feat: showLogout configuration option

2b8636b3 · Pavel Břoušek · 4cf1abba · 2b8636b3 · 2b8636b3 · 2b8636b3
Verified Commit 2b8636b3 authored 3 years ago by Pavel Břoušek
--- a/docs/privacyidea.md
+++ b/docs/privacyidea.md
@@ -17,7 +17,7 @@ You need to add the authentication source 'privacyidea' to
 `config/authsources.php`. _example-privacyidea_ is the name used to identify this module, it can be changed to your liking. The following is a template configuration:

 ```PHP
-'example-privacyidea' => array(
+'example-privacyidea' => [
    'privacyidea:PrivacyideaAuthSource',

    /*
@@ -100,35 +100,35 @@ You need to add the authentication source 'privacyidea' to
     * SAML attribute names.
     * Optional.
     */
-    'attributemap' => array(
+    'attributemap' => [
        'username' => 'samlLoginName',
        'surname' => 'surName',
        'givenname' => 'givenName',
        'email' => 'emailAddress',
        'phone' => 'telePhone',
        'mobile' => 'mobilePhone'
-    ),
+    ],

    /*
     * You are able to concatenate attributes like the given and surname.
     * Optional.
     */
-    'concatenationmap' => array(
+    'concatenationmap' => [
        'givenname,surname' => 'fullName',
-    ),
+    ],

    /*
     * Here the detail attributes can be edited.
     * If they should not be listed, just remove them.
     * Optional.
     */
-    'detailmap' => array(
+    'detailmap' => [
        'message' => 'message',
        'type' => 'otpType',
        'serial' => 'otpSerial',
        'otplen' => 'otpLength'
-    ),
-),
+    ],
+],
 ```

 ## User attributes
@@ -151,12 +151,12 @@ attribute 'groups', you can map that to 'groups' if you include it in the attrib
 If you want to use privacyIDEA as an auth process filter, add the configuration to the metadata file (e.g. `simplesaml/metadata/saml20-idp-hosted.php`.

 ```PHP
-'authproc' => array(
+'authproc' => [

    /**
     *  Configuration for the privacyIDEA server.
     */
-    20 => array(
+    20 => [
        'class'             => 'privacyidea:PrivacyideaAuthProc',

        /**
@@ -174,7 +174,7 @@ If you want to use privacyIDEA as an auth process filter, add the configuration
         *  You can choose a single one or multiple ones. The first set will be used.
         */
        'uidKey'            => 'uid',
-        //  'uidKey'        => array('uid', 'userName', 'uName'),
+        //  'uidKey'        => ['uid', 'userName', 'uName'],

        /**
         *  Check if the hostname matches the name in the certificate.
@@ -265,7 +265,7 @@ If you want to use privacyIDEA as an auth process filter, add the configuration
         *  Enter a range like "10.0.0.0-10.2.0.0" or a single ip like "192.168.178.2"
         *  The selected ip addresses do not need 2FA
         */
-        'excludeClientIPs'  => array("10.0.0.0-10.2.0.0", "192.168.178.2"),
+        'excludeClientIPs'  => ["10.0.0.0-10.2.0.0", "192.168.178.2"],


        /**
@@ -288,10 +288,10 @@ If you want to use privacyIDEA as an auth process filter, add the configuration
         *  If there is a match, the filter will set the specified state variable to false and thereby disables
         *  privacyIDEA for this entityID The first matching expression will take precedence.
         */
-        'excludeEntityIDs' => array(
+        'excludeEntityIDs' => [
            '/http(s)\/\/conditional-no2fa-provider.de\/(.*)/',
            '/http(.*)no2fa-provider.de/'
-        ),
+        ],
        /**
         *  Per value in excludeEntityIDs, you may specify another set of regular expressions to match the
         *  attributes in the SAML request. If there is a match in any attribute value, this filter will
@@ -300,17 +300,23 @@ If you want to use privacyIDEA as an auth process filter, add the configuration
         *  accounts.
         *  The key in includeAttributes must be identical to a value in excludeEntityIDs to have an effect!
         */
-        'includeAttributes' => array(
-            '/http(s)\/\/conditional-no2fa-provider.de\/(.*)/' => array(
-                'memberOf' => array(
+        'includeAttributes' => [
+            '/http(s)\/\/conditional-no2fa-provider.de\/(.*)/' => [
+                'memberOf' => [
                    '/cn=2fa-required([-_])regexmatch(.*),cn=groups,(.*)/',
                    'cn=2fa-required-exactmatch,ou=section,dc=privacyidea,dc=org'
-                ),
-                'myAttribute' => array(
+                ],
+                'myAttribute' => [
                    '/(.*)2fa-required/', '2fa-required',
-                )
-            )
-        ),
-    ),
-)
+                ]
+            ]
+        ],
+
+        /**
+         * Whether to show logout link on the auth proc filter page.
+         * Optional, default to true.
+         */
+        'showLogout' => false,
+    ],
+]
 ```
--- a/lib/Auth/Process/PrivacyideaAuthProc.php
+++ b/lib/Auth/Process/PrivacyideaAuthProc.php
@@ -55,6 +55,7 @@ class PrivacyideaAuthProc extends ProcessingFilter
        // Update state before starting the authentication process
        $state['privacyidea:privacyidea'] = $this->authProcConfig;
        $state['privacyidea:privacyidea']['authenticationMethod'] = 'authprocess';
+        $state['privacyidea:privacyidea:ui']['showLogout'] = $this->authProcConfig['showLogout'] ?? true;

        // If set in config, allow to check the IP of the client and to control the 2FA depending on the client IP.
        // It can be used to configure that a user does not need to provide a second factor when logging in from the local network.

--- a/templates/LoginForm.php
+++ b/templates/LoginForm.php
@@ -241,7 +241,7 @@ if (null !== $this->data['errorCode']) {

            <?php
            // Logout
-            if (isset($this->data['LogoutURL'])) { ?>
+            if ($this->data['showLogout'] ?? true && isset($this->data['LogoutURL'])) { ?>
                <p>
                    <a href="<?php echo htmlspecialchars($this->data['LogoutURL']); ?>"><?php echo $this->t('{status:logout}'); ?></a>
                </p>