1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
|
package Bugzilla::DuoAPI;
use strict;
use warnings;
our $VERSION = '1.0';
=head1 NAME
Duo::API - Reference client to call Duo Security's API methods.
=head1 SYNOPSIS
use Duo::API;
my $client = Duo::API->new('INTEGRATION KEY', 'SECRET KEY', 'HOSTNAME');
my $res = $client->json_api_call('GET', '/auth/v2/check', {});
=head1 SEE ALSO
Duo for Developers: L<https://www.duosecurity.com/api>
=head1 COPYRIGHT
Copyright (c) 2013 Duo Security
This program is free software; you can redistribute it and/or modify
it under the same terms as Perl itself.
=head1 DESCRIPTION
Duo::API objects have the following methods:
=over 4
=item new($integration_key, $integration_secret_key, $api_hostname)
Returns a handle to sign and send requests. These parameters are
obtained when creating an API integration.
=item json_api_call($method, $path, \%params)
Make a request to an API endpoint with the given HTTPS method and
parameters. Returns the parsed result if successful or dies with the
error message from the Duo Security service.
=item api_call($method, $path, \%params)
Make a request without parsing the response.
=item canonicalize_params(\%params)
Serialize a parameter hash reference to a string to sign or send.
=item sign($method, $path, $canon_params, $date)
Return the Authorization header for a request. C<$canon_params> is the
string returned by L<canonicalize_params>.
=back
=cut
use CGI qw();
use Carp qw(croak);
use Digest::HMAC_SHA1 qw(hmac_sha1_hex);
use JSON qw(decode_json);
use LWP::UserAgent;
use MIME::Base64 qw(encode_base64);
use POSIX qw(strftime);
sub new {
my($proto, $ikey, $skey, $host) = @_;
my $class = ref($proto) || $proto;
my $self = {
'ikey' => $ikey,
'skey' => $skey,
'host' => $host,
};
bless($self, $class);
return $self;
}
sub canonicalize_params {
my ($self, $params) = @_;
my @ret;
while (my ($k, $v) = each(%{$params})) {
push(@ret, join('=', CGI::escape($k), CGI::escape($v)));
}
return join('&', sort(@ret));
}
sub sign {
my ($self, $method, $path, $canon_params, $date) = @_;
my $canon = join("\n",
$date,
uc($method),
lc($self->{'host'}),
$path,
$canon_params);
my $sig = hmac_sha1_hex($canon, $self->{'skey'});
my $auth = join(':',
$self->{'ikey'},
$sig);
$auth = 'Basic ' . encode_base64($auth, '');
return $auth;
}
sub api_call {
my ($self, $method, $path, $params) = @_;
$params ||= {};
my $canon_params = $self->canonicalize_params($params);
my $date = strftime('%a, %d %b %Y %H:%M:%S -0000',
gmtime(time()));
my $auth = $self->sign($method, $path, $canon_params, $date);
my $ua = LWP::UserAgent->new();
my $req = HTTP::Request->new();
$req->method($method);
$req->protocol('HTTP/1.1');
$req->header('If-SSL-Cert-Subject' => qr{CN=[^=]+\.duosecurity.com$});
$req->header('Authorization' => $auth);
$req->header('Date' => $date);
$req->header('Host' => $self->{'host'});
if (grep(/^$method$/, qw(POST PUT))) {
$req->header('Content-type' => 'application/x-www-form-urlencoded');
$req->content($canon_params);
}
else {
$path .= '?' . $canon_params;
}
$req->uri('https://' . $self->{'host'} . $path);
if ($ENV{'DEBUG'}) {
print STDERR $req->as_string();
}
my $res = $ua->request($req);
return $res;
}
sub json_api_call {
my $self = shift;
my $res = $self->api_call(@_);
my $json = $res->content();
if ($json !~ /^{/) {
croak($json);
}
my $ret = decode_json($json);
if (($ret->{'stat'} || '') ne 'OK') {
my $msg = join('',
'Error ', $ret->{'code'}, ': ', $ret->{'message'});
if (defined($ret->{'message_detail'})) {
$msg .= ' (' . $ret->{'message_detail'} . ')';
}
croak($msg);
}
return $ret->{'response'};
}
1;
|