Verified Commit 34a06a83 authored by Pavel Břoušek's avatar Pavel Břoušek

fix: fix disabling filter by previous filter

the authproc filter can be configured to be disabled, if a previous filter sets the configured entry in the state.

BREAKING CHANGE: method isPrivacyIDEADisabled moved from Utils to PrivacyideaAuthProc
parents 019ff980 4de86b5a
...@@ -59,13 +59,15 @@ class PrivacyideaAuthProc extends ProcessingFilter ...@@ -59,13 +59,15 @@ class PrivacyideaAuthProc extends ProcessingFilter
// If set in config, allow to check the IP of the client and to control the 2FA depending on the client IP. // If set in config, allow to check the IP of the client and to control the 2FA depending on the client IP.
// It can be used to configure that a user does not need to provide a second factor when logging in from the local network. // It can be used to configure that a user does not need to provide a second factor when logging in from the local network.
if (!empty($this->authProcConfig['excludeClientIPs'])) { if (!empty($this->authProcConfig['excludeClientIPs'])) {
$state['privacyIDEA']['enabled'][0] = $this->matchIP( $ip = Utils::getClientIP();
Utils::getClientIP(), if ($this->matchIP($ip, $this->authProcConfig['excludeClientIPs'])) {
$this->authProcConfig['excludeClientIPs'] Logger::debug('privacyIDEA: privacyIDEA is disabled because ip ' . $ip . ' is excluded.');
); ProcessingChain::resumeProcessing($state);
}
} }
// If set to "true" in config, selectively disable the privacyIDEA authentication using the entityID and/or SAML attributes. // If set to "true" in config, selectively disable the privacyIDEA authentication using the entityID and/or SAML attributes.
// The skipping will be done in self::isPrivacyIDEADisabled
if (!empty($this->authProcConfig['checkEntityID']) && 'true' === $this->authProcConfig['checkEntityID']) { if (!empty($this->authProcConfig['checkEntityID']) && 'true' === $this->authProcConfig['checkEntityID']) {
$stateId = State::saveState($state, 'privacyidea:privacyidea'); $stateId = State::saveState($state, 'privacyidea:privacyidea');
$stateId = $this->checkEntityID($this->authProcConfig, $stateId); $stateId = $this->checkEntityID($this->authProcConfig, $stateId);
...@@ -73,11 +75,9 @@ class PrivacyideaAuthProc extends ProcessingFilter ...@@ -73,11 +75,9 @@ class PrivacyideaAuthProc extends ProcessingFilter
} }
// Check if privacyIDEA is disabled by configuration setting // Check if privacyIDEA is disabled by configuration setting
if (Utils::isPrivacyIDEADisabled($state, $this->authProcConfig)) { if (self::isPrivacyIDEADisabled($state, $this->authProcConfig)) {
Logger::debug('privacyIDEA: privacyIDEA is disabled by a filter'); Logger::debug('privacyIDEA: privacyIDEA is disabled by a filter');
ProcessingChain::resumeProcessing($state); ProcessingChain::resumeProcessing($state);
return;
} }
// SSO check if authentication should be skipped // SSO check if authentication should be skipped
...@@ -164,6 +164,24 @@ class PrivacyideaAuthProc extends ProcessingFilter ...@@ -164,6 +164,24 @@ class PrivacyideaAuthProc extends ProcessingFilter
Logger::error($message); Logger::error($message);
} }
/**
* Check if PrivacyIDEA was disabled by a filter.
*
* @param array $state the global state of simpleSAMLphp
* @param array $config the config for the PrivacyIDEA server
*
* @return bool whether PrivacyIDEA is disabled
*/
public static function isPrivacyIDEADisabled(array $state, array $config)
{
if (isset($config['enabledPath'], $config['enabledKey'])) {
return isset($state[$config['enabledPath']][$config['enabledKey']][0])
&& !$state[$config['enabledPath']][$config['enabledKey']][0];
}
return false;
}
/** /**
* This function check if user has a token and if not - help to enroll a new one in UI. * This function check if user has a token and if not - help to enroll a new one in UI.
* *
...@@ -334,7 +352,7 @@ class PrivacyideaAuthProc extends ProcessingFilter ...@@ -334,7 +352,7 @@ class PrivacyideaAuthProc extends ProcessingFilter
Logger::debug('privacyidea:checkEntityID: test regexp ' . $reg . ' against the string ' . $str); Logger::debug('privacyidea:checkEntityID: test regexp ' . $reg . ' against the string ' . $str);
if (preg_match($reg, $str)) { if (preg_match($reg, $str)) {
array_push($retArr, $reg); $retArr[] = $reg;
} }
} }
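Review bot: The new `isPrivacyIDEADisabled` skips the second factor whenever the state entry is merely falsy (`!$state[...][0]`), so `0`, `'0'` and `''` all disable 2FA while the string `'false'` does not. The `[0]` index suggests attribute-style values written by an earlier filter, which are usually strings, so the accepted value should be explicit, for example `&& false === $state[$config['enabledPath']][$config['enabledKey']][0];`, or a comparison against a documented list of strings if string values are intended. Both skip branches in the filter body (the `excludeClientIPs` match and the disabled-by-filter check) now call `ProcessingChain::resumeProcessing($state);` with no `return;` after it, so they rely on that call never returning; a `return;` after each keeps control from falling through into the challenge flow. Because these branches decide that no second factor is requested, logging them above debug level (e.g. `Logger::info`) with the matched path and key would leave an audit trail. The enclosing method starts and ends outside the hunks shown, so how `Utils::getClientIP()` derives the address could not be checked here.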
......
...@@ -348,24 +348,4 @@ class Utils ...@@ -348,24 +348,4 @@ class Utils
return $config; return $config;
} }
/**
* Check if PrivacyIDEA was disabled by a filter.
*
* @param array $state the global state of simpleSAMLphp
* @param array $config the config for the PrivacyIDEA server
*
* @return bool whether PrivacyIDEA is disabled
*/
public static function isPrivacyIDEADisabled(array $state, array $config)
{
if (isset($config['enabledPath']) || isset($state['enabledPath'])) {
if (isset($config['enabledKey'])
&& (false === $config['enabledKey'] || false === $state['enabledKey'])) {
return true;
}
}
return false;
}
} }