From 282a9111c779ed62ded043cf70cbcecf6f91120f Mon Sep 17 00:00:00 2001 From: Alex Leitner Date: Thu, 11 Apr 2024 00:28:32 +0000 Subject: [PATCH] GUACAMOLE-1289: Resolve bug with relogging in. Remove spring dependency and update dependencies with vulnerabilities. --- .../LICENSE.txt | 0 .../{okhttp-4.9.1 => okhttp-4.12.0}/NOTICE | 2 +- .../{okhttp-4.9.1 => okhttp-4.12.0}/README | 2 +- .../okhttp-4.12.0/dep-coordinates.txt | 2 + doc/licenses/okhttp-4.9.1/dep-coordinates.txt | 1 - doc/licenses/okio-2.8.0/dep-coordinates.txt | 1 - .../{okio-2.8.0 => okio-3.6.0}/LICENSE.txt | 0 .../{okio-2.8.0 => okio-3.6.0}/NOTICE | 2 +- .../{okio-2.8.0 => okio-3.6.0}/README | 2 +- doc/licenses/okio-3.6.0/dep-coordinates.txt | 2 + doc/licenses/spring-web-5.3.25/LICENSE | 202 ------------------ doc/licenses/spring-web-5.3.25/README | 7 - .../spring-web-5.3.25/dep-coordinates.txt | 4 - extensions/guacamole-auth-duo/pom.xml | 32 ++- .../auth/duo/UserVerificationService.java | 22 +- .../guacamole/net/auth/Credentials.java | 45 +++- .../rest/auth/AuthenticationService.java | 1 + 17 files changed, 76 insertions(+), 251 deletions(-) rename doc/licenses/{okhttp-4.9.1 => okhttp-4.12.0}/LICENSE.txt (100%) rename doc/licenses/{okhttp-4.9.1 => okhttp-4.12.0}/NOTICE (94%) rename doc/licenses/{okhttp-4.9.1 => okhttp-4.12.0}/README (88%) create mode 100644 doc/licenses/okhttp-4.12.0/dep-coordinates.txt delete mode 100644 doc/licenses/okhttp-4.9.1/dep-coordinates.txt delete mode 100644 doc/licenses/okio-2.8.0/dep-coordinates.txt rename doc/licenses/{okio-2.8.0 => okio-3.6.0}/LICENSE.txt (100%) rename doc/licenses/{okio-2.8.0 => okio-3.6.0}/NOTICE (94%) rename doc/licenses/{okio-2.8.0 => okio-3.6.0}/README (90%) create mode 100644 doc/licenses/okio-3.6.0/dep-coordinates.txt delete mode 100644 doc/licenses/spring-web-5.3.25/LICENSE delete mode 100644 doc/licenses/spring-web-5.3.25/README delete mode 100644 doc/licenses/spring-web-5.3.25/dep-coordinates.txt diff --git a/doc/licenses/okhttp-4.9.1/LICENSE.txt b/doc/licenses/okhttp-4.12.0/LICENSE.txt similarity index 100% rename from doc/licenses/okhttp-4.9.1/LICENSE.txt rename to doc/licenses/okhttp-4.12.0/LICENSE.txt diff --git a/doc/licenses/okhttp-4.9.1/NOTICE b/doc/licenses/okhttp-4.12.0/NOTICE similarity index 94% rename from doc/licenses/okhttp-4.9.1/NOTICE rename to doc/licenses/okhttp-4.12.0/NOTICE index 7ab6fba62b..b3e81bd2ff 100644 --- a/doc/licenses/okhttp-4.9.1/NOTICE +++ b/doc/licenses/okhttp-4.12.0/NOTICE @@ -1,4 +1,4 @@ -Copyright 2021 Square, Inc. +Copyright 2023 Square, Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/doc/licenses/okhttp-4.9.1/README b/doc/licenses/okhttp-4.12.0/README similarity index 88% rename from doc/licenses/okhttp-4.9.1/README rename to doc/licenses/okhttp-4.12.0/README index 4277242602..c322ec2a66 100644 --- a/doc/licenses/okhttp-4.9.1/README +++ b/doc/licenses/okhttp-4.12.0/README @@ -1,7 +1,7 @@ okhttp (https://square.github.io/okhttp/) --------------------------------------------- - Version: 4.9.1 + Version: 4.12.0 From: 'Square Inc' License(s): Apache 2.0 diff --git a/doc/licenses/okhttp-4.12.0/dep-coordinates.txt b/doc/licenses/okhttp-4.12.0/dep-coordinates.txt new file mode 100644 index 0000000000..8aeb660e82 --- /dev/null +++ b/doc/licenses/okhttp-4.12.0/dep-coordinates.txt @@ -0,0 +1,2 @@ +com.squareup.okhttp3:okhttp:jar:4.12.0 +com.squareup.okhttp3:logging-interceptor:jar:4.12.0 diff --git a/doc/licenses/okhttp-4.9.1/dep-coordinates.txt b/doc/licenses/okhttp-4.9.1/dep-coordinates.txt deleted file mode 100644 index 0215ca270b..0000000000 --- a/doc/licenses/okhttp-4.9.1/dep-coordinates.txt +++ /dev/null @@ -1 +0,0 @@ -com.squareup.okhttp3:okhttp:jar:4.9.1 diff --git a/doc/licenses/okio-2.8.0/dep-coordinates.txt b/doc/licenses/okio-2.8.0/dep-coordinates.txt deleted file mode 100644 index 88c8776ad2..0000000000 --- a/doc/licenses/okio-2.8.0/dep-coordinates.txt +++ /dev/null @@ -1 +0,0 @@ -com.squareup.okio:okio:jar:2.8.0 diff --git a/doc/licenses/okio-2.8.0/LICENSE.txt b/doc/licenses/okio-3.6.0/LICENSE.txt similarity index 100% rename from doc/licenses/okio-2.8.0/LICENSE.txt rename to doc/licenses/okio-3.6.0/LICENSE.txt diff --git a/doc/licenses/okio-2.8.0/NOTICE b/doc/licenses/okio-3.6.0/NOTICE similarity index 94% rename from doc/licenses/okio-2.8.0/NOTICE rename to doc/licenses/okio-3.6.0/NOTICE index 9004e5d831..b3e81bd2ff 100644 --- a/doc/licenses/okio-2.8.0/NOTICE +++ b/doc/licenses/okio-3.6.0/NOTICE @@ -1,4 +1,4 @@ -Copyright 2020 Square, Inc. +Copyright 2023 Square, Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/doc/licenses/okio-2.8.0/README b/doc/licenses/okio-3.6.0/README similarity index 90% rename from doc/licenses/okio-2.8.0/README rename to doc/licenses/okio-3.6.0/README index cf4693dbd7..8dea3d581d 100644 --- a/doc/licenses/okio-2.8.0/README +++ b/doc/licenses/okio-3.6.0/README @@ -1,7 +1,7 @@ okio (https://square.github.io/okio/) --------------------------------------------- - Version: 2.8.0 + Version: 3.6.0 From: 'Square Inc' License(s): Apache 2.0 (bundled/retrofit-2.9.0/LICENSE.txt) diff --git a/doc/licenses/okio-3.6.0/dep-coordinates.txt b/doc/licenses/okio-3.6.0/dep-coordinates.txt new file mode 100644 index 0000000000..b785b2613d --- /dev/null +++ b/doc/licenses/okio-3.6.0/dep-coordinates.txt @@ -0,0 +1,2 @@ +com.squareup.okio:okio:jar:3.6.0 +com.squareup.okio:okio-jvm:jar:3.6.0 diff --git a/doc/licenses/spring-web-5.3.25/LICENSE b/doc/licenses/spring-web-5.3.25/LICENSE deleted file mode 100644 index ff77379631..0000000000 --- a/doc/licenses/spring-web-5.3.25/LICENSE +++ /dev/null @@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - https://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "{}" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright {yyyy} {name of copyright owner} - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - https://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/doc/licenses/spring-web-5.3.25/README b/doc/licenses/spring-web-5.3.25/README deleted file mode 100644 index f719e88ff7..0000000000 --- a/doc/licenses/spring-web-5.3.25/README +++ /dev/null @@ -1,7 +0,0 @@ -Spring Framework (https://spring.io/projects/spring-framework) --------------------------------------------------------------- - - Version: 5.3.25 - From: 'Spring' (https://spring.io/) - License(s): - Apache v2.0 diff --git a/doc/licenses/spring-web-5.3.25/dep-coordinates.txt b/doc/licenses/spring-web-5.3.25/dep-coordinates.txt deleted file mode 100644 index 0670c0fa8d..0000000000 --- a/doc/licenses/spring-web-5.3.25/dep-coordinates.txt +++ /dev/null @@ -1,4 +0,0 @@ -org.springframework:spring-web:jar:5.3.25 -org.springframework:spring-beans:jar:5.3.25 -org.springframework:spring-core:jar:5.3.25 -org.springframework:spring-jcl:jar:5.3.25 diff --git a/extensions/guacamole-auth-duo/pom.xml b/extensions/guacamole-auth-duo/pom.xml index f7f49563c2..31b239e6da 100644 --- a/extensions/guacamole-auth-duo/pom.xml +++ b/extensions/guacamole-auth-duo/pom.xml @@ -47,20 +47,32 @@ com.squareup.okhttp3 okhttp - 4.9.1 + 4.12.0 + + + + com.squareup.okhttp3 + logging-interceptor + 4.12.0 org.jetbrains.kotlin kotlin-stdlib-common - 1.4.10 + 1.9.23 org.jetbrains.kotlin kotlin-stdlib - 1.4.10 + 1.9.23 + + + + org.jetbrains.kotlin + kotlin-stdlib-jdk8 + 1.9.23 @@ -95,6 +107,13 @@ 2.5 provided + + + jakarta.ws.rs + jakarta.ws.rs-api + 2.1.6 + provided + @@ -102,13 +121,6 @@ duo-universal-sdk 1.1.3 - - - - org.springframework - spring-web - 5.3.25 - diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java index 26ab71221e..918b7a28fa 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java @@ -27,6 +27,7 @@ import java.net.URISyntaxException; import java.util.Collections; import javax.servlet.http.HttpServletRequest; +import javax.ws.rs.core.UriBuilder; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.auth.duo.conf.ConfigurationService; @@ -39,7 +40,6 @@ import org.apache.guacamole.net.auth.credentials.CredentialsInfo; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import org.springframework.web.util.UriComponentsBuilder; /** * Service for verifying the identity of a user against Duo. @@ -102,13 +102,9 @@ public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser) try { - String redirectUrl = confService.getRedirectUri().toString(); - - String builtUrl = UriComponentsBuilder - .fromUriString(redirectUrl) + String builtUrl = UriBuilder.fromUri(confService.getRedirectUri().toString()) .queryParam(Credentials.RESUME_QUERY, DuoAuthenticationProvider.PROVIDER_IDENTIFER) - .build() - .toUriString(); + .build().toString(); // Set up the Duo Client Client duoClient = new Client.Builder( @@ -120,15 +116,10 @@ public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser) duoClient.healthCheck(); - // Retrieve signed Duo Code and State from the request - String duoCode = request.getParameter(DUO_CODE_PARAMETER_NAME); - String duoState = request.getParameter(DUO_STATE_PARAMETER_NAME); - - // If no code or state is received, assume Duo MFA redirect has not occured and do it - if (duoCode == null || duoState == null) { + if (!credentials.isAuthenticationResumed()) { // Get a new session state from the Duo client - duoState = duoClient.generateState(); + String duoState = duoClient.generateState(); long expirationTimestamp = System.currentTimeMillis() + (confService.getAuthTimeout() * 1000L); // Request additional credentials @@ -147,6 +138,9 @@ public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser) ); } + + // Retrieve signed Duo Code and State from the request + String duoCode = request.getParameter(DUO_CODE_PARAMETER_NAME); // Get the token from the DuoClient using the code and username, and check status Token token = duoClient.exchangeAuthorizationCodeFor2FAResult(duoCode, username); diff --git a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java index 45eebe80df..b54bd86929 100644 --- a/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java +++ b/guacamole-ext/src/main/java/org/apache/guacamole/net/auth/Credentials.java @@ -48,6 +48,12 @@ public class Credentials implements Serializable { * Unique identifier associated with this specific version of Credentials. */ private static final long serialVersionUID = 1L; + + /** + * Flag indicating whether these credentials are part of an ongoing + * authentication process that is to be resumed. + */ + private Boolean authenticationResumed; /** * An arbitrary username. @@ -84,7 +90,7 @@ public class Credentials implements Serializable { /** * Construct a Credentials object with the given username, password, - * and HTTP request. The information is assigned to the various + * and HTTP request. The information is assigned to the various * storage objects, and the remote hostname and address is parsed out * of the request object. * @@ -98,20 +104,43 @@ public class Credentials implements Serializable { * The HTTP request associated with the authentication * request. */ - public Credentials(String username, String password, HttpServletRequest request) { + public Credentials(String username, String password, + HttpServletRequest request) { this.username = username; this.password = password; this.request = request; + this.authenticationResumed = false; + + if (request != null) { + // Set the remote address + this.remoteAddress = request.getRemoteAddr(); - // Set the remote address - this.remoteAddress = request.getRemoteAddr(); + // Get the remote hostname + this.remoteHostname = request.getRemoteHost(); - // Get the remote hostname - this.remoteHostname = request.getRemoteHost(); + // If session exists get it, but don't create a new one. + this.session = request.getSession(false); + } - // If session exists get it, but don't create a new one. - this.session = request.getSession(false); + } + + /** + * Checks if the current authentication process is a resumed one. + * + * @return True if authentication is resumed, otherwise false. + */ + public Boolean isAuthenticationResumed() { + return authenticationResumed; + } + /** + * Sets the flag indicating whether the authentication process should be + * resumed. + * + * @param authenticationResumed the flag indicating whether to resume authentication. + */ + public void setAuthenticationResumed(Boolean authenticationResumed) { + this.authenticationResumed = authenticationResumed; } /** diff --git a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java index dc8d3bb7da..c13e734436 100644 --- a/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java +++ b/guacamole/src/main/java/org/apache/guacamole/rest/auth/AuthenticationService.java @@ -328,6 +328,7 @@ private List getUserContexts(GuacamoleSession existingSess long expiration = e.getExpires(); String queryIdentifier = e.getQueryIdentifier(); String providerIdentifier = e.getProviderIdentifier(); + credentials.setAuthenticationResumed(true); resumableStateMap.put(state, new ResumableAuthenticationState(providerIdentifier, queryIdentifier, expiration, credentials));