SamlProxyController::consumeAssertionAction() - Code Metrics - Inspection of "Release 2.0.0" - OpenConext/Stepup-Gateway - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — master (#102)

by Boy

created 2016-06-22 10:58 UTC

SamlProxyController::consumeAssertionAction() C

↳ Parent: SamlProxyController

Complexity

Conditions	9
Paths	12

Size

Total Lines	86
Code Lines	52

Duplication

Lines	9
Ratio	10.47 %

Importance

Changes

Metric	Value
c	0
b	0
f	0
dl	9
loc	86
rs	5.3477
cc	9
eloc	52
nc	12
nop	2

How to fix Long Method

<?php

/**
 * Copyright 2014 SURFnet bv
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace Surfnet\StepupGateway\SamlStepupProviderBundle\Controller;

use DateTime;
use Exception;
use SAML2_Const;
use SAML2_Response;
use Surfnet\SamlBundle\Http\XMLResponse;
use Surfnet\SamlBundle\SAML2\AuthnRequest;
use Surfnet\SamlBundle\SAML2\AuthnRequestFactory;
use Surfnet\StepupGateway\GatewayBundle\Saml\AssertionAdapter;
use Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider;
use Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\StateHandler;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

/**
 * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
 * @SuppressWarnings(PHPMD.NPathComplexity)
 *
 * Should be refactored, {@see https://www.pivotaltracker.com/story/show/90169776}
 */
class SamlProxyController extends Controller
{
    /**
     * @param string  $provider
     * @param Request $httpRequest
     * @return \Symfony\Component\HttpFoundation\RedirectResponse|\Symfony\Component\HttpFoundation\Response
     */
    public function singleSignOnAction($provider, Request $httpRequest)
    {
        $provider = $this->getProvider($provider);

        /** @var \Psr\Log\LoggerInterface $logger */
        $logger = $this->get('logger');
        $logger->notice('Received AuthnRequest, started processing');

        /** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
        $redirectBinding = $this->get('surfnet_saml.http.redirect_binding');

        try {
            $originalRequest = $redirectBinding->processRequest($httpRequest);

        } catch (Exception $e) {
            $logger->critical(sprintf('Could not process Request, error: "%s"', $e->getMessage()));

            return $this->render('unrecoverableError');
        }

        $originalRequestId = $originalRequest->getRequestId();
        $logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
        $logger->notice(sprintf(
            'AuthnRequest processing complete, received AuthnRequest from "%s", request ID: "%s"',
            $originalRequest->getServiceProvider(),
            $originalRequest->getRequestId()
        ));

        $logger->debug('Checking if SP "%s" is supported');
        /**
         * @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders

         */
        $connectedServiceProviders = $this->get('gssp.connected_service_providers');
        if (!$connectedServiceProviders->isConnected($originalRequest->getServiceProvider())) {
            $logger->warning(sprintf(
                'Received AuthnRequest from SP "%s", while SP is not allowed to use this for SSO',
                $originalRequest->getServiceProvider()
            ));

            throw new AccessDeniedHttpException();
        }

        /** @var StateHandler $stateHandler */
        $stateHandler = $provider->getStateHandler();
        $stateHandler
            ->setRequestId($originalRequestId)
            ->setRequestServiceProvider($originalRequest->getServiceProvider())
            ->setRelayState($httpRequest->get(AuthnRequest::PARAMETER_RELAY_STATE, ''));

        $proxyRequest = AuthnRequestFactory::createNewRequest(
            $provider->getServiceProvider(),
            $provider->getRemoteIdentityProvider()
        );

        // if a Specific subject is given to authenticate we should proxy that and verify in the response
        // that that subject indeed was authenticated
        $nameId = $originalRequest->getNameId();
        if ($nameId) {
            $proxyRequest->setSubject($nameId, $originalRequest->getNameIdFormat());
            $stateHandler->setSubject($nameId);
        }

        $proxyRequest->setScoping([$originalRequest->getServiceProvider()]);
        $stateHandler->setGatewayRequestId($proxyRequest->getRequestId());

        $logger->notice(sprintf(
            'Sending Proxy AuthnRequest with request ID: "%s" for original AuthnRequest "%s" to GSSP "%s" at "%s"',
            $proxyRequest->getRequestId(),
            $originalRequest->getRequestId(),
            $provider->getName(),
            $provider->getRemoteIdentityProvider()->getSsoUrl()
        ));

        return $redirectBinding->createRedirectResponseFor($proxyRequest);
    }

    public function sendSecondFactorVerificationAuthnRequestAction($provider, $subjectNameId)
    {
        $provider = $this->getProvider($provider);
        $stateHandler = $provider->getStateHandler();

        $originalRequestId = $this->get('gateway.proxy.response_context')->getInResponseTo();

        $authnRequest = AuthnRequestFactory::createNewRequest(
            $provider->getServiceProvider(),
            $provider->getRemoteIdentityProvider()
        );
        $authnRequest->setSubject($subjectNameId);

        $stateHandler
            ->setRequestId($originalRequestId)
            ->setGatewayRequestId($authnRequest->getRequestId())
            ->setSubject($subjectNameId)
            ->markRequestAsSecondFactorVerification();

        /** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
        $logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
        $logger->notice(sprintf(
            'Sending AuthnRequest to verify Second Factor with request ID: "%s" to GSSP "%s" at "%s" for subject "%s"',
            $authnRequest->getRequestId(),
            $provider->getName(),
            $provider->getRemoteIdentityProvider()->getSsoUrl(),
            $subjectNameId
        ));

        /** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
        $redirectBinding = $this->get('surfnet_saml.http.redirect_binding');

        return $redirectBinding->createRedirectResponseFor($authnRequest);
    }

    /**
     * @param string  $provider
     * @param Request $httpRequest
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function consumeAssertionAction($provider, Request $httpRequest)
    {
        $provider = $this->getProvider($provider);
        $stateHandler = $provider->getStateHandler();
        $originalRequestId = $stateHandler->getRequestId();

        /** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
        $logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);

        $action = $stateHandler->hasSubject() ? 'Second Factor Verification' : 'Proxy Response';
        $logger->notice(
            sprintf('Received SAMLResponse, attempting to process for %s', $action)
        );

        try {
            /** @var \SAML2_Assertion $assertion */
            $assertion = $this->get('surfnet_saml.http.post_binding')->processResponse(
                $httpRequest,
                $provider->getRemoteIdentityProvider(),
                $provider->getServiceProvider()
            );
        } catch (Exception $exception) {
            $logger->error(sprintf('Could not process received Response, error: "%s"', $exception->getMessage()));

            $response = $this->createResponseFailureResponse($provider);

            return $this->renderSamlResponse('unprocessableResponse', $stateHandler, $response);
        }

        $adaptedAssertion = new AssertionAdapter($assertion);
        $expectedResponse = $stateHandler->getGatewayRequestId();
        if (!$adaptedAssertion->inResponseToMatches($expectedResponse)) {

            $logger->critical(sprintf(
                'Received Response with unexpected InResponseTo: "%s", %s',
                $adaptedAssertion->getInResponseTo(),
                ($expectedResponse ? 'expected "' . $expectedResponse . '"' : ' no response expected')
            ));

            return $this->render('unrecoverableError');
        }

        $authenticatedNameId = $assertion->getNameId();
        $isSubjectRequested = $stateHandler->hasSubject();
        if ($isSubjectRequested && ($stateHandler->getSubject() !== $authenticatedNameId['Value'])) {
            $logger->critical(sprintf(
                'Requested Subject NameID "%s" and Response NameID "%s" do not match',
                $stateHandler->getSubject(),
                $authenticatedNameId['Value']
            ));

            if ($stateHandler->secondFactorVerificationRequested()) {
                // the error should go to the original requesting service provider
                $targetServiceProvider = $this->get('gateway.proxy.response_context')->getServiceProvider();
                $stateHandler->setRequestServiceProvider($targetServiceProvider->getEntityId());
            }

            return $this->renderSamlResponse(
                'recoverableError',
                $stateHandler,
                $this->createAuthnFailedResponse($provider)
            );
        }

        $logger->notice('Successfully processed SAMLResponse');

        if ($stateHandler->secondFactorVerificationRequested()) {
            $logger->notice(
                'Second Factor verification was requested and was successful, forwarding to SecondFactor handling'
            );

            return $this->forward('SurfnetStepupGatewayGatewayBundle:SecondFactor:gssfVerified');
        }

        /** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\ProxyResponseFactory $proxyResponseFactory */
        $targetServiceProvider = $this->getServiceProvider($stateHandler->getRequestServiceProvider());
        $proxyResponseFactory = $this->get('gssp.provider.' . $provider->getName() . '.response_proxy');
        $response             = $proxyResponseFactory->createProxyResponse($assertion, $targetServiceProvider);

        $logger->notice(sprintf(
            'Responding to request "%s" with response based on response from the remote IdP with response "%s"',
            $stateHandler->getRequestId(),
            $response->getId()
        ));

        return $this->renderSamlResponse('consumeAssertion', $stateHandler, $response);
    }

    /**
     * @param string $provider
     * @return XMLResponse
     */
    public function metadataAction($provider)
    {
        $provider = $this->getProvider($provider);

        /** @var \Surfnet\SamlBundle\Metadata\MetadataFactory $factory */
        $factory = $this->get('gssp.provider.' . $provider->getName() . '.metadata.factory');

        return new XMLResponse($factory->generate());
    }

    /**
     * @param string $provider
     * @return \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider
     */
    private function getProvider($provider)
    {
        /** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ProviderRepository $providerRepository */
        $providerRepository = $this->get('gssp.provider_repository');

        if (!$providerRepository->has($provider)) {
            $this->get('logger')->info(sprintf('Requested GSSP "%s" does not exist or is not registered', $provider));

            throw new NotFoundHttpException('Requested provider does not exist');
        }

        return $providerRepository->get($provider);
    }

    /**
     * @param string         $view
     * @param StateHandler   $stateHandler
     * @param SAML2_Response $response
     * @return Response
     */
    public function renderSamlResponse($view, StateHandler $stateHandler, SAML2_Response $response)

    {
        $response = $this->render($view, [
            'acu'        => $response->getDestination(),
            'response'   => $this->getResponseAsXML($response),
            'relayState' => $stateHandler->getRelayState()
        ]);

        // clear the state so we can call again :)
        $stateHandler->clear();

        return $response;
    }

    /**
     * @param string   $view
     * @param array    $parameters
     * @param Response $response

     * @return Response
     */
    public function render($view, array $parameters = array(), Response $response = null)
    {
        return parent::render(
            'SurfnetStepupGatewaySamlStepupProviderBundle:SamlProxy:' . $view . '.html.twig',
            $parameters,
            $response
        );
    }

    /**
     * @param SAML2_Response $response
     * @return string
     */
    private function getResponseAsXML(SAML2_Response $response)
    {
        return base64_encode($response->toUnsignedXML()->ownerDocument->saveXML());
    }

    /**
     * Response that indicates that an error occurred in the responder (the gateway). Used to indicate that we could
     * not process the response we received from the upstream GSSP
     *
     * @param Provider $provider
     * @return SAML2_Response
     */
    private function createResponseFailureResponse(Provider $provider)
    {
        $response = $this->createResponse($provider);
        $response->setStatus(['Code' => SAML2_Const::STATUS_RESPONDER]);

        return $response;
    }

    /**
     * Response that indicates that the authentication could not be performed correctly. In this context it means
     * that the upstream GSSP did not responsd with the same NameID as we request to authenticate in the AuthnRequest
     *
     * @param Provider $provider
     * @return SAML2_Response
     */
    private function createAuthnFailedResponse(Provider $provider)
    {
        $response = $this->createResponse($provider);
        $response->setStatus([
            'Code'    => SAML2_Const::STATUS_RESPONDER,
            'SubCode' => SAML2_Const::STATUS_AUTHN_FAILED
        ]);

        return $response;
    }

    /**
     * Creates a standard response with default status Code (success)
     *
     * @param Provider $provider
     * @return SAML2_Response
     */
    private function createResponse(Provider $provider)
    {
        $serviceProvider = $this->getServiceProvider($provider->getStateHandler()->getRequestServiceProvider());

        $response = new SAML2_Response();
        $response->setDestination($serviceProvider->getAssertionConsumerUrl());
        $response->setIssuer($provider->getIdentityProvider()->getEntityId());
        $response->setIssueInstant((new DateTime('now'))->getTimestamp());
        $response->setInResponseTo($provider->getStateHandler()->getRequestId());

        return $response;
    }

    /**
     * @param string $serviceProvider
     * @return \Surfnet\SamlBundle\Entity\ServiceProvider
     */
    private function getServiceProvider($serviceProvider)
    {
        /**
         * @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders

         */
        $connectedServiceProviders = $this->get('gssp.connected_service_providers');
        return $connectedServiceProviders->getConfigurationOf($serviceProvider);
    }
}


1		<?php
2
3		/**
4		* Copyright 2014 SURFnet bv
5		*
6		* Licensed under the Apache License, Version 2.0 (the "License");
7		* you may not use this file except in compliance with the License.
8		* You may obtain a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing, software
13		* distributed under the License is distributed on an "AS IS" BASIS,
14		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15		* See the License for the specific language governing permissions and
16		* limitations under the License.
17		*/
18
19		namespace Surfnet\StepupGateway\SamlStepupProviderBundle\Controller;
20
21		use DateTime;
22		use Exception;
23		use SAML2_Const;
24		use SAML2_Response;
25		use Surfnet\SamlBundle\Http\XMLResponse;
26		use Surfnet\SamlBundle\SAML2\AuthnRequest;
27		use Surfnet\SamlBundle\SAML2\AuthnRequestFactory;
28		use Surfnet\StepupGateway\GatewayBundle\Saml\AssertionAdapter;
29		use Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider;
30		use Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\StateHandler;
31		use Symfony\Bundle\FrameworkBundle\Controller\Controller;
32		use Symfony\Component\HttpFoundation\Request;
33		use Symfony\Component\HttpFoundation\Response;
34		use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
35		use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
36
37		/**
38		* @SuppressWarnings(PHPMD.CouplingBetweenObjects)
39		* @SuppressWarnings(PHPMD.NPathComplexity)
40		*
41		* Should be refactored, {@see https://www.pivotaltracker.com/story/show/90169776}
42		*/
43		class SamlProxyController extends Controller
44		{
45		/**
46		* @param string $provider
47		* @param Request $httpRequest
48		* @return \Symfony\Component\HttpFoundation\RedirectResponse\|\Symfony\Component\HttpFoundation\Response
49		*/
50		public function singleSignOnAction($provider, Request $httpRequest)
51		{
52		$provider = $this->getProvider($provider);
53
54		/** @var \Psr\Log\LoggerInterface $logger */
55		$logger = $this->get('logger');
56		$logger->notice('Received AuthnRequest, started processing');
57
58		/** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
59		$redirectBinding = $this->get('surfnet_saml.http.redirect_binding');
60
61		try {
62		$originalRequest = $redirectBinding->processRequest($httpRequest);
		0 ignored issues – show Deprecated Code introduced 2016-05-31 12:35 UTC by Report Bug Copy Issue Report The method `Surfnet\SamlBundle\Http\...nding::processRequest()` has been deprecated with message: Use processSignedRequest or processUnsignedRequest This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
63		} catch (Exception $e) {
64		$logger->critical(sprintf('Could not process Request, error: "%s"', $e->getMessage()));
65
66		return $this->render('unrecoverableError');
67		}
68
69		$originalRequestId = $originalRequest->getRequestId();
70		$logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
71		$logger->notice(sprintf(
72		'AuthnRequest processing complete, received AuthnRequest from "%s", request ID: "%s"',
73		$originalRequest->getServiceProvider(),
74		$originalRequest->getRequestId()
75		));
76
77		$logger->debug('Checking if SP "%s" is supported');
78		/**
79		* @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders
		0 ignored issues – show Coding Style introduced 2016-04-29 09:07 UTC by Report Bug Copy Issue Report This line exceeds maximum limit of 120 characters; contains 125 characters Overly long lines are hard to read on any screen. Most code styles therefor impose a maximum limit on the number of characters in a line. Loading history...
80		*/
81		$connectedServiceProviders = $this->get('gssp.connected_service_providers');
82		if (!$connectedServiceProviders->isConnected($originalRequest->getServiceProvider())) {
83		$logger->warning(sprintf(
84		'Received AuthnRequest from SP "%s", while SP is not allowed to use this for SSO',
85		$originalRequest->getServiceProvider()
86		));
87
88		throw new AccessDeniedHttpException();
89		}
90
91		/** @var StateHandler $stateHandler */
92		$stateHandler = $provider->getStateHandler();
93		$stateHandler
94		->setRequestId($originalRequestId)
95		->setRequestServiceProvider($originalRequest->getServiceProvider())
96		->setRelayState($httpRequest->get(AuthnRequest::PARAMETER_RELAY_STATE, ''));
97
98		$proxyRequest = AuthnRequestFactory::createNewRequest(
99		$provider->getServiceProvider(),
100		$provider->getRemoteIdentityProvider()
101		);
102
103		// if a Specific subject is given to authenticate we should proxy that and verify in the response
104		// that that subject indeed was authenticated
105		$nameId = $originalRequest->getNameId();
106		if ($nameId) {
107		$proxyRequest->setSubject($nameId, $originalRequest->getNameIdFormat());
108		$stateHandler->setSubject($nameId);
109		}
110
111		$proxyRequest->setScoping([$originalRequest->getServiceProvider()]);
112		$stateHandler->setGatewayRequestId($proxyRequest->getRequestId());
113
114		$logger->notice(sprintf(
115		'Sending Proxy AuthnRequest with request ID: "%s" for original AuthnRequest "%s" to GSSP "%s" at "%s"',
116		$proxyRequest->getRequestId(),
117		$originalRequest->getRequestId(),
118		$provider->getName(),
119		$provider->getRemoteIdentityProvider()->getSsoUrl()
120		));
121
122		return $redirectBinding->createRedirectResponseFor($proxyRequest);
123		}
124
125		public function sendSecondFactorVerificationAuthnRequestAction($provider, $subjectNameId)
126		{
127		$provider = $this->getProvider($provider);
128		$stateHandler = $provider->getStateHandler();
129
130		$originalRequestId = $this->get('gateway.proxy.response_context')->getInResponseTo();
131
132		$authnRequest = AuthnRequestFactory::createNewRequest(
133		$provider->getServiceProvider(),
134		$provider->getRemoteIdentityProvider()
135		);
136		$authnRequest->setSubject($subjectNameId);
137
138		$stateHandler
139		->setRequestId($originalRequestId)
140		->setGatewayRequestId($authnRequest->getRequestId())
141		->setSubject($subjectNameId)
142		->markRequestAsSecondFactorVerification();
143
144		/** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
145		$logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
146		$logger->notice(sprintf(
147		'Sending AuthnRequest to verify Second Factor with request ID: "%s" to GSSP "%s" at "%s" for subject "%s"',
148		$authnRequest->getRequestId(),
149		$provider->getName(),
150		$provider->getRemoteIdentityProvider()->getSsoUrl(),
151		$subjectNameId
152		));
153
154		/** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
155		$redirectBinding = $this->get('surfnet_saml.http.redirect_binding');
156
157		return $redirectBinding->createRedirectResponseFor($authnRequest);
158		}
159
160		/**
161		* @param string $provider
162		* @param Request $httpRequest
163		* @return \Symfony\Component\HttpFoundation\Response
164		*/
165		public function consumeAssertionAction($provider, Request $httpRequest)
166		{
167		$provider = $this->getProvider($provider);
168		$stateHandler = $provider->getStateHandler();
169		$originalRequestId = $stateHandler->getRequestId();
170
171		/** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
172		$logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
173
174		$action = $stateHandler->hasSubject() ? 'Second Factor Verification' : 'Proxy Response';
175		$logger->notice(
176		sprintf('Received SAMLResponse, attempting to process for %s', $action)
177		);
178
179		try {
180		/** @var \SAML2_Assertion $assertion */
181		$assertion = $this->get('surfnet_saml.http.post_binding')->processResponse(
182		$httpRequest,
183		$provider->getRemoteIdentityProvider(),
184		$provider->getServiceProvider()
185		);
186		} catch (Exception $exception) {
187		$logger->error(sprintf('Could not process received Response, error: "%s"', $exception->getMessage()));
188
189		$response = $this->createResponseFailureResponse($provider);
190
191		return $this->renderSamlResponse('unprocessableResponse', $stateHandler, $response);
192		}
193
194		$adaptedAssertion = new AssertionAdapter($assertion);
195		$expectedResponse = $stateHandler->getGatewayRequestId();
196	View Code Duplication	if (!$adaptedAssertion->inResponseToMatches($expectedResponse)) {
		0 ignored issues – show Duplication introduced 2015-12-15 13:35 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
197		$logger->critical(sprintf(
198		'Received Response with unexpected InResponseTo: "%s", %s',
199		$adaptedAssertion->getInResponseTo(),
200		($expectedResponse ? 'expected "' . $expectedResponse . '"' : ' no response expected')
201		));
202
203		return $this->render('unrecoverableError');
204		}
205
206		$authenticatedNameId = $assertion->getNameId();
207		$isSubjectRequested = $stateHandler->hasSubject();
208		if ($isSubjectRequested && ($stateHandler->getSubject() !== $authenticatedNameId['Value'])) {
209		$logger->critical(sprintf(
210		'Requested Subject NameID "%s" and Response NameID "%s" do not match',
211		$stateHandler->getSubject(),
212		$authenticatedNameId['Value']
213		));
214
215		if ($stateHandler->secondFactorVerificationRequested()) {
216		// the error should go to the original requesting service provider
217		$targetServiceProvider = $this->get('gateway.proxy.response_context')->getServiceProvider();
218		$stateHandler->setRequestServiceProvider($targetServiceProvider->getEntityId());
219		}
220
221		return $this->renderSamlResponse(
222		'recoverableError',
223		$stateHandler,
224		$this->createAuthnFailedResponse($provider)
225		);
226		}
227
228		$logger->notice('Successfully processed SAMLResponse');
229
230		if ($stateHandler->secondFactorVerificationRequested()) {
231		$logger->notice(
232		'Second Factor verification was requested and was successful, forwarding to SecondFactor handling'
233		);
234
235		return $this->forward('SurfnetStepupGatewayGatewayBundle:SecondFactor:gssfVerified');
236		}
237
238		/** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\ProxyResponseFactory $proxyResponseFactory */
239		$targetServiceProvider = $this->getServiceProvider($stateHandler->getRequestServiceProvider());
240		$proxyResponseFactory = $this->get('gssp.provider.' . $provider->getName() . '.response_proxy');
241		$response = $proxyResponseFactory->createProxyResponse($assertion, $targetServiceProvider);
242
243		$logger->notice(sprintf(
244		'Responding to request "%s" with response based on response from the remote IdP with response "%s"',
245		$stateHandler->getRequestId(),
246		$response->getId()
247		));
248
249		return $this->renderSamlResponse('consumeAssertion', $stateHandler, $response);
250		}
251
252		/**
253		* @param string $provider
254		* @return XMLResponse
255		*/
256		public function metadataAction($provider)
257		{
258		$provider = $this->getProvider($provider);
259
260		/** @var \Surfnet\SamlBundle\Metadata\MetadataFactory $factory */
261		$factory = $this->get('gssp.provider.' . $provider->getName() . '.metadata.factory');
262
263		return new XMLResponse($factory->generate());
264		}
265
266		/**
267		* @param string $provider
268		* @return \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider
269		*/
270		private function getProvider($provider)
271		{
272		/** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ProviderRepository $providerRepository */
273		$providerRepository = $this->get('gssp.provider_repository');
274
275		if (!$providerRepository->has($provider)) {
276		$this->get('logger')->info(sprintf('Requested GSSP "%s" does not exist or is not registered', $provider));
277
278		throw new NotFoundHttpException('Requested provider does not exist');
279		}
280
281		return $providerRepository->get($provider);
282		}
283
284		/**
285		* @param string $view
286		* @param StateHandler $stateHandler
287		* @param SAML2_Response $response
288		* @return Response
289		*/
290	View Code Duplication	public function renderSamlResponse($view, StateHandler $stateHandler, SAML2_Response $response)
		0 ignored issues – show Duplication introduced 2015-12-15 13:35 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
291		{
292		$response = $this->render($view, [
293		'acu' => $response->getDestination(),
294		'response' => $this->getResponseAsXML($response),
295		'relayState' => $stateHandler->getRelayState()
296		]);
297
298		// clear the state so we can call again :)
299		$stateHandler->clear();
300
301		return $response;
302		}
303
304		/**
305		* @param string $view
306		* @param array $parameters
307		* @param Response $response
		0 ignored issues – show Documentation introduced 2015-12-15 13:35 UTC by Report Bug Copy Issue Report Should the type for parameter `$response` not be `null\|Response`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
308		* @return Response
309		*/
310		public function render($view, array $parameters = array(), Response $response = null)
311		{
312		return parent::render(
313		'SurfnetStepupGatewaySamlStepupProviderBundle:SamlProxy:' . $view . '.html.twig',
314		$parameters,
315		$response
316		);
317		}
318
319		/**
320		* @param SAML2_Response $response
321		* @return string
322		*/
323		private function getResponseAsXML(SAML2_Response $response)
324		{
325		return base64_encode($response->toUnsignedXML()->ownerDocument->saveXML());
326		}
327
328		/**
329		* Response that indicates that an error occurred in the responder (the gateway). Used to indicate that we could
330		* not process the response we received from the upstream GSSP
331		*
332		* @param Provider $provider
333		* @return SAML2_Response
334		*/
335		private function createResponseFailureResponse(Provider $provider)
336		{
337		$response = $this->createResponse($provider);
338		$response->setStatus(['Code' => SAML2_Const::STATUS_RESPONDER]);
339
340		return $response;
341		}
342
343		/**
344		* Response that indicates that the authentication could not be performed correctly. In this context it means
345		* that the upstream GSSP did not responsd with the same NameID as we request to authenticate in the AuthnRequest
346		*
347		* @param Provider $provider
348		* @return SAML2_Response
349		*/
350		private function createAuthnFailedResponse(Provider $provider)
351		{
352		$response = $this->createResponse($provider);
353		$response->setStatus([
354		'Code' => SAML2_Const::STATUS_RESPONDER,
355		'SubCode' => SAML2_Const::STATUS_AUTHN_FAILED
356		]);
357
358		return $response;
359		}
360
361		/**
362		* Creates a standard response with default status Code (success)
363		*
364		* @param Provider $provider
365		* @return SAML2_Response
366		*/
367		private function createResponse(Provider $provider)
368		{
369		$serviceProvider = $this->getServiceProvider($provider->getStateHandler()->getRequestServiceProvider());
370
371		$response = new SAML2_Response();
372		$response->setDestination($serviceProvider->getAssertionConsumerUrl());
373		$response->setIssuer($provider->getIdentityProvider()->getEntityId());
374		$response->setIssueInstant((new DateTime('now'))->getTimestamp());
375		$response->setInResponseTo($provider->getStateHandler()->getRequestId());
376
377		return $response;
378		}
379
380		/**
381		* @param string $serviceProvider
382		* @return \Surfnet\SamlBundle\Entity\ServiceProvider
383		*/
384		private function getServiceProvider($serviceProvider)
385		{
386		/**
387		* @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders
		0 ignored issues – show Coding Style introduced 2016-04-29 09:07 UTC by Report Bug Copy Issue Report This line exceeds maximum limit of 120 characters; contains 125 characters Overly long lines are hard to read on any screen. Most code styles therefor impose a maximum limit on the number of characters in a line. Loading history...
388		*/
389		$connectedServiceProviders = $this->get('gssp.connected_service_providers');
390		return $connectedServiceProviders->getConfigurationOf($serviceProvider);
391		}
392		}
393

OpenConext / Stepup-Gateway

Pull Request — master (#102)

SamlProxyController::consumeAssertionAction() C

Complexity

Size

Duplication

Importance

How to fix Long Method

Long Method

Duplication Side-by-Side

Filter issues like