diff --git a/simplesamlphp-module-privacyidea/lib/Auth/Process/PrivacyideaAuthProc.php b/simplesamlphp-module-privacyidea/lib/Auth/Process/PrivacyideaAuthProc.php index 58e6bab..28ebbcd 100644 --- a/simplesamlphp-module-privacyidea/lib/Auth/Process/PrivacyideaAuthProc.php +++ b/simplesamlphp-module-privacyidea/lib/Auth/Process/PrivacyideaAuthProc.php @@ -37,7 +37,7 @@ public function __construct(array $config, $reserved) /** * Run the filter. * - * @param array $state + * @param $state * @throws Exception if authentication fails */ public function process(&$state) @@ -67,7 +67,7 @@ public function process(&$state) { $stateId = SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea'); $stateId = $this->checkEntityID($this->authProcConfig, $stateId); - $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea'); + $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true); } // Check if privacyIDEA is disabled by configuration setting @@ -153,7 +153,7 @@ public function process(&$state) $stateId = $this->enrollToken($stateId, $username); } - $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea'); + $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true); // This is AuthProcFilter, so step 1 (username+password) is already done. Set the step to 2 $state['privacyidea:privacyidea:ui']['step'] = 2; @@ -164,7 +164,7 @@ public function process(&$state) $stateId = SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea'); $url = SimpleSAML_Module::getModuleURL('privacyidea/FormBuilder.php'); - SimpleSAML_Utilities::redirectTrustedURL($url, array('stateId' => $stateId)); + SimpleSAML_Utils_HTTP::redirectTrustedURL($url, array('stateId' => $stateId)); } /** @@ -174,12 +174,12 @@ public function process(&$state) * @return string * @throws PIBadRequestException */ - private function enrollToken($stateId, $username) + private function enrollToken(string $stateId, string $username): string { assert('string' === gettype($username)); assert('string' === gettype($stateId)); - $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea'); + $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true); // Error if no serviceAccount or servicePass if ($this->pi->serviceAccountAvailable() === false) @@ -214,11 +214,11 @@ private function enrollToken($stateId, $username) /** * This is the help function to exclude some IP from 2FA. Only if is set in config. - * @param $clientIP - * @param $excludeClientIPs - * @return bool|void + * @param string $clientIP + * @param array $excludeClientIPs + * @return bool */ - private function matchIP($clientIP, $excludeClientIPs) + private function matchIP(string $clientIP, array $excludeClientIPs): bool { assert('string' === gettype($clientIP)); $clientIP = ip2long($clientIP); @@ -256,10 +256,10 @@ private function matchIP($clientIP, $excludeClientIPs) * @param string $stateId * @return string */ - private function checkEntityID($authProcConfig, $stateId) + private function checkEntityID(array $authProcConfig, string $stateId): string { SimpleSAML_Logger::debug("Checking requesting entity ID for privacyIDEA"); - $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea'); + $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true); $excludeEntityIDs = $authProcConfig['excludeEntityIDs'] ?: array(); $includeAttributes = $authProcConfig['includeAttributes'] ?: array(); @@ -339,7 +339,7 @@ private function checkEntityID($authProcConfig, $stateId) * @param array $reg_arr * @return array */ - private function strMatchesRegArr($str, array $reg_arr) + private function strMatchesRegArr(string $str, array $reg_arr): array { $retArr = array(); @@ -365,7 +365,7 @@ private function strMatchesRegArr($str, array $reg_arr) * @param array $config The config for the PrivacyIDEA server. * @return boolean Whether PrivacyIDEA is disabled. */ - public static function isPrivacyIDEADisabled(array $state, array $config) + public static function isPrivacyIDEADisabled(array $state, array $config): bool { if (isset($config['enabledPath']) && isset($config['enabledKey'])) { @@ -377,18 +377,18 @@ public static function isPrivacyIDEADisabled(array $state, array $config) /** * This function allows to show the debug messages from privacyIDEA server - * @param $message + * @param string $message */ - public function piDebug($message) + public function piDebug(string $message) { SimpleSAML_Logger::debug($message); } /** * This function allows to show the debug messages from privacyIDEA server - * @param $message + * @param string $message */ - public function piError($message) + public function piError(string $message) { SimpleSAML_Logger::error($message); } diff --git a/simplesamlphp-module-privacyidea/lib/Auth/Source/PrivacyideaAuthSource.php b/simplesamlphp-module-privacyidea/lib/Auth/Source/PrivacyideaAuthSource.php index ac22c6b..3ee9cb1 100644 --- a/simplesamlphp-module-privacyidea/lib/Auth/Source/PrivacyideaAuthSource.php +++ b/simplesamlphp-module-privacyidea/lib/Auth/Source/PrivacyideaAuthSource.php @@ -52,6 +52,7 @@ class sspmod_privacyidea_Auth_Source_PrivacyideaAuthSource extends sspmod_core_A * Constructor for this authentication source. * @param array $info Information about this authentication source. * @param array $config Configuration set in authsources.php + * @throws SimpleSAML_Error_ConfigurationError */ public function __construct(array $info, array $config) { @@ -86,7 +87,8 @@ public function __construct(array $info, array $config) * This function saves the information about the login, and redirects to the login page. * * @override - * @param array &$state Information about the current authentication. + * @param &$state + * @throws Exception */ public function authenticate(&$state) { @@ -137,7 +139,7 @@ public function authenticate(&$state) $stateId = SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea'); $url = SimpleSAML_Module::getModuleURL('privacyidea/FormBuilder.php'); - SimpleSAML_Utilities::redirectTrustedURL($url, array('stateId' => $stateId)); + SimpleSAML_Utils_HTTP::redirectTrustedURL($url, array('stateId' => $stateId)); } /** @@ -146,7 +148,7 @@ public function authenticate(&$state) * @param string $username The username the user wrote. * @param string $password The password the user wrote. */ - protected function login($username, $password) + protected function login(string $username, string $password) { // Stub. SimpleSAML_Logger::debug("privacyIDEA AuthSource login stub"); @@ -159,12 +161,12 @@ protected function login($username, $password) * @param array $formParams * @throws Exception */ - public static function authSourceLogin($stateId, $formParams) + public static function authSourceLogin(string $stateId, array $formParams) { assert('array' === gettype($stateId)); assert('array' === gettype($formParams)); - $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea'); + $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true); $step = $state['privacyidea:privacyidea:ui']['step']; $source = SimpleSAML_Auth_Source::getById($state['privacyidea:privacyidea']["AuthId"]); @@ -273,7 +275,7 @@ public static function authSourceLogin($stateId, $formParams) $stateId = sspmod_privacyidea_Auth_Utils::processPIResponse($stateId, $response); } - $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea'); + $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true); // Increase steps counter if (empty($state['privacyidea:privacyidea']['errorMessage'])) @@ -284,7 +286,7 @@ public static function authSourceLogin($stateId, $formParams) //SimpleSAML_Logger::error("NEW STEP: " . $state['privacyidea:privacyidea:ui']['step']); $stateId = SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea'); $url = SimpleSAML_Module::getModuleURL('privacyidea/FormBuilder.php'); - SimpleSAML_Utilities::redirectTrustedURL($url, array('stateId' => $stateId)); + SimpleSAML_Utils_HTTP::redirectTrustedURL($url, array('stateId' => $stateId)); } /** @@ -295,9 +297,9 @@ public static function authSourceLogin($stateId, $formParams) * * @param array $state * @param PIResponse $piResponse - * @param $authSourceConfig + * @param array $authSourceConfig */ - public static function checkAuthenticationComplete($state, PIResponse $piResponse, $authSourceConfig) + public static function checkAuthenticationComplete(array $state, PIResponse $piResponse, array $authSourceConfig) { $attributes = $piResponse->detailAndAttributes; @@ -329,12 +331,12 @@ public static function checkAuthenticationComplete($state, PIResponse $piRespons /** * This function merge all attributes and detail which SimpleSAMLphp needs. * - * @param $userAttributes - * @param $detailAttributes - * @param $authSourceConfig + * @param array $userAttributes + * @param array $detailAttributes + * @param array $authSourceConfig * @return array */ - protected static function mergeAttributes($userAttributes, $detailAttributes, $authSourceConfig) + protected static function mergeAttributes(array $userAttributes, array $detailAttributes, array $authSourceConfig): array { // Prepare attributes array to return $attributes = array(); @@ -398,6 +400,7 @@ protected static function mergeAttributes($userAttributes, $detailAttributes, $a * the session after performing the standard login. * * @param array $state The state after the login has completed. + * @throws Exception */ public static function loginCompletedWriteSSO(array $state) { @@ -434,14 +437,14 @@ public static function loginCompletedWriteSSO(array $state) /** * Check if url is allowed. - * @param $id + * @param string $stateID */ - private static function checkIdLegality($id) + private static function checkIdLegality(string $stateID) { - $sid = SimpleSAML_Utilities::parseStateID($id); + $sid = SimpleSAML_Auth_State::parseStateID($stateID); if (!is_null($sid['url'])) { - SimpleSAML_Utilities::checkURLAllowed($sid['url']); + SimpleSAML_Utils_HTTP::checkURLAllowed($sid['url']); } } } diff --git a/simplesamlphp-module-privacyidea/lib/Auth/Utils.php b/simplesamlphp-module-privacyidea/lib/Auth/Utils.php index 7ba3c5f..2655266 100644 --- a/simplesamlphp-module-privacyidea/lib/Auth/Utils.php +++ b/simplesamlphp-module-privacyidea/lib/Auth/Utils.php @@ -136,7 +136,12 @@ public static function authenticatePI(array &$state, array $formParams) return $response; } - public static function handlePrivacyIDEAException($exception, &$state) + /** + * @param $exception + * @param array $state + * @return void + */ + public static function handlePrivacyIDEAException($exception, array &$state) { SimpleSAML_Logger::error("Exception: " . $exception->getMessage()); $state['privacyidea:privacyidea']['errorCode'] = $exception->getCode(); @@ -150,6 +155,7 @@ public static function handlePrivacyIDEAException($exception, &$state) * that is used can be considered valid. * * @return void + * @throws Exception */ public static function tryWriteSSO() { @@ -181,17 +187,17 @@ public static function tryWriteSSO() * module is present, indicating that 2FA was completed before. * A boolean is returned to indicate if the login/2FA can be skipped. * - * @param $state + * @param array $state * @return boolean true if login/2FA can be skipped, false if not */ - public static function checkForValidSSO($state) + public static function checkForValidSSO(array $state): bool { SimpleSAML_Logger::debug("privacyIDEA: checkForValidSSO"); // For SSO to be valid, we check 2 things: // 1. Valid login of SSP which is not expired // 2. Completed 2FA with this module - if (is_array($state) && array_key_exists('Expire', $state) && $state['Expire'] > time()) + if (array_key_exists('Expire', $state) && $state['Expire'] > time()) { SimpleSAML_Logger::debug("privacyIDEA: Valid login found. Checking for valid 2FA.."); $session = SimpleSAML_Session::getSessionFromRequest(); @@ -223,7 +229,7 @@ public static function handleLogout() * @param array $config * @return PrivacyIDEA|null privacyIDEA object or null on error */ - public static function createPrivacyIDEAInstance($config) + public static function createPrivacyIDEAInstance(array $config) { if (!empty($config['privacyideaServerURL'])) { @@ -277,12 +283,12 @@ public static function createPrivacyIDEAInstance($config) * @param string $stateId to load the state * @param mixed $response from privacyIDEA * @return string stateId of the modified state - * @throws Exception + * @throws Exception|SimpleSAML_Error_Exception */ - public static function processPIResponse($stateId, PIResponse $response) + public static function processPIResponse(string $stateId, PIResponse $response): string { assert('string' === gettype($stateId)); - $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea'); + $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true); $config = $state['privacyidea:privacyidea']; $state['privacyidea:privacyidea:ui']['mode'] = "otp"; @@ -424,7 +430,7 @@ public static function getClientIP() * @param array $state The global state to check the keys against * @return array The updated config */ - public static function checkUidKey(array $config, array $state) + public static function checkUidKey(array $config, array $state): array { assert('array' === gettype($config)); assert('array' === gettype($state)); diff --git a/simplesamlphp-module-privacyidea/www/FormBuilder.php b/simplesamlphp-module-privacyidea/www/FormBuilder.php index 312628e..f1e35cb 100644 --- a/simplesamlphp-module-privacyidea/www/FormBuilder.php +++ b/simplesamlphp-module-privacyidea/www/FormBuilder.php @@ -1,14 +1,22 @@ getMessage()); + throw $e; } -$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea'); // Find the username if (isset($state['privacyidea:privacyidea']['uidKey'])) @@ -30,7 +38,15 @@ } // Prepare the form to show -$tpl = new SimpleSAML_XHTML_Template(SimpleSAML_Configuration::getInstance(), 'privacyidea:LoginForm.php'); +try +{ + $tpl = new SimpleSAML_XHTML_Template(SimpleSAML_Configuration::getInstance(), 'privacyidea:LoginForm.php'); +} +catch (Exception $e) +{ + SimpleSAML_Logger::error("Unable to prepare the login form. " . $e->getMessage()); + throw $e; +} // Prepare error to show in UI $tpl->data['errorCode'] = null; @@ -73,32 +89,38 @@ elseif ($state['privacyidea:privacyidea']['authenticationMethod'] === "authsource") { // AuthSource - $source = SimpleSAML_Auth_Source::getById($state["privacyidea:privacyidea"]["AuthId"]); - - if ($source == NULL) + try { - SimpleSAML_Logger::error("Could not find authentication source with ID: " . $state["privacyidea:privacyidea"]["AuthId"]); + $source = SimpleSAML_Auth_Source::getById($state["privacyidea:privacyidea"]["AuthId"]); + $tpl->data['username'] = $username; + if (method_exists($source, "isRememberMeEnabled")) + { + $tpl->data['rememberMeEnabled'] = $source->isRememberMeEnabled(); + } + if (method_exists($source, "isRememberMeChecked")) + { + $tpl->data['rememberMeChecked'] = $source->isRememberMeChecked(); + } + if (method_exists($source, "getLoginLinks")) + { + $tpl->data['links'] = $source->getLoginLinks(); + } + if (array_key_exists('forcedUsername', $state)) + { + $tpl->data['forceUsername'] = true; + $tpl->data['rememberUsernameEnabled'] = false; + $tpl->data['rememberUsernameChecked'] = false; + } + else + { + $tpl->data['forceUsername'] = false; + } + $tpl->data['SPMetadata'] = $state['SPMetadata']; } - - $tpl->data['username'] = $username; - $tpl->data['rememberMeEnabled'] = $source->isRememberMeEnabled(); - $tpl->data['rememberMeChecked'] = $source->isRememberMeChecked(); - $tpl->data['links'] = $source->getLoginLinks(); - - if (array_key_exists('forcedUsername', $state)) + catch (SimpleSAML_Error_Exception $e) { - $tpl->data['forceUsername'] = true; - $tpl->data['rememberUsernameEnabled'] = false; - $tpl->data['rememberUsernameChecked'] = false; + SimpleSAML_Logger::error("Could not find authentication source with ID: " . $state["privacyidea:privacyidea"]["AuthId"] . $e->getMessage()); } - else - { - $tpl->data['forceUsername'] = false; - $tpl->data['rememberUsernameEnabled'] = $source->getRememberUsernameEnabled(); - $tpl->data['rememberUsernameChecked'] = $source->getRememberUsernameChecked(); - } - - $tpl->data['SPMetadata'] = @$state['SPMetadata']; } // Get all the ui data placed in state and set it to $tpl->data for future use in LoginForm.php @@ -126,5 +148,12 @@ $tpl->data['LogoutURL'] = SimpleSAML_Module::getModuleURL('core/authenticate.php', array('as' => $state['Source']['auth'])) . "&logout"; } -SimpleSAML_Session::getSessionFromRequest()->setData("privacyidea:privacyidea", "stateId", $stateId); +try +{ + SimpleSAML_Session::getSessionFromRequest()->setData("privacyidea:privacyidea", "stateId", $stateId); +} +catch (Exception $e) +{ + SimpleSAML_Logger::error("No access to request session. " . $e->getMessage()); +} $tpl->show(); \ No newline at end of file diff --git a/simplesamlphp-module-privacyidea/www/FormReceiver.php b/simplesamlphp-module-privacyidea/www/FormReceiver.php index 2da0aed..9f25d14 100644 --- a/simplesamlphp-module-privacyidea/www/FormReceiver.php +++ b/simplesamlphp-module-privacyidea/www/FormReceiver.php @@ -1,12 +1,38 @@ getData("privacyidea:privacyidea", "stateId"); -SimpleSAML_Session::getSessionFromRequest()->deleteData("privacyidea:privacyidea", "stateId"); -if (empty($stateId)) + +try +{ + $stateId = SimpleSAML_Session::getSessionFromRequest()->getData("privacyidea:privacyidea", "stateId"); +} +catch (Exception $e) +{ + SimpleSAML_Logger::error("Unable to reach the state ID from session. " . $e->getMessage()); + throw $e; +} +try +{ + SimpleSAML_Session::getSessionFromRequest()->deleteData("privacyidea:privacyidea", "stateId"); +} +catch (Exception $e) +{ + SimpleSAML_Logger::error("Unable to delete the old state ID. " . $e->getMessage()); + throw $e; +} + +try +{ + $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea', true); +} +catch (SimpleSAML_Error_NoState $e) { - SimpleSAML_Logger::error("stateId empty in FormReceiver."); - throw new Exception("State information lost!"); + SimpleSAML_Logger::error("Lost state data. " . $e->getMessage()); + throw $e; +} +catch (Exception $e) +{ + SimpleSAML_Logger::error("Unable to load the state. " . $e->getMessage()); + throw $e; } -$state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea'); // Find the username if (array_key_exists('username', $_REQUEST)) @@ -66,7 +92,7 @@ $stateId = sspmod_privacyidea_Auth_Utils::processPIResponse($stateId, $response); } $url = SimpleSAML_Module::getModuleURL('privacyidea/FormBuilder.php'); - SimpleSAML_Utilities::redirectTrustedURL($url, array('stateId' => $stateId)); + SimpleSAML_Utils_HTTP::redirectTrustedURL($url, array('stateId' => $stateId)); } catch (Exception $e) { @@ -76,36 +102,71 @@ else { // Auth Source - $source = SimpleSAML_Auth_Source::getById($state["privacyidea:privacyidea"]["AuthId"]); - if ($source->getRememberUsernameEnabled()) + try + { + $source = SimpleSAML_Auth_Source::getById($state["privacyidea:privacyidea"]["AuthId"]); + } + catch (SimpleSAML_Error_Exception $e) { - $sessionHandler = SimpleSAML_SessionHandler::getSessionHandler(); - $params = $sessionHandler->getCookieParams(); + SimpleSAML_Logger::error("Unable to load the authsource. SimpleSAML Exception: " . $e->getMessage()); + throw $e; + } - $params['expire'] = time(); - $params['expire'] += (isset($_REQUEST['rememberUsername']) && $_REQUEST['rememberUsername'] === 'Yes' ? 31536000 : -300); - SimpleSAML_Utilities::setCookie($source->getAuthId() . '-username', $username, $params, FALSE); + if (method_exists($source, "getRememberUsernameEnabled") && $source->getRememberUsernameEnabled()) + { + try + { + $sessionHandler = SimpleSAML_SessionHandler::getSessionHandler(); + $params = $sessionHandler->getCookieParams(); + $params['expire'] = time(); + $params['expire'] += (isset($_REQUEST['rememberUsername']) && $_REQUEST['rememberUsername'] === 'Yes' ? 31536000 : -300); + try + { + SimpleSAML_Utils_HTTP::setCookie($source->getAuthId() . '-username', $username, $params, FALSE); + } + catch (SimpleSAML_Error_CannotSetCookie $e) + { + SimpleSAML_Logger::error("Unable to save the username in a cookie. " . $e->getMessage()); + } + } + catch (Exception $e) + { + SimpleSAML_Logger::error("Unable to reach the simpleSAML Session Handler. Cannot to save the username. " . $e->getMessage()); + } } - if ($source->isRememberMeEnabled()) + if (method_exists($source, "isRememberMeEnabled") && $source->isRememberMeEnabled()) { if (array_key_exists('rememberMe', $_REQUEST) && $_REQUEST['rememberMe'] === 'Yes') { $state['RememberMe'] = TRUE; - $stateId = SimpleSAML_Auth_State::saveState($state, sspmod_core_Auth_UserPassBase::STAGEID); } } + $stateID = SimpleSAML_Auth_State::saveState($state, sspmod_core_Auth_UserPassBase::STAGEID); + try { - sspmod_privacyidea_Auth_Source_PrivacyideaAuthSource::authSourceLogin($stateId, $formParams); + sspmod_privacyidea_Auth_Source_PrivacyideaAuthSource::authSourceLogin($stateID, $formParams); } catch (Exception $e) { SimpleSAML_Logger::error($e->getMessage()); - $state = SimpleSAML_Auth_State::loadState($stateId, 'privacyidea:privacyidea'); - $state['privacyidea:privacyidea']['errorCode'] = $e->getCode(); - $state['privacyidea:privacyidea']['errorMessage'] = $e->getMessage(); - $stateId = SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea'); + + try + { + $state = SimpleSAML_Auth_State::loadState($stateID, 'privacyidea:privacyidea', true); + $state['privacyidea:privacyidea']['errorCode'] = $e->getCode(); + $state['privacyidea:privacyidea']['errorMessage'] = $e->getMessage(); + $stateID = SimpleSAML_Auth_State::saveState($state, 'privacyidea:privacyidea'); + } + catch (SimpleSAML_Error_NoState $e) + { + SimpleSAML_Logger::error($e->getMessage()); + } + catch (Exception $e) + { + SimpleSAML_Logger::error($e->getMessage()); + } } }