Merge pull request #9 from OneIdentity/add-text-message-capabilities

Add text message capabilities
OneIdentity · Dec 14, 2021 · d388e06 · d388e06
2 parents ff388f6 + 4e880ec
commit d388e06
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 10 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,8 @@
+2.1.0 2021-11-26
+
+Allow users to request OTP via text message
+Use new minor version as Plugin-SDK version changes
+
 2.0.4 2020-04-03
 
 Bugfix, allow connection of bypassed users

diff --git a/MANIFEST b/MANIFEST
@@ -1,7 +1,7 @@
 api: 1.2
 type: aa
 name: SPS_Duo
-version: 2.0.4
+version: 2.1.0
 description: Duo Multi-Factor Authentication plugin
 entry_point: main.py
 author_name: One Identity PAM Integration Team

diff --git a/lib/client.py b/lib/client.py
@@ -102,9 +102,13 @@ def otp_authenticate(self, username, otp):
             preauth = self._check_preauth(username)
             if self._is_bypass_user(preauth):
                 return self._log_bypass_and_create_aa_response()
-
-            logger.info("Account found, running passcode authentication.")
-            auth = self._duo.auth(factor="passcode", username=username, passcode=str(otp))
+            logger.info('Account found, running passcode authentication.')
+            if str(otp).lower() == 'sms':
+                self._check_device_capabilities(preauth, 'sms')
+                logger.info('Sending passcode via text message')
+                self._duo.auth(factor='sms', username=username, device='auto')  # First push device is used.
+                return AAResponse.need_info("Enter passcode from text message: ", 'otp')
+            auth = self._duo.auth(factor='passcode', username=username, passcode=str(otp))
             result = self._check_auth_result(auth)
         except (RuntimeError, KeyError) as e:
             raise MFACommunicationError(self._construct_exception_message(e))
@@ -117,12 +121,9 @@ def push_authenticate(self, username):
             preauth = self._check_preauth(username)
             if self._is_bypass_user(preauth):
                 return self._log_bypass_and_create_aa_response()
-
-            devices = preauth["devices"]
-            if not [dev for dev in devices if "push" in dev.get("capabilities", [])]:
-                raise MFAAuthenticationFailure("No push capable device enrolled.")
-            logger.info("Account and device found, running push authentication.")
-            auth = self._duo.auth(factor="push", username=username, device="auto")  # First push device is used.
+            self._check_device_capabilities(preauth, 'push')
+            logger.info('Account and device found, running push authentication.')
+            auth = self._duo.auth(factor='push', username=username, device='auto')  # First push device is used.
             self._check_auth_result(auth)
         except (RuntimeError, KeyError) as e:
             raise MFACommunicationError(self._construct_exception_message(e))
@@ -132,6 +133,12 @@ def push_authenticate(self, username):
             raise MFAServiceUnreachable(self._construct_exception_message(e))
         return True
 
+    @staticmethod
+    def _check_device_capabilities(preauth, capability):
+        devices = preauth['devices']
+        if not [dev for dev in devices if capability in dev.get('capabilities', [])]:
+            raise MFAAuthenticationFailure('No {} capable device enrolled.'.format(capability))
+
     def _log_bypass_and_create_aa_response(self):
         msg = "User configured as bypass user on Duo."
         logger.info(msg)