Surfnet\StepupGateway\GatewayBundle\Sso2fa\CookieService

Complexity

Total Complexity

40

Size/Duplication

Total Lines	277
Duplicated Lines	0 %

Importance

Changes	3
Bugs	0	Features	0

9 Methods

Rating	Name	Duplication	Size	Complexity
A	__construct()	0	14	1
A	store()	0	3	1
B	isCookieValid()	0	38	8
B	shouldSkip2faAuthentication()	0	47	7
A	getCookieFingerprint()	0	3	1
B	shouldAddCookie()	0	34	9
A	read()	0	16	4
A	getRemoteSp()	0	7	2
B	handleSsoOn2faCookieStorage()	0	53	7

<?php declare(strict_types=1);

/**
 * Copyright 2022 SURFnet bv
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

PHP version not specified

Missing @category tag in file comment

Missing @package tag in file comment

Missing @author tag in file comment

Missing @license tag in file comment

Missing @link tag in file comment

namespace Surfnet\StepupGateway\GatewayBundle\Sso2fa;

use Doctrine\Common\Collections\Collection;
use Exception;
use Psr\Log\LoggerInterface;
use Surfnet\StepupBundle\Service\SecondFactorTypeService;
use Surfnet\StepupGateway\GatewayBundle\Entity\SecondFactor;
use Surfnet\StepupGateway\GatewayBundle\Entity\ServiceProvider;
use Surfnet\StepupGateway\GatewayBundle\Exception\RuntimeException;
use Surfnet\StepupGateway\GatewayBundle\Saml\ResponseContext;
use Surfnet\StepupGateway\GatewayBundle\Service\InstitutionConfigurationService;
use Surfnet\StepupGateway\GatewayBundle\Service\SecondFactorService;
use Surfnet\StepupGateway\GatewayBundle\Sso2fa\DateTime\ExpirationHelperInterface;
use Surfnet\StepupGateway\GatewayBundle\Sso2fa\Exception\CookieNotFoundException;
use Surfnet\StepupGateway\GatewayBundle\Sso2fa\Exception\DecryptionFailedException;
use Surfnet\StepupGateway\GatewayBundle\Sso2fa\Exception\InvalidAuthenticationTimeException;
use Surfnet\StepupGateway\GatewayBundle\Sso2fa\Http\CookieHelperInterface;
use Surfnet\StepupGateway\GatewayBundle\Sso2fa\ValueObject\CookieValue;
use Surfnet\StepupGateway\GatewayBundle\Sso2fa\ValueObject\CookieValueInterface;
use Surfnet\StepupGateway\GatewayBundle\Sso2fa\ValueObject\NullCookieValue;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

/**

Missing short description in doc comment

 * @SuppressWarnings(PHPMD.CouplingBetweenObjects) | Coupling is high as we are integrating logic into the infrastructure
 */

Missing @category tag in class comment

Missing @package tag in class comment

Missing @author tag in class comment

Missing @license tag in class comment

Missing @link tag in class comment

class CookieService implements CookieServiceInterface
{
    /**

Missing short description in doc comment

     * @var CookieHelperInterface
     */
    private $cookieHelper;

Private member variable "cookieHelper" must be prefixed with an underscore

    /**

Missing short description in doc comment

     * @var InstitutionConfigurationService
     */
    private $institutionConfigurationService;

Private member variable "institutionConfigurationService" must be prefixed with an underscore

    /**

Missing short description in doc comment

     * @var LoggerInterface
     */
    private $logger;

Private member variable "logger" must be prefixed with an underscore

    /**

Missing short description in doc comment

     * @var SecondFactorService
     */
    private $secondFactorService;

Private member variable "secondFactorService" must be prefixed with an underscore

    /**

Missing short description in doc comment

     * @var SecondFactorTypeService
     */
    private $secondFactorTypeService;

Private member variable "secondFactorTypeService" must be prefixed with an underscore

    /**

Missing short description in doc comment

     * @var ExpirationHelperInterface
     */
    private $expirationHelper;

Private member variable "expirationHelper" must be prefixed with an underscore

    public function __construct(

Missing doc comment for function __construct()

        CookieHelperInterface $cookieHelper,
        InstitutionConfigurationService $institutionConfigurationService,
        SecondFactorService $secondFactorService,
        SecondFactorTypeService $secondFactorTypeService,
        ExpirationHelperInterface $expirationHelper,
        LoggerInterface $logger
    ) {
        $this->cookieHelper = $cookieHelper;
        $this->institutionConfigurationService = $institutionConfigurationService;
        $this->secondFactorService = $secondFactorService;
        $this->secondFactorTypeService = $secondFactorTypeService;
        $this->expirationHelper = $expirationHelper;
        $this->logger = $logger;
    }

    public function handleSsoOn2faCookieStorage(

Missing doc comment for function handleSsoOn2faCookieStorage()

        ResponseContext $responseContext,
        Request $request,
        Response $httpResponse
    ): Response {
        // Check if this specific SP is configured to allow setting of an SSO on 2FA cookie (configured in MW config)
        $remoteSp = $this->getRemoteSp($responseContext);
        if (!$remoteSp->allowedToSetSsoCookieOn2fa()) {
            $this->logger->notice(
                sprintf(
                    'SP: %s does not allow writing SSO on 2FA cookies',
                    $remoteSp->getEntityId()
                )
            );
            return $httpResponse;
        }

        // The second factor id is read from state. It is the SF Id of the token used during authentication
        $secondFactorId = $responseContext->getSelectedSecondFactor();

        // We can only set an SSO on 2FA cookie if a second factor authentication is being handled.
        if ($secondFactorId) {
            $secondFactor = $this->secondFactorService->findByUuid($secondFactorId);
            if (!$secondFactor) {
                throw new RuntimeException(sprintf('Second Factor token not found with ID: %s', $secondFactorId));
            }
            // Test if the institution of the Identity this SF belongs to has SSO on 2FA enabled
            $isEnabled = $this->institutionConfigurationService->ssoOn2faEnabled($secondFactor->institution);
            $this->logger->notice(
                sprintf(
                    'SSO on 2FA is %senabled for %s',
                    $isEnabled ? '' : 'not ',
                    $secondFactor->institution
                )
            );
            if ($isEnabled) {
                // The cookie reader can return a NullCookie if the cookie is not present, was expired or was otherwise
                // deemed invalid. See the CookieHelper::read implementation for details.
                $ssoCookie = $this->read($request);
                $identityId = $responseContext->getIdentityNameId();
                $loa = $secondFactor->getLoaLevel($this->secondFactorTypeService);
                $isValid = $this->isCookieValid($ssoCookie, $loa, $identityId);
                $isVerifiedBySsoOn2faCookie = $responseContext->isVerifiedBySsoOn2faCookie();
                // Did the LoA requirement change? If a higher LoA was requested, or did a new token authentication
                // take place? In that case create a new SSO on 2FA cookie
                if ($this->shouldAddCookie($ssoCookie, $isValid, $loa, $isVerifiedBySsoOn2faCookie)) {
                    $cookie = CookieValue::from($identityId, $secondFactor->secondFactorId, $loa);
                    $this->store($httpResponse, $cookie);
                }
            }
        }
        $responseContext->finalizeAuthentication();
        return $httpResponse;
    }

    /**

Parameter $responseContext should have a doc-comment as per coding-style.

Parameter $requiredLoa should have a doc-comment as per coding-style.

Parameter $identityNameId should have a doc-comment as per coding-style.

Parameter $secondFactorCollection should have a doc-comment as per coding-style.

Parameter $request should have a doc-comment as per coding-style.

     * Allow high cyclomatic complexity in favour of keeping this method readable
     * @SuppressWarnings(PHPMD.CyclomaticComplexity)

There must be exactly one blank line before the tags in a doc comment

     * @SuppressWarnings(PHPMD.NPathComplexity)
     */

Missing @return tag in function comment

    public function shouldSkip2faAuthentication(
        ResponseContext $responseContext,
        float $requiredLoa,
        string $identityNameId,
        Collection $secondFactorCollection,
        Request $request
    ): bool {
        if ($responseContext->isForceAuthn()) {
            $this->logger->notice('Ignoring SSO on 2FA cookie when ForceAuthN is specified.');
            return false;
        }
        $remoteSp = $this->getRemoteSp($responseContext);
        // Test if the SP allows SSO on 2FA to take place (configured in MW config)
        if (!$remoteSp->allowSsoOn2fa()) {
            $this->logger->notice(
                sprintf(
                    'Ignoring SSO on 2FA for SP: %s',
                    $remoteSp->getEntityId()
                )
            );
            return false;
        }
        $ssoCookie = $this->read($request);
        // Perform validation on the cookie and its contents
        if (!$this->isCookieValid($ssoCookie, $requiredLoa, $identityNameId)) {
            return false;
        }
        if (!$this->secondFactorService->findByUuid($ssoCookie->secondFactorId())) {
            $this->logger->notice(
                'The second factor stored in the SSO cookie was revoked or has otherwise became unknown to Gateway',
                [
                    'secondFactorIdFromCookie' => $ssoCookie->secondFactorId()
                ]
            );
            return false;
        }

        /** @var SecondFactor $secondFactor */

The open comment tag must be the only content on the line

Missing short description in doc comment

The close comment tag must be the only content on the line

        foreach ($secondFactorCollection as $secondFactor) {
            $loa = $secondFactor->getLoaLevel($this->secondFactorTypeService);
            if ($loa >= $requiredLoa) {
                $this->logger->notice('Verified the current 2FA authentication can be given with the SSO on 2FA cookie');
                $responseContext->saveSelectedSecondFactor($secondFactor);
                return true;
            }
        }
        return false;
    }

    public function getCookieFingerprint(Request $request): string

Missing doc comment for function getCookieFingerprint()

    {
        return $this->cookieHelper->fingerprint($request);
    }

    /**

Parameter $isCookieValid should have a doc-comment as per coding-style.

     * This method determines if an SSO on 2FA cookie should be created.
     *
     * The comments in the code block should give a good feel for what business rules
     * are applied in this method.
     *
     * @param CookieValueInterface $ssoCookie           The SSO on 2FA cookie as read from the HTTP response

Expected 26 spaces after parameter name; 11 found

     * @param float $loa                                The LoA that was requested for this authentication, used to

Expected 16 spaces after parameter type; 1 found

Doc comment for parameter $loa does not match actual variable name $isCookieValid

     *                                                  compare to the LoA stored in the SSO cookie
     * @param bool $wasAuthenticatedWithSsoOn2faCookie  Indicator if the currently running authentication was performed

Expected 17 spaces after parameter type; 1 found

Doc comment for parameter $wasAuthenticatedWithSsoOn2faCookie does not match actual variable name $loa

Expected 1 spaces after parameter name; 2 found

     *                                                  with the SSO on 2FA cookie
     */

Missing @return tag in function comment

    private function shouldAddCookie(

Private method name "CookieService::shouldAddCookie" must be prefixed with an underscore

        CookieValueInterface $ssoCookie,
        bool $isCookieValid,
        float $loa,
        bool $wasAuthenticatedWithSsoOn2faCookie
    ): bool {
        // When the cookie is not yet set, was expired or was otherwise deemed invalid, we get a NullCookieValue
        // back from the reader. Indicating there is no valid cookie present.
        $cookieNotSet = $ssoCookie instanceof NullCookieValue;
        // OR the existing cookie does exist, but the LoA stored in that cookie does not match the required LoA
        $cookieDoesNotMeetLoaRequirement = ($ssoCookie instanceof CookieValue && !$ssoCookie->meetsRequiredLoa($loa));
        if (!$ssoCookie instanceof NullCookieValue && $cookieDoesNotMeetLoaRequirement) {
            $this->logger->notice(
                sprintf(
                    'Storing new SSO on 2FA cookie as LoA requirement (%d changed to %d) changed',
                    $ssoCookie->getLoa(),
                    $loa
                )
            );
        }
        // OR when a new authentication took place, we replace the existing cookie with a new one
        if (!$wasAuthenticatedWithSsoOn2faCookie) {
            $this->logger->notice('Storing new SSO on 2FA cookie as a new authentication took place');
        }

        // Or when the cookie is not valid for some reason (see logs for the specific error)
        if (!$isCookieValid) {
            $this->logger->notice('Storing new SSO on 2FA cookie, the current cookie is invalid');
        }

        return $cookieNotSet ||
            !$isCookieValid ||
            $cookieDoesNotMeetLoaRequirement ||
            !$wasAuthenticatedWithSsoOn2faCookie;
    }

    private function store(Response $response, CookieValueInterface $cookieValue)

Missing doc comment for function store()

Private method name "CookieService::store" must be prefixed with an underscore

    {
        $this->cookieHelper->write($response, $cookieValue);
    }

    private function read(Request $request): CookieValueInterface

Missing doc comment for function read()

Private method name "CookieService::read" must be prefixed with an underscore

    {
        try {
            return $this->cookieHelper->read($request);
        } catch (CookieNotFoundException $e) {
            $this->logger->notice('Attempt to decrypt the cookie failed, the cookie could not be found');
            return new NullCookieValue();
        } catch (DecryptionFailedException $e) {
            $this->logger->notice('Decryption of the SSO on 2FA cookie failed');
            return new NullCookieValue();
        } catch (Exception $e) {
            $this->logger->notice(
                'Decryption failed, see original message in context',
                ['original-exception-message' => $e->getMessage()]
            );
            return new NullCookieValue();
        }
    }

    private function getRemoteSp(ResponseContext $responseContext): ServiceProvider

Missing doc comment for function getRemoteSp()

Private method name "CookieService::getRemoteSp" must be prefixed with an underscore

    {
        $remoteSp = $responseContext->getServiceProvider();
        if (!$remoteSp) {

$remoteSp is of type Surfnet\StepupGateway\GatewayBundle\Entity\ServiceProvider, thus it always evaluated to true.

            throw new RuntimeException('SP not found in the response context, unable to continue with SSO on 2FA');
        }
        return $remoteSp;
    }

    private function isCookieValid(CookieValueInterface $ssoCookie, float $requiredLoa, string $identityNameId): bool

Missing doc comment for function isCookieValid()

Private method name "CookieService::isCookieValid" must be prefixed with an underscore

    {
        if ($ssoCookie instanceof NullCookieValue) {
            return false;
        }
        if ($ssoCookie instanceof CookieValue && !$ssoCookie->meetsRequiredLoa($requiredLoa)) {
            $this->logger->notice(
                sprintf(
                    'The required LoA %d did not match the LoA of the SSO cookie %d',
                    $requiredLoa,
                    $ssoCookie->getLoa()
                )
            );
            return false;
        }
        if ($ssoCookie instanceof CookieValue && !$ssoCookie->issuedTo($identityNameId)) {
            $this->logger->notice(
                sprintf(
                    'The SSO on 2FA cookie was not issued to %s, but to %s',
                    $identityNameId,
                    $ssoCookie->getIdentityId()
                )
            );
            return false;
        }
        try {
            $isExpired = $this->expirationHelper->isExpired($ssoCookie);
            if ($isExpired) {
                $this->logger->notice(
                    'The SSO on 2FA cookie has expired. Meaning [authentication time] + [cookie lifetime] is in the past'
                );
                return false;
            }
        } catch (InvalidAuthenticationTimeException $e) {
            $this->logger->notice('The SSO on 2FA cookie contained an invalid authentication time', [$e->getMessage()]);
            return false;
        }
        return true;
    }
}