[CognitoUserPools] Add support for password verifier challenge in arbitrary flow

minbi · minbi · commit 2098c3c11fa2 · 2019-02-07T11:17:10.000-08:00
The password verifier challenge was previously thought to only occur in a certain flow, this changes that limitation
diff --git a/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java b/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java
@@ -2271,7 +2271,7 @@ public Runnable respondToChallenge(final RespondToAuthChallengeRequest challenge
             }
             final RespondToAuthChallengeResult challenge = cognitoIdentityProviderClient
                     .respondToAuthChallenge(challengeResponse);
-            return handleChallenge(challenge, callback, runInBackground);
+            return handleChallenge(challenge, null, callback, runInBackground);
         } catch (final ResourceNotFoundException rna) {
             final CognitoUser cognitoUser = this;
             if (rna.getMessage().contains("Device")) {
@@ -2334,7 +2334,7 @@ private Runnable startWithUserSrpAuth(final AuthenticationDetails authentication
                     return respondToChallenge(challengeRequest, callback, runInBackground);
                 }
             }
-            return handleChallenge(initiateAuthResult, callback, runInBackground);
+            return handleChallenge(initiateAuthResult, authenticationDetails, callback, runInBackground);
         } catch (final ResourceNotFoundException rna) {
             final CognitoUser cognitoUser = this;
             if (rna.getMessage().contains("Device")) {
@@ -2385,7 +2385,7 @@ private Runnable startWithCustomAuth(final AuthenticationDetails authenticationD
         try {
             final InitiateAuthResult initiateAuthResult = cognitoIdentityProviderClient
                     .initiateAuth(initiateAuthRequest);
-            return handleChallenge(initiateAuthResult, callback, runInBackground);
+            return handleChallenge(initiateAuthResult, authenticationDetails, callback, runInBackground);
         } catch (final Exception e) {
             return new Runnable() {
                 @Override
@@ -2412,13 +2412,16 @@ public void run() {
      *
      * @param challenge REQUIRED: Current challenge details,
      *            {@link RespondToAuthChallengeResult}.
+     * @param authenticationDetails OPTIONAL: This is used in the PASSWORD_VERIFIER challenge
      * @param callback REQUIRED: {@link AuthenticationDetails} callback.
      * @param runInBackground REQUIRED: Boolean to indicate the current
      *            threading.
      * @return {@link Runnable} for the next step in user authentication.
      */
     private Runnable handleChallenge(final RespondToAuthChallengeResult challenge,
-            final AuthenticationHandler callback, final boolean runInBackground) {
+                                     final AuthenticationDetails authenticationDetails,
+                                     final AuthenticationHandler callback,
+                                     final boolean runInBackground) {
         Runnable nextTask;
         final CognitoUser cognitoUser = this;
         nextTask = new Runnable() {
@@ -2471,7 +2474,25 @@ public void run() {
                 }
             }
         } else if (CognitoServiceConstants.CHLG_TYPE_USER_PASSWORD_VERIFIER.equals(challengeName)) {
-            return nextTask;
+            return new Runnable() {
+                @Override
+                public void run() {
+                    final AuthenticationHelper authenticationHelper = new AuthenticationHelper(
+                            pool.getUserPoolId());
+                    final Map<String, String> challengeParameters = challenge.getChallengeParameters();
+                    cognitoIdentityProviderClient.respondToAuthChallenge(userSrpAuthRequest(
+                            challengeParameters.get(CognitoServiceConstants.CHLG_PARAM_USERNAME),
+                            challengeParameters.get(CognitoServiceConstants.CHLG_PARAM_USER_ID_FOR_SRP),
+                            authenticationDetails.getPassword(),
+                            challengeParameters.get(CognitoServiceConstants.CHLG_PARAM_SRP_B),
+                            challengeParameters.get(CognitoServiceConstants.CHLG_PARAM_SALT),
+                            challengeParameters.get(CognitoServiceConstants.CHLG_PARAM_SECRET_BLOCK),
+                            challenge.getChallengeName(),
+                            challenge.getSession(),
+                            authenticationHelper
+                    ));
+                }
+            };
         } else if (CognitoServiceConstants.CHLG_TYPE_SMS_MFA.equals(challengeName)
                 || CognitoServiceConstants.CHLG_TYPE_SOFTWARE_TOKEN_MFA.equals(challengeName)) {
             final MultiFactorAuthenticationContinuation multiFactorAuthenticationContinuation = new MultiFactorAuthenticationContinuation(
@@ -2541,14 +2562,16 @@ public void run() {
      * @return {@link Runnable} for the next step in user authentication.
      */
     private Runnable handleChallenge(final InitiateAuthResult authResult,
-            final AuthenticationHandler callback, final boolean runInBackground) {
+                                     final AuthenticationDetails authenticationDetails,
+                                     final AuthenticationHandler callback,
+                                     final boolean runInBackground) {
         try {
             final RespondToAuthChallengeResult challenge = new RespondToAuthChallengeResult();
             challenge.setChallengeName(authResult.getChallengeName());
             challenge.setSession(authResult.getSession());
             challenge.setAuthenticationResult(authResult.getAuthenticationResult());
             challenge.setChallengeParameters(authResult.getChallengeParameters());
-            return handleChallenge(challenge, callback, runInBackground);
+            return handleChallenge(challenge, authenticationDetails, callback, runInBackground);
         } catch (final Exception e) {
             return new Runnable() {
                 @Override
@@ -2578,7 +2601,7 @@ private Runnable startWithUserPasswordAuth(final AuthenticationDetails authentic
                     .initiateAuth(initiateAuthRequest);
             this.usernameInternal = initiateAuthResult.getChallengeParameters()
                     .get(CognitoServiceConstants.CHLG_PARAM_USER_ID_FOR_SRP);
-            return handleChallenge(initiateAuthResult, callback, runInBackground);
+            return handleChallenge(initiateAuthResult, authenticationDetails, callback, runInBackground);
         } catch (final Exception e) {
             return new Runnable() {
                 @Override
@@ -2658,9 +2681,9 @@ private Runnable deviceSrpAuthentication(final RespondToAuthChallengeResult chal
                         authenticationHelper);
                 final RespondToAuthChallengeResult deviceSRPAuthResult = cognitoIdentityProviderClient
                         .respondToAuthChallenge(challengeResponse);
-                return handleChallenge(deviceSRPAuthResult, callback, runInBackground);
+                return handleChallenge(deviceSRPAuthResult, null, callback, runInBackground);
             } else {
-                return handleChallenge(initiateDeviceAuthResult, callback, runInBackground);
+                return handleChallenge(initiateDeviceAuthResult, null, callback, runInBackground);
             }
         } catch (final NotAuthorizedException na) {
             final CognitoUser cognitoUser = this;
@@ -2852,22 +2875,55 @@ private InitiateAuthRequest initiateRefreshTokenAuthRequest(CognitoUserSession c
     private RespondToAuthChallengeRequest userSrpAuthRequest(InitiateAuthResult challenge,
             AuthenticationDetails authenticationDetails,
             AuthenticationHelper authenticationHelper) {
-        final String userIdForSRP = challenge.getChallengeParameters()
-                .get(CognitoServiceConstants.CHLG_PARAM_USER_ID_FOR_SRP);
-        this.usernameInternal = challenge.getChallengeParameters()
-                .get(CognitoServiceConstants.CHLG_PARAM_USERNAME);
+        final Map<String, String> challengeParameters = challenge.getChallengeParameters();
+        return userSrpAuthRequest(
+                challengeParameters.get(CognitoServiceConstants.CHLG_PARAM_USERNAME),
+                challengeParameters.get(CognitoServiceConstants.CHLG_PARAM_USER_ID_FOR_SRP),
+                authenticationDetails.getPassword(),
+                challengeParameters.get(CognitoServiceConstants.CHLG_PARAM_SRP_B),
+                challengeParameters.get(CognitoServiceConstants.CHLG_PARAM_SALT),
+                challengeParameters.get(CognitoServiceConstants.CHLG_PARAM_SECRET_BLOCK),
+                challenge.getChallengeName(),
+                challenge.getSession(),
+                authenticationHelper
+                );
+    }
+
+    /**
+     * Creates response for the second step of the SRP authentication.
+     *
+     * @param userId returned by service
+     * @param userIdForSRP returned by service
+     * @param password maintained locally
+     * @param srpBString returned by service
+     * @param saltString returned by service
+     * @param secretBlockString returned by service
+     * @param challengeName returned by service
+     * @param session returned by service
+     * @return {@link RespondToAuthChallengeRequest}.
+     */
+    private RespondToAuthChallengeRequest userSrpAuthRequest(final String userId,
+                                                             final String userIdForSRP,
+                                                             final String password,
+                                                             final String srpBString,
+                                                             final String saltString,
+                                                             final String secretBlockString,
+                                                             final String challengeName,
+                                                             final String session,
+                                                             final AuthenticationHelper authenticationHelper) {
+        this.usernameInternal = userId;
         this.deviceKey = CognitoDeviceHelper.getDeviceKey(usernameInternal, pool.getUserPoolId(),
                 context);
         secretHash = CognitoSecretHash.getSecretHash(usernameInternal, clientId, clientSecret);
 
-        final BigInteger srpB = new BigInteger(challenge.getChallengeParameters().get("SRP_B"), 16);
+        final BigInteger srpB = new BigInteger(srpBString, 16);
         if (srpB.mod(AuthenticationHelper.N).equals(BigInteger.ZERO)) {
             throw new CognitoInternalErrorException("SRP error, B cannot be zero");
         }
 
-        final BigInteger salt = new BigInteger(challenge.getChallengeParameters().get("SALT"), 16);
+        final BigInteger salt = new BigInteger(saltString, 16);
         final byte[] key = authenticationHelper.getPasswordAuthenticationKey(userIdForSRP,
-                authenticationDetails.getPassword(), srpB, salt);
+                password, srpB, salt);
 
         final Date timestamp = new Date();
         byte[] hmac;
@@ -2879,7 +2935,7 @@ private RespondToAuthChallengeRequest userSrpAuthRequest(InitiateAuthResult chal
             mac.update(pool.getUserPoolId().split("_", 2)[1].getBytes(StringUtils.UTF8));
             mac.update(userIdForSRP.getBytes(StringUtils.UTF8));
             final byte[] secretBlock = Base64
-                    .decode(challenge.getChallengeParameters().get("SECRET_BLOCK"));
+                    .decode(secretBlockString);
             mac.update(secretBlock);
 
             final SimpleDateFormat simpleDateFormat = new SimpleDateFormat(
@@ -2895,8 +2951,7 @@ private RespondToAuthChallengeRequest userSrpAuthRequest(InitiateAuthResult chal
 
         final Map<String, String> srpAuthResponses = new HashMap<String, String>();
         srpAuthResponses.put(CognitoServiceConstants.CHLG_RESP_PASSWORD_CLAIM_SECRET_BLOCK,
-                challenge.getChallengeParameters()
-                        .get(CognitoServiceConstants.CHLG_PARAM_SECRET_BLOCK));
+                secretBlockString);
         srpAuthResponses.put(CognitoServiceConstants.CHLG_RESP_PASSWORD_CLAIM_SIGNATURE,
                 new String(Base64.encode(hmac), StringUtils.UTF8));
         srpAuthResponses.put(CognitoServiceConstants.CHLG_RESP_TIMESTAMP, dateString);
@@ -2905,9 +2960,9 @@ private RespondToAuthChallengeRequest userSrpAuthRequest(InitiateAuthResult chal
         srpAuthResponses.put(CognitoServiceConstants.CHLG_RESP_SECRET_HASH, secretHash);
 
         final RespondToAuthChallengeRequest authChallengeRequest = new RespondToAuthChallengeRequest();
-        authChallengeRequest.setChallengeName(challenge.getChallengeName());
+        authChallengeRequest.setChallengeName(challengeName);
         authChallengeRequest.setClientId(clientId);
-        authChallengeRequest.setSession(challenge.getSession());
+        authChallengeRequest.setSession(session);
         authChallengeRequest.setChallengeResponses(srpAuthResponses);
         final String pinpointEndpointId = pool.getPinpointEndpointId();
         if (pinpointEndpointId != null) {
