2015-07-27 18:23:34 +00:00
|
|
|
package duo
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"net/url"
|
|
|
|
|
|
|
|
"github.com/duosecurity/duo_api_golang/authapi"
|
|
|
|
"github.com/hashicorp/vault/logical"
|
|
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
|
|
)
|
|
|
|
|
|
|
|
func DuoPaths() []*framework.Path {
|
|
|
|
return []*framework.Path{
|
|
|
|
pathDuoConfig(),
|
|
|
|
pathDuoAccess(),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func DuoPathsSpecial() []string {
|
|
|
|
return []string {
|
|
|
|
"duo/access",
|
|
|
|
"duo/config",
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func DuoHandler(req *logical.Request, d *framework.FieldData, resp *logical.Response) (
|
|
|
|
*logical.Response, error) {
|
2015-07-28 01:05:06 +00:00
|
|
|
duoConfig, err := GetDuoConfig(req)
|
|
|
|
if err != nil || duoConfig == nil {
|
2015-07-27 18:23:34 +00:00
|
|
|
return logical.ErrorResponse("Could not load Duo configuration"), nil
|
|
|
|
}
|
|
|
|
|
2015-07-28 01:05:06 +00:00
|
|
|
duoAuthClient, err := GetDuoAuthClient(req, duoConfig)
|
2015-07-27 18:23:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return logical.ErrorResponse(err.Error()), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
username, ok := resp.Auth.Metadata["username"]
|
|
|
|
if !ok {
|
|
|
|
return logical.ErrorResponse("Could not read username for MFA"), nil
|
|
|
|
}
|
|
|
|
|
2015-07-28 01:05:06 +00:00
|
|
|
method := d.Get("method").(string)
|
|
|
|
passcode := d.Get("passcode").(string)
|
|
|
|
|
|
|
|
return duoHandler(duoConfig, duoAuthClient, resp,
|
|
|
|
username, method, passcode, req.Connection.RemoteAddr)
|
|
|
|
}
|
|
|
|
|
|
|
|
func duoHandler(
|
|
|
|
duoConfig *DuoConfig, duoAuthClient AuthClient, successResp *logical.Response,
|
|
|
|
username string, method string, passcode string, ipAddr string) (*logical.Response, error) {
|
2015-07-27 18:23:34 +00:00
|
|
|
|
2015-07-28 01:05:06 +00:00
|
|
|
duoUser := fmt.Sprintf(duoConfig.UsernameFormat, username)
|
|
|
|
|
|
|
|
preauth, err := duoAuthClient.Preauth(
|
|
|
|
authapi.PreauthUsername(duoUser),
|
|
|
|
authapi.PreauthIpAddr(ipAddr),
|
2015-07-27 18:23:34 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
if preauth.StatResult.Stat != "OK" {
|
2015-07-28 03:38:49 +00:00
|
|
|
errorMsg := "Could not look up Duo user information"
|
|
|
|
if preauth.StatResult.Message != nil {
|
|
|
|
errorMsg = errorMsg + ": " + *preauth.StatResult.Message
|
|
|
|
}
|
|
|
|
if preauth.StatResult.Message_Detail != nil {
|
|
|
|
errorMsg = errorMsg + " (" + *preauth.StatResult.Message_Detail + ")"
|
|
|
|
}
|
|
|
|
return logical.ErrorResponse(errorMsg), nil
|
2015-07-27 18:23:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
switch preauth.Response.Result {
|
|
|
|
case "allow":
|
2015-07-28 01:05:06 +00:00
|
|
|
return successResp, err
|
2015-07-27 18:23:34 +00:00
|
|
|
case "deny":
|
|
|
|
return logical.ErrorResponse(preauth.Response.Status_Msg), nil
|
|
|
|
case "enroll":
|
2015-07-28 04:12:11 +00:00
|
|
|
return logical.ErrorResponse(fmt.Sprintf("%s (%s)",
|
|
|
|
preauth.Response.Status_Msg,
|
|
|
|
preauth.Response.Enroll_Portal_Url)), nil
|
2015-07-27 18:23:34 +00:00
|
|
|
case "auth":
|
|
|
|
break
|
|
|
|
}
|
|
|
|
|
2015-07-28 01:05:06 +00:00
|
|
|
options := []func(*url.Values){authapi.AuthUsername(duoUser)}
|
2015-07-27 18:23:34 +00:00
|
|
|
if method == "" {
|
|
|
|
method = "auto"
|
|
|
|
}
|
|
|
|
if passcode != "" {
|
|
|
|
method = "passcode"
|
|
|
|
options = append(options, authapi.AuthPasscode(passcode))
|
|
|
|
} else {
|
|
|
|
options = append(options, authapi.AuthDevice("auto"))
|
|
|
|
}
|
|
|
|
|
2015-07-28 01:05:06 +00:00
|
|
|
result, err := duoAuthClient.Auth(method, options...)
|
2015-07-27 18:23:34 +00:00
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return logical.ErrorResponse("Could not call Duo auth"), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if result.StatResult.Stat != "OK" {
|
2015-07-28 03:38:49 +00:00
|
|
|
errorMsg := "Could not authenticate Duo user"
|
|
|
|
if result.StatResult.Message != nil {
|
|
|
|
errorMsg = errorMsg + ": " + *result.StatResult.Message
|
|
|
|
}
|
|
|
|
if result.StatResult.Message_Detail != nil {
|
|
|
|
errorMsg = errorMsg + " (" + *result.StatResult.Message_Detail + ")"
|
|
|
|
}
|
|
|
|
return logical.ErrorResponse(errorMsg), nil
|
2015-07-27 18:23:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if result.Response.Result != "allow" {
|
|
|
|
return logical.ErrorResponse(result.Response.Status_Msg), nil
|
|
|
|
}
|
|
|
|
|
2015-07-28 01:05:06 +00:00
|
|
|
return successResp, err
|
2015-07-27 18:23:34 +00:00
|
|
|
}
|