GUACAMOLE-1289: Ensure updates to credentials are accurately represented in failure events.

2025-09-06 05:07:41 +00:00 · 2024-04-25 18:10:18 -07:00
parent 13bb5f0e30
commit 4a0e9f310f
1 changed files with 31 additions and 52 deletions
--- a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
@@ -332,43 +332,6 @@ public class AuthenticationService {
    }
    /**
     * Performs arbitrary and optional updates to the credentials supplied by
     * the authenticating user as dictated by the {@link AuthenticationProvider#updateCredentials(org.apache.guacamole.net.auth.Credentials)}
     * functions of any installed AuthenticationProvider. Each installed
     * AuthenticationProvider is given the opportunity, in order, to make
     * updates to the supplied credentials.
     *
     * @param credentials
     *     The credentials to be updated.
     *
     * @return
     *     The set of credentials that should be provided to all
     *     AuthenticationProviders during authentication, now possibly updated
     *     (or even replaced) by any number of installed
     *     AuthenticationProviders.
     *
     * @throws GuacamoleAuthenticationProcessException 
     *     If an error occurs while updating the supplied credentials.
     */
    private Credentials getUpdatedCredentials(Credentials credentials)
            throws GuacamoleAuthenticationProcessException {
        for (AuthenticationProvider authProvider : authProviders) {
            try {
                credentials = authProvider.updateCredentials(credentials);
            }
            catch (GuacamoleException | RuntimeException | Error e) {
                throw new GuacamoleAuthenticationProcessException("User "
                        + "authentication aborted during credential "
                        + "update/revision.", authProvider, e);
            }
        }
        return credentials;
    }
    /**
     * Authenticates a user using the given credentials and optional
     * authentication token, returning the authentication token associated with
@@ -394,27 +357,38 @@ public class AuthenticationService {
    public String authenticate(Credentials credentials, String token)
            throws GuacamoleException {
        // Fire pre-authentication event before ANY authn/authz occurs at all
        listenerService.handleEvent((AuthenticationRequestReceivedEvent) () -> credentials);
        // Pull existing session if token provided
        GuacamoleSession existingSession;
        if (token != null)
            existingSession = tokenSessionMap.get(token);
        else
            existingSession = null;
        AuthenticatedUser authenticatedUser;
        String authToken;
        try {
            // Allow extensions to make updated to credentials prior to
-            // actual authentication
+            // actual authentication (NOTE: We do this here instead of in a
-            Credentials updatedCredentials = getUpdatedCredentials(credentials);
+            // separate function to ensure that failure events accurately
            // represent the credentials that failed when a chain of credential
            // updates is involved)
            for (AuthenticationProvider authProvider : authProviders) {
                try {
                    credentials = authProvider.updateCredentials(credentials);
                }
                catch (GuacamoleException | RuntimeException | Error e) {
                    throw new GuacamoleAuthenticationProcessException("User "
                            + "authentication aborted during credential "
                            + "update/revision.", authProvider, e);
                }
            }
            // Fire pre-authentication event before ANY authn/authz occurs at all
            final Credentials updatedCredentials = credentials;
            listenerService.handleEvent((AuthenticationRequestReceivedEvent) () -> updatedCredentials);
            // Pull existing session if token provided
            GuacamoleSession existingSession;
            if (token != null)
                existingSession = tokenSessionMap.get(token);
            else
                existingSession = null;
            // Get up-to-date AuthenticatedUser and associated UserContexts
-            authenticatedUser = getAuthenticatedUser(existingSession, updatedCredentials);
+            AuthenticatedUser authenticatedUser = getAuthenticatedUser(existingSession, updatedCredentials);
            List<DecoratedUserContext> userContexts = getUserContexts(existingSession, authenticatedUser, updatedCredentials);
            // Update existing session, if it exists
@@ -445,6 +419,11 @@ public class AuthenticationService {
        // Log and rethrow any authentication errors
        catch (GuacamoleAuthenticationProcessException e) {
            // NOTE: The credentials referenced here are intentionally NOT the
            // final updatedCredentials reference (though they may often be
            // equivalent) to ensure that failure events accurately represent
            // the credentials that failed if that failure occurs in the middle
            // of a chain of credential updates via updateCredentials()
            listenerService.handleEvent(new AuthenticationFailureEvent(credentials,
                    e.getAuthenticationProvider(), e.getCause()));