Commit bdb3d5f3 authored by Hahn Axel (hahn)

update mfa client

parent 24712e49
...@@ -3,22 +3,15 @@ ...@@ -3,22 +3,15 @@
* mfa-ensure.php * mfa-ensure.php
* *
* @author Axel Hahn <axel.hahn@unibe> * @author Axel Hahn <axel.hahn@unibe>
* @package IML-Appmonitor
* *
*/ */
if(!($_SERVER['REMOTE_USER']??false)){
return true;
}
$aConfig = @include "mfaconfig.php";
if(!($aConfig['api']??false)){
return true;
}
require_once __DIR__.'/mfaclient.class.php'; require_once __DIR__.'/mfaclient.class.php';
$mfa = new mfaclient($aConfig, ($_SERVER['REMOTE_USER']??'')); $mfa = new mfaclient();
$mfa->debug($aConfig['debug']??false); $mfa->debug($aConfig['debug']??false);
$iHttpStatus=$mfa->ensure(); $iHttpStatus=$mfa->ensure();
// mfa was skipped? Enable this line to see the reason
// echo $mfa->showStatus();
\ No newline at end of file
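Review bot: On the new side `$mfa->debug($aConfig['debug']??false);` still reads `$aConfig`, but the `$aConfig = @include "mfaconfig.php";` line that defined it is removed in this hunk and the constructor is now called as `new mfaclient()`, so the `??` silently yields false and debug output can no longer be switched on from this script. Since the client now loads its own config and the commit adds `getConfig()`, the line should become `$mfa->debug($mfa->getConfig()['debug'] ?? false);`. The early `return true` on a missing `REMOTE_USER` is gone as well, so ensure() now runs for every request and depends on the config's `user` key to decide whether the check is skipped — presumably mfaconfig.php fills that key from REMOTE_USER, which is not visible here. A one-line comment above `new mfaclient()` stating that user and API settings are read from mfaconfig.php would spare the next reader that guess.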
...@@ -24,6 +24,8 @@ class mfaclient ...@@ -24,6 +24,8 @@ class mfaclient
protected bool $bDebug = false; protected bool $bDebug = false;
protected array $aStatus = [];
/** /**
* Intialize mfa client - optional set config and user * Intialize mfa client - optional set config and user
* *
...@@ -31,17 +33,14 @@ class mfaclient ...@@ -31,17 +33,14 @@ class mfaclient
* @see setUser * @see setUser
* *
* @param array $aConfig optional: configuration with app id and base url * @param array $aConfig optional: configuration with app id and base url
* @param string $sUser optional: user id that was logged in
*/ */
public function __construct(array $aConfig = [], string $sUser = "") public function __construct(array $aConfig = [])
{ {
$this->loadConfig(); $this->loadConfig();
if ($aConfig) { if ($aConfig) {
$this->setConfig($aConfig); $this->setConfig($aConfig);
} }
if ($sUser) { $this->setUser($this->aConfig['user']??'');
$this->setUser($sUser);
}
} }
...@@ -235,7 +234,7 @@ class mfaclient ...@@ -235,7 +234,7 @@ class mfaclient
? '' ? ''
: "<script> : "<script>
window.onload = function() { window.onload = function() {
document.getElementById('$sFormId').submit(); // document.getElementById('$sFormId').submit();
} }
</script>" </script>"
) )
...@@ -285,7 +284,6 @@ class mfaclient ...@@ -285,7 +284,6 @@ class mfaclient
if (file_exists($sCfgfile)) { if (file_exists($sCfgfile)) {
$aTmp = include $sCfgfile; $aTmp = include $sCfgfile;
$this->aConfig = $aTmp??[]; $this->aConfig = $aTmp??[];
$this->setUser($aTmp['user']??'');
} }
} }
/** /**
...@@ -374,11 +372,24 @@ class mfaclient ...@@ -374,11 +372,24 @@ class mfaclient
session_start(); session_start();
} }
if (($_SESSION['mfa']['user'] ?? '') == $this->sUser) { if (($_SESSION['mfa']['user'] ?? '') == $this->sUser) {
$this->aStatus[] = 'User still has a valid session after solving a challenge.';
return 200; return 200;
} else { } else {
$this->logout(); $this->logout();
} }
foreach(['api', 'appid', 'shared_secret', 'user'] as $sKey){
if(!isset($this->aConfig[$sKey])){
$this->aStatus[] = "Skip: Key '$sKey' was not set in config.";
return 200;
}
if(!$this->aConfig[$sKey]){
$this->aStatus[] = "Skip: Key '$sKey' is empty in config.";
return 200;
}
}
$aMfaReturn = $this->check(); $aMfaReturn = $this->check();
$this->_wd(__METHOD__ . "<br>Http request to mfa api<pre>" . print_r($aMfaReturn, 1) . "</pre>"); $this->_wd(__METHOD__ . "<br>Http request to mfa api<pre>" . print_r($aMfaReturn, 1) . "</pre>");
$aBody = json_decode($aMfaReturn['response']['body'] ?? '', 1); $aBody = json_decode($aMfaReturn['response']['body'] ?? '', 1);
...@@ -405,6 +416,8 @@ class mfaclient ...@@ -405,6 +416,8 @@ class mfaclient
); );
} }
$this->aStatus[] = 'User solved the session now.';
$_SESSION['mfa']['user'] = $this->sUser; $_SESSION['mfa']['user'] = $this->sUser;
session_write_close(); session_write_close();
...@@ -477,6 +490,24 @@ class mfaclient ...@@ -477,6 +490,24 @@ class mfaclient
return $ipaddress; return $ipaddress;
} }
/**
* return current config
* @return array
*/
public function getConfig(): array
{
return $this->aConfig;
}
/**
* return current status
* @return array
*/
public function getStatus(): array
{
return $this->aStatus;
}
/** /**
* get list of urls from MFA server * get list of urls from MFA server
* *
...@@ -487,5 +518,16 @@ class mfaclient ...@@ -487,5 +518,16 @@ class mfaclient
return $this->_api("urls"); return $this->_api("urls");
} }
/**
* show current status if you want to find out why mfa was skipped
* @example <code>echo $mfa->showStatus();</code>
* @return string
*/
public function showStatus(): string
{
return 'MFA status: <ul><li>'
. implode('</li><li>', $this->aStatus)
.'</li></ul>'
;
}
} }
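Review bot: In ensure(), the new config-completeness loop `foreach(['api', 'appid', 'shared_secret', 'user'] as $sKey)` runs only after the session comparison `($_SESSION['mfa']['user'] ?? '') == $this->sUser`, so when the config has no `user` key (sUser is '') and no MFA session exists, `'' == ''` holds and the method returns 200 with the new status 'User still has a valid session after solving a challenge.' instead of the intended 'Skip: Key ...' entry; moving the loop above the session check fixes that. Every branch of that loop also returns 200, the same code as a solved challenge, so a deployment that lacks `shared_secret` silently runs without MFA and the only trace is the in-memory `aStatus` that a caller must print explicitly; an `error_log()` call beside each `$this->aStatus[] = "Skip: ..."` line would make such a misconfiguration visible in server logs. The `==` in the session comparison predates this commit; `===` is the safe form there. ensure() starts and ends outside the hunk.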