diff --git a/lib/Auth/Process/PrivacyideaAuthProc.php b/lib/Auth/Process/PrivacyideaAuthProc.php
index 5657a1062467ab366f2f3a987ff8a868eae79348..b0fc6187ca2c60f1cd299f7de722b8360b261cc4 100644
--- a/lib/Auth/Process/PrivacyideaAuthProc.php
+++ b/lib/Auth/Process/PrivacyideaAuthProc.php
@@ -59,13 +59,15 @@ class PrivacyideaAuthProc extends ProcessingFilter
 // If set in config, allow to check the IP of the client and to control the 2FA depending on the client IP.
 // It can be used to configure that a user does not need to provide a second factor when logging in from the local network.
 if (!empty($this->authProcConfig['excludeClientIPs'])) {
- $state['privacyIDEA']['enabled'][0] = $this->matchIP(
- Utils::getClientIP(),
- $this->authProcConfig['excludeClientIPs']
- );
+ $ip = Utils::getClientIP();
+ if ($this->matchIP($ip, $this->authProcConfig['excludeClientIPs'])) {
+ Logger::debug('privacyIDEA: privacyIDEA is disabled because ip ' . $ip . ' is excluded.');
+ ProcessingChain::resumeProcessing($state);
+ }
 }
 // If set to "true" in config, selectively disable the privacyIDEA authentication using the entityID and/or SAML attributes.
+ // The skipping will be done in self::isPrivacyIDEADisabled
 if (!empty($this->authProcConfig['checkEntityID']) && 'true' === $this->authProcConfig['checkEntityID']) {
 $stateId = State::saveState($state, 'privacyidea:privacyidea');
 $stateId = $this->checkEntityID($this->authProcConfig, $stateId);
@@ -73,11 +75,9 @@ class PrivacyideaAuthProc extends ProcessingFilter
 }
 // Check if privacyIDEA is disabled by configuration setting
- if (Utils::isPrivacyIDEADisabled($state, $this->authProcConfig)) {
+ if (self::isPrivacyIDEADisabled($state, $this->authProcConfig)) {
 Logger::debug('privacyIDEA: privacyIDEA is disabled by a filter');
 ProcessingChain::resumeProcessing($state);
-
- return;
 }
 // SSO check if authentication should be skipped
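Review bot: The new excludeClientIPs branch calls `ProcessingChain::resumeProcessing($state);` and then falls through into the remainder of the enclosing method, and the second hunk (@@ -73) removes the explicit `return;` after the same call, so both paths now depend on resumeProcessing() never returning to its caller. If that assumption does not hold in some configuration (a completion callback that returns, or a test double), the filter continues and still contacts privacyIDEA for a client it has just declared excluded; a `return;` directly after each `ProcessingChain::resumeProcessing($state);` makes the intent explicit at no cost. Separately, an address matching excludeClientIPs now skips the second factor outright instead of setting `$state['privacyIDEA']['enabled'][0]`, so the result of Utils::getClientIP() must be one the deployment trusts — if it is derived from forwarded headers (not visible here), the exclusion is only as strong as the proxy setup, which deserves a sentence in the comment above the `if (!empty($this->authProcConfig['excludeClientIPs']))` line. The enclosing method starts and ends outside these hunks.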
@@ -164,6 +164,24 @@ class PrivacyideaAuthProc extends ProcessingFilter
 Logger::error($message);
 }
+ /**
+ * Check if PrivacyIDEA was disabled by a filter.
+ *
+ * @param array $state the global state of simpleSAMLphp
+ * @param array $config the config for the PrivacyIDEA server
+ *
+ * @return bool whether PrivacyIDEA is disabled
+ */
+ public static function isPrivacyIDEADisabled(array $state, array $config)
+ {
+ if (isset($config['enabledPath'], $config['enabledKey'])) {
+ return isset($state[$config['enabledPath']][$config['enabledKey']][0])
+ && !$state[$config['enabledPath']][$config['enabledKey']][0];
+ }
+
+ return false;
+ }
+
 /**
 * This function check if user has a token and if not - help to enroll a new one in UI.
 *
@@ -334,7 +352,7 @@ class PrivacyideaAuthProc extends ProcessingFilter
 Logger::debug('privacyidea:checkEntityID: test regexp ' . $reg . ' against the string ' . $str);
 if (preg_match($reg, $str)) {
- array_push($retArr, $reg);
+ $retArr[] = $reg;
 }
 }
diff --git a/lib/Auth/Utils.php b/lib/Auth/Utils.php
index da3f8fb9f0a1bfe482e4dc66e6bb869f197579f5..99ff885ac485db6b4bb40d2329bb74404cbf7af1 100644
--- a/lib/Auth/Utils.php
+++ b/lib/Auth/Utils.php
@@ -348,24 +348,4 @@ class Utils
 return $config;
 }
-
- /**
- * Check if PrivacyIDEA was disabled by a filter.
- *
- * @param array $state the global state of simpleSAMLphp
- * @param array $config the config for the PrivacyIDEA server
- *
- * @return bool whether PrivacyIDEA is disabled
- */
- public static function isPrivacyIDEADisabled(array $state, array $config)
- {
- if (isset($config['enabledPath']) || isset($state['enabledPath'])) {
- if (isset($config['enabledKey'])
- && (false === $config['enabledKey'] || false === $state['enabledKey'])) {
- return true;
- }
- }
-
- return false;
- }
 }
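Review bot: isPrivacyIDEADisabled() in the @@ -164 hunk declares no return type although its docblock promises bool; `public static function isPrivacyIDEADisabled(array $state, array $config): bool`. The check negates `$state[$config['enabledPath']][$config['enabledKey']][0]` with `!`, so the flag is evaluated by PHP truthiness: an empty string, '0' or 0 disables privacyIDEA while the string 'false' leaves it enabled, which matters if that value can originate from a SAML attribute (always strings) rather than a PHP bool written by a filter — not visible here. A one-line addition to the docblock would settle it for callers: `* The value at $state[$config['enabledPath']][$config['enabledKey']][0] is tested for PHP truthiness; any falsy value disables privacyIDEA.` Note that the removed Utils::isPrivacyIDEADisabled() in lib/Auth/Utils.php tested `false ===` against `enabledKey` directly, so deployments that relied on that older shape change meaning without an error.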