feat(core): skip MFA for internal components

* skip the MFA check when refreshing authz roles of service component principals (defined in perun.properties).
CESNET · Jul 26, 2023 · 259e284 · 259e284
1 parent c446b0d
commit 259e284
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/perun-core/src/main/java/cz/metacentrum/perun/core/blImpl/AuthzResolverBlImpl.java b/perun-core/src/main/java/cz/metacentrum/perun/core/blImpl/AuthzResolverBlImpl.java
@@ -362,6 +362,7 @@ public static boolean hasMFASkippableRole(PerunSession sess) throws RoleManageme
 		List<String> perunAdmins = new ArrayList<>(BeansUtils.getCoreConfig().getAdmins());
 		perunAdmins.addAll(BeansUtils.getCoreConfig().getRegistrarPrincipals());
 		if (perunAdmins.contains(sess.getPerunPrincipal().getActor())) {
+			log.debug("skipped MFA policy check for {}", sess.getPerunPrincipal().getActor());
 			return true;
 		}
 
@@ -2593,7 +2594,11 @@ public static synchronized void refreshAuthz(PerunSession sess) {
 			}
 		}
 
-		checkMfaForHavingRole(sess, sess.getPerunPrincipal().getRoles());
+		if (!serviceRole) {
+			checkMfaForHavingRole(sess, sess.getPerunPrincipal().getRoles());
+		} else {
+			log.debug("skipped MFA role check for {}", sess.getPerunPrincipal().getActor());
+		}
 
 		log.trace("Refreshed roles: {}", sess.getPerunPrincipal().getRoles());
 		sess.getPerunPrincipal().setAuthzInitialized(true);