
      */
     private static final int DEFAULT_MAX_NONCE_VALIDITY = 10;

     /**
      * The authorization endpoint (URI) of the OpenID service.
      */
     private static final URIGuacamoleProperty OPENID_AUTHORIZATION_ENDPOINT =
             new URIGuacamoleProperty() {

         @Override
         public String getName() { return "openid-authorization-endpoint"; }

     };

     /**
      * The endpoint (URI) of the JWKS service which defines how received ID
      * tokens (JWTs) shall be validated.
      */
     private static final URIGuacamoleProperty OPENID_JWKS_ENDPOINT =
             new URIGuacamoleProperty() {

         @Override
         public String getName() { return "openid-jwks-endpoint"; }

     };

     /**
      * The issuer to expect for all received ID tokens.
      */
     private static final StringGuacamoleProperty OPENID_ISSUER =
             new StringGuacamoleProperty() {

         @Override
         public String getName() { return "openid-issuer"; }

     };

     /**
      * The claim type which contains the authenticated user's username within
      * any valid JWT.
      */
     private static final StringGuacamoleProperty OPENID_USERNAME_CLAIM_TYPE =
             new StringGuacamoleProperty() {

         @Override
         public String getName() { return "openid-username-claim-type"; }

     };

     /**
      * The space-separated list of OpenID scopes to request.
      */
     private static final StringGuacamoleProperty OPENID_SCOPE =
             new StringGuacamoleProperty() {

         @Override
         public String getName() { return "openid-scope"; }

     };

     /**
      * The amount of clock skew tolerated for timestamp comparisons between the
      * Guacamole server and OpenID service clocks, in seconds.
      */
     private static final IntegerGuacamoleProperty OPENID_ALLOWED_CLOCK_SKEW =
             new IntegerGuacamoleProperty() {

         @Override
         public String getName() { return "openid-allowed-clock-skew"; }

     };

     /**
      * The maximum amount of time that an OpenID token should remain valid, in
      * minutes.
      */
     private static final IntegerGuacamoleProperty OPENID_MAX_TOKEN_VALIDITY =
             new IntegerGuacamoleProperty() {

         @Override
         public String getName() { return "openid-max-token-validity"; }

     };

     /**
      * The maximum amount of time that a nonce generated by the Guacamole server
      * should remain valid, in minutes. As each OpenID request has a unique
      * nonce value, this imposes an upper limit on the amount of time any
      * particular OpenID request can result in successful authentication within
      * Guacamole.
      */
     private static final IntegerGuacamoleProperty OPENID_MAX_NONCE_VALIDITY =
             new IntegerGuacamoleProperty() {

         @Override
         public String getName() { return "openid-max-nonce-validity"; }

     };

     /**
      * OpenID client ID which should be submitted to the OpenID service when
      * necessary. This value is typically provided by the OpenID service when
      * OpenID credentials are generated for your application.
      */
     private static final StringGuacamoleProperty OPENID_CLIENT_ID =
             new StringGuacamoleProperty() {

         @Override
         public String getName() { return "openid-client-id"; }

     };

     /**
      * The URI that the OpenID service should redirect to after the
      * authentication process is complete. This must be the full URL that a
      * user would enter into their browser to access Guacamole.
      */
     private static final URIGuacamoleProperty OPENID_REDIRECT_URI =
             new URIGuacamoleProperty() {

         @Override
         public String getName() { return "openid-redirect-uri"; }

     };

     /**
      * The Guacamole server environment.
      */
     @Inject
     private Environment environment;

     /**
      * Returns the authorization endpoint (URI) of the OpenID service as
      * configured with guacamole.properties.
      *
      * @return
      *     The authorization endpoint of the OpenID service, as configured with
      *     guacamole.properties.
      *
      * @throws GuacamoleException
      *     If guacamole.properties cannot be parsed, or if the authorization
      *     endpoint property is missing.
      */
     public URI getAuthorizationEndpoint() throws GuacamoleException {
         return environment.getRequiredProperty(OPENID_AUTHORIZATION_ENDPOINT);
     }

     /**
      * Returns the OpenID client ID which should be submitted to the OpenID
      * service when necessary, as configured with guacamole.properties. This
      * value is typically provided by the OpenID service when OpenID credentials
      * are generated for your application.
      *
      * @return
      *     The client ID to use when communicating with the OpenID service,
      *     as configured with guacamole.properties.
      *
      * @throws GuacamoleException
      *     If guacamole.properties cannot be parsed, or if the client ID
      *     property is missing.
      */
     public String getClientID() throws GuacamoleException {
         return environment.getRequiredProperty(OPENID_CLIENT_ID);
     }

     /**
      * Returns the URI that the OpenID service should redirect to after
      * the authentication process is complete, as configured with
      * guacamole.properties. This must be the full URL that a user would enter
      * into their browser to access Guacamole.
      *
      * @return
      *     The client secret to use when communicating with the OpenID service,
      *     as configured with guacamole.properties.
      *
      * @throws GuacamoleException
      *     If guacamole.properties cannot be parsed, or if the redirect URI
      *     property is missing.
      */
     public URI getRedirectURI() throws GuacamoleException {
         return environment.getRequiredProperty(OPENID_REDIRECT_URI);
     }

     /**
      * Returns the issuer to expect for all received ID tokens, as configured
      * with guacamole.properties.
      *
      * @return
      *     The issuer to expect for all received ID tokens, as configured with
      *     guacamole.properties.
      *
      * @throws GuacamoleException
      *     If guacamole.properties cannot be parsed, or if the issuer property
      *     is missing.
      */
     public String getIssuer() throws GuacamoleException {
         return environment.getRequiredProperty(OPENID_ISSUER);
     }

     /**
      * Returns the endpoint (URI) of the JWKS service which defines how
      * received ID tokens (JWTs) shall be validated, as configured with
      * guacamole.properties.
      *
      * @return
      *     The endpoint (URI) of the JWKS service which defines how received ID
      *     tokens (JWTs) shall be validated, as configured with
      *     guacamole.properties.
      *
      * @throws GuacamoleException
      *     If guacamole.properties cannot be parsed, or if the JWKS endpoint
      *     property is missing.
      */
     public URI getJWKSEndpoint() throws GuacamoleException {
         return environment.getRequiredProperty(OPENID_JWKS_ENDPOINT);
     }

     /**
      * Returns the claim type which contains the authenticated user's username
      * within any valid JWT, as configured with guacamole.properties. By
      * default, this will be "email".
      *
      * @return
      *     The claim type which contains the authenticated user's username
      *     within any valid JWT, as configured with guacamole.properties.
      *
      * @throws GuacamoleException
      *     If guacamole.properties cannot be parsed.
      */
     public String getUsernameClaimType() throws GuacamoleException {
         return environment.getProperty(OPENID_USERNAME_CLAIM_TYPE, DEFAULT_USERNAME_CLAIM_TYPE);
     }

     /**
      * Returns the space-separated list of OpenID scopes to request. By default,
      * this will be "openid email profile". The OpenID scopes determine the
      * information returned within the OpenID token, and thus affect what
      * values can be used as an authenticated user's username.
      *
      * @return
      *     The space-separated list of OpenID scopes to request when identifying
      *     a user.
      *
      * @throws GuacamoleException
      *     If guacamole.properties cannot be parsed.
      */
     public String getScope() throws GuacamoleException {
         return environment.getProperty(OPENID_SCOPE, DEFAULT_SCOPE);
     }

     /**
      * Returns the amount of clock skew tolerated for timestamp comparisons
      * between the Guacamole server and OpenID service clocks, in seconds. Too
      * much clock skew will affect token expiration calculations, possibly
      * allowing old tokens to be used. By default, this will be 30.
      *
      * @return
      *     The amount of clock skew tolerated for timestamp comparisons, in
      *     seconds.
      *
      * @throws GuacamoleException
      *     If guacamole.properties cannot be parsed.
      */
     public int getAllowedClockSkew() throws GuacamoleException {
         return environment.getProperty(OPENID_ALLOWED_CLOCK_SKEW, DEFAULT_ALLOWED_CLOCK_SKEW);
     }

     /**
      * Returns the maximum amount of time that an OpenID token should remain
      * valid, in minutes. A token received from an OpenID service which is
      * older than this amount of time will be rejected, even if it is otherwise
      * valid. By default, this will be 300 (5 hours).
      *
      * @return
      *     The maximum amount of time that an OpenID token should remain valid,
      *     in minutes.
      *
      * @throws GuacamoleException
      *     If guacamole.properties cannot be parsed.
      */
     public int getMaxTokenValidity() throws GuacamoleException {
         return environment.getProperty(OPENID_MAX_TOKEN_VALIDITY, DEFAULT_MAX_TOKEN_VALIDITY);
     }

     /**
      * Returns the maximum amount of time that a nonce generated by the
      * Guacamole server should remain valid, in minutes. As each OpenID request
      * has a unique nonce value, this imposes an upper limit on the amount of
      * time any particular OpenID request can result in successful
      * authentication within Guacamole. By default, this will be 10.
      *
      * @return
      *     The maximum amount of time that a nonce generated by the Guacamole
      *     server should remain valid, in minutes.
      *
      * @throws GuacamoleException
      *     If guacamole.properties cannot be parsed.
      */
     public int getMaxNonceValidity() throws GuacamoleException {
         return environment.getProperty(OPENID_MAX_NONCE_VALIDITY, DEFAULT_MAX_NONCE_VALIDITY);
     }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	package org.apache.guacamole.auth.openid.conf;

	import com.google.inject.Inject;
	import java.net.URI;
	import org.apache.guacamole.GuacamoleException;
	import org.apache.guacamole.environment.Environment;
	import org.apache.guacamole.properties.IntegerGuacamoleProperty;
	import org.apache.guacamole.properties.StringGuacamoleProperty;
	import org.apache.guacamole.properties.URIGuacamoleProperty;

	/**
	* Service for retrieving configuration information regarding the OpenID
	* service.
	*/
	public class ConfigurationService {

	/**
	* The default claim type to use to retrieve an authenticated user's
	* username.
	*/
	private static final String DEFAULT_USERNAME_CLAIM_TYPE = "email";

	/**
	* The default space-separated list of OpenID scopes to request.
	*/
	private static final String DEFAULT_SCOPE = "openid email profile";

	/**
	* The default amount of clock skew tolerated for timestamp comparisons
	* between the Guacamole server and OpenID service clocks, in seconds.
	*/
	private static final int DEFAULT_ALLOWED_CLOCK_SKEW = 30;

	/**
	* The default maximum amount of time that an OpenID token should remain
	* valid, in minutes.
	*/
	private static final int DEFAULT_MAX_TOKEN_VALIDITY = 300;

	/**
	* The default maximum amount of time that a nonce generated by the
	* Guacamole server should remain valid, in minutes.
	*/
	private static final int DEFAULT_MAX_NONCE_VALIDITY = 10;

	/**
	* The authorization endpoint (URI) of the OpenID service.
	*/
	private static final URIGuacamoleProperty OPENID_AUTHORIZATION_ENDPOINT =
	new URIGuacamoleProperty() {

	@Override
	public String getName() { return "openid-authorization-endpoint"; }

	};

	/**
	* The endpoint (URI) of the JWKS service which defines how received ID
	* tokens (JWTs) shall be validated.
	*/
	private static final URIGuacamoleProperty OPENID_JWKS_ENDPOINT =
	new URIGuacamoleProperty() {

	@Override
	public String getName() { return "openid-jwks-endpoint"; }

	};

	/**
	* The issuer to expect for all received ID tokens.
	*/
	private static final StringGuacamoleProperty OPENID_ISSUER =
	new StringGuacamoleProperty() {

	@Override
	public String getName() { return "openid-issuer"; }

	};

	/**
	* The claim type which contains the authenticated user's username within
	* any valid JWT.
	*/
	private static final StringGuacamoleProperty OPENID_USERNAME_CLAIM_TYPE =
	new StringGuacamoleProperty() {

	@Override
	public String getName() { return "openid-username-claim-type"; }

	};

	/**
	* The space-separated list of OpenID scopes to request.
	*/
	private static final StringGuacamoleProperty OPENID_SCOPE =
	new StringGuacamoleProperty() {

	@Override
	public String getName() { return "openid-scope"; }

	};

	/**
	* The amount of clock skew tolerated for timestamp comparisons between the
	* Guacamole server and OpenID service clocks, in seconds.
	*/
	private static final IntegerGuacamoleProperty OPENID_ALLOWED_CLOCK_SKEW =
	new IntegerGuacamoleProperty() {

	@Override
	public String getName() { return "openid-allowed-clock-skew"; }

	};

	/**
	* The maximum amount of time that an OpenID token should remain valid, in
	* minutes.
	*/
	private static final IntegerGuacamoleProperty OPENID_MAX_TOKEN_VALIDITY =
	new IntegerGuacamoleProperty() {

	@Override
	public String getName() { return "openid-max-token-validity"; }

	};

	/**
	* The maximum amount of time that a nonce generated by the Guacamole server
	* should remain valid, in minutes. As each OpenID request has a unique
	* nonce value, this imposes an upper limit on the amount of time any
	* particular OpenID request can result in successful authentication within
	* Guacamole.
	*/
	private static final IntegerGuacamoleProperty OPENID_MAX_NONCE_VALIDITY =
	new IntegerGuacamoleProperty() {

	@Override
	public String getName() { return "openid-max-nonce-validity"; }

	};

	/**
	* OpenID client ID which should be submitted to the OpenID service when
	* necessary. This value is typically provided by the OpenID service when
	* OpenID credentials are generated for your application.
	*/
	private static final StringGuacamoleProperty OPENID_CLIENT_ID =
	new StringGuacamoleProperty() {

	@Override
	public String getName() { return "openid-client-id"; }

	};

	/**
	* The URI that the OpenID service should redirect to after the
	* authentication process is complete. This must be the full URL that a
	* user would enter into their browser to access Guacamole.
	*/
	private static final URIGuacamoleProperty OPENID_REDIRECT_URI =
	new URIGuacamoleProperty() {

	@Override
	public String getName() { return "openid-redirect-uri"; }

	};

	/**
	* The Guacamole server environment.
	*/
	@Inject
	private Environment environment;

	/**
	* Returns the authorization endpoint (URI) of the OpenID service as
	* configured with guacamole.properties.
	*
	* @return
	* The authorization endpoint of the OpenID service, as configured with
	* guacamole.properties.
	*
	* @throws GuacamoleException
	* If guacamole.properties cannot be parsed, or if the authorization
	* endpoint property is missing.
	*/
	public URI getAuthorizationEndpoint() throws GuacamoleException {
	return environment.getRequiredProperty(OPENID_AUTHORIZATION_ENDPOINT);
	}

	/**
	* Returns the OpenID client ID which should be submitted to the OpenID
	* service when necessary, as configured with guacamole.properties. This
	* value is typically provided by the OpenID service when OpenID credentials
	* are generated for your application.
	*
	* @return
	* The client ID to use when communicating with the OpenID service,
	* as configured with guacamole.properties.
	*
	* @throws GuacamoleException
	* If guacamole.properties cannot be parsed, or if the client ID
	* property is missing.
	*/
	public String getClientID() throws GuacamoleException {
	return environment.getRequiredProperty(OPENID_CLIENT_ID);
	}

	/**
	* Returns the URI that the OpenID service should redirect to after
	* the authentication process is complete, as configured with
	* guacamole.properties. This must be the full URL that a user would enter
	* into their browser to access Guacamole.
	*
	* @return
	* The client secret to use when communicating with the OpenID service,
	* as configured with guacamole.properties.
	*
	* @throws GuacamoleException
	* If guacamole.properties cannot be parsed, or if the redirect URI
	* property is missing.
	*/
	public URI getRedirectURI() throws GuacamoleException {
	return environment.getRequiredProperty(OPENID_REDIRECT_URI);
	}

	/**
	* Returns the issuer to expect for all received ID tokens, as configured
	* with guacamole.properties.
	*
	* @return
	* The issuer to expect for all received ID tokens, as configured with
	* guacamole.properties.
	*
	* @throws GuacamoleException
	* If guacamole.properties cannot be parsed, or if the issuer property
	* is missing.
	*/
	public String getIssuer() throws GuacamoleException {
	return environment.getRequiredProperty(OPENID_ISSUER);
	}

	/**
	* Returns the endpoint (URI) of the JWKS service which defines how
	* received ID tokens (JWTs) shall be validated, as configured with
	* guacamole.properties.
	*
	* @return
	* The endpoint (URI) of the JWKS service which defines how received ID
	* tokens (JWTs) shall be validated, as configured with
	* guacamole.properties.
	*
	* @throws GuacamoleException
	* If guacamole.properties cannot be parsed, or if the JWKS endpoint
	* property is missing.
	*/
	public URI getJWKSEndpoint() throws GuacamoleException {
	return environment.getRequiredProperty(OPENID_JWKS_ENDPOINT);
	}

	/**
	* Returns the claim type which contains the authenticated user's username
	* within any valid JWT, as configured with guacamole.properties. By
	* default, this will be "email".
	*
	* @return
	* The claim type which contains the authenticated user's username
	* within any valid JWT, as configured with guacamole.properties.
	*
	* @throws GuacamoleException
	* If guacamole.properties cannot be parsed.
	*/
	public String getUsernameClaimType() throws GuacamoleException {
	return environment.getProperty(OPENID_USERNAME_CLAIM_TYPE, DEFAULT_USERNAME_CLAIM_TYPE);
	}

	/**
	* Returns the space-separated list of OpenID scopes to request. By default,
	* this will be "openid email profile". The OpenID scopes determine the
	* information returned within the OpenID token, and thus affect what
	* values can be used as an authenticated user's username.
	*
	* @return
	* The space-separated list of OpenID scopes to request when identifying
	* a user.
	*
	* @throws GuacamoleException
	* If guacamole.properties cannot be parsed.
	*/
	public String getScope() throws GuacamoleException {
	return environment.getProperty(OPENID_SCOPE, DEFAULT_SCOPE);
	}

	/**
	* Returns the amount of clock skew tolerated for timestamp comparisons
	* between the Guacamole server and OpenID service clocks, in seconds. Too
	* much clock skew will affect token expiration calculations, possibly
	* allowing old tokens to be used. By default, this will be 30.
	*
	* @return
	* The amount of clock skew tolerated for timestamp comparisons, in
	* seconds.
	*
	* @throws GuacamoleException
	* If guacamole.properties cannot be parsed.
	*/
	public int getAllowedClockSkew() throws GuacamoleException {
	return environment.getProperty(OPENID_ALLOWED_CLOCK_SKEW, DEFAULT_ALLOWED_CLOCK_SKEW);
	}

	/**
	* Returns the maximum amount of time that an OpenID token should remain
	* valid, in minutes. A token received from an OpenID service which is
	* older than this amount of time will be rejected, even if it is otherwise
	* valid. By default, this will be 300 (5 hours).
	*
	* @return
	* The maximum amount of time that an OpenID token should remain valid,
	* in minutes.
	*
	* @throws GuacamoleException
	* If guacamole.properties cannot be parsed.
	*/
	public int getMaxTokenValidity() throws GuacamoleException {
	return environment.getProperty(OPENID_MAX_TOKEN_VALIDITY, DEFAULT_MAX_TOKEN_VALIDITY);
	}

	/**
	* Returns the maximum amount of time that a nonce generated by the
	* Guacamole server should remain valid, in minutes. As each OpenID request
	* has a unique nonce value, this imposes an upper limit on the amount of
	* time any particular OpenID request can result in successful
	* authentication within Guacamole. By default, this will be 10.
	*
	* @return
	* The maximum amount of time that a nonce generated by the Guacamole
	* server should remain valid, in minutes.
	*
	* @throws GuacamoleException
	* If guacamole.properties cannot be parsed.
	*/
	public int getMaxNonceValidity() throws GuacamoleException {
	return environment.getProperty(OPENID_MAX_NONCE_VALIDITY, DEFAULT_MAX_NONCE_VALIDITY);
	}

	}