1
0
Fork 0

Use users duo host when required, instead of always using the global one

Dieser Commit ist enthalten in:
Daniel García 2019-04-15 13:06:42 +02:00
Ursprung 3d843a6a51
Commit 253faaf023
Es konnte kein GPG-Schlüssel zu dieser Signatur gefunden werden
GPG-Schlüssel-ID: FC8A7D14C3CD543A
2 geänderte Dateien mit 9 neuen und 9 gelöschten Zeilen

Datei anzeigen

@ -936,25 +936,25 @@ fn get_user_duo_data(uuid: &str, conn: &DbConn) -> DuoStatus {
DuoStatus::Disabled(false) DuoStatus::Disabled(false)
} }
// let (ik, sk, ak) = get_duo_keys(); // let (ik, sk, ak, host) = get_duo_keys();
fn get_duo_keys_email(email: &str, conn: &DbConn) -> ApiResult<(String, String, String)> { fn get_duo_keys_email(email: &str, conn: &DbConn) -> ApiResult<(String, String, String, String)> {
let data = User::find_by_mail(email, &conn) let data = User::find_by_mail(email, &conn)
.and_then(|u| get_user_duo_data(&u.uuid, &conn).data()) .and_then(|u| get_user_duo_data(&u.uuid, &conn).data())
.or_else(|| DuoData::global()) .or_else(|| DuoData::global())
.map_res("Can't fetch Duo keys")?; .map_res("Can't fetch Duo keys")?;
Ok((data.ik, data.sk, CONFIG.get_duo_akey())) Ok((data.ik, data.sk, CONFIG.get_duo_akey(), data.host))
} }
pub fn generate_duo_signature(email: &str, conn: &DbConn) -> ApiResult<String> { pub fn generate_duo_signature(email: &str, conn: &DbConn) -> ApiResult<(String, String)> {
let now = Utc::now().timestamp(); let now = Utc::now().timestamp();
let (ik, sk, ak) = get_duo_keys_email(email, conn)?; let (ik, sk, ak, host) = get_duo_keys_email(email, conn)?;
let duo_sign = sign_duo_values(&sk, email, &ik, DUO_PREFIX, now + DUO_EXPIRE); let duo_sign = sign_duo_values(&sk, email, &ik, DUO_PREFIX, now + DUO_EXPIRE);
let app_sign = sign_duo_values(&ak, email, &ik, APP_PREFIX, now + APP_EXPIRE); let app_sign = sign_duo_values(&ak, email, &ik, APP_PREFIX, now + APP_EXPIRE);
Ok(format!("{}:{}", duo_sign, app_sign)) Ok((format!("{}:{}", duo_sign, app_sign), host))
} }
fn sign_duo_values(key: &str, email: &str, ikey: &str, prefix: &str, expire: i64) -> String { fn sign_duo_values(key: &str, email: &str, ikey: &str, prefix: &str, expire: i64) -> String {
@ -975,7 +975,7 @@ pub fn validate_duo_login(email: &str, response: &str, conn: &DbConn) -> EmptyRe
let now = Utc::now().timestamp(); let now = Utc::now().timestamp();
let (ik, sk, ak) = get_duo_keys_email(email, conn)?; let (ik, sk, ak, _host) = get_duo_keys_email(email, conn)?;
let auth_user = parse_duo_values(&sk, auth_sig, &ik, AUTH_PREFIX, now)?; let auth_user = parse_duo_values(&sk, auth_sig, &ik, AUTH_PREFIX, now)?;
let app_user = parse_duo_values(&ak, app_sig, &ik, APP_PREFIX, now)?; let app_user = parse_duo_values(&ak, app_sig, &ik, APP_PREFIX, now)?;

Datei anzeigen

@ -248,10 +248,10 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api
None => err!("User does not exist"), None => err!("User does not exist"),
}; };
let signature = two_factor::generate_duo_signature(&email, conn)?; let (signature, host) = two_factor::generate_duo_signature(&email, conn)?;
result["TwoFactorProviders2"][provider.to_string()] = json!({ result["TwoFactorProviders2"][provider.to_string()] = json!({
"Host": CONFIG.duo_host(), "Host": host,
"Signature": signature, "Signature": signature,
}); });
} }