def _get_verdict(self, response):
response_id = self._extract_info(response, "errorId")
response_msg = self._extract_info(response, "errorMsg")
if response_id == 200:
logger.info("Authentication successful")
return AAResponse.accept(reason="Authentication successful")
logger.info("Authentication failure; id=%i, msg=%s", response_id, response_msg)
return AAResponse.deny(reason=self._get_reason(response))
def do_authorize(self):
target_hosts = self._resolve_ip(self.connection.target_server)
if self._hosts_for_groups_match(
target_hosts, self.connection.
gateway_groups) or self._groups_for_hosts_match(
target_hosts, self.connection.gateway_groups):
return AAResponse.accept()
else:
return AAResponse.deny()
def otp_authenticate(self, username, otp):
if otp == '1234':
# The code may return an AAResponse (dict) which will be passed through to SPS
return AAResponse.need_info('Are you sure?', 'confirm')
else:
# Contact the service at self.server_url and actually check the OTP
# Returning True means returning ACCEPT as verdict
return True
def test_otp_ask_for_new_otp_if_already_used(client, duo_user, interactive):
otp = interactive.askforinput("Please enter the previous OTP")
result = client.otp_authenticate(duo_user, otp)
assert result == AAResponse.need_info(
**{
"key": "otp",
"question": "This passcode has already been used. Please generate a new passcode and try again. ",
"disable_echo": False,
}
)
def _select_device(self):
if not self._selection:
self.logger.info("Device selection disabled, rejecting connection")
return AAResponse.deny(reason="Device selection disabled")
devices = self._get_devices()
if not devices:
self.logger.info("No devices to select from, rejecting connection")
return AAResponse.deny(reason="No devices to select from")
message = ""
self._device_index_map = {}
for position, device in enumerate(devices, start=1):
message += "{}) {}\n".format(position, device["nickname"])
self._device_index_map[position] = device["deviceId"]
message += "Please select a device: "
self.logger.debug("Prompting user to select a device; device_ids=%s", self._device_index_map)
return AAResponse.need_info(message, "selected_device")
def _check_auth_result(self, auth_result):
msg = "This passcode has already been used. Please generate a new passcode and try again."
if auth_result["status_msg"] == msg and not self._second_try:
return AAResponse.need_info(
**{
"key": "otp",
"question": msg + " ",
"disable_echo": self._disable_echo
})
if auth_result["result"] != "allow":
raise MFAAuthenticationFailure(auth_result["status_msg"])
return True
def do_authorize(self):
ticket_id = self.mfa_password
ticket_type_section = self._determine_section(ticket_id)
if not ticket_type_section:
return AAResponse.deny("Ticket ID doesn't match any patterns; ticket_id={}".format(ticket_id))
table = self.plugin_configuration.get(ticket_type_section, "table", required=True).strip()
templ = self.plugin_configuration.get(ticket_type_section, "query", required=True).strip()
self.logger.debug("ServiceNow query template: {}".format(templ))
query = Template(templ).substitute(Filter(self.connection), ticket_id=ticket_id, username=self.mfa_identity)
self.logger.debug("ServiceNow query: {}".format(query))
try:
resource = ServiceNowClient.from_config(self.plugin_configuration).get_resource("/table/{}".format(table))
response = resource.get(query=query, stream=True)
result = response.first_or_none()
except HTTPError as e:
self.logger.debug(self.ERROR_MESSAGE_TEMPLATE.format(error=str(e), details=""))
return AAResponse.deny(reason=self.DENY_REASON_TEMPLATE.format(ticket_id=ticket_id))
except ResponseError as e:
self.logger.debug(self.ERROR_MESSAGE_TEMPLATE.format(error=e.message, details=e.detail))
return AAResponse.deny(reason=self.DENY_REASON_TEMPLATE.format(ticket_id=ticket_id))
except Exception as e:
self.logger.debug("Unknow error occured. Cannot verify ServiceNow request: {}".format(str(e)))
return AAResponse.deny(reason=self.DENY_REASON_TEMPLATE.format(ticket_id=ticket_id))
if result:
self._update_service_now_ticket(resource, ticket_id)
return AAResponse.accept(reason="Verified ServiceNow request: {}".format(ticket_id))
else:
return AAResponse.deny(
reason="Ticket verification failed. No ServiceNow request matched by the provided query")
def do_authenticate(self):
reason = None
self._client = self._client or Client.from_config(
self.plugin_configuration, self._get_device_id(), self._push_display_text
)
try:
return self._dispatch()
except InvalidDeviceSelection as e:
self.logger.info("Invalid device selected: %s", e)
reason = "Invalid device selected."
except ResponseError as e:
self.logger.error("Invalid response: %s", e, exc_info=self._stacktrace)
reason = "Invalid response from PingID API."
except Exception as e:
self.logger.error("Unexpected error: %s: %s", type(e), e, exc_info=self._stacktrace)
return AAResponse.deny(reason=reason)
def _log_bypass_and_create_aa_response(self):
msg = "User configured as bypass user on Duo."
logger.info(msg)
return AAResponse.accept(reason=msg)
def test_bypass_auth_without_bypass_code_otp(client, duo_bypass_user, interactive):
otp = interactive.askforinput("Please enter OTP whatever you like")
result = client.otp_authenticate(duo_bypass_user, otp)
assert result == AAResponse.accept(reason="User configured as bypass user on Duo.")
def test_bypass_auth_without_bypass_code_push(client, duo_bypass_user, interactive):
result = client.push_authenticate(duo_bypass_user)
assert result == AAResponse.accept(reason="User configured as bypass user on Duo.")
def do_authenticate(self):
return AAResponse.accept().with_cookie(
{"push_details": self.create_push_details()})
def do_authorize(self):
return AAResponse.accept('the reason to accept')
def do_authenticate(self):
return AAResponse.accept('the reason to accept')