From 351cd105c8a5750d0a7b68324077065bdb97e77b Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Tue, 26 Sep 2023 17:16:25 -0400 Subject: [PATCH] GUACAMOLE-1855: Implement bypass and enforcement options in the TOTP module. --- extensions/guacamole-auth-totp/pom.xml | 8 +++ .../auth/totp/conf/ConfigurationService.java | 67 +++++++++++++++++ .../totp/user/UserVerificationService.java | 72 +++++++++++++++++-- 3 files changed, 143 insertions(+), 4 deletions(-) diff --git a/extensions/guacamole-auth-totp/pom.xml b/extensions/guacamole-auth-totp/pom.xml index 9d041e3f92..6fa98f94e3 100644 --- a/extensions/guacamole-auth-totp/pom.xml +++ b/extensions/guacamole-auth-totp/pom.xml @@ -177,6 +177,14 @@ 2.0 provided + + + + com.github.seancfoley + ipaddress + 5.4.0 + provided + diff --git a/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/conf/ConfigurationService.java b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/conf/ConfigurationService.java index 06984ce40c..74d057f0b6 100644 --- a/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/conf/ConfigurationService.java @@ -20,10 +20,13 @@ package org.apache.guacamole.auth.totp.conf; import com.google.inject.Inject; +import inet.ipaddr.IPAddressString; +import java.util.List; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.GuacamoleServerException; import org.apache.guacamole.environment.Environment; import org.apache.guacamole.properties.EnumGuacamoleProperty; +import org.apache.guacamole.properties.IPAddressStringListProperty; import org.apache.guacamole.properties.IntegerGuacamoleProperty; import org.apache.guacamole.properties.StringGuacamoleProperty; import org.apache.guacamole.totp.TOTPGenerator; @@ -88,6 +91,36 @@ public class ConfigurationService { public String getName() { return "totp-mode"; } }; + + /** + * A property that contains a list of IP addresses and/or subnets for which + * MFA via the TOTP module should be bypassed. Users logging in from addresses + * contained in this list will not be prompted for a second authentication + * factor. If this property is empty or not defined, and the TOTP module + * is installed, all users will be prompted for MFA. + */ + private static final IPAddressStringListProperty TOTP_BYPASS_HOSTS = + new IPAddressStringListProperty() { + + @Override + public String getName() { return "totp-bypass-hosts"; } + + }; + + /** + * A property that contains a list of IP addresses and/or subnets for which + * MFA via the TOTP module should explicitly be enabled. If this property is defined, + * and the TOTP module is installed, users logging in from hosts contained + * in this list will be prompted for MFA, and users logging in from all + * other hosts will not be prompted for MFA. + */ + private static final IPAddressStringListProperty TOTP_ENFORCE_HOSTS = + new IPAddressStringListProperty() { + + @Override + public String getName() { return "totp-enforce-hosts"; } + + }; /** * Returns the human-readable name of the entity issuing user accounts. If @@ -158,5 +191,39 @@ public int getPeriod() throws GuacamoleException { public TOTPGenerator.Mode getMode() throws GuacamoleException { return environment.getProperty(TOTP_MODE, TOTPGenerator.Mode.SHA1); } + + /** + * Return the list of IP addresses and/or subnets for which MFA authentication via the + * TOTP module should be bypassed, allowing users from those addresses to log in + * without the MFA requirement. + * + * @return + * A list of IP addresses and/or subnets for which MFA authentication + * should be bypassed. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed, or an invalid IP address + * or subnet is specified. + */ + public List getBypassHosts() throws GuacamoleException { + return environment.getProperty(TOTP_BYPASS_HOSTS); + } + + /** + * Return the list of IP addresses and/or subnets for which MFA authentication via the TOTP + * module should be explicitly enabled, requiring users logging in from hosts specified in + * the list to complete MFA. + * + * @return + * A list of IP addresses and/or subnets for which MFA authentication + * should be explicitly enabled. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed, or an invalid IP address + * or subnet is specified. + */ + public List getEnforceHosts() throws GuacamoleException { + return environment.getProperty(TOTP_ENFORCE_HOSTS); + } } diff --git a/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java index 027a228cdc..b667dd0bc9 100644 --- a/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java +++ b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java @@ -22,9 +22,11 @@ import com.google.common.io.BaseEncoding; import com.google.inject.Inject; import com.google.inject.Provider; +import inet.ipaddr.IPAddressString; import java.security.InvalidKeyException; import java.util.Collections; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.Set; import javax.servlet.http.HttpServletRequest; @@ -288,6 +290,72 @@ private boolean totpDisabled(UserContext context, public void verifyIdentity(UserContext context, AuthenticatedUser authenticatedUser) throws GuacamoleException { + // Pull the original HTTP request used to authenticate + Credentials credentials = authenticatedUser.getCredentials(); + HttpServletRequest request = credentials.getRequest(); + + // Get the current client address + IPAddressString clientAddr = new IPAddressString(request.getRemoteAddr()); + + // Ignore anonymous users + if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER)) + return; + + // We enforce by default + boolean enforceHost = true; + + // Check for a list of addresses that should be bypassed and iterate + List bypassAddresses = confService.getBypassHosts(); + if (bypassAddresses != null && !bypassAddresses.isEmpty()) { + for (int i = 0; i < bypassAddresses.size(); i++) { + + IPAddressString bypassAddr = bypassAddresses.get(i); + + // If the address contains current client address, flip enforce flag + // and break out + if (clientAddr != null && clientAddr.isIPAddress() + && bypassAddr.getIPVersion().equals(clientAddr.getIPVersion()) + && bypassAddr.getAddress().contains(clientAddr.getAddress())) { + enforceHost = false; + break; + } + } + } + + // Check for a list of addresses that should be enforced and iterate + List enforceAddresses = confService.getEnforceHosts(); + + // Only continue processing if the list is not empty + if (enforceAddresses != null && !enforceAddresses.isEmpty()) { + + if (clientAddr == null || !clientAddr.isIPAddress()) { + logger.warn("Client address is not valid, " + + "MFA will be enforced."); + enforceHost = true; + } + + else { + // With addresses set, this default changes to false. + enforceHost = false; + + for (int i = 0; i < enforceAddresses.size(); i++) { + + IPAddressString enforceAddr = enforceAddresses.get(i); + + // If there's a match, flip the enforce flag and break out of the loop + if (enforceAddr.getIPVersion().equals(clientAddr.getIPVersion()) + && enforceAddr.getAddress().contains(clientAddr.getAddress())) { + enforceHost = true; + break; + } + } + } + } + + // If the enforce flag has been changed, exit, bypassing TOTP MFA. + if (!enforceHost) + return; + // Ignore anonymous users String username = authenticatedUser.getIdentifier(); if (username.equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER)) @@ -302,10 +370,6 @@ public void verifyIdentity(UserContext context, if (key == null) return; - // Pull the original HTTP request used to authenticate - Credentials credentials = authenticatedUser.getCredentials(); - HttpServletRequest request = credentials.getRequest(); - // Retrieve TOTP from request String code = request.getParameter(AuthenticationCodeField.PARAMETER_NAME);