duo_universal_atlassian's Introduction

Deprecation Notice

This repository is deprecated by Duo Security, since Atlassian has ended support for the on-premises Jira and Confluence Server products. The repository will remain public and visible, and integrations built using this repository's code will continue to work. You can also continue to fork, clone, or pull from this repository.

However, Duo will not provide any further releases or enhancements.

For cloud-based Atlassian products, Duo recommends its SSO solution for multifactor authentication.

Duo Atlassian Plugin

Overview

Duo two-factor authentication plugin for Jira and Confluence with Duo Universal Prompt .

Compatibility Notes

Certain Confluence plugin combinations can result in Jackson dependency conflicts with the duo_universal_atlassian plugin. Please use this modified release if you encounter jar dependency errors in Confluence.
Confluence 7.14.1 and later include a significantly different and minimal web.xml file. For these versions, you can insert the Duo <filter> and <filter-mapping> sections anywhere within the main web-app block.

Usage

Installation documents:

Confluence: https://duo.com/docs/confluence
Jira: https://duo.com/docs/jira

TLS 1.2 and 1.3 Support

Duo_universal_atlassian uses the Java cryptography libraries for TLS operations. Both TLS 1.2 and 1.3 are supported by Java 8 and later versions.

Development Prerequisites

The following are steps for the open source community to build and contribute to this plugin.

Install the Atlassian SDK
A working Java environment (Tested with Java 8)
The Duo Universal Prompt repository for the Java language duo_universal_java

Development Installation

Inside of duo_universal_java run atlas-mvn clean install
Inside of duo_atlassian_plugin run atlas-mvn package
For Jira Development
- Copy duo_seraph_filter/target/duo-filter-$VERSION-jar-with-dependencies.jar to $JIRA_DIR/atlassian-jira/WEB-INF/lib/
- Restart Jira sudo /etc/init.d/jira stop ; sudo /etc/init.d/jira start
For Confluence Development
- Copy duo_seraph_filter/target/duo-filter-$VERSION-jar-with-dependencies.jar to $CONFLUENCE_DIR/confluence/WEB-INF/lib/
- Restart Confluence sudo /etc/init.d/confluence stop ; sudo /etc/init.d/confluence start

Automated Testing

From inside of duo_atlassian_plugin run:

atlas-mvn test

Linting

From inside of duo_atlassian_plugin run:

atlas-mvn checkstyle:check

Support

Please report any bugs, feature requests, or issues to us directly at [email protected].

Have fun!

http://www.duosecurity.com/

duo_universal_atlassian's People

Contributors

Stargazers

Watchers

duo_universal_atlassian's Issues

Provide IP whitelisting option for application link support

Now that duosecurity/duo_confluence#7 is closed due to the repo being deprecated, let's continue this issue here.

I don't expect this to be ever resolved due to DUO apparently not caring enough about paying customers, considering that a solution for this issue has been presented almost 4 years ago and being rejected with

Every hole we purposely make in the plugin creates that much more of a vulnerability.

while at the same time suggesting to

bypass[es] Duo for all listed endpoints

in the official support article https://help.duo.com/s/article/1364, without the option of restricting that to IPs.

This is a crucial requirement to be able to use application links between applications securely without exposing endpoints without DUO to all other clients.

Constantly (well, often) loosing data

Out company setup Duo with confluence server. Now, I'll have a document in process, and Duo will somehow decide it needs to 'updated' -- it does not even require me to login (I'll have already done that today), but when it does this, I loose all of my content in progress. There is no way to recover it!!

I've never lost content with Confluence before.. Is this a known issue? Is this a possible configuration issue? Is there a fix?????

Upgrade duo_universal_sdk to latest release

duo_seraph_filter/pom.xml includes duo_universal_sdk version 1.0.3 as a dependency. This version is quite out of date, and hosts some security vulnerabilities that I patched in a recent PR. We should bump duo_universal_sdk to the latest release; this is currently 1.1.3, though I'd suggest releasing 1.1.4 soon, given that 1.1.3 still contains security vulnerabilities.

Recommend Projects

duosecurity / duo_universal_atlassian Goto Github PK