# Below are snippets from an authentication script used by the Gluu Server to enforce two-factor authentication (2FA) using Duo Security. import duo_web import json if (step == 1): print "Duo. Authenticate for step 1" credentials = identity.getCredentials() user_name = credentials.getUsername() user_password = credentials.getPassword() logged_in = False if (StringHelper.isNotEmptyString(user_name) and StringHelper.isNotEmptyString(user_password)): userService = CdiUtil.bean(UserService) logged_in = authenticationService.authenticate(user_name, user_password) if (not logged_in): return False user = authenticationService.getAuthenticatedUser() if (self.use_duo_group): print "Duo. Authenticate for step 1. Checking if user belong to Duo group" is_member_duo_group = self.isUserMemberOfGroup(user, self.audit_attribute, self.duo_group) if (is_member_duo_group): print "Duo. Authenticate for step 1. User '" + user.getUserId() + "' member of Duo group" duo_count_login_steps = 2 else: self.processAuditGroup(user) duo_count_login_steps = 1 identity.setWorkingParameter("duo_count_login_steps", duo_count_login_steps) return True elif (step == 2): print "Duo. Authenticate for step 2" user = authenticationService.getAuthenticatedUser() if user == None: print "Duo. Authenticate for step 2. Failed to determine user name" return False user_name = user.getUserId() sig_response_array = requestParameters.get("sig_response") if ArrayHelper.isEmpty(sig_response_array): print "Duo. Authenticate for step 2. sig_response is empty" return False duo_sig_response = sig_response_array[0] if (step == 1): print "Duo. Prepare for step 1" return True elif (step == 2): print "Duo. Prepare for step 2" user = authenticationService.getAuthenticatedUser() if (user == None): print "Duo. Prepare for step 2. Failed to determine user name" return False user_name = user.getUserId() duo_sig_request = duo_web.sign_request(self.ikey, self.skey, self.akey, user_name) print "Duo. Prepare for step 2. duo_sig_request: " + duo_sig_request identity.setWorkingParameter("duo_host", duo_host) identity.setWorkingParameter("duo_sig_request", duo_sig_request) return True else: return False def getExtraParametersForStep(self, configurationAttributes, step): return None def getCountAuthenticationSteps(self, configurationAttributes): identity = CdiUtil.bean(Identity) if (identity.isSetWorkingParameter("duo_count_login_steps")): return identity.getWorkingParameter("duo_count_login_steps") return 2 def getPageForStep(self, configurationAttributes, step): if (step == 2): return "/auth/duo/duologin.xhtml" return "" def logout(self, configurationAttributes, requestParameters): return True def isUserMemberOfGroup(self, user, attribute, group): is_member = False member_of_list = user.getAttributeValues(attribute) if (member_of_list != None): for member_of in member_of_list: if StringHelper.equalsIgnoreCase(group, member_of) or member_of.endswith(group): is_member = True break return is_member def processAuditGroup(self, user): if (self.use_audit_group): is_member = self.isUserMemberOfGroup(user, self.audit_attribute, self.audit_group) if (is_member): print "Duo. Authenticate for processAuditGroup. User '" + user.getUserId() + "' member of audit group" print "Duo. Authenticate for processAuditGroup. Sending e-mail about user '" + user.getUserId() + "' login to", self.audit_email # Send e-mail to administrator user_id = user.getUserId() mailService = CdiUtil.bean(MailService) subject = "User log in: " + user_id body = "User log in: " + user_id mailService.sendMail(self.audit_email, subject, body)