GUACAMOLE-197: Collapse authenticate methods together into single method, add minimal method for challenge/response.
Project: http://git-wip-us.apache.org/repos/asf/guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/guacamole-client/commit/fa820cb4
Tree: http://git-wip-us.apache.org/repos/asf/guacamole-client/tree/fa820cb4
Diff: http://git-wip-us.apache.org/repos/asf/guacamole-client/diff/fa820cb4
Branch: refs/heads/master
Commit: fa820cb46f5abffd57b73a558db4cbedd7e6b065
Parents: 84276af
Author: Nick Couchman <vn...@apache.org>
Authored: Sun Jul 16 14:25:55 2017 -0400
Committer: Nick Couchman <vn...@apache.org>
Committed: Mon Jan 29 17:08:11 2018 -0500
----------------------------------------------------------------------
 .../radius/AuthenticationProviderService.java | 8 +-
 .../auth/radius/RadiusConnectionService.java | 120 ++++---------------
 2 files changed, 30 insertions(+), 98 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/fa820cb4/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/AuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/AuthenticationProviderService.java b/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/AuthenticationProviderService.java
index fdb7737..530de15 100644
--- a/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/AuthenticationProviderService.java
@@ -153,7 +153,7 @@ public class AuthenticationProviderService {
             try {
                 radPack = radiusService.authenticate(credentials.getUsername(),
-                        credentials.getPassword());
+                        credentials.getPassword(), null);
             }
             catch (GuacamoleException e) {
                 logger.error("Cannot configure RADIUS server: {}", e.getMessage());
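Review bot: The bare `null` passed as the new third argument on the added line leaves the call site opaque; a reader has to open RadiusConnectionService to learn that it stands for the absent RADIUS State of an initial request (the State attribute is only added there when the value is non-null and non-empty). Stating the intent inline, `credentials.getPassword(), null /* no prior State: initial Access-Request */);`, or keeping a two-argument overload in RadiusConnectionService that delegates with null, would make this self-explanatory. The enclosing method starts and ends outside the hunk.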
@@ -168,9 +168,9 @@ public class AuthenticationProviderService {
             // This is a response to a previous challenge, authenticate with that.
             else {
                 try {
-                    radPack = radiusService.authenticate(credentials.getUsername(),
-                            request.getParameter(RadiusStateField.PARAMETER_NAME),
-                            challengeResponse);
+                    radPack = radiusService.sendChallengeResponse(credentials.getUsername(),
+                            challengeResponse,
+                            request.getParameter(RadiusStateField.PARAMETER_NAME));
                 }
                 catch (GuacamoleException e) {
                     logger.error("Cannot configure RADIUS server: {}", e.getMessage());
http://git-wip-us.apache.org/repos/asf/guacamole-client/blob/fa820cb4/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java b/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java
index c3524cd..22c8d82 100644
--- a/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java
+++ b/extensions/guacamole-auth-radius/src/main/java/org/apache/guacamole/auth/radius/RadiusConnectionService.java
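Review bot: The two trailing arguments of the new `sendChallengeResponse` call are both `String`s and their order is the reverse of the `authenticate` call it replaces, so a transposition compiles silently and, since RadiusConnectionService places the second argument in the User-Password attribute and the third in State, would send the state value as the password. Binding the request parameter to a named local first makes the order checkable at a glance: `String radiusState = request.getParameter(RadiusStateField.PARAMETER_NAME);` followed by `radPack = radiusService.sendChallengeResponse(credentials.getUsername(), challengeResponse, radiusState);`. The enclosing method starts and ends outside the hunk.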
@@ -165,54 +165,57 @@ public class RadiusConnectionService {
     }
     /**
-     * Authenticate to the RADIUS server and return the response from the
-     * server.
+     * Authenticate to the RADIUS server using existing state and a response
      *
      * @param username
-     *     The username for authentication.
-     * @param password
-     *     The password for authentication.
+     *     The username for the authentication
+     * @param state
+     *     The previous state of the RADIUS connection
+     * @param response
+     *     The response to the RADIUS challenge
      *
      * @return
      *     A RadiusPacket with the response of the server.
      *
      * @throws GuacamoleException
-     *     If an error occurs while talking to the server.
+     *     If an error occurs while talking to the server.
      */
-    public RadiusPacket authenticate(String username, String password)
+    public RadiusPacket authenticate(String username, String secret, String state)
             throws GuacamoleException {
-        // If a username hasn't been provided, stop
+        // If a username wasn't passed, we quit
         if (username == null || username.isEmpty()) {
             logger.warn("Anonymous access not allowed with RADIUS client.");
             return null;
         }
-        // If a password hasn't been provided, stop
-        if (password == null || password.isEmpty()) {
-            logger.warn("Password required for RADIUS authentication.");
+        // If secret wasn't passed, we quit
+        if (secret == null || secret.isEmpty()) {
+            logger.warn("Password/secret required for RADIUS authentication.");
             return null;
         }
-        // Create the connection and load the attribute dictionary
+        // Create the RADIUS connection and set up the dictionary
         createRadiusConnection();
         AttributeFactory.loadAttributeDictionary("net.jradius.dictionary.AttributeDictionaryImpl");
-        // If the client is null, we return null - something has gone wrong
+        // Client failed to set up, so we return null
         if (radiusClient == null)
             return null;
+        // Set up the RadiusAuthenticator
         RadiusAuthenticator radAuth = setupRadiusAuthenticator();
-
         if (radAuth == null)
             throw new GuacamoleException("Unknown RADIUS authentication protocol.");
-        // Set up attributes, create the access request, and send the packet
-        try {
+        // Add attributes to the connection and send the packet
+        try {
             AttributeList radAttrs = new AttributeList();
             radAttrs.add(new Attr_UserName(username));
-            radAttrs.add(new Attr_UserPassword(password));
-            radAttrs.add(new Attr_CleartextPassword(password));
+            if (state != null && !state.isEmpty())
+                radAttrs.add(new Attr_State(state));
+            radAttrs.add(new Attr_UserPassword(secret));
+            radAttrs.add(new Attr_CleartextPassword(secret));
             AccessRequest radAcc = new AccessRequest(radiusClient);
@@ -235,13 +238,11 @@ public class RadiusConnectionService {
             }
             return reply;
         }
-
         catch (RadiusException e) {
             logger.error("Unable to complete authentication.", e.getMessage());
             logger.debug("Authentication with RADIUS failed.", e);
             return null;
         }
-
         catch (NoSuchAlgorithmException e) {
             logger.error("No such RADIUS algorithm: {}", e.getMessage());
             logger.debug("Unknown RADIUS algorithm.", e);
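Review bot: The rewritten Javadoc no longer matches the new signature: it documents `@param response`, which does not exist, leaves the new `secret` parameter undocumented, and its summary line describes only the challenge/response case although the null-state path is now the initial Access-Request as well (the State attribute is only added when state is non-null and non-empty). Suggest replacing the summary with "Authenticate to the RADIUS server, sending the given secret as the User-Password and, when a prior state is supplied, echoing it in the State attribute", a `@param secret` entry reading "The password, or the response to a previous challenge, sent as the User-Password attribute", and a `@param state` entry reading "The State attribute received with a prior Access-Challenge, or null for an initial request", listed in parameter order. The method body continues past the end of this hunk.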
@@ -249,95 +250,26 @@ public class RadiusConnectionService {
         }
     }
-    /**
-     * Authenticate to the RADIUS server using existing state and a response
-     *
-     * @param username
-     *     The username for the authentication
-     * @param state
-     *     The previous state of the RADIUS connection
-     * @param response
-     *     The response to the RADIUS challenge
-     *
-     * @return
-     *     A RadiusPacket with the response of the server.
-     *
-     * @throws GuacamoleException
-     *     If an error occurs while talking to the server.
-     */
-    public RadiusPacket authenticate(String username, String state, String response)
+    public RadiusPacket sendChallengeResponse(String username, String response, String state)
             throws GuacamoleException {
-        // If a username wasn't passed, we quit
         if (username == null || username.isEmpty()) {
-            logger.warn("Anonymous access not allowed with RADIUS client.");
+            logger.error("Challenge/response to RADIUS requires a username.");
             return null;
         }
-        // If the state wasn't passed, we quit
         if (state == null || state.isEmpty()) {
-            logger.warn("This method needs a previous RADIUS state to respond to.");
+            logger.error("Challenge/response to RADIUS requires a prior state.");
             return null;
         }
-        // If the response wasn't passed, we quit
         if (response == null || response.isEmpty()) {
-            logger.warn("Response required for RADIUS authentication.");
+            logger.error("Challenge/response to RADIUS requires a response.");
             return null;
         }
-        // Create the RADIUS connection and set up the dictionary
-        createRadiusConnection();
-        AttributeFactory.loadAttributeDictionary("net.jradius.dictionary.AttributeDictionaryImpl");
-
-        // Client failed to set up, so we return null
-        if (radiusClient == null)
-            return null;
-
-        // Set up the RadiusAuthenticator
-        RadiusAuthenticator radAuth = setupRadiusAuthenticator();
-        if (radAuth == null)
-            throw new GuacamoleException("Unknown RADIUS authentication protocol.");
+        return authenticate(username,response,state);
-        // Add attributes to the connection and send the packet
-        try {
-            AttributeList radAttrs = new AttributeList();
-            radAttrs.add(new Attr_UserName(username));
-            radAttrs.add(new Attr_State(state));
-            radAttrs.add(new Attr_UserPassword(response));
-            radAttrs.add(new Attr_CleartextPassword(response));
-
-            AccessRequest radAcc = new AccessRequest(radiusClient);
-
-            // EAP-TTLS tunnels protected attributes inside the TLS layer
-            if (radAuth instanceof EAPTTLSAuthenticator) {
-                radAuth.setUsername(new Attr_UserName(username));
-                ((EAPTTLSAuthenticator)radAuth).setTunneledAttributes(radAttrs);
-            }
-            else
-                radAcc.addAttributes(radAttrs);
-
-            radAuth.setupRequest(radiusClient, radAcc);
-            radAuth.processRequest(radAcc);
-            RadiusResponse reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
-
-            // We receive a Challenge not asking for user input, so silently process the challenge
-            while((reply instanceof AccessChallenge) && (reply.findAttribute(Attr_ReplyMessage.TYPE) == null)) {
-                radAuth.processChallenge(radAcc, reply);
-                reply = radiusClient.sendReceive(radAcc, confService.getRadiusRetries());
-            }
-            return reply;
-        }
-        catch (RadiusException e) {
-            logger.error("Unable to complete authentication.", e.getMessage());
-            logger.debug("Authentication with RADIUS failed.", e);
-            return null;
-        }
-        catch (NoSuchAlgorithmException e) {
-            logger.error("No such RADIUS algorithm: {}", e.getMessage());
-            logger.debug("Unknown RADIUS algorithm.", e);
-            return null;
-        }
     }
     /**
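Review bot: `sendChallengeResponse` is a new public method with no Javadoc, although the class documents its other public methods (the block removed just above shows the style) and this is now the only public entry point for the challenge/response step; suggest a Javadoc whose summary states that it continues a pending RADIUS exchange by echoing the server's State attribute together with the user's response, with `@param` entries for username, response (sent as the User-Password attribute) and state (the State attribute from the prior Access-Challenge), a `@return` noting that null is returned when any argument is missing or the exchange fails, and `@throws GuacamoleException` as on `authenticate`. As a point of style, the delegating line should read `return authenticate(username, response, state);` with the spaces after commas the rest of the file uses. The three argument checks log at error level while `authenticate` logs the same username and secret conditions at warn level, so an identical failure is recorded at two different levels depending on the entry point; aligning the levels would make log-based monitoring consistent.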