ResponseContext - Code Metrics - Inspection of "Reset the SSO cookie on every real 2FA authenticat..." - OpenConext/Stepup-Gateway - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Pull Request — develop (#301)

by Michiel

created 2023-09-11 14:47 UTC

ResponseContext A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	327
Duplicated Lines	0 %

Importance

Changes	2
Bugs	0	Features	0

Metric	Value
eloc	81
dl	0
loc	327
rs	9.1199
c	2
b	0
f	0
wmc	41

29 Methods

Rating	Name	Size	Complexity
A	getIssueInstant()	3	1
A	getDestinationForAdfs()	5	1
A	saveAssertion()	17	3
A	getExpectedInResponseTo()	3	1
A	getNormalizedSchacHomeOrganization()	4	1
A	getServiceProvider()	9	2
A	reconstituteAssertion()	7	1
A	getAuthenticatingIdp()	17	4
A	getIssuer()	5	1
A	getIdentityProvider()	3	1
A	getRequiredLoa()	3	1
A	getDestination()	5	1
A	__construct()	12	2
A	getInResponseTo()	3	1
A	getRelayState()	3	1
A	getIdentityNameId()	3	1
A	saveSelectedSecondFactor()	6	1
A	isForceAuthn()	3	1
A	isSecondFactorVerified()	3	2
A	finalizeAuthentication()	4	1
A	markVerifiedBySsoOn2faCookie()	4	1
A	isVerifiedBySsoOn2faCookie()	3	1
A	markSecondFactorVerified()	3	1
A	wasAuthenticatedWithSsoOn2faCookie()	3	1
A	resolveNameIdValue()	12	5
A	getResponseAction()	3	1
A	getResponseContextServiceId()	3	1
A	responseSent()	5	1
A	getSelectedSecondFactor()	3	1

How to fix Complexity

<?php

/**
 * Copyright 2014 SURFnet bv
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */


namespace Surfnet\StepupGateway\GatewayBundle\Saml;

use DateTime;
use DateTimeZone;
use DOMDocument;
use Psr\Log\LoggerInterface;
use SAML2\Assertion;
use SAML2\XML\saml\Issuer;
use Surfnet\SamlBundle\Entity\IdentityProvider;
use Surfnet\StepupGateway\GatewayBundle\Entity\SecondFactor;
use Surfnet\StepupGateway\GatewayBundle\Entity\ServiceProvider;
use Surfnet\StepupGateway\GatewayBundle\Saml\Exception\RuntimeException;
use Surfnet\StepupGateway\GatewayBundle\Saml\Proxy\ProxyStateHandler;
use Surfnet\StepupGateway\GatewayBundle\Service\SamlEntityService;

class ResponseContext

{
    /**

     * @var IdentityProvider
     */
    private $hostedIdentityProvider;


    /**

     * @var \Surfnet\StepupGateway\GatewayBundle\Service\SamlEntityService
     */
    private $samlEntityService;


    /**

     * @var ProxyStateHandler
     */
    private $stateHandler;


    /**

     * @var LoggerInterface
     */
    private $logger;


    /**

     * @var DateTime
     */
    private $generationTime;


    /**

     * @var IdentityProvider|null
     */
    private $authenticatingIdp;


    /**

     * @var ServiceProvider
     */
    private $targetServiceProvider;


    public function __construct(

        IdentityProvider $identityProvider,
        SamlEntityService $samlEntityService,
        ProxyStateHandler $stateHandler,
        LoggerInterface $logger,
        DateTime $now = null
    ) {
        $this->hostedIdentityProvider = $identityProvider;
        $this->samlEntityService      = $samlEntityService;
        $this->stateHandler           = $stateHandler;
        $this->logger                 = $logger;
        $this->generationTime         = is_null($now) ? new DateTime('now', new DateTimeZone('UTC')): $now;
    }

    /**

     * @return string
     */
    public function getDestination()
    {
        $requestAcsUrl = $this->stateHandler->getRequestAssertionConsumerServiceUrl();

        return $this->getServiceProvider()->determineAcsLocation($requestAcsUrl, $this->logger);
    }

    /**

     * @return string
     */
    public function getDestinationForAdfs()
    {
        $requestAcsUrl = $this->stateHandler->getRequestAssertionConsumerServiceUrl();

        return $this->getServiceProvider()->determineAcsLocationForAdfs($requestAcsUrl);
    }

    public function getIssuer(): Issuer

    {
        $issuer = new Issuer();
        $issuer->setValue($this->hostedIdentityProvider->getEntityId());
        $issuer->setValue(/** @scrutinizer ignore-type */ $this->hostedIdentityProvider->getEntityId());
        return $issuer;
    }

    /**

     * @return int
     */
    public function getIssueInstant()
    {
        return $this->generationTime->getTimestamp();
    }

    /**

     * @return null|string
     */
    public function getInResponseTo()
    {
        return $this->stateHandler->getRequestId();
    }

    /**

     * @return null|string
     */
    public function getExpectedInResponseTo()
    {
        return $this->stateHandler->getGatewayRequestId();
    }

    /**

     * @return null|string
     */
    public function getRequiredLoa()
    {
        return $this->stateHandler->getRequiredLoaIdentifier();
    }

    /**

     * @return IdentityProvider
     */
    public function getIdentityProvider()
    {
        return $this->hostedIdentityProvider;
    }

    /**

     * @return null|ServiceProvider
     */
    public function getServiceProvider()
    {
        if (isset($this->targetServiceProvider)) {
            return $this->targetServiceProvider;
        }

        $serviceProviderId = $this->stateHandler->getRequestServiceProvider();

        return $this->targetServiceProvider = $this->samlEntityService->getServiceProvider($serviceProviderId);
    }

    /**

     * @return null|string
     */
    public function getRelayState()
    {
        return $this->stateHandler->getRelayState();
    }

    /**

     * @param Assertion $assertion

     */

    public function saveAssertion(Assertion $assertion)
    {
        $this->stateHandler->saveIdentityNameId($this->resolveNameIdValue($assertion));
        // same for the entityId of the authenticating Authority
        $authenticatingAuthorities = $assertion->getAuthenticatingAuthority();
        if (!empty($authenticatingAuthorities)) {
            $this->stateHandler->setAuthenticatingIdp(reset($authenticatingAuthorities));
        }

        // And also attempt to save the user's schacHomeOrganization
        $attributes = $assertion->getAttributes();
        if (!empty($attributes['urn:mace:terena.org:attribute-def:schacHomeOrganization'])) {
            $schacHomeOrganization = $attributes['urn:mace:terena.org:attribute-def:schacHomeOrganization'];
            $this->stateHandler->setSchacHomeOrganization(reset($schacHomeOrganization));
        }

        $this->stateHandler->saveAssertion($assertion->toXML()->ownerDocument->saveXML());
        $this->stateHandler->saveAssertion($assertion->toXML()->ownerDocument->/** @scrutinizer ignore-call */ saveXML());
    }

    /**

     * @return Assertion
     */
    public function reconstituteAssertion()
    {
        $assertionAsXML    = $this->stateHandler->getAssertion();
        $assertionDocument = new DOMDocument();
        $assertionDocument->loadXML($assertionAsXML);

        return new Assertion($assertionDocument->documentElement);
    }

    /**

     * @return null|string
     */
    public function getIdentityNameId(): string
    {
        return $this->stateHandler->getIdentityNameId();
    }

    /**
     * Return the lower-cased schacHomeOrganization value from the assertion.
     *
     * Comparisons on SHO values should always be case insensitive. Stepup
     * configuration always contains SHO values lower-cased, so this getter
     * can be used to compare the SHO with configured values.
     *
     * @see StepUpAuthenticationService::resolveHighestRequiredLoa()
     *
     * @return null|string
     */
    public function getNormalizedSchacHomeOrganization()
    {
        return strtolower(
            $this->stateHandler->getSchacHomeOrganization()
            /** @scrutinizer ignore-type */ $this->stateHandler->getSchacHomeOrganization()
        );
    }

    /**

     * @return null|IdentityProvider
     */
    public function getAuthenticatingIdp()
    {
        $entityId = $this->stateHandler->getAuthenticatingIdp();

        if (!$entityId) {
            return null;
        }

        if (isset($this->authenticatingIdp)) {
            return $this->authenticatingIdp;
        }

        $this->authenticatingIdp = $this->samlEntityService->hasIdentityProvider($entityId)
            ? $this->samlEntityService->getIdentityProvider($entityId)
            : null;

        return $this->authenticatingIdp;
    }

    /**

     * @param SecondFactor $secondFactor

     * @param bool $authenticatedWithSsoOn2faCookie Marks if the authentication was performed with the SSO cookie or

     *                                              by performing an actual Second Factor authentication.
     */

    public function saveSelectedSecondFactor(SecondFactor $secondFactor, bool $authenticatedWithSsoOn2faCookie)
    {
        $this->stateHandler->setSelectedSecondFactorId($secondFactor->secondFactorId);
        $this->stateHandler->setAuthenticatedWithSsoOn2faCookie($authenticatedWithSsoOn2faCookie);
        $this->stateHandler->setSecondFactorVerified(false);
        $this->stateHandler->setPreferredLocale($secondFactor->displayLocale);
    }

    public function wasAuthenticatedWithSsoOn2faCookie(): bool

    {
        return $this->stateHandler->wasAuthenticatedUsingSsoOn2faCookie();
    }

    /**

     * @return null|string
     */
    public function getSelectedSecondFactor()
    {
        return $this->stateHandler->getSelectedSecondFactorId();
    }

    public function markSecondFactorVerified()

    {
        $this->stateHandler->setSecondFactorVerified(true);
    }

    public function finalizeAuthentication()

    {
        $this->stateHandler->setSelectedSecondFactorId(null);
        $this->stateHandler->setAuthenticatedWithSsoOn2faCookie(null);
    }

    /**

     * @return bool
     */
    public function isSecondFactorVerified()
    {
        return $this->stateHandler->getSelectedSecondFactorId() && $this->stateHandler->isSecondFactorVerified();
    }

    public function getResponseAction()

    {
        return $this->stateHandler->getResponseAction();
    }

    /**
     * Resets some state after the response is sent
     * (e.g. resets which second factor was selected and whether it was verified).
     */

    public function responseSent()
    {
        $this->stateHandler->setSecondFactorVerified(false);
        $this->stateHandler->setVerifiedBySsoOn2faCookie(false);
        $this->stateHandler->setSsoOn2faCookieFingerprint('');
    }

    /**
     * Retrieve the ResponseContextServiceId from state
     *
     * Used to determine we are dealing with a SFO or regular authentication. Both have different ResponseContext
     * instances, and it's imperative that successive consumers use the correct service.
     *
     * @return string|null
     */
    public function getResponseContextServiceId()
    {
        return $this->stateHandler->getResponseContextServiceId();
    }

    /**

     * Either gets the internal-collabPersonId if present or falls back on the regular name id attribute
     */

    private function resolveNameIdValue(Assertion $assertion): string

    {
        $attributes = $assertion->getAttributes();
        if (array_key_exists('urn:mace:surf.nl:attribute-def:internal-collabPersonId', $attributes)) {
            return reset($attributes['urn:mace:surf.nl:attribute-def:internal-collabPersonId']);
        }
        $nameId = $assertion->getNameId();
        if ($nameId && !is_null($nameId->getValue()) && is_string($nameId->getValue())) {
            return $nameId->getValue();
        }

        throw new RuntimeException('Unable to resolve an identifier from internalCollabPersonId or the Subject NameId');
    }

    public function isForceAuthn(): bool

    {
        return $this->stateHandler->isForceAuthn();
    }

    public function markVerifiedBySsoOn2faCookie(string $fingerprint)

    {
        $this->stateHandler->setVerifiedBySsoOn2faCookie(true);
        $this->stateHandler->setSsoOn2faCookieFingerprint($fingerprint);
    }

    public function isVerifiedBySsoOn2faCookie(): bool

    {
        return $this->stateHandler->isVerifiedBySsoOn2faCookie();
    }
}


OpenConext / Stepup-Gateway

Pull Request — develop (#301)

ResponseContext A

Complexity

Size/Duplication

Importance

29 Methods

How to fix Complexity

Complex Class

Duplication Side-by-Side

Filter issues like