duosecurity / duo_client_java Goto Github PK

Hi, using the cli without changes I'm seeing an invalid signature error with nfr or prod keys. This was working with our production keys at one point (prior to the okhttp change). I opened a support case a few days ago and am still waiting for a response.

java -jar duo-example-admin-0.4.1-SNAPSHOT-jar-with-dependencies.jar -host XXXXXXXXXXXXXXX.duosecurity.com -ikey XXXXXXXXXXXXXXXXXXXXXXXXX  -skey XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Duo Admin Demo
error making request
java.lang.Exception: Duo error code (40103): Invalid signature in request credentials

I've used the python client successfully, but the java client seems to not work. Tried in code as well as the given example, both give invalid ikey error.

$ java -jar duo-example-admin-0.2-jar-with-dependencies.jar -host "api-.duosecurity.com" -ikey "DI......." -skey "8n............................"
Duo Admin Demo
error making request
java.lang.Exception: Duo error code (40102): Invalid integration key in request credentials
Done with Admin API demo.

$ java -version
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)

@mmoayyed had asked for this in #29

I took a side trip to implement a Builder to make it easier, so now I need to actually add the new functionality...

In com.duosecurity.client.Http, there's a static instance of SimpleDateFormat, RFC_2822_DATE_FORMAT, that is used in method signRequest. SimpleDateFormat is not thread safe, and therefore this usage can cause serious issues when used in a multi-threaded app (like a j2ee web app). For example, see http://www.codefutures.com/weblog/andygrove/2007/10/simpledateformat-and-thread-safety.html

Hi,

It looks like latest release is v0.2.2 but the version within pom.xml for the duo-client is still v0.2.1. When I build from the source the .jar I maven creates is versioned with v0.2.1. Is this expected?

Thanks.

Version 0.3.0 isn't tagged, and the version in your master branch is 0.3.0, which is clearly shouldn't be as there have been changes to it since the version number was changed. It should be 0.3.1-SNAPSHOT indicating that it isn't released code. Using mvn release:prepare and mvn release:perform on the repo will do all of the pom version changing and tagging instead of having to do it manual like you did for #9.

Using the java client, I can hit the URI to retrieve the JSON object of all my users (/admin/v1/users). I then add the one line of code request.addParam("username","XXX1234") to add a specific user so I only get back their details. When doing this, i get java.lang.Exception: Duo error code (40103): Invalid signature in request credentials.

According to the API documentation (retrieve-users), to retrieve specific users you need to specify the params like this:

usernames=cjones&usernames=mwong

On my request I've done something like this:

request.addParam("usernames", "cjones");
request.addParam("usernames", "mwong");

As a response I'm getting information about only one user. I believe the problem is that the addParam method is adding fields to a TreeMap:

private SortedMap<String, Object> params = new TreeMap<String, Object>();

Since we can't have duplicate keys, we can't search for multiple users. I've also noticed that you can set a List as value on the addParam method. Something like this:

request.addParam("username", Arrays.asList("cjones", "mwong"));

But that's also not working, the raw response is:

{"stat":"OK","response":[]}

I am having issues with the Authentication Logs API (/admin/v1/logs/authentication).

It seems there is an (as far as I can tell) undocumented limit on it.
I use the SDK as follows:

import com.duosecurity.client.Http

val user = "api-xxxxx.duosecurity.com"
val integrationKey = "MYTOKEN"
val secret = "MYSECRET"
val http = new Http("GET", user, "/admin/v1/logs/authentication")
http.addParam("minTime", "0")
http.signRequest(integrationKey, secret)
val response = http.executeRequest

If I run this faster than once every 30s the API returns me

java.lang.Exception: Duo error code (42901): Too Many Requests
  com.duosecurity.client.Http.executeRequest(Http.java:62)

a) Where can I find how many is "too many" requests?
b) Should the SDK not at least retry?
c) How come /admin/v1/logs/administrator does not have this limitation?

Thank you!