GUACAMOLE-1289: Handle resumable state for duo authentication.

2025-09-06 05:07:41 +00:00 · 2024-03-25 01:27:11 +00:00
parent 7807bb9c11
commit b0e5ecd33e
8 changed files with 243 additions and 148 deletions
--- a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
@@ -21,11 +21,14 @@ package org.apache.guacamole.rest.auth;

 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
 import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;

 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleSecurityException;
-import org.apache.guacamole.GuacamoleServerException;
 import org.apache.guacamole.GuacamoleUnauthorizedException;
 import org.apache.guacamole.GuacamoleSession;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
@@ -43,9 +46,12 @@ import org.glassfish.jersey.server.ContainerRequest;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

+import com.google.inject.Singleton;
+
 /**
 * A service for performing authentication checks in REST endpoints.
 */
+@Singleton
 public class AuthenticationService {

    /**
@@ -96,6 +102,11 @@ public class AuthenticationService {
     */
    public static final String TOKEN_PARAMETER_NAME = "token";

+    /** 
+     * Map to store resumable authentication states with an expiration time.
+     */ 
+    private Map<String, ResumableAuthenticationState> resumableStateMap = new ConcurrentHashMap<>();
+
    /**
     * Attempts authentication against all AuthenticationProviders, in order,
     * using the provided credentials. The first authentication failure takes
@@ -310,6 +321,17 @@ public class AuthenticationService {
                try {
                    userContext = authProvider.getUserContext(authenticatedUser);
                }
+                catch (GuacamoleInsufficientCredentialsException e) {
+                    // Store state and expiration
+                    String state = e.getState();
+                    long expiration = e.getExpires();
+
+                    resumableStateMap.put(state, new ResumableAuthenticationState(expiration, credentials));
+
+                    throw new GuacamoleAuthenticationProcessException("User "
+                    + "authentication aborted during initial "
+                    + "UserContext creation.", authProvider, e);
+                }
                catch (GuacamoleException | RuntimeException | Error e) {
                    throw new GuacamoleAuthenticationProcessException("User "
                            + "authentication aborted during initial "
@@ -366,12 +388,30 @@ public class AuthenticationService {

        AuthenticatedUser authenticatedUser;
        String authToken;
+        Credentials actualCredentials = credentials;
+        String state;
+        ResumableAuthenticationState resumableState = null;
+
+        // Retrieve signed State from the request
+        HttpServletRequest request = credentials.getRequest();
+
+        // If state is provided, attempt to resume authentication
+        if ((state = request.getParameter("state")) != null && (resumableState = resumableStateMap.get(state)) != null) {
+            // The resumableState is removed as it should be a single-use token
+            resumableStateMap.remove(state);
+
+            // Check if the resumableState has expired
+            if (!resumableState.isExpired()) {
+                actualCredentials = resumableState.getCredentials();
+                actualCredentials.setRequest(request);
+            }
+        }

        try {

            // Get up-to-date AuthenticatedUser and associated UserContexts
-            authenticatedUser = getAuthenticatedUser(existingSession, credentials);
-            List<DecoratedUserContext> userContexts = getUserContexts(existingSession, authenticatedUser, credentials);
+            authenticatedUser = getAuthenticatedUser(existingSession, actualCredentials);
+            List<DecoratedUserContext> userContexts = getUserContexts(existingSession, authenticatedUser, actualCredentials);

            // Update existing session, if it exists
            if (existingSession != null) {
@@ -401,7 +441,7 @@ public class AuthenticationService {
        // Log and rethrow any authentication errors
        catch (GuacamoleAuthenticationProcessException e) {

-            listenerService.handleEvent(new AuthenticationFailureEvent(credentials,
+            listenerService.handleEvent(new AuthenticationFailureEvent(actualCredentials,
                    e.getAuthenticationProvider(), e.getCause()));

            // Rethrow exception
--- a/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java
+++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java
@@ -0,0 +1,81 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.guacamole.rest.auth;
+
+import org.apache.guacamole.net.auth.Credentials;
+
+/**
+ * Encapsulates the state information required for resuming an authentication
+ * process. This includes an expiration timestamp to determine state validity
+ * and the original credentials submitted by the user.
+ */
+public class ResumableAuthenticationState {
+    
+    /**
+     * The timestamp at which this state should no longer be considered valid,
+     * measured in milliseconds since the Unix epoch.
+     */
+    private long expirationTimestamp;
+    
+    /**
+     * The original user credentials that were submitted at the start of the
+     * authentication process.
+     */
+    private Credentials credentials;
+
+    /**
+     * Constructs a new ResumableAuthenticationState object with the specified
+     * expiration timestamp and user credentials.
+     *
+     * @param expirationTimestamp
+     *     The timestamp in milliseconds since the Unix epoch when this state
+     *     expires and can no longer be used to resume authentication.
+     *
+     * @param credentials
+     *     The Credentials object initially submitted by the user and associated
+     *     with this resumable state.
+     */
+    public ResumableAuthenticationState(long expirationTimestamp, Credentials credentials) {
+        this.expirationTimestamp = expirationTimestamp;
+        this.credentials = credentials;
+    }
+
+    /**
+     * Checks if this resumable state has expired based on the stored expiration
+     * timestamp and the current system time.
+     *
+     * @return 
+     *     True if the current system time is after the expiration timestamp,
+     *     indicating that the state is expired; false otherwise.
+     */
+    public boolean isExpired() {
+        return System.currentTimeMillis() > expirationTimestamp;
+    }
+
+    /**
+     * Retrieves the original credentials associated with this resumable state.
+     *
+     * @return 
+     *     The Credentials object containing user details that were submitted
+     *     when the state was created.
+     */
+    public Credentials getCredentials() {
+        return this.credentials;
+    }
+}