GUACAMOLE-1289: Resolve bug with relogging in. Remove spring dependen…

…cy and update dependencies with vulnerabilities.

doc/licenses/okhttp-4.9.1/NOTICE → doc/licenses/okhttp-4.12.0/NOTICE

@@ -1,4 +1,4 @@
-Copyright 2021 Square, Inc.
+Copyright 2023 Square, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

doc/licenses/okhttp-4.9.1/README → doc/licenses/okhttp-4.12.0/README

@@ -1,7 +1,7 @@
 okhttp (https://square.github.io/okhttp/)
 ---------------------------------------------
 
-    Version: 4.9.1
+    Version: 4.12.0
     From: 'Square Inc'
     License(s):
         Apache 2.0

doc/licenses/okhttp-4.12.0/dep-coordinates.txt

@@ -0,0 +1,2 @@
+com.squareup.okhttp3:okhttp:jar:4.12.0
+com.squareup.okhttp3:logging-interceptor:jar:4.12.0

doc/licenses/okio-2.8.0/NOTICE → doc/licenses/okio-3.6.0/NOTICE

@@ -1,4 +1,4 @@
-Copyright 2020 Square, Inc.
+Copyright 2023 Square, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

doc/licenses/okio-2.8.0/README → doc/licenses/okio-3.6.0/README

@@ -1,7 +1,7 @@
 okio (https://square.github.io/okio/)
 ---------------------------------------------
 
-    Version: 2.8.0
+    Version: 3.6.0
     From: 'Square Inc'
     License(s):
         Apache 2.0 (bundled/retrofit-2.9.0/LICENSE.txt)

doc/licenses/okio-3.6.0/dep-coordinates.txt

@@ -0,0 +1,2 @@
+com.squareup.okio:okio:jar:3.6.0
+com.squareup.okio:okio-jvm:jar:3.6.0

doc/licenses/spring-web-5.3.25/README → doc/licenses/spring-web-5.3.33/README

@@ -1,7 +1,7 @@
 Spring Framework (https://spring.io/projects/spring-framework)
 --------------------------------------------------------------
 
-    Version: 5.3.25
+    Version: 5.3.33
     From: 'Spring' (https://spring.io/)
     License(s):
         Apache v2.0

doc/licenses/spring-web-5.3.33/dep-coordinates.txt

@@ -0,0 +1,4 @@
+org.springframework:spring-web:jar:5.3.33
+org.springframework:spring-beans:jar:5.3.33
+org.springframework:spring-core:jar:5.3.33
+org.springframework:spring-jcl:jar:5.3.33

extensions/guacamole-auth-duo/pom.xml

@@ -47,20 +47,32 @@
             <dependency>
                 <groupId>com.squareup.okhttp3</groupId>
                 <artifactId>okhttp</artifactId>
-                <version>4.9.1</version> <!-- Specify the desired version -->
+                <version>4.12.0</version> <!-- Specify the desired version -->
+            </dependency>
+
+            <dependency>
+                <groupId>com.squareup.okhttp3</groupId>
+                <artifactId>logging-interceptor</artifactId>
+                <version>4.12.0</version>
             </dependency>
 
             <!-- Force the use of a consistent version of Kotlin standard library common -->
             <dependency>
                 <groupId>org.jetbrains.kotlin</groupId>
                 <artifactId>kotlin-stdlib-common</artifactId>
-                <version>1.4.10</version>
+                <version>1.9.23</version>
             </dependency>
 
             <dependency>
                 <groupId>org.jetbrains.kotlin</groupId>
                 <artifactId>kotlin-stdlib</artifactId>
-                <version>1.4.10</version>
+                <version>1.9.23</version>
+            </dependency>
+
+            <dependency>
+                <groupId>org.jetbrains.kotlin</groupId>
+                <artifactId>kotlin-stdlib-jdk8</artifactId>
+                <version>1.9.23</version>
             </dependency>
 
         </dependencies>
@@ -95,20 +107,20 @@
             <version>2.5</version>
             <scope>provided</scope>
         </dependency>
+
+        <dependency>
+            <groupId>jakarta.ws.rs</groupId>
+            <artifactId>jakarta.ws.rs-api</artifactId>
+            <version>2.1.6</version>
+            <scope>provided</scope>
+        </dependency>
 
         <!-- Duo SDK -->
         <dependency>
             <groupId>com.duosecurity</groupId>
             <artifactId>duo-universal-sdk</artifactId>
             <version>1.1.3</version>
         </dependency>
-
-        <!-- spring-web -->
-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-web</artifactId>
-            <version>5.3.25</version>
-        </dependency>
 
     </dependencies>
 

extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java

@@ -27,6 +27,7 @@
 import java.net.URISyntaxException;
 import java.util.Collections;
 import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.core.UriBuilder;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.GuacamoleServerException;
 import org.apache.guacamole.auth.duo.conf.ConfigurationService;
@@ -39,7 +40,6 @@
 import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.web.util.UriComponentsBuilder;
 
 /**
  * Service for verifying the identity of a user against Duo.
@@ -102,13 +102,9 @@ public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser)
 
         try {
 
-            String redirectUrl = confService.getRedirectUri().toString();
-
-            String builtUrl = UriComponentsBuilder
-                    .fromUriString(redirectUrl)
+            String builtUrl = UriBuilder.fromUri(confService.getRedirectUri().toString())
                     .queryParam(Credentials.RESUME_QUERY, DuoAuthenticationProvider.PROVIDER_IDENTIFER)
-                    .build()
-                    .toUriString();
+                    .build().toString();
 
             // Set up the Duo Client
             Client duoClient = new Client.Builder(
@@ -120,15 +116,10 @@ public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser)
 
             duoClient.healthCheck();
 
-            // Retrieve signed Duo Code and State from the request
-            String duoCode = request.getParameter(DUO_CODE_PARAMETER_NAME);
-            String duoState = request.getParameter(DUO_STATE_PARAMETER_NAME);
-
-            // If no code or state is received, assume Duo MFA redirect has not occured and do it
-            if (duoCode == null || duoState == null) {
+            if (!credentials.isAuthenticationResumed()) {
 
                 // Get a new session state from the Duo client
-                duoState = duoClient.generateState();
+                String duoState = duoClient.generateState();
                 long expirationTimestamp = System.currentTimeMillis() + (confService.getAuthTimeout() * 1000L);
 
                 // Request additional credentials
@@ -147,6 +138,9 @@ public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser)
                 );
 
             }
+
+            // Retrieve signed Duo Code and State from the request
+            String duoCode = request.getParameter(DUO_CODE_PARAMETER_NAME);
 
             // Get the token from the DuoClient using the code and username, and check status
             Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, username);

guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java

@@ -48,6 +48,12 @@ public class Credentials implements Serializable {
      * Unique identifier associated with this specific version of Credentials.
      */
     private static final long serialVersionUID = 1L;
+
+    /**
+     * Flag indicating whether these credentials are part of an ongoing
+     * authentication process that is to be resumed.
+     */
+    private Boolean authenticationResumed;
 
     /**
      * An arbitrary username.
@@ -84,9 +90,9 @@ public class Credentials implements Serializable {
 
     /**
      * Construct a Credentials object with the given username, password,
-     * and HTTP request.  The information is assigned to the various
-     * storage objects, and the remote hostname and address is parsed out
-     * of the request object.
+     * HTTP request. The information is assigned to 
+     * the various storage objects, and the remote hostname and address is 
+     * parsed out of the request object.
      * 
      * @param username
      *     The username that was provided for authentication.
@@ -98,20 +104,43 @@ public class Credentials implements Serializable {
      *     The HTTP request associated with the authentication
      *     request.
      */
-    public Credentials(String username, String password, HttpServletRequest request) {
+    public Credentials(String username, String password, 
+            HttpServletRequest request) {
         this.username = username;
         this.password = password;
         this.request = request;
+        this.authenticationResumed = false;
+
+        if (request != null) {
+            // Set the remote address
+            this.remoteAddress = request.getRemoteAddr();
 
-        // Set the remote address
-        this.remoteAddress = request.getRemoteAddr();
+            // Get the remote hostname
+            this.remoteHostname = request.getRemoteHost();
 
-        // Get the remote hostname
-        this.remoteHostname = request.getRemoteHost();
+            // If session exists get it, but don't create a new one.
+            this.session = request.getSession(false);
+        }
 
-        // If session exists get it, but don't create a new one.
-        this.session = request.getSession(false);
+    }
+
+    /**
+     * Checks if the current authentication process is a resumed one.
+     *
+     * @return True if authentication is resumed, otherwise false.
+     */
+    public Boolean isAuthenticationResumed() {
+        return authenticationResumed;
+    }
 
+    /**
+     * Sets the flag indicating whether the authentication process should be 
+     * resumed.
+     *
+     * @param authenticationResumed the flag indicating whether to resume authentication.
+     */
+    public void setAuthenticationResumed(Boolean authenticationResumed) {
+        this.authenticationResumed = authenticationResumed;
     }
 
     /**

guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java

@@ -328,6 +328,7 @@ private List<DecoratedUserContext> getUserContexts(GuacamoleSession existingSess
                     long expiration = e.getExpires();
                     String queryIdentifier = e.getQueryIdentifier();
                     String providerIdentifier = e.getProviderIdentifier();
+                    credentials.setAuthenticationResumed(true);
 
                     resumableStateMap.put(state, new ResumableAuthenticationState(providerIdentifier, 
                             queryIdentifier, expiration, credentials));