From b36342387ca8e629b469d2a7f5c22a0083f7a5fc Mon Sep 17 00:00:00 2001
From: Adam Goodman
Date: Fri, 28 Feb 2014 11:52:09 -0500
Subject: If a password is not provided (or blank), use the user's default out-of-band factor. This makes it possible to use the 'auth-user-pass-optional' server directive.
---
 duo_openvpn.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/duo_openvpn.py b/duo_openvpn.py
index 4d91db4..1b5d8b2 100755
--- a/duo_openvpn.py
+++ b/duo_openvpn.py
@@ -311,7 +311,7 @@ def preauth(client, control, username):
 result = response.get('result')
 if result == API_RESULT_AUTH:
- return
+ return response['factors'].get('default')
 status = response.get('status')
 if not status:
@@ -364,7 +364,7 @@ def main(Client=Client, environ=os.environ):
 password = environ.get('password')
 ipaddr = environ.get('ipaddr', '0.0.0.0')
- if not control or not username or not password:
+ if not control or not username:
 log('required environment variables not found')
 sys.exit(1)
@@ -389,11 +389,18 @@ def main(Client=Client, environ=os.environ):
 )
 try:
- preauth(client, control, username)
+ default_factor = preauth(client, control, username)
 except Exception, e:
 log(str(e))
 failure(control)
+ if not (password or default_factor):
+ log('no password provided and no out-of-band factors '
+ 'available for username {0:s}'.format(username))
+ failure(control)
+ elif not password:
+ password = default_factor
+
 try:
 auth(client, control, username, password, ipaddr)
 except Exception, e:
--
cgit v1.2.3
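Review bot: In preauth(), the new `return response['factors'].get('default')` indexes `'factors'` directly while the neighbouring lines read the response with `.get()`, so an auth result that carries no `factors` entry raises KeyError. main() catches it with `except Exception` and routes to `failure(control)`, but the logged text would be only the bare key name. `return (response.get('factors') or {}).get('default')` returns None instead and lets main() log its own "no out-of-band factors available" message. preauth() now has a meaningful return value on this path, so a docstring or comment on the function (its start is outside this hunk) should state that it returns the default factor name or None.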
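Review bot: Nothing at the relaxed check in main() tells a reader that `password` was dropped from the required variables on purpose; a comment above the `if`, such as `# password is optional: a blank one selects the user's default out-of-band factor`, would keep a later edit from restoring the old test. It is also worth documenting for operators that with `auth-user-pass-optional` a connection supplying only a username now reaches preauth and can cause an out-of-band prompt to be sent to that user. Whatever check runs before this script (presumably client-certificate verification) is then what limits who can trigger such prompts. main() starts and ends outside this hunk.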
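Review bot: `default_factor` is bound only when preauth() returns, so the new `if not (password or default_factor)` in main() depends on `failure(control)` in the preceding `except` branch never returning. failure() is defined outside this hunk; if it ever returns, the result is a NameError here rather than a clean denial. Setting `default_factor = None` before the `try:` removes that dependency. A short comment above the new block, e.g. `# no password supplied: fall back to the default out-of-band factor from preauth`, would explain why `password` is overwritten before auth() is called.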