GUACAMOLE-1855: Implement bypass and enforcement options in the Duo 2…

…FA module.

extensions/guacamole-auth-duo/pom.xml

@@ -155,6 +155,13 @@
             <version>2.5</version>
             <scope>provided</scope>
         </dependency>
+
+        <!-- Library for unified IPv4/6 parsing and validation -->
+        <dependency>
+            <groupId>com.github.seancfoley</groupId>
+            <artifactId>ipaddress</artifactId>
+            <version>5.4.0</version>
+        </dependency>
 
     </dependencies>
 

extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java

@@ -20,7 +20,9 @@
 package org.apache.guacamole.auth.duo;
 
 import com.google.inject.Inject;
+import inet.ipaddr.IPAddressString;
 import java.util.Collections;
+import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.auth.duo.api.DuoService;
@@ -71,10 +73,66 @@ public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser)
         // Pull the original HTTP request used to authenticate
         Credentials credentials = authenticatedUser.getCredentials();
         HttpServletRequest request = credentials.getRequest();
+        IPAddressString clientAddr = new IPAddressString(request.getRemoteAddr());
 
         // Ignore anonymous users
         if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER))
             return;
+
+        // We enforce by default
+        boolean enforceHost = true;
+
+        // Check for a list of addresses that should be bypassed and iterate
+        List<IPAddressString> bypassAddresses = confService.getBypassHosts();
+        if (bypassAddresses != null && !bypassAddresses.isEmpty()) {
+            for (int i = 0; i < bypassAddresses.size(); i++) {
+
+                IPAddressString bypassAddr = bypassAddresses.get(i);
+
+                // If the address contains current client address, flip enforce flag
+                // and break out
+                if (clientAddr != null && clientAddr.isIPAddress()
+                        && bypassAddr.getIPVersion().equals(clientAddr.getIPVersion())
+                        && bypassAddr.getAddress().contains(clientAddr.getAddress())) {
+                    enforceHost = false;
+                    break;
+                }
+            }
+        }
+
+        // Check for a list of addresses that should be enforced and iterate
+        List<IPAddressString> enforceAddresses = confService.getEnforceHosts();
+
+        // Only continue processing if the list is not empty
+        if (enforceAddresses != null && !enforceAddresses.isEmpty()) {
+
+            // If client address is not available or invalid, MFA will
+            // be enforced.
+            if (clientAddr == null || !clientAddr.isIPAddress()) {
+                enforceHost = true;
+            }
+
+            else {
+                // With addresses set, this default changes to false.
+                enforceHost = false;
+
+                for (int i = 0; i < enforceAddresses.size(); i++) {
+
+                    IPAddressString enforceAddr = enforceAddresses.get(i);
+
+                    // If there's a match, flip the enforce flag and break out of the loop
+                    if (enforceAddr.getIPVersion().equals(clientAddr.getIPVersion())
+                            && enforceAddr.getAddress().contains(clientAddr.getAddress())) {
+                        enforceHost = true;
+                        break;
+                    }
+                }
+            }
+        }
+
+        // If the enforce flag has been changed, exit, bypassing Duo MFA.
+        if (!enforceHost)
+            return;
 
         // Retrieve signed Duo response from request
         String signedResponse = request.getParameter(DuoSignedResponseField.PARAMETER_NAME);

extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java

@@ -20,8 +20,11 @@
 package org.apache.guacamole.auth.duo.conf;
 
 import com.google.inject.Inject;
+import inet.ipaddr.IPAddressString;
+import java.util.List;
 import org.apache.guacamole.GuacamoleException;
 import org.apache.guacamole.environment.Environment;
+import org.apache.guacamole.properties.IPAddressStringListProperty;
 import org.apache.guacamole.properties.StringGuacamoleProperty;
 
 /**
@@ -90,6 +93,40 @@ public class ConfigurationService {
         public String getName() { return "duo-application-key"; }
 
     };
+
+    /**
+     * The optional property that contains a comma-separated list of IP addresses
+     * or CIDRs for which the MFA requirement should be bypassed. If the Duo
+     * extension is installed, any/all users authenticating from clients that
+     * match this list will be able to successfully log in without fulfilling
+     * the MFA requirement. If this option is omitted or is empty, and the
+     * Duo module is installed, all users from all hosts will have Duo MFA
+     * enforced.
+     */
+    private static final IPAddressStringListProperty DUO_BYPASS_HOSTS =
+            new IPAddressStringListProperty() {
+
+        @Override
+        public String getName() { return "duo-bypass-hosts"; }
+
+    };
+
+    /**
+     * The optional property that contains a comma-separated list of IP addresses
+     * or CIDRs for which the MFA requirement should be explicitly enforced. If
+     * the Duo module is enabled and this property is specified, users that log
+     * in from hosts that match the items in this list will have Duo MFA required,
+     * and all users from hosts that do not match this list will be able to log
+     * in without the MFA requirement. If this option is missing or empty and
+     * the Duo module is installed, MFA will be enforced for all users.
+     */
+    private static final IPAddressStringListProperty DUO_ENFORCE_HOSTS =
+            new IPAddressStringListProperty() {
+
+        @Override
+        public String getName() { return "duo-enforce-hosts"; }
+
+    };
 
     /**
      * Returns the hostname of the Duo API endpoint to be used to verify user
@@ -156,5 +193,43 @@ public String getSecretKey() throws GuacamoleException {
     public String getApplicationKey() throws GuacamoleException {
         return environment.getRequiredProperty(DUO_APPLICATION_KEY);
     }
+
+    /**
+     * Returns the list of IP addresses and subnets defined in guacamole.properties
+     * for which Duo MFA should _not_ be enforced. Users logging in from hosts
+     * contained in this list will be logged in without the MFA requirement.
+     * 
+     * @return
+     *     A list of IP addresses and subnets for which Duo MFA should not be
+     *     enforced.
+     * 
+     * @throws GuacamoleException 
+     *     If guacamole.properties cannot be parsed, or if an invalid IP address
+     *     or subnet is specified.
+     */
+    public List<IPAddressString> getBypassHosts() throws GuacamoleException {
+        return environment.getProperty(DUO_BYPASS_HOSTS);
+    }
+
+    /**
+     * Returns the list of IP addresses and subnets defined in guacamole.properties
+     * for which Duo MFA should explicitly be enforced, while logins from all
+     * other hosts should not enforce MFA. Users logging in from hosts
+     * contained in this list will be required to complete the Duo MFA authentication,
+     * while users from all other hosts will be logged in without the MFA requirement.
+     * 
+     * @return
+     *     A list of IP addresses and subnets for which Duo MFA should be
+     *     explicitly enforced.
+     * 
+     * @throws GuacamoleException 
+     *     If guacamole.properties cannot be parsed, or if an invalid IP address
+     *     or subnet is specified.
+     */
+    public List<IPAddressString> getEnforceHosts() throws GuacamoleException {
+        return environment.getProperty(DUO_ENFORCE_HOSTS);
+    }
+
+
 
 }