open-vault/helper/mfa/duo/duo.go

119 lines
3 KiB
Go
Raw Normal View History

package duo
import (
"fmt"
"net/url"
"github.com/duosecurity/duo_api_golang/authapi"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)
func DuoPaths() []*framework.Path {
return []*framework.Path{
pathDuoConfig(),
pathDuoAccess(),
}
}
func DuoPathsSpecial() []string {
return []string {
"duo/access",
"duo/config",
}
}
func DuoHandler(req *logical.Request, d *framework.FieldData, resp *logical.Response) (
*logical.Response, error) {
2015-07-28 01:05:06 +00:00
duoConfig, err := GetDuoConfig(req)
if err != nil || duoConfig == nil {
return logical.ErrorResponse("Could not load Duo configuration"), nil
}
2015-07-28 01:05:06 +00:00
duoAuthClient, err := GetDuoAuthClient(req, duoConfig)
if err != nil {
return logical.ErrorResponse(err.Error()), nil
}
username, ok := resp.Auth.Metadata["username"]
if !ok {
return logical.ErrorResponse("Could not read username for MFA"), nil
}
2015-07-28 01:05:06 +00:00
method := d.Get("method").(string)
passcode := d.Get("passcode").(string)
return duoHandler(duoConfig, duoAuthClient, resp,
username, method, passcode, req.Connection.RemoteAddr)
}
func duoHandler(
duoConfig *DuoConfig, duoAuthClient AuthClient, successResp *logical.Response,
username string, method string, passcode string, ipAddr string) (*logical.Response, error) {
2015-07-28 01:05:06 +00:00
duoUser := fmt.Sprintf(duoConfig.UsernameFormat, username)
preauth, err := duoAuthClient.Preauth(
authapi.PreauthUsername(duoUser),
authapi.PreauthIpAddr(ipAddr),
)
if preauth.StatResult.Stat != "OK" {
2015-07-28 03:38:49 +00:00
errorMsg := "Could not look up Duo user information"
if preauth.StatResult.Message != nil {
errorMsg = errorMsg + ": " + *preauth.StatResult.Message
}
if preauth.StatResult.Message_Detail != nil {
errorMsg = errorMsg + " (" + *preauth.StatResult.Message_Detail + ")"
}
return logical.ErrorResponse(errorMsg), nil
}
switch preauth.Response.Result {
case "allow":
2015-07-28 01:05:06 +00:00
return successResp, err
case "deny":
return logical.ErrorResponse(preauth.Response.Status_Msg), nil
case "enroll":
return logical.ErrorResponse(fmt.Sprintf("%s (%s)",
preauth.Response.Status_Msg,
preauth.Response.Enroll_Portal_Url)), nil
case "auth":
break
}
2015-07-28 01:05:06 +00:00
options := []func(*url.Values){authapi.AuthUsername(duoUser)}
if method == "" {
method = "auto"
}
if passcode != "" {
method = "passcode"
options = append(options, authapi.AuthPasscode(passcode))
} else {
options = append(options, authapi.AuthDevice("auto"))
}
2015-07-28 01:05:06 +00:00
result, err := duoAuthClient.Auth(method, options...)
if err != nil {
return logical.ErrorResponse("Could not call Duo auth"), nil
}
if result.StatResult.Stat != "OK" {
2015-07-28 03:38:49 +00:00
errorMsg := "Could not authenticate Duo user"
if result.StatResult.Message != nil {
errorMsg = errorMsg + ": " + *result.StatResult.Message
}
if result.StatResult.Message_Detail != nil {
errorMsg = errorMsg + " (" + *result.StatResult.Message_Detail + ")"
}
return logical.ErrorResponse(errorMsg), nil
}
if result.Response.Result != "allow" {
return logical.ErrorResponse(result.Response.Status_Msg), nil
}
2015-07-28 01:05:06 +00:00
return successResp, err
}