From 253faaf02372ec0ce198e2ee480de4a59986d8a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garc=C3=ADa?=
 <dani-garcia@users.noreply.github.com>
Date: Mon, 15 Apr 2019 13:06:42 +0200
Subject: [PATCH] Use users duo host when required, instead of always using the
 global one

---
 src/api/core/two_factor.rs | 14 +++++++-------
 src/api/identity.rs        |  4 ++--
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/api/core/two_factor.rs b/src/api/core/two_factor.rs
index 635c74e..7cbec5d 100644
--- a/src/api/core/two_factor.rs
+++ b/src/api/core/two_factor.rs
@@ -936,25 +936,25 @@ fn get_user_duo_data(uuid: &str, conn: &DbConn) -> DuoStatus {
     DuoStatus::Disabled(false)
 }
 
-// let (ik, sk, ak) = get_duo_keys();
-fn get_duo_keys_email(email: &str, conn: &DbConn) -> ApiResult<(String, String, String)> {
+// let (ik, sk, ak, host) = get_duo_keys();
+fn get_duo_keys_email(email: &str, conn: &DbConn) -> ApiResult<(String, String, String, String)> {
     let data = User::find_by_mail(email, &conn)
         .and_then(|u| get_user_duo_data(&u.uuid, &conn).data())
         .or_else(|| DuoData::global())
         .map_res("Can't fetch Duo keys")?;
 
-    Ok((data.ik, data.sk, CONFIG.get_duo_akey()))
+    Ok((data.ik, data.sk, CONFIG.get_duo_akey(), data.host))
 }
 
-pub fn generate_duo_signature(email: &str, conn: &DbConn) -> ApiResult<String> {
+pub fn generate_duo_signature(email: &str, conn: &DbConn) -> ApiResult<(String, String)> {
     let now = Utc::now().timestamp();
 
-    let (ik, sk, ak) = get_duo_keys_email(email, conn)?;
+    let (ik, sk, ak, host) = get_duo_keys_email(email, conn)?;
 
     let duo_sign = sign_duo_values(&sk, email, &ik, DUO_PREFIX, now + DUO_EXPIRE);
     let app_sign = sign_duo_values(&ak, email, &ik, APP_PREFIX, now + APP_EXPIRE);
 
-    Ok(format!("{}:{}", duo_sign, app_sign))
+    Ok((format!("{}:{}", duo_sign, app_sign), host))
 }
 
 fn sign_duo_values(key: &str, email: &str, ikey: &str, prefix: &str, expire: i64) -> String {
@@ -975,7 +975,7 @@ pub fn validate_duo_login(email: &str, response: &str, conn: &DbConn) -> EmptyRe
 
     let now = Utc::now().timestamp();
 
-    let (ik, sk, ak) = get_duo_keys_email(email, conn)?;
+    let (ik, sk, ak, _host) = get_duo_keys_email(email, conn)?;
 
     let auth_user = parse_duo_values(&sk, auth_sig, &ik, AUTH_PREFIX, now)?;
     let app_user = parse_duo_values(&ak, app_sig, &ik, APP_PREFIX, now)?;
diff --git a/src/api/identity.rs b/src/api/identity.rs
index 3e7b526..0645dad 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -248,10 +248,10 @@ fn _json_err_twofactor(providers: &[i32], user_uuid: &str, conn: &DbConn) -> Api
                     None => err!("User does not exist"),
                 };
 
-                let signature = two_factor::generate_duo_signature(&email, conn)?;
+                let (signature, host) = two_factor::generate_duo_signature(&email, conn)?;
 
                 result["TwoFactorProviders2"][provider.to_string()] = json!({
-                    "Host": CONFIG.duo_host(),
+                    "Host": host,
                     "Signature": signature,
                 });
             }