YubikeyMemberAuthenticator::validateYubikey() - Code Metrics - Inspection of "Marco/master" - Firesphere/silverstripe-yubiauth - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Pull Request — master (#13)

by Simon

created 2018-05-07 12:30 UTC

YubikeyMemberAuthenticator::validateYubikey() C

↳ Parent: YubikeyMemberAuthenticator

Complexity

Conditions	7
Paths	8

Size

Total Lines	37
Code Lines	16

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	7
eloc	16
nc	8
nop	3
dl	0
loc	37
rs	6.7272
c	0
b	0
f	0

<?php

namespace Firesphere\YubiAuth\Authenticators;

use Exception;
use Firesphere\BootstrapMFA\Authenticators\BootstrapMFAAuthenticator;
use Firesphere\YubiAuth\Handlers\YubikeyLoginHandler;
use Firesphere\YubiAuth\Helpers\QwertyConvertor;
use Firesphere\YubiAuth\Providers\YubikeyAuthProvider;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Core\Config\Config;
use SilverStripe\Core\Environment;
use SilverStripe\Core\Injector\Injector;
use SilverStripe\ORM\ValidationResult;
use SilverStripe\Security\Authenticator;
use SilverStripe\Security\Member;
use Yubikey\Response;
use Yubikey\Validate;

/**
 * Class YubikeyAuthenticator
 *
 * Enable Yubikey Authentication for SilverStripe CMS and member-protected pages.
 */
class YubikeyMemberAuthenticator extends BootstrapMFAAuthenticator
{

    /**
     * @var Validate
     */
    protected $yubiService;
    /**
     * @var YubikeyAuthProvider
     */
    protected $provider;
    /**
     * @var string
     */
    private $authenticatorName = 'yubiauth';


    /**
     * Set the provider to a YubikeyAuthProvider instance
     *
     * YubikeyMemberAuthenticator constructor.
     */
    public function __construct()
    {
        if (!$this->provider) {
            $this->provider = Injector::inst()->get(YubikeyAuthProvider::class);
        }
    }

    /**
     * Name of this authenticator
     *
     * @return string
     */
    public static function get_name()
    {
        return _t('YubikeyAuthenticator.TITLE', 'Yubikey 2 factor login');
    }

    /**
     * @return YubikeyAuthProvider
     */
    public function getProvider()
    {
        return $this->provider;
    }

    /**
     * @param YubikeyAuthProvider $provider
     * @return $this
     */
    public function setProvider($provider)
    {
        $this->provider = $provider;

        return $this;
    }

    public function supportedServices()
    {
        // Bitwise-OR of all the supported services in this Authenticator, to make a bitmask
        return Authenticator::LOGIN | Authenticator::LOGOUT | Authenticator::CHANGE_PASSWORD
            | Authenticator::RESET_PASSWORD | Authenticator::CHECK_PASSWORD;
    }

    /**
     * @inheritdoc
     *
     * @param array $data
     * @param HTTPRequest $request
     * @param ValidationResult $validationResult
     *
     * @return ValidationResult|Member
     * @throws \SilverStripe\ORM\ValidationException
     */
    public function validateYubikey($data, $request, &$validationResult = null)
    {
        if (!$validationResult instanceof ValidationResult) {
            $validationResult = ValidationResult::create();
        }

        $memberID = $request->getSession()->get('YubikeyLoginHandler.MemberID');
        // First, let's see if we know the member
        /** @var Member|null $member */
        $member = Member::get()->filter(['ID' => $memberID])->first();

        // Continue if we have a valid member
        if ($member && $member instanceof Member) {

            // We do not have to check the YubiAuth for now.
            if (!$member->YubiAuthEnabled && empty($data['yubiauth'])) {
                return $this->authenticateNoYubikey($member);
            }

            // If we know the member, and it's YubiAuth enabled, continue.
            if (!empty($data['yubiauth'])) {
                /** @var Validate $service */
                $this->yubiService = Injector::inst()->createWithArgs(
                    Validate::class,
                    [
                        Environment::getEnv('YUBIAUTH_APIKEY'),
                        Environment::getEnv('YUBIAUTH_CLIENTID'),
                    ]
                );

                return $this->authenticateYubikey($data, $member);
            }
            $member->registerFailedLogin();
            $validationResult->addError('Yubikey Authentication error');
        }

        return null;
    }

    /**
     * Handle login if the user did not enter a Yubikey string.
     * Will break out and return NULL if the member should use their Yubikey
     *
     * @param  Member $member
     * @return ValidationResult|Member
     * @throws \SilverStripe\ORM\ValidationException
     */
    private function authenticateNoYubikey($member)
    {
        ++$member->NoYubikeyCount;
        $member->write();
        $yubiAuthNoYubi = $this->provider->checkNoYubiAttempts($member);
        if ($yubiAuthNoYubi instanceof ValidationResult) {
            return $yubiAuthNoYubi;
        }

        return $member;
    }

    /**
     * Validate a member plus it's yubikey login. It compares the fingerprintt and after that,
     * tries to validate the Yubikey string
     *
     * @param  array $data
     * @param  Member $member
     * @return ValidationResult|Member
     */
    private function authenticateYubikey($data, $member)
    {
        if ($url = Config::inst()->get(self::class, 'AuthURL')) {
            $this->yubiService->setHost($url);
        }
        $yubiCode = QwertyConvertor::convertString($data['yubiauth']);
        $yubiFingerprint = substr($yubiCode, 0, -32);
        $validationResult = ValidationResult::create();

        if ($member->Yubikey) {
            $validationResult = $this->provider->validateYubikey($member, $yubiFingerprint);
            if (!$validationResult->isValid()) {
                $member->registerFailedLogin();

                return $validationResult;
            }
        }
        try {
            /** @var Response $result */
            $result = $this->yubiService->check($yubiCode);
            $this->updateMember($member, $yubiFingerprint);
        } catch (Exception $e) {
            $validationResult->addError($e->getMessage());

            $member->registerFailedLogin();

            return $validationResult;
        }
        if ($result->success() === true) {
            $this->updateMember($member, $yubiFingerprint);

            return $member;
        }

        $validationResult = ValidationResult::create();
        $validationResult->addError(_t('YubikeyAuthenticator.ERROR', 'Yubikey authentication error'));
        $member->registerFailedLogin();

        return $validationResult;
    }

    /**
     * Update the member to forcefully enable YubiAuth
     * Also, register the Yubikey to the member.
     * Documentation:
     * https://developers.yubico.com/yubikey-val/Getting_Started_Writing_Clients.html
     *
     * @param Member $member
     * @param string $yubiString The Identifier String of the Yubikey
     */
    private function updateMember($member, $yubiString)
    {
        $member->registerSuccessfulLogin();
        $member->NoYubikeyCount = 0;

        if (!$member->YubiAuthEnabled) {
            $member->YubiAuthEnabled = true;
        }
        if (!$member->Yubikey) {
            $member->Yubikey = $yubiString;
        }
        $member->write();
    }


    /**
     * @param string $link
     * @return \SilverStripe\Security\MemberAuthenticator\LoginHandler|static
     */
    public function getLoginHandler($link)
    {
        return YubikeyLoginHandler::create($link, $this);
    }
}


1			<?php
2
3			namespace Firesphere\YubiAuth\Authenticators;
4
5			use Exception;
6			use Firesphere\BootstrapMFA\Authenticators\BootstrapMFAAuthenticator;
7			use Firesphere\YubiAuth\Handlers\YubikeyLoginHandler;
8			use Firesphere\YubiAuth\Helpers\QwertyConvertor;
9			use Firesphere\YubiAuth\Providers\YubikeyAuthProvider;
10			use SilverStripe\Control\HTTPRequest;
11			use SilverStripe\Core\Config\Config;
12			use SilverStripe\Core\Environment;
13			use SilverStripe\Core\Injector\Injector;
14			use SilverStripe\ORM\ValidationResult;
15			use SilverStripe\Security\Authenticator;
16			use SilverStripe\Security\Member;
17			use Yubikey\Response;
18			use Yubikey\Validate;
19
20			/**
21			* Class YubikeyAuthenticator
22			*
23			* Enable Yubikey Authentication for SilverStripe CMS and member-protected pages.
24			*/
25			class YubikeyMemberAuthenticator extends BootstrapMFAAuthenticator
26			{
27
28			/**
29			* @var Validate
30			*/
31			protected $yubiService;
32			/**
33			* @var YubikeyAuthProvider
34			*/
35			protected $provider;
36			/**
37			* @var string
38			*/
39			private $authenticatorName = 'yubiauth';
			0 ignored issues – show introduced 2017-11-15 06:00 UTC by Report Bug Copy Issue Report The private property `$authenticatorName` is not used, and could be removed. Loading history...
40
41			/**
42			* Set the provider to a YubikeyAuthProvider instance
43			*
44			* YubikeyMemberAuthenticator constructor.
45			*/
46			public function __construct()
47			{
48			if (!$this->provider) {
49			$this->provider = Injector::inst()->get(YubikeyAuthProvider::class);
50			}
51			}
52
53			/**
54			* Name of this authenticator
55			*
56			* @return string
57			*/
58			public static function get_name()
59			{
60			return _t('YubikeyAuthenticator.TITLE', 'Yubikey 2 factor login');
61			}
62
63			/**
64			* @return YubikeyAuthProvider
65			*/
66			public function getProvider()
67			{
68			return $this->provider;
69			}
70
71			/**
72			* @param YubikeyAuthProvider $provider
73			* @return $this
74			*/
75			public function setProvider($provider)
76			{
77			$this->provider = $provider;
78
79			return $this;
80			}
81
82			public function supportedServices()
83			{
84			// Bitwise-OR of all the supported services in this Authenticator, to make a bitmask
85			return Authenticator::LOGIN \| Authenticator::LOGOUT \| Authenticator::CHANGE_PASSWORD
86			\| Authenticator::RESET_PASSWORD \| Authenticator::CHECK_PASSWORD;
87			}
88
89			/**
90			* @inheritdoc
91			*
92			* @param array $data
93			* @param HTTPRequest $request
94			* @param ValidationResult $validationResult
95			*
96			* @return ValidationResult\|Member
97			* @throws \SilverStripe\ORM\ValidationException
98			*/
99			public function validateYubikey($data, $request, &$validationResult = null)
100			{
101			if (!$validationResult instanceof ValidationResult) {
102			$validationResult = ValidationResult::create();
103			}
104
105			$memberID = $request->getSession()->get('YubikeyLoginHandler.MemberID');
106			// First, let's see if we know the member
107			/** @var Member\|null $member */
108			$member = Member::get()->filter(['ID' => $memberID])->first();
109
110			// Continue if we have a valid member
111			if ($member && $member instanceof Member) {
112
113			// We do not have to check the YubiAuth for now.
114			if (!$member->YubiAuthEnabled && empty($data['yubiauth'])) {
115			return $this->authenticateNoYubikey($member);
116			}
117
118			// If we know the member, and it's YubiAuth enabled, continue.
119			if (!empty($data['yubiauth'])) {
120			/** @var Validate $service */
121			$this->yubiService = Injector::inst()->createWithArgs(
122			Validate::class,
123			[
124			Environment::getEnv('YUBIAUTH_APIKEY'),
125			Environment::getEnv('YUBIAUTH_CLIENTID'),
126			]
127			);
128
129			return $this->authenticateYubikey($data, $member);
130			}
131			$member->registerFailedLogin();
132			$validationResult->addError('Yubikey Authentication error');
133			}
134
135			return null;
136			}
137
138			/**
139			* Handle login if the user did not enter a Yubikey string.
140			* Will break out and return NULL if the member should use their Yubikey
141			*
142			* @param Member $member
143			* @return ValidationResult\|Member
144			* @throws \SilverStripe\ORM\ValidationException
145			*/
146			private function authenticateNoYubikey($member)
147			{
148			++$member->NoYubikeyCount;
149			$member->write();
150			$yubiAuthNoYubi = $this->provider->checkNoYubiAttempts($member);
151			if ($yubiAuthNoYubi instanceof ValidationResult) {
152			return $yubiAuthNoYubi;
153			}
154
155			return $member;
156			}
157
158			/**
159			* Validate a member plus it's yubikey login. It compares the fingerprintt and after that,
160			* tries to validate the Yubikey string
161			*
162			* @param array $data
163			* @param Member $member
164			* @return ValidationResult\|Member
165			*/
166			private function authenticateYubikey($data, $member)
167			{
168			if ($url = Config::inst()->get(self::class, 'AuthURL')) {
169			$this->yubiService->setHost($url);
170			}
171			$yubiCode = QwertyConvertor::convertString($data['yubiauth']);
172			$yubiFingerprint = substr($yubiCode, 0, -32);
173			$validationResult = ValidationResult::create();
174
175			if ($member->Yubikey) {
176			$validationResult = $this->provider->validateYubikey($member, $yubiFingerprint);
177			if (!$validationResult->isValid()) {
178			$member->registerFailedLogin();
179
180			return $validationResult;
181			}
182			}
183			try {
184			/** @var Response $result */
185			$result = $this->yubiService->check($yubiCode);
186			$this->updateMember($member, $yubiFingerprint);
187			} catch (Exception $e) {
188			$validationResult->addError($e->getMessage());
189
190			$member->registerFailedLogin();
191
192			return $validationResult;
193			}
194			if ($result->success() === true) {
195			$this->updateMember($member, $yubiFingerprint);
196
197			return $member;
198			}
199
200			$validationResult = ValidationResult::create();
201			$validationResult->addError(_t('YubikeyAuthenticator.ERROR', 'Yubikey authentication error'));
202			$member->registerFailedLogin();
203
204			return $validationResult;
205			}
206
207			/**
208			* Update the member to forcefully enable YubiAuth
209			* Also, register the Yubikey to the member.
210			* Documentation:
211			* https://developers.yubico.com/yubikey-val/Getting_Started_Writing_Clients.html
212			*
213			* @param Member $member
214			* @param string $yubiString The Identifier String of the Yubikey
215			*/
216			private function updateMember($member, $yubiString)
217			{
218			$member->registerSuccessfulLogin();
219			$member->NoYubikeyCount = 0;
220
221			if (!$member->YubiAuthEnabled) {
222			$member->YubiAuthEnabled = true;
223			}
224			if (!$member->Yubikey) {
225			$member->Yubikey = $yubiString;
226			}
227			$member->write();
228			}
229
230
231			/**
232			* @param string $link
233			* @return \SilverStripe\Security\MemberAuthenticator\LoginHandler\|static
234			*/
235			public function getLoginHandler($link)
236			{
237			return YubikeyLoginHandler::create($link, $this);
238			}
239			}
240

Firesphere / silverstripe-yubiauth

Pull Request — master (#13)

YubikeyMemberAuthenticator::validateYubikey() C

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like