add normal challenge response

5cf72543 · Cornelius Kölbel · f080b8d3 · 5cf72543
Commit 5cf72543 authored Mar 04, 2016 by Cornelius Kölbel
Show whitespace changes
Inline Side-by-side

Showing with 47 additions and 7 deletions

privacyidea_pam.py privacyidea_pam.py +47 -7

No files found.
--- a/privacyidea_pam.py
+++ b/privacyidea_pam.py
 # -*- coding: utf-8 -*-
 #
+# 2015-03-04 Cornelius Kölbel <cornelius.koelbel@netknights.it>
+#            Add normal challenge/response support
 # 2016-03-03 Brandon Smith <freedom@reardencode.com>
 #            Add U2F challenge/response support
 # 2015-11-06 Cornelius Kölbel <cornelius.koelbel@netknights.it>
@@ -89,7 +91,6 @@ class Authenticator(object):
        return json_response
    def authenticate(self, password):
        rval = self.pamh.PAM_SYSTEM_ERR
        # First we try to authenticate against the sqlitedb
@@ -129,16 +130,53 @@ class Authenticator(object):
                    transaction_id = detail.get("transaction_id")
                    if transaction_id:
-                        attributes = detail.get("attributes", {})
+                        attributes = detail.get("attributes") or {}
+                        message = detail.get("message").encode("utf-8")
                        if "u2fSignRequest" in attributes:
                            rval = self.u2f_challenge_response(
-                                    transaction_id, detail.get("message"),
+                                    transaction_id, message,
+                                    attributes)
+                        else:
+                            rval = self.challenge_response(transaction_id,
+                                                           message,
                                                           attributes)
                    else:
+                        rval = self.pamh.PAM_AUTH_ERR
+            else:
                syslog.syslog(syslog.LOG_ERR,
-                                          "%s: unsupported challenge" %
+                              "%s: %s" % (__name__,
-                                          __name__)
+                                          result.get("error").get("message")))
+        return rval
+    def challenge_response(self, transaction_id, message, attributes):
+        rval = self.pamh.PAM_SYSTEM_ERR
+        syslog.syslog(syslog.LOG_DEBUG, "Prompting for challenge response")
+        pam_message = self.pamh.Message(self.pamh.PAM_PROMPT_ECHO_ON, message)
+        response = self.pamh.conversation(pam_message)
+        otp = response.resp
+        r_code = response.resp_retcode
+        data = {"user": self.user,
+                "transaction_id": transaction_id,
+                "pass": otp}
+        if self.realm:
+            data["realm"] = self.realm
+        json_response = self.make_request(data)
+        result = json_response.get("result")
+        detail = json_response.get("detail")
+        if self.debug:
+            syslog.syslog(syslog.LOG_DEBUG,
+                          "%s: result: %s" % (__name__, result))
+            syslog.syslog(syslog.LOG_DEBUG,
+                          "%s: detail: %s" % (__name__, detail))
+        if result.get("status"):
+            if result.get("value"):
+                rval = self.pamh.PAM_SUCCESS
            else:
                rval = self.pamh.PAM_AUTH_ERR
        else:
@@ -213,8 +251,6 @@ class Authenticator(object):
        return rval
 def pam_sm_authenticate(pamh, flags, argv):
    config = _get_config(argv)
    debug = config.get("debug")
@@ -265,15 +301,19 @@ def pam_sm_authenticate(pamh, flags, argv):
 def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS
 def pam_sm_acct_mgmt(pamh, flags, argv):
    return pamh.PAM_SUCCESS
 def pam_sm_open_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS
 def pam_sm_close_session(pamh, flags, argv):
    return pamh.PAM_SUCCESS
 def pam_sm_chauthtok(pamh, flags, argv):
    return pamh.PAM_SUCCESS