From 34d83c2dd2a17af92e48d74ebfbbfce28c7e8525 Mon Sep 17 00:00:00 2001 From: Jon Robertson Date: Wed, 8 Oct 2014 20:33:56 -0700 Subject: Split Duo type out into multiple sub-types The existing functionality is now in the duo-pam object type. The old duo type now returns output in a generic config file, and new types for the Duo auth proxy in LDAP and Radius proxies are added. Change-Id: I1525d79b44dafcf3ef85368297baefafcb5dc179 --- perl/lib/Wallet/Object/Duo.pm | 41 +++--- perl/lib/Wallet/Object/Duo/LDAPProxy.pm | 202 +++++++++++++++++++++++++++++ perl/lib/Wallet/Object/Duo/PAM.pm | 205 ++++++++++++++++++++++++++++++ perl/lib/Wallet/Object/Duo/RadiusProxy.pm | 204 +++++++++++++++++++++++++++++ 4 files changed, 630 insertions(+), 22 deletions(-) create mode 100644 perl/lib/Wallet/Object/Duo/LDAPProxy.pm create mode 100644 perl/lib/Wallet/Object/Duo/PAM.pm create mode 100644 perl/lib/Wallet/Object/Duo/RadiusProxy.pm (limited to 'perl/lib/Wallet/Object') diff --git a/perl/lib/Wallet/Object/Duo.pm b/perl/lib/Wallet/Object/Duo.pm index 6edc4fa..168ec8b 100644 --- a/perl/lib/Wallet/Object/Duo.pm +++ b/perl/lib/Wallet/Object/Duo.pm @@ -1,4 +1,4 @@ -# Wallet::Object::Duo -- Duo integration object implementation for the wallet. +# Wallet::Object::Duo -- Base Duo object implementation for the wallet # # Written by Russ Allbery # Copyright 2014 @@ -29,7 +29,7 @@ use Wallet::Object::Base; # This version should be increased on any code change to this module. Always # use two digits for the minor version with a leading zero if necessary so # that it will sort properly. -$VERSION = '0.01'; +$VERSION = '0.02'; ############################################################################## # Core methods @@ -84,7 +84,7 @@ sub new { # great here since we don't have a way to communicate the error back to the # caller. sub create { - my ($class, $type, $name, $schema, $creator, $host, $time) = @_; + my ($class, $type, $name, $schema, $creator, $host, $time, $duo_type) = @_; # We have to have a Duo integration key file set. if (not $Wallet::Config::DUO_KEY_FILE) { @@ -104,10 +104,11 @@ sub create { # Create the object in Duo. require Net::Duo::Admin::Integration; + $duo_type ||= $Wallet::Config::DUO_TYPE; my %data = ( - name => "$name ($Wallet::Config::DUO_TYPE)", + name => "$name ($duo_type)", notes => 'Managed by wallet', - type => $Wallet::Config::DUO_TYPE, + type => $duo_type, ); my $integration = Net::Duo::Admin::Integration->create ($duo, \%data); @@ -194,10 +195,10 @@ sub get { my $config = $json->decode (scalar slurp $Wallet::Config::DUO_KEY_FILE); # Construct the returned file. - my $output = "[duo]\n"; - $output .= "ikey = $key\n"; - $output .= 'skey = ' . $integration->secret_key . "\n"; - $output .= "host = $config->{api_hostname}\n"; + my $output; + $output .= "Integration key: $key\n"; + $output .= 'Secret key: ' . $integration->secret_key . "\n"; + $output .= "Host: $config->{api_hostname}\n"; # Log the action and return. $self->log_action ('get', $user, $host, $time); @@ -234,12 +235,11 @@ create a Duo integration, return a configuration file containing the key and API information for that integration, and delete the integration from Duo when the wallet object is destroyed. -Currently, only one configured integration type can be managed by the -wallet, and the integration information is always returned in the -configuration file format expected by the Duo UNIX integration. The -results of retrieving this object will be text, suitable for putting in -the UNIX integration configuration file, containing the integration key, -secret key, and admin hostname for that integration. +Usually you will want to use one of the subclasses of this module, which +override the output to give you a configuration fragment suited for a +specific application type. However, you can always use this module for +generic integrations where you don't mind massaging the output into the +configuration for the application using Duo. This object can be retrieved repeatedly without changing the secret key, matching Duo's native behavior with integrations. To change the keys of @@ -258,7 +258,7 @@ implementation. =over 4 -=item create(TYPE, NAME, DBH, PRINCIPAL, HOSTNAME [, DATETIME]) +=item create(TYPE, NAME, DBH, PRINCIPAL, HOSTNAME [, DATETIME, INTEGRATION_TYPE]) This is a class method and should be called on the Wallet::Object::Duo class. It creates a new object with the given TYPE and NAME (TYPE is @@ -272,9 +272,9 @@ time is used. When a new Duo integration object is created, a new integration will be created in the configured Duo account and the integration key will be stored in the wallet object. If the integration already exists, create() -will fail. The new integration's type is controlled by the DUO_TYPE -configuration variable, which defaults to C. See L -for more information. +will fail. If an integration type isn't given, the new integration's type +is controlled by the DUO_TYPE configuration variable, which defaults to +C. See L for more information. If create() fails, it throws an exception. @@ -314,9 +314,6 @@ isn't given, the current time is used. =head1 LIMITATIONS Only one Duo account is supported for a given wallet implementation. -Currently, only one Duo integration type is supported as well. Further -development should expand the available integration types, possibly as -additional wallet object types. =head1 SEE ALSO diff --git a/perl/lib/Wallet/Object/Duo/LDAPProxy.pm b/perl/lib/Wallet/Object/Duo/LDAPProxy.pm new file mode 100644 index 0000000..cd32523 --- /dev/null +++ b/perl/lib/Wallet/Object/Duo/LDAPProxy.pm @@ -0,0 +1,202 @@ +# Wallet::Object::Duo::LDAPProxy -- Duo auth proxy integration for LDAP +# +# Written by Jon Robertson +# Copyright 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +############################################################################## +# Modules and declarations +############################################################################## + +package Wallet::Object::Duo::LDAPProxy; +require 5.006; + +use strict; +use warnings; +use vars qw(@ISA $VERSION); + +use JSON; +use Net::Duo::Admin; +use Net::Duo::Admin::Integration; +use Perl6::Slurp qw(slurp); +use Wallet::Config (); +use Wallet::Object::Duo; + +@ISA = qw(Wallet::Object::Duo); + +# This version should be increased on any code change to this module. Always +# use two digits for the minor version with a leading zero if necessary so +# that it will sort properly. +$VERSION = '0.01'; + +############################################################################## +# Core methods +############################################################################## + +# Override create to provide the specific Duo integration type that will be +# used in the remote Duo record. +sub create { + my ($class, $type, $name, $schema, $creator, $host, $time) = @_; + + $time ||= time; + my $self = $class->SUPER::create ($type, $name, $schema, $creator, $host, + $time, 'ldap'); + return $self; +} + +# Override get to output the data in a specific format used for Duo LDAP +# integration +sub get { + my ($self, $user, $host, $time) = @_; + $time ||= time; + + # Check that the object isn't locked. + my $id = $self->{type} . ':' . $self->{name}; + if ($self->flag_check ('locked')) { + $self->error ("cannot get $id: object is locked"); + return; + } + + # Retrieve the integration from Duo. + my $key; + eval { + my %search = (du_name => $self->{name}); + my $row = $self->{schema}->resultset ('Duo')->find (\%search); + $key = $row->get_column ('du_key'); + }; + if ($@) { + $self->error ($@); + return; + } + my $integration = Net::Duo::Admin::Integration->new ($self->{duo}, $key); + + # We also need the admin server name, which we can get from the Duo object + # configuration with a bit of JSON decoding. + my $json = JSON->new->utf8 (1)->relaxed (1); + my $config = $json->decode (scalar slurp $Wallet::Config::DUO_KEY_FILE); + + # Construct the returned file. + my $output = "[ldap_server_challenge]\n"; + $output .= "ikey = $key\n"; + $output .= 'skey = ' . $integration->secret_key . "\n"; + $output .= "api_host = $config->{api_hostname}\n"; + + # Log the action and return. + $self->log_action ('get', $user, $host, $time); + return $output; +} + +1; +__END__ + +############################################################################## +# Documentation +############################################################################## + +=for stopwords +Allbery Duo integration DBH keytab + +=head1 NAME + +Wallet::Object::Duo::LDAPProxy -- Duo auth proxy integration for LDAP + +=head1 SYNOPSIS + + my @name = qw(duo-ldap host.example.com); + my @trace = ($user, $host, time); + my $object = Wallet::Object::Duo::LDAPProxy->create (@name, $schema, @trace); + my $config = $object->get (@trace); + $object->destroy (@trace); + +=head1 DESCRIPTION + +Wallet::Object::Duo::LDAPProxy is a representation of Duo +integrations with the wallet, specifically to output Duo integrations +in a format that can easily be pulled into configuring the Duo +Authentication Proxy for LDAP. It implements the wallet object API +and provides the necessary glue to create a Duo integration, return a +configuration file containing the key and API information for that +integration, and delete the integration from Duo when the wallet object +is destroyed. + +The integration information is always returned in the configuration file +format expected by the Authentication Proxy for Duo in configuring it +for LDAP. + +This object can be retrieved repeatedly without changing the secret key, +matching Duo's native behavior with integrations. To change the keys of +the integration, delete it and recreate it. + +To use this object, at least one configuration parameter must be set. See +L for details on supported configuration parameters and +information about how to set wallet configuration. + +=head1 METHODS + +This object mostly inherits from Wallet::Object::Duo. See the +documentation for that class for all generic methods. Below are only +those methods that are overridden or behave specially for this +implementation. + +=over 4 + +=item create(TYPE, NAME, DBH, PRINCIPAL, HOSTNAME [, DATETIME]) + +This will override the Wallet::Object::Duo class with the information +needed to create a specific integration type in Duo. It creates a new +object with the given TYPE and NAME (TYPE is normally C and +must be for the rest of the wallet system to use the right class, but +this module doesn't check for ease of subclassing), using DBH as the +handle to the wallet metadata database. PRINCIPAL, HOSTNAME, and +DATETIME are stored as history information. PRINCIPAL should be the +user who is creating the object. If DATETIME isn't given, the current +time is used. + +When a new Duo integration object is created, a new integration will be +created in the configured Duo account and the integration key will be +stored in the wallet object. If the integration already exists, create() +will fail. + +If create() fails, it throws an exception. + +=item get(PRINCIPAL, HOSTNAME [, DATETIME]) + +Retrieves the configuration information for the Duo integration and +returns that information in the format expected by the configuration file +for the Duo UNIX integration. Returns undef on failure. The caller +should call error() to get the error message if get() returns undef. + +The returned configuration look look like: + + [ldap_server_challenge] + ikey = + skey = + api_host = + +The C parameter will be taken from the configuration file pointed +to by the DUO_KEY_FILE configuration variable. + +PRINCIPAL, HOSTNAME, and DATETIME are stored as history information. +PRINCIPAL should be the user who is downloading the keytab. If DATETIME +isn't given, the current time is used. + +=back + +=head1 LIMITATIONS + +Only one Duo account is supported for a given wallet implementation. + +=head1 SEE ALSO + +Net::Duo(3), Wallet::Config(3), Wallet::Object::Duo(3), wallet-backend(8) + +This module is part of the wallet system. The current version is +available from L. + +=head1 AUTHORS + +Jon Robertson + +=cut diff --git a/perl/lib/Wallet/Object/Duo/PAM.pm b/perl/lib/Wallet/Object/Duo/PAM.pm new file mode 100644 index 0000000..6f90ba1 --- /dev/null +++ b/perl/lib/Wallet/Object/Duo/PAM.pm @@ -0,0 +1,205 @@ +# Wallet::Object::Duo::PAM -- Duo PAM int. object implementation for wallet +# +# Written by Russ Allbery +# Jon Robertson +# Copyright 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +############################################################################## +# Modules and declarations +############################################################################## + +package Wallet::Object::Duo::PAM; +require 5.006; + +use strict; +use warnings; +use vars qw(@ISA $VERSION); + +use JSON; +use Net::Duo::Admin; +use Net::Duo::Admin::Integration; +use Perl6::Slurp qw(slurp); +use Wallet::Config (); +use Wallet::Object::Duo; + +@ISA = qw(Wallet::Object::Duo); + +# This version should be increased on any code change to this module. Always +# use two digits for the minor version with a leading zero if necessary so +# that it will sort properly. +$VERSION = '0.01'; + +############################################################################## +# Core methods +############################################################################## + +# Override create to provide the specific Duo integration type that will be +# used in the remote Duo record. +sub create { + my ($class, $type, $name, $schema, $creator, $host, $time) = @_; + + $time ||= time; + my $self = $class->SUPER::create ($type, $name, $schema, $creator, $host, + $time, 'unix'); + return $self; +} + +# Override get to output the data in a specific format used by Duo's PAM +# module. +sub get { + my ($self, $user, $host, $time) = @_; + $time ||= time; + + # Check that the object isn't locked. + my $id = $self->{type} . ':' . $self->{name}; + if ($self->flag_check ('locked')) { + $self->error ("cannot get $id: object is locked"); + return; + } + + # Retrieve the integration from Duo. + my $key; + eval { + my %search = (du_name => $self->{name}); + my $row = $self->{schema}->resultset ('Duo')->find (\%search); + $key = $row->get_column ('du_key'); + }; + if ($@) { + $self->error ($@); + return; + } + my $integration = Net::Duo::Admin::Integration->new ($self->{duo}, $key); + + # We also need the admin server name, which we can get from the Duo object + # configuration with a bit of JSON decoding. + my $json = JSON->new->utf8 (1)->relaxed (1); + my $config = $json->decode (scalar slurp $Wallet::Config::DUO_KEY_FILE); + + # Construct the returned file. + my $output = "[duo]\n"; + $output .= "ikey = $key\n"; + $output .= 'skey = ' . $integration->secret_key . "\n"; + $output .= "host = $config->{api_hostname}\n"; + + # Log the action and return. + $self->log_action ('get', $user, $host, $time); + return $output; +} + +1; +__END__ + +############################################################################## +# Documentation +############################################################################## + +=for stopwords +Allbery Duo integration DBH keytab + +=head1 NAME + +Wallet::Object::Duo::PAM -- Duo PAM int. object implementation for wallet + +=head1 SYNOPSIS + + my @name = qw(duo-pam host.example.com); + my @trace = ($user, $host, time); + my $object = Wallet::Object::Duo::PAM->create (@name, $schema, @trace); + my $config = $object->get (@trace); + $object->destroy (@trace); + +=head1 DESCRIPTION + +Wallet::Object::Duo::PAM is a representation of Duo integrations with +the wallet, specifically to output Duo integrations in a format that +can easily be pulled into configuring the Duo PAM interface. It +implements the wallet object API and provides the necessary glue to +create a Duo integration, return a configuration file containing the key +and API information for that integration, and delete the integration from +Duo when the wallet object is destroyed. + +The integration information is always returned in the configuration file +format expected by the Duo UNIX integration. The results of retrieving +this object will be text, suitable for putting in the UNIX integration +configuration file, containing the integration key, secret key, and admin +hostname for that integration. + +This object can be retrieved repeatedly without changing the secret key, +matching Duo's native behavior with integrations. To change the keys of +the integration, delete it and recreate it. + +To use this object, at least one configuration parameter must be set. See +L for details on supported configuration parameters and +information about how to set wallet configuration. + +=head1 METHODS + +This object mostly inherits from Wallet::Object::Duo. See the +documentation for that class for all generic methods. Below are only +those methods that are overridden or behave specially for this +implementation. + +=over 4 + +=item create(TYPE, NAME, DBH, PRINCIPAL, HOSTNAME [, DATETIME]) + +This will override the Wallet::Object::Duo class with the information +needed to create a specific integration type in Duo. It creates a new +object with the given TYPE and NAME (TYPE is normally C and must +be for the rest of the wallet system to use the right class, but this +module doesn't check for ease of subclassing), using DBH as the handle +to the wallet metadata database. PRINCIPAL, HOSTNAME, and DATETIME are +stored as history information. PRINCIPAL should be the user who is +creating the object. If DATETIME isn't given, the current time is +used. + +When a new Duo integration object is created, a new integration will be +created in the configured Duo account and the integration key will be +stored in the wallet object. If the integration already exists, create() +will fail. + +If create() fails, it throws an exception. + +=item get(PRINCIPAL, HOSTNAME [, DATETIME]) + +Retrieves the configuration information for the Duo integration and +returns that information in the format expected by the configuration file +for the Duo UNIX integration. Returns undef on failure. The caller +should call error() to get the error message if get() returns undef. + +The returned configuration look look like: + + [duo] + ikey = + skey = + host = + +The C parameter will be taken from the configuration file pointed +to by the DUO_KEY_FILE configuration variable. + +PRINCIPAL, HOSTNAME, and DATETIME are stored as history information. +PRINCIPAL should be the user who is downloading the keytab. If DATETIME +isn't given, the current time is used. + +=back + +=head1 LIMITATIONS + +Only one Duo account is supported for a given wallet implementation. + +=head1 SEE ALSO + +Net::Duo(3), Wallet::Config(3), Wallet::Object::Duo(3), wallet-backend(8) + +This module is part of the wallet system. The current version is +available from L. + +=head1 AUTHORS + +Russ Allbery +Jon Robertson + +=cut diff --git a/perl/lib/Wallet/Object/Duo/RadiusProxy.pm b/perl/lib/Wallet/Object/Duo/RadiusProxy.pm new file mode 100644 index 0000000..2a29dec --- /dev/null +++ b/perl/lib/Wallet/Object/Duo/RadiusProxy.pm @@ -0,0 +1,204 @@ +# Wallet::Object::Duo::RadiusProxy -- Duo auth proxy integration for radius +# +# Written by Jon Robertson +# Copyright 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +############################################################################## +# Modules and declarations +############################################################################## + +package Wallet::Object::Duo::RadiusProxy; +require 5.006; + +use strict; +use warnings; +use vars qw(@ISA $VERSION); + +use JSON; +use Net::Duo::Admin; +use Net::Duo::Admin::Integration; +use Perl6::Slurp qw(slurp); +use Wallet::Config (); +use Wallet::Object::Duo; + +@ISA = qw(Wallet::Object::Duo); + +# This version should be increased on any code change to this module. Always +# use two digits for the minor version with a leading zero if necessary so +# that it will sort properly. +$VERSION = '0.01'; + +############################################################################## +# Core methods +############################################################################## + +# Override create to provide the specific Duo integration type that will be +# used in the remote Duo record. +sub create { + my ($class, $type, $name, $schema, $creator, $host, $time) = @_; + + $time ||= time; + my $self = $class->SUPER::create ($type, $name, $schema, $creator, $host, + $time, 'radius'); + return $self; +} + +# Override get to output the data in a specific format used for Duo radius +# integration +sub get { + my ($self, $user, $host, $time) = @_; + $time ||= time; + + # Check that the object isn't locked. + my $id = $self->{type} . ':' . $self->{name}; + if ($self->flag_check ('locked')) { + $self->error ("cannot get $id: object is locked"); + return; + } + + # Retrieve the integration from Duo. + my $key; + eval { + my %search = (du_name => $self->{name}); + my $row = $self->{schema}->resultset ('Duo')->find (\%search); + $key = $row->get_column ('du_key'); + }; + if ($@) { + $self->error ($@); + return; + } + my $integration = Net::Duo::Admin::Integration->new ($self->{duo}, $key); + + # We also need the admin server name, which we can get from the Duo object + # configuration with a bit of JSON decoding. + my $json = JSON->new->utf8 (1)->relaxed (1); + my $config = $json->decode (scalar slurp $Wallet::Config::DUO_KEY_FILE); + + # Construct the returned file. + my $output = "[radius_server_challenge]\n"; + $output .= "ikey = $key\n"; + $output .= 'skey = ' . $integration->secret_key . "\n"; + $output .= "api_host = $config->{api_hostname}\n"; + $output .= "client = radius_client\n"; + + # Log the action and return. + $self->log_action ('get', $user, $host, $time); + return $output; +} + +1; +__END__ + +############################################################################## +# Documentation +############################################################################## + +=for stopwords +Allbery Duo integration DBH keytab + +=head1 NAME + +Wallet::Object::Duo::RadiusProxy -- Duo auth proxy integration for radius + +=head1 SYNOPSIS + + my @name = qw(duo-radius host.example.com); + my @trace = ($user, $host, time); + my $object = Wallet::Object::Duo::RadiusProxy->create (@name, $schema, @trace); + my $config = $object->get (@trace); + $object->destroy (@trace); + +=head1 DESCRIPTION + +Wallet::Object::Duo::RadiusProxy is a representation of Duo +integrations with the wallet, specifically to output Duo integrations +in a format that can easily be pulled into configuring the Duo +Authentication Proxy for Radius. It implements the wallet object API +and provides the necessary glue to create a Duo integration, return a +configuration file containing the key and API information for that +integration, and delete the integration from Duo when the wallet object +is destroyed. + +The integration information is always returned in the configuration file +format expected by the Authentication Proxy for Duo in configuring it +for Radius. + +This object can be retrieved repeatedly without changing the secret key, +matching Duo's native behavior with integrations. To change the keys of +the integration, delete it and recreate it. + +To use this object, at least one configuration parameter must be set. See +L for details on supported configuration parameters and +information about how to set wallet configuration. + +=head1 METHODS + +This object mostly inherits from Wallet::Object::Duo. See the +documentation for that class for all generic methods. Below are only +those methods that are overridden or behave specially for this +implementation. + +=over 4 + +=item create(TYPE, NAME, DBH, PRINCIPAL, HOSTNAME [, DATETIME]) + +This will override the Wallet::Object::Duo class with the information +needed to create a specific integration type in Duo. It creates a new +object with the given TYPE and NAME (TYPE is normally C and +must be for the rest of the wallet system to use the right class, but +this module doesn't check for ease of subclassing), using DBH as the +handle to the wallet metadata database. PRINCIPAL, HOSTNAME, and +DATETIME are stored as history information. PRINCIPAL should be the +user who is creating the object. If DATETIME isn't given, the current +time is used. + +When a new Duo integration object is created, a new integration will be +created in the configured Duo account and the integration key will be +stored in the wallet object. If the integration already exists, create() +will fail. + +If create() fails, it throws an exception. + +=item get(PRINCIPAL, HOSTNAME [, DATETIME]) + +Retrieves the configuration information for the Duo integration and +returns that information in the format expected by the configuration file +for the Duo UNIX integration. Returns undef on failure. The caller +should call error() to get the error message if get() returns undef. + +The returned configuration look look like: + + [radius_server_challenge] + ikey = + skey = + api_host = + client = radius_client + +The C parameter will be taken from the configuration file pointed +to by the DUO_KEY_FILE configuration variable. + +PRINCIPAL, HOSTNAME, and DATETIME are stored as history information. +PRINCIPAL should be the user who is downloading the keytab. If DATETIME +isn't given, the current time is used. + +=back + +=head1 LIMITATIONS + +Only one Duo account is supported for a given wallet implementation. + +=head1 SEE ALSO + +Net::Duo(3), Wallet::Config(3), Wallet::Object::Duo(3), wallet-backend(8) + +This module is part of the wallet system. The current version is +available from L. + +=head1 AUTHORS + +Jon Robertson + +=cut -- cgit v1.2.3 From 94cfb1c7969515a863d7b0e09f00b6ced5f4fc5c Mon Sep 17 00:00:00 2001 From: Jon Robertson Date: Thu, 9 Oct 2014 09:55:21 -0700 Subject: Created tests for new Duo object types Change-Id: I818be125f3195316b44e650ba6e05b8e0b831ea6 --- perl/lib/Wallet/Config.pm | 6 +- perl/lib/Wallet/Object/Duo/LDAPProxy.pm | 2 +- perl/t/data/duo/integration-ldap.json | 11 +++ perl/t/data/duo/integration-radius.json | 11 +++ perl/t/object/duo-ldap.t | 160 +++++++++++++++++++++++++++++++ perl/t/object/duo-pam.t | 159 ++++++++++++++++++++++++++++++ perl/t/object/duo-radius.t | 165 ++++++++++++++++++++++++++++++++ perl/t/object/duo.t | 7 +- 8 files changed, 513 insertions(+), 8 deletions(-) create mode 100644 perl/t/data/duo/integration-ldap.json create mode 100644 perl/t/data/duo/integration-radius.json create mode 100644 perl/t/object/duo-ldap.t create mode 100644 perl/t/object/duo-pam.t create mode 100644 perl/t/object/duo-radius.t (limited to 'perl/lib/Wallet/Object') diff --git a/perl/lib/Wallet/Config.pm b/perl/lib/Wallet/Config.pm index 527658c..2eb57f9 100644 --- a/perl/lib/Wallet/Config.pm +++ b/perl/lib/Wallet/Config.pm @@ -217,9 +217,9 @@ our $DUO_KEY_FILE; =item DUO_TYPE -The type of integration to create. Currently, only one type of integration -can be created by one wallet configuration. This restriction may be relaxed -in the future. The default value is C to create UNIX integrations. +The type of integration to create. The default value is C to create +UNIX integrations, since this was the first integration created and users +may rely on it to still be the default. =cut diff --git a/perl/lib/Wallet/Object/Duo/LDAPProxy.pm b/perl/lib/Wallet/Object/Duo/LDAPProxy.pm index cd32523..757a61a 100644 --- a/perl/lib/Wallet/Object/Duo/LDAPProxy.pm +++ b/perl/lib/Wallet/Object/Duo/LDAPProxy.pm @@ -42,7 +42,7 @@ sub create { $time ||= time; my $self = $class->SUPER::create ($type, $name, $schema, $creator, $host, - $time, 'ldap'); + $time, 'ldapproxy'); return $self; } diff --git a/perl/t/data/duo/integration-ldap.json b/perl/t/data/duo/integration-ldap.json new file mode 100644 index 0000000..78a4c9f --- /dev/null +++ b/perl/t/data/duo/integration-ldap.json @@ -0,0 +1,11 @@ +{ + "enroll_policy": "enroll", + "greeting": "", + "groups_allowed": [], + "integration_key": "DIRWIH0ZZPV4G88B37VQ", + "name": "Integration for LDAP proxy", + "notes": "", + "secret_key": "QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7o", + "type": "ldap", + "visual_style": "default" +} diff --git a/perl/t/data/duo/integration-radius.json b/perl/t/data/duo/integration-radius.json new file mode 100644 index 0000000..514a33e --- /dev/null +++ b/perl/t/data/duo/integration-radius.json @@ -0,0 +1,11 @@ +{ + "enroll_policy": "enroll", + "greeting": "", + "groups_allowed": [], + "integration_key": "DIRWIH0ZZPV4G88B37VQ", + "name": "Integration for Radius proxy", + "notes": "", + "secret_key": "QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7o", + "type": "radius", + "visual_style": "default" +} diff --git a/perl/t/object/duo-ldap.t b/perl/t/object/duo-ldap.t new file mode 100644 index 0000000..3648eba --- /dev/null +++ b/perl/t/object/duo-ldap.t @@ -0,0 +1,160 @@ +#!/usr/bin/perl +# +# Tests for the Duo Auth proxy LDAP integration object implementation. +# +# Written by Russ Allbery +# Copyright 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +use strict; +use warnings; + +use POSIX qw(strftime); +use Test::More; + +BEGIN { + eval 'use Net::Duo'; + plan skip_all => 'Net::Duo required for testing duo' + if $@; + eval 'use Net::Duo::Mock::Agent'; + plan skip_all => 'Net::Duo::Mock::Agent required for testing duo' + if $@; +} + +BEGIN { + use_ok('Wallet::Admin'); + use_ok('Wallet::Config'); + use_ok('Wallet::Object::Duo::LDAPProxy'); +} + +use lib 't/lib'; +use Util; + +# Some global defaults to use. +my $user = 'admin@EXAMPLE.COM'; +my $host = 'localhost'; +my @trace = ($user, $host, time); +my $date = strftime ('%Y-%m-%d %H:%M:%S', localtime $trace[2]); + +# Flush all output immediately. +$| = 1; + +# Use Wallet::Admin to set up the database. +db_setup; +my $admin = eval { Wallet::Admin->new }; +is ($@, '', 'Database connection succeeded'); +is ($admin->reinitialize ($user), 1, 'Database initialization succeeded'); +my $schema = $admin->schema; + +# Create a mock object to use for Duo calls. +my $mock = Net::Duo::Mock::Agent->new ({ key_file => 't/data/duo/keys.json' }); + +# Test error handling in the absence of configuration. +my $object = eval { + Wallet::Object::Duo::LDAPProxy->new ('duo-ldap', 'test', $schema); +}; +is ($object, undef, 'Wallet::Object::Duo::LDAPProxy new with no config failed'); +is ($@, "duo object implementation not configured\n", '...with correct error'); +$object = eval { + Wallet::Object::Duo::LDAPProxy->create ('duo-ldap', 'test', $schema, + @trace); +}; +is ($object, undef, 'Wallet::Object::Duo::LDAPProxy creation with no config failed'); +is ($@, "duo object implementation not configured\n", '...with correct error'); + +# Set up the Duo configuration. +$Wallet::Config::DUO_AGENT = $mock; +$Wallet::Config::DUO_KEY_FILE = 't/data/duo/keys.json'; + +# Test creating an integration. +note ('Test creating an integration'); +my $expected = { + name => 'test (ldapproxy)', + notes => 'Managed by wallet', + type => 'ldapproxy', +}; +$mock->expect ( + { + method => 'POST', + uri => '/admin/v1/integrations', + content => $expected, + response_file => 't/data/duo/integration.json', + } +); +$object = Wallet::Object::Duo::LDAPProxy->create ('duo-ldap', 'test', $schema, + @trace); +isa_ok ($object, 'Wallet::Object::Duo::LDAPProxy'); + +# Check the metadata about the new wallet object. +$expected = <<"EOO"; + Type: duo-ldap + Name: test + Duo key: DIRWIH0ZZPV4G88B37VQ + Created by: $user + Created from: $host + Created on: $date +EOO +is ($object->show, $expected, 'Show output is correct'); + +# Test retrieving the integration information. +note ('Test retrieving an integration'); +$mock->expect ( + { + method => 'GET', + uri => '/admin/v1/integrations/DIRWIH0ZZPV4G88B37VQ', + response_file => 't/data/duo/integration-ldap.json', + } +); +my $data = $object->get (@trace); +ok (defined ($data), 'Retrieval succeeds'); +$expected = <<'EOO'; +[ldap_server_challenge] +ikey = DIRWIH0ZZPV4G88B37VQ +skey = QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7o +api_host = example-admin.duosecurity.com +EOO +is ($data, $expected, '...and integration data is correct'); + +# Ensure that we can't retrieve the object when locked. +is ($object->flag_set ('locked', @trace), 1, + 'Setting object to locked succeeds'); +is ($object->get, undef, '...and now get fails'); +is ($object->error, 'cannot get duo-ldap:test: object is locked', + '...with correct error'); +is ($object->flag_clear ('locked', @trace), 1, + '...and clearing locked flag works'); + +# Create a new object by wallet type and name. +$object = Wallet::Object::Duo::LDAPProxy->new ('duo-ldap', 'test', $schema); + +# Test deleting an integration. We can't test this entirely properly because +# currently Net::Duo::Mock::Agent doesn't support stacking multiple expected +# calls and delete makes two calls. +note ('Test deleting an integration'); +$mock->expect ( + { + method => 'GET', + uri => '/admin/v1/integrations/DIRWIH0ZZPV4G88B37VQ', + response_file => 't/data/duo/integration.json', + } +); +TODO: { + local $TODO = 'Net::Duo::Mock::Agent not yet capable'; + + is ($object->destroy (@trace), 1, 'Duo object deletion succeeded'); + $object = eval { Wallet::Object::Duo::LDAPProxy->new ('duo-ldap', 'test', + $schema) }; + is ($object, undef, '...and now object cannot be retrieved'); + is ($@, "cannot find duo:test\n", '...with correct error'); +} + +# Clean up. +$admin->destroy; +END { + unlink ('wallet-db'); +} + +# Done testing. +done_testing (); diff --git a/perl/t/object/duo-pam.t b/perl/t/object/duo-pam.t new file mode 100644 index 0000000..7b88787 --- /dev/null +++ b/perl/t/object/duo-pam.t @@ -0,0 +1,159 @@ +#!/usr/bin/perl +# +# Tests for the Duo PAM integration object implementation. +# +# Written by Russ Allbery +# Copyright 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +use strict; +use warnings; + +use POSIX qw(strftime); +use Test::More; + +BEGIN { + eval 'use Net::Duo'; + plan skip_all => 'Net::Duo required for testing duo' + if $@; + eval 'use Net::Duo::Mock::Agent'; + plan skip_all => 'Net::Duo::Mock::Agent required for testing duo' + if $@; +} + +BEGIN { + use_ok('Wallet::Admin'); + use_ok('Wallet::Config'); + use_ok('Wallet::Object::Duo::PAM'); +} + +use lib 't/lib'; +use Util; + +# Some global defaults to use. +my $user = 'admin@EXAMPLE.COM'; +my $host = 'localhost'; +my @trace = ($user, $host, time); +my $date = strftime ('%Y-%m-%d %H:%M:%S', localtime $trace[2]); + +# Flush all output immediately. +$| = 1; + +# Use Wallet::Admin to set up the database. +db_setup; +my $admin = eval { Wallet::Admin->new }; +is ($@, '', 'Database connection succeeded'); +is ($admin->reinitialize ($user), 1, 'Database initialization succeeded'); +my $schema = $admin->schema; + +# Create a mock object to use for Duo calls. +my $mock = Net::Duo::Mock::Agent->new ({ key_file => 't/data/duo/keys.json' }); + +# Test error handling in the absence of configuration. +my $object = eval { + Wallet::Object::Duo::PAM->new ('duo-pam', 'test', $schema); +}; +is ($object, undef, 'Wallet::Object::Duo::PAM new with no config failed'); +is ($@, "duo object implementation not configured\n", '...with correct error'); +$object = eval { + Wallet::Object::Duo::PAM->create ('duo-pam', 'test', $schema, @trace); +}; +is ($object, undef, 'Wallet::Object::Duo::PAM creation with no config failed'); +is ($@, "duo object implementation not configured\n", '...with correct error'); + +# Set up the Duo configuration. +$Wallet::Config::DUO_AGENT = $mock; +$Wallet::Config::DUO_KEY_FILE = 't/data/duo/keys.json'; + +# Test creating an integration. +note ('Test creating an integration'); +my $expected = { + name => 'test (unix)', + notes => 'Managed by wallet', + type => 'unix', +}; +$mock->expect ( + { + method => 'POST', + uri => '/admin/v1/integrations', + content => $expected, + response_file => 't/data/duo/integration.json', + } +); +$object = Wallet::Object::Duo::PAM->create ('duo-pam', 'test', $schema, + @trace); +isa_ok ($object, 'Wallet::Object::Duo::PAM'); + +# Check the metadata about the new wallet object. +$expected = <<"EOO"; + Type: duo-pam + Name: test + Duo key: DIRWIH0ZZPV4G88B37VQ + Created by: $user + Created from: $host + Created on: $date +EOO +is ($object->show, $expected, 'Show output is correct'); + +# Test retrieving the integration information. +note ('Test retrieving an integration'); +$mock->expect ( + { + method => 'GET', + uri => '/admin/v1/integrations/DIRWIH0ZZPV4G88B37VQ', + response_file => 't/data/duo/integration.json', + } +); +my $data = $object->get (@trace); +ok (defined ($data), 'Retrieval succeeds'); +$expected = <<'EOO'; +[duo] +ikey = DIRWIH0ZZPV4G88B37VQ +skey = QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7o +host = example-admin.duosecurity.com +EOO +is ($data, $expected, '...and integration data is correct'); + +# Ensure that we can't retrieve the object when locked. +is ($object->flag_set ('locked', @trace), 1, + 'Setting object to locked succeeds'); +is ($object->get, undef, '...and now get fails'); +is ($object->error, 'cannot get duo-pam:test: object is locked', + '...with correct error'); +is ($object->flag_clear ('locked', @trace), 1, + '...and clearing locked flag works'); + +# Create a new object by wallet type and name. +$object = Wallet::Object::Duo::PAM->new ('duo-pam', 'test', $schema); + +# Test deleting an integration. We can't test this entirely properly because +# currently Net::Duo::Mock::Agent doesn't support stacking multiple expected +# calls and delete makes two calls. +note ('Test deleting an integration'); +$mock->expect ( + { + method => 'GET', + uri => '/admin/v1/integrations/DIRWIH0ZZPV4G88B37VQ', + response_file => 't/data/duo/integration.json', + } +); +TODO: { + local $TODO = 'Net::Duo::Mock::Agent not yet capable'; + + is ($object->destroy (@trace), 1, 'Duo object deletion succeeded'); + $object = eval { Wallet::Object::Duo::PAM->new ('duo-pam', 'test', + $schema) }; + is ($object, undef, '...and now object cannot be retrieved'); + is ($@, "cannot find duo:test\n", '...with correct error'); +} + +# Clean up. +$admin->destroy; +END { + unlink ('wallet-db'); +} + +# Done testing. +done_testing (); diff --git a/perl/t/object/duo-radius.t b/perl/t/object/duo-radius.t new file mode 100644 index 0000000..f258518 --- /dev/null +++ b/perl/t/object/duo-radius.t @@ -0,0 +1,165 @@ +#!/usr/bin/perl +# +# Tests for the Duo Auth proxy Radius integration object implementation. +# +# Written by Russ Allbery +# Copyright 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +use strict; +use warnings; + +use POSIX qw(strftime); +use Test::More; + +BEGIN { + eval 'use Net::Duo'; + plan skip_all => 'Net::Duo required for testing duo' + if $@; + eval 'use Net::Duo::Mock::Agent'; + plan skip_all => 'Net::Duo::Mock::Agent required for testing duo' + if $@; +} + +BEGIN { + use_ok('Wallet::Admin'); + use_ok('Wallet::Config'); + use_ok('Wallet::Object::Duo::RadiusProxy'); +} + +use lib 't/lib'; +use Util; + +# Some global defaults to use. +my $user = 'admin@EXAMPLE.COM'; +my $host = 'localhost'; +my @trace = ($user, $host, time); +my $date = strftime ('%Y-%m-%d %H:%M:%S', localtime $trace[2]); + +# Flush all output immediately. +$| = 1; + +# Use Wallet::Admin to set up the database. +db_setup; +my $admin = eval { Wallet::Admin->new }; +is ($@, '', 'Database connection succeeded'); +is ($admin->reinitialize ($user), 1, 'Database initialization succeeded'); +my $schema = $admin->schema; + +# Create a mock object to use for Duo calls. +my $mock = Net::Duo::Mock::Agent->new ({ key_file => 't/data/duo/keys.json' }); + +# Test error handling in the absence of configuration. +my $object = eval { + Wallet::Object::Duo::RadiusProxy->new ('duo-raduys', 'test', $schema); +}; +is ($object, undef, + 'Wallet::Object::Duo::RadiusProxy new with no config failed'); +is ($@, "duo object implementation not configured\n", '...with correct error'); +$object = eval { + Wallet::Object::Duo::RadiusProxy->create ('duo-radius', 'test', $schema, + @trace); +}; +is ($object, undef, + 'Wallet::Object::Duo::RadiusProxy creation with no config failed'); +is ($@, "duo object implementation not configured\n", '...with correct error'); + +# Set up the Duo configuration. +$Wallet::Config::DUO_AGENT = $mock; +$Wallet::Config::DUO_KEY_FILE = 't/data/duo/keys.json'; + +# Test creating an integration. +note ('Test creating an integration'); +my $expected = { + name => 'test (radius)', + notes => 'Managed by wallet', + type => 'radius', +}; +$mock->expect ( + { + method => 'POST', + uri => '/admin/v1/integrations', + content => $expected, + response_file => 't/data/duo/integration-radius.json', + } +); +$object = Wallet::Object::Duo::RadiusProxy->create ('duo-radius', 'test', + $schema, @trace); +isa_ok ($object, 'Wallet::Object::Duo::RadiusProxy'); + +# Check the metadata about the new wallet object. +$expected = <<"EOO"; + Type: duo-radius + Name: test + Duo key: DIRWIH0ZZPV4G88B37VQ + Created by: $user + Created from: $host + Created on: $date +EOO +is ($object->show, $expected, 'Show output is correct'); + +# Test retrieving the integration information. +note ('Test retrieving an integration'); +$mock->expect ( + { + method => 'GET', + uri => '/admin/v1/integrations/DIRWIH0ZZPV4G88B37VQ', + response_file => 't/data/duo/integration-radius.json', + } +); +my $data = $object->get (@trace); +ok (defined ($data), 'Retrieval succeeds'); +$expected = <<'EOO'; +[radius_server_challenge] +ikey = DIRWIH0ZZPV4G88B37VQ +skey = QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7o +api_host = example-admin.duosecurity.com +client = radius_client +EOO +is ($data, $expected, '...and integration data is correct'); + +# Ensure that we can't retrieve the object when locked. +is ($object->flag_set ('locked', @trace), 1, + 'Setting object to locked succeeds'); +is ($object->get, undef, '...and now get fails'); +is ($object->error, 'cannot get duo-radius:test: object is locked', + '...with correct error'); +is ($object->flag_clear ('locked', @trace), 1, + '...and clearing locked flag works'); + +# Create a new object by wallet type and name. +$object = Wallet::Object::Duo::RadiusProxy->new ('duo-radius', 'test', + $schema); + +# Test deleting an integration. We can't test this entirely properly because +# currently Net::Duo::Mock::Agent doesn't support stacking multiple expected +# calls and delete makes two calls. +note ('Test deleting an integration'); +$mock->expect ( + { + method => 'GET', + uri => '/admin/v1/integrations/DIRWIH0ZZPV4G88B37VQ', + response_file => 't/data/duo/integration.json', + } +); +TODO: { + local $TODO = 'Net::Duo::Mock::Agent not yet capable'; + + is ($object->destroy (@trace), 1, 'Duo object deletion succeeded'); + $object = eval { + Wallet::Object::Duo::RadiusProxy->new ('duo-radius', 'test', $schema); + }; + is ($object, undef, '...and now object cannot be retrieved'); + is ($@, "cannot find duo:test\n", '...with correct error'); +} + +# Clean up. +$admin->destroy; +END { + unlink ('wallet-db'); +} + +# Done testing. +done_testing (); diff --git a/perl/t/object/duo.t b/perl/t/object/duo.t index f73fe7e..a975597 100755 --- a/perl/t/object/duo.t +++ b/perl/t/object/duo.t @@ -108,10 +108,9 @@ $mock->expect ( my $data = $object->get (@trace); ok (defined ($data), 'Retrieval succeeds'); $expected = <<'EOO'; -[duo] -ikey = DIRWIH0ZZPV4G88B37VQ -skey = QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7o -host = example-admin.duosecurity.com +Integration key: DIRWIH0ZZPV4G88B37VQ +Secret key: QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7o +Host: example-admin.duosecurity.com EOO is ($data, $expected, '...and integration data is correct'); -- cgit v1.2.3 From 0e39650c6a831987057a8a9ed615dc3023fcab4a Mon Sep 17 00:00:00 2001 From: Jon Robertson Date: Mon, 13 Oct 2014 22:28:30 -0700 Subject: Added Duo RDP object to the wallet Change-Id: Ic728297fa830ffdd40c1580e32a81f8c5123f66a --- perl/lib/Wallet/Admin.pm | 3 +- perl/lib/Wallet/Object/Duo/RDP.pm | 204 +++++++++++++++++++++++++++++++++++ perl/t/data/duo/integration-rdp.json | 11 ++ perl/t/object/duo-rdp.t | 158 +++++++++++++++++++++++++++ 4 files changed, 375 insertions(+), 1 deletion(-) create mode 100644 perl/lib/Wallet/Object/Duo/RDP.pm create mode 100644 perl/t/data/duo/integration-rdp.json create mode 100644 perl/t/object/duo-rdp.t (limited to 'perl/lib/Wallet/Object') diff --git a/perl/lib/Wallet/Admin.pm b/perl/lib/Wallet/Admin.pm index 381ffc9..8120e9c 100644 --- a/perl/lib/Wallet/Admin.pm +++ b/perl/lib/Wallet/Admin.pm @@ -126,9 +126,10 @@ sub default_data { # types default rows. my @record = ([ qw/ty_name ty_class/ ], [ 'duo', 'Wallet::Object::Duo' ], + [ 'duo-ldap', 'Wallet::Object::Duo::LDAPProxy' ], [ 'duo-pam', 'Wallet::Object::Duo::PAM' ], [ 'duo-radius', 'Wallet::Object::Duo::RadiusProxy' ], - [ 'duo-ldap', 'Wallet::Object::Duo::LDAPProxy' ], + [ 'duo-rdp', 'Wallet::Object::Duo::RDP' ], [ 'file', 'Wallet::Object::File' ], [ 'keytab', 'Wallet::Object::Keytab' ], [ 'wa-keyring', 'Wallet::Object::WAKeyring' ]); diff --git a/perl/lib/Wallet/Object/Duo/RDP.pm b/perl/lib/Wallet/Object/Duo/RDP.pm new file mode 100644 index 0000000..4e7ff04 --- /dev/null +++ b/perl/lib/Wallet/Object/Duo/RDP.pm @@ -0,0 +1,204 @@ +# Wallet::Object::Duo::RDP -- Duo RDP int. object implementation for wallet +# +# Written by Russ Allbery +# Jon Robertson +# Copyright 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +############################################################################## +# Modules and declarations +############################################################################## + +package Wallet::Object::Duo::RDP; +require 5.006; + +use strict; +use warnings; +use vars qw(@ISA $VERSION); + +use JSON; +use Net::Duo::Admin; +use Net::Duo::Admin::Integration; +use Perl6::Slurp qw(slurp); +use Wallet::Config (); +use Wallet::Object::Duo; + +@ISA = qw(Wallet::Object::Duo); + +# This version should be increased on any code change to this module. Always +# use two digits for the minor version with a leading zero if necessary so +# that it will sort properly. +$VERSION = '0.01'; + +############################################################################## +# Core methods +############################################################################## + +# Override create to provide the specific Duo integration type that will be +# used in the remote Duo record. +sub create { + my ($class, $type, $name, $schema, $creator, $host, $time) = @_; + + $time ||= time; + my $self = $class->SUPER::create ($type, $name, $schema, $creator, $host, + $time, 'rdp'); + return $self; +} + +# Override get to output the data in a specific format used by Duo's RDP +# module. +sub get { + my ($self, $user, $host, $time) = @_; + $time ||= time; + + # Check that the object isn't locked. + my $id = $self->{type} . ':' . $self->{name}; + if ($self->flag_check ('locked')) { + $self->error ("cannot get $id: object is locked"); + return; + } + + # Retrieve the integration from Duo. + my $key; + eval { + my %search = (du_name => $self->{name}); + my $row = $self->{schema}->resultset ('Duo')->find (\%search); + $key = $row->get_column ('du_key'); + }; + if ($@) { + $self->error ($@); + return; + } + my $integration = Net::Duo::Admin::Integration->new ($self->{duo}, $key); + + # We also need the admin server name, which we can get from the Duo object + # configuration with a bit of JSON decoding. + my $json = JSON->new->utf8 (1)->relaxed (1); + my $config = $json->decode (scalar slurp $Wallet::Config::DUO_KEY_FILE); + + # Construct the returned file. + my $output; + $output .= "Integration key: $key\n"; + $output .= 'Secret key: ' . $integration->secret_key . "\n"; + $output .= "Host: $config->{api_hostname}\n"; + + # Log the action and return. + $self->log_action ('get', $user, $host, $time); + return $output; +} + +1; +__END__ + +############################################################################## +# Documentation +############################################################################## + +=for stopwords +Allbery Duo integration DBH keytab + +=head1 NAME + +Wallet::Object::Duo::RDP -- Duo RDP int. object implementation for wallet + +=head1 SYNOPSIS + + my @name = qw(duo-rdp host.example.com); + my @trace = ($user, $host, time); + my $object = Wallet::Object::Duo::RDP->create (@name, $schema, @trace); + my $config = $object->get (@trace); + $object->destroy (@trace); + +=head1 DESCRIPTION + +Wallet::Object::Duo::RDP is a representation of Duo integrations with +the wallet, specifically to output Duo integrations to set up an RDP +integration. This can be used to set up remote logins, or all Windows +logins period if so selected in Duo's software. It implements the +wallet object API and provides the necessary glue to create a Duo +integration, return a configuration file containing the key and API +information for that integration, and delete the integration from Duo +when the wallet object is destroyed. + +Because the Duo RDP software is configured by a GUI, the information +returned for a get operation is a simple set that's readable but not +useful for directly plugging into a config file. The values would need +to be cut and pasted into the GUI. + +This object can be retrieved repeatedly without changing the secret key, +matching Duo's native behavior with integrations. To change the keys of +the integration, delete it and recreate it. + +To use this object, at least one configuration parameter must be set. See +L for details on supported configuration parameters and +information about how to set wallet configuration. + +=head1 METHODS + +This object mostly inherits from Wallet::Object::Duo. See the +documentation for that class for all generic methods. Below are only +those methods that are overridden or behave specially for this +implementation. + +=over 4 + +=item create(TYPE, NAME, DBH, PRINCIPAL, HOSTNAME [, DATETIME]) + +This will override the Wallet::Object::Duo class with the information +needed to create a specific integration type in Duo. It creates a new +object with the given TYPE and NAME (TYPE is normally C and must +be for the rest of the wallet system to use the right class, but this +module doesn't check for ease of subclassing), using DBH as the handle +to the wallet metadata database. PRINCIPAL, HOSTNAME, and DATETIME are +stored as history information. PRINCIPAL should be the user who is +creating the object. If DATETIME isn't given, the current time is +used. + +When a new Duo integration object is created, a new integration will be +created in the configured Duo account and the integration key will be +stored in the wallet object. If the integration already exists, create() +will fail. + +If create() fails, it throws an exception. + +=item get(PRINCIPAL, HOSTNAME [, DATETIME]) + +Retrieves the configuration information for the Duo integration and +returns that information in the format expected by the configuration file +for the Duo UNIX integration. Returns undef on failure. The caller +should call error() to get the error message if get() returns undef. + +The returned configuration look look like: + + Integration key: + Secret key: + Host: + +The C parameter will be taken from the configuration file pointed +to by the DUO_KEY_FILE configuration variable. + +PRINCIPAL, HOSTNAME, and DATETIME are stored as history information. +PRINCIPAL should be the user who is downloading the keytab. If DATETIME +isn't given, the current time is used. + +=back + +=head1 LIMITATIONS + +Only one Duo account is supported for a given wallet implementation. + +=head1 SEE ALSO + +Net::Duo(3), Wallet::Config(3), Wallet::Object::Duo(3), wallet-backend(8) + +This module is part of the wallet system. The current version is +available from L. + +=head1 AUTHORS + +Russ Allbery +Jon Robertson + +=cut diff --git a/perl/t/data/duo/integration-rdp.json b/perl/t/data/duo/integration-rdp.json new file mode 100644 index 0000000..28e925f --- /dev/null +++ b/perl/t/data/duo/integration-rdp.json @@ -0,0 +1,11 @@ +{ + "enroll_policy": "enroll", + "greeting": "", + "groups_allowed": [], + "integration_key": "DIRWIH0ZZPV4G88B37VQ", + "name": "Integration for Radius proxy", + "notes": "", + "secret_key": "QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7o", + "type": "rdp", + "visual_style": "default" +} diff --git a/perl/t/object/duo-rdp.t b/perl/t/object/duo-rdp.t new file mode 100644 index 0000000..9b2d566 --- /dev/null +++ b/perl/t/object/duo-rdp.t @@ -0,0 +1,158 @@ +#!/usr/bin/perl +# +# Tests for the Duo RDP integration object implementation. +# +# Written by Russ Allbery +# Copyright 2014 +# The Board of Trustees of the Leland Stanford Junior University +# +# See LICENSE for licensing terms. + +use strict; +use warnings; + +use POSIX qw(strftime); +use Test::More; + +BEGIN { + eval 'use Net::Duo'; + plan skip_all => 'Net::Duo required for testing duo' + if $@; + eval 'use Net::Duo::Mock::Agent'; + plan skip_all => 'Net::Duo::Mock::Agent required for testing duo' + if $@; +} + +BEGIN { + use_ok('Wallet::Admin'); + use_ok('Wallet::Config'); + use_ok('Wallet::Object::Duo::RDP'); +} + +use lib 't/lib'; +use Util; + +# Some global defaults to use. +my $user = 'admin@EXAMPLE.COM'; +my $host = 'localhost'; +my @trace = ($user, $host, time); +my $date = strftime ('%Y-%m-%d %H:%M:%S', localtime $trace[2]); + +# Flush all output immediately. +$| = 1; + +# Use Wallet::Admin to set up the database. +db_setup; +my $admin = eval { Wallet::Admin->new }; +is ($@, '', 'Database connection succeeded'); +is ($admin->reinitialize ($user), 1, 'Database initialization succeeded'); +my $schema = $admin->schema; + +# Create a mock object to use for Duo calls. +my $mock = Net::Duo::Mock::Agent->new ({ key_file => 't/data/duo/keys.json' }); + +# Test error handling in the absence of configuration. +my $object = eval { + Wallet::Object::Duo::RDP->new ('duo-rdp', 'test', $schema); +}; +is ($object, undef, 'Wallet::Object::Duo::RDP new with no config failed'); +is ($@, "duo object implementation not configured\n", '...with correct error'); +$object = eval { + Wallet::Object::Duo::RDP->create ('duo-rdp', 'test', $schema, @trace); +}; +is ($object, undef, 'Wallet::Object::Duo::RDP creation with no config failed'); +is ($@, "duo object implementation not configured\n", '...with correct error'); + +# Set up the Duo configuration. +$Wallet::Config::DUO_AGENT = $mock; +$Wallet::Config::DUO_KEY_FILE = 't/data/duo/keys.json'; + +# Test creating an integration. +note ('Test creating an integration'); +my $expected = { + name => 'test (rdp)', + notes => 'Managed by wallet', + type => 'rdp', +}; +$mock->expect ( + { + method => 'POST', + uri => '/admin/v1/integrations', + content => $expected, + response_file => 't/data/duo/integration-rdp.json', + } +); +$object = Wallet::Object::Duo::RDP->create ('duo-rdp', 'test', $schema, + @trace); +isa_ok ($object, 'Wallet::Object::Duo::RDP'); + +# Check the metadata about the new wallet object. +$expected = <<"EOO"; + Type: duo-rdp + Name: test + Duo key: DIRWIH0ZZPV4G88B37VQ + Created by: $user + Created from: $host + Created on: $date +EOO +is ($object->show, $expected, 'Show output is correct'); + +# Test retrieving the integration information. +note ('Test retrieving an integration'); +$mock->expect ( + { + method => 'GET', + uri => '/admin/v1/integrations/DIRWIH0ZZPV4G88B37VQ', + response_file => 't/data/duo/integration-rdp.json', + } +); +my $data = $object->get (@trace); +ok (defined ($data), 'Retrieval succeeds'); +$expected = <<'EOO'; +Integration key: DIRWIH0ZZPV4G88B37VQ +Secret key: QO4ZLqQVRIOZYkHfdPDORfcNf8LeXIbCWwHazY7o +Host: example-admin.duosecurity.com +EOO +is ($data, $expected, '...and integration data is correct'); + +# Ensure that we can't retrieve the object when locked. +is ($object->flag_set ('locked', @trace), 1, + 'Setting object to locked succeeds'); +is ($object->get, undef, '...and now get fails'); +is ($object->error, 'cannot get duo-rdp:test: object is locked', + '...with correct error'); +is ($object->flag_clear ('locked', @trace), 1, + '...and clearing locked flag works'); + +# Create a new object by wallet type and name. +$object = Wallet::Object::Duo::RDP->new ('duo-rdp', 'test', $schema); + +# Test deleting an integration. We can't test this entirely properly because +# currently Net::Duo::Mock::Agent doesn't support stacking multiple expected +# calls and delete makes two calls. +note ('Test deleting an integration'); +$mock->expect ( + { + method => 'GET', + uri => '/admin/v1/integrations/DIRWIH0ZZPV4G88B37VQ', + response_file => 't/data/duo/integration-rdp.json', + } +); +TODO: { + local $TODO = 'Net::Duo::Mock::Agent not yet capable'; + + is ($object->destroy (@trace), 1, 'Duo object deletion succeeded'); + $object = eval { Wallet::Object::Duo::RDP->new ('duo-rdp', 'test', + $schema) }; + is ($object, undef, '...and now object cannot be retrieved'); + is ($@, "cannot find duo:test\n", '...with correct error'); +} + +# Clean up. +$admin->destroy; +END { + unlink ('wallet-db'); +} + +# Done testing. +done_testing (); -- cgit v1.2.3 From 44df8ab537e13c4bb41d0d1c85d4a42891c6ea12 Mon Sep 17 00:00:00 2001 From: Jon Robertson Date: Mon, 13 Oct 2014 22:35:23 -0700 Subject: Wallet::Object::Duo: Respect new type field in Duo table Make all the searches and creations for the Duo table add or search for the type field as well. This avoids one Duo type clobbering another for the same object name. Change-Id: I62192c3616f43c7acd8ce3f94db8a0e43e77e317 --- perl/lib/Wallet/Object/Duo.pm | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'perl/lib/Wallet/Object') diff --git a/perl/lib/Wallet/Object/Duo.pm b/perl/lib/Wallet/Object/Duo.pm index 168ec8b..d08294b 100644 --- a/perl/lib/Wallet/Object/Duo.pm +++ b/perl/lib/Wallet/Object/Duo.pm @@ -41,7 +41,9 @@ sub attr_show { my $output = ''; my $key; eval { - my %search = (du_name => $self->{name}); + my %search = (du_name => $self->{name}, + du_type => $self->{type}, + ); my $row = $self->{schema}->resultset ('Duo')->find (\%search); $key = $row->get_column ('du_key'); }; @@ -122,6 +124,7 @@ sub create { eval { my %record = ( du_name => $name, + du_type => $type, du_key => $integration->integration_key, ); $self->{schema}->resultset ('Duo')->create (\%record); @@ -148,7 +151,9 @@ sub destroy { my $schema = $self->{schema}; my $guard = $schema->txn_scope_guard; eval { - my %search = (du_name => $self->{name}); + my %search = (du_name => $self->{name}, + du_type => $self->{type}, + ); my $row = $schema->resultset ('Duo')->find (\%search); my $key = $row->get_column ('du_key'); my $int = Net::Duo::Admin::Integration->new ($self->{duo}, $key); @@ -179,7 +184,9 @@ sub get { # Retrieve the integration from Duo. my $key; eval { - my %search = (du_name => $self->{name}); + my %search = (du_name => $self->{name}, + du_type => $self->{type}, + ); my $row = $self->{schema}->resultset ('Duo')->find (\%search); $key = $row->get_column ('du_key'); }; -- cgit v1.2.3 From 1381f2e0d0bb2edfa4b52c9926c57b22379ee248 Mon Sep 17 00:00:00 2001 From: Jon Robertson Date: Tue, 14 Oct 2014 17:06:43 -0700 Subject: Added rename support for file objects File objects now support a rename command, which will rename the object and move the file to the right spot in the file store under its new name. Change-Id: I10ea2b8012586d69f0894905cfba54a738f3e418 --- perl/lib/Wallet/Object/Base.pm | 2 +- perl/lib/Wallet/Object/File.pm | 52 +++++++++++++++++++++++++++++++++++++++++- perl/lib/Wallet/Server.pm | 46 +++++++++++++++++++++++++++++++++++++ perl/t/object/file.t | 10 ++++++-- 4 files changed, 106 insertions(+), 4 deletions(-) (limited to 'perl/lib/Wallet/Object') diff --git a/perl/lib/Wallet/Object/Base.pm b/perl/lib/Wallet/Object/Base.pm index a6a78bf..bdd61fb 100644 --- a/perl/lib/Wallet/Object/Base.pm +++ b/perl/lib/Wallet/Object/Base.pm @@ -187,7 +187,7 @@ sub log_set { } my %fields = map { $_ => 1 } qw(owner acl_get acl_store acl_show acl_destroy acl_flags expires - comment flags type_data); + comment flags type_data name); unless ($fields{$field}) { die "invalid history field $field"; } diff --git a/perl/lib/Wallet/Object/File.pm b/perl/lib/Wallet/Object/File.pm index 1ff1288..65fe40e 100644 --- a/perl/lib/Wallet/Object/File.pm +++ b/perl/lib/Wallet/Object/File.pm @@ -18,6 +18,7 @@ use warnings; use vars qw(@ISA $VERSION); use Digest::MD5 qw(md5_hex); +use File::Copy qw(move); use Wallet::Config (); use Wallet::Object::Base; @@ -55,6 +56,55 @@ sub file_path { return "$Wallet::Config::FILE_BUCKET/$hash/$name"; } +# Rename a file object. This includes renaming both the object itself, and +# updating the file location for that object. +sub rename { + my ($self, $new_name, $user, $host, $time) = @_; + $time ||= time; + + my $old_name = $self->{name}; + my $type = $self->{type}; + my $schema = $self->{schema}; + my $old_path = $self->file_path; + + eval { + + # Find the current object record. + my $guard = $schema->txn_scope_guard; + my %search = (ob_type => $type, + ob_name => $old_name); + my $object = $schema->resultset('Object')->find (\%search); + die "cannot find ${type}:${old_name}\n" + unless ($object and $object->ob_name eq $old_name); + + # Update the object name but don't yet commit. + $object->ob_name ($new_name); + + # Update the file to the path for the new name, and die if we can't. + $self->{name} = $new_name; + my $new_path = $self->file_path; + move($old_path, $new_path) or die $!; + + $object->update; + $guard->commit; + }; + if ($@) { + $self->{name} = $old_name; + $self->error ("cannot rename object $type $old_name: $!"); + return; + } + + eval { + $self->log_set ('name', $old_name, $new_name, $user, $host, $time); + }; + if ($@) { + $self->error ("object $type $old_name was renamed but not logged: $!"); + return 1; + } + + return 1; +} + ############################################################################## # Core methods ############################################################################## @@ -145,7 +195,7 @@ API HOSTNAME DATETIME keytab remctld backend nul Allbery wallet-backend my @name = qw(file mysql-lsdb) my @trace = ($user, $host, time); - my $object = Wallet::Object::Keytab->create (@name, $schema, @trace); + my $object = Wallet::Object::File->create (@name, $schema, @trace); unless ($object->store ("the-password\n")) { die $object->error, "\n"; } diff --git a/perl/lib/Wallet/Server.pm b/perl/lib/Wallet/Server.pm index 95fd4e6..34075ed 100644 --- a/perl/lib/Wallet/Server.pm +++ b/perl/lib/Wallet/Server.pm @@ -244,6 +244,52 @@ sub autocreate { return 1; } +# Rename an object. We validate that the new name also falls within naming +# constraints, then need to change all references to that. If any updates +# fail, we'll revert the entire commit. +sub rename { + my ($self, $type, $name, $new_name) = @_; + + my $schema = $self->{schema}; + my $user = $self->{user}; + my $host = $self->{host}; + + # Currently we only can rename file objects. + if (type ne 'file') { + $self->error ('rename is only supported for file objects'); + return; + } + + # Validate the new name. + if (defined (&Wallet::Config::verify_name)) { + my $error = Wallet::Config::verify_name ($type, $new_name, $user); + if ($error) { + $self->error ("${type}:${name} rejected: $error"); + return; + } + } + + # Get the object and error if it does not already exist. + my $class = $self->type_mapping ($type); + unless ($class) { + $self->error ("unknown object type $type"); + return; + } + my $object = eval { $class->new ($type, $name, $schema) }; + if ($@) { + $self->error ($@); + return; + } + + # Rename the object. + $object = eval { $class->rename ($type, $name, $schema, $user, $host) }; + if ($@) { + $self->error ($@); + return; + } + return $object; +} + # Given the name and type of an object, returns a Perl object representing it # or returns undef and sets the internal error. sub retrieve { diff --git a/perl/t/object/file.t b/perl/t/object/file.t index 201f46d..b7f295a 100755 --- a/perl/t/object/file.t +++ b/perl/t/object/file.t @@ -12,7 +12,7 @@ use strict; use warnings; use POSIX qw(strftime); -use Test::More tests => 56; +use Test::More tests => 60; use Wallet::Admin; use Wallet::Config; @@ -101,9 +101,15 @@ is ($object->error, 'data exceeds maximum of 1024 bytes', is ($object->store ('', @trace), 1, 'Storing the empty object works'); is ($object->get (@trace), '', ' and get returns the right thing'); +# Test renaming a file object. +is ($object->rename ('test-rename', @trace), 1, 'Renaming the object works'); +is ($object->{name}, 'test-rename', ' and the object is renamed'); +ok (-f 'test-files/2b/test-rename', ' and the file is in the new location'); +ok (! -f 'test-files/09/test', ' and nothing is in the old location'); + # Test destruction. is ($object->destroy (@trace), 1, 'Destroying the object works'); -ok (! -f 'test-files/09/test', ' and the file is gone'); +ok (! -f 'test-files/2b/test-rename', ' and the file is gone'); # Now try some aggressive names. $object = eval { -- cgit v1.2.3 From f0d6302bbc5fd477236e3c5ea2193a17ef405bba Mon Sep 17 00:00:00 2001 From: Jon Robertson Date: Tue, 14 Oct 2014 17:06:43 -0700 Subject: Added rename support for file objects File objects now support a rename command, which will rename the object and move the file to the right spot in the file store under its new name. Change-Id: I10ea2b8012586d69f0894905cfba54a738f3e418 --- perl/lib/Wallet/Object/File.pm | 10 +++++++--- perl/lib/Wallet/Server.pm | 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-) (limited to 'perl/lib/Wallet/Object') diff --git a/perl/lib/Wallet/Object/File.pm b/perl/lib/Wallet/Object/File.pm index 65fe40e..226e32c 100644 --- a/perl/lib/Wallet/Object/File.pm +++ b/perl/lib/Wallet/Object/File.pm @@ -81,9 +81,13 @@ sub rename { $object->ob_name ($new_name); # Update the file to the path for the new name, and die if we can't. - $self->{name} = $new_name; - my $new_path = $self->file_path; - move($old_path, $new_path) or die $!; + # If the old path isn't there, then assume we haven't yet stored and + # keep going. + if ($old_path) { + $self->{name} = $new_name; + my $new_path = $self->file_path; + move($old_path, $new_path) or die $!; + } $object->update; $guard->commit; diff --git a/perl/lib/Wallet/Server.pm b/perl/lib/Wallet/Server.pm index 34075ed..f6ea342 100644 --- a/perl/lib/Wallet/Server.pm +++ b/perl/lib/Wallet/Server.pm @@ -255,7 +255,7 @@ sub rename { my $host = $self->{host}; # Currently we only can rename file objects. - if (type ne 'file') { + if ($type ne 'file') { $self->error ('rename is only supported for file objects'); return; } @@ -282,7 +282,7 @@ sub rename { } # Rename the object. - $object = eval { $class->rename ($type, $name, $schema, $user, $host) }; + eval { $object->rename ($new_name, $schema, $user, $host) }; if ($@) { $self->error ($@); return; -- cgit v1.2.3