GUACAMOLE-1780: Merge changes adding MFA compatibility to SSO support.

2025-09-06 05:07:41 +00:00 · 2023-07-06 08:27:31 -07:00
parent 28ce49f8ec 97f93fa5c5
commit e46d06e6b8
11 changed files with 400 additions and 17 deletions
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSessionManager.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSessionManager.java
@@ -19,8 +19,10 @@

 package org.apache.guacamole.auth.sso;

-import com.google.common.base.Predicates;
 import com.google.inject.Inject;
+import com.google.inject.Singleton;
+
+import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.Executors;
@@ -37,6 +39,7 @@ import java.util.concurrent.TimeUnit;
 * @param <T>
 *     The type of sessions managed by this session manager.
 */
+@Singleton
 public class AuthenticationSessionManager<T extends AuthenticationSession> {

    /**
@@ -51,6 +54,16 @@ public class AuthenticationSessionManager<T extends AuthenticationSession> {
     */
    private final ConcurrentMap<String, T> sessions = new ConcurrentHashMap<>();

+    /**
+     * Set of identifiers of all sessions that are in a pending state, meaning
+     * that the session was successfully created, but the overall auth result
+     * has not yet been determined.
+     *
+     * Exposed as a ConcurrentMap instead of a Set because there is no
+     * ConcurrentSet class offering the required atomic operations.
+     */
+    private final ConcurrentMap<String, Boolean> pendingSessions = new ConcurrentHashMap<>();
+
    /**
     * Executor service which runs the periodic cleanup task
     */
@@ -64,7 +77,13 @@ public class AuthenticationSessionManager<T extends AuthenticationSession> {
     */
    public AuthenticationSessionManager() {
        executor.scheduleAtFixedRate(() -> {
-            sessions.values().removeIf(Predicates.not(AuthenticationSession::isValid));
+
+            // Invalidate any stale sessions
+            for (Map.Entry<String, T> entry : sessions.entrySet()) {
+                if (!entry.getValue().isValid()) 
+                    invalidateSession(entry.getKey());
+            }
+
        }, 1, 1, TimeUnit.MINUTES);
    }

@@ -82,6 +101,43 @@ public class AuthenticationSessionManager<T extends AuthenticationSession> {
        return idGenerator.generateIdentifier();
    }

+    /**
+     * Remove the session associated with the given identifier, if any, from the
+     * map of sessions, and the set of pending sessions.
+     *
+     * @param identifier
+     *     The identifier of the session to remove, if one exists.
+     */
+    public void invalidateSession(String identifier) {
+
+        // Do not attempt to remove a null identifier
+        if (identifier == null)
+            return;
+
+        // Remove from the overall list of sessions
+        sessions.remove(identifier);
+
+        // Remove from the set of pending sessions
+        pendingSessions.remove(identifier);
+
+    }
+
+    /**
+     * Reactivate (remove from pending) the session associated with the given
+     * session identifier, if any. After calling this method, any session with
+     * the given identifier will be ready to be resumed again.
+     * 
+     * @param identifier
+     *     The identifier of the session to reactivate, if one exists.
+     */
+    public void reactivateSession(String identifier) {
+
+        // Remove from the set of pending sessions to reactivate
+        if (identifier != null)
+            pendingSessions.remove(identifier);
+
+    }
+
    /**
     * Resumes the Guacamole side of the authentication process that was
     * previously deferred through a call to defer(). Once invoked, the
@@ -97,9 +153,21 @@ public class AuthenticationSessionManager<T extends AuthenticationSession> {
     *     value was returned by defer().
     */
    public T resume(String identifier) {
-
        if (identifier != null) {
-            T session = sessions.remove(identifier);
+
+            T session = sessions.get(identifier);
+
+            // Mark the session as pending. NOTE: Unless explicitly removed
+            // from pending status via a call to reactivateSession(),
+            // the next attempt to resume this session will fail
+            if (pendingSessions.putIfAbsent(identifier, true) != null) {
+
+                // If the session was already marked as pending, invalidate it
+                invalidateSession(identifier);
+                return null;
+
+            }
+
            if (session != null && session.isValid())
                return session;
        }
--- a/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/SSOAuthenticationEventListener.java
+++ b/extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/SSOAuthenticationEventListener.java
@@ -0,0 +1,115 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.sso;
+
+import org.apache.guacamole.GuacamoleClientException;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleSecurityException;
+import org.apache.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
+import org.apache.guacamole.net.event.AuthenticationFailureEvent;
+import org.apache.guacamole.net.event.AuthenticationRequestReceivedEvent;
+import org.apache.guacamole.net.event.CredentialEvent;
+import org.apache.guacamole.net.event.listener.Listener;
+
+/**
+ * A Listener that will reactivate or invalidate SSO auth sessions depending on
+ * overall auth success or failure.
+ */
+public abstract class SSOAuthenticationEventListener implements Listener {
+
+    @Override
+    public void handleEvent(Object event) throws GuacamoleException {
+
+        // If the authentication attempt is incomplete or credentials cannot be
+        // extracted, there's nothing to do
+        if (event instanceof AuthenticationRequestReceivedEvent
+                || !(event instanceof CredentialEvent))
+            return;
+
+        // Look for a session identifier associated with these credentials
+        String sessionIdentifier = getSessionIdentifier(
+                ((CredentialEvent) event).getCredentials());
+
+        // If no session is associated with these credentials, there's
+        // nothing to do
+        if (sessionIdentifier == null)
+            return;
+
+        // If the SSO auth succeeded, but other auth providers failed to
+        // authenticate the user associated with the credentials in this
+        // failure event, they may wish to make another login attempt. To
+        // avoid an infinite login attempt loop, re-enable the session
+        // associated with these credentials, allowing the auth attempt to be
+        // resumed without requiring another round trip to the SSO service.
+        if (event instanceof AuthenticationFailureEvent) {
+            Throwable failure = ((AuthenticationFailureEvent) event).getFailure();
+
+            // If and only if the failure was associated with missing or
+            // credentials, or a non-security related request issue,
+            // reactivate the session
+            if (failure instanceof GuacamoleInsufficientCredentialsException
+                    || ((failure instanceof GuacamoleClientException)
+                    && !(failure instanceof GuacamoleSecurityException))) {
+
+                reactivateSession(sessionIdentifier);
+                return;
+
+            }
+
+        }
+
+        // Invalidate the session in all other cases
+        invalidateSession(sessionIdentifier);
+
+    }
+
+    /**
+     * Get the session identifier associated with the provided credentials,
+     * if any. If no session is associated with the credentials, null will
+     * be returned.
+     *
+     * @param credentials
+     *     The credentials assoociated with the deferred SSO authentication
+     *     session to reactivate.
+     *
+     * @return
+     *     The session identifier associated with the provided credentials,
+     *     or null if no session is found.
+     */
+    protected abstract String getSessionIdentifier(Credentials credentials);
+
+    /**
+     * Reactivate the session identified by the provided identifier, if any.
+     *
+     * @param sessionIdentifier
+     *     The identifier of the session to reactivate.
+     */
+    protected abstract void reactivateSession(String sessionIdentifier);
+
+    /**
+     * Invalidate the session identified by the provided identifier, if any.
+     *
+     * @param sessionIdentifier
+     *     The identifier of the session to invalidate.
+     */
+    protected abstract void invalidateSession(String sessionIdentifier);
+
+}