|
47 | 47 | import org.apache.guacamole.net.auth.UserContext;
|
48 | 48 | import org.apache.guacamole.net.auth.UserGroup;
|
49 | 49 | import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
|
| 50 | +import org.apache.guacamole.properties.IPAddressListProperty; |
50 | 51 | import org.apache.guacamole.totp.TOTPGenerator;
|
51 | 52 | import org.slf4j.Logger;
|
52 | 53 | import org.slf4j.LoggerFactory;
|
@@ -296,57 +297,37 @@ public void verifyIdentity(UserContext context,
|
296 | 297 | HttpServletRequest request = credentials.getRequest();
|
297 | 298 |
|
298 | 299 | // Get the current client address
|
299 |
| - IPAddressString clientAddr = new IPAddressString(request.getRemoteAddr()); |
| 300 | + IPAddress clientAddr = new IPAddressString(request.getRemoteAddr()).getAddress(); |
300 | 301 |
|
301 | 302 | // Ignore anonymous users
|
302 | 303 | if (authenticatedUser.getIdentifier().equals(AuthenticatedUser.ANONYMOUS_IDENTIFIER))
|
303 | 304 | return;
|
304 | 305 |
|
305 |
| - // We enforce by default |
306 |
| - boolean enforceHost = true; |
307 |
| - |
308 |
| - // Check for a list of addresses that should be bypassed and iterate |
| 306 | + // Pull address lists to check from configuration. Note that the enforce |
| 307 | + // list will override the bypass list, which means that, if the client |
| 308 | + // address happens to be in both lists, Duo MFA will be enforced. |
309 | 309 | List<IPAddress> bypassAddresses = confService.getBypassHosts();
|
310 |
| - for (IPAddress bypassAddr : bypassAddresses) { |
311 |
| - // If the address contains current client address, flip enforce flag |
312 |
| - // and break out |
313 |
| - if (clientAddr != null && clientAddr.isIPAddress() |
314 |
| - && bypassAddr.getIPVersion().equals(clientAddr.getIPVersion()) |
315 |
| - && bypassAddr.contains(clientAddr.getAddress())) { |
316 |
| - enforceHost = false; |
317 |
| - break; |
318 |
| - } |
319 |
| - } |
320 |
| - |
321 |
| - // Check for a list of addresses that should be enforced and iterate |
322 | 310 | List<IPAddress> enforceAddresses = confService.getEnforceHosts();
|
323 | 311 |
|
| 312 | + // Check the bypass list for the client address, and set the enforce |
| 313 | + // flag to the opposite. |
| 314 | + boolean enforceHost = !(IPAddressListProperty.addressListContains(bypassAddresses, clientAddr)); |
| 315 | + |
324 | 316 | // Only continue processing if the list is not empty
|
325 | 317 | if (!enforceAddresses.isEmpty()) {
|
326 | 318 |
|
327 |
| - if (clientAddr == null || !clientAddr.isIPAddress()) { |
328 |
| - logger.warn("Client address is not valid, " |
329 |
| - + "MFA will be enforced."); |
| 319 | + // If client address is not available or invalid, MFA will |
| 320 | + // be enforced. |
| 321 | + if (clientAddr == null || !clientAddr.isIPAddress()) |
330 | 322 | enforceHost = true;
|
331 |
| - } |
332 | 323 |
|
333 |
| - else { |
334 |
| - // With addresses set, this default changes to false. |
335 |
| - enforceHost = false; |
336 |
| - |
337 |
| - for (IPAddress enforceAddr : enforceAddresses) { |
338 |
| - |
339 |
| - // If there's a match, flip the enforce flag and break out of the loop |
340 |
| - if (enforceAddr.getIPVersion().equals(clientAddr.getIPVersion()) |
341 |
| - && enforceAddr.contains(clientAddr.getAddress())) { |
342 |
| - enforceHost = true; |
343 |
| - break; |
344 |
| - } |
345 |
| - } |
346 |
| - } |
| 324 | + // Check the enforce list and set the flag if the client address |
| 325 | + // is found in the list. |
| 326 | + else |
| 327 | + enforceHost = IPAddressListProperty.addressListContains(enforceAddresses, clientAddr); |
347 | 328 | }
|
348 | 329 |
|
349 |
| - // If the enforce flag has been changed, exit, bypassing TOTP MFA. |
| 330 | + // If the enforce flag is not true, bypass TOTP MFA. |
350 | 331 | if (!enforceHost)
|
351 | 332 | return;
|
352 | 333 |
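Review bot: The `!clientAddr.isIPAddress()` half of the guard at new line 321 looks dead now that `clientAddr` is an `IPAddress` obtained through `getAddress()` on new line 300 rather than the `IPAddressString` the old code held — an `IPAddress` instance answers true, and an unparseable remote address shows up as `getAddress()` returning null, so `if (clientAddr == null)` is the whole condition. The same rewrite also dropped the `logger.warn("Client address is not valid, MFA will be enforced.")` that accompanied that branch, so a missing or unparseable remote address now falls through to enforcement silently; restoring the warning keeps the one log line an operator has for diagnosing why MFA was demanded from a host expected to bypass it, e.g. `if (clientAddr == null) { logger.warn("Client address is not valid, MFA will be enforced."); enforceHost = true; }`. Separately, `IPAddressListProperty.addressListContains(bypassAddresses, clientAddr)` on new line 314 runs before that null check, so whether a null `clientAddr` is tolerated depends on the helper, which is not visible here — worth confirming, or moving the null guard ahead of the bypass lookup. verifyIdentity begins before this hunk and continues past it.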
|