ras_site_get_mfa
Retrieve multi-factor authentication configuration to audit security settings or troubleshoot login issues in Parallels RAS environments.
Instructions
Get multi-factor authentication provider configuration, including enabled MFA providers (TOTP, RADIUS, Deepnet, SafeNet, Email OTP), criteria rules, and bypass conditions. Use this to audit MFA security posture or troubleshoot MFA login failures.
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||
Implementation Reference
- src/tools/site-settings.ts:109-129 (handler)Complete implementation of the ras_site_get_mfa tool handler. This async function calls the RAS API to retrieve multi-factor authentication configuration (MFA providers, criteria rules, bypass conditions) and returns the data as formatted JSON text.server.registerTool( "ras_site_get_mfa", { title: "MFA Configuration", description: "Get multi-factor authentication provider configuration, including enabled " + "MFA providers (TOTP, RADIUS, Deepnet, SafeNet, Email OTP), criteria rules, " + "and bypass conditions. Use this to audit MFA security posture or troubleshoot " + "MFA login failures.", annotations: READ_ONLY_ANNOTATIONS, inputSchema: {}, }, async () => { try { const data = await rasClient.get("/api/site-settings/mfa"); return { content: [{ type: "text" as const, text: JSON.stringify(data, null, 2) }] }; } catch (err) { return { content: [{ type: "text" as const, text: sanitiseError(err, "Failed to retrieve MFA config") }], isError: true }; } } );
- src/tools/site-settings.ts:111-120 (schema)Tool schema definition for ras_site_get_mfa, including title, description, annotations (read-only, non-destructive, idempotent), and empty inputSchema indicating no parameters required.{ title: "MFA Configuration", description: "Get multi-factor authentication provider configuration, including enabled " + "MFA providers (TOTP, RADIUS, Deepnet, SafeNet, Email OTP), criteria rules, " + "and bypass conditions. Use this to audit MFA security posture or troubleshoot " + "MFA login failures.", annotations: READ_ONLY_ANNOTATIONS, inputSchema: {}, },
- src/client.ts:128-166 (helper)The RasClient.get() method used by ras_site_get_mfa to make authenticated GET requests to the RAS API. Handles authentication, session management, automatic retry on 401 errors, and request timeouts.async get(path: string): Promise<unknown> { // Ensure we have a valid session if (!this.authToken) { await this.login(); } const fetchOptions = { method: "GET" as const, headers: { ...this.headers, auth_token: this.authToken!, }, signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS), }; let response = await fetch(`${this.baseUrl}${path}`, fetchOptions); // Token may have expired — re-authenticate once and retry if (response.status === 401) { await this.login(); response = await fetch(`${this.baseUrl}${path}`, { ...fetchOptions, headers: { ...this.headers, auth_token: this.authToken!, }, signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS), }); } if (!response.ok) { const body = await response.text(); throw new Error( `RAS API error (HTTP ${response.status}) on ${path}: ${body.substring(0, 300)}` ); } return response.json(); }
- src/client.ts:43-54 (helper)The sanitiseError() helper function used by ras_site_get_mfa handler to sanitize error messages by removing sensitive information (auth tokens, passwords) and truncating long responses.function sanitiseError(err: unknown, context: string): string { const raw = err instanceof Error ? err.message : String(err); // Remove anything that looks like a token or password value let sanitised = raw .replace(/auth_token[=:]\s*\S+/gi, "auth_token=[REDACTED]") .replace(/password[=:]\s*\S+/gi, "password=[REDACTED]"); // Truncate excessively long API response bodies if (sanitised.length > 500) { sanitised = sanitised.substring(0, 500) + "... (truncated)"; } return `${context}: ${sanitised}`; }