GUACAMOLE-1289: Handle resumable state for duo authentication.

2025-09-06 13:17:41 +00:00 · 2024-03-25 01:27:11 +00:00
parent 7807bb9c11
commit b0e5ecd33e
8 changed files with 243 additions and 148 deletions
--- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java
+++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java
@@ -41,11 +41,6 @@ public class DuoAuthenticationProviderModule extends AbstractModule {
     * module has configured injection.
     */
    private final AuthenticationProvider authProvider;
-    
-    /**
-     * The session manager that stores authentication attempts.
-     */
-    private final DuoAuthenticationSessionManager authSessionManager;

    /**
     * Creates a new Duo authentication provider module which configures
@@ -66,10 +61,6 @@ public class DuoAuthenticationProviderModule extends AbstractModule {

        // Store associated auth provider
        this.authProvider = authProvider;
-        
-        // Create a new session manager
-        this.authSessionManager = new DuoAuthenticationSessionManager();
-
    }

    @Override
@@ -80,11 +71,9 @@ public class DuoAuthenticationProviderModule extends AbstractModule {
        bind(Environment.class).toInstance(environment);

        // Bind Duo-specific services
-        bind(DuoAuthenticationSessionManager.class).toInstance(authSessionManager);
        bind(ConfigurationService.class);
        bind(UserVerificationService.class);
        
-
    }

 }
--- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSession.java
+++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSession.java
@@ -1,74 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.guacamole.auth.duo;
-
-import org.apache.guacamole.net.auth.AuthenticationSession;
-
-/**
- * An AuthenticationSession that stores the information required for an
- * in-progress Duo authentication attempt.
- */
-public class DuoAuthenticationSession extends AuthenticationSession {
-    
-    /**
-     * The session state generated by the Duo client, which is used to track
-     * the session through the redirect and return process.
-     */
-    private final String state;
-    
-    /**
-     * The username of the user who is authenticating with this session.
-     */
-    private final String username;
-    
-    /**
-     * Create a new instance of this authenticaiton session, having the given length of time
-     * for expriation and the state generated by the Duo Client.
-     * 
-     * @param expires
-     *     The number of milliseconds before this session is invalid.
-     * 
-     * @param state 
-     *     The session state, as generated by the Duo Client.
-     * 
-     * @param username
-     *     The username of the user who is attempting authentication with Duo.
-     */
-    public DuoAuthenticationSession(long expires, String state, String username) {
-        super(expires);
-        this.state = state;
-        this.username = username;
-    }
-    
-    /**
-     * Return the stored session state.
-     * 
-     * @return 
-     *     The stored session state.
-     */
-    public String getState() {
-        return state;
-    }
-    
-    public String getUsername() {
-        return username;
-    }
-    
-}
--- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSessionManager.java
+++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSessionManager.java
@@ -1,34 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *   http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.guacamole.auth.duo;
-
-import com.google.inject.Singleton;
-import org.apache.guacamole.net.auth.AuthenticationSessionManager;
-
-/**
- * An AuthenticationSessionManager implementation that temporarily stores
- * authentication attempts for Duo MFA while they are underway.
- */
-@Singleton
-public class DuoAuthenticationSessionManager extends AuthenticationSessionManager<DuoAuthenticationSession> {
-    
-    // Nothing to see here.
-    
-}
--- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
+++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
@@ -45,7 +45,7 @@ import org.slf4j.LoggerFactory;
 */
 public class UserVerificationService {

-    private static final Logger LOGGER = LoggerFactory.getLogger(UserVerificationService.class);
+    private static final Logger logger = LoggerFactory.getLogger(UserVerificationService.class);
    
    /**
     * The name of the parameter which Duo will return in it's GET call-back
@@ -63,7 +63,7 @@ public class UserVerificationService {
     * The value that will be returned in the token if Duo authentication
     * was successful.
     */
-    private static final String DUO_TOKEN_SUCCESS_VALUE = "ALLOW";
+    private static final String DUO_TOKEN_SUCCESS_VALUE = "allow";
    
    /**
     * Service for retrieving Duo configuration information.
@@ -71,13 +71,6 @@ public class UserVerificationService {
    @Inject
    private ConfigurationService confService;

-    /**
-     * The authentication session manager that temporarily stores in-progress
-     * authentication attempts.
-     */
-    @Inject
-    private DuoAuthenticationSessionManager duoSessionManager;
-
    /**
     * Verifies the identity of the given user via the Duo multi-factor
     * authentication service. If a signed response from Duo has not already
@@ -116,8 +109,7 @@ public class UserVerificationService {
                confService.getRedirectUrl().toString())
                .build();
        
-            duoClient.healthCheck();
-        
+        duoClient.healthCheck();
        
        // Retrieve signed Duo Code and State from the request
        String duoCode = request.getParameter(DUO_CODE_PARAMETER_NAME);
@@ -128,10 +120,7 @@ public class UserVerificationService {

            // Get a new session state from the Duo client
            duoState = duoClient.generateState();
-            LOGGER.debug(">>> DUO <<< STATE DEFER: {}", duoState);
-            
-            // Add this session 
-            duoSessionManager.defer(new DuoAuthenticationSession(confService.getAuthTimeout(), duoState, username), duoState);
+            long expirationTimestamp = System.currentTimeMillis() + (confService.getAuthTimeout() * 1000L);

            // Request additional credentials
            throw new TranslatableGuacamoleInsufficientCredentialsException(
@@ -143,27 +132,21 @@ public class UserVerificationService {
                            new URI(duoClient.createAuthUrl(username, duoState)),
                            new TranslatableMessage("LOGIN.INFO_DUO_REDIRECT_PENDING")
                    )
-                ))
+                )),
+                duoState,
+                expirationTimestamp
            );

        }
        
-        LOGGER.debug(">>> DUO <<< STATE RESUME: {}", duoState);
-
-        // Retrieve the deferred authenticaiton attempt
-        DuoAuthenticationSession duoSession = duoSessionManager.resume(duoState);
-        if (duoSession == null)
-            throw new GuacamoleServerException("Failed to resume Duo authentication session.");
-        
        // Get the token from the DuoClient using the code and username, and check status
-        Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, duoSession.getUsername());
+        Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, username);
        if (token == null 
                || token.getAuth_result() == null 
                || !DUO_TOKEN_SUCCESS_VALUE.equals(token.getAuth_result().getStatus()))
            throw new TranslatableGuacamoleClientException("Provided Duo "
                    + "validation code is incorrect.",
                    "LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT");
-
        }
        catch (DuoException e) {
            throw new GuacamoleServerException("Duo Client error.", e);