|  | @ -6,21 +6,18 @@ use ring::digest::{digest, Digest, SHA512_256}; | 
			
		
	
		
		
			
				
					|  |  | use serde::Serialize; |  |  | use serde::Serialize; | 
			
		
	
		
		
			
				
					|  |  | use std::collections::HashMap; |  |  | use std::collections::HashMap; | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  | use url::Url; |  |  |  | 
			
		
	
		
		
			
				
					|  |  | use crate::{ |  |  | use crate::{ | 
			
		
	
		
		
			
				
					|  |  |     api::{core::two_factor::duo::get_duo_keys_email, EmptyResult}, |  |  |     api::{core::two_factor::duo::get_duo_keys_email, EmptyResult}, | 
			
		
	
		
		
			
				
					|  |  |     crypto, |  |  |     crypto, | 
			
		
	
		
		
			
				
					
					|  |  |     db::{models::{ |  |  |     db::{ | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |             EventType, |  |  |         models::{EventType, TwoFactorDuoContext}, | 
			
				
				
			
		
	
		
		
			
				
					
					|  |  |             TwoFactorDuoContext, |  |  |         DbConn, DbPool, | 
			
				
				
			
		
	
		
		
			
				
					|  |  |         }, |  |  |  | 
			
		
	
		
		
			
				
					|  |  |          DbConn, |  |  |  | 
			
		
	
		
		
			
				
					|  |  |          DbPool, |  |  |  | 
			
		
	
		
		
	
		
		
	
		
		
	
		
		
			
				
					|  |  |     }, |  |  |     }, | 
			
		
	
		
		
			
				
					|  |  |     error::Error, |  |  |     error::Error, | 
			
		
	
		
		
			
				
					|  |  |     util::get_reqwest_client, |  |  |     util::get_reqwest_client, | 
			
		
	
		
		
			
				
					|  |  |     CONFIG, |  |  |     CONFIG, | 
			
		
	
		
		
			
				
					|  |  | }; |  |  | }; | 
			
		
	
		
		
			
				
					|  |  |  |  |  | use url::Url; | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  | // State length must be at least 16 characters and at most 1024 characters.
 |  |  | // State length must be at least 16 characters and at most 1024 characters.
 | 
			
		
	
		
		
			
				
					|  |  | const STATE_LENGTH: usize = 64; |  |  | const STATE_LENGTH: usize = 64; | 
			
		
	
	
		
		
			
				
					|  | @ -128,10 +125,9 @@ struct DuoClient { | 
			
		
	
		
		
			
				
					|  |  | } |  |  | } | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  | impl DuoClient { |  |  | impl DuoClient { | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  |  | 
			
		
	
		
		
			
				
					|  |  |     // Construct a new DuoClient
 |  |  |     // Construct a new DuoClient
 | 
			
		
	
		
		
			
				
					|  |  |     fn new(client_id: String, client_secret: String, api_host: String, redirect_uri: String) -> DuoClient { |  |  |     fn new(client_id: String, client_secret: String, api_host: String, redirect_uri: String) -> DuoClient { | 
			
		
	
		
		
			
				
					
					|  |  |         return DuoClient { |  |  |         DuoClient { | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					|  |  |             client_id, |  |  |             client_id, | 
			
		
	
		
		
			
				
					|  |  |             client_secret, |  |  |             client_secret, | 
			
		
	
		
		
			
				
					|  |  |             api_host, |  |  |             api_host, | 
			
		
	
	
		
		
			
				
					|  | @ -254,7 +250,7 @@ impl DuoClient { | 
			
		
	
		
		
			
				
					|  |  |         } |  |  |         } | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  |         let final_auth_url = auth_url.to_string(); |  |  |         let final_auth_url = auth_url.to_string(); | 
			
		
	
		
		
			
				
					
					|  |  |         return Ok(final_auth_url); |  |  |         Ok(final_auth_url) | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					|  |  |     } |  |  |     } | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  |     // Exchange the authorization code obtained from an access token provided by the user
 |  |  |     // Exchange the authorization code obtained from an access token provided by the user
 | 
			
		
	
	
		
		
			
				
					|  | @ -345,12 +341,12 @@ struct DuoAuthContext { | 
			
		
	
		
		
			
				
					|  |  | async fn extract_context(state: &str, conn: &mut DbConn) -> Option<DuoAuthContext> { |  |  | async fn extract_context(state: &str, conn: &mut DbConn) -> Option<DuoAuthContext> { | 
			
		
	
		
		
			
				
					|  |  |     let ctx: TwoFactorDuoContext = match TwoFactorDuoContext::find_by_state(state, conn).await { |  |  |     let ctx: TwoFactorDuoContext = match TwoFactorDuoContext::find_by_state(state, conn).await { | 
			
		
	
		
		
			
				
					|  |  |         Some(c) => c, |  |  |         Some(c) => c, | 
			
		
	
		
		
			
				
					
					|  |  |         None => return None |  |  |         None => return None, | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					|  |  |     }; |  |  |     }; | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  |     if ctx.exp < Utc::now().timestamp() { |  |  |     if ctx.exp < Utc::now().timestamp() { | 
			
		
	
		
		
			
				
					|  |  |         ctx.delete(conn).await.ok(); |  |  |         ctx.delete(conn).await.ok(); | 
			
		
	
		
		
			
				
					
					|  |  |         return None |  |  |         return None; | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					|  |  |     } |  |  |     } | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  |     // Copy the context data, so that we can delete the context from
 |  |  |     // Copy the context data, so that we can delete the context from
 | 
			
		
	
	
		
		
			
				
					|  | @ -363,7 +359,7 @@ async fn extract_context(state: &str, conn: &mut DbConn) -> Option<DuoAuthContex | 
			
		
	
		
		
			
				
					|  |  |     }; |  |  |     }; | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  |     ctx.delete(conn).await.ok(); |  |  |     ctx.delete(conn).await.ok(); | 
			
		
	
		
		
			
				
					
					|  |  |     return Some(ret_ctx) |  |  |     Some(ret_ctx) | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					|  |  | } |  |  | } | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  | // Task to clean up expired Duo authentication contexts that may have accumulated in the database.
 |  |  | // Task to clean up expired Duo authentication contexts that may have accumulated in the database.
 | 
			
		
	
	
		
		
			
				
					|  | @ -400,15 +396,17 @@ fn make_callback_url(client_name: &str) -> Result<String, Error> { | 
			
		
	
		
		
			
				
					|  |  |         let mut query_params = callback.query_pairs_mut(); |  |  |         let mut query_params = callback.query_pairs_mut(); | 
			
		
	
		
		
			
				
					|  |  |         query_params.append_pair("client", client_name); |  |  |         query_params.append_pair("client", client_name); | 
			
		
	
		
		
			
				
					|  |  |     } |  |  |     } | 
			
		
	
		
		
			
				
					
					|  |  |     return Ok(callback.to_string()); |  |  |     Ok(callback.to_string()) | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					|  |  | } |  |  | } | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  | // Pre-redirect first stage of the Duo WebSDKv4 authentication flow.
 |  |  | // Pre-redirect first stage of the Duo WebSDKv4 authentication flow.
 | 
			
		
	
		
		
			
				
					|  |  | // Returns the "AuthUrl" that should be returned to clients for MFA.
 |  |  | // Returns the "AuthUrl" that should be returned to clients for MFA.
 | 
			
		
	
		
		
			
				
					
					|  |  | pub async fn get_duo_auth_url(email: &str, |  |  | pub async fn get_duo_auth_url( | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					|  |  |  |  |  |     email: &str, | 
			
		
	
		
		
			
				
					|  |  |     client_id: &String, |  |  |     client_id: &String, | 
			
		
	
		
		
			
				
					|  |  |     device_identifier: &String, |  |  |     device_identifier: &String, | 
			
		
	
		
		
			
				
					
					|  |  |                               conn: &mut DbConn) -> Result<String, Error> { |  |  |     conn: &mut DbConn, | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					|  |  |  |  |  | ) -> Result<String, Error> { | 
			
		
	
		
		
			
				
					|  |  |     let (ik, sk, _, host) = get_duo_keys_email(email, conn).await?; |  |  |     let (ik, sk, _, host) = get_duo_keys_email(email, conn).await?; | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  |     let callback_url = match make_callback_url(client_id.as_str()) { |  |  |     let callback_url = match make_callback_url(client_id.as_str()) { | 
			
		
	
	
		
		
			
				
					|  | @ -434,7 +432,7 @@ pub async fn get_duo_auth_url(email: &str, | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
		
		
			
				
					|  |  |     match TwoFactorDuoContext::save(state.as_str(), email, nonce.as_str(), CTX_VALIDITY_SECS, conn).await { |  |  |     match TwoFactorDuoContext::save(state.as_str(), email, nonce.as_str(), CTX_VALIDITY_SECS, conn).await { | 
			
		
	
		
		
			
				
					|  |  |         Ok(()) => client.make_authz_req_url(email, state, hash), |  |  |         Ok(()) => client.make_authz_req_url(email, state, hash), | 
			
		
	
		
		
			
				
					
					|  |  |         Err(e) => err!(format!("Error saving Duo authentication context: {e:?}")) |  |  |         Err(e) => err!(format!("Error saving Duo authentication context: {e:?}")), | 
			
				
				
			
		
	
		
		
	
		
		
			
				
					|  |  |     } |  |  |     } | 
			
		
	
		
		
			
				
					|  |  | } |  |  | } | 
			
		
	
		
		
			
				
					|  |  | 
 |  |  | 
 | 
			
		
	
	
		
		
			
				
					|  | 
 |