User - Code Metrics - Inspection of "implement the read-only mode for federation admins" - GEANT/CAT - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — release_2_1 ( c5a9af...7447ed )

by Tomasz

created 2024-02-12 13:57 UTC

User A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	250
Duplicated Lines	0 %

Importance

Changes

Metric	Value
wmc	40
eloc	122
c	0
b	0
f	0
dl	0
loc	250
rs	9.2

8 Methods

Rating	Name	Size	Complexity
B	__construct()	35	7
A	isIdPOwner()	9	3
A	isFederationAdmin()	15	5
A	isSuperadmin()	3	1
A	updateFreshness()	2	1
A	sendMailToUser()	20	2
D	findLoginIdPByEmail()	74	20
A	listOwnerships()	4	1

How to fix Complexity

<?php

/*
 * *****************************************************************************
 * Contributions to this work were made on behalf of the GÉANT project, a 
 * project that has received funding from the European Union’s Framework 
 * Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
 * Horizon 2020 research and innovation programme under Grant Agreements No. 
 * 691567 (GN4-1) and No. 731122 (GN4-2).
 * On behalf of the aforementioned projects, GEANT Association is the sole owner
 * of the copyright in all material which was developed by a member of the GÉANT
 * project. GÉANT Vereniging (Association) is registered with the Chamber of 
 * Commerce in Amsterdam with registration number 40535155 and operates in the 
 * UK as a branch of GÉANT Vereniging.
 * 
 * Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. 
 * UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
 *
 * License: see the web/copyright.inc.php file in the file structure or
 *          <base_url>/copyright.php after deploying the software
 */

/**
 * This class manages user privileges and bindings to institutions
 *
 * @author Stefan Winter <[email protected]>
 * @author Tomasz Wolniewicz <[email protected]>
 * 
 * @package Developer
 */
/**
 * necessary includes
 */

namespace core;

/**
 * This class represents a known CAT User (i.e. an institution and/or federation adiministrator).
 * @author Stefan Winter <[email protected]>
 * 
 * @package Developer
 */
class User extends EntityWithDBProperties
{

    /**
     *
     * @var string
     */
    public $userName;

    /**
     * Class constructor. The required argument is a user's persistent identifier as was returned by the authentication source.
     * 
     * @param string $userId User Identifier as per authentication source
     */
    public function __construct($userId)
    {
        $this->databaseType = "USER";
        parent::__construct(); // database handle is now available
        $this->attributes = [];
        $this->entityOptionTable = "user_options";
        $this->entityIdColumn = "user_id";
        $this->identifier = 0; // not used
        $this->userName = $userId;
        $optioninstance = Options::instance();

        if (\config\ConfAssistant::CONSORTIUM['name'] == "eduroam" && isset(\config\ConfAssistant::CONSORTIUM['deployment-voodoo']) && \config\ConfAssistant::CONSORTIUM['deployment-voodoo'] == "Operations Team") { // SW: APPROVED
// e d u r o a m DB doesn't follow the usual approach
// we could get multiple rows below (if administering multiple
// federations), so consolidate all into the usual options
            $info = $this->databaseHandle->exec("SELECT email, common_name, role, realm FROM view_admin WHERE eptid = ?", "s", $this->userName);
            $visited = FALSE;
            // SELECT -> resource, not boolean
            while ($userDetailQuery = mysqli_fetch_object(/** @scrutinizer ignore-type */ $info)) {
                if (!$visited) {
                    $mailOptinfo = $optioninstance->optionType("user:email");
                    $this->attributes[] = ["name" => "user:email", "lang" => NULL, "value" => $userDetailQuery->email, "level" => Options::LEVEL_USER, "row_id" => 0, "flag" => $mailOptinfo['flag']];
                    $realnameOptinfo = $optioninstance->optionType("user:realname");
                    $this->attributes[] = ["name" => "user:realname", "lang" => NULL, "value" => $userDetailQuery->common_name, "level" => Options::LEVEL_USER, "row_id" => 0, "flag" => $realnameOptinfo['flag']];
                    $visited = TRUE;
                }
                if ($userDetailQuery->role == "fedadmin") {
                    $optinfo = $optioninstance->optionType("user:fedadmin");
                    $this->attributes[] = ["name" => "user:fedadmin", "lang" => NULL, "value" => strtoupper($userDetailQuery->realm), "level" => Options::LEVEL_USER, "row_id" => 0, "flag" => $optinfo['flag']];
                }
            }
        } else {
            $this->attributes = $this->retrieveOptionsFromDatabase("SELECT DISTINCT option_name, option_lang, option_value, row_id
                                                FROM $this->entityOptionTable
                                                WHERE $this->entityIdColumn = ?", "User");
        }
    }

    /**
     * This function checks whether a user is a federation administrator. When called without argument, it only checks if the
     * user is a federation administrator of *any* federation. When given a parameter (ISO shortname of federation), it checks
     * if the user administers this particular federation.
     * 
     * @param string $federation optional: federation to be checked
     * @return boolean TRUE if the user is federation admin, FALSE if not 
     */
    public function isFederationAdmin($federation = 0)
    {
        $feds = $this->getAttributes("user:fedadmin");
        if (count($feds) == 0) { // not a fedadmin at all
            return FALSE;
        }
        if ($federation === 0) { // fedadmin for one; that's all we want to know
            return TRUE;
        }
        foreach ($feds as $fed) { // check if authz is for requested federation
            if (strtoupper($fed['value']) == strtoupper($federation)) {
                return TRUE;
            }
        }
        return FALSE; // no luck so far? Not the admin we are looking for.
    }

    /**
     * This function tests if the current user has been configured as the system superadmin, i.e. if the user is allowed
     * to execute the 112365365321.php script
     *
     * @return boolean TRUE if the user is a superadmin, FALSE if not 
     */
    public function isSuperadmin()
    {
        return in_array($this->userName, \config\Master::SUPERADMINS);
    }

    /**
     * This function tests if the current user is an ovner of a given IdP
     *
     * @param int $idp integer identifier of the IdP
     * @return boolean TRUE if the user is an owner, FALSE if not 
     */
    public function isIdPOwner($idp)
    {
        $temp = new IdP($idp);
        foreach ($temp->listOwners() as $oneowner) {
            if ($oneowner['ID'] == $this->userName) {
                return TRUE;
            }
        }
        return FALSE;
    }
    
    /**
     * This function lists all institution ids for which the user appears as admin
     * 
     * @return array if institution ids.
     */
    public function listOwnerships() {
        $dbHandle = \core\DBConnection::handle("INST");
        $query = $dbHandle->exec("SELECT institution_id FROM ownership WHERE user_id='".$this->userName."'");
        return array_column($query->fetch_all(), 0);
    }

    /**
     * shorthand function for email sending to the user
     * 
     * @param string $subject addressee of the mail
     * @param string $content content of the mail
     * @return boolean did it work?
     */
    public function sendMailToUser($subject, $content)
    {

        $mailaddr = $this->getAttributes("user:email");
        if (count($mailaddr) == 0) { // we don't know user's mail address
            return FALSE;
        }
        common\Entity::intoThePotatoes();
        $mail = \core\common\OutsideComm::mailHandle();
// who to whom?
        $mail->FromName = \config\Master::APPEARANCE['productname'] . " Notification System";
        $mail->addReplyTo(\config\Master::APPEARANCE['support-contact']['developer-mail'], \config\Master::APPEARANCE['productname'] . " " . _("Feedback"));
        $mail->addAddress($mailaddr[0]["value"]);
// what do we want to say?
        $mail->Subject = $subject;
        $mail->Body = $content;

        $sent = $mail->send();
        common\Entity::outOfThePotatoes();
        return $sent;
    }

    /**
     * NOOP in this class, only need to override abstract base class
     * 
     * @return void
     */
    public function updateFreshness()
    {
        // User is always fresh
    }

    const PROVIDER_STRINGS = [
        "eduPersonTargetedID" => "eduGAIN",
        "facebook_targetedID" => "Facebook",
        "google_eppn" => "Google",
        "linkedin_targetedID" => "LinkedIn",
        "twitter_targetedID" => "Twitter",
        "openid" => "Google (defunct)",
    ];

    /**
     * Some users apparently forget which eduGAIN/social ID they originally used
     * to log into CAT. We can try to help them: if they tell us the email
     * address by which they received the invitation token, then we can see if
     * any CAT IdPs are associated to an account which originally came in via
     * that email address. We then see which pretty-print auth provider name
     * was used
     * 
     * @param string $mail mail address to search with
     * @param string $lang language for the eduGAIN request
     * @return boolean|array the list of auth source IdPs we found for the mail, or FALSE if none found or invalid input
     */
    public static function findLoginIdPByEmail($mail, $lang)
    {
        $loggerInstance = new common\Logging();
        $listOfProviders = [];
        $matchedProviders = [];
        $skipCurl = 0;
        $realmail = filter_var($mail, FILTER_VALIDATE_EMAIL);
        if ($realmail === FALSE) {
            return FALSE;
        }
        $dbHandle = \core\DBConnection::handle("INST");
        $query = $dbHandle->exec("SELECT user_id FROM ownership WHERE orig_mail = ?", "s", $realmail);

        // SELECT -> resource, not boolean
        while ($oneRow = mysqli_fetch_object(/** @scrutinizer ignore-type */ $query)) {
            $matches = [];
            $lookFor = "";
            foreach (User::PROVIDER_STRINGS as $name => $prettyname) {
                if ($lookFor != "") {
                    $lookFor .= "|";
                }
                $lookFor .= "$name";
            }
            $finding = preg_match("/^(" . $lookFor . "):(.*)/", $oneRow->user_id, $matches);
            if ($finding === 0 || $finding === FALSE) {
                return FALSE;
            }

            $providerStrings = array_keys(User::PROVIDER_STRINGS);
            switch ($matches[1]) {
                case $providerStrings[0]: // eduGAIN needs to find the exact IdP behind it
                    $moreMatches = [];
                    $exactIdP = preg_match("/.*!(.*)$/", $matches[2], $moreMatches);
                    if ($exactIdP === 0 || $exactIdP === FALSE) {
                        break;
                    }
                    $idp = $moreMatches[1];
                    if (!in_array($idp, $matchedProviders)) {
                        $matchedProviders[] = $idp;
                        $name = $idp;
                        if ($skipCurl == 0) {
                            $url = \config\Diagnostics::EDUGAINRESOLVER['url'] . "?action=get_entity_name&type=idp&e_id=$idp&lang=$lang";
                            $ch = curl_init($url);
                            if ($ch === FALSE) {
                                $loggerInstance->debug(2, "Unable ask eduGAIN about IdP - CURL init failed!");
                                break;
                            }
                            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                            curl_setopt($ch, CURLOPT_TIMEOUT, \config\Diagnostics::EDUGAINRESOLVER['timeout']);
                            $response = curl_exec($ch);
                            if (is_bool($response)) { // catch both FALSE and TRUE because we use CURLOPT_RETURNTRANSFER
                                $skipCurl = 1;
                            } else {
                                $name = json_decode($response);
                            }
                            curl_close($ch);
                        }
                        $listOfProviders[] = User::PROVIDER_STRINGS[$providerStrings[0]] . " - IdP: " . $name;
                    }
                    break;
                case $providerStrings[1]:
                case $providerStrings[2]:
                case $providerStrings[3]:
                case $providerStrings[4]:
                case $providerStrings[5]:
                    if (!in_array(User::PROVIDER_STRINGS[$matches[1]], $listOfProviders)) {
                        $listOfProviders[] = User::PROVIDER_STRINGS[$matches[1]];
                    }
                    break;
                default:
                    return FALSE;
            }
        }
        return $listOfProviders;
    }
}

1			<?php
2
3			/*
4			* *****************************************************************************
5			* Contributions to this work were made on behalf of the GÉANT project, a
6			* project that has received funding from the European Union’s Framework
7			* Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
8			* Horizon 2020 research and innovation programme under Grant Agreements No.
9			* 691567 (GN4-1) and No. 731122 (GN4-2).
10			* On behalf of the aforementioned projects, GEANT Association is the sole owner
11			* of the copyright in all material which was developed by a member of the GÉANT
12			* project. GÉANT Vereniging (Association) is registered with the Chamber of
13			* Commerce in Amsterdam with registration number 40535155 and operates in the
14			* UK as a branch of GÉANT Vereniging.
15			*
16			* Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands.
17			* UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
18			*
19			* License: see the web/copyright.inc.php file in the file structure or
20			* <base_url>/copyright.php after deploying the software
21			*/
22
23			/**
24			* This class manages user privileges and bindings to institutions
25			*
26			* @author Stefan Winter <[email protected]>
27			* @author Tomasz Wolniewicz <[email protected]>
28			*
29			* @package Developer
30			*/
31			/**
32			* necessary includes
33			*/
34
35			namespace core;
36
37			/**
38			* This class represents a known CAT User (i.e. an institution and/or federation adiministrator).
39			* @author Stefan Winter <[email protected]>
40			*
41			* @package Developer
42			*/
43			class User extends EntityWithDBProperties
44			{
45
46			/**
47			*
48			* @var string
49			*/
50			public $userName;
51
52			/**
53			* Class constructor. The required argument is a user's persistent identifier as was returned by the authentication source.
54			*
55			* @param string $userId User Identifier as per authentication source
56			*/
57			public function __construct($userId)
58			{
59			$this->databaseType = "USER";
60			parent::__construct(); // database handle is now available
61			$this->attributes = [];
62			$this->entityOptionTable = "user_options";
63			$this->entityIdColumn = "user_id";
64			$this->identifier = 0; // not used
65			$this->userName = $userId;
66			$optioninstance = Options::instance();
67
68			if (\config\ConfAssistant::CONSORTIUM['name'] == "eduroam" && isset(\config\ConfAssistant::CONSORTIUM['deployment-voodoo']) && \config\ConfAssistant::CONSORTIUM['deployment-voodoo'] == "Operations Team") { // SW: APPROVED
69			// e d u r o a m DB doesn't follow the usual approach
70			// we could get multiple rows below (if administering multiple
71			// federations), so consolidate all into the usual options
72			$info = $this->databaseHandle->exec("SELECT email, common_name, role, realm FROM view_admin WHERE eptid = ?", "s", $this->userName);
73			$visited = FALSE;
74			// SELECT -> resource, not boolean
75			while ($userDetailQuery = mysqli_fetch_object(/** @scrutinizer ignore-type */ $info)) {
76			if (!$visited) {
77			$mailOptinfo = $optioninstance->optionType("user:email");
78			$this->attributes[] = ["name" => "user:email", "lang" => NULL, "value" => $userDetailQuery->email, "level" => Options::LEVEL_USER, "row_id" => 0, "flag" => $mailOptinfo['flag']];
79			$realnameOptinfo = $optioninstance->optionType("user:realname");
80			$this->attributes[] = ["name" => "user:realname", "lang" => NULL, "value" => $userDetailQuery->common_name, "level" => Options::LEVEL_USER, "row_id" => 0, "flag" => $realnameOptinfo['flag']];
81			$visited = TRUE;
82			}
83			if ($userDetailQuery->role == "fedadmin") {
84			$optinfo = $optioninstance->optionType("user:fedadmin");
85			$this->attributes[] = ["name" => "user:fedadmin", "lang" => NULL, "value" => strtoupper($userDetailQuery->realm), "level" => Options::LEVEL_USER, "row_id" => 0, "flag" => $optinfo['flag']];
86			}
87			}
88			} else {
89			$this->attributes = $this->retrieveOptionsFromDatabase("SELECT DISTINCT option_name, option_lang, option_value, row_id
90			FROM $this->entityOptionTable
91			WHERE $this->entityIdColumn = ?", "User");
92			}
93			}
94
95			/**
96			* This function checks whether a user is a federation administrator. When called without argument, it only checks if the
97			* user is a federation administrator of any federation. When given a parameter (ISO shortname of federation), it checks
98			* if the user administers this particular federation.
99			*
100			* @param string $federation optional: federation to be checked
101			* @return boolean TRUE if the user is federation admin, FALSE if not
102			*/
103			public function isFederationAdmin($federation = 0)
104			{
105			$feds = $this->getAttributes("user:fedadmin");
106			if (count($feds) == 0) { // not a fedadmin at all
107			return FALSE;
108			}
109			if ($federation === 0) { // fedadmin for one; that's all we want to know
110			return TRUE;
111			}
112			foreach ($feds as $fed) { // check if authz is for requested federation
113			if (strtoupper($fed['value']) == strtoupper($federation)) {
114			return TRUE;
115			}
116			}
117			return FALSE; // no luck so far? Not the admin we are looking for.
118			}
119
120			/**
121			* This function tests if the current user has been configured as the system superadmin, i.e. if the user is allowed
122			* to execute the 112365365321.php script
123			*
124			* @return boolean TRUE if the user is a superadmin, FALSE if not
125			*/
126			public function isSuperadmin()
127			{
128			return in_array($this->userName, \config\Master::SUPERADMINS);
129			}
130
131			/**
132			* This function tests if the current user is an ovner of a given IdP
133			*
134			* @param int $idp integer identifier of the IdP
135			* @return boolean TRUE if the user is an owner, FALSE if not
136			*/
137			public function isIdPOwner($idp)
138			{
139			$temp = new IdP($idp);
140			foreach ($temp->listOwners() as $oneowner) {
141			if ($oneowner['ID'] == $this->userName) {
142			return TRUE;
143			}
144			}
145			return FALSE;
146			}
147
148			/**
149			* This function lists all institution ids for which the user appears as admin
150			*
151			* @return array if institution ids.
152			*/
153			public function listOwnerships() {
154			$dbHandle = \core\DBConnection::handle("INST");
155			$query = $dbHandle->exec("SELECT institution_id FROM ownership WHERE user_id='".$this->userName."'");
156			return array_column($query->fetch_all(), 0);
157			}
158
159			/**
160			* shorthand function for email sending to the user
161			*
162			* @param string $subject addressee of the mail
163			* @param string $content content of the mail
164			* @return boolean did it work?
165			*/
166			public function sendMailToUser($subject, $content)
167			{
168
169			$mailaddr = $this->getAttributes("user:email");
170			if (count($mailaddr) == 0) { // we don't know user's mail address
171			return FALSE;
172			}
173			common\Entity::intoThePotatoes();
174			$mail = \core\common\OutsideComm::mailHandle();
175			// who to whom?
176			$mail->FromName = \config\Master::APPEARANCE['productname'] . " Notification System";
177			$mail->addReplyTo(\config\Master::APPEARANCE['support-contact']['developer-mail'], \config\Master::APPEARANCE['productname'] . " " . _("Feedback"));
178			$mail->addAddress($mailaddr[0]["value"]);
179			// what do we want to say?
180			$mail->Subject = $subject;
181			$mail->Body = $content;
182
183			$sent = $mail->send();
184			common\Entity::outOfThePotatoes();
185			return $sent;
186			}
187
188			/**
189			* NOOP in this class, only need to override abstract base class
190			*
191			* @return void
192			*/
193			public function updateFreshness()
194			{
195			// User is always fresh
196			}
197
198			const PROVIDER_STRINGS = [
199			"eduPersonTargetedID" => "eduGAIN",
200			"facebook_targetedID" => "Facebook",
201			"google_eppn" => "Google",
202			"linkedin_targetedID" => "LinkedIn",
203			"twitter_targetedID" => "Twitter",
204			"openid" => "Google (defunct)",
205			];
206
207			/**
208			* Some users apparently forget which eduGAIN/social ID they originally used
209			* to log into CAT. We can try to help them: if they tell us the email
210			* address by which they received the invitation token, then we can see if
211			* any CAT IdPs are associated to an account which originally came in via
212			* that email address. We then see which pretty-print auth provider name
213			* was used
214			*
215			* @param string $mail mail address to search with
216			* @param string $lang language for the eduGAIN request
217			* @return boolean\|array the list of auth source IdPs we found for the mail, or FALSE if none found or invalid input
218			*/
219			public static function findLoginIdPByEmail($mail, $lang)
220			{
221			$loggerInstance = new common\Logging();
222			$listOfProviders = [];
223			$matchedProviders = [];
224			$skipCurl = 0;
225			$realmail = filter_var($mail, FILTER_VALIDATE_EMAIL);
226			if ($realmail === FALSE) {
227			return FALSE;
228			}
229			$dbHandle = \core\DBConnection::handle("INST");
230			$query = $dbHandle->exec("SELECT user_id FROM ownership WHERE orig_mail = ?", "s", $realmail);
231
232			// SELECT -> resource, not boolean
233			while ($oneRow = mysqli_fetch_object(/** @scrutinizer ignore-type */ $query)) {
234			$matches = [];
235			$lookFor = "";
236			foreach (User::PROVIDER_STRINGS as $name => $prettyname) {
237			if ($lookFor != "") {
238			$lookFor .= "\|";
239			}
240			$lookFor .= "$name";
241			}
242			$finding = preg_match("/^(" . $lookFor . "):(.*)/", $oneRow->user_id, $matches);
243			if ($finding === 0 \|\| $finding === FALSE) {
244			return FALSE;
245			}
246
247			$providerStrings = array_keys(User::PROVIDER_STRINGS);
248			switch ($matches[1]) {
249			case $providerStrings[0]: // eduGAIN needs to find the exact IdP behind it
250			$moreMatches = [];
251			$exactIdP = preg_match("/.!(.)$/", $matches[2], $moreMatches);
252			if ($exactIdP === 0 \|\| $exactIdP === FALSE) {
253			break;
254			}
255			$idp = $moreMatches[1];
256			if (!in_array($idp, $matchedProviders)) {
257			$matchedProviders[] = $idp;
258			$name = $idp;
259			if ($skipCurl == 0) {
260			$url = \config\Diagnostics::EDUGAINRESOLVER['url'] . "?action=get_entity_name&type=idp&e_id=$idp&lang=$lang";
261			$ch = curl_init($url);
262			if ($ch === FALSE) {
263			$loggerInstance->debug(2, "Unable ask eduGAIN about IdP - CURL init failed!");
264			break;
265			}
266			curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
267			curl_setopt($ch, CURLOPT_TIMEOUT, \config\Diagnostics::EDUGAINRESOLVER['timeout']);
268			$response = curl_exec($ch);
269			if (is_bool($response)) { // catch both FALSE and TRUE because we use CURLOPT_RETURNTRANSFER
270			$skipCurl = 1;
271			} else {
272			$name = json_decode($response);
273			}
274			curl_close($ch);
275			}
276			$listOfProviders[] = User::PROVIDER_STRINGS[$providerStrings[0]] . " - IdP: " . $name;
277			}
278			break;
279			case $providerStrings[1]:
280			case $providerStrings[2]:
281			case $providerStrings[3]:
282			case $providerStrings[4]:
283			case $providerStrings[5]:
284			if (!in_array(User::PROVIDER_STRINGS[$matches[1]], $listOfProviders)) {
285			$listOfProviders[] = User::PROVIDER_STRINGS[$matches[1]];
286			}
287			break;
288			default:
289			return FALSE;
290			}
291			}
292			return $listOfProviders;
293			}
294			}

GEANT / CAT

Push — release_2_1 ( c5a9af...7447ed )

User A

Complexity

Size/Duplication

Importance

8 Methods

How to fix Complexity

Complex Class

Duplication Side-by-Side

Filter issues like