auth_logs request uses 'GET' but doesn't check for URI limits
csanders-git opened this issue · 0 comments
csanders-git commented
get_authentication_log takes a parameter of a list of user_ids. This list can be arbitrarily long in code, but this endpoint in duo_client_python passes the encoded parameters as a GET request, which has a max length per the HTTP RFC (and as a result needs to be split to complete). Documentation indicates that v2 of the log endpoint supports GET OR POST (https://duo.com/docs/adminapi#authentication-logs); this does NOT appear to be correct, as POST requests fail with a 405. As a result, the length of the parameters needs to be analyzed prior to sending the request.
(Pdb) out_uri
'https://api-[REMOVED].duosecurity.com/admin/v2/logs/authentication'
(Pdb) data
{'mintime': '1639679487000', 'maxtime': '1639765887000', 'sort': 'ts:asc', 'limit': '100', 'offset': '0'}
(Pdb) headers
{b'Authorization': b'Basic ]REMOVED]==', b'Date': b'Fri, 17 Dec 2021 18:31:27 -0000', b'User-Agent': b'Duo API Python/4.3.2', b'Content-type': b'application/x-www-form-urlencoded'}
(Pdb) method
'POST'
(Pdb) resp = requests.post(out_uri, data=data, headers=headers)
(Pdb) print(f"status_code = {resp.status_code}")
status_code = 405
duo_client_python/duo_client/admin.py
Line 453 in 7c5b115
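One way to do the length analysis the issue asks for, as an added example (not code from duo_client_python or from the issue author): split the user_ids list so every encoded GET URL stays within a budget. The parameter name `users`, the 8000-character budget, the placeholder host and the helper names are assumptions.

```python
from urllib.parse import urlencode

# Assumed values for illustration, not taken from duo_client:
MAX_URL_LEN = 8000    # URL length budget; set to what the server and proxies accept
USER_PARAM = "users"  # assumed name of the repeated user-id query parameter


def url_length(base_uri, params):
    """Length of the full GET URL once params are form-encoded (lists repeat the key)."""
    return len(base_uri) + 1 + len(urlencode(params, doseq=True))


def batch_user_ids(base_uri, fixed_params, user_ids, max_len=MAX_URL_LEN):
    """Yield lists of user ids so that each resulting GET URL fits in max_len."""
    fixed_len = url_length(base_uri, fixed_params)
    if fixed_len > max_len:
        raise ValueError("fixed parameters alone exceed the URL budget")
    batch, used = [], fixed_len
    for uid in user_ids:
        # Each id adds "&users=<percent-encoded id>" to the query string.
        cost = 1 + len(urlencode({USER_PARAM: uid}))
        if fixed_len + cost > max_len:
            raise ValueError(f"user id {uid!r} cannot fit in a single request")
        if used + cost > max_len:
            yield batch  # current batch is full; start a new request
            batch, used = [], fixed_len
        batch.append(uid)
        used += cost
    if batch:
        yield batch


def demo():
    """Constructed sample: placeholder host, fixed params from the issue, 1000 fake ids."""
    base = "https://api-XXXXXXXX.duosecurity.com/admin/v2/logs/authentication"
    fixed = {"mintime": "1639679487000", "maxtime": "1639765887000",
             "sort": "ts:asc", "limit": "100", "offset": "0"}
    ids = [f"DU{i:018d}" for i in range(1000)]  # constructed, not real user ids
    return [url_length(base, {**fixed, USER_PARAM: b})
            for b in batch_user_ids(base, fixed, ids)]


if __name__ == "__main__":
    print(demo())  # one URL length per request that would be sent
```

Each batch is a separate request, and pagination (`limit`/`offset`) restarts for each one, so results from all batches have to be merged by the caller.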