Verified Commit c1a4ee1a authored by Pavel Břoušek's avatar Pavel Břoušek

style: refactoring

parent c46afd88
1 merge request!47Mfa enforce settings
...@@ -23,7 +23,7 @@ class GetMfaTokensPrivacyIDEA extends \SimpleSAML\Auth\ProcessingFilter ...@@ -23,7 +23,7 @@ class GetMfaTokensPrivacyIDEA extends \SimpleSAML\Auth\ProcessingFilter
private $timeout; private $timeout;
private $tokens_attr = 'mfaTokens'; private $tokens_attr = AuthSwitcher::MFA_TOKENS;
private $privacy_idea_username; private $privacy_idea_username;
...@@ -20,8 +20,6 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter ...@@ -20,8 +20,6 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
/* constants */ /* constants */
private const DEBUG_PREFIX = 'authswitcher:SwitchAuth: '; private const DEBUG_PREFIX = 'authswitcher:SwitchAuth: ';
private const MFA_TOKENS = 'mfaTokens';
private $type_filter_array = [ private $type_filter_array = [
'TOTP' => 'privacyidea:PrivacyideaAuthProc', 'TOTP' => 'privacyidea:PrivacyideaAuthProc',
'WebAuthn' => 'privacyidea:PrivacyideaAuthProc', 'WebAuthn' => 'privacyidea:PrivacyideaAuthProc',
...@@ -56,11 +54,6 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter ...@@ -56,11 +54,6 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
*/ */
private $max_auth = 'https://id.muni.cz/profile/maxAuth'; private $max_auth = 'https://id.muni.cz/profile/maxAuth';
/**
* Whether MFA is enforced for the current user.
*/
private $mfa_enforced;
private $check_entropy = false; private $check_entropy = false;
private $sfa_alphabet_attr; private $sfa_alphabet_attr;
...@@ -119,7 +112,7 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter ...@@ -119,7 +112,7 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
*/ */
public function process(&$state) public function process(&$state)
{ {
$this->mfa_enforced = !empty($state['Attributes']['mfaEnforced']); $mfaEnforced = Utils::isMFAEnforced($state);
$this->getConfig($this->config); $this->getConfig($this->config);
...@@ -142,16 +135,14 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter ...@@ -142,16 +135,14 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
$state, $state,
$upstreamContext, $upstreamContext,
!$this->check_entropy || $this->checkSfaEntropy($state['Attributes']), !$this->check_entropy || $this->checkSfaEntropy($state['Attributes']),
$this->mfa_enforced $mfaEnforced
); );
self::info('supported requested contexts: ' . json_encode($this->supported_requested_contexts)); self::info('supported requested contexts: ' . json_encode($this->supported_requested_contexts));
$shouldPerformMFA = !$this->authnContextHelper->MFAin([ $shouldPerformMFA = !$this->authnContextHelper->MFAin([
$upstreamContext, $upstreamContext,
]) && ($this->mfa_enforced || $this->authnContextHelper->isMFAprefered( ]) && ($mfaEnforced || $this->authnContextHelper->isMFAprefered($this->supported_requested_contexts));
$this->supported_requested_contexts
));
if ($this->mfa_preferred_privacyidea_fail && !empty($state[AuthSwitcher::PRIVACY_IDEA_FAIL]) && $shouldPerformMFA) { if ($this->mfa_preferred_privacyidea_fail && !empty($state[AuthSwitcher::PRIVACY_IDEA_FAIL]) && $shouldPerformMFA) {
throw new Exception(self::DEBUG_PREFIX . 'MFA should be performed but connection to privacyidea failed.'); throw new Exception(self::DEBUG_PREFIX . 'MFA should be performed but connection to privacyidea failed.');
...@@ -276,8 +267,8 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter ...@@ -276,8 +267,8 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
private function getMFAForUid($state) private function getMFAForUid($state)
{ {
$result = []; $result = [];
if (!empty($state['Attributes'][self::MFA_TOKENS])) { if (!empty($state['Attributes'][AuthSwitcher::MFA_TOKENS])) {
foreach ($state['Attributes'][self::MFA_TOKENS] as $mfaToken) { foreach ($state['Attributes'][AuthSwitcher::MFA_TOKENS] as $mfaToken) {
if (is_string($mfaToken)) { if (is_string($mfaToken)) {
$mfaToken = json_decode($mfaToken, true); $mfaToken = json_decode($mfaToken, true);
} }
...@@ -301,8 +292,8 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter ...@@ -301,8 +292,8 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
private function getActiveMethod(&$state) private function getActiveMethod(&$state)
{ {
$result = []; $result = [];
if (!empty($state['Attributes'][self::MFA_TOKENS])) { if (!empty($state['Attributes'][AuthSwitcher::MFA_TOKENS])) {
foreach ($state['Attributes'][self::MFA_TOKENS] as $mfaToken) { foreach ($state['Attributes'][AuthSwitcher::MFA_TOKENS] as $mfaToken) {
if (is_string($mfaToken)) { if (is_string($mfaToken)) {
$mfaToken = json_decode($mfaToken, true); $mfaToken = json_decode($mfaToken, true);
} }
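Review bot: Dropping the `$mfa_enforced` property (hunk at -56) while only the two reads inside `process()` (hunks at -119 and -142) are rewritten to the local `$mfaEnforced` means any other `$this->mfa_enforced` read left in the class would now silently evaluate to null, i.e. "not enforced"; the rest of the class is outside these hunks, so it should be checked before merge. The property's docblock `Whether MFA is enforced for the current user.` is lost with it; carry the intent onto the local, e.g. `$mfaEnforced = Utils::isMFAEnforced($state); // true when the MFA_ENFORCED attribute is set for this user`. `process()` continues outside the hunk.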
...@@ -53,4 +53,14 @@ class AuthSwitcher ...@@ -53,4 +53,14 @@ class AuthSwitcher
public const PRIVACY_IDEA_FAIL = 'PrivacyIDEAFail'; public const PRIVACY_IDEA_FAIL = 'PrivacyIDEAFail';
public const SP_REQUESTED_CONTEXTS = 'AUTHSWITCHER_SP_REQUESTED_CONTEXTS'; public const SP_REQUESTED_CONTEXTS = 'AUTHSWITCHER_SP_REQUESTED_CONTEXTS';
/**
* user attribute which contains MFA tokens
*/
public const MFA_TOKENS = 'mfaTokens';
/**
* user attribute which contains boolean whether MFA should be enforced
*/
public const MFA_ENFORCED = 'mfaEnforced';
} }
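Review bot: The docblock on `MFA_ENFORCED` says the attribute "contains boolean", but the only consumer this commit adds (`Utils::isMFAEnforced`) tests it with `!empty()`, so what decides is the presence of a non-empty value rather than a boolean; if attribute values are lists of strings, as elsewhere in SimpleSAMLphp, `['false']` or `['0']` would also enforce MFA. State that in the docblock so deployers only set the attribute when enforcement is intended: `* user attribute whose presence (any non-empty value) means MFA must be enforced for the user; leave it unset otherwise`. The `MFA_TOKENS` docblock could likewise say that each value is either a JSON string or an already-decoded array, which is what `getMFAForUid` and `getActiveMethod` accept.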
...@@ -51,4 +51,8 @@ class Utils ...@@ -51,4 +51,8 @@ class Utils
throw new Exception('authswitcher:SwitchMfaMethods: ' . $variable . ' missing in state attributes'); throw new Exception('authswitcher:SwitchMfaMethods: ' . $variable . ' missing in state attributes');
} }
} }
public static isMFAEnforced($state) {
return !empty($state['Attributes'][AuthSwitcher::MFA_ENFORCED]);
}
} }
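Review bot: The new method header `public static isMFAEnforced($state) {` is missing the `function` keyword, which is a parse error that will stop the whole Utils class from loading and thereby break `SwitchAuth::process()`, which now calls it. Declare it as `public static function isMFAEnforced(array $state): bool` with the opening brace on its own line per PSR-12, and add a short docblock stating that any non-empty value of the `MFA_ENFORCED` attribute counts as enforced (including a string such as 'false' if attribute values are string lists), so the check errs towards requiring MFA. The hunk shows no blank line between the preceding closing brace and the new method; one would match the usual spacing between methods.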