diff --git a/tine20/Tinebase/AreaLock.php b/tine20/Tinebase/AreaLock.php
index 560d0110cd7..f882a25d606 100644
--- a/tine20/Tinebase/AreaLock.php
+++ b/tine20/Tinebase/AreaLock.php
@@ -261,6 +261,11 @@ protected function _hasValidAuth(string $area): bool
                 . __LINE__ . ' Config not found for area ' . $area);
             return false;
         }
+
+        if (Tinebase_Auth_MFA::checkMFABypass()) {
+            return true;
+        }
+
         /** @var Tinebase_Model_AreaLockConfig $config */
         foreach($configs as $config) {
             if (!$config->getBackend()->hasValidAuth()) {
@@ -272,13 +277,17 @@ protected function _hasValidAuth(string $area): bool
     }
 
     /**
+     * @param string $area
      * @return array
      */
     protected function _getAuthValidity(string $area): array
     {
+        $bypass = Tinebase_Auth_MFA::checkMFABypass();
         $result = [];
         foreach ($this->getAreaConfigs($area) as $config) {
-            $result[$config->{Tinebase_Model_AreaLockConfig::FLD_AREA_NAME}] = $config->getBackend()->getAuthValidity();
+            $result[$config->{Tinebase_Model_AreaLockConfig::FLD_AREA_NAME}] = $bypass
+                ? Tinebase_DateTime::now()->addYear(1)
+                : $config->getBackend()->getAuthValidity();
         }
         return $result;
     }
diff --git a/tine20/Tinebase/Auth/MFA.php b/tine20/Tinebase/Auth/MFA.php
index d625a075748..b8a6097f4bc 100644
--- a/tine20/Tinebase/Auth/MFA.php
+++ b/tine20/Tinebase/Auth/MFA.php
@@ -9,6 +9,8 @@
  * @author Paul Mehrer
  */
 
+use \IPLib\Factory;
+
 /**
  * SecondFactor Auth Facade
  * 
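Review bot: The added early return makes the netmask bypass apply to every area lock `_hasValidAuth` is asked about, whereas the code it replaces in `Tinebase_Controller::_validateSecondFactor` only skipped the second factor for `AREA_LOGIN`; nothing here narrows it by `$area`, so a client inside a bypass netmask now also satisfies any other lock without ever authenticating against that lock's backend. If that widening is intended it deserves a comment, e.g. `// clients from an MFA-free netmask (Tinebase_Config::MFA_BYPASS_NETMASKS) satisfy every area lock, not only login`; if not, guard it with `if ($area === Tinebase_Model_AreaLockConfig::AREA_LOGIN && Tinebase_Auth_MFA::checkMFABypass())`. Keep in mind that `checkMFABypass()` decides from the `X-Real-IP` request header, so this `return true` is only as trustworthy as the proxy that sets that header. `_hasValidAuth` starts and ends outside the hunk.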
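Review bot: The `$bypass` branch of `_getAuthValidity` reports `Tinebase_DateTime::now()->addYear(1)` for every area, but the bypass is decided per request from the client's `X-Real-IP`, so as soon as the same session is used from outside the netmask the lock is effectively back while the caller still holds a validity one year out. A comment on the ternary should make that explicit: `// bypassed by netmask: report a far-future validity; nothing is persisted, it only holds while requests keep arriving from a bypass network`. The docblock could also say what the array is keyed by, which the hunk shows is the area name: `@return array area name => validity as returned by the backend (or a synthetic far-future date when bypassed)`. I cannot tell from here whether callers compare this value against a persisted expiry or only display it; worth confirming, since the two cases differ in how misleading the synthetic date is.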
@@ -135,6 +137,24 @@ private function __construct(Tinebase_Model_MFA_Config $config)
         $this->_config = $config;
     }
 
+    public static function checkMFABypass(): bool
+    {
+        // mfa free netmasks:
+        if (($_SERVER['HTTP_X_REAL_IP'] ?? false) &&
+            !empty($byPassMasks = Tinebase_Config::getInstance()->{Tinebase_Config::MFA_BYPASS_NETMASKS}) &&
+            ($ip = Factory::parseAddressString($_SERVER['HTTP_X_REAL_IP']))
+        ) {
+            foreach ($byPassMasks as $netmask) {
+                if (Factory::parseRangeString($netmask)?->contains($ip)) {
+                    // bypassing
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
     /**
      * don't clone. Use the singleton.
      */
diff --git a/tine20/Tinebase/Controller.php b/tine20/Tinebase/Controller.php
index 547ed50f524..fbeb505605f 100644
--- a/tine20/Tinebase/Controller.php
+++ b/tine20/Tinebase/Controller.php
@@ -10,7 +10,6 @@
  *
  */
 
-use \IPLib\Factory;
 use \Psr\Http\Message\RequestInterface;
 
 /**
@@ -931,19 +930,11 @@ public function _validateSecondFactor(Tinebase_Model_AccessLog $accessLog, Tineb
         $areaLock = Tinebase_AreaLock::getInstance();
         $userConfigIntersection = new Tinebase_Record_RecordSet(Tinebase_Model_MFA_UserConfig::class);
         if ($areaLock->hasLock(Tinebase_Model_AreaLockConfig::AREA_LOGIN)) {
-            // mfa free netmasks:
-            if (($_SERVER['HTTP_X_REAL_IP'] ?? false) &&
-                !empty($byPassMasks = Tinebase_Config::getInstance()->{Tinebase_Config::MFA_BYPASS_NETMASKS}) &&
-                ($ip = Factory::parseAddressString($_SERVER['HTTP_X_REAL_IP']))) {
-                foreach ($byPassMasks as $netmask) {
-                    if (Factory::parseRangeString($netmask)?->contains($ip)) {
-                        // bypassing
-                        if ($this->_forceUnlockLoginArea) {
-                            $areaLock->forceUnlock(Tinebase_Model_AreaLockConfig::AREA_LOGIN);
-                        }
-                        return;
-                    }
+            if (Tinebase_Auth_MFA::checkMFABypass()) {
+                if ($this->_forceUnlockLoginArea) {
+                    $areaLock->forceUnlock(Tinebase_Model_AreaLockConfig::AREA_LOGIN);
                 }
+                return;
             }
 
             /** @var Tinebase_Model_AreaLockConfig $areaConfig */
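Review bot: `checkMFABypass()` grants the bypass purely on `$_SERVER['HTTP_X_REAL_IP']`, a request header, with no check that the request actually came through a proxy that overwrites it (nothing in the method compares `$_SERVER['REMOTE_ADDR']` against a list of trusted proxies), so on any deployment where the PHP backend is reachable directly, or where the front proxy passes a client-supplied `X-Real-IP` through, an attacker who knows one address inside `MFA_BYPASS_NETMASKS` can send that header and skip MFA, and after this commit not only at login but for every area lock. The commit only moves this logic out of `Tinebase_Controller`, but turning it into a public static helper invites more callers, so the trust assumption should at least be stated in a docblock and ideally enforced with a REMOTE_ADDR check: `/** True when the request's X-Real-IP lies in a configured MFA bypass netmask. Trusts the header unconditionally: only safe behind a reverse proxy that always overwrites X-Real-IP. */`. Two smaller points: a netmask that `Factory::parseRangeString` cannot parse is skipped silently through `?->`, which hides a misconfiguration that quietly narrows the bypass, so it should be logged; and `($_SERVER['HTTP_X_REAL_IP'] ?? false)` is a truthiness test where `isset($_SERVER['HTTP_X_REAL_IP'])` says what is meant, given that `parseAddressString` already returns null for an unparsable value.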
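Review bot: The new early `return` in `_validateSecondFactor` lost the `// mfa free netmasks:` comment together with the inlined check, so the reason for skipping the whole second-factor validation is now only discoverable by reading `Tinebase_Auth_MFA::checkMFABypass()`; restore it on the new `if`, e.g. `// request comes from an MFA-free netmask (see Tinebase_Auth_MFA::checkMFABypass()): skip the second factor`. Since `Tinebase_AreaLock::_hasValidAuth` now consults the same helper, it would also help to note why `forceUnlock` is still needed here when `_forceUnlockLoginArea` is set; the hunk does not show what state that call persists, so I cannot tell whether it is now redundant. `_validateSecondFactor` starts before and continues after the hunk.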