feat: 🎸 Added RestoreAcrs authproc filter, modify ACRs when MFA

Dominik Frantisek Bucik · Dominik Frantisek Bucik · commit ebafb059323b · 2022-01-12T08:26:47.000+01:00
diff --git a/lib/Auth/Process/RestoreAcrs.php b/lib/Auth/Process/RestoreAcrs.php
@@ -0,0 +1,79 @@
+<?php
+
+declare(strict_types=1);
+
+namespace SimpleSAML\Module\perun\Auth\Process;
+
+use SimpleSAML\Auth\ProcessingFilter;
+use SimpleSAML\Logger;
+use SimpleSAML\Module\perun\Disco;
+
+/**
+ * Auth proc filter, which should be used if Proxy provides MFA, and wants to first pass the request to the upstream
+ * IdP. The Perun Disco page, tries to add new ACRs to the request, if MFA has been requested, to prevent the IdP from
+ * failing. As a result, we then get modified requested ACRs, which should be restored to the previous (original) state
+ * using this authproc filter. It should be run on one of the first places of the IdP authproc chain.
+ */
+class RestoreAcrs extends ProcessingFilter
+{
+    public const CONFIG_FILE_NAME = 'module_perun.php';
+
+    private const DEBUG_PREFIX = 'perun:RestoreAcrs';
+
+    public function __construct($config, $reserved)
+    {
+        parent::__construct($config, $reserved);
+    }
+
+    public function process(&$request)
+    {
+        $this->restoreAcrs($request);
+    }
+
+    public static function storeAcrs(array &$state, array $acrsToAdd)
+    {
+        if (!empty($acrsToAdd)
+            && !empty($state[Disco::SAML_REQUESTED_AUTHN_CONTEXT][Disco::STATE_AUTHN_CONTEXT_CLASS_REF])
+            && sizeof($state[Disco::SAML_REQUESTED_AUTHN_CONTEXT][Disco::STATE_AUTHN_CONTEXT_CLASS_REF]) <= 1
+            && in_array(
+                Disco::MFA_PROFILE,
+                $state[Disco::SAML_REQUESTED_AUTHN_CONTEXT][Disco::STATE_AUTHN_CONTEXT_CLASS_REF],
+                true
+            )
+        ) {
+            Logger::debug(
+                self::DEBUG_PREFIX . ': Modifying ACRs list to pass regular authentication to the IdP to fallback to proxy MFA'
+            );
+            $original = [];
+            $new = [];
+            foreach ($state[Disco::SAML_REQUESTED_AUTHN_CONTEXT][Disco::STATE_AUTHN_CONTEXT_CLASS_REF] as $acr) {
+                $original[] = $acr;
+                $new[] = $acr;
+            }
+            foreach ($acrsToAdd as $acr) {
+                $new[] = $acr;
+            }
+            $new = array_unique($new);
+
+            unset($state[Disco::SAML_REQUESTED_AUTHN_CONTEXT][Disco::STATE_AUTHN_CONTEXT_CLASS_REF]);
+            if (isset($state[Disco::SAML_REQUESTED_AUTHN_CONTEXT_ORIGINAL])) {
+                unset($state[Disco::SAML_REQUESTED_AUTHN_CONTEXT_ORIGINAL]);
+            }
+            Logger::debug(self::DEBUG_PREFIX . ': original ACRs: ' . join(',', $original));
+            $state[Disco::SAML_REQUESTED_AUTHN_CONTEXT_ORIGINAL] = $original;
+            Logger::debug(self::DEBUG_PREFIX . ': ACRs after modification: ' . join(',', $new));
+            $state[Disco::SAML_REQUESTED_AUTHN_CONTEXT][Disco::STATE_AUTHN_CONTEXT_CLASS_REF] = $new;
+        }
+    }
+
+    private function restoreAcrs(&$request)
+    {
+        if (!empty($request[Disco::SAML_REQUESTED_AUTHN_CONTEXT_ORIGINAL])) {
+            unset($request[Disco::SAML_REQUESTED_AUTHN_CONTEXT][Disco::STATE_AUTHN_CONTEXT_CLASS_REF]);
+            $handle = &$request[Disco::SAML_REQUESTED_AUTHN_CONTEXT][Disco::STATE_AUTHN_CONTEXT_CLASS_REF];
+            $handle = $request[Disco::SAML_REQUESTED_AUTHN_CONTEXT_ORIGINAL];
+            unset($request[Disco::SAML_REQUESTED_AUTHN_CONTEXT_ORIGINAL]);
+            Logger::debug(self::DEBUG_PREFIX . ': ACRS restored: ' . join(',', $handle));
+        }
+    }
+}
diff --git a/lib/Disco.php b/lib/Disco.php
@@ -30,6 +30,8 @@ class Disco extends PowerIdPDisco
 
     public const DEFAULT_THEME = 'perun';
 
+    public const MFA_PROFILE = 'https://refeds.org/profile/mfa';
+
     // ROOT CONFIGURATION ENTRY
     public const WAYF = 'wayf_config';
 
@@ -48,6 +50,8 @@ class Disco extends PowerIdPDisco
 
     public const DISPLAY_SP = 'display_sp_name';
 
+    public const ADD_AUTHN_CONTEXT_CLASSES_FOR_MFA = 'add_authn_context_classes_for_mfa';
+
     // CONFIGURATION ENTRIES IDP BLOCKS
     public const IDP_BLOCKS = 'idp_blocks_config';
 
@@ -123,6 +127,8 @@ class Disco extends PowerIdPDisco
 
     public const SAML_REQUESTED_AUTHN_CONTEXT = 'saml:RequestedAuthnContext';
 
+    public const SAML_REQUESTED_AUTHN_CONTEXT_ORIGINAL = 'saml:RequestedAuthnContext:original';
+
     public const STATE_AUTHN_CONTEXT_CLASS_REF = 'AuthnContextClassRef';
 
     public const SAML_SP_SSO = 'saml:sp:sso';
@@ -186,6 +192,7 @@ public function __construct(array $metadataSets, $instance)
                     $this->originalAuthnContextClassRef = $state[self::SAML_REQUESTED_AUTHN_CONTEXT][self::AUTHN_CONTEXT_CLASS_REF];
 
                     $this->removeAuthContextClassRefWithPrefixes($state);
+                    $this->prepareAcrsForMfa($state);
                     if (isset($state['IdPMetadata']['entityid'])) {
                         $this->proxyIdpEntityId = $state['IdPMetadata']['entityid'];
                     }
@@ -980,4 +987,10 @@ private function fillSpNameForSaml($t)
             $this->spName = $t->translate->getTranslation($this->originalsp[self::NAME]);
         }
     }
+
+    private function prepareAcrsForMfa(array &$state)
+    {
+        $contextsToAdd = $this->wayfConfiguration->getArray(self::ADD_AUTHN_CONTEXT_CLASSES_FOR_MFA, []);
+        Module\perun\Auth\Process\RestoreAcrs::storeAcrs($state, $contextsToAdd);
+    }
 }
