Verified Commit f52389be authored by Pavel Břoušek's avatar Pavel Břoušek

fix: correct behavior for mfa_preferred_privacyidea_fail=true

fix typo in GetMfaTokensPrivacyIDEA, fix logic in SwitchAuth
parent e59d98a4
1 merge request!31Improvements for problematic situations
......@@ -67,7 +67,7 @@ class GetMfaTokensPrivacyIDEA extends \SimpleSAML\Auth\ProcessingFilter
$state[Authswitcher::PRIVACY_IDEA_FAIL] = false;
$state['Attributes'][$this->tokens_attr] = [];
$admin_token = $this->getAdminToken();
if (null === $admin_token) {
if (empty($admin_token)) {
$state[AuthSwitcher::PRIVACY_IDEA_FAIL] = true;
return;
......@@ -134,7 +134,7 @@ class GetMfaTokensPrivacyIDEA extends \SimpleSAML\Auth\ProcessingFilter
return $response['result']['value']['token'];
}
private function getPrivacyIdeaTokensByType($state, $type, $admin_token)
private function getPrivacyIdeaTokensByType(&$state, $type, $admin_token)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $this->connect_timeout);
......
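Review bot: The widened check `if (empty($admin_token))` in the first hunk now also treats `false`, `''` and `'0'` as "no token", which is presumably what a failed `getAdminToken()` call returns, but the fail-closed intent is not stated; a one-line comment such as `// no usable admin token: flag the privacyidea lookup as failed so SwitchAuth can refuse to downgrade to single factor` would make the contract explicit for the reader. If `getAdminToken()` can only ever return a non-empty string or `null`, the narrower `null === $admin_token || '' === $admin_token` is clearer than `empty()`. In the second hunk `getPrivacyIdeaTokensByType` now takes `&$state`, so writes inside it finally reach the caller; its body is outside the hunk, so it is worth confirming that a curl or HTTP failure in there also sets `$state[AuthSwitcher::PRIVACY_IDEA_FAIL] = true`, otherwise an outage after the admin-token step is still silently reported as "no tokens". The method continues past the hunk.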
......@@ -122,22 +122,19 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
self::info('supported requested contexts: ' . json_encode($state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS]));
if (
$this->mfa_preferred_privacyidea_fail && isset($state[AuthSwitcher::PRIVACY_IDEA_FAIL]) &&
$state[AuthSwitcher::PRIVACY_IDEA_FAIL] &&
AuthnContextHelper::isMFAprefered($state[Authswitcher::SUPPORTED_REQUESTED_CONTEXTS]) &&
!AuthnContextHelper::MFAin([$upstreamContext])
) {
throw new Exception(self::DEBUG_PREFIX . 'MFA is preferred but connection to privacyidea failed.');
}
// switch to MFA if enforced or preferred but not already done if we handle the proxy mode
$performMFA = AuthnContextHelper::MFAin($usersCapabilities) && !AuthnContextHelper::MFAin([
$shouldPerformMFA = !AuthnContextHelper::MFAin([
$upstreamContext,
]) && ($this->mfa_enforced || AuthnContextHelper::isMFAprefered(
$state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS]
));
if ($this->mfa_preferred_privacyidea_fail && !empty($state[AuthSwitcher::PRIVACY_IDEA_FAIL]) && $shouldPerformMFA) {
throw new Exception(self::DEBUG_PREFIX . 'MFA should be performed but connection to privacyidea failed.');
}
// switch to MFA if enforced or preferred but not already done if we handle the proxy mode
$performMFA = AuthnContextHelper::MFAin($usersCapabilities) && $shouldPerformMFA;
$maxUserCapability = '';
if (in_array(AuthSwitcher::MFA, $usersCapabilities, true)) {
$maxUserCapability = AuthSwitcher::MFA;
......
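Review bot: The new guard at `if ($this->mfa_preferred_privacyidea_fail && !empty($state[AuthSwitcher::PRIVACY_IDEA_FAIL]) && $shouldPerformMFA)` now fires for the enforced case as well, because `$shouldPerformMFA` includes `$this->mfa_enforced`, so the option name `mfa_preferred_privacyidea_fail` no longer describes its scope and its documentation should say so. Conversely, when that option is false and `mfa_enforced` is true, a privacyidea outage no longer reaches the throw and `$performMFA` is computed from a `$usersCapabilities` that presumably lacks MFA; whether the flow then fails closed depends on code below the hunk, and it is worth confirming that it does not silently continue with a single factor. A comment above the guard would help: `// fail closed: MFA would be required (enforced or preferred) but the token lookup failed, so do not downgrade to single factor`. The enclosing method starts and ends outside the hunk.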