From 13494baa4a298ef287d533ffdac24ecce9b86bb3 Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Thu, 5 Oct 2023 17:08:11 -0400 Subject: [PATCH 1/7] GUACAMOLE-1289: Move AuthenticationSession components to guacamole-exit. --- .../guacamole/auth/sso/NonceService.java | 10 ++-------- .../saml/acs/SAMLAuthenticationSession.java | 2 +- .../acs/SAMLAuthenticationSessionManager.java | 2 +- .../guacamole/auth/saml/acs/SAMLService.java | 10 ++-------- .../auth/saml/conf/ConfigurationService.java | 1 - .../ssl/SSLAuthenticationEventListener.java | 6 ------ .../auth/ssl/SSLAuthenticationSession.java | 2 +- .../ssl/SSLAuthenticationSessionManager.java | 2 +- .../net/auth}/AuthenticationSession.java | 2 +- .../auth}/AuthenticationSessionManager.java | 18 ++++-------------- .../net/auth}/IdentifierGenerator.java | 12 +++++------- 11 files changed, 18 insertions(+), 49 deletions(-) rename {extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso => guacamole-ext/src/main/java/org/apache/guacamole/net/auth}/AuthenticationSession.java (97%) rename {extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso => guacamole-ext/src/main/java/org/apache/guacamole/net/auth}/AuthenticationSessionManager.java (94%) rename {extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso => guacamole-ext/src/main/java/org/apache/guacamole/net/auth}/IdentifierGenerator.java (92%) diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/NonceService.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/NonceService.java index 5717794fd..d43a0047b 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/NonceService.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/NonceService.java @@ -19,11 +19,11 @@ package org.apache.guacamole.auth.sso; -import com.google.inject.Inject; import java.util.Iterator; import java.util.Locale; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; +import org.apache.guacamole.net.auth.IdentifierGenerator; /** * Service for generating and validating single-use random tokens (nonces). @@ -31,12 +31,6 @@ import java.util.concurrent.ConcurrentHashMap; */ public class NonceService { - /** - * Generator of arbitrary, unique, unpredictable identifiers. - */ - @Inject - private IdentifierGenerator idGenerator; - /** * Map of all generated nonces to their corresponding expiration timestamps. * This Map must be periodically swept of expired nonces to avoid growing @@ -107,7 +101,7 @@ public class NonceService { sweepExpiredNonces(); // Generate and store nonce, along with expiration timestamp - String nonce = idGenerator.generateIdentifier(NONCE_BITS, false); + String nonce = IdentifierGenerator.generateIdentifier(NONCE_BITS, false); nonces.put(nonce, System.currentTimeMillis() + maxAge); return nonce; diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSession.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSession.java index bbd74e2a9..f89502de4 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSession.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSession.java @@ -19,7 +19,7 @@ package org.apache.guacamole.auth.saml.acs; -import org.apache.guacamole.auth.sso.AuthenticationSession; +import org.apache.guacamole.net.auth.AuthenticationSession; /** * Representation of an in-progress SAML authentication attempt. diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSessionManager.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSessionManager.java index 4adf82f2c..2371bb54d 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSessionManager.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLAuthenticationSessionManager.java @@ -20,7 +20,7 @@ package org.apache.guacamole.auth.saml.acs; import com.google.inject.Singleton; -import org.apache.guacamole.auth.sso.AuthenticationSessionManager; +import org.apache.guacamole.net.auth.AuthenticationSessionManager; /** * Manager service that temporarily stores SAML authentication attempts while diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLService.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLService.java index 2fe6da4c8..37d7fa920 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLService.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/acs/SAMLService.java @@ -36,7 +36,7 @@ import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleSecurityException; import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.auth.saml.conf.ConfigurationService; -import org.apache.guacamole.auth.sso.IdentifierGenerator; +import org.apache.guacamole.net.auth.IdentifierGenerator; import org.xml.sax.SAXException; /** @@ -58,12 +58,6 @@ public class SAMLService { @Inject private SAMLAuthenticationSessionManager sessionManager; - /** - * Generator of arbitrary, unique, unpredictable identifiers. - */ - @Inject - private IdentifierGenerator idGenerator; - /** * Creates a new SAML request, beginning the overall authentication flow * that will ultimately result in an asserted user identity if the user is @@ -89,7 +83,7 @@ public class SAMLService { Auth auth = new Auth(samlSettings, null, null); // Generate a unique ID to use for the relay state - String identifier = idGenerator.generateIdentifier(); + String identifier = IdentifierGenerator.generateIdentifier(); // Create the request URL for the SAML IdP String requestUrl = auth.login( diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/conf/ConfigurationService.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/conf/ConfigurationService.java index d2a73c46a..47ead8820 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-saml/src/main/java/org/apache/guacamole/auth/saml/conf/ConfigurationService.java @@ -24,7 +24,6 @@ import com.onelogin.saml2.settings.IdPMetadataParser; import com.onelogin.saml2.settings.Saml2Settings; import com.onelogin.saml2.settings.SettingsBuilder; import com.onelogin.saml2.util.Constants; - import java.io.File; import java.io.IOException; import java.net.URI; diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationEventListener.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationEventListener.java index 26769ced9..2d353b58e 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationEventListener.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationEventListener.java @@ -20,14 +20,8 @@ package org.apache.guacamole.auth.ssl; import com.google.inject.Inject; -import com.google.inject.Singleton; -import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.ssl.SSLAuthenticationSessionManager; import org.apache.guacamole.auth.sso.SSOAuthenticationEventListener; import org.apache.guacamole.net.auth.Credentials; -import org.apache.guacamole.net.event.AuthenticationFailureEvent; -import org.apache.guacamole.net.event.AuthenticationSuccessEvent; -import org.apache.guacamole.net.event.listener.Listener; /** * A Listener that will reactivate or invalidate SSL auth sessions depending on diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationSession.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationSession.java index 4a4c9ce8f..41813a462 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationSession.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationSession.java @@ -19,7 +19,7 @@ package org.apache.guacamole.auth.ssl; -import org.apache.guacamole.auth.sso.AuthenticationSession; +import org.apache.guacamole.net.auth.AuthenticationSession; /** * Representation of an in-progress SSL/TLS authentication attempt. diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationSessionManager.java b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationSessionManager.java index fc1b0842f..252a2c94e 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationSessionManager.java +++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-ssl/src/main/java/org/apache/guacamole/auth/ssl/SSLAuthenticationSessionManager.java @@ -20,7 +20,7 @@ package org.apache.guacamole.auth.ssl; import com.google.inject.Singleton; -import org.apache.guacamole.auth.sso.AuthenticationSessionManager; +import org.apache.guacamole.net.auth.AuthenticationSessionManager; /** * Manager service that temporarily stores SSL/TLS authentication attempts diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSession.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AuthenticationSession.java similarity index 97% rename from extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSession.java rename to guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AuthenticationSession.java index 89d75df70..8d13e6111 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSession.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AuthenticationSession.java @@ -17,7 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.sso; +package org.apache.guacamole.net.auth; /** * Representation of an in-progress authentication attempt. diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSessionManager.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AuthenticationSessionManager.java similarity index 94% rename from extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSessionManager.java rename to guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AuthenticationSessionManager.java index 11ef307e2..d8a47f4ef 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSessionManager.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/AuthenticationSessionManager.java @@ -17,10 +17,7 @@ * under the License. */ -package org.apache.guacamole.auth.sso; - -import com.google.inject.Inject; -import com.google.inject.Singleton; +package org.apache.guacamole.net.auth; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; @@ -39,14 +36,7 @@ import java.util.concurrent.TimeUnit; * @param * The type of sessions managed by this session manager. */ -@Singleton -public class AuthenticationSessionManager { - - /** - * Generator of arbitrary, unique, unpredictable identifiers. - */ - @Inject - private IdentifierGenerator idGenerator; +public abstract class AuthenticationSessionManager { /** * Map of authentication session identifiers to their associated @@ -98,7 +88,7 @@ public class AuthenticationSessionManager { * token. */ public String generateInvalid() { - return idGenerator.generateIdentifier(); + return IdentifierGenerator.generateIdentifier(); } /** @@ -193,7 +183,7 @@ public class AuthenticationSessionManager { * given session when calling resume(). */ public String defer(T session) { - String identifier = idGenerator.generateIdentifier(); + String identifier = IdentifierGenerator.generateIdentifier(); sessions.put(identifier, session); return identifier; } diff --git a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/IdentifierGenerator.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/IdentifierGenerator.java similarity index 92% rename from extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/IdentifierGenerator.java rename to guacamole-ext/src/main/java/org/apache/guacamole/net/auth/IdentifierGenerator.java index 82538c6a9..fcc365a9b 100644 --- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/IdentifierGenerator.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/IdentifierGenerator.java @@ -17,10 +17,9 @@ * under the License. */ -package org.apache.guacamole.auth.sso; +package org.apache.guacamole.net.auth; import com.google.common.io.BaseEncoding; -import com.google.inject.Singleton; import java.math.BigInteger; import java.security.SecureRandom; @@ -29,14 +28,13 @@ import java.security.SecureRandom; * is an arbitrary, random string produced using a cryptographically-secure * random number generator. */ -@Singleton public class IdentifierGenerator { /** * Cryptographically-secure random number generator for generating unique * identifiers. */ - private final SecureRandom secureRandom = new SecureRandom(); + private static final SecureRandom secureRandom = new SecureRandom(); /** * Generates a unique and unpredictable identifier. Each identifier is at @@ -48,7 +46,7 @@ public class IdentifierGenerator { * A unique and unpredictable identifier with at least 256 bits of * entropy. */ - public String generateIdentifier() { + public static String generateIdentifier() { return generateIdentifier(256); } @@ -65,7 +63,7 @@ public class IdentifierGenerator { * A unique and unpredictable identifier with at least the given number * of bits of entropy. */ - public String generateIdentifier(int minBits) { + public static String generateIdentifier(int minBits) { return generateIdentifier(minBits, true); } @@ -87,7 +85,7 @@ public class IdentifierGenerator { * A unique and unpredictable identifier with at least the given number * of bits of entropy. */ - public String generateIdentifier(int minBits, boolean caseSensitive) { + public static String generateIdentifier(int minBits, boolean caseSensitive) { // Generate a base64 identifier if we're allowed to vary by case if (caseSensitive) { From e8860e4dd8f8d769b9877c3570a0407633f9bf74 Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Thu, 5 Oct 2023 17:09:32 -0400 Subject: [PATCH 2/7] GUACAMOLE-1289: Update the Duo extension to the v4 API --- extensions/guacamole-auth-duo/pom.xml | 100 +---- .../duo/DuoAuthenticationProviderModule.java | 3 +- .../auth/duo/DuoAuthenticationSession.java | 74 ++++ .../duo/DuoAuthenticationSessionManager.java} | 22 +- .../auth/duo/UserVerificationService.java | 102 +++-- .../guacamole/auth/duo/api/DuoCookie.java | 245 ------------ .../guacamole/auth/duo/api/DuoService.java | 205 ---------- .../auth/duo/api/SignedDuoCookie.java | 332 ---------------- .../auth/duo/conf/ConfigurationService.java | 107 +++-- .../auth/duo/form/DuoSignedResponseField.java | 98 ----- .../src/main/resources/config/duoConfig.js | 33 -- .../duoSignedResponseController.js | 86 ---- .../src/main/resources/guac-manifest.json | 14 +- .../main/resources/lib/DuoWeb/Duo-Web-v2.js | 366 ------------------ .../src/main/resources/lib/DuoWeb/LICENSE.js | 27 -- .../src/main/resources/styles/duo.css | 62 --- .../templates/duoSignedResponseField.html | 6 - 17 files changed, 251 insertions(+), 1631 deletions(-) create mode 100644 extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSession.java rename extensions/guacamole-auth-duo/src/main/{resources/duoModule.js => java/org/apache/guacamole/auth/duo/DuoAuthenticationSessionManager.java} (64%) delete mode 100644 extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoCookie.java delete mode 100644 extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoService.java delete mode 100644 extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/SignedDuoCookie.java delete mode 100644 extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/form/DuoSignedResponseField.java delete mode 100644 extensions/guacamole-auth-duo/src/main/resources/config/duoConfig.js delete mode 100644 extensions/guacamole-auth-duo/src/main/resources/controllers/duoSignedResponseController.js delete mode 100644 extensions/guacamole-auth-duo/src/main/resources/lib/DuoWeb/Duo-Web-v2.js delete mode 100644 extensions/guacamole-auth-duo/src/main/resources/lib/DuoWeb/LICENSE.js delete mode 100644 extensions/guacamole-auth-duo/src/main/resources/styles/duo.css delete mode 100644 extensions/guacamole-auth-duo/src/main/resources/templates/duoSignedResponseField.html diff --git a/extensions/guacamole-auth-duo/pom.xml b/extensions/guacamole-auth-duo/pom.xml index 7d6ab3b23..0614cb47d 100644 --- a/extensions/guacamole-auth-duo/pom.xml +++ b/extensions/guacamole-auth-duo/pom.xml @@ -39,93 +39,9 @@ UTF-8 + true - - - - - - com.keithbranton.mojo - angular-maven-plugin - 0.3.4 - - - generate-resources - - html2js - - - - - ${basedir}/src/main/resources - **/*.html - ${basedir}/src/main/resources/generated/templates-main/templates.js - app/ext/duo - - - - - - com.github.buckelieg - minify-maven-plugin - - - default-cli - - UTF-8 - - ${basedir}/src/main/resources - ${project.build.directory}/classes - - / - / - duo.css - - - license.txt - - - - **/*.css - - - / - / - duo.js - - - license.txt - lib/DuoWeb/LICENSE.js - - - - **/*.js - - - - - **/*.test.js - - CLOSURE - - - - OFF - OFF - - - - - minify - - - - - - - - @@ -155,6 +71,20 @@ 2.5 provided + + + + com.duosecurity + duo-universal-sdk + 1.1.3 + + + + + org.jetbrains.kotlin + kotlin-stdlib-common + 1.4.10 + diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java index a60523bf8..c50e1039d 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java @@ -21,7 +21,6 @@ package org.apache.guacamole.auth.duo; import com.google.inject.AbstractModule; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.duo.api.DuoService; import org.apache.guacamole.auth.duo.conf.ConfigurationService; import org.apache.guacamole.environment.Environment; import org.apache.guacamole.environment.LocalEnvironment; @@ -74,8 +73,8 @@ public class DuoAuthenticationProviderModule extends AbstractModule { // Bind Duo-specific services bind(ConfigurationService.class); - bind(DuoService.class); bind(UserVerificationService.class); + bind(DuoAuthenticationSessionManager.class); } diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSession.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSession.java new file mode 100644 index 000000000..8dd3e8db1 --- /dev/null +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSession.java @@ -0,0 +1,74 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.guacamole.auth.duo; + +import org.apache.guacamole.net.auth.AuthenticationSession; + +/** + * An AuthenticationSession that stores the information required for an + * in-progress Duo authentication attempt. + */ +public class DuoAuthenticationSession extends AuthenticationSession { + + /** + * The session state generated by the Duo client, which is used to track + * the session through the redirect and return process. + */ + private final String state; + + /** + * The username of the user who is authenticating with this session. + */ + private final String username; + + /** + * Create a new instance of this authenticaiton session, having the given length of time + * for expriation and the state generated by the Duo Client. + * + * @param expires + * The number of milliseconds before this session is invalid. + * + * @param state + * The session state, as generated by the Duo Client. + * + * @param username + * The username of the user who is attempting authentication with Duo. + */ + public DuoAuthenticationSession(long expires, String state, String username) { + super(expires); + this.state = state; + this.username = username; + } + + /** + * Return the stored session state. + * + * @return + * The stored session state. + */ + public String getState() { + return state; + } + + public String getUsername() { + return username; + } + +} diff --git a/extensions/guacamole-auth-duo/src/main/resources/duoModule.js b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSessionManager.java similarity index 64% rename from extensions/guacamole-auth-duo/src/main/resources/duoModule.js rename to extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSessionManager.java index 49a342f84..9bfbcc466 100644 --- a/extensions/guacamole-auth-duo/src/main/resources/duoModule.js +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSessionManager.java @@ -17,12 +17,18 @@ * under the License. */ -/** - * Module which provides handling for Duo multi-factor authentication. - */ -angular.module('guacDuo', [ - 'form' -]); +package org.apache.guacamole.auth.duo; -// Ensure the guacDuo module is loaded along with the rest of the app -angular.module('index').requires.push('guacDuo'); +import com.google.inject.Singleton; +import org.apache.guacamole.net.auth.AuthenticationSessionManager; + +/** + * An AuthenticationSessionManager implementation that temporarily stores + * authentication attempts for Duo MFA while they are underway. + */ +@Singleton +public class DuoAuthenticationSessionManager extends AuthenticationSessionManager { + + // Nothing to see here. + +} diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java index abcb48605..7ac16d51a 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java @@ -19,16 +19,21 @@ package org.apache.guacamole.auth.duo; +import com.duosecurity.Client; +import com.duosecurity.exception.DuoException; +import com.duosecurity.model.Token; import com.google.inject.Inject; +import java.net.URI; +import java.net.URISyntaxException; import java.util.Collections; import javax.servlet.http.HttpServletRequest; import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.duo.api.DuoService; +import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.auth.duo.conf.ConfigurationService; -import org.apache.guacamole.auth.duo.form.DuoSignedResponseField; -import org.apache.guacamole.form.Field; +import org.apache.guacamole.form.RedirectField; import org.apache.guacamole.language.TranslatableGuacamoleClientException; import org.apache.guacamole.language.TranslatableGuacamoleInsufficientCredentialsException; +import org.apache.guacamole.language.TranslatableMessage; import org.apache.guacamole.net.auth.AuthenticatedUser; import org.apache.guacamole.net.auth.Credentials; import org.apache.guacamole.net.auth.credentials.CredentialsInfo; @@ -38,6 +43,24 @@ import org.apache.guacamole.net.auth.credentials.CredentialsInfo; */ public class UserVerificationService { + /** + * The name of the parameter which Duo will return in it's GET call-back + * that contains the code that the client will use to generate a token. + */ + private static final String DUO_CODE_PARAMETER_NAME = "duo_code"; + + /** + * The name of the parameter that will be used in the GET call-back that + * contains the session state. + */ + private static final String DUO_STATE_PARAMETER_NAME = "state"; + + /** + * The value that will be returned in the token if Duo authentication + * was successful. + */ + private static final String DUO_TOKEN_SUCCESS_VALUE = "ALLOW"; + /** * Service for retrieving Duo configuration information. */ @@ -45,10 +68,11 @@ public class UserVerificationService { private ConfigurationService confService; /** - * Service for verifying users against Duo. + * The authentication session manager that temporarily stores in-progress + * authentication attempts. */ @Inject - private DuoService duoService; + private DuoAuthenticationSessionManager duoSessionManager; /** * Verifies the identity of the given user via the Duo multi-factor @@ -75,39 +99,69 @@ public class UserVerificationService { // Ignore anonymous users if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER)) return; + + String username = authenticatedUser.getIdentifier(); - // Retrieve signed Duo response from request - String signedResponse = request.getParameter(DuoSignedResponseField.PARAMETER_NAME); + try { - // If no signed response, request one - if (signedResponse == null) { + // Set up the Duo Client + Client duoClient = new Client.Builder( + confService.getClientId(), + confService.getClientSecret(), + confService.getAPIHostname(), + confService.getRedirectUrl().toString()) + .build(); + + duoClient.healthCheck(); + + + // Retrieve signed Duo Code and State from the request + String duoCode = request.getParameter(DUO_CODE_PARAMETER_NAME); + String duoState = request.getParameter(DUO_STATE_PARAMETER_NAME); - // Create field which requests a signed response from Duo that - // verifies the identity of the given user via the configured - // Duo API endpoint - Field signedResponseField = new DuoSignedResponseField( - confService.getAPIHostname(), - duoService.createSignedRequest(authenticatedUser)); + // If no code or state is received, assume Duo MFA redirect has not occured and do it. + if (duoCode == null || duoState == null) { - // Create an overall description of the additional credentials - // required to verify identity - CredentialsInfo expectedCredentials = new CredentialsInfo( - Collections.singletonList(signedResponseField)); + // Get a new session state from the Duo client + duoState = duoClient.generateState(); + + // Add this session + duoSessionManager.defer(new DuoAuthenticationSession(confService.getAuthTimeout(), duoState, username), duoState); // Request additional credentials throw new TranslatableGuacamoleInsufficientCredentialsException( - "Verification using Duo is required before authentication " - + "can continue.", "LOGIN.INFO_DUO_AUTH_REQUIRED", - expectedCredentials); + "Verification using Duo is required before authentication " + + "can continue.", "LOGIN.INFO_DUO_AUTH_REQUIRED", + new CredentialsInfo(Collections.singletonList( + new RedirectField( + DUO_CODE_PARAMETER_NAME, + new URI(duoClient.createAuthUrl(username, duoState)), + new TranslatableMessage("LOGIN.INFO_DUO_REDIRECT_PENDING") + ) + )) + ); } - // If signed response does not verify this user's identity, abort auth - if (!duoService.isValidSignedResponse(authenticatedUser, signedResponse)) + // Retrieve the deferred authenticaiton attempt + DuoAuthenticationSession duoSession = duoSessionManager.resume(duoState); + + // Get the token from the DuoClient using the code and username, and check status + Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, duoSession.getUsername()); + if (token == null + || token.getAuth_result() == null + || !DUO_TOKEN_SUCCESS_VALUE.equals(token.getAuth_result().getStatus())) throw new TranslatableGuacamoleClientException("Provided Duo " + "validation code is incorrect.", "LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT"); + } + catch (DuoException e) { + throw new GuacamoleServerException("Duo Client error.", e); + } + catch (URISyntaxException e) { + throw new GuacamoleServerException("Error creating URI from Duo Authentication URL.", e); + } } } diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoCookie.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoCookie.java deleted file mode 100644 index 6fa2a88c4..000000000 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoCookie.java +++ /dev/null @@ -1,245 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.duo.api; - -import com.google.common.io.BaseEncoding; -import java.io.UnsupportedEncodingException; -import java.util.regex.Matcher; -import java.util.regex.Pattern; -import org.apache.guacamole.GuacamoleClientException; -import org.apache.guacamole.GuacamoleException; - -/** - * Data which describes the identity of the user being verified by Duo. - */ -public class DuoCookie { - - /** - * Pattern which matches valid cookies. Each cookie is made up of three - * sections, separated from each other by pipe symbols ("|"). - */ - private static final Pattern COOKIE_FORMAT = Pattern.compile("([^|]+)\\|([^|]+)\\|([0-9]+)"); - - /** - * The index of the capturing group within COOKIE_FORMAT which contains the - * username. - */ - private static final int USERNAME_GROUP = 1; - - /** - * The index of the capturing group within COOKIE_FORMAT which contains the - * integration key. - */ - private static final int INTEGRATION_KEY_GROUP = 2; - - /** - * The index of the capturing group within COOKIE_FORMAT which contains the - * expiration timestamp. - */ - private static final int EXPIRATION_TIMESTAMP_GROUP = 3; - - /** - * The username of the user being verified. - */ - private final String username; - - /** - * The integration key provided by Duo and specific to this deployment of - * Guacamole. - */ - private final String integrationKey; - - /** - * The time that this cookie expires, in seconds since midnight of - * 1970-01-01 (UTC). - */ - private final long expires; - - /** - * Creates a new DuoCookie which describes the identity of a user being - * verified. - * - * @param username - * The username of the user being verified. - * - * @param integrationKey - * The integration key provided by Duo and specific to this deployment - * of Guacamole. - * - * @param expires - * The time that this cookie expires, in seconds since midnight of - * 1970-01-01 (UTC). - */ - public DuoCookie(String username, String integrationKey, long expires) { - this.username = username; - this.integrationKey = integrationKey; - this.expires = expires; - } - - /** - * Returns the username of the user being verified. - * - * @return - * The username of the user being verified. - */ - public String getUsername() { - return username; - } - - /** - * Returns the integration key provided by Duo and specific to this - * deployment of Guacamole. - * - * @return - * The integration key provided by Duo and specific to this deployment - * of Guacamole. - */ - public String getIntegrationKey() { - return integrationKey; - } - - /** - * Returns the time that this cookie expires. The expiration time is - * represented in seconds since midnight of 1970-01-01 (UTC). - * - * @return - * The time that this cookie expires, in seconds since midnight of - * 1970-01-01 (UTC). - */ - public long getExpirationTimestamp(){ - return expires; - } - - /** - * Returns the current time as the number of seconds elapsed since - * midnight of 1970-01-01 (UTC). - * - * @return - * The current time as the number of seconds elapsed since midnight of - * 1970-01-01 (UTC). - */ - public static long currentTimestamp() { - return System.currentTimeMillis() / 1000; - } - - /** - * Returns whether this cookie has expired (the current time has met or - * exceeded the expiration timestamp). - * - * @return - * true if this cookie has expired, false otherwise. - */ - public boolean isExpired() { - return currentTimestamp() >= expires; - } - - /** - * Parses a base64-encoded Duo cookie, producing a new DuoCookie object - * containing the data therein. If the given string is not a valid Duo - * cookie, an exception is thrown. Note that the cookie may be expired, and - * must be checked for expiration prior to actual use. - * - * @param str - * The base64-encoded Duo cookie to parse. - * - * @return - * A new DuoCookie object containing the same data as the given - * base64-encoded Duo cookie string. - * - * @throws GuacamoleException - * If the given string is not a valid base64-encoded Duo cookie. - */ - public static DuoCookie parseDuoCookie(String str) throws GuacamoleException { - - // Attempt to decode data as base64 - String data; - try { - data = new String(BaseEncoding.base64().decode(str), "UTF-8"); - } - - // Bail if invalid base64 is provided - catch (IllegalArgumentException e) { - throw new GuacamoleClientException("Username is not correctly " - + "encoded as base64.", e); - } - - // Throw hard errors if standard pieces of Java are missing - catch (UnsupportedEncodingException e) { - throw new UnsupportedOperationException("Unexpected lack of " - + "UTF-8 support.", e); - } - - // Verify format of provided data - Matcher matcher = COOKIE_FORMAT.matcher(data); - if (!matcher.matches()) - throw new GuacamoleClientException("Format of base64-encoded " - + "username is invalid."); - - // Get username and key (simple strings) - String username = matcher.group(USERNAME_GROUP); - String key = matcher.group(INTEGRATION_KEY_GROUP); - - // Parse expiration time - long expires; - try { - expires = Long.parseLong(matcher.group(EXPIRATION_TIMESTAMP_GROUP)); - } - - // Bail if expiration timestamp is not a valid long - catch (NumberFormatException e) { - throw new GuacamoleClientException("Expiration timestamp is " - + "not valid.", e); - } - - // Return parsed cookie - return new DuoCookie(username, key, expires); - - } - - /** - * Returns the base64-encoded string representation of this DuoCookie. The - * format used is identical to that required by the Duo service: the - * username, integration key, and expiration timestamp separated by pipe - * symbols ("|") and encoded with base64. - * - * @return - * The base64-encoded string representation of this DuoCookie. - */ - @Override - public String toString() { - - try { - - // Separate each cookie field with pipe symbols - String data = username + "|" + integrationKey + "|" + expires; - - // Encode resulting cookie string with base64 - return BaseEncoding.base64().encode(data.getBytes("UTF-8")); - - } - - // Throw hard errors if standard pieces of Java are missing - catch (UnsupportedEncodingException e) { - throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e); - } - - } - -} diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoService.java deleted file mode 100644 index 11cca13c5..000000000 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/DuoService.java +++ /dev/null @@ -1,205 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.duo.api; - -import com.google.inject.Inject; -import java.util.regex.Matcher; -import java.util.regex.Pattern; -import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.duo.conf.ConfigurationService; -import org.apache.guacamole.net.auth.AuthenticatedUser; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -/** - * Service which produces signed requests and parses/verifies signed responses - * as required by Duo's API. - */ -public class DuoService { - - /** - * Logger for this class. - */ - private static final Logger logger = LoggerFactory.getLogger(DuoService.class); - - /** - * Pattern which matches valid Duo responses. Each response is made up of - * two sections, separated from each other by a colon, where each section - * is a signed Duo cookie. - */ - private static final Pattern RESPONSE_FORMAT = Pattern.compile("([^:]+):([^:]+)"); - - /** - * The index of the capturing group within RESPONSE_FORMAT which - * contains the DUO_RESPONSE cookie signed by the secret key. - */ - private static final int DUO_COOKIE_GROUP = 1; - - /** - * The index of the capturing group within RESPONSE_FORMAT which - * contains the APPLICATION cookie signed by the application key. - */ - private static final int APP_COOKIE_GROUP = 2; - - /** - * The amount of time that each generated cookie remains valid, in seconds. - */ - private static final int COOKIE_EXPIRATION_TIME = 300; - - /** - * Service for retrieving Duo configuration information. - */ - @Inject - private ConfigurationService confService; - - /** - * Creates and signs a new request to verify the identity of the given - * user. This request may ultimately be sent to Duo, resulting in a signed - * response from Duo if that verification succeeds. - * - * @param authenticatedUser - * The user whose identity should be verified. - * - * @return - * A signed user verification request which can be sent to Duo. - * - * @throws GuacamoleException - * If required Duo-specific configuration options are missing or - * invalid, or if an error prevents generation of the signature. - */ - public String createSignedRequest(AuthenticatedUser authenticatedUser) - throws GuacamoleException { - - // Generate a cookie associating the username with the integration key - DuoCookie cookie = new DuoCookie(authenticatedUser.getIdentifier(), - confService.getIntegrationKey(), - DuoCookie.currentTimestamp() + COOKIE_EXPIRATION_TIME); - - // Sign cookie with secret key - SignedDuoCookie duoCookie = new SignedDuoCookie(cookie, - SignedDuoCookie.Type.DUO_REQUEST, - confService.getSecretKey()); - - // Sign cookie with application key - SignedDuoCookie appCookie = new SignedDuoCookie(cookie, - SignedDuoCookie.Type.APPLICATION, - confService.getApplicationKey()); - - // Return signed request containing both signed cookies, separated by - // a colon (as required by Duo) - return duoCookie + ":" + appCookie; - - } - - /** - * Returns whether the given signed response is a valid response from Duo - * which verifies the identity of the given user. If the given response is - * invalid or does not verify the identity of the given user (including if - * it is a valid response which verifies the identity of a DIFFERENT user), - * false is returned. - * - * @param authenticatedUser - * The user that the given signed response should verify. - * - * @param signedResponse - * The signed response received from Duo in response to a signed - * request. - * - * @return - * true if the signed response is a valid response from Duo AND verifies - * the identity of the given user, false otherwise. - * - * @throws GuacamoleException - * If required Duo-specific configuration options are missing or - * invalid, or if an error occurs prevents validation of the signature. - */ - public boolean isValidSignedResponse(AuthenticatedUser authenticatedUser, - String signedResponse) throws GuacamoleException { - - SignedDuoCookie duoCookie; - SignedDuoCookie appCookie; - - // Retrieve username from externally-authenticated user - String username = authenticatedUser.getIdentifier(); - - // Retrieve Duo-specific keys from configuration - String applicationKey = confService.getApplicationKey(); - String integrationKey = confService.getIntegrationKey(); - String secretKey = confService.getSecretKey(); - - try { - - // Verify format of response - Matcher matcher = RESPONSE_FORMAT.matcher(signedResponse); - if (!matcher.matches()) { - logger.debug("Duo response is not in correct format."); - return false; - } - - // Parse signed cookie defining the user verified by Duo - duoCookie = SignedDuoCookie.parseSignedDuoCookie(secretKey, - matcher.group(DUO_COOKIE_GROUP)); - - // Parse signed cookie defining the user this application - // originally requested - appCookie = SignedDuoCookie.parseSignedDuoCookie(applicationKey, - matcher.group(APP_COOKIE_GROUP)); - - } - - // Simply return false if signature fails to verify - catch (GuacamoleException e) { - logger.debug("Duo signature verification failed.", e); - return false; - } - - // Verify neither cookie is expired - if (duoCookie.isExpired() || appCookie.isExpired()) { - logger.debug("Duo response contained expired cookie(s)."); - return false; - } - - // Verify the cookies in the response have the correct types - if (duoCookie.getType() != SignedDuoCookie.Type.DUO_RESPONSE - || appCookie.getType() != SignedDuoCookie.Type.APPLICATION) { - logger.debug("Duo response did not contain correct cookie type(s)."); - return false; - } - - // Verify integration key matches both cookies - if (!duoCookie.getIntegrationKey().equals(integrationKey) - || !appCookie.getIntegrationKey().equals(integrationKey)) { - logger.debug("Integration key of Duo response is incorrect."); - return false; - } - - // Verify both cookies are for the current user - if (!duoCookie.getUsername().equals(username) - || !appCookie.getUsername().equals(username)) { - logger.debug("Username of Duo response is incorrect."); - return false; - } - - // All verifications tests pass - return true; - - } - -} diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/SignedDuoCookie.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/SignedDuoCookie.java deleted file mode 100644 index c959acdd1..000000000 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/api/SignedDuoCookie.java +++ /dev/null @@ -1,332 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.duo.api; - -import com.google.common.io.BaseEncoding; -import java.io.UnsupportedEncodingException; -import java.security.InvalidKeyException; -import java.security.NoSuchAlgorithmException; -import java.util.regex.Matcher; -import java.util.regex.Pattern; -import javax.crypto.Mac; -import javax.crypto.spec.SecretKeySpec; -import org.apache.guacamole.GuacamoleClientException; -import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.GuacamoleServerException; - -/** - * A DuoCookie which is cryptographically signed with a provided key using - * HMAC-SHA1. - */ -public class SignedDuoCookie extends DuoCookie { - - /** - * Pattern which matches valid signed cookies. Like unsigned cookies, each - * signed cookie is made up of three sections, separated from each other by - * pipe symbols ("|"). - */ - private static final Pattern SIGNED_COOKIE_FORMAT = Pattern.compile("([^|]+)\\|([^|]+)\\|([0-9a-f]+)"); - - /** - * The index of the capturing group within SIGNED_COOKIE_FORMAT which - * contains the cookie type prefix. - */ - private static final int PREFIX_GROUP = 1; - - /** - * The index of the capturing group within SIGNED_COOKIE_FORMAT which - * contains the cookie's base64-encoded data. - */ - private static final int DATA_GROUP = 2; - - /** - * The index of the capturing group within SIGNED_COOKIE_FORMAT which - * contains the signature. - */ - private static final int SIGNATURE_GROUP = 3; - - /** - * The signature algorithm that should be used to sign the cookie, as - * defined by: - * http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#Mac - */ - private static final String SIGNATURE_ALGORITHM = "HmacSHA1"; - - /** - * The type of a signed Duo cookie. Each signed Duo cookie has an - * associated type which determines the prefix included in the string - * representation of that cookie. As that type is included in the data - * that is signed, different types will result in different signatures, - * even if the data portion of the cookie is otherwise identical. - */ - public enum Type { - - /** - * A Duo cookie which has been signed with the secret key for inclusion - * in a Duo request. - */ - DUO_REQUEST("TX"), - - /** - * A Duo cookie which has been signed with the secret key by Duo and - * was included in a Duo response. - */ - DUO_RESPONSE("AUTH"), - - /** - * A Duo cookie which has been signed with the application key for - * inclusion in a Duo request. Such cookies are also included in Duo - * responses, for verification by the application. - */ - APPLICATION("APP"); - - /** - * The prefix associated with the Duo cookie type. This prefix will - * be included in the string representation of the cookie. - */ - private final String prefix; - - /** - * Creates a new Duo cookie type associated with the given string - * prefix. This prefix will be included in the string representation of - * the cookie. - * - * @param prefix - * The prefix to associated with the Duo cookie type. - */ - Type(String prefix) { - this.prefix = prefix; - } - - /** - * Returns the prefix associated with the Duo cookie type. - * - * @return - * The prefix to associated with this Duo cookie type. - */ - public String getPrefix() { - return prefix; - } - - /** - * Returns the cookie type associated with the given prefix. If no such - * cookie type exists, null is returned. - * - * @param prefix - * The prefix of the cookie type to search for. - * - * @return - * The cookie type associated with the given prefix, or null if no - * such cookie type exists. - */ - public static Type fromPrefix(String prefix) { - - // Search through all defined cookie types for the given prefix - for (Type type : Type.values()) { - if (type.getPrefix().equals(prefix)) - return type; - } - - // No such cookie type exists - return null; - - } - - } - - /** - * The type of this Duo cookie. - */ - private final Type type; - - /** - * The signature produced when the cookie was signed with HMAC-SHA1. The - * signature covers the prefix of the type and the cookie's base64-encoded - * data, separated by a pipe symbol. - */ - private final String signature; - - /** - * Creates a new SignedDuoCookie which describes the identity of a user - * being verified and is cryptographically signed with HMAC-SHA1 by a given - * key. - * - * @param cookie - * The cookie defining the identity being verified. - * - * @param type - * The type of the cookie being created. - * - * @param key - * The key to use to generate the cryptographic signature. This key - * will not be stored within the cookie. - * - * @throws GuacamoleException - * If the given signing key is invalid. - */ - public SignedDuoCookie(DuoCookie cookie, Type type, String key) - throws GuacamoleException { - - // Init underlying cookie - super(cookie.getUsername(), cookie.getIntegrationKey(), - cookie.getExpirationTimestamp()); - - // Store cookie type and signature - this.type = type; - this.signature = sign(key, type.getPrefix() + "|" + cookie.toString()); - - } - - /** - * Signs the given arbitrary string data with the given key using the - * algorithm defined by SIGNATURE_ALGORITHM. Both the data and the key will - * be interpreted as UTF-8 bytes. - * - * @param key - * The key which should be used to sign the given data. - * - * @param data - * The data being signed. - * - * @return - * The signature produced by signing the given data with the given key, - * encoded as lowercase hexadecimal. - * - * @throws GuacamoleException - * If the given signing key is invalid. - */ - private static String sign(String key, String data) throws GuacamoleException { - - try { - - // Attempt to sign UTF-8 bytes of provided data - Mac mac = Mac.getInstance(SIGNATURE_ALGORITHM); - mac.init(new SecretKeySpec(key.getBytes("UTF-8"), SIGNATURE_ALGORITHM)); - - // Return signature as hex - return BaseEncoding.base16().lowerCase().encode(mac.doFinal(data.getBytes("UTF-8"))); - - } - - // Re-throw any errors which prevent signature - catch (InvalidKeyException e){ - throw new GuacamoleServerException("Signing key is invalid.", e); - } - - // Throw hard errors if standard pieces of Java are missing - catch (UnsupportedEncodingException e) { - throw new UnsupportedOperationException("Unexpected lack of UTF-8 support.", e); - } - catch (NoSuchAlgorithmException e) { - throw new UnsupportedOperationException("Unexpected lack of support " - + "for required signature algorithm " - + "\"" + SIGNATURE_ALGORITHM + "\".", e); - } - - } - - /** - * Returns the type of this Duo cookie. The Duo cookie type is dictated - * by the context of the cookie's use, and is included with the cookie's - * underlying data when generating the signature. - * - * @return - * The type of this Duo cookie. - */ - public Type getType() { - return type; - } - - /** - * Returns the signature produced when the cookie was signed with HMAC-SHA1. - * The signature covers the prefix of the cookie's type and the cookie's - * base64-encoded data, separated by a pipe symbol. - * - * @return - * The signature produced when the cookie was signed with HMAC-SHA1. - */ - public String getSignature() { - return signature; - } - - /** - * Parses a signed Duo cookie string, such as that produced by the - * toString() function or received from the Duo service, producing a new - * SignedDuoCookie object containing the associated cookie data and - * signature. If the given string is not a valid Duo cookie, or if the - * signature is incorrect, an exception is thrown. Note that the cookie may - * be expired, and must be checked for expiration prior to actual use. - * - * @param key - * The key that was used to sign the Duo cookie. - * - * @param str - * The Duo cookie string to parse. - * - * @return - * A new SignedDuoCookie object containing the same data and signature - * as the given Duo cookie string. - * - * @throws GuacamoleException - * If the given string is not a valid Duo cookie string, or if the - * signature of the cookie is invalid. - */ - public static SignedDuoCookie parseSignedDuoCookie(String key, String str) - throws GuacamoleException { - - // Verify format of provided data - Matcher matcher = SIGNED_COOKIE_FORMAT.matcher(str); - if (!matcher.matches()) - throw new GuacamoleClientException("Format of signed Duo cookie " - + "is invalid."); - - // Parse type from prefix - Type type = Type.fromPrefix(matcher.group(PREFIX_GROUP)); - if (type == null) - throw new GuacamoleClientException("Invalid Duo cookie prefix."); - - // Parse cookie from base64-encoded data - DuoCookie cookie = DuoCookie.parseDuoCookie(matcher.group(DATA_GROUP)); - - // Verify signature of cookie - SignedDuoCookie signedCookie = new SignedDuoCookie(cookie, type, key); - if (!signedCookie.getSignature().equals(matcher.group(SIGNATURE_GROUP))) - throw new GuacamoleClientException("Duo cookie has incorrect signature."); - - // Cookie has valid signature and has parsed successfully - return signedCookie; - - } - - /** - * Returns the string representation of this SignedDuoCookie. The format - * used is identical to that required by the Duo service: the type prefix, - * base64-encoded cookie data, and HMAC-SHA1 signature separated by pipe - * symbols ("|"). - * - * @return - * The string representation of this SignedDuoCookie. - */ - @Override - public String toString() { - return type.getPrefix() + "|" + super.toString() + "|" + signature; - } - -} diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java index 40ccde9e0..212b4a618 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java @@ -20,9 +20,12 @@ package org.apache.guacamole.auth.duo.conf; import com.google.inject.Inject; +import java.net.URI; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.environment.Environment; +import org.apache.guacamole.properties.IntegerGuacamoleProperty; import org.apache.guacamole.properties.StringGuacamoleProperty; +import org.apache.guacamole.properties.URIGuacamoleProperty; /** * Service for retrieving configuration information regarding the Duo @@ -56,11 +59,11 @@ public class ConfigurationService { * key received from Duo for verifying Guacamole users. This value MUST be * exactly 20 characters. */ - private static final StringGuacamoleProperty DUO_INTEGRATION_KEY = + private static final StringGuacamoleProperty DUO_CLIENT_ID = new StringGuacamoleProperty() { @Override - public String getName() { return "duo-integration-key"; } + public String getName() { return "duo-client-id"; } }; @@ -69,26 +72,38 @@ public class ConfigurationService { * received from Duo for verifying Guacamole users. This value MUST be * exactly 40 characters. */ - private static final StringGuacamoleProperty DUO_SECRET_KEY = + private static final StringGuacamoleProperty DUO_CLIENT_SECRET = new StringGuacamoleProperty() { @Override - public String getName() { return "duo-secret-key"; } + public String getName() { return "duo-client-secret"; } }; - + /** - * The property within guacamole.properties which defines the arbitrary - * random key which was generated for Guacamole. Note that this value is not - * provided by Duo, but is expected to be generated by the administrator of - * the system hosting Guacamole. This value MUST be at least 40 characters. + * The property within guacamole.properties which defines the redirect URL + * that Duo will call after the second factor has been completed. This + * should be the URL used to access Guacamole. */ - private static final StringGuacamoleProperty DUO_APPLICATION_KEY = - new StringGuacamoleProperty() { - + private static final URIGuacamoleProperty DUO_REDIRECT_URL = + new URIGuacamoleProperty() { + @Override - public String getName() { return "duo-application-key"; } - + public String getName() { return "duo-redirect-url"; } + + }; + + /** + * The property that configures the timeout, in seconds, of in-progress + * Duo authentication attempts. Authentication attempts that take longer + * than this period of time will be invalidated. + */ + private static final IntegerGuacamoleProperty DUO_AUTH_TIMEOUT = + new IntegerGuacamoleProperty() { + + @Override + public String getName() { return "duo-auth-timeout"; } + }; /** @@ -110,51 +125,65 @@ public class ConfigurationService { } /** - * Returns the integration key received from Duo for verifying Guacamole - * users, as defined in guacamole.properties by the "duo-integration-key" + * Returns the Duo client id received from Duo for verifying Guacamole + * users, as defined in guacamole.properties by the "duo-client-id" * property. This value MUST be exactly 20 characters. * * @return - * The integration key received from Duo for verifying Guacamole - * users. + * The client id received from Duo for verifying Guacamole users. * * @throws GuacamoleException * If the associated property within guacamole.properties is missing. */ - public String getIntegrationKey() throws GuacamoleException { - return environment.getRequiredProperty(DUO_INTEGRATION_KEY); + public String getClientId() throws GuacamoleException { + return environment.getRequiredProperty(DUO_CLIENT_ID); } /** - * Returns the secret key received from Duo for verifying Guacamole users, - * as defined in guacamole.properties by the "duo-secret-key" property. This - * value MUST be exactly 20 characters. + * Returns the client secert received from Duo for verifying Guacamole users, + * as defined in guacamole.properties by the "duo-client-secert" property. + * This value MUST be exactly 20 characters. * * @return - * The secret key received from Duo for verifying Guacamole users. + * The client secret received from Duo for verifying Guacamole users. * * @throws GuacamoleException * If the associated property within guacamole.properties is missing. */ - public String getSecretKey() throws GuacamoleException { - return environment.getRequiredProperty(DUO_SECRET_KEY); + public String getClientSecret() throws GuacamoleException { + return environment.getRequiredProperty(DUO_CLIENT_SECRET); } - + /** - * Returns the arbitrary random key which was generated for Guacamole, as - * defined in guacamole.properties by the "duo-application-key" property. - * Note that this value is not provided by Duo, but is expected to be - * generated by the administrator of the system hosting Guacamole. This - * value MUST be at least 40 characters. - * + * Return the callback URL that will be called by Duo after authentication + * with Duo has been completed. This should be the URL to return the user + * to the Guacamole interface, and will be a full URL. + * * @return - * The arbitrary random key which was generated for Guacamole. - * - * @throws GuacamoleException - * If the associated property within guacamole.properties is missing. + * The URL for Duo to use to callback to the Guacamole interface after + * authentication has been completed. + * + * @throws GuacamoleException + * If guacamole.properties cannot be read, or if the property is not + * defined. */ - public String getApplicationKey() throws GuacamoleException { - return environment.getRequiredProperty(DUO_APPLICATION_KEY); + public URI getRedirectUrl() throws GuacamoleException { + return environment.getRequiredProperty(DUO_REDIRECT_URL); + } + + /** + * Return the number of seconds after which in-progress authentication attempts with + * Duo should be invalidated. The default is 30 seconds. + * + * @return + * The number of seconds after which in-progress Duo MFA attempts should + * be invalidated. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed. + */ + public int getAuthTimeout() throws GuacamoleException { + return environment.getProperty(DUO_AUTH_TIMEOUT, 30); } } diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/form/DuoSignedResponseField.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/form/DuoSignedResponseField.java deleted file mode 100644 index df46a3122..000000000 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/form/DuoSignedResponseField.java +++ /dev/null @@ -1,98 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.duo.form; - -import org.apache.guacamole.form.Field; - -/** - * A custom field type which uses the DuoWeb API to produce a signed response - * for a particular user. The signed response serves as an additional - * authentication factor, as it cryptographically verifies possession of the - * physical device associated with that user's Duo account. - */ -public class DuoSignedResponseField extends Field { - - /** - * The name of the HTTP parameter which an instance of this field will - * populate within a user's credentials. - */ - public static final String PARAMETER_NAME = "guac-duo-signed-response"; - - /** - * The unique name associated with this field type. - */ - private static final String FIELD_TYPE_NAME = "GUAC_DUO_SIGNED_RESPONSE"; - - /** - * The hostname of the DuoWeb API endpoint. - */ - private final String apiHost; - - /** - * The signed request generated by a call to DuoWeb.signRequest(). - */ - private final String signedRequest; - - /** - * Creates a new field which uses the DuoWeb API to prompt the user for - * additional credentials. The provided credentials, if valid, will - * ultimately be verified by Duo's service, resulting in a signed response - * which can be cryptographically verified. - * - * @param apiHost - * The hostname of the DuoWeb API endpoint. - * - * @param signedRequest - * A signed request generated for the user in question by a call to - * DuoWeb.signRequest(). - */ - public DuoSignedResponseField(String apiHost, String signedRequest) { - - // Init base field type properties - super(PARAMETER_NAME, FIELD_TYPE_NAME); - - // Init Duo-specific properties - this.apiHost = apiHost; - this.signedRequest = signedRequest; - - } - - /** - * Returns the hostname of the DuoWeb API endpoint. - * - * @return - * The hostname of the DuoWeb API endpoint. - */ - public String getApiHost() { - return apiHost; - } - - /** - * Returns the signed request string, which must have been generated by a - * call to DuoWeb.signRequest(). - * - * @return - * The signed request generated by a call to DuoWeb.signRequest(). - */ - public String getSignedRequest() { - return signedRequest; - } - -} diff --git a/extensions/guacamole-auth-duo/src/main/resources/config/duoConfig.js b/extensions/guacamole-auth-duo/src/main/resources/config/duoConfig.js deleted file mode 100644 index 43c37dc0c..000000000 --- a/extensions/guacamole-auth-duo/src/main/resources/config/duoConfig.js +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -/** - * Config block which registers Duo-specific field types. - */ -angular.module('guacDuo').config(['formServiceProvider', - function guacDuoConfig(formServiceProvider) { - - // Define field for the signed response from the Duo service - formServiceProvider.registerFieldType('GUAC_DUO_SIGNED_RESPONSE', { - module : 'guacDuo', - controller : 'duoSignedResponseController', - templateUrl : 'app/ext/duo/templates/duoSignedResponseField.html' - }); - -}]); diff --git a/extensions/guacamole-auth-duo/src/main/resources/controllers/duoSignedResponseController.js b/extensions/guacamole-auth-duo/src/main/resources/controllers/duoSignedResponseController.js deleted file mode 100644 index b4ca4f360..000000000 --- a/extensions/guacamole-auth-duo/src/main/resources/controllers/duoSignedResponseController.js +++ /dev/null @@ -1,86 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -/** - * Controller for the "GUAC_DUO_SIGNED_RESPONSE" field which uses the DuoWeb - * API to prompt the user for additional credentials, ultimately receiving a - * signed response from the Duo service. - */ -angular.module('guacDuo').controller('duoSignedResponseController', ['$scope', '$element', - function duoSignedResponseController($scope, $element) { - - /** - * The iframe which contains the Duo authentication interface. - * - * @type HTMLIFrameElement - */ - var iframe = $element.find('iframe')[0]; - - /** - * The submit button which should be used to submit the login form once - * the Duo response has been received. - * - * @type HTMLInputElement - */ - var submit = $element.find('input[type="submit"]')[0]; - - /** - * Whether the Duo interface has finished loading within the iframe. - * - * @type Boolean - */ - $scope.duoInterfaceLoaded = false; - - /** - * Submits the signed response from Duo once the user has authenticated. - * This is a callback invoked by the DuoWeb API after the user has been - * verified and the signed response has been received. - * - * @param {HTMLFormElement} form - * The form element provided by the DuoWeb API containing the signed - * response as the value of an input field named "sig_response". - */ - var submitSignedResponse = function submitSignedResponse(form) { - - // Update model to match received response - $scope.$apply(function updateModel() { - $scope.model = form.elements['sig_response'].value; - }); - - // Submit updated credentials - submit.click(); - - }; - - // Update Duo loaded state when iframe finishes loading - iframe.onload = function duoLoaded() { - $scope.$apply(function updateLoadedState() { - $scope.duoInterfaceLoaded = true; - }); - }; - - // Initialize Duo interface within iframe - Duo.init({ - iframe : iframe, - host : $scope.field.apiHost, - sig_request : $scope.field.signedRequest, - submit_callback : submitSignedResponse - }); - -}]); diff --git a/extensions/guacamole-auth-duo/src/main/resources/guac-manifest.json b/extensions/guacamole-auth-duo/src/main/resources/guac-manifest.json index 5d98adca4..2a9d727a9 100644 --- a/extensions/guacamole-auth-duo/src/main/resources/guac-manifest.json +++ b/extensions/guacamole-auth-duo/src/main/resources/guac-manifest.json @@ -20,18 +20,6 @@ "translations/pt.json", "translations/ru.json", "translations/zh.json" - ], - - "js" : [ - "duo.min.js" - ], - - "css" : [ - "duo.min.css" - ], - - "resources" : { - "templates/duoSignedResponseField.html" : "text/html" - } + ] } diff --git a/extensions/guacamole-auth-duo/src/main/resources/lib/DuoWeb/Duo-Web-v2.js b/extensions/guacamole-auth-duo/src/main/resources/lib/DuoWeb/Duo-Web-v2.js deleted file mode 100644 index a02a95756..000000000 --- a/extensions/guacamole-auth-duo/src/main/resources/lib/DuoWeb/Duo-Web-v2.js +++ /dev/null @@ -1,366 +0,0 @@ -/** - * Duo Web SDK v2 - * Copyright 2015, Duo Security - */ -window.Duo = (function(document, window) { - var DUO_MESSAGE_FORMAT = /^(?:AUTH|ENROLL)+\|[A-Za-z0-9\+\/=]+\|[A-Za-z0-9\+\/=]+$/; - var DUO_ERROR_FORMAT = /^ERR\|[\w\s\.\(\)]+$/; - - var iframeId = 'duo_iframe', - postAction = '', - postArgument = 'sig_response', - host, - sigRequest, - duoSig, - appSig, - iframe, - submitCallback; - - function throwError(message, url) { - throw new Error( - 'Duo Web SDK error: ' + message + - (url ? ('\n' + 'See ' + url + ' for more information') : '') - ); - } - - function hyphenize(str) { - return str.replace(/([a-z])([A-Z])/, '$1-$2').toLowerCase(); - } - - // cross-browser data attributes - function getDataAttribute(element, name) { - if ('dataset' in element) { - return element.dataset[name]; - } else { - return element.getAttribute('data-' + hyphenize(name)); - } - } - - // cross-browser event binding/unbinding - function on(context, event, fallbackEvent, callback) { - if ('addEventListener' in window) { - context.addEventListener(event, callback, false); - } else { - context.attachEvent(fallbackEvent, callback); - } - } - - function off(context, event, fallbackEvent, callback) { - if ('removeEventListener' in window) { - context.removeEventListener(event, callback, false); - } else { - context.detachEvent(fallbackEvent, callback); - } - } - - function onReady(callback) { - on(document, 'DOMContentLoaded', 'onreadystatechange', callback); - } - - function offReady(callback) { - off(document, 'DOMContentLoaded', 'onreadystatechange', callback); - } - - function onMessage(callback) { - on(window, 'message', 'onmessage', callback); - } - - function offMessage(callback) { - off(window, 'message', 'onmessage', callback); - } - - /** - * Parse the sig_request parameter, throwing errors if the token contains - * a server error or if the token is invalid. - * - * @param {String} sig Request token - */ - function parseSigRequest(sig) { - if (!sig) { - // nothing to do - return; - } - - // see if the token contains an error, throwing it if it does - if (sig.indexOf('ERR|') === 0) { - throwError(sig.split('|')[1]); - } - - // validate the token - if (sig.indexOf(':') === -1 || sig.split(':').length !== 2) { - throwError( - 'Duo was given a bad token. This might indicate a configuration ' + - 'problem with one of Duo\'s client libraries.', - 'https://www.duosecurity.com/docs/duoweb#first-steps' - ); - } - - var sigParts = sig.split(':'); - - // hang on to the token, and the parsed duo and app sigs - sigRequest = sig; - duoSig = sigParts[0]; - appSig = sigParts[1]; - - return { - sigRequest: sig, - duoSig: sigParts[0], - appSig: sigParts[1] - }; - } - - /** - * This function is set up to run when the DOM is ready, if the iframe was - * not available during `init`. - */ - function onDOMReady() { - iframe = document.getElementById(iframeId); - - if (!iframe) { - throw new Error( - 'This page does not contain an iframe for Duo to use.' + - 'Add an element like ' + - 'to this page. ' + - 'See https://www.duosecurity.com/docs/duoweb#3.-show-the-iframe ' + - 'for more information.' - ); - } - - // we've got an iframe, away we go! - ready(); - - // always clean up after yourself - offReady(onDOMReady); - } - - /** - * Validate that a MessageEvent came from the Duo service, and that it - * is a properly formatted payload. - * - * The Google Chrome sign-in page injects some JS into pages that also - * make use of postMessage, so we need to do additional validation above - * and beyond the origin. - * - * @param {MessageEvent} event Message received via postMessage - */ - function isDuoMessage(event) { - return Boolean( - event.origin === ('https://' + host) && - typeof event.data === 'string' && - ( - event.data.match(DUO_MESSAGE_FORMAT) || - event.data.match(DUO_ERROR_FORMAT) - ) - ); - } - - /** - * Validate the request token and prepare for the iframe to become ready. - * - * All options below can be passed into an options hash to `Duo.init`, or - * specified on the iframe using `data-` attributes. - * - * Options specified using the options hash will take precedence over - * `data-` attributes. - * - * Example using options hash: - * ```javascript - * Duo.init({ - * iframe: "some_other_id", - * host: "api-main.duo.test", - * sig_request: "...", - * post_action: "/auth", - * post_argument: "resp" - * }); - * ``` - * - * Example using `data-` attributes: - * ``` - * - * ``` - * - * @param {Object} options - * @param {String} options.iframe The iframe, or id of an iframe to set up - * @param {String} options.host Hostname - * @param {String} options.sig_request Request token - * @param {String} [options.post_action=''] URL to POST back to after successful auth - * @param {String} [options.post_argument='sig_response'] Parameter name to use for response token - * @param {Function} [options.submit_callback] If provided, duo will not submit the form instead execute - * the callback function with reference to the "duo_form" form object - * submit_callback can be used to prevent the webpage from reloading. - */ - function init(options) { - if (options) { - if (options.host) { - host = options.host; - } - - if (options.sig_request) { - parseSigRequest(options.sig_request); - } - - if (options.post_action) { - postAction = options.post_action; - } - - if (options.post_argument) { - postArgument = options.post_argument; - } - - if (options.iframe) { - if ('tagName' in options.iframe) { - iframe = options.iframe; - } else if (typeof options.iframe === 'string') { - iframeId = options.iframe; - } - } - - if (typeof options.submit_callback === 'function') { - submitCallback = options.submit_callback; - } - } - - // if we were given an iframe, no need to wait for the rest of the DOM - if (iframe) { - ready(); - } else { - // try to find the iframe in the DOM - iframe = document.getElementById(iframeId); - - // iframe is in the DOM, away we go! - if (iframe) { - ready(); - } else { - // wait until the DOM is ready, then try again - onReady(onDOMReady); - } - } - - // always clean up after yourself! - offReady(init); - } - - /** - * This function is called when a message was received from another domain - * using the `postMessage` API. Check that the event came from the Duo - * service domain, and that the message is a properly formatted payload, - * then perform the post back to the primary service. - * - * @param event Event object (contains origin and data) - */ - function onReceivedMessage(event) { - if (isDuoMessage(event)) { - // the event came from duo, do the post back - doPostBack(event.data); - - // always clean up after yourself! - offMessage(onReceivedMessage); - } - } - - /** - * Point the iframe at Duo, then wait for it to postMessage back to us. - */ - function ready() { - if (!host) { - host = getDataAttribute(iframe, 'host'); - - if (!host) { - throwError( - 'No API hostname is given for Duo to use. Be sure to pass ' + - 'a `host` parameter to Duo.init, or through the `data-host` ' + - 'attribute on the iframe element.', - 'https://www.duosecurity.com/docs/duoweb#3.-show-the-iframe' - ); - } - } - - if (!duoSig || !appSig) { - parseSigRequest(getDataAttribute(iframe, 'sigRequest')); - - if (!duoSig || !appSig) { - throwError( - 'No valid signed request is given. Be sure to give the ' + - '`sig_request` parameter to Duo.init, or use the ' + - '`data-sig-request` attribute on the iframe element.', - 'https://www.duosecurity.com/docs/duoweb#3.-show-the-iframe' - ); - } - } - - // if postAction/Argument are defaults, see if they are specified - // as data attributes on the iframe - if (postAction === '') { - postAction = getDataAttribute(iframe, 'postAction') || postAction; - } - - if (postArgument === 'sig_response') { - postArgument = getDataAttribute(iframe, 'postArgument') || postArgument; - } - - // point the iframe at Duo - iframe.src = [ - 'https://', host, '/frame/web/v1/auth?tx=', duoSig, - '&parent=', encodeURIComponent(document.location.href), - '&v=2.3' - ].join(''); - - // listen for the 'message' event - onMessage(onReceivedMessage); - } - - /** - * We received a postMessage from Duo. POST back to the primary service - * with the response token, and any additional user-supplied parameters - * given in form#duo_form. - */ - function doPostBack(response) { - // create a hidden input to contain the response token - var input = document.createElement('input'); - input.type = 'hidden'; - input.name = postArgument; - input.value = response + ':' + appSig; - - // user may supply their own form with additional inputs - var form = document.getElementById('duo_form'); - - // if the form doesn't exist, create one - if (!form) { - form = document.createElement('form'); - - // insert the new form after the iframe - iframe.parentElement.insertBefore(form, iframe.nextSibling); - } - - // make sure we are actually posting to the right place - form.method = 'POST'; - form.action = postAction; - - // add the response token input to the form - form.appendChild(input); - - // away we go! - if (typeof submitCallback === "function") { - submitCallback.call(null, form); - } else { - form.submit(); - } - } - - // when the DOM is ready, initialize - // note that this will get cleaned up if the user calls init directly! - onReady(init); - - return { - init: init, - _parseSigRequest: parseSigRequest, - _isDuoMessage: isDuoMessage, - _doPostBack: doPostBack - }; -}(document, window)); diff --git a/extensions/guacamole-auth-duo/src/main/resources/lib/DuoWeb/LICENSE.js b/extensions/guacamole-auth-duo/src/main/resources/lib/DuoWeb/LICENSE.js deleted file mode 100644 index 58ead2175..000000000 --- a/extensions/guacamole-auth-duo/src/main/resources/lib/DuoWeb/LICENSE.js +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Copyright (c) 2011, Duo Security, Inc. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ \ No newline at end of file diff --git a/extensions/guacamole-auth-duo/src/main/resources/styles/duo.css b/extensions/guacamole-auth-duo/src/main/resources/styles/duo.css deleted file mode 100644 index 6d01a85cd..000000000 --- a/extensions/guacamole-auth-duo/src/main/resources/styles/duo.css +++ /dev/null @@ -1,62 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - - -.duo-signature-response-field-container { - height: 100%; - width: 100%; - position: fixed; - left: 0; - top: 0; - display: table; - background: white; -} - -.duo-signature-response-field { - width: 100%; - display: table-cell; - vertical-align: middle; -} - -.duo-signature-response-field input[type="submit"] { - display: none !important; -} - -.duo-signature-response-field iframe { - width: 100%; - max-width: 620px; - height: 330px; - border: none; - box-shadow: 4px 4px 8px rgba(0, 0, 0, 0.5); - display: block; - margin: 1.5em auto; -} - -.duo-signature-response-field iframe { - opacity: 1; - -webkit-transition: opacity 0.125s; - -moz-transition: opacity 0.125s; - -ms-transition: opacity 0.125s; - -o-transition: opacity 0.125s; - transition: opacity 0.125s; -} - -.duo-signature-response-field.loading iframe { - opacity: 0; -} diff --git a/extensions/guacamole-auth-duo/src/main/resources/templates/duoSignedResponseField.html b/extensions/guacamole-auth-duo/src/main/resources/templates/duoSignedResponseField.html deleted file mode 100644 index e51e1900b..000000000 --- a/extensions/guacamole-auth-duo/src/main/resources/templates/duoSignedResponseField.html +++ /dev/null @@ -1,6 +0,0 @@ -
-
- - -
-
From cbd7f60f5d2bdd7d1c10292fa620e39151042fde Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Thu, 5 Oct 2023 17:10:16 -0400 Subject: [PATCH 3/7] GUACAMOLE-1289: Licenses for updated Duo components. --- doc/licenses/apache-commons-codec-1.11/NOTICE | 17 ++ doc/licenses/apache-commons-codec-1.11/README | 8 + .../dep-coordinates.txt | 1 + doc/licenses/duo-universal-sdk-1.1.3/LICENSE | 25 +++ doc/licenses/duo-universal-sdk-1.1.3/README | 8 + .../dep-coordinates.txt | 1 + doc/licenses/java-jwt-3.3.0/LICENSE | 21 ++ doc/licenses/java-jwt-3.3.0/README | 8 + .../java-jwt-3.3.0/dep-coordinates.txt | 1 + doc/licenses/kotlin-1.4.10/NOTICE.txt | 2 + doc/licenses/kotlin-1.4.10/README | 8 + .../kotlin-1.4.10/dep-coordinates.txt | 5 + .../logging-interceptor-4.9.1/LICENSE.txt | 201 ++++++++++++++++++ doc/licenses/logging-interceptor-4.9.1/NOTICE | 13 ++ doc/licenses/logging-interceptor-4.9.1/README | 8 + .../dep-coordinates.txt | 1 + doc/licenses/okhttp-3.14.9/LICENSE.txt | 201 ++++++++++++++++++ doc/licenses/okhttp-3.14.9/NOTICE | 13 ++ doc/licenses/okhttp-3.14.9/README | 8 + .../okhttp-3.14.9/dep-coordinates.txt | 1 + doc/licenses/okio-1.17.2/LICENSE.txt | 201 ++++++++++++++++++ doc/licenses/okio-1.17.2/NOTICE | 13 ++ doc/licenses/okio-1.17.2/README | 8 + doc/licenses/okio-1.17.2/dep-coordinates.txt | 1 + doc/licenses/retrofit-2.9.0/LICENSE.txt | 201 ++++++++++++++++++ doc/licenses/retrofit-2.9.0/NOTICE | 13 ++ doc/licenses/retrofit-2.9.0/README | 8 + .../retrofit-2.9.0/dep-coordinates.txt | 2 + 28 files changed, 998 insertions(+) create mode 100644 doc/licenses/apache-commons-codec-1.11/NOTICE create mode 100644 doc/licenses/apache-commons-codec-1.11/README create mode 100644 doc/licenses/apache-commons-codec-1.11/dep-coordinates.txt create mode 100644 doc/licenses/duo-universal-sdk-1.1.3/LICENSE create mode 100644 doc/licenses/duo-universal-sdk-1.1.3/README create mode 100644 doc/licenses/duo-universal-sdk-1.1.3/dep-coordinates.txt create mode 100644 doc/licenses/java-jwt-3.3.0/LICENSE create mode 100644 doc/licenses/java-jwt-3.3.0/README create mode 100644 doc/licenses/java-jwt-3.3.0/dep-coordinates.txt create mode 100644 doc/licenses/kotlin-1.4.10/NOTICE.txt create mode 100644 doc/licenses/kotlin-1.4.10/README create mode 100644 doc/licenses/kotlin-1.4.10/dep-coordinates.txt create mode 100644 doc/licenses/logging-interceptor-4.9.1/LICENSE.txt create mode 100644 doc/licenses/logging-interceptor-4.9.1/NOTICE create mode 100644 doc/licenses/logging-interceptor-4.9.1/README create mode 100644 doc/licenses/logging-interceptor-4.9.1/dep-coordinates.txt create mode 100644 doc/licenses/okhttp-3.14.9/LICENSE.txt create mode 100644 doc/licenses/okhttp-3.14.9/NOTICE create mode 100644 doc/licenses/okhttp-3.14.9/README create mode 100644 doc/licenses/okhttp-3.14.9/dep-coordinates.txt create mode 100644 doc/licenses/okio-1.17.2/LICENSE.txt create mode 100644 doc/licenses/okio-1.17.2/NOTICE create mode 100644 doc/licenses/okio-1.17.2/README create mode 100644 doc/licenses/okio-1.17.2/dep-coordinates.txt create mode 100644 doc/licenses/retrofit-2.9.0/LICENSE.txt create mode 100644 doc/licenses/retrofit-2.9.0/NOTICE create mode 100644 doc/licenses/retrofit-2.9.0/README create mode 100644 doc/licenses/retrofit-2.9.0/dep-coordinates.txt diff --git a/doc/licenses/apache-commons-codec-1.11/NOTICE b/doc/licenses/apache-commons-codec-1.11/NOTICE new file mode 100644 index 000000000..9899d2108 --- /dev/null +++ b/doc/licenses/apache-commons-codec-1.11/NOTICE @@ -0,0 +1,17 @@ +Apache Commons Codec +Copyright 2002-2020 The Apache Software Foundation + +This product includes software developed at +The Apache Software Foundation (https://www.apache.org/). + +src/test/org/apache/commons/codec/language/DoubleMetaphoneTest.java +contains test data from http://aspell.net/test/orig/batch0.tab. +Copyright (C) 2002 Kevin Atkinson (kevina@gnu.org) + +=============================================================================== + +The content of package org.apache.commons.codec.language.bm has been translated +from the original php source code available at http://stevemorse.org/phoneticinfo.htm +with permission from the original authors. +Original source copyright: +Copyright (c) 2008 Alexander Beider & Stephen P. Morse. diff --git a/doc/licenses/apache-commons-codec-1.11/README b/doc/licenses/apache-commons-codec-1.11/README new file mode 100644 index 000000000..1c9959a73 --- /dev/null +++ b/doc/licenses/apache-commons-codec-1.11/README @@ -0,0 +1,8 @@ +Apache Commons Codec (http://commons.apache.org/proper/commons-codec/) +----------------------------------------------------------------------- + + Version: 1.11 + From: 'Apache Software Foundation' (https://www.apache.org/) + License(s): + Apache v2.0 + diff --git a/doc/licenses/apache-commons-codec-1.11/dep-coordinates.txt b/doc/licenses/apache-commons-codec-1.11/dep-coordinates.txt new file mode 100644 index 000000000..6eaa2d04e --- /dev/null +++ b/doc/licenses/apache-commons-codec-1.11/dep-coordinates.txt @@ -0,0 +1 @@ +commons-codec:commons-codec:jar:1.11 \ No newline at end of file diff --git a/doc/licenses/duo-universal-sdk-1.1.3/LICENSE b/doc/licenses/duo-universal-sdk-1.1.3/LICENSE new file mode 100644 index 000000000..369fbf813 --- /dev/null +++ b/doc/licenses/duo-universal-sdk-1.1.3/LICENSE @@ -0,0 +1,25 @@ +Copyright (c) 2022 Cisco Systems, Inc. and/or its affiliates +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. +2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. +3. The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \ No newline at end of file diff --git a/doc/licenses/duo-universal-sdk-1.1.3/README b/doc/licenses/duo-universal-sdk-1.1.3/README new file mode 100644 index 000000000..5bc1049ae --- /dev/null +++ b/doc/licenses/duo-universal-sdk-1.1.3/README @@ -0,0 +1,8 @@ +Duo Universal SDK for Java (https://duo.com/docs/duoweb) +-------------------------------------------------------- + + Version: 1.1.3 + From: 'Cisco Systems' + License(s): + Duo License (bundled/duo-universal-sdk-1.1.3/LICENSE) + diff --git a/doc/licenses/duo-universal-sdk-1.1.3/dep-coordinates.txt b/doc/licenses/duo-universal-sdk-1.1.3/dep-coordinates.txt new file mode 100644 index 000000000..e89d39cd9 --- /dev/null +++ b/doc/licenses/duo-universal-sdk-1.1.3/dep-coordinates.txt @@ -0,0 +1 @@ +com.duosecurity:duo-universal-sdk:jar:1.1.3 \ No newline at end of file diff --git a/doc/licenses/java-jwt-3.3.0/LICENSE b/doc/licenses/java-jwt-3.3.0/LICENSE new file mode 100644 index 000000000..4a7a13ada --- /dev/null +++ b/doc/licenses/java-jwt-3.3.0/LICENSE @@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2015 Auth0, Inc. (http://auth0.com) + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. \ No newline at end of file diff --git a/doc/licenses/java-jwt-3.3.0/README b/doc/licenses/java-jwt-3.3.0/README new file mode 100644 index 000000000..f00c8aafd --- /dev/null +++ b/doc/licenses/java-jwt-3.3.0/README @@ -0,0 +1,8 @@ +Java JWT (https://github.com/auth0/java-jwt) +-------------------------------------------- + + Version: 3.3.0 + From: 'Auth0 by Okta' (https://www.auth0.com) + License(s): + MIT (bundled/java-jwt-3.3.0/LICENSE) + diff --git a/doc/licenses/java-jwt-3.3.0/dep-coordinates.txt b/doc/licenses/java-jwt-3.3.0/dep-coordinates.txt new file mode 100644 index 000000000..4ad3a6064 --- /dev/null +++ b/doc/licenses/java-jwt-3.3.0/dep-coordinates.txt @@ -0,0 +1 @@ +com.auth0:java-jwt:jar:3.3.0 \ No newline at end of file diff --git a/doc/licenses/kotlin-1.4.10/NOTICE.txt b/doc/licenses/kotlin-1.4.10/NOTICE.txt new file mode 100644 index 000000000..0f3e7c29d --- /dev/null +++ b/doc/licenses/kotlin-1.4.10/NOTICE.txt @@ -0,0 +1,2 @@ +Kotlin Compiler +Copyright 2010-2023 JetBrains s.r.o and respective authors and developers diff --git a/doc/licenses/kotlin-1.4.10/README b/doc/licenses/kotlin-1.4.10/README new file mode 100644 index 000000000..a89a5ceea --- /dev/null +++ b/doc/licenses/kotlin-1.4.10/README @@ -0,0 +1,8 @@ +Kotlin (https://kotlinlang.org/) +-------------------------------- + + Version: 1.4.10 + From: 'JetBrains s.r.o and respective authors and developers' + License(s): + Apache v2.0 + diff --git a/doc/licenses/kotlin-1.4.10/dep-coordinates.txt b/doc/licenses/kotlin-1.4.10/dep-coordinates.txt new file mode 100644 index 000000000..9eedc33fe --- /dev/null +++ b/doc/licenses/kotlin-1.4.10/dep-coordinates.txt @@ -0,0 +1,5 @@ +org.jetbrains.kotlin:kotlin-reflect:jar:1.4.10 +org.jetbrains.kotlin:kotlin-stdlib:jar:1.4.10 +org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.4.10 +org.jetbrains.kotlin:kotlin-stdlib-jdk8:jar:1.4.10 +org.jetbrains.kotlin:kotlin-stdlib-jdk7:jar:1.4.10 diff --git a/doc/licenses/logging-interceptor-4.9.1/LICENSE.txt b/doc/licenses/logging-interceptor-4.9.1/LICENSE.txt new file mode 100644 index 000000000..f49a4e16e --- /dev/null +++ b/doc/licenses/logging-interceptor-4.9.1/LICENSE.txt @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/doc/licenses/logging-interceptor-4.9.1/NOTICE b/doc/licenses/logging-interceptor-4.9.1/NOTICE new file mode 100644 index 000000000..d8bff2eef --- /dev/null +++ b/doc/licenses/logging-interceptor-4.9.1/NOTICE @@ -0,0 +1,13 @@ +Copyright 2019 Square, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/doc/licenses/logging-interceptor-4.9.1/README b/doc/licenses/logging-interceptor-4.9.1/README new file mode 100644 index 000000000..4755b031c --- /dev/null +++ b/doc/licenses/logging-interceptor-4.9.1/README @@ -0,0 +1,8 @@ +okhttp logging-interceptor (https://square.github.io/okhttp/) +------------------------------------------------------------- + + Version: 4.9.1 + From: 'Square Inc' + License(s): + Apache v2.0 + diff --git a/doc/licenses/logging-interceptor-4.9.1/dep-coordinates.txt b/doc/licenses/logging-interceptor-4.9.1/dep-coordinates.txt new file mode 100644 index 000000000..aeab28247 --- /dev/null +++ b/doc/licenses/logging-interceptor-4.9.1/dep-coordinates.txt @@ -0,0 +1 @@ +com.squareup.okhttp3:logging-interceptor:jar:4.9.1 \ No newline at end of file diff --git a/doc/licenses/okhttp-3.14.9/LICENSE.txt b/doc/licenses/okhttp-3.14.9/LICENSE.txt new file mode 100644 index 000000000..f49a4e16e --- /dev/null +++ b/doc/licenses/okhttp-3.14.9/LICENSE.txt @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/doc/licenses/okhttp-3.14.9/NOTICE b/doc/licenses/okhttp-3.14.9/NOTICE new file mode 100644 index 000000000..d8bff2eef --- /dev/null +++ b/doc/licenses/okhttp-3.14.9/NOTICE @@ -0,0 +1,13 @@ +Copyright 2019 Square, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/doc/licenses/okhttp-3.14.9/README b/doc/licenses/okhttp-3.14.9/README new file mode 100644 index 000000000..7f343e7bd --- /dev/null +++ b/doc/licenses/okhttp-3.14.9/README @@ -0,0 +1,8 @@ +okhttp (https://square.github.io/okhttp/) +--------------------------------------------- + + Version: 3.14.9 + From: 'Square Inc' + License(s): + Apache 2.0 + diff --git a/doc/licenses/okhttp-3.14.9/dep-coordinates.txt b/doc/licenses/okhttp-3.14.9/dep-coordinates.txt new file mode 100644 index 000000000..ea402ee6b --- /dev/null +++ b/doc/licenses/okhttp-3.14.9/dep-coordinates.txt @@ -0,0 +1 @@ +com.squareup.okhttp3:okhttp:jar:3.14.9 \ No newline at end of file diff --git a/doc/licenses/okio-1.17.2/LICENSE.txt b/doc/licenses/okio-1.17.2/LICENSE.txt new file mode 100644 index 000000000..f49a4e16e --- /dev/null +++ b/doc/licenses/okio-1.17.2/LICENSE.txt @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/doc/licenses/okio-1.17.2/NOTICE b/doc/licenses/okio-1.17.2/NOTICE new file mode 100644 index 000000000..25fdd5926 --- /dev/null +++ b/doc/licenses/okio-1.17.2/NOTICE @@ -0,0 +1,13 @@ +Copyright 2013 Square, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/doc/licenses/okio-1.17.2/README b/doc/licenses/okio-1.17.2/README new file mode 100644 index 000000000..74976b808 --- /dev/null +++ b/doc/licenses/okio-1.17.2/README @@ -0,0 +1,8 @@ +okio (https://square.github.io/okio/) +--------------------------------------------- + + Version: 1.17.2 + From: 'Square Inc' + License(s): + Apache 2.0 (bundled/retrofit-2.9.0/LICENSE.txt) + diff --git a/doc/licenses/okio-1.17.2/dep-coordinates.txt b/doc/licenses/okio-1.17.2/dep-coordinates.txt new file mode 100644 index 000000000..566082a42 --- /dev/null +++ b/doc/licenses/okio-1.17.2/dep-coordinates.txt @@ -0,0 +1 @@ +com.squareup.okio:okio:jar:1.17.2 \ No newline at end of file diff --git a/doc/licenses/retrofit-2.9.0/LICENSE.txt b/doc/licenses/retrofit-2.9.0/LICENSE.txt new file mode 100644 index 000000000..f49a4e16e --- /dev/null +++ b/doc/licenses/retrofit-2.9.0/LICENSE.txt @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/doc/licenses/retrofit-2.9.0/NOTICE b/doc/licenses/retrofit-2.9.0/NOTICE new file mode 100644 index 000000000..25fdd5926 --- /dev/null +++ b/doc/licenses/retrofit-2.9.0/NOTICE @@ -0,0 +1,13 @@ +Copyright 2013 Square, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/doc/licenses/retrofit-2.9.0/README b/doc/licenses/retrofit-2.9.0/README new file mode 100644 index 000000000..8de113264 --- /dev/null +++ b/doc/licenses/retrofit-2.9.0/README @@ -0,0 +1,8 @@ +retrofit (https://square.github.io/retrofit/) +--------------------------------------------- + + Version: 2.9.0 + From: 'Square Inc' + License(s): + Apache 2.0 (bundled/retrofit-2.9.0/LICENSE.txt) + diff --git a/doc/licenses/retrofit-2.9.0/dep-coordinates.txt b/doc/licenses/retrofit-2.9.0/dep-coordinates.txt new file mode 100644 index 000000000..43f8e2898 --- /dev/null +++ b/doc/licenses/retrofit-2.9.0/dep-coordinates.txt @@ -0,0 +1,2 @@ +com.squareup.retrofit2:retrofit:jar:2.9.0 +com.squareup.retrofit2:converter-jackson:jar:2.9.0 \ No newline at end of file From 7807bb9c112b4c7969eceffc79ce842c5f35be1d Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Fri, 6 Oct 2023 14:22:27 -0400 Subject: [PATCH 4/7] GUACMAOLE-1289: Fixup and debugging. --- .../auth/duo/DuoAuthenticationProviderModule.java | 11 ++++++++++- .../guacamole/auth/duo/UserVerificationService.java | 9 +++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java index c50e1039d..2b5e5d0b2 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java @@ -41,6 +41,11 @@ public class DuoAuthenticationProviderModule extends AbstractModule { * module has configured injection. */ private final AuthenticationProvider authProvider; + + /** + * The session manager that stores authentication attempts. + */ + private final DuoAuthenticationSessionManager authSessionManager; /** * Creates a new Duo authentication provider module which configures @@ -61,6 +66,9 @@ public class DuoAuthenticationProviderModule extends AbstractModule { // Store associated auth provider this.authProvider = authProvider; + + // Create a new session manager + this.authSessionManager = new DuoAuthenticationSessionManager(); } @@ -72,9 +80,10 @@ public class DuoAuthenticationProviderModule extends AbstractModule { bind(Environment.class).toInstance(environment); // Bind Duo-specific services + bind(DuoAuthenticationSessionManager.class).toInstance(authSessionManager); bind(ConfigurationService.class); bind(UserVerificationService.class); - bind(DuoAuthenticationSessionManager.class); + } diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java index 7ac16d51a..d38a4c6c6 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java @@ -37,12 +37,16 @@ import org.apache.guacamole.language.TranslatableMessage; import org.apache.guacamole.net.auth.AuthenticatedUser; import org.apache.guacamole.net.auth.Credentials; import org.apache.guacamole.net.auth.credentials.CredentialsInfo; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * Service for verifying the identity of a user against Duo. */ public class UserVerificationService { + private static final Logger LOGGER = LoggerFactory.getLogger(UserVerificationService.class); + /** * The name of the parameter which Duo will return in it's GET call-back * that contains the code that the client will use to generate a token. @@ -124,6 +128,7 @@ public class UserVerificationService { // Get a new session state from the Duo client duoState = duoClient.generateState(); + LOGGER.debug(">>> DUO <<< STATE DEFER: {}", duoState); // Add this session duoSessionManager.defer(new DuoAuthenticationSession(confService.getAuthTimeout(), duoState, username), duoState); @@ -142,9 +147,13 @@ public class UserVerificationService { ); } + + LOGGER.debug(">>> DUO <<< STATE RESUME: {}", duoState); // Retrieve the deferred authenticaiton attempt DuoAuthenticationSession duoSession = duoSessionManager.resume(duoState); + if (duoSession == null) + throw new GuacamoleServerException("Failed to resume Duo authentication session."); // Get the token from the DuoClient using the code and username, and check status Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, duoSession.getUsername()); From b0e5ecd33e9391782b984f889336630480afee5d Mon Sep 17 00:00:00 2001 From: Alex Leitner Date: Mon, 25 Mar 2024 01:27:11 +0000 Subject: [PATCH 5/7] GUACAMOLE-1289: Handle resumable state for duo authentication. --- .../duo/DuoAuthenticationProviderModule.java | 11 --- .../auth/duo/DuoAuthenticationSession.java | 74 ----------------- .../duo/DuoAuthenticationSessionManager.java | 34 -------- .../auth/duo/UserVerificationService.java | 33 ++------ ...amoleInsufficientCredentialsException.java | 32 ++++++++ ...amoleInsufficientCredentialsException.java | 78 ++++++++++++++++++ .../rest/auth/AuthenticationService.java | 48 ++++++++++- .../auth/ResumableAuthenticationState.java | 81 +++++++++++++++++++ 8 files changed, 243 insertions(+), 148 deletions(-) delete mode 100644 extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSession.java delete mode 100644 extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSessionManager.java create mode 100644 guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java index 2b5e5d0b2..b9a37b070 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java @@ -41,11 +41,6 @@ public class DuoAuthenticationProviderModule extends AbstractModule { * module has configured injection. */ private final AuthenticationProvider authProvider; - - /** - * The session manager that stores authentication attempts. - */ - private final DuoAuthenticationSessionManager authSessionManager; /** * Creates a new Duo authentication provider module which configures @@ -66,10 +61,6 @@ public class DuoAuthenticationProviderModule extends AbstractModule { // Store associated auth provider this.authProvider = authProvider; - - // Create a new session manager - this.authSessionManager = new DuoAuthenticationSessionManager(); - } @Override @@ -80,11 +71,9 @@ public class DuoAuthenticationProviderModule extends AbstractModule { bind(Environment.class).toInstance(environment); // Bind Duo-specific services - bind(DuoAuthenticationSessionManager.class).toInstance(authSessionManager); bind(ConfigurationService.class); bind(UserVerificationService.class); - } } diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSession.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSession.java deleted file mode 100644 index 8dd3e8db1..000000000 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSession.java +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.duo; - -import org.apache.guacamole.net.auth.AuthenticationSession; - -/** - * An AuthenticationSession that stores the information required for an - * in-progress Duo authentication attempt. - */ -public class DuoAuthenticationSession extends AuthenticationSession { - - /** - * The session state generated by the Duo client, which is used to track - * the session through the redirect and return process. - */ - private final String state; - - /** - * The username of the user who is authenticating with this session. - */ - private final String username; - - /** - * Create a new instance of this authenticaiton session, having the given length of time - * for expriation and the state generated by the Duo Client. - * - * @param expires - * The number of milliseconds before this session is invalid. - * - * @param state - * The session state, as generated by the Duo Client. - * - * @param username - * The username of the user who is attempting authentication with Duo. - */ - public DuoAuthenticationSession(long expires, String state, String username) { - super(expires); - this.state = state; - this.username = username; - } - - /** - * Return the stored session state. - * - * @return - * The stored session state. - */ - public String getState() { - return state; - } - - public String getUsername() { - return username; - } - -} diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSessionManager.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSessionManager.java deleted file mode 100644 index 9bfbcc466..000000000 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationSessionManager.java +++ /dev/null @@ -1,34 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.duo; - -import com.google.inject.Singleton; -import org.apache.guacamole.net.auth.AuthenticationSessionManager; - -/** - * An AuthenticationSessionManager implementation that temporarily stores - * authentication attempts for Duo MFA while they are underway. - */ -@Singleton -public class DuoAuthenticationSessionManager extends AuthenticationSessionManager { - - // Nothing to see here. - -} diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java index d38a4c6c6..560683686 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java @@ -45,7 +45,7 @@ import org.slf4j.LoggerFactory; */ public class UserVerificationService { - private static final Logger LOGGER = LoggerFactory.getLogger(UserVerificationService.class); + private static final Logger logger = LoggerFactory.getLogger(UserVerificationService.class); /** * The name of the parameter which Duo will return in it's GET call-back @@ -63,7 +63,7 @@ public class UserVerificationService { * The value that will be returned in the token if Duo authentication * was successful. */ - private static final String DUO_TOKEN_SUCCESS_VALUE = "ALLOW"; + private static final String DUO_TOKEN_SUCCESS_VALUE = "allow"; /** * Service for retrieving Duo configuration information. @@ -71,13 +71,6 @@ public class UserVerificationService { @Inject private ConfigurationService confService; - /** - * The authentication session manager that temporarily stores in-progress - * authentication attempts. - */ - @Inject - private DuoAuthenticationSessionManager duoSessionManager; - /** * Verifies the identity of the given user via the Duo multi-factor * authentication service. If a signed response from Duo has not already @@ -116,8 +109,7 @@ public class UserVerificationService { confService.getRedirectUrl().toString()) .build(); - duoClient.healthCheck(); - + duoClient.healthCheck(); // Retrieve signed Duo Code and State from the request String duoCode = request.getParameter(DUO_CODE_PARAMETER_NAME); @@ -128,10 +120,7 @@ public class UserVerificationService { // Get a new session state from the Duo client duoState = duoClient.generateState(); - LOGGER.debug(">>> DUO <<< STATE DEFER: {}", duoState); - - // Add this session - duoSessionManager.defer(new DuoAuthenticationSession(confService.getAuthTimeout(), duoState, username), duoState); + long expirationTimestamp = System.currentTimeMillis() + (confService.getAuthTimeout() * 1000L); // Request additional credentials throw new TranslatableGuacamoleInsufficientCredentialsException( @@ -143,27 +132,21 @@ public class UserVerificationService { new URI(duoClient.createAuthUrl(username, duoState)), new TranslatableMessage("LOGIN.INFO_DUO_REDIRECT_PENDING") ) - )) + )), + duoState, + expirationTimestamp ); } - LOGGER.debug(">>> DUO <<< STATE RESUME: {}", duoState); - - // Retrieve the deferred authenticaiton attempt - DuoAuthenticationSession duoSession = duoSessionManager.resume(duoState); - if (duoSession == null) - throw new GuacamoleServerException("Failed to resume Duo authentication session."); - // Get the token from the DuoClient using the code and username, and check status - Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, duoSession.getUsername()); + Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, username); if (token == null || token.getAuth_result() == null || !DUO_TOKEN_SUCCESS_VALUE.equals(token.getAuth_result().getStatus())) throw new TranslatableGuacamoleClientException("Provided Duo " + "validation code is incorrect.", "LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT"); - } catch (DuoException e) { throw new GuacamoleServerException("Duo Client error.", e); diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/language/TranslatableGuacamoleInsufficientCredentialsException.java b/guacamole-ext/src/main/java/org/apache/guacamole/language/TranslatableGuacamoleInsufficientCredentialsException.java index 5b51d2ce9..648e15007 100644 --- a/guacamole-ext/src/main/java/org/apache/guacamole/language/TranslatableGuacamoleInsufficientCredentialsException.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/language/TranslatableGuacamoleInsufficientCredentialsException.java @@ -136,6 +136,38 @@ public class TranslatableGuacamoleInsufficientCredentialsException this(message, new TranslatableMessage(key), credentialsInfo); } + /** + * Creates a new TranslatableGuacamoleInsufficientCredentialsException with the specified message, + * translation key, the credential information required for authentication, the state token, and + * an expiration timestamp for the state token. The message is provided in both a non-translatable + * form and as a translatable key which can be used to retrieve the localized message. + * + * @param message + * A human-readable description of the exception that occurred. This + * message should be readable on its own and as-written, without + * requiring a translation service. + * + * @param key + * The arbitrary key which can be used to look up the message to be + * displayed in the user's native language. + * + * @param credentialsInfo + * Information describing the form of valid credentials. + * + * @param state + * An opaque value that may be used by a client to maintain state across requests which are part + * of the same authentication transaction. + * + * @param expires + * The timestamp after which the state token associated with the authentication process expires, + * specified as the number of milliseconds since the UNIX epoch. + */ + public TranslatableGuacamoleInsufficientCredentialsException(String message, + String key, CredentialsInfo credentialsInfo, String state, long expires) { + super(message, credentialsInfo, state, expires); + this.translatableMessage = new TranslatableMessage(key); + } + @Override public TranslatableMessage getTranslatableMessage() { return translatableMessage; diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java index 06ae3ea5c..c7a903c95 100644 --- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java @@ -28,6 +28,57 @@ package org.apache.guacamole.net.auth.credentials; */ public class GuacamoleInsufficientCredentialsException extends GuacamoleCredentialsException { +/** + * The default state token to use when no specific state information is provided. + */ +private static final String DEFAULT_STATE = ""; + +/** + * The default expiration timestamp to use when no specific expiration is provided, + * effectively indicating that the state token does not expire. + */ +private static final long DEFAULT_EXPIRES = -1L; + +/** + * An opaque value that may be used by a client to maintain state across requests + * which are part of the same authentication transaction. + */ +protected final String state; + +/** + * The timestamp after which the state token associated with the authentication process + * should no longer be considered valid, expressed as the number of milliseconds since + * UNIX epoch. + */ +protected final long expires; + + /** + * Creates a new GuacamoleInsufficientCredentialsException with the specified + * message, the credential information required for authentication, the state + * token associated with the authentication process, and an expiration timestamp. + * + * @param message + * A human-readable description of the exception that occurred. + * + * @param credentialsInfo + * Information describing the form of valid credentials. + * + * @param state + * An opaque value that may be used by a client to maintain state + * across requests which are part of the same authentication transaction. + * + * @param expires + * The timestamp after which the state token associated with the + * authentication process should no longer be considered valid, expressed + * as the number of milliseconds since UNIX epoch. + */ + public GuacamoleInsufficientCredentialsException(String message, + CredentialsInfo credentialsInfo, String state, long expires) { + super(message, credentialsInfo); + this.state = state; + this.expires = expires; + } + /** * Creates a new GuacamoleInsufficientCredentialsException with the given * message, cause, and associated credential information. @@ -44,6 +95,8 @@ public class GuacamoleInsufficientCredentialsException extends GuacamoleCredenti public GuacamoleInsufficientCredentialsException(String message, Throwable cause, CredentialsInfo credentialsInfo) { super(message, cause, credentialsInfo); + this.state = DEFAULT_STATE; + this.expires = DEFAULT_EXPIRES; } /** @@ -58,6 +111,8 @@ public class GuacamoleInsufficientCredentialsException extends GuacamoleCredenti */ public GuacamoleInsufficientCredentialsException(String message, CredentialsInfo credentialsInfo) { super(message, credentialsInfo); + this.state = DEFAULT_STATE; + this.expires = DEFAULT_EXPIRES; } /** @@ -72,6 +127,29 @@ public class GuacamoleInsufficientCredentialsException extends GuacamoleCredenti */ public GuacamoleInsufficientCredentialsException(Throwable cause, CredentialsInfo credentialsInfo) { super(cause, credentialsInfo); + this.state = DEFAULT_STATE; + this.expires = DEFAULT_EXPIRES; + } + + /** + * Retrieves the state token associated with the authentication process. + * + * @return The opaque state token used to maintain consistency across multiple + * requests in the same authentication transaction. + */ + public String getState() { + return state; + } + + /** + * Retrieves the expiration timestamp of the state token, specified as the + * number of milliseconds since the UNIX epoch. + * + * @return The expiration timestamp of the state token, or a negative value if + * the token does not expire. + */ + public long getExpires() { + return expires; } } diff --git a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java index 305073de3..2946b1276 100644 --- a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java +++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java @@ -21,11 +21,14 @@ package org.apache.guacamole.rest.auth; import java.util.ArrayList; import java.util.List; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; + import javax.inject.Inject; +import javax.servlet.http.HttpServletRequest; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleSecurityException; -import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.GuacamoleUnauthorizedException; import org.apache.guacamole.GuacamoleSession; import org.apache.guacamole.net.auth.AuthenticatedUser; @@ -43,9 +46,12 @@ import org.glassfish.jersey.server.ContainerRequest; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import com.google.inject.Singleton; + /** * A service for performing authentication checks in REST endpoints. */ +@Singleton public class AuthenticationService { /** @@ -96,6 +102,11 @@ public class AuthenticationService { */ public static final String TOKEN_PARAMETER_NAME = "token"; + /** + * Map to store resumable authentication states with an expiration time. + */ + private Map resumableStateMap = new ConcurrentHashMap<>(); + /** * Attempts authentication against all AuthenticationProviders, in order, * using the provided credentials. The first authentication failure takes @@ -310,6 +321,17 @@ public class AuthenticationService { try { userContext = authProvider.getUserContext(authenticatedUser); } + catch (GuacamoleInsufficientCredentialsException e) { + // Store state and expiration + String state = e.getState(); + long expiration = e.getExpires(); + + resumableStateMap.put(state, new ResumableAuthenticationState(expiration, credentials)); + + throw new GuacamoleAuthenticationProcessException("User " + + "authentication aborted during initial " + + "UserContext creation.", authProvider, e); + } catch (GuacamoleException | RuntimeException | Error e) { throw new GuacamoleAuthenticationProcessException("User " + "authentication aborted during initial " @@ -366,12 +388,30 @@ public class AuthenticationService { AuthenticatedUser authenticatedUser; String authToken; + Credentials actualCredentials = credentials; + String state; + ResumableAuthenticationState resumableState = null; + + // Retrieve signed State from the request + HttpServletRequest request = credentials.getRequest(); + + // If state is provided, attempt to resume authentication + if ((state = request.getParameter("state")) != null && (resumableState = resumableStateMap.get(state)) != null) { + // The resumableState is removed as it should be a single-use token + resumableStateMap.remove(state); + + // Check if the resumableState has expired + if (!resumableState.isExpired()) { + actualCredentials = resumableState.getCredentials(); + actualCredentials.setRequest(request); + } + } try { // Get up-to-date AuthenticatedUser and associated UserContexts - authenticatedUser = getAuthenticatedUser(existingSession, credentials); - List userContexts = getUserContexts(existingSession, authenticatedUser, credentials); + authenticatedUser = getAuthenticatedUser(existingSession, actualCredentials); + List userContexts = getUserContexts(existingSession, authenticatedUser, actualCredentials); // Update existing session, if it exists if (existingSession != null) { @@ -401,7 +441,7 @@ public class AuthenticationService { // Log and rethrow any authentication errors catch (GuacamoleAuthenticationProcessException e) { - listenerService.handleEvent(new AuthenticationFailureEvent(credentials, + listenerService.handleEvent(new AuthenticationFailureEvent(actualCredentials, e.getAuthenticationProvider(), e.getCause())); // Rethrow exception diff --git a/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java b/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java new file mode 100644 index 000000000..3e24f4f04 --- /dev/null +++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java @@ -0,0 +1,81 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.guacamole.rest.auth; + +import org.apache.guacamole.net.auth.Credentials; + +/** + * Encapsulates the state information required for resuming an authentication + * process. This includes an expiration timestamp to determine state validity + * and the original credentials submitted by the user. + */ +public class ResumableAuthenticationState { + + /** + * The timestamp at which this state should no longer be considered valid, + * measured in milliseconds since the Unix epoch. + */ + private long expirationTimestamp; + + /** + * The original user credentials that were submitted at the start of the + * authentication process. + */ + private Credentials credentials; + + /** + * Constructs a new ResumableAuthenticationState object with the specified + * expiration timestamp and user credentials. + * + * @param expirationTimestamp + * The timestamp in milliseconds since the Unix epoch when this state + * expires and can no longer be used to resume authentication. + * + * @param credentials + * The Credentials object initially submitted by the user and associated + * with this resumable state. + */ + public ResumableAuthenticationState(long expirationTimestamp, Credentials credentials) { + this.expirationTimestamp = expirationTimestamp; + this.credentials = credentials; + } + + /** + * Checks if this resumable state has expired based on the stored expiration + * timestamp and the current system time. + * + * @return + * True if the current system time is after the expiration timestamp, + * indicating that the state is expired; false otherwise. + */ + public boolean isExpired() { + return System.currentTimeMillis() > expirationTimestamp; + } + + /** + * Retrieves the original credentials associated with this resumable state. + * + * @return + * The Credentials object containing user details that were submitted + * when the state was created. + */ + public Credentials getCredentials() { + return this.credentials; + } +} From 7c49466c79a5e80d793aca970cf80036cd2946a2 Mon Sep 17 00:00:00 2001 From: Alex Leitner Date: Wed, 3 Apr 2024 01:28:15 +0000 Subject: [PATCH 6/7] GUACAMOLE-1289: Modify the Authentication Service to no longer explicitly compare state query string. --- doc/licenses/okhttp-3.14.9/NOTICE | 2 +- doc/licenses/okhttp-3.14.9/README | 1 - .../okhttp-3.14.9/dep-coordinates.txt | 2 +- doc/licenses/okhttp-4.9.1/LICENSE.txt | 201 +++++++++++++++++ doc/licenses/okhttp-4.9.1/NOTICE | 13 ++ doc/licenses/okhttp-4.9.1/README | 7 + doc/licenses/okhttp-4.9.1/dep-coordinates.txt | 1 + doc/licenses/okio-1.17.2/README | 1 - doc/licenses/okio-1.17.2/dep-coordinates.txt | 2 +- doc/licenses/okio-2.8.0/LICENSE.txt | 201 +++++++++++++++++ doc/licenses/okio-2.8.0/NOTICE | 13 ++ doc/licenses/okio-2.8.0/README | 7 + doc/licenses/okio-2.8.0/dep-coordinates.txt | 1 + doc/licenses/spring-web-5.3.25/LICENSE | 202 ++++++++++++++++++ doc/licenses/spring-web-5.3.25/README | 7 + .../spring-web-5.3.25/dep-coordinates.txt | 4 + extensions/guacamole-auth-duo/pom.xml | 34 ++- .../auth/duo/DuoAuthenticationProvider.java | 9 +- .../duo/DuoAuthenticationProviderModule.java | 1 - .../auth/duo/UserVerificationService.java | 19 +- ...amoleInsufficientCredentialsException.java | 14 +- .../guacamole/net/auth/Credentials.java | 10 + ...amoleInsufficientCredentialsException.java | 67 +++++- .../rest/auth/AuthenticationService.java | 107 ++++++++-- .../auth/ResumableAuthenticationState.java | 49 ++++- 25 files changed, 933 insertions(+), 42 deletions(-) create mode 100644 doc/licenses/okhttp-4.9.1/LICENSE.txt create mode 100644 doc/licenses/okhttp-4.9.1/NOTICE create mode 100644 doc/licenses/okhttp-4.9.1/README create mode 100644 doc/licenses/okhttp-4.9.1/dep-coordinates.txt create mode 100644 doc/licenses/okio-2.8.0/LICENSE.txt create mode 100644 doc/licenses/okio-2.8.0/NOTICE create mode 100644 doc/licenses/okio-2.8.0/README create mode 100644 doc/licenses/okio-2.8.0/dep-coordinates.txt create mode 100644 doc/licenses/spring-web-5.3.25/LICENSE create mode 100644 doc/licenses/spring-web-5.3.25/README create mode 100644 doc/licenses/spring-web-5.3.25/dep-coordinates.txt diff --git a/doc/licenses/okhttp-3.14.9/NOTICE b/doc/licenses/okhttp-3.14.9/NOTICE index d8bff2eef..48164b3fc 100644 --- a/doc/licenses/okhttp-3.14.9/NOTICE +++ b/doc/licenses/okhttp-3.14.9/NOTICE @@ -10,4 +10,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. diff --git a/doc/licenses/okhttp-3.14.9/README b/doc/licenses/okhttp-3.14.9/README index 7f343e7bd..ed470799c 100644 --- a/doc/licenses/okhttp-3.14.9/README +++ b/doc/licenses/okhttp-3.14.9/README @@ -5,4 +5,3 @@ okhttp (https://square.github.io/okhttp/) From: 'Square Inc' License(s): Apache 2.0 - diff --git a/doc/licenses/okhttp-3.14.9/dep-coordinates.txt b/doc/licenses/okhttp-3.14.9/dep-coordinates.txt index ea402ee6b..eb6c3831b 100644 --- a/doc/licenses/okhttp-3.14.9/dep-coordinates.txt +++ b/doc/licenses/okhttp-3.14.9/dep-coordinates.txt @@ -1 +1 @@ -com.squareup.okhttp3:okhttp:jar:3.14.9 \ No newline at end of file +com.squareup.okhttp3:okhttp:jar:3.14.9 diff --git a/doc/licenses/okhttp-4.9.1/LICENSE.txt b/doc/licenses/okhttp-4.9.1/LICENSE.txt new file mode 100644 index 000000000..f49a4e16e --- /dev/null +++ b/doc/licenses/okhttp-4.9.1/LICENSE.txt @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/doc/licenses/okhttp-4.9.1/NOTICE b/doc/licenses/okhttp-4.9.1/NOTICE new file mode 100644 index 000000000..7ab6fba62 --- /dev/null +++ b/doc/licenses/okhttp-4.9.1/NOTICE @@ -0,0 +1,13 @@ +Copyright 2021 Square, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/doc/licenses/okhttp-4.9.1/README b/doc/licenses/okhttp-4.9.1/README new file mode 100644 index 000000000..427724260 --- /dev/null +++ b/doc/licenses/okhttp-4.9.1/README @@ -0,0 +1,7 @@ +okhttp (https://square.github.io/okhttp/) +--------------------------------------------- + + Version: 4.9.1 + From: 'Square Inc' + License(s): + Apache 2.0 diff --git a/doc/licenses/okhttp-4.9.1/dep-coordinates.txt b/doc/licenses/okhttp-4.9.1/dep-coordinates.txt new file mode 100644 index 000000000..0215ca270 --- /dev/null +++ b/doc/licenses/okhttp-4.9.1/dep-coordinates.txt @@ -0,0 +1 @@ +com.squareup.okhttp3:okhttp:jar:4.9.1 diff --git a/doc/licenses/okio-1.17.2/README b/doc/licenses/okio-1.17.2/README index 74976b808..a8723ed5a 100644 --- a/doc/licenses/okio-1.17.2/README +++ b/doc/licenses/okio-1.17.2/README @@ -5,4 +5,3 @@ okio (https://square.github.io/okio/) From: 'Square Inc' License(s): Apache 2.0 (bundled/retrofit-2.9.0/LICENSE.txt) - diff --git a/doc/licenses/okio-1.17.2/dep-coordinates.txt b/doc/licenses/okio-1.17.2/dep-coordinates.txt index 566082a42..54ab8297c 100644 --- a/doc/licenses/okio-1.17.2/dep-coordinates.txt +++ b/doc/licenses/okio-1.17.2/dep-coordinates.txt @@ -1 +1 @@ -com.squareup.okio:okio:jar:1.17.2 \ No newline at end of file +com.squareup.okio:okio:jar:1.17.2 diff --git a/doc/licenses/okio-2.8.0/LICENSE.txt b/doc/licenses/okio-2.8.0/LICENSE.txt new file mode 100644 index 000000000..f49a4e16e --- /dev/null +++ b/doc/licenses/okio-2.8.0/LICENSE.txt @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/doc/licenses/okio-2.8.0/NOTICE b/doc/licenses/okio-2.8.0/NOTICE new file mode 100644 index 000000000..9004e5d83 --- /dev/null +++ b/doc/licenses/okio-2.8.0/NOTICE @@ -0,0 +1,13 @@ +Copyright 2020 Square, Inc. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/doc/licenses/okio-2.8.0/README b/doc/licenses/okio-2.8.0/README new file mode 100644 index 000000000..cf4693dbd --- /dev/null +++ b/doc/licenses/okio-2.8.0/README @@ -0,0 +1,7 @@ +okio (https://square.github.io/okio/) +--------------------------------------------- + + Version: 2.8.0 + From: 'Square Inc' + License(s): + Apache 2.0 (bundled/retrofit-2.9.0/LICENSE.txt) diff --git a/doc/licenses/okio-2.8.0/dep-coordinates.txt b/doc/licenses/okio-2.8.0/dep-coordinates.txt new file mode 100644 index 000000000..88c8776ad --- /dev/null +++ b/doc/licenses/okio-2.8.0/dep-coordinates.txt @@ -0,0 +1 @@ +com.squareup.okio:okio:jar:2.8.0 diff --git a/doc/licenses/spring-web-5.3.25/LICENSE b/doc/licenses/spring-web-5.3.25/LICENSE new file mode 100644 index 000000000..ff7737963 --- /dev/null +++ b/doc/licenses/spring-web-5.3.25/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + https://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "{}" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright {yyyy} {name of copyright owner} + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/doc/licenses/spring-web-5.3.25/README b/doc/licenses/spring-web-5.3.25/README new file mode 100644 index 000000000..f719e88ff --- /dev/null +++ b/doc/licenses/spring-web-5.3.25/README @@ -0,0 +1,7 @@ +Spring Framework (https://spring.io/projects/spring-framework) +-------------------------------------------------------------- + + Version: 5.3.25 + From: 'Spring' (https://spring.io/) + License(s): + Apache v2.0 diff --git a/doc/licenses/spring-web-5.3.25/dep-coordinates.txt b/doc/licenses/spring-web-5.3.25/dep-coordinates.txt new file mode 100644 index 000000000..0670c0fa8 --- /dev/null +++ b/doc/licenses/spring-web-5.3.25/dep-coordinates.txt @@ -0,0 +1,4 @@ +org.springframework:spring-web:jar:5.3.25 +org.springframework:spring-beans:jar:5.3.25 +org.springframework:spring-core:jar:5.3.25 +org.springframework:spring-jcl:jar:5.3.25 diff --git a/extensions/guacamole-auth-duo/pom.xml b/extensions/guacamole-auth-duo/pom.xml index 0614cb47d..f7f49563c 100644 --- a/extensions/guacamole-auth-duo/pom.xml +++ b/extensions/guacamole-auth-duo/pom.xml @@ -39,9 +39,33 @@ UTF-8 - true + + + + + com.squareup.okhttp3 + okhttp + 4.9.1 + + + + + org.jetbrains.kotlin + kotlin-stdlib-common + 1.4.10 + + + + org.jetbrains.kotlin + kotlin-stdlib + 1.4.10 + + + + + @@ -79,11 +103,11 @@ 1.1.3 - + - org.jetbrains.kotlin - kotlin-stdlib-common - 1.4.10 + org.springframework + spring-web + 5.3.25 diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProvider.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProvider.java index 0b1a33dfb..dc9999c98 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProvider.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProvider.java @@ -33,6 +33,13 @@ import org.apache.guacamole.net.auth.UserContext; */ public class DuoAuthenticationProvider extends AbstractAuthenticationProvider { + /** + * The unique identifier for this authentication provider. This is used in + * various parts of the Guacamole client to distinguish this provider from + * others, particularly when multiple authentication providers are used. + */ + public static String PROVIDER_IDENTIFER = "duo"; + /** * Injector which will manage the object graph of this authentication * provider. @@ -58,7 +65,7 @@ public class DuoAuthenticationProvider extends AbstractAuthenticationProvider { @Override public String getIdentifier() { - return "duo"; + return PROVIDER_IDENTIFER; } @Override diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java index b9a37b070..372bbcc39 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java @@ -73,7 +73,6 @@ public class DuoAuthenticationProviderModule extends AbstractModule { // Bind Duo-specific services bind(ConfigurationService.class); bind(UserVerificationService.class); - } } diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java index 560683686..efd8a4357 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java @@ -39,6 +39,7 @@ import org.apache.guacamole.net.auth.Credentials; import org.apache.guacamole.net.auth.credentials.CredentialsInfo; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import org.springframework.web.util.UriComponentsBuilder; /** * Service for verifying the identity of a user against Duo. @@ -51,13 +52,13 @@ public class UserVerificationService { * The name of the parameter which Duo will return in it's GET call-back * that contains the code that the client will use to generate a token. */ - private static final String DUO_CODE_PARAMETER_NAME = "duo_code"; + public static final String DUO_CODE_PARAMETER_NAME = "duo_code"; /** * The name of the parameter that will be used in the GET call-back that * contains the session state. */ - private static final String DUO_STATE_PARAMETER_NAME = "state"; + public static final String DUO_STATE_PARAMETER_NAME = "state"; /** * The value that will be returned in the token if Duo authentication @@ -101,12 +102,20 @@ public class UserVerificationService { try { + String redirectUrl = confService.getRedirectUrl().toString(); + + String builtUrl = UriComponentsBuilder + .fromUriString(redirectUrl) + .queryParam(Credentials.RESUME_QUERY, DuoAuthenticationProvider.PROVIDER_IDENTIFER) + .build() + .toUriString(); + // Set up the Duo Client Client duoClient = new Client.Builder( confService.getClientId(), confService.getClientSecret(), confService.getAPIHostname(), - confService.getRedirectUrl().toString()) + builtUrl) .build(); duoClient.healthCheck(); @@ -133,8 +142,8 @@ public class UserVerificationService { new TranslatableMessage("LOGIN.INFO_DUO_REDIRECT_PENDING") ) )), - duoState, - expirationTimestamp + duoState, DuoAuthenticationProvider.PROVIDER_IDENTIFER, + DUO_STATE_PARAMETER_NAME, expirationTimestamp ); } diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/language/TranslatableGuacamoleInsufficientCredentialsException.java b/guacamole-ext/src/main/java/org/apache/guacamole/language/TranslatableGuacamoleInsufficientCredentialsException.java index 648e15007..f0c27bc36 100644 --- a/guacamole-ext/src/main/java/org/apache/guacamole/language/TranslatableGuacamoleInsufficientCredentialsException.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/language/TranslatableGuacamoleInsufficientCredentialsException.java @@ -157,15 +157,23 @@ public class TranslatableGuacamoleInsufficientCredentialsException * @param state * An opaque value that may be used by a client to maintain state across requests which are part * of the same authentication transaction. + * + * @param providerIdentifier + * The identifier of the authentication provider that this exception pertains to. + * + * @param queryIdentifier + * The identifier of the specific query parameter within the + * authentication process that this exception pertains to. * * @param expires * The timestamp after which the state token associated with the authentication process expires, * specified as the number of milliseconds since the UNIX epoch. */ public TranslatableGuacamoleInsufficientCredentialsException(String message, - String key, CredentialsInfo credentialsInfo, String state, long expires) { - super(message, credentialsInfo, state, expires); - this.translatableMessage = new TranslatableMessage(key); + String key, CredentialsInfo credentialsInfo, String state, String providerIdentifier, + String queryIdentifier, long expires) { + super(message, credentialsInfo, state, providerIdentifier, queryIdentifier, expires); + this.translatableMessage = new TranslatableMessage(key); } @Override diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java index 6ad0e240b..45eebe80d 100644 --- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java @@ -34,6 +34,16 @@ import javax.servlet.http.HttpSession; */ public class Credentials implements Serializable { + /** + * The RESUME_QUERY is a query parameter key used to determine which + * authentication provider's process should be resumed during multi-step + * authentication. The auth provider will set this parameter before + * redirecting to an external service, and it is checked upon return to + * Guacamole to ensure the correct authentication state is continued + * without starting over. + */ + public static final String RESUME_QUERY = "provider_id"; + /** * Unique identifier associated with this specific version of Credentials. */ diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java index c7a903c95..def5350b6 100644 --- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/credentials/GuacamoleInsufficientCredentialsException.java @@ -33,6 +33,20 @@ public class GuacamoleInsufficientCredentialsException extends GuacamoleCredenti */ private static final String DEFAULT_STATE = ""; +/** + * The default provider identifier to use when no specific provider is identified. + * This serves as a placeholder indicating that either no specific provider is + * responsible for the exception or the responsible provider has not been identified. + */ +private static final String DEFAULT_PROVIDER_IDENTIFIER = ""; + +/** + * The default query identifier to use when no specific query is identified. + * This serves as a placeholder and indicates that the specific query related to + * the provider's state resume operation has not been provided. + */ +private static final String DEFAULT_QUERY_IDENTIFIER = ""; + /** * The default expiration timestamp to use when no specific expiration is provided, * effectively indicating that the state token does not expire. @@ -45,6 +59,20 @@ private static final long DEFAULT_EXPIRES = -1L; */ protected final String state; + /** + * The identifier for the authentication provider that threw this exception. + * This is used to link the exception back to the originating source of the + * authentication attempt, allowing clients to determine which provider's + * authentication process should be resumed. + */ + protected final String providerIdentifier; + + /** + * An identifier for the specific query within the URL for this provider that can + * be checked to resume the authentication state. + */ + protected final String queryIdentifier; + /** * The timestamp after which the state token associated with the authentication process * should no longer be considered valid, expressed as the number of milliseconds since @@ -67,15 +95,25 @@ protected final long expires; * An opaque value that may be used by a client to maintain state * across requests which are part of the same authentication transaction. * + * @param providerIdentifier + * The identifier of the authentication provider that this exception pertains to. + * + * @param queryIdentifier + * The identifier of the specific query parameter within the + * authentication process that this exception pertains to. + * * @param expires * The timestamp after which the state token associated with the * authentication process should no longer be considered valid, expressed * as the number of milliseconds since UNIX epoch. */ public GuacamoleInsufficientCredentialsException(String message, - CredentialsInfo credentialsInfo, String state, long expires) { + CredentialsInfo credentialsInfo, String state, String providerIdentifier, String queryIdentifier, + long expires) { super(message, credentialsInfo); this.state = state; + this.providerIdentifier = providerIdentifier; + this.queryIdentifier = queryIdentifier; this.expires = expires; } @@ -96,6 +134,8 @@ protected final long expires; CredentialsInfo credentialsInfo) { super(message, cause, credentialsInfo); this.state = DEFAULT_STATE; + this.providerIdentifier = DEFAULT_PROVIDER_IDENTIFIER; + this.queryIdentifier = DEFAULT_QUERY_IDENTIFIER; this.expires = DEFAULT_EXPIRES; } @@ -112,6 +152,8 @@ protected final long expires; public GuacamoleInsufficientCredentialsException(String message, CredentialsInfo credentialsInfo) { super(message, credentialsInfo); this.state = DEFAULT_STATE; + this.providerIdentifier = DEFAULT_PROVIDER_IDENTIFIER; + this.queryIdentifier = DEFAULT_QUERY_IDENTIFIER; this.expires = DEFAULT_EXPIRES; } @@ -128,6 +170,8 @@ protected final long expires; public GuacamoleInsufficientCredentialsException(Throwable cause, CredentialsInfo credentialsInfo) { super(cause, credentialsInfo); this.state = DEFAULT_STATE; + this.providerIdentifier = DEFAULT_PROVIDER_IDENTIFIER; + this.queryIdentifier = DEFAULT_QUERY_IDENTIFIER; this.expires = DEFAULT_EXPIRES; } @@ -141,6 +185,27 @@ protected final long expires; return state; } + /** + * Retrieves the identifier of the authentication provider responsible for this exception. + * + * @return The identifier of the authentication provider, allowing clients to know + * which provider's process should be resumed in response to this exception. + */ + public String getProviderIdentifier() { + return providerIdentifier; + } + + /** + * Retrieves the specific query identifier associated with the URL for the provider + * that can be checked to resume the authentication state. + * + * @return The query identifier that serves as a reference to a specific point or + * transaction within the provider's authentication process. + */ + public String getQueryIdentifier() { + return queryIdentifier; + } + /** * Retrieves the expiration timestamp of the state token, specified as the * number of milliseconds since the UNIX epoch. diff --git a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java index 2946b1276..1fafa4a30 100644 --- a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java +++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java @@ -47,6 +47,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.google.inject.Singleton; +import java.util.Iterator; /** * A service for performing authentication checks in REST endpoints. @@ -325,12 +326,15 @@ public class AuthenticationService { // Store state and expiration String state = e.getState(); long expiration = e.getExpires(); + String queryIdentifier = e.getQueryIdentifier(); + String providerIdentifier = e.getProviderIdentifier(); - resumableStateMap.put(state, new ResumableAuthenticationState(expiration, credentials)); + resumableStateMap.put(state, new ResumableAuthenticationState(providerIdentifier, + queryIdentifier, expiration, credentials)); throw new GuacamoleAuthenticationProcessException("User " - + "authentication aborted during initial " - + "UserContext creation.", authProvider, e); + + "authentication aborted during initial " + + "UserContext creation.", authProvider, e); } catch (GuacamoleException | RuntimeException | Error e) { throw new GuacamoleAuthenticationProcessException("User " @@ -350,6 +354,82 @@ public class AuthenticationService { return userContexts; } + + /** + * Resumes authentication using given credentials if a matching resumable + * state is found. + * + * @param credentials + * The initial credentials containing the request object. + * + * @return + * Resumed credentials if a valid resumable state is found; otherwise, + * returns {@code null}. + */ + private Credentials resumeAuthentication(Credentials credentials) { + + Credentials resumedCredentials = null; + + // Retrieve signed State from the request + HttpServletRequest request = credentials.getRequest(); + + // Retrieve the provider id from the query parameters. + String resumableProviderId = request.getParameter(Credentials.RESUME_QUERY); + // Check if a provider id is set. + if (resumableProviderId == null || resumableProviderId.isEmpty()) { + // return if a provider id is not set. + return null; + } + + // Use an iterator to safely remove entries while iterating + Iterator> iterator = resumableStateMap.entrySet().iterator(); + while (iterator.hasNext()) { + Map.Entry entry = iterator.next(); + ResumableAuthenticationState resumableState = entry.getValue(); + + // Check if the provider ID from the request matches the one in the map entry. + boolean providerMatches = resumableProviderId.equals(resumableState.getProviderIdentifier()); + if (!providerMatches) { + // If the provider doesn't match, skip to the next entry. + continue; + } + + // Use the query identifier from the entry to retrieve the corresponding state parameter. + String stateQueryParameter = resumableState.getQueryIdentifier(); + String stateFromParameter = request.getParameter(stateQueryParameter); + + // Check if the `state` parameter is set. + if (stateFromParameter == null || stateFromParameter.isEmpty()) { + // Remove and continue if `state` is not provided or is empty. + iterator.remove(); + continue; + } + + // If the key in the entry (state) matches the state parameter provided in the request. + if (entry.getKey().equals(stateFromParameter)) { + + // Remove the current entry from the map. + iterator.remove(); + + // Check if the resumableState has expired + if (!resumableState.isExpired()) { + + // Set the actualCredentials to the credentials from the matched entry. + resumedCredentials = resumableState.getCredentials(); + + if (resumedCredentials != null) { + resumedCredentials.setRequest(request); + } + + } + + // Exit the loop since we've found the matching state and it's unique. + break; + } + } + + return resumedCredentials; + } /** * Authenticates a user using the given credentials and optional @@ -388,24 +468,11 @@ public class AuthenticationService { AuthenticatedUser authenticatedUser; String authToken; - Credentials actualCredentials = credentials; - String state; - ResumableAuthenticationState resumableState = null; - // Retrieve signed State from the request - HttpServletRequest request = credentials.getRequest(); - - // If state is provided, attempt to resume authentication - if ((state = request.getParameter("state")) != null && (resumableState = resumableStateMap.get(state)) != null) { - // The resumableState is removed as it should be a single-use token - resumableStateMap.remove(state); - - // Check if the resumableState has expired - if (!resumableState.isExpired()) { - actualCredentials = resumableState.getCredentials(); - actualCredentials.setRequest(request); - } - } + // Retrieve credentials if resuming authentication + Credentials actualCredentials = resumeAuthentication(credentials); + if (actualCredentials == null) + actualCredentials = credentials; try { diff --git a/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java b/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java index 3e24f4f04..f295a8208 100644 --- a/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java +++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java @@ -39,10 +39,31 @@ public class ResumableAuthenticationState { */ private Credentials credentials; + /** + * A unique string identifying the authentication provider related to the state. + * This field allows the client to know which provider's authentication process + * should be resumed using this state. + */ + private String providerIdentifier; + + /** + * A unique string that can be used to identify a specific query within the + * authentication process for the identified provider. This identifier can + * help the resumption of an authentication process. + */ + private String queryIdentifier; + /** * Constructs a new ResumableAuthenticationState object with the specified * expiration timestamp and user credentials. * + * @param providerIdentifier + * The identifier of the authentication provider to which this resumable state pertains. + * + * @param queryIdenifier + * The identifier of the specific query within the provider's + * authentication process that this state corresponds to. + * * @param expirationTimestamp * The timestamp in milliseconds since the Unix epoch when this state * expires and can no longer be used to resume authentication. @@ -51,9 +72,12 @@ public class ResumableAuthenticationState { * The Credentials object initially submitted by the user and associated * with this resumable state. */ - public ResumableAuthenticationState(long expirationTimestamp, Credentials credentials) { + public ResumableAuthenticationState(String providerIdentifier, String queryIdentifier, + long expirationTimestamp, Credentials credentials) { this.expirationTimestamp = expirationTimestamp; this.credentials = credentials; + this.providerIdentifier = providerIdentifier; + this.queryIdentifier = queryIdentifier; } /** @@ -78,4 +102,27 @@ public class ResumableAuthenticationState { public Credentials getCredentials() { return this.credentials; } + + /** + * Retrieves the identifier of the authentication provider associated with this state. + * + * @return + * The identifier of the authentication provider, providing context for this state + * within the overall authentication sequence. + */ + public String getProviderIdentifier() { + return this.providerIdentifier; + } + + /** + * Retrieves the identifier for a specific query in the authentication + * process that is associated with this state. + * + * @return + * The query identifier used for retrieving a value representing the state within + * the provider's authentication process that should be resumed. + */ + public String getQueryIdentifier() { + return this.queryIdentifier; + } } From 9f1a8e66862e319256917c347b249a11ff19cc97 Mon Sep 17 00:00:00 2001 From: Alex Leitner Date: Thu, 4 Apr 2024 01:32:48 +0000 Subject: [PATCH 7/7] GUACAMOLE-1289: Add new translations and guacamole properties. --- .../auth/duo/UserVerificationService.java | 96 +++++++++---------- .../auth/duo/conf/ConfigurationService.java | 32 +++---- .../src/main/resources/translations/en.json | 3 +- .../src/main/resources/translations/ja.json | 3 +- guacamole-docker/bin/start.sh | 22 ++--- ...amoleInsufficientCredentialsException.java | 70 +++++++------- .../rest/auth/AuthenticationService.java | 26 ++--- .../auth/ResumableAuthenticationState.java | 2 +- 8 files changed, 127 insertions(+), 127 deletions(-) diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java index efd8a4357..26ab71221 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java @@ -102,60 +102,60 @@ public class UserVerificationService { try { - String redirectUrl = confService.getRedirectUrl().toString(); + String redirectUrl = confService.getRedirectUri().toString(); - String builtUrl = UriComponentsBuilder - .fromUriString(redirectUrl) - .queryParam(Credentials.RESUME_QUERY, DuoAuthenticationProvider.PROVIDER_IDENTIFER) - .build() - .toUriString(); + String builtUrl = UriComponentsBuilder + .fromUriString(redirectUrl) + .queryParam(Credentials.RESUME_QUERY, DuoAuthenticationProvider.PROVIDER_IDENTIFER) + .build() + .toUriString(); - // Set up the Duo Client - Client duoClient = new Client.Builder( - confService.getClientId(), - confService.getClientSecret(), - confService.getAPIHostname(), - builtUrl) - .build(); - - duoClient.healthCheck(); - - // Retrieve signed Duo Code and State from the request - String duoCode = request.getParameter(DUO_CODE_PARAMETER_NAME); - String duoState = request.getParameter(DUO_STATE_PARAMETER_NAME); + // Set up the Duo Client + Client duoClient = new Client.Builder( + confService.getClientId(), + confService.getClientSecret(), + confService.getAPIHostname(), + builtUrl) + .build(); - // If no code or state is received, assume Duo MFA redirect has not occured and do it. - if (duoCode == null || duoState == null) { + duoClient.healthCheck(); - // Get a new session state from the Duo client - duoState = duoClient.generateState(); - long expirationTimestamp = System.currentTimeMillis() + (confService.getAuthTimeout() * 1000L); + // Retrieve signed Duo Code and State from the request + String duoCode = request.getParameter(DUO_CODE_PARAMETER_NAME); + String duoState = request.getParameter(DUO_STATE_PARAMETER_NAME); - // Request additional credentials - throw new TranslatableGuacamoleInsufficientCredentialsException( - "Verification using Duo is required before authentication " - + "can continue.", "LOGIN.INFO_DUO_AUTH_REQUIRED", - new CredentialsInfo(Collections.singletonList( - new RedirectField( - DUO_CODE_PARAMETER_NAME, - new URI(duoClient.createAuthUrl(username, duoState)), - new TranslatableMessage("LOGIN.INFO_DUO_REDIRECT_PENDING") - ) - )), - duoState, DuoAuthenticationProvider.PROVIDER_IDENTIFER, - DUO_STATE_PARAMETER_NAME, expirationTimestamp - ); + // If no code or state is received, assume Duo MFA redirect has not occured and do it + if (duoCode == null || duoState == null) { - } - - // Get the token from the DuoClient using the code and username, and check status - Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, username); - if (token == null - || token.getAuth_result() == null - || !DUO_TOKEN_SUCCESS_VALUE.equals(token.getAuth_result().getStatus())) - throw new TranslatableGuacamoleClientException("Provided Duo " - + "validation code is incorrect.", - "LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT"); + // Get a new session state from the Duo client + duoState = duoClient.generateState(); + long expirationTimestamp = System.currentTimeMillis() + (confService.getAuthTimeout() * 1000L); + + // Request additional credentials + throw new TranslatableGuacamoleInsufficientCredentialsException( + "Verification using Duo is required before authentication " + + "can continue.", "LOGIN.INFO_DUO_AUTH_REQUIRED", + new CredentialsInfo(Collections.singletonList( + new RedirectField( + DUO_CODE_PARAMETER_NAME, + new URI(duoClient.createAuthUrl(username, duoState)), + new TranslatableMessage("LOGIN.INFO_DUO_REDIRECT_PENDING") + ) + )), + duoState, DuoAuthenticationProvider.PROVIDER_IDENTIFER, + DUO_STATE_PARAMETER_NAME, expirationTimestamp + ); + + } + + // Get the token from the DuoClient using the code and username, and check status + Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, username); + if (token == null + || token.getAuth_result() == null + || !DUO_TOKEN_SUCCESS_VALUE.equals(token.getAuth_result().getStatus())) + throw new TranslatableGuacamoleClientException("Provided Duo " + + "validation code is incorrect.", + "LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT"); } catch (DuoException e) { throw new GuacamoleServerException("Duo Client error.", e); diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java index 212b4a618..f6bed8073 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java @@ -55,8 +55,8 @@ public class ConfigurationService { }; /** - * The property within guacamole.properties which defines the integration - * key received from Duo for verifying Guacamole users. This value MUST be + * The property within guacamole.properties which defines the client id + * received from Duo for verifying Guacamole users. This value MUST be * exactly 20 characters. */ private static final StringGuacamoleProperty DUO_CLIENT_ID = @@ -79,17 +79,17 @@ public class ConfigurationService { public String getName() { return "duo-client-secret"; } }; - + /** - * The property within guacamole.properties which defines the redirect URL + * The property within guacamole.properties which defines the redirect URI * that Duo will call after the second factor has been completed. This - * should be the URL used to access Guacamole. + * should be the URI used to access Guacamole. */ - private static final URIGuacamoleProperty DUO_REDIRECT_URL = + private static final URIGuacamoleProperty DUO_REDIRECT_URI = new URIGuacamoleProperty() { - + @Override - public String getName() { return "duo-redirect-url"; } + public String getName() { return "duo-redirect-uri"; } }; @@ -140,8 +140,8 @@ public class ConfigurationService { } /** - * Returns the client secert received from Duo for verifying Guacamole users, - * as defined in guacamole.properties by the "duo-client-secert" property. + * Returns the client secret received from Duo for verifying Guacamole users, + * as defined in guacamole.properties by the "duo-client-secret" property. * This value MUST be exactly 20 characters. * * @return @@ -153,11 +153,11 @@ public class ConfigurationService { public String getClientSecret() throws GuacamoleException { return environment.getRequiredProperty(DUO_CLIENT_SECRET); } - + /** - * Return the callback URL that will be called by Duo after authentication - * with Duo has been completed. This should be the URL to return the user - * to the Guacamole interface, and will be a full URL. + * Return the callback URI that will be called by Duo after authentication + * with Duo has been completed. This should be the URI to return the user + * to the Guacamole interface, and will be a full URI. * * @return * The URL for Duo to use to callback to the Guacamole interface after @@ -167,8 +167,8 @@ public class ConfigurationService { * If guacamole.properties cannot be read, or if the property is not * defined. */ - public URI getRedirectUrl() throws GuacamoleException { - return environment.getRequiredProperty(DUO_REDIRECT_URL); + public URI getRedirectUri() throws GuacamoleException { + return environment.getRequiredProperty(DUO_REDIRECT_URI); } /** diff --git a/extensions/guacamole-auth-duo/src/main/resources/translations/en.json b/extensions/guacamole-auth-duo/src/main/resources/translations/en.json index 8682cba35..877f538b6 100644 --- a/extensions/guacamole-auth-duo/src/main/resources/translations/en.json +++ b/extensions/guacamole-auth-duo/src/main/resources/translations/en.json @@ -7,7 +7,8 @@ "LOGIN" : { "FIELD_HEADER_GUAC_DUO_SIGNED_RESPONSE" : "", "INFO_DUO_VALIDATION_CODE_INCORRECT" : "Duo validation code incorrect.", - "INFO_DUO_AUTH_REQUIRED" : "Please authenticate with Duo to continue." + "INFO_DUO_AUTH_REQUIRED" : "Please authenticate with Duo to continue.", + "INFO_DUO_REDIRECT_PENDING" : "Please wait, redirecting to Duo..." } } diff --git a/extensions/guacamole-auth-duo/src/main/resources/translations/ja.json b/extensions/guacamole-auth-duo/src/main/resources/translations/ja.json index 37ddde234..d3acef824 100644 --- a/extensions/guacamole-auth-duo/src/main/resources/translations/ja.json +++ b/extensions/guacamole-auth-duo/src/main/resources/translations/ja.json @@ -2,7 +2,8 @@ "LOGIN" : { "INFO_DUO_VALIDATION_CODE_INCORRECT" : "Duoの認証コードが間違っています。", - "INFO_DUO_AUTH_REQUIRED" : "Duoで認証してください。" + "INFO_DUO_AUTH_REQUIRED" : "Duoで認証してください。", + "INFO_DUO_REDIRECT_PENDING" : "Duoへリダイレクトしています。" } } diff --git a/guacamole-docker/bin/start.sh b/guacamole-docker/bin/start.sh index 02687d861..4588c0eb4 100755 --- a/guacamole-docker/bin/start.sh +++ b/guacamole-docker/bin/start.sh @@ -845,14 +845,13 @@ associate_totp() { ## ## Adds properties to guacamole.properties which configure the Duo two-factor -## authentication service. Checks to see if all variables are defined and makes sure -## DUO_APPLICATION_KEY is >= 40 characters. +## authentication service. Checks to see if all variables are defined ## associate_duo() { # Verify required parameters are present - if [ -z "$DUO_INTEGRATION_KEY" ] || \ - [ -z "$DUO_SECRET_KEY" ] || \ - [ ${#DUO_APPLICATION_KEY} -lt 40 ] + if [ -z "$DUO_CLIENT_ID" ] || \ + [ -z "$DUO_CLIENT_SECRET" ] || \ + [ -z "$DUO_REDIRECT_URI" ] then cat < entry = iterator.next(); ResumableAuthenticationState resumableState = entry.getValue(); - // Check if the provider ID from the request matches the one in the map entry. + // Check if the provider ID from the request matches the one in the map entry boolean providerMatches = resumableProviderId.equals(resumableState.getProviderIdentifier()); if (!providerMatches) { - // If the provider doesn't match, skip to the next entry. + // If the provider doesn't match, skip to the next entry continue; } - // Use the query identifier from the entry to retrieve the corresponding state parameter. + // Use the query identifier from the entry to retrieve the corresponding state parameter String stateQueryParameter = resumableState.getQueryIdentifier(); String stateFromParameter = request.getParameter(stateQueryParameter); - // Check if the `state` parameter is set. + // Check if a state parameter is set if (stateFromParameter == null || stateFromParameter.isEmpty()) { - // Remove and continue if `state` is not provided or is empty. + // Remove and continue if`state is not provided or is empty iterator.remove(); continue; } - // If the key in the entry (state) matches the state parameter provided in the request. + // If the key in the entry (state) matches the state parameter provided in the request if (entry.getKey().equals(stateFromParameter)) { - // Remove the current entry from the map. + // Remove the current entry from the map iterator.remove(); // Check if the resumableState has expired if (!resumableState.isExpired()) { - // Set the actualCredentials to the credentials from the matched entry. + // Set the actualCredentials to the credentials from the matched entry resumedCredentials = resumableState.getCredentials(); if (resumedCredentials != null) { @@ -423,7 +423,7 @@ public class AuthenticationService { } - // Exit the loop since we've found the matching state and it's unique. + // Exit the loop since we've found the matching state and it's unique break; } } diff --git a/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java b/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java index f295a8208..1aaa7ea57 100644 --- a/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java +++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java @@ -89,7 +89,7 @@ public class ResumableAuthenticationState { * indicating that the state is expired; false otherwise. */ public boolean isExpired() { - return System.currentTimeMillis() > expirationTimestamp; + return System.currentTimeMillis() >= expirationTimestamp; } /**