necouchman commented on code in PR #911: URL: https://github.com/apache/guacamole-client/pull/911#discussion_r1457999132
########## extensions/guacamole-auth-duo/src/main/java/org/apache/guacamole/auth/duo/UserVerificationService.java: ########## @@ -71,10 +75,38 @@ public void verifyAuthenticatedUser(AuthenticatedUser authenticatedUser) // Pull the original HTTP request used to authenticate Credentials credentials = authenticatedUser.getCredentials(); HttpServletRequest request = credentials.getRequest(); + IPAddress clientAddr = new IPAddressString(request.getRemoteAddr()).getAddress(); // Ignore anonymous users if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER)) return; + + // Pull address lists to check from configuration. Note that the enforce + // list will override the bypass list, which means that, if the client + // address happens to be in both lists, Duo MFA will be enforced. + List<IPAddress> bypassAddresses = confService.getBypassHosts(); + List<IPAddress> enforceAddresses = confService.getEnforceHosts(); + + // Check if the bypass list contains the client address, and set the + // enforce flag to the opposite. + boolean enforceHost = !(IPAddressUtil.addressListContains(bypassAddresses, clientAddr)); + + // Only continue processing if the list is not empty + if (enforceAddresses != null && !enforceAddresses.isEmpty()) { Review Comment: Removed `null` check via rebase. ########## extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java: ########## 
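Review bot: In the Duo `verifyAuthenticatedUser` hunk, the decision to skip MFA rests entirely on `request.getRemoteAddr()`, which behind a reverse proxy is the proxy's address unless the servlet container restores the client address from a trusted forwarding header. A bypass entry that covers the proxy would then exempt every user, so the `clientAddr` line deserves a comment such as `// getRemoteAddr() is the direct peer; behind a proxy the bypass/enforce lists match the proxy unless the container rewrites it from a trusted header`. Separately, `IPAddressString.getAddress()` returns null for a string it cannot parse, and how `IPAddressUtil.addressListContains` treats a null address is not visible here, so confirm that case ends in enforcement rather than bypass. The same two lines appear in the TOTP `verifyIdentity` hunk, and both method bodies continue past the quoted lines.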
@@ -288,6 +292,45 @@ private boolean totpDisabled(UserContext context, public void verifyIdentity(UserContext context, AuthenticatedUser authenticatedUser) throws GuacamoleException { + // Pull the original HTTP request used to authenticate + Credentials credentials = authenticatedUser.getCredentials(); + HttpServletRequest request = credentials.getRequest(); + + // Get the current client address + IPAddress clientAddr = new IPAddressString(request.getRemoteAddr()).getAddress(); + + // Ignore anonymous users + if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER)) + return; + + // Pull address lists to check from configuration. Note that the enforce + // list will override the bypass list, which means that, if the client + // address happens to be in both lists, Duo MFA will be enforced. + List<IPAddress> bypassAddresses = confService.getBypassHosts(); + List<IPAddress> enforceAddresses = confService.getEnforceHosts(); + + // Check the bypass list for the client address, and set the enforce + // flag to the opposite. + boolean enforceHost = !(IPAddressUtil.addressListContains(bypassAddresses, clientAddr)); + + // Only continue processing if the list is not empty + if (enforceAddresses != null && !enforceAddresses.isEmpty()) { Review Comment: Removed `null` check via rebase. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@guacamole.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
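Review bot: In the TOTP `verifyIdentity` hunk, the comment above the address lists still says "Duo MFA will be enforced", carried over from the Duo extension. That comment states the precedence rule (enforce overrides bypass), so it should name the right mechanism: `// address happens to be in both lists, TOTP will be enforced.` The method body continues past the quoted lines, so the rest of the enforce/bypass logic is not visible here.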