Example #1
0
    def _get_verdict(self, response):
        response_id = self._extract_info(response, "errorId")
        response_msg = self._extract_info(response, "errorMsg")

        if response_id == 200:
            logger.info("Authentication successful")
            return AAResponse.accept(reason="Authentication successful")

        logger.info("Authentication failure; id=%i, msg=%s", response_id, response_msg)
        return AAResponse.deny(reason=self._get_reason(response))
Example #2
0
    def do_authorize(self):
        target_hosts = self._resolve_ip(self.connection.target_server)

        if self._hosts_for_groups_match(
                target_hosts, self.connection.
                gateway_groups) or self._groups_for_hosts_match(
                    target_hosts, self.connection.gateway_groups):
            return AAResponse.accept()
        else:
            return AAResponse.deny()
 def otp_authenticate(self, username, otp):
     if otp == '1234':
         # The code may return an AAResponse (dict) which will be passed through to SPS
         return AAResponse.need_info('Are you sure?', 'confirm')
     else:
         # Contact the service at self.server_url and actually check the OTP
         # Returning True means returning ACCEPT as verdict
         return True
def test_otp_ask_for_new_otp_if_already_used(client, duo_user, interactive):
    otp = interactive.askforinput("Please enter the previous OTP")
    result = client.otp_authenticate(duo_user, otp)
    assert result == AAResponse.need_info(
        **{
            "key": "otp",
            "question": "This passcode has already been used. Please generate a new passcode and try again. ",
            "disable_echo": False,
        }
    )
Example #5
0
    def _select_device(self):
        if not self._selection:
            self.logger.info("Device selection disabled, rejecting connection")
            return AAResponse.deny(reason="Device selection disabled")

        devices = self._get_devices()
        if not devices:
            self.logger.info("No devices to select from, rejecting connection")
            return AAResponse.deny(reason="No devices to select from")

        message = ""
        self._device_index_map = {}
        for position, device in enumerate(devices, start=1):
            message += "{}) {}\n".format(position, device["nickname"])
            self._device_index_map[position] = device["deviceId"]

        message += "Please select a device: "

        self.logger.debug("Prompting user to select a device; device_ids=%s", self._device_index_map)
        return AAResponse.need_info(message, "selected_device")
Example #6
0
 def _check_auth_result(self, auth_result):
     msg = "This passcode has already been used. Please generate a new passcode and try again."
     if auth_result["status_msg"] == msg and not self._second_try:
         return AAResponse.need_info(
             **{
                 "key": "otp",
                 "question": msg + " ",
                 "disable_echo": self._disable_echo
             })
     if auth_result["result"] != "allow":
         raise MFAAuthenticationFailure(auth_result["status_msg"])
     return True
Example #7
0
    def do_authorize(self):
        ticket_id = self.mfa_password

        ticket_type_section = self._determine_section(ticket_id)
        if not ticket_type_section:
            return AAResponse.deny("Ticket ID doesn't match any patterns; ticket_id={}".format(ticket_id))

        table = self.plugin_configuration.get(ticket_type_section, "table", required=True).strip()
        templ = self.plugin_configuration.get(ticket_type_section, "query", required=True).strip()

        self.logger.debug("ServiceNow query template: {}".format(templ))
        query = Template(templ).substitute(Filter(self.connection), ticket_id=ticket_id, username=self.mfa_identity)
        self.logger.debug("ServiceNow query: {}".format(query))

        try:
            resource = ServiceNowClient.from_config(self.plugin_configuration).get_resource("/table/{}".format(table))
            response = resource.get(query=query, stream=True)
            result = response.first_or_none()
        except HTTPError as e:
            self.logger.debug(self.ERROR_MESSAGE_TEMPLATE.format(error=str(e), details=""))
            return AAResponse.deny(reason=self.DENY_REASON_TEMPLATE.format(ticket_id=ticket_id))
        except ResponseError as e:
            self.logger.debug(self.ERROR_MESSAGE_TEMPLATE.format(error=e.message, details=e.detail))
            return AAResponse.deny(reason=self.DENY_REASON_TEMPLATE.format(ticket_id=ticket_id))
        except Exception as e:
            self.logger.debug("Unknow error occured. Cannot verify ServiceNow request: {}".format(str(e)))
            return AAResponse.deny(reason=self.DENY_REASON_TEMPLATE.format(ticket_id=ticket_id))

        if result:
            self._update_service_now_ticket(resource, ticket_id)
            return AAResponse.accept(reason="Verified ServiceNow request: {}".format(ticket_id))
        else:
            return AAResponse.deny(
                reason="Ticket verification failed. No ServiceNow request matched by the provided query")
Example #8
0
    def do_authenticate(self):
        reason = None
        self._client = self._client or Client.from_config(
            self.plugin_configuration, self._get_device_id(), self._push_display_text
        )
        try:
            return self._dispatch()
        except InvalidDeviceSelection as e:
            self.logger.info("Invalid device selected: %s", e)
            reason = "Invalid device selected."
        except ResponseError as e:
            self.logger.error("Invalid response: %s", e, exc_info=self._stacktrace)
            reason = "Invalid response from PingID API."
        except Exception as e:
            self.logger.error("Unexpected error: %s: %s", type(e), e, exc_info=self._stacktrace)

        return AAResponse.deny(reason=reason)
Example #9
0
 def _log_bypass_and_create_aa_response(self):
     msg = "User configured as bypass user on Duo."
     logger.info(msg)
     return AAResponse.accept(reason=msg)
def test_bypass_auth_without_bypass_code_otp(client, duo_bypass_user, interactive):
    otp = interactive.askforinput("Please enter OTP whatever you like")
    result = client.otp_authenticate(duo_bypass_user, otp)
    assert result == AAResponse.accept(reason="User configured as bypass user on Duo.")
def test_bypass_auth_without_bypass_code_push(client, duo_bypass_user, interactive):
    result = client.push_authenticate(duo_bypass_user)
    assert result == AAResponse.accept(reason="User configured as bypass user on Duo.")
 def do_authenticate(self):
     return AAResponse.accept().with_cookie(
         {"push_details": self.create_push_details()})
 def do_authorize(self):
     return AAResponse.accept('the reason to accept')
 def do_authenticate(self):
     return AAResponse.accept('the reason to accept')