Suppot Duo for MFA

nathan-v · nathan-v · commit ba02715409fa · 2018-03-08T10:49:43.000-08:00
Duo MFA:
* Uses local on-box webserver to serve Duo iFrame web UI
* Why: Web interface currently required for Duo&lt;-&gt;Okta
* Webserver is opened in a process which closes itself; no zombies
* Webserver binds to 127.0.0.1 to prevent access by other hosts on network
* Does not add any new dependencies

Other:
* Adds support for Okta Verify to time out and exit rather than being in a permanent loop
* Fixes comment typo in okta.py
* Change sleep to 0 during testing; no need for the 100ms waits
* Exclude Python 2/3 import switches from code coverage
diff --git a/.coveragerc b/.coveragerc
@@ -2,4 +2,5 @@
 show_missing = True
 
 exclude_lines =
+    pragma: no cover
     if __name__ == .__main__.:
diff --git a/.gitignore b/.gitignore
@@ -10,3 +10,4 @@ nd_okta_auth.egg-info
 .idea/
 build/
 htmlcov/
+__pycache__
diff --git a/nd_okta_auth/duo.py b/nd_okta_auth/duo.py
@@ -0,0 +1,66 @@
+from multiprocessing import Process
+import sys
+import time
+if sys.version_info[0] < 3:  # pragma: no cover
+    from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+else:
+    from http.server import HTTPServer, BaseHTTPRequestHandler
+
+
+class QuietHandler(BaseHTTPRequestHandler, object):
+    '''
+    We have to do this HTTP sever siliness because the Duo widget has to be
+    presented over HTTP or HTTPS or the callback won't work.
+    '''
+    def __init__(self, html, *args):
+        self.html = html
+        super(QuietHandler, self).__init__(*args)
+
+    def log_message(self, _format, *args):
+        # This quiets the server log to prevent request logging in the terminal
+        pass
+
+    def do_GET(self):
+        self.send_response(200)
+        self.send_header('Content-type', 'text/html')
+        self.end_headers()
+        self.wfile.write(self.html.encode('utf-8'))
+        return
+
+
+class Duo:
+    def __init__(self, details, state_token):
+        self.details = details
+        self.token = state_token
+        self.html = None
+
+    def trigger_duo(self):
+        host = self.details['host']
+        sig = self.details['signature']
+        script = self.details['_links']['script']['href']
+        callback = self.details['_links']['complete']['href']
+
+        self.html = '''<p style="text-align:center">You may close this
+         after the next page loads successfully</p>
+        <iframe id="duo_iframe" style="margin: 0 auto;display:block;"
+        width="620" height="330" frameborder="0"></iframe>
+        <form method="POST" id="duo_form" action="{cb}">
+        <input type="hidden" name="stateToken" value="{tkn}" /></form>
+        <script src="{scr}"></script><script>Duo.init(
+          {{'host': '{hst}','sig_request': '{sig}','post_action': '{cb}'}}
+        );</script>'''.format(tkn=self.token, scr=script,
+                              hst=host, sig=sig,
+                              cb=callback)
+
+        p = Process(target=self.duo_webserver)
+        p.start()
+        time.sleep(10)
+        p.terminate()
+
+    def duo_webserver(self):
+        server_address = ('127.0.0.1', 65432)
+        httpd = HTTPServer(server_address, self.handler_with_html)
+        httpd.serve_forever()
+
+    def handler_with_html(self, *args):
+        QuietHandler(self.html, *args)
diff --git a/nd_okta_auth/main.py b/nd_okta_auth/main.py
@@ -156,6 +156,9 @@ def main(argv):
         while not verified:
             passcode = user_input('MFA Passcode: ')
             verified = okta_client.validate_mfa(e.fid, e.state_token, passcode)
+    except okta.UnknownError as e:
+        log.fatal('Fatal error.')
+        sys.exit(1)
 
     # Once we're authenticated with an OktaSaml client object, we can use that
     # object to get a fresh SAMLResponse repeatedly and refresh our AWS
diff --git a/nd_okta_auth/okta.py b/nd_okta_auth/okta.py
@@ -13,8 +13,11 @@
 import sys
 import bs4
 import requests
-if sys.version_info[0] < 3:  # Python 2
-    from exceptions import Exception
+import webbrowser
+from multiprocessing import Process
+from nd_okta_auth.duo import Duo
+if sys.version_info[0] < 3:  # pragma: no cover
+    from exceptions import Exception  # Python 2
 
 log = logging.getLogger(__name__)
 
@@ -158,7 +161,7 @@ def validate_mfa(self, fid, state_token, passcode):
     def okta_verify_with_push(self, fid, state_token, sleep=1):
         '''Triggers an Okta Push Verification and waits.
 
-        This metho is meant to be called by self.auth() if a Login session
+        This method is meant to be called by self.auth() if a Login session
         requires MFA, and the users profile supports Okta Push with Verify.
 
         We trigger the push, and then immediately go into a wait loop. Each
@@ -184,6 +187,57 @@ def okta_verify_with_push(self, fid, state_token, sleep=1):
                 log.error('Okta Verify Push REJECTED')
                 return False
 
+            if ret.get('factorResult', 'TIMEOUT') == 'TIMEOUT':
+                log.error('Okta Verify Push TIMEOUT')
+                return False
+
+            links = ret.get('_links')
+            ret = self._request(links['next']['href'], data)
+
+        self.set_token(ret)
+        return True
+
+    def duo_auth(self, uid, fid, state_token, sleep=1):
+        '''Triggers a Duo Auth request.
+
+        This method is meant to be called by self.auth() if a Login session
+        requires MFA, and the users profile supports Duo Web.
+
+        We set up a local web server for web auth and then open a browser for
+        the user. We then immediately go into a wait loop. Each time we loop
+        around, we pull the latest status for that push event. If it's Declined
+        we will throw an error. If its accepted, we write out our SessionToken.
+
+        Args:
+            uid: Okta user ID required by Duo
+            fid: Okta Factor ID used to trigger the push
+            state_token: State Token allowing us to trigger the push
+        '''
+        log.warning('Duo requied; opening browser...')
+        path = '/authn/factors/{fid}/verify'.format(fid=fid)
+        data = {'fid': fid,
+                'stateToken': state_token}
+        ret = self._request(path, data)
+
+        verification = ret['_embedded']['factor']['_embedded']['verification']
+        duo = Duo(verification, state_token)
+        p = Process(target=duo.trigger_duo)
+        p.start()
+        time.sleep(2)
+        webbrowser.open_new('http://127.0.0.1:65432/duo.html')
+
+        while ret['status'] != 'SUCCESS':
+            log.info('Waiting for Okta Verification...')
+            time.sleep(sleep)
+
+            if ret.get('factorResult', 'REJECTED') == 'REJECTED':
+                log.error('Duo Push REJECTED')
+                return False
+
+            if ret.get('factorResult', 'TIMEOUT') == 'TIMEOUT':
+                log.error('Duo Push TIMEOUT')
+                return False
+
             links = ret.get('_links')
             ret = self._request(links['next']['href'], data)
 
@@ -231,15 +285,21 @@ def auth(self):
 
         if status == 'MFA_REQUIRED' or status == 'MFA_CHALLENGE':
             for factor in ret['_embedded']['factors']:
-                if factor['factorType'] == 'push':
-                    try:
+                try:
+                    if factor['factorType'] == 'push':
                         if self.okta_verify_with_push(factor['id'],
                                                       ret['stateToken']):
                             return
-                    except KeyboardInterrupt:
-                        # Allow users to use MFA Passcode by
-                        # breaking out of waiting for the push.
-                        break
+                    if factor['provider'] == 'DUO':
+                        if self.duo_auth(ret['_embedded']['user']['id'],
+                                         factor['id'],
+                                         ret['stateToken']):
+                            return
+
+                except KeyboardInterrupt:
+                    # Allow users to use MFA Passcode by
+                    # breaking out of waiting for the push.
+                    break
 
             for factor in ret['_embedded']['factors']:
                 if factor['factorType'] == 'token:software:totp':
diff --git a/nd_okta_auth/test/duo_test.py b/nd_okta_auth/test/duo_test.py
@@ -0,0 +1,122 @@
+from __future__ import unicode_literals
+import sys
+import unittest
+from nd_okta_auth import duo
+if sys.version_info[0] < 3:
+    import mock  # Python 2
+    from StringIO import StringIO as IO
+else:
+    from unittest import mock  # Python 3
+    from io import BytesIO as IO
+
+DETAILS = {
+    'host': 'somehost',
+    'signature': 'somesig',
+    '_links': {
+        'script': {
+            'href': 'http://example.com/script.js'
+        },
+        'complete': {
+            'href': 'http://example.com/callback'
+        },
+    },
+}
+
+HTML = ('''<p style="text-align:center">You may close this after the\n'''
+        '''         next page loads successfully</p>\n        '''
+        '''<iframe id="duo_iframe" style="margin: 0 auto;display:block;"\n'''
+        '''        width="620" height="330" frameborder="0"></iframe>\n'''
+        '''        <form method="POST" id="duo_form" '''
+        '''action="http://example.com/callback">\n        '''
+        '''<input type="hidden" name="stateToken" value="token" /></form>\n'''
+        '''        <script src="http://example.com/script.js"></script>'''
+        '''<script>Duo.init(\n          '''
+        '''{\'host\': \'somehost\',\'sig_request\': \'somesig\','''
+        '''\'post_action\': \'http://example.com/callback\'}\n'''
+        '''        );</script>''')
+
+
+class TestDuo(unittest.TestCase):
+    def test_init_missing_args(self):
+        with self.assertRaises(TypeError):
+            duo.Duo()
+
+    def test_init_with_args(self):
+        duo_test = duo.Duo(DETAILS, 'token')
+        self.assertEquals(duo_test.details, DETAILS)
+        self.assertEquals(duo_test.token, 'token')
+
+    @mock.patch('time.sleep', return_value=None)
+    @mock.patch('nd_okta_auth.duo.Process')
+    def test_trigger_duo(self, process_mock, _sleep_mock):
+        process_mock.start.return_value = None
+
+        duo_test = duo.Duo(DETAILS, 'token')
+        duo_test.trigger_duo()
+
+        process_mock.assert_has_calls([
+            mock.call().start(),
+            mock.call().terminate(),
+
+        ])
+
+    @mock.patch('nd_okta_auth.duo.HTTPServer')
+    def test_duo_webserver(self, server_mock):
+        server_mock.return_value = mock.MagicMock()
+
+        duo_test = duo.Duo(DETAILS, 'token')
+        duo_test.duo_webserver()
+
+        server_mock.assert_has_calls([
+            mock.call(('127.0.0.1', 65432), duo_test.handler_with_html),
+            mock.call().serve_forever()
+        ])
+
+    @mock.patch('nd_okta_auth.duo.QuietHandler')
+    def test_handler(self, qh_mock):
+        duo_test = duo.Duo(DETAILS, 'token')
+        duo_test.handler_with_html('foo', 'bar', 'baz')
+
+        assert qh_mock.called
+
+        qh_mock.assert_has_calls([
+            mock.call(None, 'foo', 'bar', 'baz')
+        ])
+
+
+class TestQuietHandler(unittest.TestCase):
+    def test_init_missing_args(self):
+        with self.assertRaises(TypeError):
+            duo.QuietHandler()
+
+    def test_init_with_args(self):
+        qh_test = duo.QuietHandler(HTML, MockRequestPOST(), 'bar', 'baz')
+        self.assertEquals(qh_test.html, HTML)
+
+    def test_log_message(self):
+        qh_test = duo.QuietHandler(HTML, MockRequestPOST(), 'bar', 'baz')
+        self.assertEquals(qh_test.log_message(''), None)
+
+    def test_do_get(self):
+        mr = MockRequest()
+        duo.QuietHandler(HTML, mr, 'bar', 'baz')
+
+
+class MockRequestPOST(object):
+    def makefile(self, *args, **kwargs):
+        return IO(b"POST /")
+
+    def sendall(self, *args):
+        return None
+
+
+class MockRequest(object):
+    def __init__(self):
+        self.resp = None
+
+    def makefile(self, *args, **kwargs):
+        return IO(b"GET /")
+
+    def sendall(self, *args):
+        self.resp = args[0]
+        return None
diff --git a/nd_okta_auth/test/main_test.py b/nd_okta_auth/test/main_test.py
@@ -184,6 +184,25 @@ def test_entry_point_bad_password(self, pass_mock, config_mock, okta_mock):
         with self.assertRaises(SystemExit):
             main.main('test')
 
+    @mock.patch('nd_okta_auth.okta.OktaSaml')
+    @mock.patch('nd_okta_auth.main.get_config_parser')
+    @mock.patch('getpass.getpass')
+    def test_entry_point_okta_unknown(self, pass_mock, config_mock, okta_mock):
+        # Mock out the password getter and return a simple password
+        pass_mock.return_value = 'test_password'
+
+        # Just mock out the entire Okta object, we won't really instantiate it
+        fake_okta = mock.MagicMock(name='fake_okta')
+        fake_okta.auth.side_effect = okta.UnknownError
+        okta_mock.return_value = fake_okta
+
+        # Mock out the arguments that were passed in
+        fake_parser = mock.MagicMock(name='fake_parser')
+        config_mock.return_value = fake_parser
+
+        with self.assertRaises(SystemExit):
+            main.main('test')
+
     @mock.patch('nd_okta_auth.okta.OktaSaml')
     @mock.patch('nd_okta_auth.main.get_config_parser')
     @mock.patch('getpass.getpass')
diff --git a/nd_okta_auth/test/okta_test.py b/nd_okta_auth/test/okta_test.py
