From 2b8636b3ec27188fffc7bb5bbd072f3812c9a343 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ou=C5=A1ek?= <brousek@ics.muni.cz>
Date: Wed, 23 Mar 2022 08:33:50 +0100
Subject: [PATCH] feat: showLogout configuration option

---
 docs/privacyidea.md                      | 54 +++++++++++++-----------
 lib/Auth/Process/PrivacyideaAuthProc.php |  1 +
 templates/LoginForm.php                  |  2 +-
 3 files changed, 32 insertions(+), 25 deletions(-)

diff --git a/docs/privacyidea.md b/docs/privacyidea.md
index 34c74f6..c6ccc2c 100644
--- a/docs/privacyidea.md
+++ b/docs/privacyidea.md
@@ -17,7 +17,7 @@ You need to add the authentication source 'privacyidea' to
 `config/authsources.php`. _example-privacyidea_ is the name used to identify this module, it can be changed to your liking. The following is a template configuration:
 
 ```PHP
-'example-privacyidea' => array(
+'example-privacyidea' => [
     'privacyidea:PrivacyideaAuthSource',
 
     /*
@@ -100,35 +100,35 @@ You need to add the authentication source 'privacyidea' to
      * SAML attribute names.
      * Optional.
      */
-    'attributemap' => array(
+    'attributemap' => [
         'username' => 'samlLoginName',
         'surname' => 'surName',
         'givenname' => 'givenName',
         'email' => 'emailAddress',
         'phone' => 'telePhone',
         'mobile' => 'mobilePhone'
-    ),
+    ],
 
     /*
      * You are able to concatenate attributes like the given and surname.
      * Optional.
      */
-    'concatenationmap' => array(
+    'concatenationmap' => [
         'givenname,surname' => 'fullName',
-    ),
+    ],
 
     /*
      * Here the detail attributes can be edited.
      * If they should not be listed, just remove them.
      * Optional.
      */
-    'detailmap' => array(
+    'detailmap' => [
         'message' => 'message',
         'type' => 'otpType',
         'serial' => 'otpSerial',
         'otplen' => 'otpLength'
-    ),
-),
+    ],
+],
 ```
 
 ## User attributes
@@ -151,12 +151,12 @@ attribute 'groups', you can map that to 'groups' if you include it in the attrib
 If you want to use privacyIDEA as an auth process filter, add the configuration to the metadata file (e.g. `simplesaml/metadata/saml20-idp-hosted.php`.
 
 ```PHP
-'authproc' => array(
+'authproc' => [
 
     /**
      *  Configuration for the privacyIDEA server.
      */
-    20 => array(
+    20 => [
         'class'             => 'privacyidea:PrivacyideaAuthProc',
 
         /**
@@ -174,7 +174,7 @@ If you want to use privacyIDEA as an auth process filter, add the configuration
          *  You can choose a single one or multiple ones. The first set will be used.
          */
         'uidKey'            => 'uid',
-        //  'uidKey'        => array('uid', 'userName', 'uName'),
+        //  'uidKey'        => ['uid', 'userName', 'uName'],
 
         /**
          *  Check if the hostname matches the name in the certificate.
@@ -265,7 +265,7 @@ If you want to use privacyIDEA as an auth process filter, add the configuration
          *  Enter a range like "10.0.0.0-10.2.0.0" or a single ip like "192.168.178.2"
          *  The selected ip addresses do not need 2FA
          */
-        'excludeClientIPs'  => array("10.0.0.0-10.2.0.0", "192.168.178.2"),
+        'excludeClientIPs'  => ["10.0.0.0-10.2.0.0", "192.168.178.2"],
 
 
         /**
@@ -288,10 +288,10 @@ If you want to use privacyIDEA as an auth process filter, add the configuration
          *  If there is a match, the filter will set the specified state variable to false and thereby disables
          *  privacyIDEA for this entityID The first matching expression will take precedence.
          */
-        'excludeEntityIDs' => array(
+        'excludeEntityIDs' => [
             '/http(s)\/\/conditional-no2fa-provider.de\/(.*)/',
             '/http(.*)no2fa-provider.de/'
-        ),
+        ],
         /**
          *  Per value in excludeEntityIDs, you may specify another set of regular expressions to match the
          *  attributes in the SAML request. If there is a match in any attribute value, this filter will
@@ -300,17 +300,23 @@ If you want to use privacyIDEA as an auth process filter, add the configuration
          *  accounts.
          *  The key in includeAttributes must be identical to a value in excludeEntityIDs to have an effect!
          */
-        'includeAttributes' => array(
-            '/http(s)\/\/conditional-no2fa-provider.de\/(.*)/' => array(
-                'memberOf' => array(
+        'includeAttributes' => [
+            '/http(s)\/\/conditional-no2fa-provider.de\/(.*)/' => [
+                'memberOf' => [
                     '/cn=2fa-required([-_])regexmatch(.*),cn=groups,(.*)/',
                     'cn=2fa-required-exactmatch,ou=section,dc=privacyidea,dc=org'
-                ),
-                'myAttribute' => array(
+                ],
+                'myAttribute' => [
                     '/(.*)2fa-required/', '2fa-required',
-                )
-            )
-        ),
-    ),
-)
+                ]
+            ]
+        ],
+
+        /**
+         * Whether to show logout link on the auth proc filter page.
+         * Optional, default to true.
+         */
+        'showLogout' => false,
+    ],
+]
 ```
diff --git a/lib/Auth/Process/PrivacyideaAuthProc.php b/lib/Auth/Process/PrivacyideaAuthProc.php
index b0fc618..94ed5f5 100644
--- a/lib/Auth/Process/PrivacyideaAuthProc.php
+++ b/lib/Auth/Process/PrivacyideaAuthProc.php
@@ -55,6 +55,7 @@ class PrivacyideaAuthProc extends ProcessingFilter
         // Update state before starting the authentication process
         $state['privacyidea:privacyidea'] = $this->authProcConfig;
         $state['privacyidea:privacyidea']['authenticationMethod'] = 'authprocess';
+        $state['privacyidea:privacyidea:ui']['showLogout'] = $this->authProcConfig['showLogout'] ?? true;
 
         // If set in config, allow to check the IP of the client and to control the 2FA depending on the client IP.
         // It can be used to configure that a user does not need to provide a second factor when logging in from the local network.
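Review bot: The new `showLogout` line copies the config value through unchanged, so a non-boolean value such as the string `'false'` or `'0'` would be truthy and would still show the logout link in the template; casting makes the option behave as the boolean the docs describe, `$state['privacyidea:privacyidea:ui']['showLogout'] = (bool) ($this->authProcConfig['showLogout'] ?? true);`. The value is stored under `privacyidea:privacyidea:ui` while the template hunk reads `$this->data['showLogout']`; the code that moves it from state into the template data is not in this patch, so it is worth confirming that mapping exists, otherwise the template will always fall back to its own default. The enclosing method starts before this hunk.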
diff --git a/templates/LoginForm.php b/templates/LoginForm.php
index 08e11ad..706941e 100644
--- a/templates/LoginForm.php
+++ b/templates/LoginForm.php
@@ -241,7 +241,7 @@ if (null !== $this->data['errorCode']) {
 
             <?php
             // Logout
-            if (isset($this->data['LogoutURL'])) { ?>
+            if ($this->data['showLogout'] ?? true && isset($this->data['LogoutURL'])) { ?>
                 <p>
                     <a href="<?php echo htmlspecialchars($this->data['LogoutURL']); ?>"><?php echo $this->t('{status:logout}'); ?></a>
                 </p>
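Review bot: The condition `$this->data['showLogout'] ?? true && isset($this->data['LogoutURL'])` is mis-parsed because `??` binds more loosely than `&&` in PHP, so it reads as `showLogout ?? (true && isset(LogoutURL))`; whenever `showLogout` is explicitly set to `true`, the `isset` guard is skipped and the link is rendered with an undefined `LogoutURL`, producing an empty `href` and an undefined-index warning from `htmlspecialchars`. Parenthesise the default so both checks apply: `if (($this->data['showLogout'] ?? true) && isset($this->data['LogoutURL'])) { ?>`. The previous behaviour, where the link appeared only when `LogoutURL` was present, is then preserved for every value of `showLogout`. The surrounding template markup begins before and ends after this hunk.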
-- 
GitLab