def connect(self, params={}): self.logger.info("Connect: Connecting..") self.auth_api = duo_client.Auth( ikey=params.get(Input.INTEGRATION_KEY).get('secretKey'), skey=params.get(Input.SECRET_KEY).get('secretKey'), host=params.get(Input.HOSTNAME))
def main(): parser = argparse.ArgumentParser( description="Check Authentication Params to DUO.") parser.add_argument("--ikey", help="Integration Key") parser.add_argument("host", help="API Hostname [api-xx.duosecurity.com]") parser.add_argument("--method", help="API Method") parser.add_argument("--user", nargs='+', help="Username") parser.add_argument("--factor", help="2FA Factor [push, sms, phone]") pargs = parser.parse_args() skey = getpass.getpass("API Secret key:") auth_api = duo_client.Auth(pargs.ikey, skey, pargs.host) if not pargs.factor and "check" not in pargs.method: raise RuntimeError('Must provide factor') elif 'check' in pargs.method: check_auth(auth_api) elif 'auth' in pargs.method: duo_auth(pargs, auth_api) elif 'preauth' in pargs.method: preauth(pargs, auth_api) elif 'stat' in pargs.method: auth_stat(pargs, auth_api) else: raise RuntimeError('Invalid Method')
def two_factor(username): # if Duo is not configured, return success if not get_config_item('duo_api_host') or \ not get_config_item('duo_ikey') or \ not get_config_item('duo_skey'): logger.info("Duo not configured") return True auth_api = duo_client.Auth( ikey=get_config_item('duo_ikey'), skey=get_config_item('duo_skey'), host=get_config_item('duo_api_host') ) response = auth_api.auth('push', username=username, device='auto', async=False) # success returns: # {u'status': u'allow', u'status_msg': u'Success. Logging you in...', u'result': u'allow'} # deny returns: # {u'status': u'deny', u'status_msg': u'Login request denied.', u'result': u'deny'} if response and response['result'] == 'allow': return True logger.info("Duo failed") return False
def _get_duo_api_client(api_host, skey="", ikey="", ca_path="", timeout=DEFAULT_TIMEOUT, http_proxy=None): """ Build a Duo api client to be used for connectivity checks Args: api_host (str): a Duo host skey (str): a Duo skey ikey (str): a Duo ikey ca_path (str): path to ca certs timeout (float): desired timeout, in seconds, of any api calls Returns: duo_client.Auth: duo api client """ user_agent = "duoauthproxy connectivity tool/{0}; ({1})".format( duoauthproxy.__version__, platform.platform()) client = duo_client.Auth(ikey, skey, api_host, user_agent=user_agent, ca_certs=ca_path, timeout=timeout) if http_proxy: proxy_host, proxy_port = http_proxy client.set_proxy(proxy_host, proxy_port) return client
def connect(self, params={}): self.logger.info("Connect: Connecting..") self.auth_api = duo_client.Auth( ikey=params.get('integration_key').get('secretKey'), skey=params.get('secret_key').get('secretKey'), host=params.get('hostname') )
def duo_auth_check(integration_key: str, secret_key: str, host: str) -> dict: """ Calls the Duo auth check api :param integration_key: The Duo integration key :type integration_key: str :param secret_key: The Duo secret key :type secret_key: str :param host: The Duo host :type host: str :return: The check with the error details or the time :rtype: dict """ try: auth_api = duo_client.Auth( ikey=integration_key, skey=secret_key, host=host, ) if settings.DUO_PROXY_TYPE: auth_api.set_proxy( host=settings.DUO_PROXY_HOST, port=settings.DUO_PROXY_PORT, headers=settings.DUO_PROXY_HEADERS, proxy_type=settings.DUO_PROXY_TYPE ) check = auth_api.check() except gaierror: return { 'error': 'Host incorrect: Could not be found' } except SSLError: return { 'error': 'Host incorrect: SSL Certificate Error' } except RuntimeError as e: if 'Invalid integration key' in str(e): return { 'error': 'Invalid integration key' } if 'Invalid signature' in str(e): return { 'error': 'Invalid secret key' } return { 'error': str(e) } except Exception as e: logger.error(e) return { 'error': 'Duo offline. Try again later.' } return check
def __init__(self, config): super(AuthAction, self).__init__(config) try: ikey = self.config['auth']['ikey'] skey = self.config['auth']['skey'] host = self.config['auth']['host'] except KeyError: raise ValueError("Duo config not found in config.") self.duo_auth = duo_client.Auth(ikey=ikey, skey=skey, host=host)
def __init__(self, config): super(AuthBaseAction, self).__init__(config) try: _host = self.config['auth_host'] _ikey = self.config['auth_ikey'] _skey = self.config['auth_skey'] except KeyError: raise ValueError("Duo config not found in config.") self.duo_auth = duo_client.Auth(ikey=_ikey, skey=_skey, host=_host)
def duo_auth_enroll(integration_key: str, secret_key: str, host: str, username: str) -> dict: """ Anonymous enrollment of a new device :param integration_key: The Duo integration key :type integration_key: str :param secret_key: The Duo secret key :type secret_key: str :param host: The Duo host :type host: str :param username: The Duo host :type username: str :return: The check with the error details or the time :rtype: dict """ try: auth_api = duo_client.Auth( ikey=integration_key, skey=secret_key, host=host, ) pre_auth = auth_api.preauth(username=username) if pre_auth['result'] == 'deny': return {'error': 'User denied by DUO'} enrollment = {} # type: Dict if pre_auth['result'] == 'enroll': enrollment = auth_api.enroll(username=username) except gaierror: return {'error': 'Host incorrect: Could not be found'} except SSLError: return {'error': 'Host incorrect: SSL Certificate Error'} except RuntimeError as e: if 'Invalid integration key' in str(e): return {'error': 'Invalid integration key'} if 'Invalid signature' in str(e): return {'error': 'Invalid secret key'} if 'username already exists' in str(e): return {'error': 'Username already exists in Duo.'} return {'error': str(e)} except Exception as e: logger.error(e) return {'error': 'Duo offline. Try again later.'} return enrollment
def authenticate_intent(): try: auth_client = duo_client.Auth( ikey='DI2915C2QQOW6T1TAOBU', skey='QsufyeqbDYdI5Sh4EMkroCorfcANCMMoF3E5F10l', host="api-53df2292.duosecurity.com", ) status = auth_client.auth(device="auto", factor="push", username="******") return status['status'] except: return "deny"
def __init__(self, connection_config, username="") -> None: ''' Args: connection_config (Dict): Parameters required to connect tothe Duo API username (str): The username of the person authorized through this object. ''' super().__init__() self.client = duo_client.Auth(**connection_config) self.username: str = username self.txid: str = None self.auth_time = datetime.min self.reauth_time = config['auth']['reauth_time'] self.state = AuthStates.NONE
def main(): init() init_sql() # Create components needed for Securitybot duo_api = duo_client.Auth(ikey=DUO_INTEGRATION, skey=DUO_SECRET, host=DUO_ENDPOINT) duo_builder = lambda name: DuoAuth(duo_api, name) chat = Slack('securitybot', SLACK_KEY, ICON_URL) tasker = SQLTasker() sb = SecurityBot(chat, tasker, duo_builder, REPORTING_CHANNEL, 'config/bot.yaml') sb.run()
def duo_auth_enroll_status(integration_key: str, secret_key: str, host: str, user_id: str, activation_code: str) -> dict: """ Anonymous enrollment of a new device :param integration_key: The Duo integration key :type integration_key: str :param secret_key: The Duo secret key :type secret_key: str :param host: The Duo host :type host: str :param user_id: The Duo user id :type user_id: str :param activation_code: The Duo activation code :type activation_code: str :return: The check with the error details or the time :rtype: dict """ try: auth_api = duo_client.Auth( ikey=integration_key, skey=secret_key, host=host, ) enrollment_status = auth_api.enroll_status( user_id=user_id, activation_code=activation_code) except gaierror: return {'error': 'Host incorrect: Could not be found'} except SSLError: return {'error': 'Host incorrect: SSL Certificate Error'} except RuntimeError as e: if 'Invalid integration key' in str(e): return {'error': 'Invalid integration key'} if 'Invalid signature' in str(e): return {'error': 'Invalid secret key'} return {'error': str(e)} except Exception as e: logger.error(e) return {'error': 'Duo offline. Try again later.'} return enrollment_status
def duo_auth(user): # Configuration and information about objects to create. #TODO put these to env variables ikey = 'xxxxxxxxxxxxxx' skey = 'yyyyyyyyyyyyyy' akey = 'zzzzzzzzzzzzz' host = 'aaaaaaaaaaaaa' auth_api = duo_client.Auth(ikey, skey, host) # Retrieve user info from API: ping_result = auth_api.ping() print('ping result :' + json.dumps(ping_result)) # Retrieve user info from API: preauth_result = auth_api.preauth(username=user) print('preauth result :' + json.dumps(preauth_result)) # Retrieve user info from API: if preauth_result['result'] == 'auth': auth_result = auth_api.auth(username=user, factor='push', device='auto') elif preauth_result['result'] == 'enroll': r = send_enrolement_to_webexteams(preauth_result['enroll_portal_url'], user) print('This user must enroll to DUO') status = 'enroll' return status else: print(preauth_result['status_msg']) status = 'error' #TODO do enrole here and send enrolment process over webex (see json response for unrecongnized user) return status print('auth result :' + json.dumps(auth_result)) if auth_result['status'] == 'allow': status = auth_result['status'] else: status = "error" return status
def duo_auth(user): blink_led(7,5) GPIO.output(3, GPIO.HIGH) # Turn on GPIO.output(7, GPIO.HIGH) # Turn on # Configuration and information about objects to create. #TODO put these to env variables ikey = 'iiiiiiiiiiiiiiiiiiiiii' skey = 'ssssssssssssssssssssss' akey = 'aaaaaaaaaaaaaaaaaaaaaa' host = 'hhhhhhhhhhhhhhhhhhhhhh' auth_api = duo_client.Auth( ikey, skey, host ) # Retrieve user info from DUO API: ping_result = auth_api.ping() print('ping result :' + json.dumps(ping_result)) # Retrieve user info from DUO API: preauth_result = auth_api.preauth(username=user) print('preauth result :' + json.dumps(preauth_result)) if preauth_result['result']=='auth': auth_result = auth_api.auth(username=user,factor='push',device='auto') elif preauth_result['result']=='enroll': status='enroll' return status else: print(preauth_result['status_msg']) status='error' return status print('auth result :'+ json.dumps(auth_result)) if auth_result['status']: status= auth_result['status'] else: status= "error" return status
def main(): init() logging.warning("Securitybot [bot] restarted.") init_sql() # Create components needed for Securitybot auth_builder = None if DUO_INTEGRATION and DUO_SECRET and DUO_ENDPOINT: duo_api = duo_client.Auth( ikey=DUO_INTEGRATION, skey=DUO_SECRET, host=DUO_ENDPOINT ) auth_builder = lambda name: DuoAuth(duo_api, name) chat = Slack('securitybot', SLACK_KEY, ICON_URL) tasker = SQLTasker() sb = SecurityBot(chat, tasker, auth_builder, REPORTING_CHANNEL, 'config/bot.yaml') sb.run()
def main(): init() # init_sql() # Create components needed for SecurityBot duo_api = duo_client.Auth(ikey=config['duo']['ikey'], skey=config['duo']['skey'], host=config['duo']['endpoint']) duo_builder = lambda name: DuoAuth(duo_api, name) try: # Initialise DbEngine here DbEngine(config['database']) except KeyError: logging.error('No database configuration') raise chat = Slack(config['slack']) tasker = Tasker() sb = SecurityBot(chat, tasker, duo_builder, config['slack']['reporting_channel']) sb.run()
def two_factor(username): # if Duo is not configured, return success if not radius_agent_config.DUO_API_HOST or \ not radius_agent_config.DUO_IKEY or \ not radius_agent_config.DUO_SKEY: return True auth_api = duo_client.Auth(ikey=radius_agent_config.DUO_IKEY, skey=radius_agent_config.DUO_SKEY, host=radius_agent_config.DUO_API_HOST) response = auth_api.auth('push', username=username, device='auto', async=False) # success returns: # {u'status': u'allow', u'status_msg': u'Success. Logging you in...', u'result': u'allow'} # deny returns: # {u'status': u'deny', u'status_msg': u'Login request denied.', u'result': u'deny'} return response and response['status'] == 'allow'
def duo_auth_check(integration_key: str, secret_key: str, host: str) -> dict: """ Calls the Duo auth check api :param integration_key: The Duo integration key :type integration_key: str :param secret_key: The Duo secret key :type secret_key: str :param host: The Duo host :type host: str :return: The check with the error details or the time :rtype: dict """ try: auth_api = duo_client.Auth( ikey=integration_key, skey=secret_key, host=host, ) check = auth_api.check() except gaierror: return {'error': 'Host incorrect: Could not be found'} except SSLError: return {'error': 'Host incorrect: SSL Certificate Error'} except RuntimeError as e: if 'Invalid integration key' in str(e): return {'error': 'Invalid integration key'} if 'Invalid signature' in str(e): return {'error': 'Invalid secret key'} return {'error': str(e)} except: return {'error': 'Duo offline. Try again later.'} return check
def lambda_handler(event, context): s3 = boto3.resource('s3') config = ConfigParser.RawConfigParser() config.readfp(StringIO.StringIO(s3.Object('yourbucketname', 'duo.conf').get()['Body'].read())) auth_api = duo_client.Auth( ikey = config.get('duo', 'ikey'), skey = config.get('duo', 'skey'), host = config.get('duo', 'host'), ) response = auth_api.auth( username=event['user'], device='auto', factor='push', ) if response['result'] == 'allow': response['key'] = s3.Object('yourbucketname', 'keys/' + event['key']).get()['Body'].read() return response
skey = config.get('duo', 'skey') host = config.get('duo', 'host') return {'ikey': ikey, 'skey': skey, 'host': host} duo_keys = grab_keys() # You can find this information in the integrations section # where you signed up for Duo. # instantiate an Auth instance verify_api = duo_client.Verify( ikey=duo_keys['ikey'], skey=duo_keys['skey'], host=duo_keys['host'], ) auth_api = duo_client.Auth( ikey=duo_keys['ikey'], skey=duo_keys['skey'], host=duo_keys['host'], ) # perform a preauth call on a username def select_user(): response = '' while response != 'q': try: response = input("Type the user's name in Duo: ") devices = auth_api.preauth(username=response) return (response, devices) except: if response != 'q': print("\nUsername \"" + response + "\" was not found.")
def __init__(self, **kwargs): """Initiates the Authy parameters""" self.auth_api = duo_client.Auth(ikey=kwargs['ikey'], skey=kwargs['skey'], host=kwargs['host'])
:param device: The Duo device :type device: str :param pushinfo: The pushinfo :type pushinfo: str :param passcode: The passcode :type passcode: str :param async: The Duo async flag :type async: bool :return: The check with the error details or the time :rtype: dict """ try: auth_api = duo_client.Auth( ikey=integration_key, skey=secret_key, host=host, ) auth = auth_api.auth(user_id=user_id, factor=factor, device=device, pushinfo=pushinfo, passcode=passcode, async=async) except gaierror: return {'error': 'Host incorrect: Could not be found'} except SSLError: return {'error': 'Host incorrect: SSL Certificate Error'} except RuntimeError as e: if 'Invalid integration key' in str(e): return {'error': 'Invalid integration key'}
import sys enable_duo = {{ enable_duo }} duo_ikey = '{{ duo_ikey }}' duo_skey = '{{ duo_skey }}' duo_host = '{{ duo_host }}' pam_authenticator = pam.pam() remote_ip = os.environ.get('untrusted_ip') remote_login = os.environ.get('username') remote_password = os.environ.get('password') local_login = remote_login if enable_duo: duo_authenticator = duo_client.Auth(ikey=duo_ikey, skey=duo_skey, host=duo_host) try: local_password = remote_password.split(',')[0] duo_passcode = remote_password.split(',')[1] except: raise Exception('ivalid password format') else: local_password = remote_password if pam_authenticator.authenticate(local_login, local_password): print('local auth OK') if enable_duo: if duo_authenticator.auth('passcode', username=local_login, ipaddr=remote_ip, passcode=duo_passcode)['result'] != 'allow': print('duo auth FAILED') sys.exit(1) else:
# main file for the Duo API calls import duo_client import json import sys # Constants for Duo Admin API calls from keys_duo import * # authorization information for Duo API call Admin = duo_client.Admin(ikey=DUO_ADMINAPI_IKEY, skey=DUO_ADMINAPI_SKEY, host=DUO_ADMINAPI_APIHOSTNAME) Auth = duo_client.Auth(ikey=DUO_AUTHAPI_IKEY, skey=DUO_AUTHAPI_SKEY, host=DUO_AUTHAPI_APIHOSTNAME) def clean(x, indent=2): print(json.dumps(x, indent=indent)) print("Welcome to the DuoAPI Playground!") print("Use clean() on compact JSON to get a human-readable version")
def handle(self, *args, **options): integration_key = str(options['integration_key'][0]) secret_key = str(options['secret_key'][0]) host = str(options['host'][0]) username = str(options['username'][0]) if username: print('Testing username format:') if '@' not in username: error = ' - Error: Username malformed. A real psono username looks similar to an email address.' self.stdout.write(error) return if len(username.split("@")) > 2: error = ' - Error: Username malformed. A real psono username looks similar to an email address and may not contain two @ chars.' self.stdout.write(error) return print(' - Success: Username format seems to be correct') print('Testing API credentials:') try: auth_api = duo_client.Auth( ikey=integration_key, skey=secret_key, host=host, ) if settings.DUO_PROXY_TYPE: auth_api.set_proxy(host=settings.DUO_PROXY_HOST, port=settings.DUO_PROXY_PORT, headers=settings.DUO_PROXY_HEADERS, proxy_type=settings.DUO_PROXY_TYPE) auth_api.check() except gaierror: error = ' - Error: Host incorrect: Could not be found' self.stdout.write(error) return except SSLError: error = ' - Error: Host incorrect: SSL Certificate Error' self.stdout.write(error) return except RuntimeError as e: if 'Invalid integration key' in str(e): error = ' - Error: Invalid integration key' self.stdout.write(error) return if 'Invalid signature' in str(e): error = ' - Error: Invalid secret key' self.stdout.write(error) return error = str(e) self.stdout.write(error) return print(' - Success: API credentials seem to be correct') if username: username, domain = username.split("@") print('Testing push authentication: ') print( 'Registration of a user / device with QR code on the console would be too hard, therefore we assume ' 'here that a user with the username "' + username + '" exists and has a device with PUSH support ' 'registered. If not you can expect this test to fail, yet this failure then would be meaningless. ' 'You would see some error like: "Received 400 Invalid request parameters (username)"' ) try: auth_api = duo_client.Auth( ikey=integration_key, skey=secret_key, host=host, ) if settings.DUO_PROXY_TYPE: auth_api.set_proxy(host=settings.DUO_PROXY_HOST, port=settings.DUO_PROXY_PORT, headers=settings.DUO_PROXY_HEADERS, proxy_type=settings.DUO_PROXY_TYPE) auth_api.auth(username=username, factor='push', device='auto', pushinfo=urlencode({'Host': domain}), passcode=None, async_txn=False) except gaierror: error = ' - Error: Host incorrect: Could not be found' self.stdout.write(error) return except SSLError: error = ' - Error: Host incorrect: SSL Certificate Error' self.stdout.write(error) return except RuntimeError as e: if 'Invalid integration key' in str(e): error = ' - Error: Invalid integration key' self.stdout.write(error) return if 'Invalid signature' in str(e): error = ' - Error: Invalid secret key' self.stdout.write(error) return error = str(e) self.stdout.write(error) return print(' - Success: API credentials seem to be correct')
def duo_auth_auth(integration_key: str, secret_key: str, host: str, username: str, factor: str, device: str = None, pushinfo: str = None, passcode: str = None, async_txn: bool = False) -> dict: """ Auth call with the user id :param integration_key: The Duo integration key :type integration_key: str :param secret_key: The Duo secret key :type secret_key: str :param host: The Duo host :type host: str :param username: The Duo username :type username: str :param factor: The Duo factor :type factor: str :param device: The Duo device :type device: str :param pushinfo: The pushinfo :type pushinfo: str :param passcode: The passcode :type passcode: str :param async_txn: The Duo async flag :type async_txn: bool :return: The check with the error details or the time :rtype: dict """ try: auth_api = duo_client.Auth( ikey=integration_key, skey=secret_key, host=host, ) if settings.DUO_PROXY_TYPE: auth_api.set_proxy( host=settings.DUO_PROXY_HOST, port=settings.DUO_PROXY_PORT, headers=settings.DUO_PROXY_HEADERS, proxy_type=settings.DUO_PROXY_TYPE ) auth = auth_api.auth(username=username, factor=factor, device=device, pushinfo=pushinfo, passcode=passcode, async_txn=async_txn) except gaierror: return { 'error': 'Host incorrect: Could not be found' } except SSLError: return { 'error': 'Host incorrect: SSL Certificate Error' } except RuntimeError as e: if 'Invalid integration key' in str(e): return { 'error': 'Invalid integration key' } if 'Invalid signature' in str(e): return { 'error': 'Invalid secret key' } return { 'error': str(e) } except Exception as e: logger.error(e) return { 'error': 'Duo offline. Try again later.' } return auth