feat: config options password_contexts and mfa_contexts

also dropped redundant option proxy_mode from additional attributes filter

README.md

@@ -77,6 +77,12 @@ Add an instance of the auth proc filter with example configuration `authswitcher
           'preferred_filter' => 'privacyidea:PrivacyideaAuthProc',
           'max_user_capability_attr' => 'maxUserCapability',
           'max_auth' => 'https://id.muni.cz/profile/maxAuth',
+          //'password_contexts' => array_merge(AuthSwitcher::PASSWORD_CONTEXTS, [
+          //    'my-custom-authn-context-for-password'
+          //]),
+          //'mfa_contexts' => array_merge(AuthSwitcher::MFA_CONTEXTS, [
+          //    'my-custom-authn-context-for-mfa'
+          //]),
       ],
       'configs' => [
             'totp:Totp' => [
@@ -186,7 +192,6 @@ This filter sets attributes based on whether MFA was in fact performed (at upstr
 `AddAdditionalAttributesAfterMfa` needs to run after the `SwitchAuth` filter.
 
 In configuration, you just need to add a `custom_attrs` option which contains a map of additional attributes and their values.
-Also, you can add a `proxy_mode` option as mentioned above.
 
 ```php
 55 => [

lib/Auth/Process/AddAdditionalAttributesAfterMfa.php

@@ -5,8 +5,6 @@ declare(strict_types=1);
 namespace SimpleSAML\Module\authswitcher\Auth\Process;
 
 use SimpleSAML\Configuration;
-use SimpleSAML\Module\authswitcher\ProxyHelper;
-use SimpleSAML\Module\authswitcher\Utils;
 
 class AddAdditionalAttributesAfterMfa extends \SimpleSAML\Auth\ProcessingFilter
 {
@@ -14,8 +12,6 @@ class AddAdditionalAttributesAfterMfa extends \SimpleSAML\Auth\ProcessingFilter
 
     private $customAttrs;
 
-    private $proxyMode = false;
-
     public function __construct($config, $reserved)
     {
         parent::__construct($config, $reserved);
@@ -23,18 +19,11 @@ class AddAdditionalAttributesAfterMfa extends \SimpleSAML\Auth\ProcessingFilter
         $config = Configuration::loadFromArray($config['config']);
 
         $this->customAttrs = $config->getArray('custom_attrs');
-        $this->proxyMode = $config->getBoolean('proxy_mode', $this->proxyMode);
     }
 
     public function process(&$state)
     {
-        if ($this->proxyMode) {
-            $upstreamContext = ProxyHelper::fetchContextFromUpstreamIdp($state);
-        } else {
-            $upstreamContext = null;
-        }
-
-        if (Utils::wasMFAPerformed($state, $upstreamContext)) {
+        if ($state[AuthSwitcher::MFA_PERFORMED]) {
             foreach ($this->customAttrs as $key => $value) {
                 $state['Attributes'][$key] = $value;
             }

lib/Auth/Process/SwitchAuth.php

@@ -96,6 +96,11 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
         $this->sfa_alphabet_attr = $config->getString('sfa_alphabet_attr', $this->sfa_alphabet_attr);
         $this->sfa_len_attr = $config->getString('sfa_len_attr', $this->sfa_len_attr);
         $this->check_entropy = $config->getBoolean('check_entropy', $this->check_entropy);
+
+        $this->password_contexts = $config->getArray('password_contexts', AuthSwitcher::PASSWORD_CONTEXTS);
+        $this->mfa_contexts = $config->getArray('mfa_contexts', AuthSwitcher::MFA_CONTEXTS);
+
+        $this->authnContextHelper = new AuthnContextHelper($this->password_contexts, $this->mfa_contexts);
     }
 
     /**
@@ -123,7 +128,7 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
             $upstreamContext = null;
         }
 
-        $state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS] = AuthnContextHelper::getSupportedRequestedContexts(
+        $this->supported_requested_contexts = $this->authnContextHelper->getSupportedRequestedContexts(
             $usersCapabilities,
             $state,
             $upstreamContext,
@@ -131,12 +136,12 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
             $this->mfa_enforced
         );
 
-        self::info('supported requested contexts: ' . json_encode($state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS]));
+        self::info('supported requested contexts: ' . json_encode($this->supported_requested_contexts));
 
-        $shouldPerformMFA = !AuthnContextHelper::MFAin([
+        $shouldPerformMFA = !$this->authnContextHelper->MFAin([
             $upstreamContext,
-        ]) && ($this->mfa_enforced || AuthnContextHelper::isMFAprefered(
-            $state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS]
+        ]) && ($this->mfa_enforced || $this->authnContextHelper->isMFAprefered(
+            $this->supported_requested_contexts
         ));
 
         if ($this->mfa_preferred_privacyidea_fail && !empty($state[AuthSwitcher::PRIVACY_IDEA_FAIL]) && $shouldPerformMFA) {
@@ -144,11 +149,13 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
         }
 
         // switch to MFA if enforced or preferred but not already done if we handle the proxy mode
-        $performMFA = AuthnContextHelper::MFAin($usersCapabilities) && $shouldPerformMFA;
+        $performMFA = $this->authnContextHelper->MFAin($usersCapabilities) && $shouldPerformMFA;
 
         $maxUserCapability = '';
-        if (in_array(AuthSwitcher::MFA, $usersCapabilities, true) || AuthnContextHelper::MFAin([$upstreamContext])) {
-            $maxUserCapability = AuthSwitcher::MFA;
+        if (in_array(AuthSwitcher::REFEDS_MFA, $usersCapabilities, true) || $this->authnContextHelper->MFAin([
+            $upstreamContext,
+        ])) {
+            $maxUserCapability = AuthSwitcher::REFEDS_MFA;
         } elseif (count($usersCapabilities) === 1) {
             $maxUserCapability = $usersCapabilities[0];
         }
@@ -164,19 +171,19 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
 
     public function setAuthnContext(&$state, $maxUserCapability, $upstreamContext = null)
     {
-        $mfaPerformed = Utils::wasMFAPerformed($state, $upstreamContext);
+        $state[AuthSwitcher::MFA_PERFORMED] = !empty($state[AuthSwitcher::MFA_BEING_PERFORMED]) || $this->authnContextHelper->MFAin([
+            $upstreamContext,
+        ]);
 
-        if ($maxUserCapability === AuthSwitcher::SFA || ($maxUserCapability === AuthSwitcher::MFA && $mfaPerformed)) {
+        if ($maxUserCapability === AuthSwitcher::REFEDS_SFA || ($maxUserCapability === AuthSwitcher::REFEDS_MFA && $state[AuthSwitcher::MFA_PERFORMED])) {
             $state['Attributes'][$this->max_user_capability_attr][] = $this->max_auth;
         }
 
-        $possibleReplies = $mfaPerformed ? array_merge(
-            AuthSwitcher::REPLY_CONTEXTS_MFA,
-            AuthSwitcher::REPLY_CONTEXTS_SFA
-        ) : AuthSwitcher::REPLY_CONTEXTS_SFA;
-        $possibleReplies = array_values(
-            array_intersect($possibleReplies, $state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS])
-        );
+        $possibleReplies = $state[AuthSwitcher::MFA_PERFORMED] ? array_merge(
+            $this->mfa_contexts,
+            $this->password_contexts
+        ) : $this->password_contexts;
+        $possibleReplies = array_values(array_intersect($possibleReplies, $this->supported_requested_contexts));
         if (empty($possibleReplies)) {
             AuthnContextHelper::noAuthnContextResponder($state);
         } else {
@@ -268,7 +275,7 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
 
                 foreach ($this->type_filter_array as $type => $method) {
                     if ($mfaToken['revoked'] === false && $mfaToken[$this->token_type_attr] === $type) {
-                        $result[] = AuthSwitcher::MFA;
+                        $result[] = AuthSwitcher::REFEDS_MFA;
                         break;
                     }
                 }
@@ -277,7 +284,7 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
                 }
             }
         }
-        $result[] = AuthSwitcher::SFA;
+        $result[] = AuthSwitcher::REFEDS_SFA;
 
         return $result;
     }

lib/AuthSwitcher.php

@@ -12,24 +12,24 @@ use SAML2\Constants;
 class AuthSwitcher
 {
     /**
-     * Name of the MFA being performed attribute.
+     * Key into state array for MFA being performed.
      */
-    public const MFA_BEING_PERFORMED = 'mfa_being_performed';
+    public const MFA_BEING_PERFORMED = 'authswitcher_mfa_being_performed';
 
     /**
-     * Name of the support requested contexts attribute.
+     * Key into state array for MFA was done.
      */
-    public const SUPPORTED_REQUESTED_CONTEXTS = 'authswitcher_supported_requested_contexts';
+    public const MFA_PERFORMED = 'authswitcher_mfa_performed';
 
     /**
      * REFEDS profile for SFA.
      */
-    public const SFA = 'https://refeds.org/profile/sfa';
+    public const REFEDS_SFA = 'https://refeds.org/profile/sfa';
 
     /**
      * REFEDS profile for MFA.
      */
-    public const MFA = 'https://refeds.org/profile/mfa';
+    public const REFEDS_MFA = 'https://refeds.org/profile/mfa';
 
     /**
      * Microsoft authentication context for MFA.
@@ -37,34 +37,14 @@ class AuthSwitcher
     public const MS_MFA = 'http://schemas.microsoft.com/claims/multipleauthn';
 
     /**
-     * Supported AuthnContexts (pass <= sfa < mfa).
+     * Contexts trusted as multifactor authentication, in the order of preference (for replies).
      */
-    public const SUPPORTED = [Constants::AC_PASSWORD_PROTECTED_TRANSPORT, self::SFA, self::MFA, self::MS_MFA];
+    public const MFA_CONTEXTS = [self::REFEDS_MFA, self::MS_MFA];
 
     /**
-     * Contexts to assume when request contains none.
+     * Contexts trusted as password authentication, in the order of preference (for replies).
      */
-    public const DEFAULT_REQUESTED_CONTEXTS = [self::SFA, Constants::AC_PASSWORD_PROTECTED_TRANSPORT, self::MFA];
-
-    /**
-     * Contexts to reply when MFA was performed, in the order of preference.
-     */
-    public const REPLY_CONTEXTS_MFA = [self::MFA, self::MS_MFA];
-
-    /**
-     * Contexts to reply when MFA was not performed, in the order of preference.
-     */
-    public const REPLY_CONTEXTS_SFA = [self::SFA, Constants::AC_PASSWORD_PROTECTED_TRANSPORT];
-
-    /**
-     * Contexts which are considered multifactor authentication.
-     */
-    public const MFA_CONTEXTS = self::REPLY_CONTEXTS_MFA;
-
-    /**
-     * Contexts which are considered single factor authentication only.
-     */
-    public const SFA_CONTEXTS = self::REPLY_CONTEXTS_SFA;
+    public const PASSWORD_CONTEXTS = [self::REFEDS_SFA, Constants::AC_PASSWORD_PROTECTED_TRANSPORT];
 
     public const ERROR_STATE_ID = 'authswitcher_error_state_id';
 

lib/AuthnContextHelper.php

@@ -14,21 +14,29 @@ use SimpleSAML\Module\saml\Error\NoAuthnContext;
  */
 class AuthnContextHelper
 {
-    public static function MFAin($contexts)
+    public function __construct($password_contexts, $mfa_contexts)
     {
-        return array_intersect(AuthSwitcher::MFA_CONTEXTS, $contexts);
+        $this->password_contexts = $password_contexts;
+        $this->mfa_contexts = $mfa_contexts;
+        $this->supported_contexts = array_merge($this->mfa_contexts, $this->password_contexts);
+        $this->default_requested_contexts = array_merge($this->password_contexts, $this->mfa_contexts);
     }
 
-    public static function isMFAprefered($supportedRequestedContexts = [])
+    public function MFAin($contexts)
+    {
+        return !empty(array_intersect($this->mfa_contexts, $contexts));
+    }
+
+    public function isMFAprefered($supportedRequestedContexts = [])
     {
         return count($supportedRequestedContexts) > 0 && in_array(
             $supportedRequestedContexts[0],
-            AuthSwitcher::MFA_CONTEXTS,
+            $this->mfa_contexts,
             true
         );
     }
 
-    public static function getSupportedRequestedContexts(
+    public function getSupportedRequestedContexts(
         $usersCapabilities,
         $state,
         $upstreamContext,
@@ -39,14 +47,14 @@ class AuthnContextHelper
         if (empty($requestedContexts)) {
             Logger::info(
                 'authswitcher: no AuthnContext requested, using default: ' . json_encode(
-                    AuthSwitcher::DEFAULT_REQUESTED_CONTEXTS
+                    $this->default_requested_contexts
                 )
             );
-            $requestedContexts = AuthSwitcher::DEFAULT_REQUESTED_CONTEXTS;
+            $requestedContexts = $this->default_requested_contexts;
         }
-        $supportedRequestedContexts = array_values(array_intersect($requestedContexts, AuthSwitcher::SUPPORTED));
+        $supportedRequestedContexts = array_values(array_intersect($requestedContexts, $this->supported_contexts));
         if (!$sfaEntropy) {
-            $supportedRequestedContexts = array_diff($supportedRequestedContexts, [Authswitcher::SFA]);
+            $supportedRequestedContexts = array_diff($supportedRequestedContexts, [Authswitcher::REFEDS_SFA]);
             Logger::info(
                 'authswitcher: SFA password entropy level isn\'t satisfied. Remove SFA from SupportedRequestedContext.'
             );
@@ -63,7 +71,7 @@ class AuthnContextHelper
 
         // check for unsatisfiable combinations
         if (
-            !self::testComparison(
+            !$this->testComparison(
                 $usersCapabilities,
                 $supportedRequestedContexts,
                 $state['saml:RequestedAuthnContext']['Comparison'] ?? Constants::COMPARISON_EXACT,
@@ -85,15 +93,9 @@ class AuthnContextHelper
         self::noAuthnContext($state, Constants::STATUS_RESPONDER);
     }
 
-    public static function SFAin($contexts)
+    public function SFAin($contexts)
     {
-        foreach (AuthSwitcher::SFA_CONTEXTS as $sfa_context) {
-            if (in_array($sfa_context, $contexts, true)) {
-                return true;
-            }
-        }
-
-        return false;
+        return !empty(array_intersect($this->password_contexts, $contexts));
     }
 
     /**
@@ -106,21 +108,21 @@ class AuthnContextHelper
      * @param mixed|null $upstreamContext
      * @param mixed      $mfaEnforced
      */
-    private static function testComparison(
+    private function testComparison(
         $usersCapabilities,
         $supportedRequestedContexts,
         $comparison,
         $upstreamContext = null,
         $mfaEnforced = false
     ) {
-        $upstreamMFA = $upstreamContext === null ? false : self::MFAin([$upstreamContext]);
-        $upstreamSFA = $upstreamContext === null ? false : self::SFAin([$upstreamContext]);
+        $upstreamMFA = $upstreamContext === null ? false : $this->MFAin([$upstreamContext]);
+        $upstreamSFA = $upstreamContext === null ? false : $this->SFAin([$upstreamContext]);
 
-        $requestedSFA = self::SFAin($supportedRequestedContexts);
-        $requestedMFA = self::MFAin($supportedRequestedContexts);
+        $requestedSFA = $this->SFAin($supportedRequestedContexts);
+        $requestedMFA = $this->MFAin($supportedRequestedContexts);
 
-        $userCanSFA = self::SFAin($usersCapabilities);
-        $userCanMFA = self::MFAin($usersCapabilities);
+        $userCanSFA = $this->SFAin($usersCapabilities);
+        $userCanMFA = $this->MFAin($usersCapabilities);
 
         switch ($comparison) {
             case Constants::COMPARISON_BETTER:

lib/Utils.php

@@ -29,17 +29,6 @@ class Utils
         $authFilter->process($state);
     }
 
-    /**
-     * Check whether MFA was performed, either locally (by running MFA auth proc filters) or at the upstream IdP.
-     *
-     * @param mixed      $state
-     * @param mixed|null $upstreamContext
-     */
-    public static function wasMFAPerformed($state, $upstreamContext = null)
-    {
-        return !empty($state[AuthSwitcher::MFA_BEING_PERFORMED]) || $upstreamContext === AuthSwitcher::MFA;
-    }
-
     public static function areFilterModulesEnabled(array $filters)
     {
         $invalidModules = [];