safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 05:07:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-1289: Handle resumable state for duo authentication.

Browse Source
This commit is contained in:
Alex Leitner
2024-03-25 01:27:11 +00:00
parent 7807bb9c11
commit b0e5ecd33e
8 changed files with 243 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java
View File

@@ -42,11 +42,6 @@ public class DuoAuthenticationProviderModule extends AbstractModule {
*/
private final AuthenticationProvider authProvider;
/**
* The session manager that stores authentication attempts.
*/
private final DuoAuthenticationSessionManager authSessionManager;
/**
* Creates a new Duo authentication provider module which configures
* injection for the DuoAuthenticationProvider.
@@ -66,10 +61,6 @@ public class DuoAuthenticationProviderModule extends AbstractModule {
// Store associated auth provider
this.authProvider = authProvider;
// Create a new session manager
this.authSessionManager = new DuoAuthenticationSessionManager();
}
@Override
@@ -80,11 +71,9 @@ public class DuoAuthenticationProviderModule extends AbstractModule {
bind(Environment.class).toInstance(environment);
// Bind Duo-specific services
bind(DuoAuthenticationSessionManager.class).toInstance(authSessionManager);
bind(ConfigurationService.class);
bind(UserVerificationService.class);
}
}

74
extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSession.java
View File

@@ -1,74 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.auth.duo;
import org.apache.guacamole.net.auth.AuthenticationSession;
/**
* An AuthenticationSession that stores the information required for an
* in-progress Duo authentication attempt.
*/
public class DuoAuthenticationSession extends AuthenticationSession {
/**
* The session state generated by the Duo client, which is used to track
* the session through the redirect and return process.
*/
private final String state;
/**
* The username of the user who is authenticating with this session.
*/
private final String username;
/**
* Create a new instance of this authenticaiton session, having the given length of time
* for expriation and the state generated by the Duo Client.
*
* @param expires
* The number of milliseconds before this session is invalid.
*
* @param state
* The session state, as generated by the Duo Client.
*
* @param username
* The username of the user who is attempting authentication with Duo.
*/
public DuoAuthenticationSession(long expires, String state, String username) {
super(expires);
this.state = state;
this.username = username;
}
/**
* Return the stored session state.
*
* @return
* The stored session state.
*/
public String getState() {
return state;
}
public String getUsername() {
return username;
}
}

34
extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSessionManager.java
View File

@@ -1,34 +0,0 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.auth.duo;
import com.google.inject.Singleton;
import org.apache.guacamole.net.auth.AuthenticationSessionManager;
/**
* An AuthenticationSessionManager implementation that temporarily stores
* authentication attempts for Duo MFA while they are underway.
*/
@Singleton
public class DuoAuthenticationSessionManager extends AuthenticationSessionManager<DuoAuthenticationSession> {
// Nothing to see here.
}

33
extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
View File

@@ -45,7 +45,7 @@ import org.slf4j.LoggerFactory;
*/
public class UserVerificationService {
private static final Logger LOGGER = LoggerFactory.getLogger(UserVerificationService.class);
private static final Logger logger = LoggerFactory.getLogger(UserVerificationService.class);
/**
* The name of the parameter which Duo will return in it's GET call-back
@@ -63,7 +63,7 @@ public class UserVerificationService {
* The value that will be returned in the token if Duo authentication
* was successful.
*/
private static final String DUO_TOKEN_SUCCESS_VALUE = "ALLOW";
private static final String DUO_TOKEN_SUCCESS_VALUE = "allow";
/**
* Service for retrieving Duo configuration information.
@@ -71,13 +71,6 @@ public class UserVerificationService {
@Inject
private ConfigurationService confService;
/**
* The authentication session manager that temporarily stores in-progress
* authentication attempts.
*/
@Inject
private DuoAuthenticationSessionManager duoSessionManager;
/**
* Verifies the identity of the given user via the Duo multi-factor
* authentication service. If a signed response from Duo has not already
@@ -116,8 +109,7 @@ public class UserVerificationService {
confService.getRedirectUrl().toString())
.build();
duoClient.healthCheck();
duoClient.healthCheck();
// Retrieve signed Duo Code and State from the request
String duoCode = request.getParameter(DUO_CODE_PARAMETER_NAME);
@@ -128,10 +120,7 @@ public class UserVerificationService {
// Get a new session state from the Duo client
duoState = duoClient.generateState();
LOGGER.debug(">>> DUO <<< STATE DEFER: {}", duoState);
// Add this session
duoSessionManager.defer(new DuoAuthenticationSession(confService.getAuthTimeout(), duoState, username), duoState);
long expirationTimestamp = System.currentTimeMillis() + (confService.getAuthTimeout() * 1000L);
// Request additional credentials
throw new TranslatableGuacamoleInsufficientCredentialsException(
@@ -143,27 +132,21 @@ public class UserVerificationService {
new URI(duoClient.createAuthUrl(username, duoState)),
new TranslatableMessage("LOGIN.INFO_DUO_REDIRECT_PENDING")
)
))
)),
duoState,
expirationTimestamp
);
}
LOGGER.debug(">>> DUO <<< STATE RESUME: {}", duoState);
// Retrieve the deferred authenticaiton attempt
DuoAuthenticationSession duoSession = duoSessionManager.resume(duoState);
if (duoSession == null)
throw new GuacamoleServerException("Failed to resume Duo authentication session.");
// Get the token from the DuoClient using the code and username, and check status
Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, duoSession.getUsername());
Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, username);
if (token == null
|| token.getAuth_result() == null
|| !DUO_TOKEN_SUCCESS_VALUE.equals(token.getAuth_result().getStatus()))
throw new TranslatableGuacamoleClientException("Provided Duo "
+ "validation code is incorrect.",
"LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT");
}
catch (DuoException e) {
throw new GuacamoleServerException("Duo Client error.", e);

32
guacamole-ext/src/main/java/org/apache/guacamole/language/TranslatableGuacamoleInsufficientCredentialsException.java
View File

@@ -136,6 +136,38 @@ public class TranslatableGuacamoleInsufficientCredentialsException
this(message, new TranslatableMessage(key), credentialsInfo);
}
/**
* Creates a new TranslatableGuacamoleInsufficientCredentialsException with the specified message,
* translation key, the credential information required for authentication, the state token, and
* an expiration timestamp for the state token. The message is provided in both a non-translatable
* form and as a translatable key which can be used to retrieve the localized message.
*
* @param message
* A human-readable description of the exception that occurred. This
* message should be readable on its own and as-written, without
* requiring a translation service.
*
* @param key
* The arbitrary key which can be used to look up the message to be
* displayed in the user's native language.
*
* @param credentialsInfo
* Information describing the form of valid credentials.
*
* @param state
* An opaque value that may be used by a client to maintain state across requests which are part
* of the same authentication transaction.
*
* @param expires
* The timestamp after which the state token associated with the authentication process expires,
* specified as the number of milliseconds since the UNIX epoch.
*/
public TranslatableGuacamoleInsufficientCredentialsException(String message,
String key, CredentialsInfo credentialsInfo, String state, long expires) {
super(message, credentialsInfo, state, expires);
this.translatableMessage = new TranslatableMessage(key);
}
@Override
public TranslatableMessage getTranslatableMessage() {
return translatableMessage;

78
guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java
View File

@@ -28,6 +28,57 @@ package org.apache.guacamole.net.auth.credentials;
*/
public class GuacamoleInsufficientCredentialsException extends GuacamoleCredentialsException {
/**
* The default state token to use when no specific state information is provided.
*/
private static final String DEFAULT_STATE = "";
/**
* The default expiration timestamp to use when no specific expiration is provided,
* effectively indicating that the state token does not expire.
*/
private static final long DEFAULT_EXPIRES = -1L;
/**
* An opaque value that may be used by a client to maintain state across requests
* which are part of the same authentication transaction.
*/
protected final String state;
/**
* The timestamp after which the state token associated with the authentication process
* should no longer be considered valid, expressed as the number of milliseconds since
* UNIX epoch.
*/
protected final long expires;
/**
* Creates a new GuacamoleInsufficientCredentialsException with the specified
* message, the credential information required for authentication, the state
* token associated with the authentication process, and an expiration timestamp.
*
* @param message
* A human-readable description of the exception that occurred.
*
* @param credentialsInfo
* Information describing the form of valid credentials.
*
* @param state
* An opaque value that may be used by a client to maintain state
* across requests which are part of the same authentication transaction.
*
* @param expires
* The timestamp after which the state token associated with the
* authentication process should no longer be considered valid, expressed
* as the number of milliseconds since UNIX epoch.
*/
public GuacamoleInsufficientCredentialsException(String message,
CredentialsInfo credentialsInfo, String state, long expires) {
super(message, credentialsInfo);
this.state = state;
this.expires = expires;
}
/**
* Creates a new GuacamoleInsufficientCredentialsException with the given
* message, cause, and associated credential information.
@@ -44,6 +95,8 @@ public class GuacamoleInsufficientCredentialsException extends GuacamoleCredenti
public GuacamoleInsufficientCredentialsException(String message, Throwable cause,
CredentialsInfo credentialsInfo) {
super(message, cause, credentialsInfo);
this.state = DEFAULT_STATE;
this.expires = DEFAULT_EXPIRES;
}
/**
@@ -58,6 +111,8 @@ public class GuacamoleInsufficientCredentialsException extends GuacamoleCredenti
*/
public GuacamoleInsufficientCredentialsException(String message, CredentialsInfo credentialsInfo) {
super(message, credentialsInfo);
this.state = DEFAULT_STATE;
this.expires = DEFAULT_EXPIRES;
}
/**
@@ -72,6 +127,29 @@ public class GuacamoleInsufficientCredentialsException extends GuacamoleCredenti
*/
public GuacamoleInsufficientCredentialsException(Throwable cause, CredentialsInfo credentialsInfo) {
super(cause, credentialsInfo);
this.state = DEFAULT_STATE;
this.expires = DEFAULT_EXPIRES;
}
/**
* Retrieves the state token associated with the authentication process.
*
* @return The opaque state token used to maintain consistency across multiple
* requests in the same authentication transaction.
*/
public String getState() {
return state;
}
/**
* Retrieves the expiration timestamp of the state token, specified as the
* number of milliseconds since the UNIX epoch.
*
* @return The expiration timestamp of the state token, or a negative value if
* the token does not expire.
*/
public long getExpires() {
return expires;
}
}

48
guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
View File

@@ -21,11 +21,14 @@ package org.apache.guacamole.rest.auth;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.GuacamoleUnauthorizedException;
import org.apache.guacamole.GuacamoleSession;
import org.apache.guacamole.net.auth.AuthenticatedUser;
@@ -43,9 +46,12 @@ import org.glassfish.jersey.server.ContainerRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.google.inject.Singleton;
/**
* A service for performing authentication checks in REST endpoints.
*/
@Singleton
public class AuthenticationService {
/**
@@ -96,6 +102,11 @@ public class AuthenticationService {
*/
public static final String TOKEN_PARAMETER_NAME = "token";
/**
* Map to store resumable authentication states with an expiration time.
*/
private Map<String, ResumableAuthenticationState> resumableStateMap = new ConcurrentHashMap<>();
/**
* Attempts authentication against all AuthenticationProviders, in order,
* using the provided credentials. The first authentication failure takes
@@ -310,6 +321,17 @@ public class AuthenticationService {
try {
userContext = authProvider.getUserContext(authenticatedUser);
}
catch (GuacamoleInsufficientCredentialsException e) {
// Store state and expiration
String state = e.getState();
long expiration = e.getExpires();
resumableStateMap.put(state, new ResumableAuthenticationState(expiration, credentials));
throw new GuacamoleAuthenticationProcessException("User "
+ "authentication aborted during initial "
+ "UserContext creation.", authProvider, e);
}
catch (GuacamoleException | RuntimeException | Error e) {
throw new GuacamoleAuthenticationProcessException("User "
+ "authentication aborted during initial "
@@ -366,12 +388,30 @@ public class AuthenticationService {
AuthenticatedUser authenticatedUser;
String authToken;
Credentials actualCredentials = credentials;
String state;
ResumableAuthenticationState resumableState = null;
// Retrieve signed State from the request
HttpServletRequest request = credentials.getRequest();
// If state is provided, attempt to resume authentication
if ((state = request.getParameter("state")) != null && (resumableState = resumableStateMap.get(state)) != null) {
// The resumableState is removed as it should be a single-use token
resumableStateMap.remove(state);
// Check if the resumableState has expired
if (!resumableState.isExpired()) {
actualCredentials = resumableState.getCredentials();
actualCredentials.setRequest(request);
}
}
try {
// Get up-to-date AuthenticatedUser and associated UserContexts
authenticatedUser = getAuthenticatedUser(existingSession, credentials);
List<DecoratedUserContext> userContexts = getUserContexts(existingSession, authenticatedUser, credentials);
authenticatedUser = getAuthenticatedUser(existingSession, actualCredentials);
List<DecoratedUserContext> userContexts = getUserContexts(existingSession, authenticatedUser, actualCredentials);
// Update existing session, if it exists
if (existingSession != null) {
@@ -401,7 +441,7 @@ public class AuthenticationService {
// Log and rethrow any authentication errors
catch (GuacamoleAuthenticationProcessException e) {
listenerService.handleEvent(new AuthenticationFailureEvent(credentials,
listenerService.handleEvent(new AuthenticationFailureEvent(actualCredentials,
e.getAuthenticationProvider(), e.getCause()));
// Rethrow exception

81
guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java Normal file
View File

@@ -0,0 +1,81 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.rest.auth;
import org.apache.guacamole.net.auth.Credentials;
/**
* Encapsulates the state information required for resuming an authentication
* process. This includes an expiration timestamp to determine state validity
* and the original credentials submitted by the user.
*/
public class ResumableAuthenticationState {
/**
* The timestamp at which this state should no longer be considered valid,
* measured in milliseconds since the Unix epoch.
*/
private long expirationTimestamp;
/**
* The original user credentials that were submitted at the start of the
* authentication process.
*/
private Credentials credentials;
/**
* Constructs a new ResumableAuthenticationState object with the specified
* expiration timestamp and user credentials.
*
* @param expirationTimestamp
* The timestamp in milliseconds since the Unix epoch when this state
* expires and can no longer be used to resume authentication.
*
* @param credentials
* The Credentials object initially submitted by the user and associated
* with this resumable state.
*/
public ResumableAuthenticationState(long expirationTimestamp, Credentials credentials) {
this.expirationTimestamp = expirationTimestamp;
this.credentials = credentials;
}
/**
* Checks if this resumable state has expired based on the stored expiration
* timestamp and the current system time.
*
* @return
* True if the current system time is after the expiration timestamp,
* indicating that the state is expired; false otherwise.
*/
public boolean isExpired() {
return System.currentTimeMillis() > expirationTimestamp;
}
/**
* Retrieves the original credentials associated with this resumable state.
*
* @return
* The Credentials object containing user details that were submitted
* when the state was created.
*/
public Credentials getCredentials() {
return this.credentials;
}
}