pp7En commented on code in PR #984:
URL: https://github.com/apache/guacamole-client/pull/984#discussion_r1643071874


##########
extensions/guacamole-auth-nextcloud/src/main/java/org/apache/guacamole/auth/nextcloud/NextcloudJwtAuthenticationProvider.java:
##########
@@ -0,0 +1,269 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.guacamole.auth.nextcloud;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.inject.Guice;
+import com.google.inject.Inject;
+import com.google.inject.Injector;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+import java.util.Date;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.guacamole.GuacamoleException;
+import org.apache.guacamole.GuacamoleSecurityException;
+import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
+import org.apache.guacamole.net.auth.AuthenticatedUser;
+import org.apache.guacamole.net.auth.Credentials;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Allows a pre-check of users with encrypted Nextcloud JWT data blocks.
+ * The username in the JWT will be compared with a list in 
guacamole.properties.
+ * The JWT will be verified with the public key. If the JWT is valid, the login
+ * page will be loaded. If the JWT is missing or invalid, an exception message
+ * will be displayed.
+ */
+public class NextcloudJwtAuthenticationProvider extends 
AbstractAuthenticationProvider {
+
+    /**
+     * The duration in minutes for which a token remains valid.
+     *
+     * This short validity period increases security, as the time window for 
potential misuse,
+     * e.g. by stolen tokens, is limited. Nextcloud always generates a new 
valid token when the
+     * Guacamole login screen will be open through the Nextcloud plugin 
“External sites”.
+     */
+    private static final int MINUTES_TOKEN_VALID = 1;
+
+    /**
+     * Injector which will manage the object graph of this authentication
+     * provider.
+     */
+    private final Injector injector;
+
+    /**
+     * The configuration service for this module.
+     */
+    @Inject
+    private ConfigurationService confService;
+
+    /**
+     * Logger for this class.
+     */
+    private static final Logger logger = 
LoggerFactory.getLogger(NextcloudJwtAuthenticationProvider.class);
+
+    /**
+     * Creates a new NextcloudJwtAuthenticationProvider that authenticates 
user.
+     *
+     * @throws GuacamoleException
+     *     If a required property is missing, or an error occurs while parsing
+     *     a property.
+     */
+    public NextcloudJwtAuthenticationProvider() throws GuacamoleException {
+
+        // Set up Guice injector.
+        injector = Guice.createInjector(new 
NextcloudJwtAuthenticationProviderModule(this));
+
+    }
+
+    @Override
+    public String getIdentifier() {
+        return "nextcloud";
+    }
+
+    /**
+     * Authenticates a user based on the provided credentials.
+     *
+     * @param
+     *     credentials The credentials containing the user's authentication 
data.
+     *
+     * @return
+     *     AuthenticatedUser The authenticated user, or null if the request is 
from a local address.
+     *
+     * @throws
+     *     GuacamoleException If there is an issue with the authentication 
process.
+     *
+     * @throws
+     *     GuacamoleSecurityException If the JWT is invalid.
+     */
+    @Override
+    public AuthenticatedUser authenticateUser(Credentials credentials) throws 
GuacamoleException {
+
+        // Retrieve the HTTP request and extract the token and ip address.
+        HttpServletRequest request = credentials.getRequest();
+        String token = request.getParameter(confService.getTokenName());
+        String ipaddr = request.getRemoteAddr();
+
+        // If the request from ip address is allowed, jwt authentication is 
not required.
+        boolean localAddr = this.validIpAddress(ipaddr);
+        if (localAddr) {
+            logger.info("Request from local address {}", ipaddr);
+            return null;
+        }
+
+        // Fails if the token is not present or has not been found.
+        if (token == null) {
+            throw new GuacamoleException("Missing token.");
+        }
+
+        try {
+            this.validateJwt(token);
+            logger.info("Token valid.");
+        }
+        catch (final GuacamoleException ex) {
+            logger.error("Token validation failed.", ex);
+            throw new GuacamoleException(ex.getMessage());
+        }
+        return null;
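Review bot: The catch block at the end of authenticateUser drops the exception's type and cause — `throw new GuacamoleException(ex.getMessage())` turns whatever validateJwt threw (including the GuacamoleSecurityException the method's Javadoc promises) into a plain GuacamoleException, so callers can no longer tell an invalid token from an internal failure, and the stack of the original is lost except in the log line. Since the caught value is already a GuacamoleException, `throw ex;` preserves both; the same consideration applies to `throw new GuacamoleException("Missing token.")`, which is a credential failure rather than a generic error and is presumably better expressed as a GuacamoleSecurityException (or Guacamole's invalid-credentials exception) so the front end treats it as a rejected login. Separately, the IP-based bypass keys on `request.getRemoteAddr()`, which is the address of the nearest TCP peer: if a reverse proxy sits in front of Guacamole and that proxy's address is in the allowed list, every request would skip the JWT check — if that deployment is expected, a comment at the bypass (`// NOTE: getRemoteAddr() is the proxy when behind a reverse proxy; do not allow-list it`) or use of Guacamole's forwarded-address handling seems warranted (validIpAddress and validateJwt are outside this hunk). authenticateUser's closing brace is also outside the hunk.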

Review Comment:
   I think you're right. Although a user won't be completely logged in if 2FA is enabled together with the "Nextcloud JWT" extension, a second factor is still a second factor, and I don't think it should be bypassed (if that is even possible). Anyone who finds this inconvenient can deactivate 2FA.


