Fix #42 RADIUS authentication support for push, append, challenge/response modes

README.md

@@ -16,7 +16,7 @@ Current products supported:
 
 - [Install](#install)
   - [MacOS](#macos)
-  - [Windows & Linux](#windows-or-linux)
+  - [Windows or Linux](#windows-or-linux)
 - [Usage](#usage)
   - [Command-Line Interface (CLI)](#command-line-interface-cli)
     - [logon](#logon)
@@ -101,7 +101,7 @@ $ cybr logon -u username -a cyberark-or-ldap -b https://pvwa.example.com
 |-b|--base-url|☑||URL to /PasswordVault|https://pvwa.example.com|
 |-i|--insecure-tls||false|Whether to validate TLS|false|
 
-Logon to the PAS REST API as the username you provide using the authentication method you choose. At this time, only `cyberark` and `ldap` authentication methods are supported.
+Logon to the PAS REST API as the username you provide using the authentication method you choose. At this time, only `cyberark`, `ldap`, `radius` authentication methods are supported. If your RADIUS server is configured for challenge/response, you will first be prompted for your `password` followed by your `one-time passcode`.
 
 Upon successful logon, a file will be created in your user's home directory at `.cybr/config`. It is an encoded file that cannot be read in plain-text. This holds your current session information.
 

cmd/logoff.go

@@ -21,17 +21,13 @@ var logoffCmd = &cobra.Command{
 		if err != nil {
 			log.Fatalf("Failed to read configuration file. %s", err)
 		}
-		// Logoff the PAS REST API
-		err = client.Logoff()
-		if err != nil {
-			log.Fatalf("Failed to log off. %s", err)
-			return
-		}
 		// Remove the config file written to local file system
 		err = client.RemoveConfig()
 		if err != nil {
 			log.Fatalf("Failed to remove configuration file. %s", err)
 		}
+		// Logoff the PAS REST API
+		_ = client.Logoff()
 
 		fmt.Println("Successfully logged off PAS.")
 	},

cmd/logon.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"fmt"
 	"log"
+	"strings"
 	"syscall"
 
 	pasapi "github.com/infamousjoeg/cybr-cli/pkg/cybr/api"
@@ -53,9 +54,25 @@ var logonCmd = &cobra.Command{
 		}
 
 		err = client.Logon(credentials)
-		if err != nil {
+		if err != nil && !strings.Contains(err.Error(), "ITATS542I") {
 			log.Fatalf("Failed to Logon to the PVWA. %s", err)
-			return
+		}
+
+		// if error contains challenge error code, deal with OTPCode here instead and redo client.Logon()
+		if err != nil {
+			// Get secret value from STDIN
+			fmt.Print("Enter one-time passcode: ")
+			byteOTPCode, err := terminal.ReadPassword(int(syscall.Stdin))
+			credentials.Password = string(byteOTPCode)
+			fmt.Println()
+			if err != nil {
+				log.Fatalln("An error occurred trying to read one-time passcode from " +
+					"Stdin. Exiting...")
+			}
+			err = client.Logon(credentials)
+			if err != nil {
+				log.Fatalf("Failed to respond to challenge. Possible timeout occurred. %s", err)
+			}
 		}
 
 		err = client.SetConfig()
@@ -71,10 +88,10 @@ var logonCmd = &cobra.Command{
 func init() {
 	logonCmd.Flags().StringVarP(&Username, "username", "u", "", "Username to logon PAS REST API using")
 	logonCmd.MarkFlagRequired("username")
-	logonCmd.Flags().StringVarP(&AuthenticationType, "auth-type", "a", "", "Authentication method to logon using")
+	logonCmd.Flags().StringVarP(&AuthenticationType, "auth-type", "a", "", "Authentication method to logon using [cyberark|ldap|radius]")
 	logonCmd.MarkFlagRequired("authType")
 	logonCmd.Flags().BoolVarP(&InsecureTLS, "insecure-tls", "i", false, "If detected, TLS will not be verified")
-	logonCmd.Flags().StringVarP(&BaseURL, "base-url", "b", "", "Base URL to send Logon request to")
+	logonCmd.Flags().StringVarP(&BaseURL, "base-url", "b", "", "Base URL to send Logon request to [https://pvwa.example.com]")
 	logonCmd.MarkFlagRequired("base-url")
 	rootCmd.AddCommand(logonCmd)
 }

pkg/cybr/api/auth.go

@@ -23,6 +23,7 @@ func (c *Client) Logon(req LogonRequest) error {
 		return err
 	}
 
+	// Handle cyberark, ldap, and radius push, append & challenge/response authentication methods
 	url := fmt.Sprintf("%s/PasswordVault/api/auth/%s/logon", c.BaseURL, c.AuthType)
 	token, err := httpJson.SendRequestRaw(url, "POST", "", req, c.InsecureTLS, c.Logger)
 	if err != nil {

pkg/cybr/api/client.go

@@ -28,7 +28,7 @@ func getUserHomeDir() (string, error) {
 
 // IsValid checks to make sure that the authentication method chosen is valid
 func (c *Client) IsValid() error {
-	if c.AuthType == "cyberark" || c.AuthType == "ldap" {
+	if c.AuthType == "cyberark" || c.AuthType == "ldap" || c.AuthType == "radius" {
 		return nil
 	}
 	return fmt.Errorf("Invalid auth type '%s'", c.AuthType)