safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 21:27:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-839: Move authentication session management service to internal common SSO library.

Browse Source
This commit is contained in:
Michael Jumper
2023-01-26 09:43:49 -08:00
parent 1015df6b47
commit f2c7d746ea
10 changed files with 188 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSession.java Normal file
View File

@@ -0,0 +1,58 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.auth.sso;
/**
* Representation of an in-progress authentication attempt.
*/
public class AuthenticationSession {
/**
* The absolute point in time after which this authentication session is
* invalid. This value is a UNIX epoch timestamp, as may be returned by
* {@link System#currentTimeMillis()}.
*/
private final long expirationTimestamp;
/**
* Creates a new AuthenticationSession representing an in-progress
* authentication attempt.
*
* @param expires
* The number of milliseconds that may elapse before this session must
* be considered invalid.
*/
public AuthenticationSession(long expires) {
this.expirationTimestamp = System.currentTimeMillis() + expires;
}
/**
* Returns whether this authentication session is still valid (has not yet
* expired).
*
* @return
* true if this authentication session is still valid, false if it has
* expired.
*/
public boolean isValid() {
return System.currentTimeMillis() < expirationTimestamp;
}
}

151
extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/AuthenticationSessionManager.java Normal file
View File

@@ -0,0 +1,151 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.auth.sso;
import com.google.common.base.Predicates;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
/**
* Manager service that temporarily stores a user's authentication status while
* the authentication flow is underway. Authentication attempts are represented
* as temporary authentication sessions, allowing authentication attempts to
* span multiple requests, redirects, etc. Invalid or stale authentication
* sessions are automatically purged from storage.
*
* @param <T>
* The type of sessions managed by this session manager.
*/
@Singleton
public class AuthenticationSessionManager<T extends AuthenticationSession> {
/**
* Generator of arbitrary, unique, unpredictable identifiers.
*/
@Inject
private IdentifierGenerator idGenerator;
/**
* Map of authentication session identifiers to their associated
* {@link AuthenticationSession}.
*/
private final ConcurrentMap<String, T> sessions = new ConcurrentHashMap<>();
/**
* Executor service which runs the periodic cleanup task
*/
private final ScheduledExecutorService executor =
Executors.newScheduledThreadPool(1);
/**
* Creates a new AuthenticationSessionManager that manages in-progress
* authentication attempts. Invalid, stale sessions are automatically
* cleaned up.
*/
public AuthenticationSessionManager() {
executor.scheduleAtFixedRate(() -> {
sessions.values().removeIf(Predicates.not(AuthenticationSession::isValid));
}, 1, 1, TimeUnit.MINUTES);
}
/**
* Resumes the Guacamole side of the authentication process that was
* previously deferred through a call to defer(). Once invoked, the
* provided value ceases to be valid for future calls to resume().
*
* @param identifier
* The unique string returned by the call to defer(). For convenience,
* this value may safely be null.
*
* @return
* The {@link AuthenticationSession} originally provided when defer()
* was invoked, or null if the session is no longer valid or no such
* value was returned by defer().
*/
public T resume(String identifier) {
if (identifier != null) {
T session = sessions.remove(identifier);
if (session != null && session.isValid())
return session;
}
return null;
}
/**
* Defers the Guacamole side of authentication for the user having the
* given authentication session such that it may be later resumed through a
* call to resume(). If authentication is never resumed, the session will
* automatically be cleaned up after it ceases to be valid.
*
* This method will automatically generate a new identifier.
*
* @param session
* The {@link AuthenticationSession} representing the in-progress
* authentication attempt.
*
* @return
* A unique and unpredictable string that may be used to represent the
* given session when calling resume().
*/
public String defer(T session) {
String identifier = idGenerator.generateIdentifier();
sessions.put(identifier, session);
return identifier;
}
/**
* Defers the Guacamole side of authentication for the user having the
* given authentication session such that it may be later resumed through a
* call to resume(). If authentication is never resumed, the session will
* automatically be cleaned up after it ceases to be valid.
*
* This method accepts an externally generated ID, which should be a UUID
* or similar unique identifier.
*
* @param session
* The {@link AuthenticationSession} representing the in-progress
* authentication attempt.
*
* @param identifier
* A unique and unpredictable string that may be used to represent the
* given session when calling resume().
*/
public void defer(T session, String identifier) {
sessions.put(identifier, session);
}
/**
* Shuts down the executor service that periodically removes all invalid
* authentication sessions. This must be invoked when the auth extension is
* shut down in order to avoid resource leaks.
*/
public void shutdown() {
executor.shutdownNow();
}
}

71
extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/IdentifierGenerator.java Normal file
View File

@@ -0,0 +1,71 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.guacamole.auth.sso;
import com.google.common.io.BaseEncoding;
import com.google.inject.Singleton;
import java.security.SecureRandom;
/**
* Generator of unique and unpredictable identifiers. Each generated identifier
* is an arbitrary, random string produced using a cryptographically-secure
* random number generator.
*/
@Singleton
public class IdentifierGenerator {
/**
* Cryptographically-secure random number generator for generating unique
* identifiers.
*/
private final SecureRandom secureRandom = new SecureRandom();
/**
* Generates a unique and unpredictable identifier. Each identifier is at
* least 256-bit and produced using a cryptographically-secure random
* number generator.
*
* @return
* A unique and unpredictable identifier with at least 256 bits of
* entropy.
*/
public String generateIdentifier() {
return generateIdentifier(256);
}
/**
* Generates a unique and unpredictable identifier having at least the
* given number of bits of entropy. The resulting identifier may have more
* than the number of bits required.
*
* @param minBits
* The number of bits of entropy that the identifier should contain.
*
* @return
* A unique and unpredictable identifier with at least the given number
* of bits of entropy.
*/
public String generateIdentifier(int minBits) {
byte[] bytes = new byte[(minBits + 23) / 24 * 3]; // Round up to nearest multiple of 3 bytes, as base64 encodes blocks of 3 bytes at a time
secureRandom.nextBytes(bytes);
return BaseEncoding.base64().encode(bytes);
}
}

18
extensions/guacamole-auth-sso/modules/guacamole-auth-sso-base/src/main/java/org/apache/guacamole/auth/sso/NonceService.java
View File

@@ -19,9 +19,8 @@
package org.apache.guacamole.auth.sso;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
@@ -33,23 +32,28 @@ import java.util.concurrent.ConcurrentHashMap;
public class NonceService {
/**
* Cryptographically-secure random number generator for generating the
* required nonce.
* Generator of arbitrary, unique, unpredictable identifiers.
*/
private final SecureRandom random = new SecureRandom();
@Inject
private IdentifierGenerator idGenerator;
/**
* Map of all generated nonces to their corresponding expiration timestamps.
* This Map must be periodically swept of expired nonces to avoid growing
* without bound.
*/
private final Map<String, Long> nonces = new ConcurrentHashMap<String, Long>();
private final Map<String, Long> nonces = new ConcurrentHashMap<>();
/**
* The timestamp of the last expired nonce sweep.
*/
private long lastSweep = System.currentTimeMillis();
/**
* The minimum number of bits of entropy to include in each nonce.
*/
private static final int NONCE_BITS = 128;
/**
* The minimum amount of time to wait between sweeping expired nonces from
* the Map.
@@ -102,7 +106,7 @@ public class NonceService {
sweepExpiredNonces();
// Generate and store nonce, along with expiration timestamp
String nonce = new BigInteger(130, random).toString(32);
String nonce = idGenerator.generateIdentifier(NONCE_BITS);
nonces.put(nonce, System.currentTimeMillis() + maxAge);
return nonce;