From 14bb07ab010b0e38e6afb6d1f7976819477f396b Mon Sep 17 00:00:00 2001
From: Byron Jones <glob@mozilla.com>
Date: Mon, 23 Nov 2015 14:46:59 +0800
Subject: Bug 1225366 - allow duo authentication for users already enrolled
 with duo

---
 Bugzilla/MFA/Duo.pm | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

(limited to 'Bugzilla/MFA')

diff --git a/Bugzilla/MFA/Duo.pm b/Bugzilla/MFA/Duo.pm
index 4c9aa1184..91096689f 100644
--- a/Bugzilla/MFA/Duo.pm
+++ b/Bugzilla/MFA/Duo.pm
@@ -9,6 +9,7 @@ package Bugzilla::MFA::Duo;
 use strict;
 use parent 'Bugzilla::MFA';
 
+use Bugzilla::DuoAPI;
 use Bugzilla::DuoWeb;
 use Bugzilla::Error;
 
@@ -19,6 +20,23 @@ sub can_verify_inline {
 sub enroll {
     my ($self, $params) = @_;
 
+    # verify that the user is enrolled with duo
+    my $client = Bugzilla::DuoAPI->new(
+        Bugzilla->params->{duo_ikey},
+        Bugzilla->params->{duo_skey},
+        Bugzilla->params->{duo_host}
+    );
+    my $response = $client->json_api_call('POST', '/auth/v2/preauth', { username => $params->{username} });
+
+    # not enrolled - show a nice error page instead of just throwing
+    unless ($response->{result} eq 'auth' || $response->{result} eq 'allow') {
+        print Bugzilla->cgi->header();
+        my $template = Bugzilla->template;
+        $template->process('mfa/duo/not_enrolled.html.tmpl', { email => $params->{username} })
+            || ThrowTemplateError($template->error());
+        exit;
+    }
+
     $self->property_set('user', $params->{username});
 }
 
-- 
cgit v1.2.3-24-g4f1b