1c190d4bda
* Start work on passing context to backends * More work on passing context * Unindent logical system * Unindent token store * Unindent passthrough * Unindent cubbyhole * Fix tests * use requestContext in rollback and expiration managers
110 lines
2.7 KiB
Go
110 lines
2.7 KiB
Go
package duo
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/url"
|
|
|
|
"github.com/duosecurity/duo_api_golang"
|
|
"github.com/duosecurity/duo_api_golang/authapi"
|
|
"github.com/hashicorp/vault/logical"
|
|
"github.com/hashicorp/vault/logical/framework"
|
|
)
|
|
|
|
type AuthClient interface {
|
|
Preauth(options ...func(*url.Values)) (*authapi.PreauthResult, error)
|
|
Auth(factor string, options ...func(*url.Values)) (*authapi.AuthResult, error)
|
|
}
|
|
|
|
func pathDuoAccess() *framework.Path {
|
|
return &framework.Path{
|
|
Pattern: `duo/access`,
|
|
Fields: map[string]*framework.FieldSchema{
|
|
"skey": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: "Duo secret key",
|
|
},
|
|
"ikey": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: "Duo integration key",
|
|
},
|
|
"host": &framework.FieldSchema{
|
|
Type: framework.TypeString,
|
|
Description: "Duo api host",
|
|
},
|
|
},
|
|
|
|
Callbacks: map[logical.Operation]framework.OperationFunc{
|
|
logical.UpdateOperation: pathDuoAccessWrite,
|
|
},
|
|
|
|
HelpSynopsis: pathDuoAccessHelpSyn,
|
|
HelpDescription: pathDuoAccessHelpDesc,
|
|
}
|
|
}
|
|
|
|
func GetDuoAuthClient(req *logical.Request, config *DuoConfig) (AuthClient, error) {
|
|
entry, err := req.Storage.Get("duo/access")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if entry == nil {
|
|
return nil, fmt.Errorf(
|
|
"Duo access credentials haven't been configured. Please configure\n" +
|
|
"them at the 'duo/access' endpoint")
|
|
}
|
|
var access DuoAccess
|
|
if err := entry.DecodeJSON(&access); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
duoClient := duoapi.NewDuoApi(
|
|
access.IKey,
|
|
access.SKey,
|
|
access.Host,
|
|
config.UserAgent,
|
|
)
|
|
duoAuthClient := authapi.NewAuthApi(*duoClient)
|
|
check, err := duoAuthClient.Check()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if check.StatResult.Stat != "OK" {
|
|
return nil, fmt.Errorf("Could not connect to Duo: %s (%s)", *check.StatResult.Message, *check.StatResult.Message_Detail)
|
|
}
|
|
return duoAuthClient, nil
|
|
}
|
|
|
|
func pathDuoAccessWrite(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
|
|
entry, err := logical.StorageEntryJSON("duo/access", DuoAccess{
|
|
SKey: d.Get("skey").(string),
|
|
IKey: d.Get("ikey").(string),
|
|
Host: d.Get("host").(string),
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if err := req.Storage.Put(entry); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return nil, nil
|
|
}
|
|
|
|
type DuoAccess struct {
|
|
SKey string `json:"skey"`
|
|
IKey string `json:"ikey"`
|
|
Host string `json:"host"`
|
|
}
|
|
|
|
const pathDuoAccessHelpSyn = `
|
|
Configure the access keys and host for Duo API connections.
|
|
`
|
|
|
|
const pathDuoAccessHelpDesc = `
|
|
To authenticate users with Duo, the backend needs to know what host to connect to
|
|
and must authenticate with an integration key and secret key. This endpoint is used
|
|
to configure that information.
|
|
`
|