From e196d28ed6f86ddb0c5ddb88601948e080b3ade8 Mon Sep 17 00:00:00 2001 From: Virtually Nick Date: Tue, 26 Sep 2023 17:16:02 -0400 Subject: [PATCH] GUACAMOLE-1855: Implement bypass and enforcement options in the Duo 2FA module. --- extensions/guacamole-auth-duo/pom.xml | 8 ++ .../auth/duo/UserVerificationService.java | 58 ++++++++++++++ .../auth/duo/conf/ConfigurationService.java | 75 +++++++++++++++++++ 3 files changed, 141 insertions(+) diff --git a/extensions/guacamole-auth-duo/pom.xml b/extensions/guacamole-auth-duo/pom.xml index a321351283..2cd31d295a 100644 --- a/extensions/guacamole-auth-duo/pom.xml +++ b/extensions/guacamole-auth-duo/pom.xml @@ -155,6 +155,14 @@ 2.5 provided + + + + com.github.seancfoley + ipaddress + 5.4.0 + provided + diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java index abcb486057..7c6c70c5d6 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java @@ -20,7 +20,9 @@ package org.apache.guacamole.auth.duo; import com.google.inject.Inject; +import inet.ipaddr.IPAddressString; import java.util.Collections; +import java.util.List; import javax.servlet.http.HttpServletRequest; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.auth.duo.api.DuoService; 
@@ -71,10 +73,66 @@ public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser) // Pull the original HTTP request used to authenticate Credentials credentials = authenticatedUser.getCredentials(); HttpServletRequest request = credentials.getRequest(); + IPAddressString clientAddr = new IPAddressString(request.getRemoteAddr()); // Ignore anonymous users if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER)) return; + + // We enforce by default + boolean enforceHost = true; + + // Check for a list of addresses that should be bypassed and iterate + List bypassAddresses = confService.getBypassHosts(); + if (bypassAddresses != null && !bypassAddresses.isEmpty()) { + for (int i = 0; i < bypassAddresses.size(); i++) { + + IPAddressString bypassAddr = bypassAddresses.get(i); + + // If the address contains current client address, flip enforce flag + // and break out + if (clientAddr != null && clientAddr.isIPAddress() + && bypassAddr.getIPVersion().equals(clientAddr.getIPVersion()) + && bypassAddr.getAddress().contains(clientAddr.getAddress())) { + enforceHost = false; + break; + } + } + } + + // Check for a list of addresses that should be enforced and iterate + List enforceAddresses = confService.getEnforceHosts(); + + // Only continue processing if the list is not empty + if (enforceAddresses != null && !enforceAddresses.isEmpty()) { + + // If client address is not available or invalid, MFA will + // be enforced. + if (clientAddr == null || !clientAddr.isIPAddress()) { + enforceHost = true; + } + + else { + // With addresses set, this default changes to false. 
+ enforceHost = false; + + for (int i = 0; i < enforceAddresses.size(); i++) { + + IPAddressString enforceAddr = enforceAddresses.get(i); + + // If there's a match, flip the enforce flag and break out of the loop + if (enforceAddr.getIPVersion().equals(clientAddr.getIPVersion()) + && enforceAddr.getAddress().contains(clientAddr.getAddress())) { + enforceHost = true; + break; + } + } + } + } + + // If the enforce flag has been changed, exit, bypassing Duo MFA. + if (!enforceHost) + return; // Retrieve signed Duo response from request String signedResponse = request.getParameter(DuoSignedResponseField.PARAMETER_NAME); diff --git a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java index 40ccde9e00..94c6c95dee 100644 --- a/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java +++ b/extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/conf/ConfigurationService.java @@ -20,8 +20,11 @@ package org.apache.guacamole.auth.duo.conf; import com.google.inject.Inject; +import inet.ipaddr.IPAddressString; +import java.util.List; import org.apache.guacamole.GuacamoleException; import org.apache.guacamole.environment.Environment; +import org.apache.guacamole.properties.IPAddressStringListProperty; import org.apache.guacamole.properties.StringGuacamoleProperty; /** 
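Review bot: The bypass/enforce decision in verifyAuthenticatedUser keys on `request.getRemoteAddr()`, which behind a reverse proxy or load balancer is the proxy's address rather than the user's, so a proxy address placed in `duo-bypass-hosts` (or left out of a non-empty `duo-enforce-hosts`) would switch Duo off for every user it fronts; a comment on that line such as `// Must be the real client address: with a reverse proxy in front, the container has to resolve the forwarded address from trusted proxies only` and matching text in the property documentation would make this explicit. The bypass path is also silent: a log line before the final `return`, e.g. `logger.debug("Duo MFA bypassed for user \"{}\" from {}", authenticatedUser.getIdentifier(), clientAddr);` (assuming the class has or gains the project's usual SLF4J logger), would leave an audit trail of every login that skipped MFA. Once `duo-enforce-hosts` is non-empty the `enforceHost = false` reset discards the bypass-list result, so the enforce list wins and any host in neither list skips MFA — worth stating in a comment, as is the consequence that a client whose address is reported in a different IP version than the configured entries (for instance an IPv4-mapped IPv6 address on a dual-stack listener) can never match an enforce entry and is therefore bypassed. Minor: `clientAddr != null` is always true since the object was just constructed, and both index loops read more naturally as for-each over the lists. The method begins before this hunk and continues after it.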
@@ -90,6 +93,40 @@ public class ConfigurationService { public String getName() { return "duo-application-key"; } }; + + /** + * The optional property that contains a comma-separated list of IP addresses + * or CIDRs for which the MFA requirement should be bypassed. If the Duo + * extension is installed, any/all users authenticating from clients that + * match this list will be able to successfully log in without fulfilling + * the MFA requirement. If this option is omitted or is empty, and the + * Duo module is installed, all users from all hosts will have Duo MFA + * enforced. + */ + private static final IPAddressStringListProperty DUO_BYPASS_HOSTS = + new IPAddressStringListProperty() { + + @Override + public String getName() { return "duo-bypass-hosts"; } + + }; + + /** + * The optional property that contains a comma-separated list of IP addresses + * or CIDRs for which the MFA requirement should be explicitly enforced. If + * the Duo module is enabled and this property is specified, users that log + * in from hosts that match the items in this list will have Duo MFA required, + * and all users from hosts that do not match this list will be able to log + * in without the MFA requirement. If this option is missing or empty and + * the Duo module is installed, MFA will be enforced for all users. + */ + private static final IPAddressStringListProperty DUO_ENFORCE_HOSTS = + new IPAddressStringListProperty() { + + @Override + public String getName() { return "duo-enforce-hosts"; } + + }; /** * Returns the hostname of the Duo API endpoint to be used to verify user 
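Review bot: The Javadoc on DUO_BYPASS_HOSTS says that when it is omitted or empty MFA is enforced for all hosts, but the verification code in this commit lets a non-empty `duo-enforce-hosts` exempt every host it does not list, so the two property descriptions contradict each other for the combined case; each should state the precedence, e.g. for DUO_BYPASS_HOSTS `If duo-enforce-hosts is also set, that list takes precedence and this one is ignored.` Both descriptions should also say which address is matched — the remote address reported by the servlet container — so that operators know a reverse proxy's address must not appear in `duo-bypass-hosts` and that the container has to report the real client address for either list to be meaningful. A sentence noting that entries are matched by IP version (an IPv4 entry will not match a client reported as an IPv6 address) would save a surprise in dual-stack deployments.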
@@ -156,5 +193,43 @@ public String getSecretKey() throws GuacamoleException { public String getApplicationKey() throws GuacamoleException { return environment.getRequiredProperty(DUO_APPLICATION_KEY); } + + /** + * Returns the list of IP addresses and subnets defined in guacamole.properties + * for which Duo MFA should _not_ be enforced. Users logging in from hosts + * contained in this list will be logged in without the MFA requirement. + * + * @return + * A list of IP addresses and subnets for which Duo MFA should not be + * enforced. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed, or if an invalid IP address + * or subnet is specified. + */ + public List getBypassHosts() throws GuacamoleException { + return environment.getProperty(DUO_BYPASS_HOSTS); + } + + /** + * Returns the list of IP addresses and subnets defined in guacamole.properties + * for which Duo MFA should explicitly be enforced, while logins from all + * other hosts should not enforce MFA. Users logging in from hosts + * contained in this list will be required to complete the Duo MFA authentication, + * while users from all other hosts will be logged in without the MFA requirement. + * + * @return + * A list of IP addresses and subnets for which Duo MFA should be + * explicitly enforced. + * + * @throws GuacamoleException + * If guacamole.properties cannot be parsed, or if an invalid IP address + * or subnet is specified. + */ + public List getEnforceHosts() throws GuacamoleException { + return environment.getProperty(DUO_ENFORCE_HOSTS); + } + + }
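Review bot: The `@return` of getBypassHosts and getEnforceHosts does not say what happens when the property is absent; `environment.getProperty` presumably yields `null` then (the caller in UserVerificationService null-checks both results), so the Javadoc should state it, e.g. `A list of IP addresses and subnets ..., or null if the property is not set.` The `_not_` emphasis in the getBypassHosts summary is Markdown, which Javadoc renders literally; use `<em>not</em>` or plain text. Both getters describe the combined-list behaviour differently from the DUO_BYPASS_HOSTS property documentation, so the precedence (the enforce list wins when both are set) should be stated consistently here as well.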