convert snooze filter MFA to use last_mfa_time and other cleanup #3293

Merged
merged 1 commit into from
Apr 21, 2023
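--- a/src/dispatch/plugins/dispatch_duo/plugin.py
+++ b/src/dispatch/plugins/dispatch_duo/plugin.py
@@ -77,9 +77,7 @@ def send_push_notification(
 """
 duo_client = duo_service.create_duo_auth_client(self.configuration)
 try:
-response = duo_client.auth(
-factor="push", username=username.split("@"), device=device, type=type
-)
+response = duo_client.auth(factor="push", username=username, device=device, type=type)
 except RuntimeError as e:
 if "Invalid request parameters (username)" in str(e):
 username, _ = username.split("@")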
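Review bot: The fallback in the `except RuntimeError` branch, `username, _ = username.split("@")`, raises `ValueError` when the username has no `@` or more than one, so the Duo error would be replaced by an unrelated unpacking error. The first call now passes the username through unchanged, so a plain account name that Duo rejects reaches this line. Guarding the branch with `if "Invalid request parameters (username)" in str(e) and "@" in username:` would leave that case to the existing error handling, assuming the code after this branch re-raises. Matching on the exception's message text is also brittle and deserves a comment naming the Duo response it depends on. The rest of `send_push_notification` lies outside the hunk.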
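--- a/src/dispatch/plugins/dispatch_slack/case/interactive.py
+++ b/src/dispatch/plugins/dispatch_slack/case/interactive.py
@@ -31,6 +31,7 @@
 from dispatch.incident import flows as incident_flows
 from dispatch.participant import service as participant_service
 from dispatch.plugin import service as plugin_service
+from dispatch.plugins.dispatch_duo.enums import PushResponseResult
 from dispatch.plugins.dispatch_slack import service as dispatch_slack_service
 from dispatch.plugins.dispatch_slack.bolt import app
 from dispatch.plugins.dispatch_slack.case.enums import (
@@ -631,7 +632,9 @@ def _create_snooze_filter(
 
 signal = signal_service.update(db_session=db_session, signal=signal, signal_in=signal_in)
 
-if mfa_enabled is False:
+# Check if last_mfa_time was within the last hour
+last_hour = datetime.now() - timedelta(hours=1)
+if (user.last_mfa_time and user.last_mfa_time < last_hour) or mfa_enabled is False:
 _create_snooze_filter(
 db_session=db_session,
 user=user,
@@ -648,26 +651,13 @@ def _create_snooze_filter(
 view_id=body["view"]["id"],
 view=modal,
 )
-
-if mfa_enabled is True:
+else:
 # Send the MFA push notification
-email = context["user"].email
-username, _ = email.split("@")
-# In Duo it seems the username here can either be an email or regular username
-# depending on how your Duo instance is setup. We try to manage both cases here.
-try:
-response = mfa_plugin.instance.send_push_notification(
-username=username, type="Are you creating a signal filter in Dispatch?"
-)
-except RuntimeError as e:
-if "Invalid request parameters (username)" in str(e):
-response = mfa_plugin.instance.send_push_notification(
-username=email, type="Are you creating a signal filter in Dispatch?"
-)
-else:
-raise e from None
-
-if response.get("result") == "allow":
+response = mfa_plugin.instance.send_push_notification(
+username=context["user"].email,
+type="Are you creating a snooze filter in Dispatch?",
+)
+if response == PushResponseResult.allow:
 # Get the existing filters for the signal
 _create_snooze_filter(
 db_session=db_session,
@@ -685,10 +675,12 @@ def _create_snooze_filter(
 view_id=body["view"]["id"],
 view=modal,
 )
+user.last_mfa_time = datetime.now()
+db_session.commit()
 else:
 text = (
 "Adding Snooze failed, the MFA request timed out."
-if response.get("status") == "timeout"
+if response == PushResponseResult.timeout
 else "Adding Snooze failed, you must accept the MFA prompt."
 )
 modal = Modal(
@@ -1481,7 +1473,7 @@ def _send_response(success: bool) -> None:
 title = "MFA Failed"
 text = (
 "Confirmation failed, the MFA request timed out."
-if response == "timeout"
+if response == PushResponseResult.timeout
 else "Confirmation failed, you must accept the MFA prompt."
 )
 message_text = f":warning: {engaged_user} attempt to confirmed the behavior *as expected*. But, the MFA validation failed, reason: {response}\n\n *Context Provided* \n```{context_from_user}```"
@@ -1547,7 +1539,7 @@ def _resolve_case(case: Case) -> None:
 response = mfa_plugin.instance.send_push_notification(
 username=engaged_user, type="Are you confirming suspicious behavior in Dispatch?"
 )
-if response == "allow":
+if response == PushResponseResult.allow:
 _send_response(success=True)
 user.last_mfa_time = datetime.now()
 db_session.commit()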
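Review bot: The freshness test added in the `@@ -631,7 +632,9 @@` hunk is inverted. `last_hour` is `datetime.now() - timedelta(hours=1)`, so `user.last_mfa_time < last_hour` is true when the last approval is older than one hour, and that branch creates the snooze filter without sending a push. As written, a user with a stale approval skips MFA while one who approved minutes ago is prompted again, which contradicts the comment above the check. The condition should read `if (user.last_mfa_time and user.last_mfa_time > last_hour) or mfa_enabled is False:`. The enclosing handler starts and ends outside the visible hunks, so this reading rests on the lines shown.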