From 253faaf02372ec0ce198e2ee480de4a59986d8a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garc=C3=ADa?=
Date: Mon, 15 Apr 2019 13:06:42 +0200
Subject: [PATCH] Use users duo host when required, instead of always using the global one
---
 src/api/core/two_factor.rs | 14 +++++++-------
 src/api/identity.rs | 4 ++--
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/api/core/two_factor.rs b/src/api/core/two_factor.rs
index 635c74e8..7cbec5d0 100644
--- a/src/api/core/two_factor.rs
+++ b/src/api/core/two_factor.rs
@@ -936,25 +936,25 @@ fn get_user_duo_data(uuid: &str, conn: &DbConn) -> DuoStatus {
 DuoStatus::Disabled(false)
 }
-// let (ik, sk, ak) = get_duo_keys();
-fn get_duo_keys_email(email: &str, conn: &DbConn) -> ApiResult<(String, String, String)> {
+// let (ik, sk, ak, host) = get_duo_keys();
+fn get_duo_keys_email(email: &str, conn: &DbConn) -> ApiResult<(String, String, String, String)> {
 let data = User::find_by_mail(email, &conn) .and_then(|u| get_user_duo_data(&u.uuid, &conn).data()) .or_else(|| DuoData::global()) .map_res("Can't fetch Duo keys")?;
- Ok((data.ik, data.sk, CONFIG.get_duo_akey()))
+ Ok((data.ik, data.sk, CONFIG.get_duo_akey(), data.host))
 }
-pub fn generate_duo_signature(email: &str, conn: &DbConn) -> ApiResult {
+pub fn generate_duo_signature(email: &str, conn: &DbConn) -> ApiResult<(String, String)> {
 let now = Utc::now().timestamp();
- let (ik, sk, ak) = get_duo_keys_email(email, conn)?;
+ let (ik, sk, ak, host) = get_duo_keys_email(email, conn)?;
 let duo_sign = sign_duo_values(&sk, email, &ik, DUO_PREFIX, now + DUO_EXPIRE);
 let app_sign = sign_duo_values(&ak, email, &ik, APP_PREFIX, now + APP_EXPIRE);
- Ok(format!("{}:{}", duo_sign, app_sign))
+ Ok((format!("{}:{}", duo_sign, app_sign), host))
 }
 fn sign_duo_values(key: &str, email: &str, ikey: &str, prefix: &str, expire: i64) -> String {
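Review bot: `get_duo_keys_email` now returns four positional `String`s, two of which (`sk`, `ak`) are signing secrets while `host` is forwarded to the login client, so a reordered destructuring at a call site would still compile and could place a secret in the response. Since `data` already carries named `ik`, `sk` and `host` fields, returning it whole keeps the names attached: `-> ApiResult<(DuoData, String)>` with `Ok((data, CONFIG.get_duo_akey()))`, assuming `data` is a `DuoData` as the `DuoData::global()` fallback suggests. The same tuple is destructured in `validate_duo_login` in the next hunk, where the host is discarded as `_host`. The commented-out line above the function names `get_duo_keys`, which is not the function it precedes; a doc comment such as `/// Returns the Duo integration key, secret key, application key and API host for this email, falling back to the global Duo settings.` would serve readers better.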
@@ -975,7 +975,7 @@ pub fn validate_duo_login(email: &str, response: &str, conn: &DbConn) -> EmptyRe
 let now = Utc::now().timestamp();
- let (ik, sk, ak) = get_duo_keys_email(email, conn)?;
+ let (ik, sk, ak, _host) = get_duo_keys_email(email, conn)?;
 let auth_user = parse_duo_values(&sk, auth_sig, &ik, AUTH_PREFIX, now)?;
 let app_user = parse_duo_values(&ak, app_sig, &ik, APP_PREFIX, now)?;
diff --git a/src/api/identity.rs b/src/api/identity.rs
index 3e7b526b..0645dad1 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -248,10 +248,10 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api
 None => err!("User does not exist"),
 };
- let signature = two_factor::generate_duo_signature(&email, conn)?;
+ let (signature, host) = two_factor::generate_duo_signature(&email, conn)?;
 result["TwoFactorProviders2"][provider.to_string()] = json!({
- "Host": CONFIG.duo_host(),
+ "Host": host,
 "Signature": signature,
 });
 }
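Review bot: The `"Host"` value sent to the client in the `identity.rs` hunk now comes from whatever is stored in the user's Duo settings rather than the server-wide `CONFIG.duo_host()`, and nothing visible in this hunk constrains its form. It would be worth confirming that the code which saves a user's Duo data validates the host (a bare hostname, no scheme or path), since the login client presumably uses this field to decide where to send the signed request; that save path is outside this patch. A comment at the `json!` call would record the coupling: `// host must come from the same Duo record as the keys that produced signature`. `_json_err_twofactor` starts before this hunk, so how `email` is obtained and what precedes this branch is not visible here.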