open-vault/helper/mfa/duo/duo.go

// Package duo provides a Duo MFA handler to authenticate users
// with Duo. This handler is registered as the "duo" type in
// mfa_config.
package duo

import (
	"context"
	"fmt"
	"net/url"

	"github.com/duosecurity/duo_api_golang/authapi"
	"github.com/hashicorp/vault/logical"
	"github.com/hashicorp/vault/logical/framework"
)

// DuoPaths returns path functions to configure Duo.
func DuoPaths() []*framework.Path {
	return []*framework.Path{
		pathDuoConfig(),
		pathDuoAccess(),
	}
}

// DuoRootPaths returns the paths that are used to configure Duo.
func DuoRootPaths() []string {
	return []string{
		"duo/access",
		"duo/config",
	}
}

// DuoHandler interacts with the Duo Auth API to authenticate a user
// login request. If successful, the original response from the login
// backend is returned.
func DuoHandler(ctx context.Context, req *logical.Request, d *framework.FieldData, resp *logical.Response) (
	*logical.Response, error) {
	duoConfig, err := GetDuoConfig(ctx, req)
	if err != nil || duoConfig == nil {
		return logical.ErrorResponse("Could not load Duo configuration"), nil
	}

	duoAuthClient, err := GetDuoAuthClient(ctx, req, duoConfig)
	if err != nil {
		return logical.ErrorResponse(err.Error()), nil
	}

	username, ok := resp.Auth.Metadata["username"]
	if !ok {
		return logical.ErrorResponse("Could not read username for MFA"), nil
	}

	var request *duoAuthRequest = &duoAuthRequest{}
	request.successResp = resp
	request.username = username
	request.method = d.Get("method").(string)
	request.passcode = d.Get("passcode").(string)
	request.ipAddr = req.Connection.RemoteAddr

	return duoHandler(duoConfig, duoAuthClient, request)
}

type duoAuthRequest struct {
	successResp *logical.Response
	username    string
	method      string
	passcode    string
	ipAddr      string
}

func duoHandler(duoConfig *DuoConfig, duoAuthClient AuthClient, request *duoAuthRequest) (
	*logical.Response, error) {

	duoUser := fmt.Sprintf(duoConfig.UsernameFormat, request.username)

	preauth, err := duoAuthClient.Preauth(
		authapi.PreauthUsername(duoUser),
		authapi.PreauthIpAddr(request.ipAddr),
	)

	if err != nil || preauth == nil {
		return logical.ErrorResponse("Could not call Duo preauth"), nil
	}

	if preauth.StatResult.Stat != "OK" {
		errorMsg := "Could not look up Duo user information"
		if preauth.StatResult.Message != nil {
			errorMsg = errorMsg + ": " + *preauth.StatResult.Message
		}
		if preauth.StatResult.Message_Detail != nil {
			errorMsg = errorMsg + " (" + *preauth.StatResult.Message_Detail + ")"
		}
		return logical.ErrorResponse(errorMsg), nil
	}

	switch preauth.Response.Result {
	case "allow":
		return request.successResp, err
	case "deny":
		return logical.ErrorResponse(preauth.Response.Status_Msg), nil
	case "enroll":
		return logical.ErrorResponse(fmt.Sprintf("%s (%s)",
			preauth.Response.Status_Msg,
			preauth.Response.Enroll_Portal_Url)), nil
	case "auth":
		break
	default:
		return logical.ErrorResponse(fmt.Sprintf("Invalid Duo preauth response: %s",
			preauth.Response.Result)), nil
	}

	options := []func(*url.Values){authapi.AuthUsername(duoUser)}
	if request.method == "" {
		request.method = "auto"
	}
	if request.method == "auto" || request.method == "push" {
		if duoConfig.PushInfo != "" {
			options = append(options, authapi.AuthPushinfo(duoConfig.PushInfo))
		}
	}
	if request.passcode != "" {
		request.method = "passcode"
		options = append(options, authapi.AuthPasscode(request.passcode))
	} else {
		options = append(options, authapi.AuthDevice("auto"))
	}

	result, err := duoAuthClient.Auth(request.method, options...)

	if err != nil || result == nil {
		return logical.ErrorResponse("Could not call Duo auth"), nil
	}

	if result.StatResult.Stat != "OK" {
		errorMsg := "Could not authenticate Duo user"
		if result.StatResult.Message != nil {
			errorMsg = errorMsg + ": " + *result.StatResult.Message
		}
		if result.StatResult.Message_Detail != nil {
			errorMsg = errorMsg + " (" + *result.StatResult.Message_Detail + ")"
		}
		return logical.ErrorResponse(errorMsg), nil
	}

	if result.Response.Result != "allow" {
		return logical.ErrorResponse(result.Response.Status_Msg), nil
	}

	return request.successResp, nil
}
Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// Package duo provides a Duo MFA handler to authenticate users`
			`// with Duo. This handler is registered as the "duo" type in`
			`// mfa_config.`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`package duo`

			`import (`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`"context"`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`"fmt"`
			`"net/url"`

			`"github.com/duosecurity/duo_api_golang/authapi"`
			`"github.com/hashicorp/vault/logical"`
			`"github.com/hashicorp/vault/logical/framework"`
			`)`

Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// DuoPaths returns path functions to configure Duo.`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`func DuoPaths() []*framework.Path {`
			`return []*framework.Path{`
			`pathDuoConfig(),`
			`pathDuoAccess(),`
			`}`
			`}`

Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// DuoRootPaths returns the paths that are used to configure Duo.`
			`func DuoRootPaths() []string {`
gofmt 2016-08-19 20:48:32 +00:00			`return []string{`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`"duo/access",`
			`"duo/config",`
			`}`
			`}`

Clean up naming and add documentation 2015-07-31 00:16:53 +00:00			`// DuoHandler interacts with the Duo Auth API to authenticate a user`
			`// login request. If successful, the original response from the login`
			`// backend is returned.`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func DuoHandler(ctx context.Context, req logical.Request, d framework.FieldData, resp *logical.Response) (`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`*logical.Response, error) {`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`duoConfig, err := GetDuoConfig(ctx, req)`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`if err != nil \|\| duoConfig == nil {`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`return logical.ErrorResponse("Could not load Duo configuration"), nil`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`duoAuthClient, err := GetDuoAuthClient(ctx, req, duoConfig)`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`if err != nil {`
			`return logical.ErrorResponse(err.Error()), nil`
			`}`

			`username, ok := resp.Auth.Metadata["username"]`
			`if !ok {`
			`return logical.ErrorResponse("Could not read username for MFA"), nil`
			`}`

mfa: code cleanup 2015-07-28 18:55:46 +00:00			`var request *duoAuthRequest = &duoAuthRequest{}`
			`request.successResp = resp`
			`request.username = username`
			`request.method = d.Get("method").(string)`
			`request.passcode = d.Get("passcode").(string)`
			`request.ipAddr = req.Connection.RemoteAddr`

			`return duoHandler(duoConfig, duoAuthClient, request)`
			`}`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00
mfa: code cleanup 2015-07-28 18:55:46 +00:00			`type duoAuthRequest struct {`
			`successResp *logical.Response`
gofmt 2016-08-19 20:48:32 +00:00			`username string`
			`method string`
			`passcode string`
			`ipAddr string`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`}`

mfa: code cleanup 2015-07-28 18:55:46 +00:00			`func duoHandler(duoConfig DuoConfig, duoAuthClient AuthClient, request duoAuthRequest) (`
			`*logical.Response, error) {`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00
mfa: code cleanup 2015-07-28 18:55:46 +00:00			`duoUser := fmt.Sprintf(duoConfig.UsernameFormat, request.username)`
mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00
			`preauth, err := duoAuthClient.Preauth(`
			`authapi.PreauthUsername(duoUser),`
mfa: code cleanup 2015-07-28 18:55:46 +00:00			`authapi.PreauthIpAddr(request.ipAddr),`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`)`

mfa: code cleanup 2015-07-28 18:55:46 +00:00			`if err != nil \|\| preauth == nil {`
			`return logical.ErrorResponse("Could not call Duo preauth"), nil`
			`}`

mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`if preauth.StatResult.Stat != "OK" {`
mfa duo: better error messages 2015-07-28 03:38:49 +00:00			`errorMsg := "Could not look up Duo user information"`
			`if preauth.StatResult.Message != nil {`
			`errorMsg = errorMsg + ": " + *preauth.StatResult.Message`
			`}`
			`if preauth.StatResult.Message_Detail != nil {`
			`errorMsg = errorMsg + " (" + *preauth.StatResult.Message_Detail + ")"`
			`}`
			`return logical.ErrorResponse(errorMsg), nil`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`}`

			`switch preauth.Response.Result {`
			`case "allow":`
mfa: code cleanup 2015-07-28 18:55:46 +00:00			`return request.successResp, err`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`case "deny":`
			`return logical.ErrorResponse(preauth.Response.Status_Msg), nil`
			`case "enroll":`
mfa: improve edge cases and documentation 2015-07-28 04:12:11 +00:00			`return logical.ErrorResponse(fmt.Sprintf("%s (%s)",`
			`preauth.Response.Status_Msg,`
			`preauth.Response.Enroll_Portal_Url)), nil`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`case "auth":`
			`break`
mfa: code cleanup 2015-07-28 18:55:46 +00:00			`default:`
			`return logical.ErrorResponse(fmt.Sprintf("Invalid Duo preauth response: %s",`
			`preauth.Response.Result)), nil`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`}`

mfa: add test cases for MFA, Duo 2015-07-28 01:05:06 +00:00			`options := []func(*url.Values){authapi.AuthUsername(duoUser)}`
mfa: code cleanup 2015-07-28 18:55:46 +00:00			`if request.method == "" {`
			`request.method = "auto"`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`}`
Add Duo pushinfo capabilities (#2118) 2016-12-19 20:37:44 +00:00			`if request.method == "auto" \|\| request.method == "push" {`
			`if duoConfig.PushInfo != "" {`
			`options = append(options, authapi.AuthPushinfo(duoConfig.PushInfo))`
			`}`
			`}`
mfa: code cleanup 2015-07-28 18:55:46 +00:00			`if request.passcode != "" {`
			`request.method = "passcode"`
			`options = append(options, authapi.AuthPasscode(request.passcode))`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`} else {`
			`options = append(options, authapi.AuthDevice("auto"))`
			`}`

mfa: code cleanup 2015-07-28 18:55:46 +00:00			`result, err := duoAuthClient.Auth(request.method, options...)`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00
mfa: code cleanup 2015-07-28 18:55:46 +00:00			`if err != nil \|\| result == nil {`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`return logical.ErrorResponse("Could not call Duo auth"), nil`
			`}`

			`if result.StatResult.Stat != "OK" {`
mfa duo: better error messages 2015-07-28 03:38:49 +00:00			`errorMsg := "Could not authenticate Duo user"`
			`if result.StatResult.Message != nil {`
			`errorMsg = errorMsg + ": " + *result.StatResult.Message`
			`}`
			`if result.StatResult.Message_Detail != nil {`
			`errorMsg = errorMsg + " (" + *result.StatResult.Message_Detail + ")"`
			`}`
			`return logical.ErrorResponse(errorMsg), nil`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`}`

			`if result.Response.Result != "allow" {`
			`return logical.ErrorResponse(result.Response.Status_Msg), nil`
			`}`

mfa: code cleanup 2015-07-28 18:55:46 +00:00			`return request.successResp, nil`
mfa: add MFA wrapper with Duo second factor 2015-07-27 18:23:34 +00:00			`}`