GUACAMOLE-1855: Use common code for checking for IP in list.

Virtually Nick
2023-11-18 19:14:02 -05:00
parent 614cd550bd
commit 2ecad02fe1
2 changed files with 30 additions and 70 deletions


@@ -40,6 +40,7 @@ import org.apache.guacamole.language.TranslatableMessage;
import org.apache.guacamole.net.auth.AuthenticatedUser; import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Credentials; import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo; import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.properties.IPAddressListProperty;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -120,52 +121,30 @@ public class UserVerificationService {
if (username == null || username.equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER)) if (username == null || username.equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER))
return; return;
// We enforce by default // Pull address lists to check from configuration. Note that the enforce
boolean enforceHost = true; // list will override the bypass list, which means that, if the client
// address happens to be in both lists, Duo MFA will be enforced.
// Check for a list of addresses that should be bypassed and iterate
List<IPAddress> bypassAddresses = confService.getBypassHosts(); List<IPAddress> bypassAddresses = confService.getBypassHosts();
for (IPAddress bypassAddr : bypassAddresses) {
// If the address contains current client address, flip enforce flag
// and break out
if (clientAddr != null && clientAddr.isIPAddress()
&& bypassAddr.getIPVersion().equals(clientAddr.getIPVersion())
&& bypassAddr.contains(clientAddr)) {
enforceHost = false;
break;
}
}
// Check for a list of addresses that should be enforced and iterate
List<IPAddress> enforceAddresses = confService.getEnforceHosts(); List<IPAddress> enforceAddresses = confService.getEnforceHosts();
// Check if the bypass list contains the client address, and set the
// enforce flag to the opposite.
boolean enforceHost = !(IPAddressListProperty.addressListContains(bypassAddresses, clientAddr));
// Only continue processing if the list is not empty // Only continue processing if the list is not empty
if (!enforceAddresses.isEmpty()) { if (!enforceAddresses.isEmpty()) {
// If client address is not available or invalid, MFA will // If client address is not available or invalid, MFA will
// be enforced. // be enforced.
if (clientAddr == null || !clientAddr.isIPAddress()) { if (clientAddr == null || !clientAddr.isIPAddress())
enforceHost = true; enforceHost = true;
}
else { // Check the enforce list for the client address and set enforcement flag.
// With addresses set, this default changes to false. else
enforceHost = false; enforceHost = IPAddressListProperty.addressListContains(enforceAddresses, clientAddr);
for (IPAddress enforceAddr : enforceAddresses) {
// If there's a match, flip the enforce flag and break out of the loop
if (enforceAddr.getIPVersion().equals(clientAddr.getIPVersion())
&& enforceAddr.contains(clientAddr)) {
enforceHost = true;
break;
}
}
}
} }
// If the enforce flag has been changed, exit, bypassing Duo MFA. // If the enforce flag is not true, bypass Duo MFA.
if (!enforceHost) if (!enforceHost)
return; return;
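Review bot: The fail-closed behaviour for a missing or invalid client address now depends on what `IPAddressListProperty.addressListContains(bypassAddresses, clientAddr)` returns for a null `clientAddr`, which is not visible in this hunk; the old loop guarded with `clientAddr != null && clientAddr.isIPAddress()` before touching the bypass list, and the new null/invalid check only runs when the enforce list is non-empty, so with an empty enforce list the bypass result alone decides whether Duo is skipped. Unless the helper is documented to return false for null, hoist the guard into the initial assignment: `boolean enforceHost = clientAddr == null || !clientAddr.isIPAddress()` followed by `        || !IPAddressListProperty.addressListContains(bypassAddresses, clientAddr);` so the address must be valid before any bypass is possible. The same pattern appears in the TOTP file at the `enforceHost` assignment in its second hunk. The enclosing method begins before this hunk and continues past its end.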


@@ -47,6 +47,7 @@ import org.apache.guacamole.net.auth.User;
import org.apache.guacamole.net.auth.UserContext; import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.UserGroup; import org.apache.guacamole.net.auth.UserGroup;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo; import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.properties.IPAddressListProperty;
import org.apache.guacamole.totp.TOTPGenerator; import org.apache.guacamole.totp.TOTPGenerator;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -319,57 +320,37 @@ public class UserVerificationService {
HttpServletRequest request = credentials.getRequest(); HttpServletRequest request = credentials.getRequest();
// Get the current client address // Get the current client address
IPAddressString clientAddr = new IPAddressString(request.getRemoteAddr()); IPAddress clientAddr = new IPAddressString(request.getRemoteAddr()).getAddress();
// Ignore anonymous users // Ignore anonymous users
if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER)) if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER))
return; return;
// We enforce by default // Pull address lists to check from configuration. Note that the enforce
boolean enforceHost = true; // list will override the bypass list, which means that, if the client
// address happens to be in both lists, Duo MFA will be enforced.
// Check for a list of addresses that should be bypassed and iterate
List<IPAddress> bypassAddresses = confService.getBypassHosts(); List<IPAddress> bypassAddresses = confService.getBypassHosts();
for (IPAddress bypassAddr : bypassAddresses) {
// If the address contains current client address, flip enforce flag
// and break out
if (clientAddr != null && clientAddr.isIPAddress()
&& bypassAddr.getIPVersion().equals(clientAddr.getIPVersion())
&& bypassAddr.contains(clientAddr.getAddress())) {
enforceHost = false;
break;
}
}
// Check for a list of addresses that should be enforced and iterate
List<IPAddress> enforceAddresses = confService.getEnforceHosts(); List<IPAddress> enforceAddresses = confService.getEnforceHosts();
// Check the bypass list for the client address, and set the enforce
// flag to the opposite.
boolean enforceHost = !(IPAddressListProperty.addressListContains(bypassAddresses, clientAddr));
// Only continue processing if the list is not empty // Only continue processing if the list is not empty
if (!enforceAddresses.isEmpty()) { if (!enforceAddresses.isEmpty()) {
if (clientAddr == null || !clientAddr.isIPAddress()) { // If client address is not available or invalid, MFA will
logger.warn("Client address is not valid, " // be enforced.
+ "MFA will be enforced."); if (clientAddr == null || !clientAddr.isIPAddress())
enforceHost = true; enforceHost = true;
}
else { // Check the enforce list and set the flag if the client address
// With addresses set, this default changes to false. // is found in the list.
enforceHost = false; else
enforceHost = IPAddressListProperty.addressListContains(enforceAddresses, clientAddr);
for (IPAddress enforceAddr : enforceAddresses) {
// If there's a match, flip the enforce flag and break out of the loop
if (enforceAddr.getIPVersion().equals(clientAddr.getIPVersion())
&& enforceAddr.contains(clientAddr.getAddress())) {
enforceHost = true;
break;
}
}
}
} }
// If the enforce flag has been changed, exit, bypassing TOTP MFA. // If the enforce flag is not true, bypass TOTP MFA.
if (!enforceHost) if (!enforceHost)
return; return;
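Review bot: The rewrite of the invalid-address branch drops the `logger.warn("Client address is not valid, " + "MFA will be enforced.")` call that the old code emitted there, so an unparseable remote address (which is what the new `new IPAddressString(...).getAddress()` on the clientAddr line turns into a null `clientAddr`) no longer leaves any trace in the log even though it changes the MFA decision. Keep the warning alongside the assignment, e.g. replace the bare `enforceHost = true;` with `{ logger.warn("Client address is not valid, " + "MFA will be enforced."); enforceHost = true; }` in the braced form the old code used. With `clientAddr` now an `IPAddress` obtained via `getAddress()`, the `!clientAddr.isIPAddress()` half of that condition is presumably always false for a non-null value and could be documented as such, but that is worth confirming against the library. The enclosing method starts before this hunk and continues beyond it.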