safebox/guacamole-client
4
0
Fork 0
mirror of https://github.com/gyurix1968/guacamole-client.git synced 2025-09-06 13:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

GUACAMOLE-1855: Merge configuration options for bypassing MFA based on client address.

Browse Source
This commit is contained in:
Mike Jumper
2024-08-29 00:16:29 -07:00
committed by GitHub
parent 086802ad2f 2ecad02fe1
commit f6c2787dc1
9 changed files with 362 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java
View File

@@ -23,10 +23,13 @@ import com.duosecurity.Client;
import com.duosecurity.exception.DuoException;
import com.duosecurity.model.Token;
import com.google.inject.Inject;
import inet.ipaddr.IPAddress;
import inet.ipaddr.IPAddressString;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
@@ -37,6 +40,7 @@ import org.apache.guacamole.language.TranslatableMessage;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.properties.IPAddressListProperty;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -107,9 +111,41 @@ public class UserVerificationService {
public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser)
throws GuacamoleException {
// Ignore anonymous users (unverifiable)
// Pull the original HTTP request used to authenticate
Credentials credentials = authenticatedUser.getCredentials();
HttpServletRequest request = credentials.getRequest();
IPAddress clientAddr = new IPAddressString(request.getRemoteAddr()).getAddress();
// Ignore anonymous users
String username = authenticatedUser.getIdentifier();
if (username.equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER))
if (username == null || username.equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER))
return;
// Pull address lists to check from configuration. Note that the enforce
// list will override the bypass list, which means that, if the client
// address happens to be in both lists, Duo MFA will be enforced.
List<IPAddress> bypassAddresses = confService.getBypassHosts();
List<IPAddress> enforceAddresses = confService.getEnforceHosts();
// Check if the bypass list contains the client address, and set the
// enforce flag to the opposite.
boolean enforceHost = !(IPAddressListProperty.addressListContains(bypassAddresses, clientAddr));
// Only continue processing if the list is not empty
if (!enforceAddresses.isEmpty()) {
// If client address is not available or invalid, MFA will
// be enforced.
if (clientAddr == null || !clientAddr.isIPAddress())
enforceHost = true;
// Check the enforce list for the client address and set enforcement flag.
else
enforceHost = IPAddressListProperty.addressListContains(enforceAddresses, clientAddr);
}
// If the enforce flag is not true, bypass Duo MFA.
if (!enforceHost)
return;
// Obtain a Duo client for redirecting the user to the Duo service and
@@ -137,11 +173,6 @@ public class UserVerificationService {
+ "not currently available (failed health check).", e);
}
// Pull the original HTTP request used to authenticate, as well as any
// associated credentials
Credentials credentials = authenticatedUser.getCredentials();
HttpServletRequest request = credentials.getRequest();
// Retrieve signed Duo authentication code and session state from the
// request (these will be absent if this is an initial authentication
// attempt and not a redirect back from Duo)

76
extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java
View File

@@ -20,10 +20,14 @@
package org.apache.guacamole.auth.duo.conf;
import com.google.inject.Inject;
import inet.ipaddr.IPAddress;
import java.net.URI;
import java.util.Collections;
import java.util.List;
import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.environment.Environment;
import org.apache.guacamole.properties.IntegerGuacamoleProperty;
import org.apache.guacamole.properties.IPAddressListProperty;
import org.apache.guacamole.properties.StringGuacamoleProperty;
import org.apache.guacamole.properties.URIGuacamoleProperty;
@@ -105,6 +109,40 @@ public class ConfigurationService {
public String getName() { return "duo-auth-timeout"; }
};
/**
* The optional property that contains a comma-separated list of IP addresses
* or CIDRs for which the MFA requirement should be bypassed. If the Duo
* extension is installed, any/all users authenticating from clients that
* match this list will be able to successfully log in without fulfilling
* the MFA requirement. If this option is omitted or is empty, and the
* Duo module is installed, all users from all hosts will have Duo MFA
* enforced.
*/
private static final IPAddressListProperty DUO_BYPASS_HOSTS =
new IPAddressListProperty() {
@Override
public String getName() { return "duo-bypass-hosts"; }
};
/**
* The optional property that contains a comma-separated list of IP addresses
* or CIDRs for which the MFA requirement should be explicitly enforced. If
* the Duo module is enabled and this property is specified, users that log
* in from hosts that match the items in this list will have Duo MFA required,
* and all users from hosts that do not match this list will be able to log
* in without the MFA requirement. If this option is missing or empty and
* the Duo module is installed, MFA will be enforced for all users.
*/
private static final IPAddressListProperty DUO_ENFORCE_HOSTS =
new IPAddressListProperty() {
@Override
public String getName() { return "duo-enforce-hosts"; }
};
/**
* Returns the hostname of the Duo API endpoint to be used to verify user
@@ -188,5 +226,43 @@ public class ConfigurationService {
public int getAuthenticationTimeout() throws GuacamoleException {
return environment.getProperty(DUO_AUTH_TIMEOUT, 5);
}
/**
* Returns the list of IP addresses and subnets defined in guacamole.properties
* for which Duo MFA should _not_ be enforced. Users logging in from hosts
* contained in this list will be logged in without the MFA requirement.
*
* @return
* A list of IP addresses and subnets for which Duo MFA should not be
* enforced.
*
* @throws GuacamoleException
* If guacamole.properties cannot be parsed, or if an invalid IP address
* or subnet is specified.
*/
public List<IPAddress> getBypassHosts() throws GuacamoleException {
return environment.getProperty(DUO_BYPASS_HOSTS, Collections.emptyList());
}
/**
* Returns the list of IP addresses and subnets defined in guacamole.properties
* for which Duo MFA should explicitly be enforced, while logins from all
* other hosts should not enforce MFA. Users logging in from hosts
* contained in this list will be required to complete the Duo MFA authentication,
* while users from all other hosts will be logged in without the MFA requirement.
*
* @return
* A list of IP addresses and subnets for which Duo MFA should be
* explicitly enforced.
*
* @throws GuacamoleException
* If guacamole.properties cannot be parsed, or if an invalid IP address
* or subnet is specified.
*/
public List<IPAddress> getEnforceHosts() throws GuacamoleException {
return environment.getProperty(DUO_ENFORCE_HOSTS, Collections.emptyList());
}
}