GUACAMOLE-136: Rename overly-generic AuthenticationProviderService to UserVerificationService.
Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/e6f0b7df Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/e6f0b7df Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/e6f0b7df Branch: refs/heads/master Commit: e6f0b7df179266ba2b023b5cbaa24951c7b5d6ac Parents: c3c553a Author: Michael Jumper <[email protected]> Authored: Mon Dec 5 21:33:50 2016 -0800 Committer: Michael Jumper <[email protected]> Committed: Mon Dec 5 22:19:46 2016 -0800 ---------------------------------------------------------------------- .../auth/duo/AuthenticationProviderService.java | 109 ------------------- .../auth/duo/DuoAuthenticationProvider.java | 6 +- .../duo/DuoAuthenticationProviderModule.java | 2 +- .../auth/duo/UserVerificationService.java | 108 ++++++++++++++++++ 4 files changed, 112 insertions(+), 113 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/e6f0b7df/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/AuthenticationProviderService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/AuthenticationProviderService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/AuthenticationProviderService.java deleted file mode 100644 index c3dd8ee..0000000 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/AuthenticationProviderService.java +++ /dev/null 
@@ -1,109 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.guacamole.auth.duo; - -import com.google.inject.Inject; -import java.util.Collections; -import javax.servlet.http.HttpServletRequest; -import org.apache.guacamole.GuacamoleClientException; -import org.apache.guacamole.GuacamoleException; -import org.apache.guacamole.auth.duo.conf.ConfigurationService; -import org.apache.guacamole.auth.duo.form.DuoSignedResponseField; -import org.apache.guacamole.form.Field; -import org.apache.guacamole.net.auth.AuthenticatedUser; -import org.apache.guacamole.net.auth.Credentials; -import org.apache.guacamole.net.auth.credentials.CredentialsInfo; -import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException; - -/** - * Service providing convenience functions for the Duo AuthenticationProvider - * implementation. - */ -public class AuthenticationProviderService { - - /** - * Service for retrieving Duo configuration information. - */ - @Inject - private ConfigurationService confService; - - /** - * Service for verifying users with the DuoWeb API. 
- */ - @Inject - private DuoWebService duoWebService; - - /** - * Verifies the identity of the given user via the Duo multi-factor - * authentication service. If a signed response from Duo has not already - * been provided, a signed response from Duo is requested in the - * form of additional expected credentials. Any provided signed response - * is cryptographically verified. If no signed response is present, or the - * signed response is invalid, an exception is thrown. - * - * @param authenticatedUser - * The user whose identity should be verified against Duo. - * - * @throws GuacamoleException - * If required Duo-specific configuration options are missing or - * malformed, or if the user's identity cannot be verified. - */ - public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser) - throws GuacamoleException { - - // Pull the original HTTP request used to authenticate - Credentials credentials = authenticatedUser.getCredentials(); - HttpServletRequest request = credentials.getRequest(); - - // Ignore anonymous users - if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER)) - return; - - // Retrieve signed Duo response from request - String signedResponse = request.getParameter(DuoSignedResponseField.PARAMETER_NAME); - - // If no signed response, request one - if (signedResponse == null) { - - // Create field which requests a signed response from Duo that - // verifies the identity of the given user via the configured - // Duo API endpoint - Field signedResponseField = new DuoSignedResponseField( - confService.getAPIHostname(), - duoWebService.createSignedRequest(authenticatedUser)); - - // Create an overall description of the additional credentials - // required to verify identity - CredentialsInfo expectedCredentials = new CredentialsInfo( - Collections.singletonList(signedResponseField)); - - // Request additional credentials - throw new GuacamoleInsufficientCredentialsException( - "LOGIN.INFO_DUO_AUTH_REQUIRED", 
expectedCredentials); - - } - - // If signed response does not verify this user's identity, abort auth - if (!duoWebService.isValidSignedResponse(authenticatedUser, signedResponse)) - throw new GuacamoleClientException("LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT"); - - } - -} http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/e6f0b7df/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProvider.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProvider.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProvider.java index bcf8c83..ccb1c40 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProvider.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProvider.java @@ -78,11 +78,11 @@ public class DuoAuthenticationProvider implements AuthenticationProvider { public UserContext getUserContext(AuthenticatedUser authenticatedUser) throws GuacamoleException { - AuthenticationProviderService authProviderService = - injector.getInstance(AuthenticationProviderService.class); + UserVerificationService verificationService = + injector.getInstance(UserVerificationService.class); // Verify user against Duo service - authProviderService.verifyAuthenticatedUser(authenticatedUser); + verificationService.verifyAuthenticatedUser(authenticatedUser); // User has been verified, and authentication should be allowed to // continue http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/e6f0b7df/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java ---------------------------------------------------------------------- 
diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java index c3c129c..2dfc4eb 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/DuoAuthenticationProviderModule.java @@ -72,9 +72,9 @@ public class DuoAuthenticationProviderModule extends AbstractModule { bind(Environment.class).toInstance(environment); // Bind Duo-specific services - bind(AuthenticationProviderService.class); bind(ConfigurationService.class); bind(DuoWebService.class); + bind(UserVerificationService.class); } http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/e6f0b7df/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java ---------------------------------------------------------------------- diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java new file mode 100644 index 0000000..3209be2 --- /dev/null +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java 
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.duo;
+
+import com.google.inject.Inject;
+import java.util.Collections;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.guacamole.GuacamoleClientException;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.auth.duo.conf.ConfigurationService;
+import org.apache.guacamole.auth.duo.form.DuoSignedResponseField;
+import org.apache.guacamole.form.Field;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
+import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
+
+/**
+ * Service for verifying the identity of a user against Duo.
+ */
+public class UserVerificationService {
+
+ /**
+ * Service for retrieving Duo configuration information.
+ */
+ @Inject
+ private ConfigurationService confService;
+
+ /**
+ * Service for verifying users with the DuoWeb API.
+ */
+ @Inject
+ private DuoWebService duoWebService;
+
+ /**
+ * Verifies the identity of the given user via the Duo multi-factor
+ * authentication service. If a signed response from Duo has not already
+ * been provided, a signed response from Duo is requested in the
+ * form of additional expected credentials. Any provided signed response
+ * is cryptographically verified. If no signed response is present, or the
+ * signed response is invalid, an exception is thrown.
+ *
+ * @param authenticatedUser
+ * The user whose identity should be verified against Duo.
+ *
+ * @throws GuacamoleException
+ * If required Duo-specific configuration options are missing or
+ * malformed, or if the user's identity cannot be verified.
+ */
+ public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser)
+ throws GuacamoleException {
+
+ // Pull the original HTTP request used to authenticate
+ Credentials credentials = authenticatedUser.getCredentials();
+ HttpServletRequest request = credentials.getRequest();
+
+ // Ignore anonymous users
+ if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER))
+ return;
+
+ // Retrieve signed Duo response from request
+ String signedResponse = request.getParameter(DuoSignedResponseField.PARAMETER_NAME);
+
+ // If no signed response, request one
+ if (signedResponse == null) {
+
+ // Create field which requests a signed response from Duo that
+ // verifies the identity of the given user via the configured
+ // Duo API endpoint
+ Field signedResponseField = new DuoSignedResponseField(
+ confService.getAPIHostname(),
+ duoWebService.createSignedRequest(authenticatedUser));
+
+ // Create an overall description of the additional credentials
+ // required to verify identity
+ CredentialsInfo expectedCredentials = new CredentialsInfo(
+ Collections.singletonList(signedResponseField));
+
+ // Request additional credentials
+ throw new GuacamoleInsufficientCredentialsException(
+ "LOGIN.INFO_DUO_AUTH_REQUIRED", expectedCredentials);
+
+ }
+
+ // If signed response does not verify this user's identity, abort auth
+ if (!duoWebService.isValidSignedResponse(authenticatedUser, signedResponse))
+ throw new GuacamoleClientException("LOGIN.INFO_DUO_VALIDATION_CODE_INCORRECT");
+
+ }
+
+}
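Review bot: In `verifyAuthenticatedUser`, `request.getParameter(DuoSignedResponseField.PARAMETER_NAME)` dereferences the result of `credentials.getRequest()` with no null check; if credentials can reach this service without an attached HTTP request (not visible from this hunk), the Duo step ends in a NullPointerException instead of a controlled authentication failure. Treating a missing request as a missing signed response keeps the path fail-closed: `String signedResponse = (request != null) ? request.getParameter(DuoSignedResponseField.PARAMETER_NAME) : null;`. Separately, the early `return` for `AuthenticatedUser.ANONYMOUS_IDENTIFIER` exempts those sessions from the second factor, and the comment `// Ignore anonymous users` does not say why that is acceptable; it should state the reason, for example `// Anonymous users have no Duo identity to verify, so the second factor is skipped` if that is the intent. Both points are carried over unchanged from the deleted AuthenticationProviderService.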
