feat: desktop client MFA (#502)

* setup mfa service endpoints * add mfa start response * implement login start endpoint logic * store client login sessions * implement login finish handler * handle devices which never connected * fix tests * review fixes * use a JWT for auth * validate TOTP code * update protos --------- Co-authored-by: Maciej Wójcik <[email protected]>
DefGuard · Jan 17, 2024 · 79b3f03 · 79b3f03
1 parent 71f3f4d
commit 79b3f03
Show file tree

Hide file tree

Showing 16 changed files with 348 additions and 80 deletions.
diff --git a/...d907893fedd70f7d752521d515230397f3ee.json → ...073400544f1ce454d059ac13b24b32cbdbf4.json b/...d907893fedd70f7d752521d515230397f3ee.json → ...073400544f1ce454d059ac13b24b32cbdbf4.json
diff --git a/proto b/proto
diff --git a/src/auth/mod.rs b/src/auth/mod.rs
@@ -37,6 +37,7 @@ pub enum ClaimsType {
     Auth,
     Gateway,
     YubiBridge,
+    DesktopClient,
 }
 
 /// Standard claims: https://www.iana.org/assignments/jwt/jwt.xhtml
@@ -85,6 +86,7 @@ impl Claims {
             ClaimsType::Auth => AUTH_SECRET_ENV,
             ClaimsType::Gateway => GATEWAY_SECRET_ENV,
             ClaimsType::YubiBridge => YUBIBRIDGE_SECRET_ENV,
+            ClaimsType::DesktopClient => AUTH_SECRET_ENV,
         };
         env::var(env_var).unwrap_or_default()
     }

diff --git a/src/db/models/device.rs b/src/db/models/device.rs
@@ -491,7 +491,6 @@ impl Device {
     pub async fn add_to_all_networks(
         &self,
         transaction: &mut PgConnection,
-        admin_group_name: &str,
     ) -> Result<(Vec<DeviceNetworkInfo>, Vec<DeviceConfig>), DeviceError> {
         info!("Adding device {} to all existing networks", self.name);
         let networks = WireguardNetwork::all(&mut *transaction).await?;
@@ -528,7 +527,7 @@ impl Device {
             }
 
             if let Ok(wireguard_network_device) = network
-                .add_device_to_network(&mut *transaction, self, admin_group_name, None)
+                .add_device_to_network(&mut *transaction, self, None)
                 .await
             {
                 debug!(

diff --git a/src/db/models/group.rs b/src/db/models/group.rs
@@ -1,7 +1,10 @@
 use model_derive::Model;
 use sqlx::{query, query_as, query_scalar, Error as SqlxError, PgConnection, PgExecutor};
 
-use crate::db::{models::error::ModelError, User, WireguardNetwork};
+use crate::{
+    db::{models::error::ModelError, User, WireguardNetwork},
+    SERVER_CONFIG,
+};
 
 #[derive(Model)]
 pub struct Group {
@@ -97,9 +100,12 @@ impl WireguardNetwork {
     pub async fn get_allowed_groups(
         &self,
         transaction: &mut PgConnection,
-        admin_group_name: &str,
     ) -> Result<Option<Vec<String>>, ModelError> {
         debug!("Returning a list of allowed groups for network {self}");
+        let admin_group_name = &SERVER_CONFIG
+            .get()
+            .expect("defguard config not found")
+            .admin_groupname;
         // get allowed groups from DB
         let mut groups = self.fetch_allowed_groups(&mut *transaction).await?;
 

diff --git a/src/db/models/wireguard.rs b/src/db/models/wireguard.rs
@@ -302,11 +302,10 @@ impl WireguardNetwork {
     async fn get_allowed_devices(
         &self,
         transaction: &mut PgConnection,
-        admin_group_name: &str,
     ) -> Result<Vec<Device>, ModelError> {
         debug!("Fetching all allowed devices for network {}", self);
         let devices = match self
-            .get_allowed_groups(&mut *transaction, admin_group_name)
+            .get_allowed_groups(&mut *transaction)
             .await? {
             // devices need to be filtered by allowed group
             Some(allowed_groups) => {
@@ -338,15 +337,12 @@ impl WireguardNetwork {
     pub async fn add_all_allowed_devices(
         &self,
         transaction: &mut PgConnection,
-        admin_group_name: &str,
     ) -> Result<(), ModelError> {
         info!(
             "Assigning IPs in network {} for all existing devices ",
             self
         );
-        let devices = self
-            .get_allowed_devices(&mut *transaction, admin_group_name)
-            .await?;
+        let devices = self.get_allowed_devices(&mut *transaction).await?;
         for device in devices {
             device
                 .assign_network_ip(&mut *transaction, self, None)
@@ -360,13 +356,10 @@ impl WireguardNetwork {
         &self,
         transaction: &mut PgConnection,
         device: &Device,
-        admin_group_name: &str,
         reserved_ips: Option<&[IpAddr]>,
     ) -> Result<WireguardNetworkDevice, WireguardNetworkError> {
         info!("Assigning IP in network {self} for {device}");
-        let allowed_devices = self
-            .get_allowed_devices(&mut *transaction, admin_group_name)
-            .await?;
+        let allowed_devices = self.get_allowed_devices(&mut *transaction).await?;
         let allowed_device_ids: Vec<i64> =
             allowed_devices.iter().filter_map(|dev| dev.id).collect();
         if allowed_device_ids.contains(&device.get_id()?) {
@@ -389,14 +382,11 @@ impl WireguardNetwork {
     pub async fn sync_allowed_devices(
         &self,
         transaction: &mut PgConnection,
-        admin_group_name: &str,
         reserved_ips: Option<&[IpAddr]>,
     ) -> Result<Vec<GatewayEvent>, WireguardNetworkError> {
         info!("Synchronizing IPs in network {self} for all allowed devices ");
         // list all allowed devices
-        let allowed_devices = self
-            .get_allowed_devices(&mut *transaction, admin_group_name)
-            .await?;
+        let allowed_devices = self.get_allowed_devices(&mut *transaction).await?;
         // convert to a map for easier processing
         let mut allowed_devices: HashMap<i64, Device> = allowed_devices
             .into_iter()
@@ -485,12 +475,9 @@ impl WireguardNetwork {
         &self,
         transaction: &mut PgConnection,
         imported_devices: Vec<ImportedDevice>,
-        admin_group_name: &str,
     ) -> Result<(Vec<ImportedDevice>, Vec<GatewayEvent>), WireguardNetworkError> {
         let network_id = self.get_id()?;
-        let allowed_devices = self
-            .get_allowed_devices(&mut *transaction, admin_group_name)
-            .await?;
+        let allowed_devices = self.get_allowed_devices(&mut *transaction).await?;
         // convert to a map for easier processing
         let allowed_devices: HashMap<i64, Device> = allowed_devices
             .into_iter()
@@ -551,14 +538,11 @@ impl WireguardNetwork {
         &self,
         transaction: &mut PgConnection,
         mapped_devices: Vec<MappedDevice>,
-        admin_group_name: &str,
     ) -> Result<Vec<GatewayEvent>, WireguardNetworkError> {
         info!("Mapping user devices for network {}", self);
         let network_id = self.get_id()?;
         // get allowed groups for network
-        let allowed_groups = self
-            .get_allowed_groups(&mut *transaction, admin_group_name)
-            .await?;
+        let allowed_groups = self.get_allowed_groups(&mut *transaction).await?;
 
         let mut events = Vec::new();
         // use a helper hashmap to avoid repeated queries
@@ -629,9 +613,8 @@ impl WireguardNetwork {
             }
 
             // assign IPs in other networks
-            let (mut all_network_info, _configs) = device
-                .add_to_all_networks(&mut *transaction, admin_group_name)
-                .await?;
+            let (mut all_network_info, _configs) =
+                device.add_to_all_networks(&mut *transaction).await?;
 
             network_info.append(&mut all_network_info);