GUACAMOLE-1289: Redirect back to Duo in case of unexpected failures or invalid tokens.

2025-09-07 13:41:21 +00:00 · 2024-04-25 18:43:00 -07:00
parent 4a0e9f310f
commit ed4c0ab779
1 changed files with 87 additions and 54 deletions
--- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
+++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
@@ -31,18 +31,25 @@ import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleServerException;
 import org.apache.guacamole.auth.duo.conf.ConfigurationService;
 import org.apache.guacamole.form.RedirectField;
-import org.apache.guacamole.language.TranslatableGuacamoleClientException;
 import org.apache.guacamole.language.TranslatableGuacamoleInsufficientCredentialsException;
 import org.apache.guacamole.language.TranslatableMessage;
 import org.apache.guacamole.net.auth.AuthenticatedUser;
 import org.apache.guacamole.net.auth.Credentials;
 import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
+import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;

 /**
 * Service for verifying the identity of a user against Duo.
 */
 public class UserVerificationService {

+    /**
+     * Logger for this class.
+     */
+    private static final Logger logger = LoggerFactory.getLogger(UserVerificationService.class);
+
    /**
     * The name of the HTTP parameter that Duo will use to communicate the
     * result of the user's attempt to authenticate with their service. This
@@ -143,7 +150,51 @@ public class UserVerificationService {

        // Redirect to Duo to obtain an authentication code if that redirect
        // has not yet occurred
-        if (duoCode == null || duoState == null) {
+        if (duoCode != null && duoState != null) {
+
+            // Validate that the user has successfully verified their identify with
+            // the Duo service
+            try {
+
+                // Note unexpected behavior (Duo is expected to always return
+                // a token)
+                Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, username);
+                if (token == null) {
+                    logger.warn("Duo did not return an authentication result "
+                            + "at all for the authentication attempt by user "
+                            + "\"{}\". This is unexpected behavior and may be "
+                            + "a bug in the Duo service or the Duo SDK. "
+                            + "Guacamole will attempt to automatically work "
+                            + "around the issue by making a fresh Duo "
+                            + "authentication request.", username);
+                }
+
+                // Warn if Duo explicitly denies authentication
+                else if (token.getAuth_result() == null || !DUO_TOKEN_SUCCESS_VALUE.equals(token.getAuth_result().getStatus())) {
+                    logger.warn("Duo did not return an explicitly successful "
+                            + "authentication result for the authentication "
+                            + "attempt by user \"{}\". The user will now be "
+                            + "redirected back to the Duo service to reattempt"
+                            + "authentication.", username);
+                }
+
+                // Allow user to continue authenticating with Guacamole only if
+                // Duo has validated their identity
+                else
+                    return;
+
+            }
+            catch (DuoException e) {
+                logger.debug("The Duo client failed internally while "
+                        + "attempting to validate the identity of user "
+                        + "\"{}\". This is commonly caused by stale query "
+                        + "parameters from an older Duo request remaining "
+                        + "present in the Guacamole URL. The user will now be "
+                        + "redirected back to the Duo service to reattempt "
+                        + "authentication.", e);
+            }
+
+        }

        // Store received credentials for later retrieval leveraging Duo's
        // opaque session state identifier (we need to maintain these
@@ -193,22 +244,4 @@ public class UserVerificationService {

    }

-        // Validate that the user has successfully verified their identify with
-        // the Duo service
-        try {
-            Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, username);
-            if (token == null || token.getAuth_result() == null
-                    || !DUO_TOKEN_SUCCESS_VALUE.equals(token.getAuth_result().getStatus()))
-                throw new TranslatableGuacamoleClientException("Provided Duo "
-                        + "validation code is incorrect.",
-                        "LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT");
-        }
-        catch (DuoException e) {
-            throw new GuacamoleServerException("Duo client refused to verify "
-                    + "the identity of the authenticating user due to an "
-                    + "underlying error condition.", e);
-        }
-
-    }
-
 }