safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-1855: Implement bypass and enforcement options in the Duo 2FA module.

Browse Source
This commit is contained in:
Virtually Nick
2023-09-26 17:16:02 -04:00
parent 8d1a9fdf42
commit 9139bdef02
3 changed files with 143 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
View File

@@ -23,10 +23,13 @@ import com.duosecurity.Client;
import com.duosecurity.exception.DuoException;
import com.duosecurity.model.Token;
import com.google.inject.Inject;
import inet.ipaddr.IPAddress;
import inet.ipaddr.IPAddressString;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
@@ -107,9 +110,63 @@ public class UserVerificationService {
public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser)
throws GuacamoleException {
// Ignore anonymous users (unverifiable)
// Pull the original HTTP request used to authenticate
Credentials credentials = authenticatedUser.getCredentials();
HttpServletRequest request = credentials.getRequest();
IPAddress clientAddr = new IPAddressString(request.getRemoteAddr()).getAddress();
// Ignore anonymous users
String username = authenticatedUser.getIdentifier();
if (username.equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER))
if (username == null || username.equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER))
return;
// We enforce by default
boolean enforceHost = true;
// Check for a list of addresses that should be bypassed and iterate
List<IPAddress> bypassAddresses = confService.getBypassHosts();
for (IPAddress bypassAddr : bypassAddresses) {
// If the address contains current client address, flip enforce flag
// and break out
if (clientAddr != null && clientAddr.isIPAddress()
&& bypassAddr.getIPVersion().equals(clientAddr.getIPVersion())
&& bypassAddr.contains(clientAddr)) {
enforceHost = false;
break;
}
}
// Check for a list of addresses that should be enforced and iterate
List<IPAddress> enforceAddresses = confService.getEnforceHosts();
// Only continue processing if the list is not empty
if (!enforceAddresses.isEmpty()) {
// If client address is not available or invalid, MFA will
// be enforced.
if (clientAddr == null || !clientAddr.isIPAddress()) {
enforceHost = true;
}
else {
// With addresses set, this default changes to false.
enforceHost = false;
for (IPAddress enforceAddr : enforceAddresses) {
// If there's a match, flip the enforce flag and break out of the loop
if (enforceAddr.getIPVersion().equals(clientAddr.getIPVersion())
&& enforceAddr.contains(clientAddr)) {
enforceHost = true;
break;
}
}
}
}
// If the enforce flag has been changed, exit, bypassing Duo MFA.
if (!enforceHost)
return;
// Obtain a Duo client for redirecting the user to the Duo service and
@@ -137,11 +194,6 @@ public class UserVerificationService {
+ "not currently available (failed health check).", e);
}
// Pull the original HTTP request used to authenticate, as well as any
// associated credentials
Credentials credentials = authenticatedUser.getCredentials();
HttpServletRequest request = credentials.getRequest();
// Retrieve signed Duo authentication code and session state from the
// request (these will be absent if this is an initial authentication
// attempt and not a redirect back from Duo)

76
extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java
View File

@@ -20,10 +20,14 @@
package org.apache.guacamole.auth.duo.conf;
import com.google.inject.Inject;
import inet.ipaddr.IPAddress;
import java.net.URI;
import java.util.Collections;
import java.util.List;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.environment.Environment;
import org.apache.guacamole.properties.IntegerGuacamoleProperty;
import org.apache.guacamole.properties.IPAddressListProperty;
import org.apache.guacamole.properties.StringGuacamoleProperty;
import org.apache.guacamole.properties.URIGuacamoleProperty;
@@ -105,6 +109,40 @@ public class ConfigurationService {
public String getName() { return "duo-auth-timeout"; }
};
/**
* The optional property that contains a comma-separated list of IP addresses
* or CIDRs for which the MFA requirement should be bypassed. If the Duo
* extension is installed, any/all users authenticating from clients that
* match this list will be able to successfully log in without fulfilling
* the MFA requirement. If this option is omitted or is empty, and the
* Duo module is installed, all users from all hosts will have Duo MFA
* enforced.
*/
private static final IPAddressListProperty DUO_BYPASS_HOSTS =
new IPAddressListProperty() {
@Override
public String getName() { return "duo-bypass-hosts"; }
};
/**
* The optional property that contains a comma-separated list of IP addresses
* or CIDRs for which the MFA requirement should be explicitly enforced. If
* the Duo module is enabled and this property is specified, users that log
* in from hosts that match the items in this list will have Duo MFA required,
* and all users from hosts that do not match this list will be able to log
* in without the MFA requirement. If this option is missing or empty and
* the Duo module is installed, MFA will be enforced for all users.
*/
private static final IPAddressListProperty DUO_ENFORCE_HOSTS =
new IPAddressListProperty() {
@Override
public String getName() { return "duo-enforce-hosts"; }
};
/**
* Returns the hostname of the Duo API endpoint to be used to verify user
@@ -188,5 +226,43 @@ public class ConfigurationService {
public int getAuthenticationTimeout() throws GuacamoleException {
return environment.getProperty(DUO_AUTH_TIMEOUT, 5);
}
/**
* Returns the list of IP addresses and subnets defined in guacamole.properties
* for which Duo MFA should _not_ be enforced. Users logging in from hosts
* contained in this list will be logged in without the MFA requirement.
*
* @return
* A list of IP addresses and subnets for which Duo MFA should not be
* enforced.
*
* @throws GuacamoleException
* If guacamole.properties cannot be parsed, or if an invalid IP address
* or subnet is specified.
*/
public List<IPAddress> getBypassHosts() throws GuacamoleException {
return environment.getProperty(DUO_BYPASS_HOSTS, Collections.emptyList());
}
/**
* Returns the list of IP addresses and subnets defined in guacamole.properties
* for which Duo MFA should explicitly be enforced, while logins from all
* other hosts should not enforce MFA. Users logging in from hosts
* contained in this list will be required to complete the Duo MFA authentication,
* while users from all other hosts will be logged in without the MFA requirement.
*
* @return
* A list of IP addresses and subnets for which Duo MFA should be
* explicitly enforced.
*
* @throws GuacamoleException
* If guacamole.properties cannot be parsed, or if an invalid IP address
* or subnet is specified.
*/
public List<IPAddress> getEnforceHosts() throws GuacamoleException {
return environment.getProperty(DUO_ENFORCE_HOSTS, Collections.emptyList());
}
}