Pavel Břoušek · 86651c83 · 580e5350 · c7e55a3f · 863dd8e7 · 14990e5a
--- a/lib/Auth/Process/SwitchAuth.php

+ 28

− 16
+++ b/lib/Auth/Process/SwitchAuth.php

+ 28

− 16
 @@ -24,7 +24,7 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter

    private const SETUP_MFA_URL = 'authswitcher/setupMFA.php';

-    public const SETUP_MFA_TPL_URL = 'authswitcher/setup-mfa-tpl.php';
+    public const SETUP_MFA_TPL_URL = 'authswitcher:setup-mfa-tpl.php';

    public const PARAM_MFA_REDIRECT_URL = 'mfa_redirect_url';

 @@ -134,41 +134,33 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter

        $usersCapabilities = $this->getMFAForUid($state);

-        if (
-            $mfaEnforced && empty($state['Attributes'][AuthSwitcher::MFA_TOKENS]) &&
-            !in_array($this->entityID, $this->mfa_excluded_sps) && !empty($this->setup_mfa_redirect_url)
-        ) {
-            $url = Module::getModuleURL(self::SETUP_MFA_URL);
-            $params = [];
-            $params[self::PARAM_MFA_REDIRECT_URL] = $this->setup_mfa_redirect_url;
-            HTTP::redirectTrustedURL($url, $params);
-        }
+        $upstreamContext = $this->proxyMode ? ProxyHelper::fetchContextFromUpstreamIdp($state) : null;

        self::info('user capabilities: ' . json_encode($usersCapabilities));

        self::setErrorHandling($state);

        if ($this->proxyMode) {
-            $upstreamContext = ProxyHelper::fetchContextFromUpstreamIdp($state);
            self::info('upstream context: ' . $upstreamContext);
            ProxyHelper::recoverSPRequestedContexts($state);
-        } else {
-            $upstreamContext = null;
        }

        $this->supported_requested_contexts = $this->authnContextHelper->getSupportedRequestedContexts(
            $usersCapabilities,
            $state,
            $upstreamContext,
-            !$this->check_entropy || $this->checkSfaEntropy($state['Attributes']),
-            $mfaEnforced
+            !$this->check_entropy || $this->checkSfaEntropy($state['Attributes'])
        );

        self::info('supported requested contexts: ' . json_encode($this->supported_requested_contexts));

        $shouldPerformMFA = !$this->authnContextHelper->MFAin([
                $upstreamContext,
-            ]) && ($mfaEnforced || $this->authnContextHelper->isMFAprefered($this->supported_requested_contexts));
+            ]) && (
+                $mfaEnforced
+                || empty($this->supported_requested_contexts)
+                || $this->authnContextHelper->isMFAprefered($this->supported_requested_contexts)
+            );

        if (
            $this->mfa_preferred_privacyidea_fail
 @@ -178,6 +170,26 @@ class SwitchAuth extends \SimpleSAML\Auth\ProcessingFilter
            throw new Exception(self::DEBUG_PREFIX . 'MFA should be performed but connection to privacyidea failed.');
        }

+        if (
+            $shouldPerformMFA
+            && empty($state['Attributes'][AuthSwitcher::MFA_TOKENS])
+            && !empty($this->setup_mfa_redirect_url)
+            && !in_array($this->entityID, $this->mfa_excluded_sps)
+        ) {
+            self::info('user must perform MFA but has no tokens, redirect to setup');
+            $url = Module::getModuleURL(self::SETUP_MFA_URL);
+            $state[self::PARAM_MFA_REDIRECT_URL] = $this->setup_mfa_redirect_url;
+            $stateId = State::saveState($state, 'authswitcher:authswitcher');
+            HTTP::redirectTrustedURL($url, ['stateId' => $stateId]);
+            exit;
+        }
+        if (empty($this->supported_requested_contexts)) {
+            Logger::info(
+                'authswitcher: no requested AuthnContext can be fulfilled: ' . json_encode($requestedContexts)
+            );
+            self::noAuthnContextResponder($state);
+        }
+
        // switch to MFA if enforced or preferred but not already done if we handle the proxy mode
        $performMFA = $this->authnContextHelper->MFAin($usersCapabilities) && $shouldPerformMFA;