static akey

Author: Chris Byron

pom.xml

@@ -6,29 +6,33 @@
 
     <groupId>com.mulesoft</groupId>
     <artifactId>keycloak-duo-spi</artifactId>
-    <version>1.0</version>
+    <version>1.1</version>
 
     <name>Duo Mfa Keycloak</name>
     <description/>
     <packaging>jar</packaging>
 
+    <properties>
+        <keycloak.version>3.4.3.Final</keycloak.version>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-server-spi</artifactId>
-            <version>3.3.0.CR2</version>
+            <version>${keycloak.version}</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-server-spi-private</artifactId>
-            <version>3.3.0.CR2</version>
+            <version>${keycloak.version}</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-core</artifactId>
-            <version>3.3.0.CR2</version>
+            <version>${keycloak.version}</version>
             <scope>provided</scope>
         </dependency>
         <dependency>

src/main/java/com/mulesoft/keycloak/auth/spi/duo/DuoMfaAuthenticator.java

@@ -41,20 +41,7 @@
 
 public class DuoMfaAuthenticator implements Authenticator{
 
-    private String akey;
-
-    public DuoMfaAuthenticator() {
-        try {
-            // yay java `hashlib.sha256(os.urandom(32))`
-            int r = new Random().nextInt();
-            byte[] b = ByteBuffer.allocate(4).putInt(r).array();
-            byte[] d = MessageDigest.getInstance("SHA-256").digest(b);
-            byte[] e = Base64.getEncoder().encode(d);
-            akey = new String(e);
-        } catch (NoSuchAlgorithmException ex) {
-            throw new AuthenticationFlowException("Error initializing sha256: " + ex.getMessage(), AuthenticationFlowError.INTERNAL_ERROR);
-        }
-    }
+    public DuoMfaAuthenticator() {}
 
     @Override
     public boolean requiresUser() {
@@ -74,7 +61,7 @@ public void setRequiredActions(KeycloakSession session, RealmModel realm, UserMo
     }
 
     private Response createDuoForm(AuthenticationFlowContext context, String error) {
-        String sig_request = DuoWeb.signRequest(duoIkey(context), duoSkey(context), akey, context.getUser().getUsername());
+        String sig_request = DuoWeb.signRequest(duoIkey(context), duoSkey(context), duoAkey(context), context.getUser().getUsername());
         LoginFormsProvider form = context.form()
                 .setAttribute("sig_request", sig_request)
                 .setAttribute("apihost", duoApihost(context));
@@ -106,7 +93,7 @@ public void action(AuthenticationFlowContext context) {
         String sig_response = formData.getFirst("sig_response");
         String authenticated_username = null;
         try {
-            authenticated_username = DuoWeb.verifyResponse(duoIkey(context), duoSkey(context), akey, sig_response);
+            authenticated_username = DuoWeb.verifyResponse(duoIkey(context), duoSkey(context), duoAkey(context), sig_response);
         } catch (Exception ex) {
             context.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, createDuoForm(context, ex.getMessage()));
             return;
@@ -132,6 +119,11 @@ private String duoSkey(AuthenticationFlowContext context) {
         if (config == null) return "";
         return String.valueOf(config.getConfig().get(PROP_SKEY));
     }
+    private String duoAkey(AuthenticationFlowContext context) {
+        AuthenticatorConfigModel config = context.getAuthenticatorConfig();
+        if (config == null) return "";
+        return String.valueOf(config.getConfig().get(PROP_AKEY));
+    }
     private String duoApihost(AuthenticationFlowContext context) {
         AuthenticatorConfigModel config = context.getAuthenticatorConfig();
         if (config == null) return "";

src/main/java/com/mulesoft/keycloak/auth/spi/duo/DuoMfaAuthenticatorFactory.java

@@ -32,6 +32,7 @@ public class DuoMfaAuthenticatorFactory implements AuthenticatorFactory{
     private static final DuoMfaAuthenticator SINGLETON = new DuoMfaAuthenticator();
     public static final String PROP_IKEY = "duomfa.ikey";
     public static final String PROP_SKEY = "duomfa.skey";
+    public static final String PROP_AKEY = "duomfa.akey";
     public static final String PROP_APIHOST = "duomfa.apihost";
 
     @Override
@@ -80,6 +81,13 @@ public boolean isConfigurable() {
         skey.setHelpText("Secret key from Duo admin portal");
         configProperties.add(skey);
 
+        ProviderConfigProperty akey = new ProviderConfigProperty();
+        akey.setName(PROP_AKEY);
+        akey.setLabel("Challenge nonce");
+        akey.setType(ProviderConfigProperty.STRING_TYPE);
+        akey.setHelpText("Any random alpha-numeric string, 40 characters or more. You can generate this yourself");
+        configProperties.add(akey);
+
         ProviderConfigProperty api_host = new ProviderConfigProperty();
         api_host.setName(PROP_APIHOST);
         api_host.setLabel("Duo WebSDK API host");

src/test/java/com/mulesoft/keycloak/auth/spi/duo/DuoMfaAuthenticatorTest.java

@@ -30,6 +30,7 @@ public void testAuthenticate() {
         Map<String, String> m = new HashMap<>(3);
         m.put(PROP_IKEY, "XXXXXXXXXXXXXXXXXXXX");
         m.put(PROP_SKEY, "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
+        m.put(PROP_AKEY, "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy");
         m.put(PROP_APIHOST, "api-99999999.duosecurity.com");
 
         AuthenticatorConfigModel t = mock(AuthenticatorConfigModel.class);
@@ -80,4 +81,4 @@ public void testAction() {
         verify(lfp, never()).setError(anyString());
     }
     */
-}
+}