Authentication::authenticate() - Code Metrics - GEANT/CAT - Measure and Improve Code Quality continuously with Scrutinizer

Authentication::authenticate() F
last analyzed 2026-01-21 16:23 UTC

↳ Parent: Authentication

Complexity

Conditions	17
Paths	588

Size

Total Lines	73
Code Lines	53

Duplication

Lines	0
Ratio	0 %

Importance

Changes	2
Bugs	0	Features	0

Metric	Value
eloc	53
c	2
b	0
f	0
dl	0
loc	73
rs	1.6222
cc	17
nc	588
nop	0

How to fix Long Method Complexity

<?php
/*
 * *****************************************************************************
 * Contributions to this work were made on behalf of the GÉANT project, a 
 * project that has received funding from the European Union’s Framework 
 * Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
 * Horizon 2020 research and innovation programme under Grant Agreements No. 
 * 691567 (GN4-1) and No. 731122 (GN4-2).
 * On behalf of the aforementioned projects, GEANT Association is the sole owner
 * of the copyright in all material which was developed by a member of the GÉANT
 * project. GÉANT Vereniging (Association) is registered with the Chamber of 
 * Commerce in Amsterdam with registration number 40535155 and operates in the 
 * UK as a branch of GÉANT Vereniging.
 * 
 * Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. 
 * UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
 *
 * License: see the web/copyright.inc.php file in the file structure or
 *          <base_url>/copyright.php after deploying the software
 */

namespace web\lib\admin;

use Exception;

/**
 * This class handles admin user authentication.
 * 
 * @author Stefan Winter <[email protected]>
 */
class Authentication extends \core\common\Entity {

    /**
     * initialise ourselves, and simpleSAMLphp
     */
    public function __construct() {
        parent::__construct();
        include_once \config\Master::AUTHENTICATION['ssp-path-to-autoloader'];
    }
    /**
     * finds out whether the user is already authenticated. Does not trigger an authentication if not.
     *
     * @return boolean auth state
     */
    public function isAuthenticated() {

        $authSimple = new \SimpleSAML\Auth\Simple(\config\Master::AUTHENTICATION['ssp-authsource']);
        $session = \SimpleSAML\Session::getSessionFromRequest();
        $status = $authSimple->isAuthenticated();
        $session->cleanup();
        return $status;
    }

    /**
     * authenticates a user.
     * 
     * @return void
     * @throws Exception
     */
    public function authenticate() {
        \core\common\Entity::intoThePotatoes();
        $loggerInstance = new \core\common\Logging();
        $authSimple = new \SimpleSAML\Auth\Simple(\config\Master::AUTHENTICATION['ssp-authsource']);
        if (!$authSimple->isAuthenticated()) {
            $_SESSION['saveLog'] = true;
        }
        $authSimple->requireAuth();
        $admininfo = $authSimple->getAttributes();
        \core\common\Logging::debug_s(4, $admininfo, "SAML ATTR0:\n", "\n");
        if (isset($admininfo['uniqueIdentifier'])) {
            $idps = explode('##########', $admininfo['uniqueIdentifier']);
            $idpsNo = count($idps);
            if ($idpsNo > 2) {
                \core\common\Logging::debug_s(3, $idps, "PROXIED IDP:\n", "\n");
            }
            $authorizingAuthority = $idps[count($idps)-2];
            \core\common\Logging::debug_s(3, $authorizingAuthority, "IDP:\n", "\n");
            $_SESSION['authorizing_authority'] = $authorizingAuthority;

        }
        if (isset($_SESSION['saveLog']) && $_SESSION['saveLog'] == true) {
            $saveLog = true;
        } else {
            $saveLog = false;
        }
        unset($_SESSION['saveLog']);
        $session = \SimpleSAML\Session::getSessionFromRequest();
        $session->cleanup();
        if (!isset($admininfo[\config\Master::AUTHENTICATION['ssp-attrib-identifier']][0])) {
            $failtext = "FATAL ERROR: we did not receive a unique user identifier from the authentication source!";
            echo $failtext;
            throw new Exception($failtext);
        }
        $user = $admininfo[\config\Master::AUTHENTICATION['ssp-attrib-identifier']][0];
        if ($saveLog) {
            $loggerInstance->debug(4, "Writing log\n");
            $this->logLoginTime($user);
        }
        $_SESSION['user'] = $user;
        $_SESSION['name'] = $admininfo[\config\Master::AUTHENTICATION['ssp-attrib-name']][0] ?? _("Unnamed User");
        $_SESSION['auth_email'] = $admininfo[\config\Master::AUTHENTICATION['ssp-attrib-email']][0] ?? _("");
        if (isset($admininfo[\config\Master::AUTHENTICATION['ssp-entitlement']])) {
            $_SESSION['entitlement'] = $admininfo[\config\Master::AUTHENTICATION['ssp-entitlement']];
        }
        /*
         * This is a nice pathological test case for a user ID.
         *
         * */
        //$_SESSION['user'] = "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" NameQualifier=\"https://idp.jisc.ac.uk/idp/shibboleth\" SPNameQualifier=\"https://cat-beta.govroam.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\">XXXXXXXXXXXXXXXX</saml:NameID>";

        $newNameReceived = FALSE;
        $userObject = new \core\User($user);
        $attribMapping = [
            "ssp-attrib-name" => "user:realname",
            "ssp-attrib-email" => "user:email"];
        foreach ($attribMapping as $SSPside => $CATside) {
            if (isset($admininfo[\config\Master::AUTHENTICATION[$SSPside]][0]) && (count($userObject->getAttributes($CATside)) == 0) && \config\Master::DB['USER']['readonly'] === FALSE) {
                $name = $admininfo[\config\Master::AUTHENTICATION[$SSPside]][0];
                $userObject->addAttribute($CATside, NULL, $name);
                $loggerInstance->writeAudit($_SESSION['user'], "NEW", "User - added $CATside from external auth source");
                if ($CATside == "user:realname") {
                    $newNameReceived = TRUE;
                }
            }
        }
        if (count($userObject->getAttributes('user:realname')) > 0 || $newNameReceived) { // we have a real name in the DB. We trust this more than a session one, so set it
            $nameArray = $userObject->getAttributes("user:realname");
            if (!empty($nameArray[0])) {
                $_SESSION['name'] = $nameArray[0]['value'];
            }
        }
        \core\common\Entity::outOfThePotatoes();
    }

    /**
     * deauthenticates the user.
     * Sends a SAML LogoutRequest to the IdP, which will kill the SSO session and return us to our own logout_check page.
     * 
     * @return void
     */
    public function deauthenticate() {
        $as = new \SimpleSAML\Auth\Simple(\config\Master::AUTHENTICATION['ssp-authsource']);
        $servername = htmlspecialchars(strip_tags(filter_input(INPUT_SERVER, 'SERVER_NAME')));
        $scriptself = htmlspecialchars(strip_tags(filter_input(INPUT_SERVER, 'PHP_SELF')));
        $url = "https://www.eduroam.org"; // fallback if something goes wrong during URL construction below
        $trailerPosition = strrpos($scriptself, "/inc/logout.php");
        if ($trailerPosition !== FALSE) {
            $base = substr($scriptself, 0, $trailerPosition);
            if ($base !== FALSE) {
                $url = "//$servername" . $base . "/logout_check.php";
            }
        }
        $as->logout([
            'ReturnTo' => $url,
            'ReturnStateParam' => 'LogoutState',
            'ReturnStateStage' => 'MyLogoutState',
        ]);
    }
    
    private function logLoginTime($user) {
        $handle = \core\DBConnection::handle("INST");
        if (!$handle instanceof \core\DBConnection) {
            $frontendHandle = $handle;

        }
        $truncatedUser = substr($user,0,999);      
        $handle->exec("INSERT INTO admin_logins (user_id, last_login) VALUES ('$truncatedUser', NOW()) ON DUPLICATE KEY UPDATE last_login=NOW()");
    }

}


1			<?php
2			/*
3			* *****************************************************************************
4			* Contributions to this work were made on behalf of the GÉANT project, a
5			* project that has received funding from the European Union’s Framework
6			* Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
7			* Horizon 2020 research and innovation programme under Grant Agreements No.
8			* 691567 (GN4-1) and No. 731122 (GN4-2).
9			* On behalf of the aforementioned projects, GEANT Association is the sole owner
10			* of the copyright in all material which was developed by a member of the GÉANT
11			* project. GÉANT Vereniging (Association) is registered with the Chamber of
12			* Commerce in Amsterdam with registration number 40535155 and operates in the
13			* UK as a branch of GÉANT Vereniging.
14			*
15			* Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands.
16			* UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
17			*
18			* License: see the web/copyright.inc.php file in the file structure or
19			* <base_url>/copyright.php after deploying the software
20			*/
21
22			namespace web\lib\admin;
23
24			use Exception;
25
26			/**
27			* This class handles admin user authentication.
28			*
29			* @author Stefan Winter <[email protected]>
30			*/
31			class Authentication extends \core\common\Entity {
32
33			/**
34			* initialise ourselves, and simpleSAMLphp
35			*/
36			public function __construct() {
37			parent::__construct();
38			include_once \config\Master::AUTHENTICATION['ssp-path-to-autoloader'];
39			}
40			/**
41			* finds out whether the user is already authenticated. Does not trigger an authentication if not.
42			*
43			* @return boolean auth state
44			*/
45			public function isAuthenticated() {
46
47			$authSimple = new \SimpleSAML\Auth\Simple(\config\Master::AUTHENTICATION['ssp-authsource']);
48			$session = \SimpleSAML\Session::getSessionFromRequest();
49			$status = $authSimple->isAuthenticated();
50			$session->cleanup();
51			return $status;
52			}
53
54			/**
55			* authenticates a user.
56			*
57			* @return void
58			* @throws Exception
59			*/
60			public function authenticate() {
61			\core\common\Entity::intoThePotatoes();
62			$loggerInstance = new \core\common\Logging();
63			$authSimple = new \SimpleSAML\Auth\Simple(\config\Master::AUTHENTICATION['ssp-authsource']);
64			if (!$authSimple->isAuthenticated()) {
65			$_SESSION['saveLog'] = true;
66			}
67			$authSimple->requireAuth();
68			$admininfo = $authSimple->getAttributes();
69			\core\common\Logging::debug_s(4, $admininfo, "SAML ATTR0:\n", "\n");
70			if (isset($admininfo['uniqueIdentifier'])) {
71			$idps = explode('##########', $admininfo['uniqueIdentifier']);
72			$idpsNo = count($idps);
73			if ($idpsNo > 2) {
74			\core\common\Logging::debug_s(3, $idps, "PROXIED IDP:\n", "\n");
75			}
76			$authorizingAuthority = $idps[count($idps)-2];
77			\core\common\Logging::debug_s(3, $authorizingAuthority, "IDP:\n", "\n");
78			$_SESSION['authorizing_authority'] = $authorizingAuthority;
79
80			}
81			if (isset($_SESSION['saveLog']) && $_SESSION['saveLog'] == true) {
82			$saveLog = true;
83			} else {
84			$saveLog = false;
85			}
86			unset($_SESSION['saveLog']);
87			$session = \SimpleSAML\Session::getSessionFromRequest();
88			$session->cleanup();
89			if (!isset($admininfo[\config\Master::AUTHENTICATION['ssp-attrib-identifier']][0])) {
90			$failtext = "FATAL ERROR: we did not receive a unique user identifier from the authentication source!";
91			echo $failtext;
92			throw new Exception($failtext);
93			}
94			$user = $admininfo[\config\Master::AUTHENTICATION['ssp-attrib-identifier']][0];
95			if ($saveLog) {
96			$loggerInstance->debug(4, "Writing log\n");
97			$this->logLoginTime($user);
98			}
99			$_SESSION['user'] = $user;
100			$_SESSION['name'] = $admininfo[\config\Master::AUTHENTICATION['ssp-attrib-name']][0] ?? _("Unnamed User");
101			$_SESSION['auth_email'] = $admininfo[\config\Master::AUTHENTICATION['ssp-attrib-email']][0] ?? _("");
102			if (isset($admininfo[\config\Master::AUTHENTICATION['ssp-entitlement']])) {
103			$_SESSION['entitlement'] = $admininfo[\config\Master::AUTHENTICATION['ssp-entitlement']];
104			}
105			/*
106			* This is a nice pathological test case for a user ID.
107			*
108			* */
109			//$_SESSION['user'] = "<saml:NameID xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" NameQualifier=\"https://idp.jisc.ac.uk/idp/shibboleth\" SPNameQualifier=\"https://cat-beta.govroam.uk/simplesaml/module.php/saml/sp/metadata.php/default-sp\" Format=\"urn:oasis:names:tc:SAML:2.0:nameid-format:persistent\">XXXXXXXXXXXXXXXX</saml:NameID>";
110
111			$newNameReceived = FALSE;
112			$userObject = new \core\User($user);
113			$attribMapping = [
114			"ssp-attrib-name" => "user:realname",
115			"ssp-attrib-email" => "user:email"];
116			foreach ($attribMapping as $SSPside => $CATside) {
117			if (isset($admininfo[\config\Master::AUTHENTICATION[$SSPside]][0]) && (count($userObject->getAttributes($CATside)) == 0) && \config\Master::DB['USER']['readonly'] === FALSE) {
118			$name = $admininfo[\config\Master::AUTHENTICATION[$SSPside]][0];
119			$userObject->addAttribute($CATside, NULL, $name);
120			$loggerInstance->writeAudit($_SESSION['user'], "NEW", "User - added $CATside from external auth source");
121			if ($CATside == "user:realname") {
122			$newNameReceived = TRUE;
123			}
124			}
125			}
126			if (count($userObject->getAttributes('user:realname')) > 0 \|\| $newNameReceived) { // we have a real name in the DB. We trust this more than a session one, so set it
127			$nameArray = $userObject->getAttributes("user:realname");
128			if (!empty($nameArray[0])) {
129			$_SESSION['name'] = $nameArray[0]['value'];
130			}
131			}
132			\core\common\Entity::outOfThePotatoes();
133			}
134
135			/**
136			* deauthenticates the user.
137			* Sends a SAML LogoutRequest to the IdP, which will kill the SSO session and return us to our own logout_check page.
138			*
139			* @return void
140			*/
141			public function deauthenticate() {
142			$as = new \SimpleSAML\Auth\Simple(\config\Master::AUTHENTICATION['ssp-authsource']);
143			$servername = htmlspecialchars(strip_tags(filter_input(INPUT_SERVER, 'SERVER_NAME')));
144			$scriptself = htmlspecialchars(strip_tags(filter_input(INPUT_SERVER, 'PHP_SELF')));
145			$url = "https://www.eduroam.org"; // fallback if something goes wrong during URL construction below
146			$trailerPosition = strrpos($scriptself, "/inc/logout.php");
147			if ($trailerPosition !== FALSE) {
148			$base = substr($scriptself, 0, $trailerPosition);
149			if ($base !== FALSE) {
150			$url = "//$servername" . $base . "/logout_check.php";
151			}
152			}
153			$as->logout([
154			'ReturnTo' => $url,
155			'ReturnStateParam' => 'LogoutState',
156			'ReturnStateStage' => 'MyLogoutState',
157			]);
158			}
159
160			private function logLoginTime($user) {
161			$handle = \core\DBConnection::handle("INST");
162			if (!$handle instanceof \core\DBConnection) {
163			$frontendHandle = $handle;
			0 ignored issues – show Unused Code introduced 2025-10-06 12:10 UTC by Report Bug Copy Issue Report The assignment to `$frontendHandle` is dead and can be removed. Loading history...
164			}
165			$truncatedUser = substr($user,0,999);
166			$handle->exec("INSERT INTO admin_logins (user_id, last_login) VALUES ('$truncatedUser', NOW()) ON DUPLICATE KEY UPDATE last_login=NOW()");
167			}
168
169			}
170

GEANT / CAT

Authentication::authenticate() F last analyzed 2026-01-21 16:23 UTC

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like

Authentication::authenticate() F
last analyzed 2026-01-21 16:23 UTC