def connect(self, params={}):
self.logger.info("Connect: Connecting..")
self.auth_api = duo_client.Auth(
ikey=params.get(Input.INTEGRATION_KEY).get('secretKey'),
skey=params.get(Input.SECRET_KEY).get('secretKey'),
host=params.get(Input.HOSTNAME))
def main():
parser = argparse.ArgumentParser(
description="Check Authentication Params to DUO.")
parser.add_argument("--ikey", help="Integration Key")
parser.add_argument("host", help="API Hostname [api-xx.duosecurity.com]")
parser.add_argument("--method", help="API Method")
parser.add_argument("--user", nargs='+', help="Username")
parser.add_argument("--factor", help="2FA Factor [push, sms, phone]")
pargs = parser.parse_args()
skey = getpass.getpass("API Secret key:")
auth_api = duo_client.Auth(pargs.ikey, skey, pargs.host)
if not pargs.factor and "check" not in pargs.method:
raise RuntimeError('Must provide factor')
elif 'check' in pargs.method:
check_auth(auth_api)
elif 'auth' in pargs.method:
duo_auth(pargs, auth_api)
elif 'preauth' in pargs.method:
preauth(pargs, auth_api)
elif 'stat' in pargs.method:
auth_stat(pargs, auth_api)
else:
raise RuntimeError('Invalid Method')
def two_factor(username):
# if Duo is not configured, return success
if not get_config_item('duo_api_host') or \
not get_config_item('duo_ikey') or \
not get_config_item('duo_skey'):
logger.info("Duo not configured")
return True
auth_api = duo_client.Auth(
ikey=get_config_item('duo_ikey'),
skey=get_config_item('duo_skey'),
host=get_config_item('duo_api_host')
)
response = auth_api.auth('push',
username=username,
device='auto',
async=False)
# success returns:
# {u'status': u'allow', u'status_msg': u'Success. Logging you in...', u'result': u'allow'}
# deny returns:
# {u'status': u'deny', u'status_msg': u'Login request denied.', u'result': u'deny'}
if response and response['result'] == 'allow':
return True
logger.info("Duo failed")
return False
def _get_duo_api_client(api_host,
skey="",
ikey="",
ca_path="",
timeout=DEFAULT_TIMEOUT,
http_proxy=None):
"""
Build a Duo api client to be used for connectivity checks
Args:
api_host (str): a Duo host
skey (str): a Duo skey
ikey (str): a Duo ikey
ca_path (str): path to ca certs
timeout (float): desired timeout, in seconds, of any api calls
Returns:
duo_client.Auth: duo api client
"""
user_agent = "duoauthproxy connectivity tool/{0}; ({1})".format(
duoauthproxy.__version__, platform.platform())
client = duo_client.Auth(ikey,
skey,
api_host,
user_agent=user_agent,
ca_certs=ca_path,
timeout=timeout)
if http_proxy:
proxy_host, proxy_port = http_proxy
client.set_proxy(proxy_host, proxy_port)
return client
def connect(self, params={}):
self.logger.info("Connect: Connecting..")
self.auth_api = duo_client.Auth(
ikey=params.get('integration_key').get('secretKey'),
skey=params.get('secret_key').get('secretKey'),
host=params.get('hostname')
)
def duo_auth_check(integration_key: str, secret_key: str, host: str) -> dict:
"""
Calls the Duo auth check api
:param integration_key: The Duo integration key
:type integration_key: str
:param secret_key: The Duo secret key
:type secret_key: str
:param host: The Duo host
:type host: str
:return: The check with the error details or the time
:rtype: dict
"""
try:
auth_api = duo_client.Auth(
ikey=integration_key,
skey=secret_key,
host=host,
)
if settings.DUO_PROXY_TYPE:
auth_api.set_proxy(
host=settings.DUO_PROXY_HOST,
port=settings.DUO_PROXY_PORT,
headers=settings.DUO_PROXY_HEADERS,
proxy_type=settings.DUO_PROXY_TYPE
)
check = auth_api.check()
except gaierror:
return {
'error': 'Host incorrect: Could not be found'
}
except SSLError:
return {
'error': 'Host incorrect: SSL Certificate Error'
}
except RuntimeError as e:
if 'Invalid integration key' in str(e):
return {
'error': 'Invalid integration key'
}
if 'Invalid signature' in str(e):
return {
'error': 'Invalid secret key'
}
return {
'error': str(e)
}
except Exception as e:
logger.error(e)
return {
'error': 'Duo offline. Try again later.'
}
return check
def __init__(self, config):
super(AuthAction, self).__init__(config)
try:
ikey = self.config['auth']['ikey']
skey = self.config['auth']['skey']
host = self.config['auth']['host']
except KeyError:
raise ValueError("Duo config not found in config.")
self.duo_auth = duo_client.Auth(ikey=ikey, skey=skey, host=host)
def __init__(self, config):
super(AuthBaseAction, self).__init__(config)
try:
_host = self.config['auth_host']
_ikey = self.config['auth_ikey']
_skey = self.config['auth_skey']
except KeyError:
raise ValueError("Duo config not found in config.")
self.duo_auth = duo_client.Auth(ikey=_ikey, skey=_skey, host=_host)
def duo_auth_enroll(integration_key: str, secret_key: str, host: str,
username: str) -> dict:
"""
Anonymous enrollment of a new device
:param integration_key: The Duo integration key
:type integration_key: str
:param secret_key: The Duo secret key
:type secret_key: str
:param host: The Duo host
:type host: str
:param username: The Duo host
:type username: str
:return: The check with the error details or the time
:rtype: dict
"""
try:
auth_api = duo_client.Auth(
ikey=integration_key,
skey=secret_key,
host=host,
)
pre_auth = auth_api.preauth(username=username)
if pre_auth['result'] == 'deny':
return {'error': 'User denied by DUO'}
enrollment = {} # type: Dict
if pre_auth['result'] == 'enroll':
enrollment = auth_api.enroll(username=username)
except gaierror:
return {'error': 'Host incorrect: Could not be found'}
except SSLError:
return {'error': 'Host incorrect: SSL Certificate Error'}
except RuntimeError as e:
if 'Invalid integration key' in str(e):
return {'error': 'Invalid integration key'}
if 'Invalid signature' in str(e):
return {'error': 'Invalid secret key'}
if 'username already exists' in str(e):
return {'error': 'Username already exists in Duo.'}
return {'error': str(e)}
except Exception as e:
logger.error(e)
return {'error': 'Duo offline. Try again later.'}
return enrollment
def authenticate_intent():
try:
auth_client = duo_client.Auth(
ikey='DI2915C2QQOW6T1TAOBU',
skey='QsufyeqbDYdI5Sh4EMkroCorfcANCMMoF3E5F10l',
host="api-53df2292.duosecurity.com",
)
status = auth_client.auth(device="auto",
factor="push",
username="******")
return status['status']
except:
return "deny"
def __init__(self, connection_config, username="") -> None:
'''
Args:
connection_config (Dict):
Parameters required to connect tothe Duo API
username (str):
The username of the person authorized through
this object.
'''
super().__init__()
self.client = duo_client.Auth(**connection_config)
self.username: str = username
self.txid: str = None
self.auth_time = datetime.min
self.reauth_time = config['auth']['reauth_time']
self.state = AuthStates.NONE
def main():
init()
init_sql()
# Create components needed for Securitybot
duo_api = duo_client.Auth(ikey=DUO_INTEGRATION,
skey=DUO_SECRET,
host=DUO_ENDPOINT)
duo_builder = lambda name: DuoAuth(duo_api, name)
chat = Slack('securitybot', SLACK_KEY, ICON_URL)
tasker = SQLTasker()
sb = SecurityBot(chat, tasker, duo_builder, REPORTING_CHANNEL,
'config/bot.yaml')
sb.run()
def duo_auth_enroll_status(integration_key: str, secret_key: str, host: str,
user_id: str, activation_code: str) -> dict:
"""
Anonymous enrollment of a new device
:param integration_key: The Duo integration key
:type integration_key: str
:param secret_key: The Duo secret key
:type secret_key: str
:param host: The Duo host
:type host: str
:param user_id: The Duo user id
:type user_id: str
:param activation_code: The Duo activation code
:type activation_code: str
:return: The check with the error details or the time
:rtype: dict
"""
try:
auth_api = duo_client.Auth(
ikey=integration_key,
skey=secret_key,
host=host,
)
enrollment_status = auth_api.enroll_status(
user_id=user_id, activation_code=activation_code)
except gaierror:
return {'error': 'Host incorrect: Could not be found'}
except SSLError:
return {'error': 'Host incorrect: SSL Certificate Error'}
except RuntimeError as e:
if 'Invalid integration key' in str(e):
return {'error': 'Invalid integration key'}
if 'Invalid signature' in str(e):
return {'error': 'Invalid secret key'}
return {'error': str(e)}
except Exception as e:
logger.error(e)
return {'error': 'Duo offline. Try again later.'}
return enrollment_status
def duo_auth(user):
# Configuration and information about objects to create.
#TODO put these to env variables
ikey = 'xxxxxxxxxxxxxx'
skey = 'yyyyyyyyyyyyyy'
akey = 'zzzzzzzzzzzzz'
host = 'aaaaaaaaaaaaa'
auth_api = duo_client.Auth(ikey, skey, host)
# Retrieve user info from API:
ping_result = auth_api.ping()
print('ping result :' + json.dumps(ping_result))
# Retrieve user info from API:
preauth_result = auth_api.preauth(username=user)
print('preauth result :' + json.dumps(preauth_result))
# Retrieve user info from API:
if preauth_result['result'] == 'auth':
auth_result = auth_api.auth(username=user,
factor='push',
device='auto')
elif preauth_result['result'] == 'enroll':
r = send_enrolement_to_webexteams(preauth_result['enroll_portal_url'],
user)
print('This user must enroll to DUO')
status = 'enroll'
return status
else:
print(preauth_result['status_msg'])
status = 'error' #TODO do enrole here and send enrolment process over webex (see json response for unrecongnized user)
return status
print('auth result :' + json.dumps(auth_result))
if auth_result['status'] == 'allow':
status = auth_result['status']
else:
status = "error"
return status
def duo_auth(user):
blink_led(7,5)
GPIO.output(3, GPIO.HIGH) # Turn on
GPIO.output(7, GPIO.HIGH) # Turn on
# Configuration and information about objects to create.
#TODO put these to env variables
ikey = 'iiiiiiiiiiiiiiiiiiiiii'
skey = 'ssssssssssssssssssssss'
akey = 'aaaaaaaaaaaaaaaaaaaaaa'
host = 'hhhhhhhhhhhhhhhhhhhhhh'
auth_api = duo_client.Auth(
ikey,
skey,
host
)
# Retrieve user info from DUO API:
ping_result = auth_api.ping()
print('ping result :' + json.dumps(ping_result))
# Retrieve user info from DUO API:
preauth_result = auth_api.preauth(username=user)
print('preauth result :' + json.dumps(preauth_result))
if preauth_result['result']=='auth':
auth_result = auth_api.auth(username=user,factor='push',device='auto')
elif preauth_result['result']=='enroll':
status='enroll'
return status
else:
print(preauth_result['status_msg'])
status='error'
return status
print('auth result :'+ json.dumps(auth_result))
if auth_result['status']:
status= auth_result['status']
else:
status= "error"
return status
def main():
init()
logging.warning("Securitybot [bot] restarted.")
init_sql()
# Create components needed for Securitybot
auth_builder = None
if DUO_INTEGRATION and DUO_SECRET and DUO_ENDPOINT:
duo_api = duo_client.Auth(
ikey=DUO_INTEGRATION,
skey=DUO_SECRET,
host=DUO_ENDPOINT
)
auth_builder = lambda name: DuoAuth(duo_api, name)
chat = Slack('securitybot', SLACK_KEY, ICON_URL)
tasker = SQLTasker()
sb = SecurityBot(chat, tasker, auth_builder, REPORTING_CHANNEL, 'config/bot.yaml')
sb.run()
def main():
init()
# init_sql()
# Create components needed for SecurityBot
duo_api = duo_client.Auth(ikey=config['duo']['ikey'],
skey=config['duo']['skey'],
host=config['duo']['endpoint'])
duo_builder = lambda name: DuoAuth(duo_api, name)
try:
# Initialise DbEngine here
DbEngine(config['database'])
except KeyError:
logging.error('No database configuration')
raise
chat = Slack(config['slack'])
tasker = Tasker()
sb = SecurityBot(chat, tasker, duo_builder,
config['slack']['reporting_channel'])
sb.run()
def two_factor(username):
# if Duo is not configured, return success
if not radius_agent_config.DUO_API_HOST or \
not radius_agent_config.DUO_IKEY or \
not radius_agent_config.DUO_SKEY:
return True
auth_api = duo_client.Auth(ikey=radius_agent_config.DUO_IKEY,
skey=radius_agent_config.DUO_SKEY,
host=radius_agent_config.DUO_API_HOST)
response = auth_api.auth('push',
username=username,
device='auto',
async=False)
# success returns:
# {u'status': u'allow', u'status_msg': u'Success. Logging you in...', u'result': u'allow'}
# deny returns:
# {u'status': u'deny', u'status_msg': u'Login request denied.', u'result': u'deny'}
return response and response['status'] == 'allow'
def duo_auth_check(integration_key: str, secret_key: str, host: str) -> dict:
"""
Calls the Duo auth check api
:param integration_key: The Duo integration key
:type integration_key: str
:param secret_key: The Duo secret key
:type secret_key: str
:param host: The Duo host
:type host: str
:return: The check with the error details or the time
:rtype: dict
"""
try:
auth_api = duo_client.Auth(
ikey=integration_key,
skey=secret_key,
host=host,
)
check = auth_api.check()
except gaierror:
return {'error': 'Host incorrect: Could not be found'}
except SSLError:
return {'error': 'Host incorrect: SSL Certificate Error'}
except RuntimeError as e:
if 'Invalid integration key' in str(e):
return {'error': 'Invalid integration key'}
if 'Invalid signature' in str(e):
return {'error': 'Invalid secret key'}
return {'error': str(e)}
except:
return {'error': 'Duo offline. Try again later.'}
return check
def lambda_handler(event, context):
s3 = boto3.resource('s3')
config = ConfigParser.RawConfigParser()
config.readfp(StringIO.StringIO(s3.Object('yourbucketname', 'duo.conf').get()['Body'].read()))
auth_api = duo_client.Auth(
ikey = config.get('duo', 'ikey'),
skey = config.get('duo', 'skey'),
host = config.get('duo', 'host'),
)
response = auth_api.auth(
username=event['user'],
device='auto',
factor='push',
)
if response['result'] == 'allow':
response['key'] = s3.Object('yourbucketname', 'keys/' + event['key']).get()['Body'].read()
return response
skey = config.get('duo', 'skey')
host = config.get('duo', 'host')
return {'ikey': ikey, 'skey': skey, 'host': host}
duo_keys = grab_keys()
# You can find this information in the integrations section
# where you signed up for Duo.
# instantiate an Auth instance
verify_api = duo_client.Verify(
ikey=duo_keys['ikey'],
skey=duo_keys['skey'],
host=duo_keys['host'],
)
auth_api = duo_client.Auth(
ikey=duo_keys['ikey'],
skey=duo_keys['skey'],
host=duo_keys['host'],
)
# perform a preauth call on a username
def select_user():
response = ''
while response != 'q':
try:
response = input("Type the user's name in Duo: ")
devices = auth_api.preauth(username=response)
return (response, devices)
except:
if response != 'q':
print("\nUsername \"" + response + "\" was not found.")
def __init__(self, **kwargs):
"""Initiates the Authy parameters"""
self.auth_api = duo_client.Auth(ikey=kwargs['ikey'],
skey=kwargs['skey'],
host=kwargs['host'])
:param device: The Duo device
:type device: str
:param pushinfo: The pushinfo
:type pushinfo: str
:param passcode: The passcode
:type passcode: str
:param async: The Duo async flag
:type async: bool
:return: The check with the error details or the time
:rtype: dict
"""
try:
auth_api = duo_client.Auth(
ikey=integration_key,
skey=secret_key,
host=host,
)
auth = auth_api.auth(user_id=user_id,
factor=factor,
device=device,
pushinfo=pushinfo,
passcode=passcode,
async=async)
except gaierror:
return {'error': 'Host incorrect: Could not be found'}
except SSLError:
return {'error': 'Host incorrect: SSL Certificate Error'}
except RuntimeError as e:
if 'Invalid integration key' in str(e):
return {'error': 'Invalid integration key'}
import sys
enable_duo = {{ enable_duo }}
duo_ikey = '{{ duo_ikey }}'
duo_skey = '{{ duo_skey }}'
duo_host = '{{ duo_host }}'
pam_authenticator = pam.pam()
remote_ip = os.environ.get('untrusted_ip')
remote_login = os.environ.get('username')
remote_password = os.environ.get('password')
local_login = remote_login
if enable_duo:
duo_authenticator = duo_client.Auth(ikey=duo_ikey, skey=duo_skey, host=duo_host)
try:
local_password = remote_password.split(',')[0]
duo_passcode = remote_password.split(',')[1]
except:
raise Exception('ivalid password format')
else:
local_password = remote_password
if pam_authenticator.authenticate(local_login, local_password):
print('local auth OK')
if enable_duo:
if duo_authenticator.auth('passcode', username=local_login, ipaddr=remote_ip, passcode=duo_passcode)['result'] != 'allow':
print('duo auth FAILED')
sys.exit(1)
else:
# main file for the Duo API calls
import duo_client
import json
import sys
# Constants for Duo Admin API calls
from keys_duo import *
# authorization information for Duo API call
Admin = duo_client.Admin(ikey=DUO_ADMINAPI_IKEY,
skey=DUO_ADMINAPI_SKEY,
host=DUO_ADMINAPI_APIHOSTNAME)
Auth = duo_client.Auth(ikey=DUO_AUTHAPI_IKEY,
skey=DUO_AUTHAPI_SKEY,
host=DUO_AUTHAPI_APIHOSTNAME)
def clean(x, indent=2):
print(json.dumps(x, indent=indent))
print("Welcome to the DuoAPI Playground!")
print("Use clean() on compact JSON to get a human-readable version")
def handle(self, *args, **options):
integration_key = str(options['integration_key'][0])
secret_key = str(options['secret_key'][0])
host = str(options['host'][0])
username = str(options['username'][0])
if username:
print('Testing username format:')
if '@' not in username:
error = ' - Error: Username malformed. A real psono username looks similar to an email address.'
self.stdout.write(error)
return
if len(username.split("@")) > 2:
error = ' - Error: Username malformed. A real psono username looks similar to an email address and may not contain two @ chars.'
self.stdout.write(error)
return
print(' - Success: Username format seems to be correct')
print('Testing API credentials:')
try:
auth_api = duo_client.Auth(
ikey=integration_key,
skey=secret_key,
host=host,
)
if settings.DUO_PROXY_TYPE:
auth_api.set_proxy(host=settings.DUO_PROXY_HOST,
port=settings.DUO_PROXY_PORT,
headers=settings.DUO_PROXY_HEADERS,
proxy_type=settings.DUO_PROXY_TYPE)
auth_api.check()
except gaierror:
error = ' - Error: Host incorrect: Could not be found'
self.stdout.write(error)
return
except SSLError:
error = ' - Error: Host incorrect: SSL Certificate Error'
self.stdout.write(error)
return
except RuntimeError as e:
if 'Invalid integration key' in str(e):
error = ' - Error: Invalid integration key'
self.stdout.write(error)
return
if 'Invalid signature' in str(e):
error = ' - Error: Invalid secret key'
self.stdout.write(error)
return
error = str(e)
self.stdout.write(error)
return
print(' - Success: API credentials seem to be correct')
if username:
username, domain = username.split("@")
print('Testing push authentication: ')
print(
'Registration of a user / device with QR code on the console would be too hard, therefore we assume '
'here that a user with the username "' + username +
'" exists and has a device with PUSH support '
'registered. If not you can expect this test to fail, yet this failure then would be meaningless. '
'You would see some error like: "Received 400 Invalid request parameters (username)"'
)
try:
auth_api = duo_client.Auth(
ikey=integration_key,
skey=secret_key,
host=host,
)
if settings.DUO_PROXY_TYPE:
auth_api.set_proxy(host=settings.DUO_PROXY_HOST,
port=settings.DUO_PROXY_PORT,
headers=settings.DUO_PROXY_HEADERS,
proxy_type=settings.DUO_PROXY_TYPE)
auth_api.auth(username=username,
factor='push',
device='auto',
pushinfo=urlencode({'Host': domain}),
passcode=None,
async_txn=False)
except gaierror:
error = ' - Error: Host incorrect: Could not be found'
self.stdout.write(error)
return
except SSLError:
error = ' - Error: Host incorrect: SSL Certificate Error'
self.stdout.write(error)
return
except RuntimeError as e:
if 'Invalid integration key' in str(e):
error = ' - Error: Invalid integration key'
self.stdout.write(error)
return
if 'Invalid signature' in str(e):
error = ' - Error: Invalid secret key'
self.stdout.write(error)
return
error = str(e)
self.stdout.write(error)
return
print(' - Success: API credentials seem to be correct')
def duo_auth_auth(integration_key: str, secret_key: str, host: str, username: str, factor: str, device: str = None, pushinfo: str = None, passcode: str = None, async_txn: bool = False) -> dict:
"""
Auth call with the user id
:param integration_key: The Duo integration key
:type integration_key: str
:param secret_key: The Duo secret key
:type secret_key: str
:param host: The Duo host
:type host: str
:param username: The Duo username
:type username: str
:param factor: The Duo factor
:type factor: str
:param device: The Duo device
:type device: str
:param pushinfo: The pushinfo
:type pushinfo: str
:param passcode: The passcode
:type passcode: str
:param async_txn: The Duo async flag
:type async_txn: bool
:return: The check with the error details or the time
:rtype: dict
"""
try:
auth_api = duo_client.Auth(
ikey=integration_key,
skey=secret_key,
host=host,
)
if settings.DUO_PROXY_TYPE:
auth_api.set_proxy(
host=settings.DUO_PROXY_HOST,
port=settings.DUO_PROXY_PORT,
headers=settings.DUO_PROXY_HEADERS,
proxy_type=settings.DUO_PROXY_TYPE
)
auth = auth_api.auth(username=username, factor=factor, device=device, pushinfo=pushinfo, passcode=passcode, async_txn=async_txn)
except gaierror:
return {
'error': 'Host incorrect: Could not be found'
}
except SSLError:
return {
'error': 'Host incorrect: SSL Certificate Error'
}
except RuntimeError as e:
if 'Invalid integration key' in str(e):
return {
'error': 'Invalid integration key'
}
if 'Invalid signature' in str(e):
return {
'error': 'Invalid secret key'
}
return {
'error': str(e)
}
except Exception as e:
logger.error(e)
return {
'error': 'Duo offline. Try again later.'
}
return auth
