sethlyons · sethlyons · Jun 29, 2016
diff --git a/duo_security.gemspec b/duo_security.gemspec
@@ -16,7 +16,9 @@ Gem::Specification.new do |gem|
   gem.version       = DuoSecurity::VERSION
 
   gem.add_dependency "httparty", "~> 0.10"
-
-  gem.add_development_dependency "vcr", "~> 2.2.4"
+
+  gem.add_development_dependency "minitest", "~> 5.9.0"
+  gem.add_development_dependency "rake", "~> 11.2.0"
+  gem.add_development_dependency "vcr", "~> 2.4.0"
   gem.add_development_dependency "webmock", "~> 1.8.9"
 end
diff --git a/lib/duo_security.rb b/lib/duo_security.rb
@@ -1,6 +1,9 @@
-require "duo_security/version"
 require "duo_security/api"
+require "duo_security/api_base"
+require "duo_security/api_v1"
+require "duo_security/api_v2"
 require "duo_security/attempt"
+require "duo_security/version"
 
 module DuoSecurity
 end
diff --git a/lib/duo_security/api.rb b/lib/duo_security/api.rb
@@ -1,82 +1,17 @@
-require 'cgi'
-require 'httparty'
+#!/usr/bin/env ruby
 
 module DuoSecurity
   class API
-    class UnknownUser < StandardError; end
-
-    FACTORS = ["auto", "passcode", "phone", "sms", "push"]
-
-    include HTTParty
-    ssl_ca_file File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "data", "ca-bundle.crt"))
-
-    def initialize(host, secret_key, integration_key)
-      @host = host
-      @skey = secret_key
-      @ikey = integration_key
-
-      self.class.base_uri "https://#{@host}/rest/v1"
-    end
-
-    def ping
-      response = self.class.get("/ping")
-      response.parsed_response.fetch("response") == "pong"
-    end
-
-    def check
-      auth = sign("get", @host, "/rest/v1/check", {}, @skey, @ikey)
-      response = self.class.get("/check", headers: {"Authorization" => auth})
-
-      # TODO use parsed_response.fetch(...) when content-type is set correctly
-      response["response"] == "valid"
-    end
-
-    def preauth(user)
-      response = post("/preauth", {"user" => user})["response"]
-
-      raise UnknownUser, response.fetch("status") if response.fetch("result") == "enroll" || response.fetch("result") == "deny"
-
-      return response
-    end
-
-    def auth(user, factor, factor_params)
-      raise ArgumentError.new("Factor should be one of #{FACTORS.join(", ")}") unless FACTORS.include?(factor)
-
-      params = {"user" => user, "factor" => factor}.merge(factor_params)
-      response = post("/auth",params)
-
-      response["response"]["result"] == "allow"
-    end
-
-    protected
-
-    def post(path, params = {})
-      auth = sign("post", @host, "/rest/v1#{path}", params, @skey, @ikey)
-      self.class.post(path, headers: {"Authorization" => auth}, body: params)
-    end
-
-    def hmac_sha1(key, data)
-      OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha1'), key, data.to_s)
-    end
-
-    def sign(method, host, path, params, skey, ikey)
-      canon = [method.upcase, host.downcase, path]
-
-      args = []
-      for key in params.keys.sort
-        val = params[key]
-        args << "#{CGI.escape(key)}=#{CGI.escape(val)}"
+    def self.new(host, secret_key, integration_key, api_version = 1)
+      case api_version
+      when 1
+        ApiV1.new(host, secret_key, integration_key)
+      when 2
+        ApiV2.new(host, secret_key, integration_key)
+      else
+        raise "API version #{api_version} not supported"
       end
-
-      canon << args.join("&")
-      canon = canon.join("\n")
-
-      sig = hmac_sha1(skey, canon)
-      auth = "#{ikey}:#{sig}"
-
-      encoded = Base64.encode64(auth).split("\n").join("")
-
-      return "Basic #{encoded}"
     end
-  end
-end
+  end # API
+end # DuoSecurity
+
diff --git a/lib/duo_security/api_base.rb b/lib/duo_security/api_base.rb
@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+
+module DuoSecurity
+  class API_Base
+  class UnknownUser < StandardError; end
+    require 'cgi'
+    require 'httparty'
+    FACTORS = ["auto", "passcode", "phone", "sms", "push"]
+    include HTTParty
+    ssl_ca_file File.expand_path(File.join(File.dirname(__FILE__), "..", "..", "data", "ca-bundle.crt"))
+
+    def ping
+      response = self.class.get("/ping")
+      response.parsed_response.fetch("response") == "pong"
+    end
+  end
+end
diff --git a/lib/duo_security/api_v1.rb b/lib/duo_security/api_v1.rb
@@ -0,0 +1,73 @@
+module DuoSecurity
+  class ApiV1 < API_Base
+    def initialize(host, secret_key, integration_key)
+      @host = host
+      @skey = secret_key
+      @ikey = integration_key
+
+      self.class.base_uri "https://#{@host}/rest/v1"
+    end
+
+    def check
+      auth = sign("get", @host, "/rest/v1/check", {}, @skey, @ikey)
+      response = self.class.get("/check",
+                                headers: {"Authorization" => auth,
+                                          "Content-Type" => "application/x-www-form-urlencoded"})
+
+
+      # TODO use parsed_response.fetch(...) when content-type is set correctly
+      response["response"] == "valid"
+    end
+
+    def preauth(user)
+      response = post("/preauth", {"user" => user})["response"]
+
+      raise API_Base::UnknownUser, response.fetch("status") if response.fetch("result") == "enroll" || response.fetch("result") == "deny"
+
+      return response
+    end
+
+    def auth(user, factor, factor_params)
+      raise ArgumentError.new("Factor should be one of #{FACTORS.join(", ")}") unless FACTORS.include?(factor)
+
+      params = {"user" => user, "factor" => factor}.merge(factor_params)
+      response = post("/auth",params)
+
+      response["response"]["result"] == "allow"
+    end
+
+    protected
+
+    def post(path, params = {})
+      auth = sign("post", @host, "/rest/v1#{path}", params, @skey, @ikey)
+      self.class.post(path,
+                      headers: {"Authorization" => auth,
+                                "Content-Type" => "application/x-www-form-urlencoded"},
+                      body: params)
+    end
+
+    def hmac_sha1(key, data)
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), key, data.to_s)
+    end
+
+    def sign(method, host, path, params, skey, ikey)
+      canon = [method.upcase, host.downcase, path]
+
+      args = []
+      for key in params.keys.sort
+        val = params[key]
+        args << "#{CGI.escape(key)}=#{CGI.escape(val)}"
+      end
+
+      canon << args.join("&")
+      canon = canon.join("\n")
+
+      sig = hmac_sha1(skey, canon)
+      auth = "#{ikey}:#{sig}"
+
+      encoded = Base64.encode64(auth).split("\n").join("")
+
+      return "Basic #{encoded}"
+    end
+  end
+end
diff --git a/lib/duo_security/api_v2.rb b/lib/duo_security/api_v2.rb
@@ -0,0 +1,72 @@
+module DuoSecurity
+  class ApiV2 < API_Base
+    def initialize(host, secret_key, integration_key)
+      @host = host
+      @skey = secret_key
+      @ikey = integration_key
+      @now = Time.now.strftime("%a, %d %b %Y %T %z")
+
+      self.class.base_uri "https://#{@host}/auth/v2"
+    end
+
+    def check
+      auth = sign("get", @host, "/auth/v2/check", {}, @skey, @ikey)
+      response = self.class.get("/check", headers: {"Authorization" => auth})
+
+      # TODO use parsed_response.fetch(...) when content-type is set correctly
+      response["response"] == "valid"
+    end
+
+    def preauth(user)
+      response = post("/preauth", {"username" => user})["response"]
+
+      raise API_Base::UnknownUser, response.fetch("status") if response.fetch("result") == "enroll" || response.fetch("result") == "deny"
+
+      return response
+    end
+
+    def auth(user, factor, factor_params)
+      raise ArgumentError.new("Factor should be one of #{FACTORS.join(", ")}") unless FACTORS.include?(factor)
+
+      params = {"username" => user, "factor" => factor}.merge(factor_params)
+      response = post("/auth",params)
+
+      response["response"]["result"] == "allow"
+    end
+
+    protected
+
+    def post(path, params = {})
+      auth = sign("post", @host, "/auth/v2#{path}", params, @skey, @ikey)
+      self.class.post(path,
+                      headers: {"Authorization" => auth,
+                                "Content-Type" => "application/x-www-form-urlencoded",
+                                "Date" => @now},
+                      body: params)
+    end
+
+    def hmac_sha1(key, data)
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), key, data.to_s)
+    end
+
+    def sign(method, host, path, params, skey, ikey)
+      canon = [@now, method.upcase, host.downcase, path]
+
+      args = []
+      for key in params.keys.sort
+        val = params[key]
+        args << "#{CGI.escape(key)}=#{CGI.escape(val)}"
+      end
+
+      canon << args.join("&")
+      canon = canon.join("\n")
+
+      sig = hmac_sha1(skey, canon)
+      auth = "#{ikey}:#{sig}"
+
+      encoded = Base64.encode64(auth).split("\n").join("")
+
+      return "Basic #{encoded}"
+    end
+  end
+end
diff --git a/lib/duo_security/attempt.rb b/lib/duo_security/attempt.rb
@@ -8,9 +8,9 @@ def initialize(api, username)
     def login!
       preauth = @api.preauth(@username)
       factor  = preauth["factors"].fetch("default")
-      
+
       @api.auth(@username, "auto", {"auto" => factor})
-    rescue API::UnknownUser => e
+    rescue API_Base::UnknownUser
       false
     end
   end

diff --git a/lib/duo_security/version.rb b/lib/duo_security/version.rb
@@ -1,3 +1,3 @@
 module DuoSecurity
-  VERSION = "0.0.2"
+  VERSION = "0.0.3"
 end