diff options
author | Jon Oberheide <jon@oberheide.org> | 2011-11-01 13:16:36 -0400 |
---|---|---|
committer | Jon Oberheide <jon@oberheide.org> | 2011-11-01 13:16:36 -0400 |
commit | c25ef04f318142fc5f0f37035b1d1a954aebe29f (patch) | |
tree | fa0578f1b29aa857dfda7b90f1df23c9d12dcece /duo_openvpn.py | |
parent | d0bee24da4f193b0b570055e363147f50ba84a16 (diff) | |
download | openvpn-duo-plugin-c25ef04f318142fc5f0f37035b1d1a954aebe29f.tar.gz openvpn-duo-plugin-c25ef04f318142fc5f0f37035b1d1a954aebe29f.zip |
add c plugin wrapper to allow deferred plugin responses
Diffstat (limited to 'duo_openvpn.py')
-rwxr-xr-x | duo_openvpn.py | 79 |
1 files changed, 51 insertions, 28 deletions
diff --git a/duo_openvpn.py b/duo_openvpn.py index 3a7424d..d7d238e 100755 --- a/duo_openvpn.py +++ b/duo_openvpn.py @@ -7,10 +7,6 @@ import os, sys, urllib, hashlib, httplib, hmac, base64, json, syslog -IKEY = '' -SKEY = '' -HOST = '' - API_RESULT_AUTH = 'auth' API_RESULT_ALLOW = 'allow' API_RESULT_DENY = 'deny' @@ -69,20 +65,38 @@ def log(msg): msg = 'Duo OpenVPN: %s' % msg syslog.syslog(msg) -def preauth(username): +def success(control): + log('writing success code to %s' % control) + + f = open(control, 'w') + f.write('1') + f.close() + + sys.exit(0) + +def failure(control): + log('writing failure code to %s' % control) + + f = open(control, 'w') + f.write('0') + f.close() + + sys.exit(1) + +def preauth(ikey, skey, host, control, username): log('pre-authentication for %s' % username) args = { 'user': username, } - response = api(IKEY, SKEY, HOST, 'POST', '/rest/v1/preauth', **args) + response = api(ikey, skey, host, 'POST', '/rest/v1/preauth', **args) result = response.get('result') if not result: log('invalid API response: %s' % response) - sys.exit(1) + failure(control) if result == API_RESULT_AUTH: return @@ -91,22 +105,22 @@ def preauth(username): if not status: log('invalid API response: %s' % response) - sys.exit(1) + failure(control) if result == API_RESULT_ENROLL: log('user %s is not enrolled: %s' % (username, status)) - sys.exit(1) + failure(control) elif result == API_RESULT_DENY: log('preauth failure for %s: %s' % (username, status)) - sys.exit(1) + failure(control) elif result == API_RESULT_ALLOW: log('preauth success for %s: %s' % (username, status)) - sys.exit(0) + success(control) else: log('unknown preauth result: %s' % result) - sys.exit(1) + failure(control) -def auth(username, password, ipaddr): +def auth(ikey, skey, host, control, username, password, ipaddr): log('authentication for %s' % username) args = { @@ -116,47 +130,56 @@ def auth(username, password, ipaddr): 'ipaddr': ipaddr } - response = api(IKEY, SKEY, HOST, 'POST', '/rest/v1/auth', **args) + response = api(ikey, skey, host, 'POST', '/rest/v1/auth', **args) result = response.get('result') status = response.get('status') if not result or not status: log('invalid API response: %s' % response) - sys.exit(1) + failure(control) if result == API_RESULT_ALLOW: log('auth success for %s: %s' % (username, status)) - sys.exit(0) + success(control) elif result == API_RESULT_DENY: log('auth failure for %s: %s' % (username, status)) - sys.exit(1) + failure(control) else: log('unknown auth result: %s' % result) - sys.exit(1) + failure(control) def main(): - username = os.environ.get('common_name') + ikey = os.environ.get('ikey') + skey = os.environ.get('skey') + host = os.environ.get('host') + + if not ikey or not skey or not host: + log('required ikey/skey/host configuration parameters not found') + failure(control) + + control = os.environ.get('control') + username = os.environ.get('username') password = os.environ.get('password') - ipaddr = os.environ.get('untrusted_ip', '0.0.0.0') + ipaddr = os.environ.get('ipaddr', '0.0.0.0') - if not username or not password: - log('environment variables not found') - sys.exit(1) + if not control or not username or not password: + log('required environment variables not found') + failure(control) try: - preauth(username) + preauth(ikey, skey, host, control, username) except Exception, e: log(str(e)) - sys.exit(1) + failure(control) try: - auth(username, password, ipaddr) + auth(ikey, skey, host, control, username, password, ipaddr) except Exception, e: log(str(e)) - sys.exit(1) + failure(control) - sys.exit(1) + failure(control) if __name__ == '__main__': main() |