safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-1289: Merge upgrade to Duo API v4.

Browse Source
This commit is contained in:
James Muehlner
2024-04-05 10:14:43 -07:00
committed by GitHub
parent 83f0f193bd 9f1a8e6686
commit e182073c33
75 changed files with 2315 additions and 1724 deletions
Download Patch File Download Diff File Expand all files Collapse all files

115
guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java
View File

@@ -21,11 +21,14 @@ package org.apache.guacamole.rest.auth;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleSecurityException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.GuacamoleUnauthorizedException;
import org.apache.guacamole.GuacamoleSession;
import org.apache.guacamole.net.auth.AuthenticatedUser;
@@ -43,9 +46,13 @@ import org.glassfish.jersey.server.ContainerRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.google.inject.Singleton;
import java.util.Iterator;
/**
* A service for performing authentication checks in REST endpoints.
*/
@Singleton
public class AuthenticationService {
/**
@@ -96,6 +103,11 @@ public class AuthenticationService {
*/
public static final String TOKEN_PARAMETER_NAME = "token";
/**
* Map to store resumable authentication states with an expiration time.
*/
private Map<String, ResumableAuthenticationState> resumableStateMap = new ConcurrentHashMap<>();
/**
* Attempts authentication against all AuthenticationProviders, in order,
* using the provided credentials. The first authentication failure takes
@@ -310,6 +322,20 @@ public class AuthenticationService {
try {
userContext = authProvider.getUserContext(authenticatedUser);
}
catch (GuacamoleInsufficientCredentialsException e) {
// Store state and expiration
String state = e.getState();
long expiration = e.getExpires();
String queryIdentifier = e.getQueryIdentifier();
String providerIdentifier = e.getProviderIdentifier();
resumableStateMap.put(state, new ResumableAuthenticationState(providerIdentifier,
queryIdentifier, expiration, credentials));
throw new GuacamoleAuthenticationProcessException("User "
+ "authentication aborted during initial "
+ "UserContext creation.", authProvider, e);
}
catch (GuacamoleException | RuntimeException | Error e) {
throw new GuacamoleAuthenticationProcessException("User "
+ "authentication aborted during initial "
@@ -328,6 +354,82 @@ public class AuthenticationService {
return userContexts;
}
/**
* Resumes authentication using given credentials if a matching resumable
* state is found.
*
* @param credentials
* The initial credentials containing the request object.
*
* @return
* Resumed credentials if a valid resumable state is found; otherwise,
* returns null.
*/
private Credentials resumeAuthentication(Credentials credentials) {
Credentials resumedCredentials = null;
// Retrieve signed State from the request
HttpServletRequest request = credentials.getRequest();
// Retrieve the provider id from the query parameters
String resumableProviderId = request.getParameter(Credentials.RESUME_QUERY);
// Check if a provider id is set
if (resumableProviderId == null || resumableProviderId.isEmpty()) {
// Return if a provider id is not set
return null;
}
// Use an iterator to safely remove entries while iterating
Iterator<Map.Entry<String, ResumableAuthenticationState>> iterator = resumableStateMap.entrySet().iterator();
while (iterator.hasNext()) {
Map.Entry<String, ResumableAuthenticationState> entry = iterator.next();
ResumableAuthenticationState resumableState = entry.getValue();
// Check if the provider ID from the request matches the one in the map entry
boolean providerMatches = resumableProviderId.equals(resumableState.getProviderIdentifier());
if (!providerMatches) {
// If the provider doesn't match, skip to the next entry
continue;
}
// Use the query identifier from the entry to retrieve the corresponding state parameter
String stateQueryParameter = resumableState.getQueryIdentifier();
String stateFromParameter = request.getParameter(stateQueryParameter);
// Check if a state parameter is set
if (stateFromParameter == null || stateFromParameter.isEmpty()) {
// Remove and continue if`state is not provided or is empty
iterator.remove();
continue;
}
// If the key in the entry (state) matches the state parameter provided in the request
if (entry.getKey().equals(stateFromParameter)) {
// Remove the current entry from the map
iterator.remove();
// Check if the resumableState has expired
if (!resumableState.isExpired()) {
// Set the actualCredentials to the credentials from the matched entry
resumedCredentials = resumableState.getCredentials();
if (resumedCredentials != null) {
resumedCredentials.setRequest(request);
}
}
// Exit the loop since we've found the matching state and it's unique
break;
}
}
return resumedCredentials;
}
/**
* Authenticates a user using the given credentials and optional
@@ -367,11 +469,16 @@ public class AuthenticationService {
AuthenticatedUser authenticatedUser;
String authToken;
// Retrieve credentials if resuming authentication
Credentials actualCredentials = resumeAuthentication(credentials);
if (actualCredentials == null)
actualCredentials = credentials;
try {
// Get up-to-date AuthenticatedUser and associated UserContexts
authenticatedUser = getAuthenticatedUser(existingSession, credentials);
List<DecoratedUserContext> userContexts = getUserContexts(existingSession, authenticatedUser, credentials);
authenticatedUser = getAuthenticatedUser(existingSession, actualCredentials);
List<DecoratedUserContext> userContexts = getUserContexts(existingSession, authenticatedUser, actualCredentials);
// Update existing session, if it exists
if (existingSession != null) {
@@ -401,7 +508,7 @@ public class AuthenticationService {
// Log and rethrow any authentication errors
catch (GuacamoleAuthenticationProcessException e) {
listenerService.handleEvent(new AuthenticationFailureEvent(credentials,
listenerService.handleEvent(new AuthenticationFailureEvent(actualCredentials,
e.getAuthenticationProvider(), e.getCause()));
// Rethrow exception

128
guacamole/src/main/java/org/apache/guacamole/rest/auth/ResumableAuthenticationState.java Normal file
View File

@@ -0,0 +1,128 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.rest.auth;
import org.apache.guacamole.net.auth.Credentials;
/**
* Encapsulates the state information required for resuming an authentication
* process. This includes an expiration timestamp to determine state validity
* and the original credentials submitted by the user.
*/
public class ResumableAuthenticationState {
/**
* The timestamp at which this state should no longer be considered valid,
* measured in milliseconds since the Unix epoch.
*/
private long expirationTimestamp;
/**
* The original user credentials that were submitted at the start of the
* authentication process.
*/
private Credentials credentials;
/**
* A unique string identifying the authentication provider related to the state.
* This field allows the client to know which provider's authentication process
* should be resumed using this state.
*/
private String providerIdentifier;
/**
* A unique string that can be used to identify a specific query within the
* authentication process for the identified provider. This identifier can
* help the resumption of an authentication process.
*/
private String queryIdentifier;
/**
* Constructs a new ResumableAuthenticationState object with the specified
* expiration timestamp and user credentials.
*
* @param providerIdentifier
* The identifier of the authentication provider to which this resumable state pertains.
*
* @param queryIdenifier
* The identifier of the specific query within the provider's
* authentication process that this state corresponds to.
*
* @param expirationTimestamp
* The timestamp in milliseconds since the Unix epoch when this state
* expires and can no longer be used to resume authentication.
*
* @param credentials
* The Credentials object initially submitted by the user and associated
* with this resumable state.
*/
public ResumableAuthenticationState(String providerIdentifier, String queryIdentifier,
long expirationTimestamp, Credentials credentials) {
this.expirationTimestamp = expirationTimestamp;
this.credentials = credentials;
this.providerIdentifier = providerIdentifier;
this.queryIdentifier = queryIdentifier;
}
/**
* Checks if this resumable state has expired based on the stored expiration
* timestamp and the current system time.
*
* @return
* True if the current system time is after the expiration timestamp,
* indicating that the state is expired; false otherwise.
*/
public boolean isExpired() {
return System.currentTimeMillis() >= expirationTimestamp;
}
/**
* Retrieves the original credentials associated with this resumable state.
*
* @return
* The Credentials object containing user details that were submitted
* when the state was created.
*/
public Credentials getCredentials() {
return this.credentials;
}
/**
* Retrieves the identifier of the authentication provider associated with this state.
*
* @return
* The identifier of the authentication provider, providing context for this state
* within the overall authentication sequence.
*/
public String getProviderIdentifier() {
return this.providerIdentifier;
}
/**
* Retrieves the identifier for a specific query in the authentication
* process that is associated with this state.
*
* @return
* The query identifier used for retrieving a value representing the state within
* the provider's authentication process that should be resumed.
*/
public String getQueryIdentifier() {
return this.queryIdentifier;
}
}