Skip to content

Commit

Permalink
Merge pull request #35 from NetKnights-GmbH/34-catch-the-exceptions
Browse files Browse the repository at this point in the history 
34 catch the exceptions
  • Loading branch information
@nilsbehlen
nilsbehlen authored Feb 13, 2023
2 parents a0e07be + d3c0d7d commit 6b2b2cc
Show file tree
Hide file tree
Showing 5 changed files with 192 additions and 93 deletions.
36 changes: 18 additions & 18 deletions simplesamlphp-module-privacyidea/lib/Auth/Process/PrivacyideaAuthProc.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ public function __construct(array $config, $reserved)
/**
* Run the filter.
*
* @param array $state
* @param $state
* @throws Exception if authentication fails
*/
public function process(&$state)
Expand Down Expand Up @@ -67,7 +67,7 @@ public function process(&$state)
{
$stateId = SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea');
$stateId = $this->checkEntityID($this->authProcConfig, $stateId);
$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea');
$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true);
}

// Check if privacyIDEA is disabled by configuration setting
Expand Down Expand Up @@ -153,7 +153,7 @@ public function process(&$state)
$stateId = $this->enrollToken($stateId, $username);
}

$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea');
$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true);

// This is AuthProcFilter, so step 1 (username+password) is already done. Set the step to 2
$state['privacyidea:privacyidea:ui']['step'] = 2;
Expand All @@ -164,7 +164,7 @@ public function process(&$state)
$stateId = SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea');

$url = SimpleSAML_Module::getModuleURL('privacyidea/FormBuilder.php');
SimpleSAML_Utilities::redirectTrustedURL($url, array('stateId' => $stateId));
SimpleSAML_Utils_HTTP::redirectTrustedURL($url, array('stateId' => $stateId));
}

/**
Expand All @@ -174,12 +174,12 @@ public function process(&$state)
* @return string
* @throws PIBadRequestException
*/
private function enrollToken($stateId, $username)
private function enrollToken(string $stateId, string $username): string
{
assert('string' === gettype($username));
assert('string' === gettype($stateId));

$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea');
$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true);

// Error if no serviceAccount or servicePass
if ($this->pi->serviceAccountAvailable() === false)
Expand Down Expand Up @@ -214,11 +214,11 @@ private function enrollToken($stateId, $username)

/**
* This is the help function to exclude some IP from 2FA. Only if is set in config.
* @param $clientIP
* @param $excludeClientIPs
* @return bool|void
* @param string $clientIP
* @param array $excludeClientIPs
* @return bool
*/
private function matchIP($clientIP, $excludeClientIPs)
private function matchIP(string $clientIP, array $excludeClientIPs): bool
{
assert('string' === gettype($clientIP));
$clientIP = ip2long($clientIP);
Expand Down Expand Up @@ -256,10 +256,10 @@ private function matchIP($clientIP, $excludeClientIPs)
* @param string $stateId
* @return string
*/
private function checkEntityID($authProcConfig, $stateId)
private function checkEntityID(array $authProcConfig, string $stateId): string
{
SimpleSAML_Logger::debug("Checking requesting entity ID for privacyIDEA");
$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea');
$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true);

$excludeEntityIDs = $authProcConfig['excludeEntityIDs'] ?: array();
$includeAttributes = $authProcConfig['includeAttributes'] ?: array();
Expand Down Expand Up @@ -339,7 +339,7 @@ private function checkEntityID($authProcConfig, $stateId)
* @param array $reg_arr
* @return array
*/
private function strMatchesRegArr($str, array $reg_arr)
private function strMatchesRegArr(string $str, array $reg_arr): array
{
$retArr = array();

Expand All @@ -365,7 +365,7 @@ private function strMatchesRegArr($str, array $reg_arr)
* @param array $config The config for the PrivacyIDEA server.
* @return boolean Whether PrivacyIDEA is disabled.
*/
public static function isPrivacyIDEADisabled(array $state, array $config)
public static function isPrivacyIDEADisabled(array $state, array $config): bool
{
if (isset($config['enabledPath']) && isset($config['enabledKey']))
{
Expand All @@ -377,18 +377,18 @@ public static function isPrivacyIDEADisabled(array $state, array $config)

/**
* This function allows to show the debug messages from privacyIDEA server
* @param $message
* @param string $message
*/
public function piDebug($message)
public function piDebug(string $message)
{
SimpleSAML_Logger::debug($message);
}

/**
* This function allows to show the debug messages from privacyIDEA server
* @param $message
* @param string $message
*/
public function piError($message)
public function piError(string $message)
{
SimpleSAML_Logger::error($message);
}
Expand Down
37 changes: 20 additions & 17 deletions simplesamlphp-module-privacyidea/lib/Auth/Source/PrivacyideaAuthSource.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ class sspmod_privacyidea_Auth_Source_PrivacyideaAuthSource extends sspmod_core_A
* Constructor for this authentication source.
* @param array $info Information about this authentication source.
* @param array $config Configuration set in authsources.php
* @throws SimpleSAML_Error_ConfigurationError
*/
public function __construct(array $info, array $config)
{
Expand Down Expand Up @@ -86,7 +87,8 @@ public function __construct(array $info, array $config)
* This function saves the information about the login, and redirects to the login page.
*
* @override
* @param array &$state Information about the current authentication.
* @param &$state
* @throws Exception
*/
public function authenticate(&$state)
{
Expand Down Expand Up @@ -137,7 +139,7 @@ public function authenticate(&$state)
$stateId = SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea');

$url = SimpleSAML_Module::getModuleURL('privacyidea/FormBuilder.php');
SimpleSAML_Utilities::redirectTrustedURL($url, array('stateId' => $stateId));
SimpleSAML_Utils_HTTP::redirectTrustedURL($url, array('stateId' => $stateId));
}

/**
Expand All @@ -146,7 +148,7 @@ public function authenticate(&$state)
* @param string $username The username the user wrote.
* @param string $password The password the user wrote.
*/
protected function login($username, $password)
protected function login(string $username, string $password)
{
// Stub.
SimpleSAML_Logger::debug("privacyIDEA AuthSource login stub");
Expand All @@ -159,12 +161,12 @@ protected function login($username, $password)
* @param array $formParams
* @throws Exception
*/
public static function authSourceLogin($stateId, $formParams)
public static function authSourceLogin(string $stateId, array $formParams)
{
assert('array' === gettype($stateId));
assert('array' === gettype($formParams));

$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea');
$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true);
$step = $state['privacyidea:privacyidea:ui']['step'];

$source = SimpleSAML_Auth_Source::getById($state['privacyidea:privacyidea']["AuthId"]);
Expand Down Expand Up @@ -273,7 +275,7 @@ public static function authSourceLogin($stateId, $formParams)
$stateId = sspmod_privacyidea_Auth_Utils::processPIResponse($stateId, $response);
}

$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea');
$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true);

// Increase steps counter
if (empty($state['privacyidea:privacyidea']['errorMessage']))
Expand All @@ -284,7 +286,7 @@ public static function authSourceLogin($stateId, $formParams)
//SimpleSAML_Logger::error("NEW STEP: " . $state['privacyidea:privacyidea:ui']['step']);
$stateId = SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea');
$url = SimpleSAML_Module::getModuleURL('privacyidea/FormBuilder.php');
SimpleSAML_Utilities::redirectTrustedURL($url, array('stateId' => $stateId));
SimpleSAML_Utils_HTTP::redirectTrustedURL($url, array('stateId' => $stateId));
}

/**
Expand All @@ -295,9 +297,9 @@ public static function authSourceLogin($stateId, $formParams)
*
* @param array $state
* @param PIResponse $piResponse
* @param $authSourceConfig
* @param array $authSourceConfig
*/
public static function checkAuthenticationComplete($state, PIResponse $piResponse, $authSourceConfig)
public static function checkAuthenticationComplete(array $state, PIResponse $piResponse, array $authSourceConfig)
{
$attributes = $piResponse->detailAndAttributes;

Expand Down Expand Up @@ -329,12 +331,12 @@ public static function checkAuthenticationComplete($state, PIResponse $piRespons
/**
* This function merge all attributes and detail which SimpleSAMLphp needs.
*
* @param $userAttributes
* @param $detailAttributes
* @param $authSourceConfig
* @param array $userAttributes
* @param array $detailAttributes
* @param array $authSourceConfig
* @return array
*/
protected static function mergeAttributes($userAttributes, $detailAttributes, $authSourceConfig)
protected static function mergeAttributes(array $userAttributes, array $detailAttributes, array $authSourceConfig): array
{
// Prepare attributes array to return
$attributes = array();
Expand Down Expand Up @@ -398,6 +400,7 @@ protected static function mergeAttributes($userAttributes, $detailAttributes, $a
* the session after performing the standard login.
*
* @param array $state The state after the login has completed.
* @throws Exception
*/
public static function loginCompletedWriteSSO(array $state)
{
Expand Down Expand Up @@ -434,14 +437,14 @@ public static function loginCompletedWriteSSO(array $state)

/**
* Check if url is allowed.
* @param $id
* @param string $stateID
*/
private static function checkIdLegality($id)
private static function checkIdLegality(string $stateID)
{
$sid = SimpleSAML_Utilities::parseStateID($id);
$sid = SimpleSAML_Auth_State::parseStateID($stateID);
if (!is_null($sid['url']))
{
SimpleSAML_Utilities::checkURLAllowed($sid['url']);
SimpleSAML_Utils_HTTP::checkURLAllowed($sid['url']);
}
}
}
24 changes: 15 additions & 9 deletions simplesamlphp-module-privacyidea/lib/Auth/Utils.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -136,7 +136,12 @@ public static function authenticatePI(array &$state, array $formParams)
return $response;
}

public static function handlePrivacyIDEAException($exception, &$state)
/**
* @param $exception
* @param array $state
* @return void
*/
public static function handlePrivacyIDEAException($exception, array &$state)
{
SimpleSAML_Logger::error("Exception: " . $exception->getMessage());
$state['privacyidea:privacyidea']['errorCode'] = $exception->getCode();
Expand All @@ -150,6 +155,7 @@ public static function handlePrivacyIDEAException($exception, &$state)
* that is used can be considered valid.
*
* @return void
* @throws Exception
*/
public static function tryWriteSSO()
{
Expand Down Expand Up @@ -181,17 +187,17 @@ public static function tryWriteSSO()
* module is present, indicating that 2FA was completed before.
* A boolean is returned to indicate if the login/2FA can be skipped.
*
* @param $state
* @param array $state
* @return boolean true if login/2FA can be skipped, false if not
*/
public static function checkForValidSSO($state)
public static function checkForValidSSO(array $state): bool
{
SimpleSAML_Logger::debug("privacyIDEA: checkForValidSSO");

// For SSO to be valid, we check 2 things:
// 1. Valid login of SSP which is not expired
// 2. Completed 2FA with this module
if (is_array($state) && array_key_exists('Expire', $state) && $state['Expire'] > time())
if (array_key_exists('Expire', $state) && $state['Expire'] > time())
{
SimpleSAML_Logger::debug("privacyIDEA: Valid login found. Checking for valid 2FA..");
$session = SimpleSAML_Session::getSessionFromRequest();
Expand Down Expand Up @@ -223,7 +229,7 @@ public static function handleLogout()
* @param array $config
* @return PrivacyIDEA|null privacyIDEA object or null on error
*/
public static function createPrivacyIDEAInstance($config)
public static function createPrivacyIDEAInstance(array $config)
{
if (!empty($config['privacyideaServerURL']))
{
Expand Down Expand Up @@ -277,12 +283,12 @@ public static function createPrivacyIDEAInstance($config)
* @param string $stateId to load the state
* @param mixed $response from privacyIDEA
* @return string stateId of the modified state
* @throws Exception
* @throws Exception|SimpleSAML_Error_Exception
*/
public static function processPIResponse($stateId, PIResponse $response)
public static function processPIResponse(string $stateId, PIResponse $response): string
{
assert('string' === gettype($stateId));
$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea');
$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true);

$config = $state['privacyidea:privacyidea'];
$state['privacyidea:privacyidea:ui']['mode'] = "otp";
Expand Down Expand Up @@ -424,7 +430,7 @@ public static function getClientIP()
* @param array $state The global state to check the keys against
* @return array The updated config
*/
public static function checkUidKey(array $config, array $state)
public static function checkUidKey(array $config, array $state): array
{
assert('array' === gettype($config));
assert('array' === gettype($state));
Expand Down
Loading

0 comments on commit 6b2b2cc

Please sign in to comment.