diff --git a/lib/Auth/Process/PrivacyideaAuthProc.php b/lib/Auth/Process/PrivacyideaAuthProc.php
index 649e2e76581fb11700d602d604ab1082ed90b8e2..7e0da3868094826fc0d4682cf37a5f092044f40e 100644
--- a/lib/Auth/Process/PrivacyideaAuthProc.php
+++ b/lib/Auth/Process/PrivacyideaAuthProc.php
@@ -52,10 +52,16 @@ class sspmod_privacyidea_Auth_Process_PrivacyideaAuthProc extends SimpleSAML_Aut
 // It can be used to configure that a user does not need to provide a second factor when logging in from the local network.
 if (!empty($this->authProcConfig['excludeClientIPs']))
 {
- $state['privacyIDEA']['enabled'][0] = $this->matchIP(sspmod_privacyidea_Auth_Utils::getClientIP(), $this->authProcConfig['excludeClientIPs']);
+ $ip = sspmod_privacyidea_Auth_Utils::getClientIP();
+ if ($this->matchIP($ip, $this->authProcConfig['excludeClientIPs']))
+ {
+ SimpleSAML_Logger::debug("privacyIDEA: privacyIDEA is disabled because ip " . $ip . " is excluded.");
+ SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
+ }
 }
 
 // If set to "true" in config, selectively disable the privacyIDEA authentication using the entityID and/or SAML attributes.
+ // The skipping will be done in self::isPrivacyIDEADisabled
 if (!empty($this->authProcConfig['checkEntityID']) && $this->authProcConfig['checkEntityID'] === 'true')
 {
 $stateId = SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea');
@@ -64,11 +70,10 @@ class sspmod_privacyidea_Auth_Process_PrivacyideaAuthProc extends SimpleSAML_Aut
 }
 
 // Check if privacyIDEA is disabled by configuration setting
- if (sspmod_privacyidea_Auth_Utils::isPrivacyIDEADisabled($state, $this->authProcConfig))
+ if (self::isPrivacyIDEADisabled($state, $this->authProcConfig))
 {
 SimpleSAML_Logger::debug("privacyIDEA: privacyIDEA is disabled by a filter");
 SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
- return;
 }
 
 // SSO check if authentication should be skipped
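Review bot: The new excludeClientIPs branch falls through after `SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);` with no `return`, and the second hunk of this file (@@ -64) drops the `return;` that used to follow the same call, so both bypass paths now depend on resumeProcessing() never handing control back to this method. That cannot be verified from this diff; if it can return, processing would continue into the privacyIDEA flow on a state that has already been passed on to the rest of the chain. Either state the assumption next to the call, e.g. `// resumeProcessing() completes the chain and does not return; the second factor is skipped for this IP`, or keep an explicit `return;` so that each branch that skips MFA is obviously terminal. Separately, how much this exclusion can be trusted depends on how getClientIP() derives the address, which is outside this hunk: if it honours forwarded headers, those must be accepted only from trusted proxies, because this one value decides whether the second factor is enforced. The enclosing process() method starts before and ends after this hunk.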
@@ -131,7 +136,7 @@ class sspmod_privacyidea_Auth_Process_PrivacyideaAuthProc extends SimpleSAML_Aut
 {
 SimpleSAML_Auth_ProcessingChain::resumeProcessing($state);
 }
- else if (!empty($response->multiChallenge))
+ elseif (!empty($response->multiChallenge))
 {
 $stateId = sspmod_privacyidea_Auth_Utils::processPIResponse($stateId, $response);
 }
@@ -333,12 +338,28 @@ class sspmod_privacyidea_Auth_Process_PrivacyideaAuthProc extends SimpleSAML_Aut
 
 if (preg_match($reg, $str))
 {
- array_push($retArr, $reg);
+ $retArr[] = $reg;
 }
 }
 return $retArr;
 }
 
+ /**
+ * Check if PrivacyIDEA was disabled by a filter.
+ * @param array $state The global state of simpleSAMLphp.
+ * @param array $config The config for the PrivacyIDEA server.
+ * @return boolean Whether PrivacyIDEA is disabled.
+ */
+ public static function isPrivacyIDEADisabled(array $state, array $config)
+ {
+ if (isset($config['enabledPath']) && isset($config['enabledKey']))
+ {
+ return isset($state[$config['enabledPath']][$config['enabledKey']][0])
+ && !$state[$config['enabledPath']][$config['enabledKey']][0];
+ }
+ return false;
+ }
+
 /**
 * This function allows to show the debug messages from privacyIDEA server
 * @param $message
diff --git a/lib/Auth/Utils.php b/lib/Auth/Utils.php
index 40b07cd7be7497d82ade8ff57c94b350ce875aac..8f058fe5ad38bba3d3762a2ef08fdcd515de5ebb 100644
--- a/lib/Auth/Utils.php
+++ b/lib/Auth/Utils.php
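Review bot: The new isPrivacyIDEADisabled() in the @@ -333 hunk decides with `!$state[...][0]`, i.e. PHP truthiness, so `''`, `'0'`, `0` and `null` all count as "disabled" (second factor skipped) while the string `'false'` counts as enabled; the Utils version this replaces compared with `=== false`. Because the disabled result bypasses MFA, an attribute that is present but empty currently fails open, and the behaviour differs from what the old strict comparison expressed. Compare against an explicit set of accepted values and return false for anything else, e.g. inside the existing isset branch `$value = $state[$config['enabledPath']][$config['enabledKey']][0];` followed by `return in_array($value, array(false, 0, '0', 'false'), true);`, with the list adjusted to whatever the module documents as accepted. The docblock should name those values too, since "Whether PrivacyIDEA is disabled" leaves the caller guessing which attribute values trigger the skip. The method whose tail opens this hunk starts outside it.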
@@ -396,23 +396,4 @@ class sspmod_privacyidea_Auth_Utils
 }
 return $config;
 }
-
- /**
- * Check if PrivacyIDEA was disabled by a filter.
- * @param array $state The global state of simpleSAMLphp.
- * @param array $config The config for the PrivacyIDEA server.
- * @return boolean Whether PrivacyIDEA is disabled.
- */
- public static function isPrivacyIDEADisabled(array $state, array $config)
- {
- if (isset($config['enabledPath']) || isset($state['enabledPath']))
- {
- if (isset($config['enabledKey'])
- && ($config['enabledKey'] === false || $state['enabledKey'] === false))
- {
- return true;
- }
- }
- return false;
- }
 }