summaryrefslogtreecommitdiffstats
path: root/Bugzilla/DuoAPI.pm
blob: fb2b4ba380752f3407070f604cc30e6a5a44a49d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
package Bugzilla::DuoAPI;
use strict;
use warnings;

our $VERSION = '1.0';

=head1 NAME

Duo::API - Reference client to call Duo Security's API methods.

=head1 SYNOPSIS

 use Duo::API;
 my $client = Duo::API->new('INTEGRATION KEY', 'SECRET KEY', 'HOSTNAME');
 my $res = $client->json_api_call('GET', '/auth/v2/check', {});

=head1 SEE ALSO

Duo for Developers: L<https://www.duosecurity.com/api>

=head1 COPYRIGHT

Copyright (c) 2013 Duo Security

This program is free software; you can redistribute it and/or modify
it under the same terms as Perl itself.

=head1 DESCRIPTION

Duo::API objects have the following methods:

=over 4

=item new($integration_key, $integration_secret_key, $api_hostname)

Returns a handle to sign and send requests. These parameters are
obtained when creating an API integration.

=item json_api_call($method, $path, \%params)

Make a request to an API endpoint with the given HTTPS method and
parameters. Returns the parsed result if successful or dies with the
error message from the Duo Security service.

=item api_call($method, $path, \%params)

Make a request without parsing the response.

=item canonicalize_params(\%params)

Serialize a parameter hash reference to a string to sign or send.

=item sign($method, $path, $canon_params, $date)

Return the Authorization header for a request. C<$canon_params> is the
string returned by L<canonicalize_params>.

=back

=cut

use CGI qw();
use Carp qw(croak);
use Digest::HMAC_SHA1 qw(hmac_sha1_hex);
use JSON qw(decode_json);
use LWP::UserAgent;
use MIME::Base64 qw(encode_base64);
use POSIX qw(strftime);

sub new {
  my ($proto, $ikey, $skey, $host) = @_;
  my $class = ref($proto) || $proto;
  my $self = {'ikey' => $ikey, 'skey' => $skey, 'host' => $host,};
  bless($self, $class);
  return $self;
}

sub canonicalize_params {
  my ($self, $params) = @_;

  my @ret;
  while (my ($k, $v) = each(%{$params})) {
    push(@ret, join('=', CGI::escape($k), CGI::escape($v)));
  }
  return join('&', sort(@ret));
}

sub sign {
  my ($self, $method, $path, $canon_params, $date) = @_;
  my $canon
    = join("\n", $date, uc($method), lc($self->{'host'}), $path, $canon_params);
  my $sig = hmac_sha1_hex($canon, $self->{'skey'});
  my $auth = join(':', $self->{'ikey'}, $sig);
  $auth = 'Basic ' . encode_base64($auth, '');
  return $auth;
}

sub api_call {
  my ($self, $method, $path, $params) = @_;
  $params ||= {};

  my $canon_params = $self->canonicalize_params($params);
  my $date         = strftime('%a, %d %b %Y %H:%M:%S -0000', gmtime(time()));
  my $auth         = $self->sign($method, $path, $canon_params, $date);

  my $ua  = LWP::UserAgent->new();
  my $req = HTTP::Request->new();
  $req->method($method);
  $req->protocol('HTTP/1.1');
  $req->header('If-SSL-Cert-Subject' => qr{CN=[^=]+\.duosecurity.com$});
  $req->header('Authorization'       => $auth);
  $req->header('Date'                => $date);
  $req->header('Host'                => $self->{'host'});

  if (grep(/^$method$/, qw(POST PUT))) {
    $req->header('Content-type' => 'application/x-www-form-urlencoded');
    $req->content($canon_params);
  }
  else {
    $path .= '?' . $canon_params;
  }

  $req->uri('https://' . $self->{'host'} . $path);
  if ($ENV{'DEBUG'}) {
    print STDERR $req->as_string();
  }
  my $res = $ua->request($req);
  return $res;
}

sub json_api_call {
  my $self = shift;
  my $res  = $self->api_call(@_);
  my $json = $res->content();
  if ($json !~ /^{/) {
    croak($json);
  }
  my $ret = decode_json($json);
  if (($ret->{'stat'} || '') ne 'OK') {
    my $msg = join('', 'Error ', $ret->{'code'}, ': ', $ret->{'message'});
    if (defined($ret->{'message_detail'})) {
      $msg .= ' (' . $ret->{'message_detail'} . ')';
    }
    croak($msg);
  }
  return $ret->{'response'};
}

1;