Verified Commit f52389be authored by Pavel Břoušek's avatar Pavel Břoušek

fix: correct behavior for mfa_preferred_privacyidea_fail=true

fix typo in GetMfaTokensPrivacyIDEA, fix logic in SwitchAuth
parent e59d98a4
1 merge request!31Improvements for problematic situations
...@@ -67,7 +67,7 @@ class GetMfaTokensPrivacyIDEA extends \SimpleSAML\Auth\ProcessingFilter ...@@ -67,7 +67,7 @@ class GetMfaTokensPrivacyIDEA extends \SimpleSAML\Auth\ProcessingFilter
$state[Authswitcher::PRIVACY_IDEA_FAIL] = false; $state[Authswitcher::PRIVACY_IDEA_FAIL] = false;
$state['Attributes'][$this->tokens_attr] = []; $state['Attributes'][$this->tokens_attr] = [];
$admin_token = $this->getAdminToken(); $admin_token = $this->getAdminToken();
if (null === $admin_token) { if (empty($admin_token)) {
$state[AuthSwitcher::PRIVACY_IDEA_FAIL] = true; $state[AuthSwitcher::PRIVACY_IDEA_FAIL] = true;
return; return;
...@@ -134,7 +134,7 @@ class GetMfaTokensPrivacyIDEA extends \SimpleSAML\Auth\ProcessingFilter ...@@ -134,7 +134,7 @@ class GetMfaTokensPrivacyIDEA extends \SimpleSAML\Auth\ProcessingFilter
return $response['result']['value']['token']; return $response['result']['value']['token'];
} }
private function getPrivacyIdeaTokensByType($state, $type, $admin_token) private function getPrivacyIdeaTokensByType(&$state, $type, $admin_token)
{ {
$ch = curl_init(); $ch = curl_init();
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $this->connect_timeout); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $this->connect_timeout);
......
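Review bot: The class name is still spelled `Authswitcher` on the first line of the hunk (`$state[Authswitcher::PRIVACY_IDEA_FAIL] = false;`) while the new `true` assignment a few lines below uses `AuthSwitcher`. PHP resolves an already-loaded class case-insensitively, but a PSR-4 autoloader looks the file up by the name as written, so if this is the first reference to the class in a request the constant access may fail on a case-sensitive filesystem; spelling it `$state[AuthSwitcher::PRIVACY_IDEA_FAIL] = false;` removes that dependency on load order. The switch to `&$state` in `getPrivacyIdeaTokensByType` presumably exists so the helper can set `PRIVACY_IDEA_FAIL` on a failed request, which is the fail-closed signal SwitchAuth now relies on; the helper's body continues outside the hunk, so I could not confirm every error path sets it. A one-line docblock on the helper naming that contract (`@param array $state set PRIVACY_IDEA_FAIL to true on any privacyIDEA request failure`) would make the coupling explicit.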
...@@ -122,22 +122,19 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter ...@@ -122,22 +122,19 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
self::info('supported requested contexts: ' . json_encode($state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS])); self::info('supported requested contexts: ' . json_encode($state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS]));
if ( $shouldPerformMFA = !AuthnContextHelper::MFAin([
$this->mfa_preferred_privacyidea_fail && isset($state[AuthSwitcher::PRIVACY_IDEA_FAIL]) &&
$state[AuthSwitcher::PRIVACY_IDEA_FAIL] &&
AuthnContextHelper::isMFAprefered($state[Authswitcher::SUPPORTED_REQUESTED_CONTEXTS]) &&
!AuthnContextHelper::MFAin([$upstreamContext])
) {
throw new Exception(self::DEBUG_PREFIX . 'MFA is preferred but connection to privacyidea failed.');
}
// switch to MFA if enforced or preferred but not already done if we handle the proxy mode
$performMFA = AuthnContextHelper::MFAin($usersCapabilities) && !AuthnContextHelper::MFAin([
$upstreamContext, $upstreamContext,
]) && ($this->mfa_enforced || AuthnContextHelper::isMFAprefered( ]) && ($this->mfa_enforced || AuthnContextHelper::isMFAprefered(
$state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS] $state[AuthSwitcher::SUPPORTED_REQUESTED_CONTEXTS]
)); ));
if ($this->mfa_preferred_privacyidea_fail && !empty($state[AuthSwitcher::PRIVACY_IDEA_FAIL]) && $shouldPerformMFA) {
throw new Exception(self::DEBUG_PREFIX . 'MFA should be performed but connection to privacyidea failed.');
}
// switch to MFA if enforced or preferred but not already done if we handle the proxy mode
$performMFA = AuthnContextHelper::MFAin($usersCapabilities) && $shouldPerformMFA;
$maxUserCapability = ''; $maxUserCapability = '';
if (in_array(AuthSwitcher::MFA, $usersCapabilities, true)) { if (in_array(AuthSwitcher::MFA, $usersCapabilities, true)) {
$maxUserCapability = AuthSwitcher::MFA; $maxUserCapability = AuthSwitcher::MFA;
......
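Review bot: The new guard (`if ($this->mfa_preferred_privacyidea_fail && !empty($state[AuthSwitcher::PRIVACY_IDEA_FAIL]) && $shouldPerformMFA)`) fails closed only when the `mfa_preferred_privacyidea_fail` option is set; with it off, a privacyIDEA outage leaves `$performMFA` false on the following assignment and the login continues as single-factor, even when `$this->mfa_enforced` is true, presumably because `$usersCapabilities` is derived from the token list that the upstream filter empties on failure (computed outside this hunk, so I could not confirm). An operator who set `mfa_enforced` would likely not expect an outage to downgrade the session silently, so at minimum the fail-open path should be logged; something like `if (!empty($state[AuthSwitcher::PRIVACY_IDEA_FAIL])) { self::info('privacyidea unreachable; user MFA capability unknown'); }` before the `$performMFA` line gives the SOC a detectable signal. Whether `mfa_enforced` alone should also trigger the exception is a policy question worth a comment on the option, since the new `$shouldPerformMFA` already covers the enforced case when the flag is on. The enclosing method starts and ends outside the hunk.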