SamlProxyController - Code Metrics - Inspection of "Increase font weight of gssp titles on WAYG" - OpenConext/Stepup-Gateway - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — feature/restyle-of-wayg ( a7659e...3faa0b )

unknown

created 2018-03-23 08:49 UTC

SamlProxyController C

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	347
Duplicated Lines	3.75 %

Coupling/Cohesion

Components	1
Dependencies	22

Importance

Changes

Metric	Value
wmc	22
c	0
b	0
f	0
lcom	1
cbo	22
dl	13
loc	347
rs	5.7894

12 Methods

Rating	Name	Duplication	Size	Complexity
A	singleSignOnAction()	0	74	3
B	sendSecondFactorVerificationAuthnRequestAction()	0	34	1
C	consumeAssertionAction()	0	83	8
A	metadataAction()	0	9	1
A	getProvider()	0	13	2
A	renderSamlResponse()	13	13	1
A	render()	0	8	1
A	getResponseAsXML()	0	4	1
A	createResponseFailureResponse()	0	7	1
A	createAuthnFailedResponse()	0	10	1
A	createResponse()	0	12	1
A	getServiceProvider()	0	8	1

How to fix Duplicated Code

<?php

/**
 * Copyright 2014 SURFnet bv
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace Surfnet\StepupGateway\SamlStepupProviderBundle\Controller;

use DateTime;
use Exception;
use SAML2\Constants;
use SAML2\Response as SAMLResponse;
use Surfnet\SamlBundle\Http\XMLResponse;
use Surfnet\SamlBundle\SAML2\AuthnRequest;
use Surfnet\SamlBundle\SAML2\AuthnRequestFactory;
use Surfnet\StepupGateway\GatewayBundle\Saml\AssertionAdapter;
use Surfnet\StepupGateway\GatewayBundle\Saml\Exception\UnknownInResponseToException;
use Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider;
use Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\StateHandler;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

/**
 * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
 * @SuppressWarnings(PHPMD.NPathComplexity)
 *
 * Should be refactored, {@see https://www.pivotaltracker.com/story/show/90169776}
 */
class SamlProxyController extends Controller
{
    /**
     * @param string  $provider
     * @param Request $httpRequest
     * @return \Symfony\Component\HttpFoundation\RedirectResponse|\Symfony\Component\HttpFoundation\Response
     */
    public function singleSignOnAction($provider, Request $httpRequest)
    {
        $provider = $this->getProvider($provider);

        /** @var \Psr\Log\LoggerInterface $logger */
        $logger = $this->get('logger');
        $logger->notice('Received AuthnRequest, started processing');

        /** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
        $redirectBinding = $this->get('surfnet_saml.http.redirect_binding');

        $originalRequest = $redirectBinding->processSignedRequest($httpRequest);

        $originalRequestId = $originalRequest->getRequestId();
        $logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
        $logger->notice(sprintf(
            'AuthnRequest processing complete, received AuthnRequest from "%s", request ID: "%s"',
            $originalRequest->getServiceProvider(),
            $originalRequest->getRequestId()
        ));

        $logger->debug('Checking if SP "%s" is supported');
        /**
         * @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders

         */
        $connectedServiceProviders = $this->get('gssp.connected_service_providers');
        if (!$connectedServiceProviders->isConnected($originalRequest->getServiceProvider())) {

            $logger->warning(sprintf(
                'Received AuthnRequest from SP "%s", while SP is not allowed to use this for SSO',
                $originalRequest->getServiceProvider()
            ));

            throw new AccessDeniedHttpException();
        }

        /** @var StateHandler $stateHandler */
        $stateHandler = $provider->getStateHandler();

        // Clear the state of the previous SSO action. Request data of
        // previous SSO actions should not have any effect in subsequent SSO
        // actions.
        $stateHandler->clear();

        $stateHandler
            ->setRequestId($originalRequestId)
            ->setRequestServiceProvider($originalRequest->getServiceProvider())

            ->setRelayState($httpRequest->get(AuthnRequest::PARAMETER_RELAY_STATE, ''));

        $proxyRequest = AuthnRequestFactory::createNewRequest(
            $provider->getServiceProvider(),
            $provider->getRemoteIdentityProvider()
        );

        // if a Specific subject is given to authenticate we should proxy that and verify in the response
        // that that subject indeed was authenticated
        $nameId = $originalRequest->getNameId();
        if ($nameId) {
            $proxyRequest->setSubject($nameId, $originalRequest->getNameIdFormat());
            $stateHandler->setSubject($nameId);
        }

        $proxyRequest->setScoping([$originalRequest->getServiceProvider()]);
        $stateHandler->setGatewayRequestId($proxyRequest->getRequestId());

        $logger->notice(sprintf(
            'Sending Proxy AuthnRequest with request ID: "%s" for original AuthnRequest "%s" to GSSP "%s" at "%s"',
            $proxyRequest->getRequestId(),
            $originalRequest->getRequestId(),
            $provider->getName(),
            $provider->getRemoteIdentityProvider()->getSsoUrl()
        ));

        return $redirectBinding->createResponseFor($proxyRequest);
    }

    public function sendSecondFactorVerificationAuthnRequestAction($provider, $subjectNameId)
    {
        $provider = $this->getProvider($provider);
        $stateHandler = $provider->getStateHandler();

        $originalRequestId = $this->get('gateway.proxy.response_context')->getInResponseTo();

        $authnRequest = AuthnRequestFactory::createNewRequest(
            $provider->getServiceProvider(),
            $provider->getRemoteIdentityProvider()
        );
        $authnRequest->setSubject($subjectNameId);

        $stateHandler
            ->setRequestId($originalRequestId)
            ->setGatewayRequestId($authnRequest->getRequestId())
            ->setSubject($subjectNameId)
            ->markRequestAsSecondFactorVerification();

        /** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
        $logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
        $logger->notice(sprintf(
            'Sending AuthnRequest to verify Second Factor with request ID: "%s" to GSSP "%s" at "%s" for subject "%s"',
            $authnRequest->getRequestId(),
            $provider->getName(),
            $provider->getRemoteIdentityProvider()->getSsoUrl(),
            $subjectNameId
        ));

        /** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
        $redirectBinding = $this->get('surfnet_saml.http.redirect_binding');

        return $redirectBinding->createResponseFor($authnRequest);
    }

    /**
     * @param string  $provider
     * @param Request $httpRequest
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function consumeAssertionAction($provider, Request $httpRequest)
    {
        $provider = $this->getProvider($provider);
        $stateHandler = $provider->getStateHandler();
        $originalRequestId = $stateHandler->getRequestId();

        /** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
        $logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);

        $action = $stateHandler->hasSubject() ? 'Second Factor Verification' : 'Proxy Response';
        $logger->notice(
            sprintf('Received SAMLResponse, attempting to process for %s', $action)
        );

        try {
            /** @var \SAML2\Assertion $assertion */
            $assertion = $this->get('surfnet_saml.http.post_binding')->processResponse(
                $httpRequest,
                $provider->getRemoteIdentityProvider(),
                $provider->getServiceProvider()
            );
        } catch (Exception $exception) {
            $logger->error(sprintf('Could not process received Response, error: "%s"', $exception->getMessage()));

            $response = $this->createResponseFailureResponse($provider);

            return $this->renderSamlResponse('unprocessableResponse', $stateHandler, $response);
        }

        $adaptedAssertion = new AssertionAdapter($assertion);
        $expectedResponse = $stateHandler->getGatewayRequestId();
        if (!$adaptedAssertion->inResponseToMatches($expectedResponse)) {
            throw new UnknownInResponseToException(
                $adaptedAssertion->getInResponseTo(),
                $expectedResponse
            );
        }

        $authenticatedNameId = $assertion->getNameId();
        $isSubjectRequested = $stateHandler->hasSubject();
        if ($isSubjectRequested && ($stateHandler->getSubject() !== $authenticatedNameId->value)) {
            $logger->critical(sprintf(
                'Requested Subject NameID "%s" and Response NameID "%s" do not match',
                $stateHandler->getSubject(),
                $authenticatedNameId->value
            ));

            if ($stateHandler->secondFactorVerificationRequested()) {
                // the error should go to the original requesting service provider
                $targetServiceProvider = $this->get('gateway.proxy.response_context')->getServiceProvider();
                $stateHandler->setRequestServiceProvider($targetServiceProvider->getEntityId());
            }

            return $this->renderSamlResponse(
                'recoverableError',
                $stateHandler,
                $this->createAuthnFailedResponse($provider)
            );
        }

        $logger->notice('Successfully processed SAMLResponse');

        if ($stateHandler->secondFactorVerificationRequested()) {
            $logger->notice(
                'Second Factor verification was requested and was successful, forwarding to SecondFactor handling'
            );

            return $this->forward('SurfnetStepupGatewayGatewayBundle:SecondFactor:gssfVerified');
        }

        /** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\ProxyResponseFactory $proxyResponseFactory */
        $targetServiceProvider = $this->getServiceProvider($stateHandler->getRequestServiceProvider());
        $proxyResponseFactory = $this->get('gssp.provider.' . $provider->getName() . '.response_proxy');
        $response             = $proxyResponseFactory->createProxyResponse($assertion, $targetServiceProvider);

        $logger->notice(sprintf(
            'Responding to request "%s" with response based on response from the remote IdP with response "%s"',
            $stateHandler->getRequestId(),
            $response->getId()
        ));

        return $this->renderSamlResponse('consumeAssertion', $stateHandler, $response);
    }

    /**
     * @param string $provider
     * @return XMLResponse
     */
    public function metadataAction($provider)
    {
        $provider = $this->getProvider($provider);

        /** @var \Surfnet\SamlBundle\Metadata\MetadataFactory $factory */
        $factory = $this->get('gssp.provider.' . $provider->getName() . '.metadata.factory');

        return new XMLResponse($factory->generate());
    }

    /**
     * @param string $provider
     * @return \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider
     */
    private function getProvider($provider)
    {
        /** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ProviderRepository $providerRepository */
        $providerRepository = $this->get('gssp.provider_repository');

        if (!$providerRepository->has($provider)) {
            throw new NotFoundHttpException(
                sprintf('Requested GSSP "%s" does not exist or is not registered', $provider)
            );
        }

        return $providerRepository->get($provider);
    }

    /**
     * @param string         $view
     * @param StateHandler   $stateHandler
     * @param SAMLResponse $response
     * @return Response
     */
    public function renderSamlResponse($view, StateHandler $stateHandler, SAMLResponse $response)

    {
        $response = $this->render($view, [
            'acu'        => $response->getDestination(),
            'response'   => $this->getResponseAsXML($response),
            'relayState' => $stateHandler->getRelayState()
        ]);

        // clear the state so we can call again :)
        $stateHandler->clear();

        return $response;
    }

    /**
     * @param string   $view
     * @param array    $parameters
     * @param Response $response

     * @return Response
     */
    public function render($view, array $parameters = array(), Response $response = null)
    {
        return parent::render(
            'SurfnetStepupGatewaySamlStepupProviderBundle:SamlProxy:' . $view . '.html.twig',
            $parameters,
            $response
        );
    }

    /**
     * @param SAMLResponse $response
     * @return string
     */
    private function getResponseAsXML(SAMLResponse $response)
    {
        return base64_encode($response->toUnsignedXML()->ownerDocument->saveXML());
    }

    /**
     * Response that indicates that an error occurred in the responder (the gateway). Used to indicate that we could
     * not process the response we received from the upstream GSSP
     *
     * @param Provider $provider
     * @return SAMLResponse
     */
    private function createResponseFailureResponse(Provider $provider)
    {
        $response = $this->createResponse($provider);
        $response->setStatus(['Code' => Constants::STATUS_RESPONDER]);

        return $response;
    }

    /**
     * Response that indicates that the authentication could not be performed correctly. In this context it means
     * that the upstream GSSP did not responsd with the same NameID as we request to authenticate in the AuthnRequest
     *
     * @param Provider $provider
     * @return SAMLResponse
     */
    private function createAuthnFailedResponse(Provider $provider)
    {
        $response = $this->createResponse($provider);
        $response->setStatus([
            'Code'    => Constants::STATUS_RESPONDER,
            'SubCode' => Constants::STATUS_AUTHN_FAILED
        ]);

        return $response;
    }

    /**
     * Creates a standard response with default status Code (success)
     *
     * @param Provider $provider
     * @return SAMLResponse
     */
    private function createResponse(Provider $provider)
    {
        $serviceProvider = $this->getServiceProvider($provider->getStateHandler()->getRequestServiceProvider());

        $response = new SAMLResponse();
        $response->setDestination($serviceProvider->getAssertionConsumerUrl());
        $response->setIssuer($provider->getIdentityProvider()->getEntityId());
        $response->setIssueInstant((new DateTime('now'))->getTimestamp());
        $response->setInResponseTo($provider->getStateHandler()->getRequestId());

        return $response;
    }

    /**
     * @param string $serviceProvider
     * @return \Surfnet\SamlBundle\Entity\ServiceProvider
     */
    private function getServiceProvider($serviceProvider)
    {
        /**
         * @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders

         */
        $connectedServiceProviders = $this->get('gssp.connected_service_providers');
        return $connectedServiceProviders->getConfigurationOf($serviceProvider);
    }
}


1		<?php
2
3		/**
4		* Copyright 2014 SURFnet bv
5		*
6		* Licensed under the Apache License, Version 2.0 (the "License");
7		* you may not use this file except in compliance with the License.
8		* You may obtain a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing, software
13		* distributed under the License is distributed on an "AS IS" BASIS,
14		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15		* See the License for the specific language governing permissions and
16		* limitations under the License.
17		*/
18
19		namespace Surfnet\StepupGateway\SamlStepupProviderBundle\Controller;
20
21		use DateTime;
22		use Exception;
23		use SAML2\Constants;
24		use SAML2\Response as SAMLResponse;
25		use Surfnet\SamlBundle\Http\XMLResponse;
26		use Surfnet\SamlBundle\SAML2\AuthnRequest;
27		use Surfnet\SamlBundle\SAML2\AuthnRequestFactory;
28		use Surfnet\StepupGateway\GatewayBundle\Saml\AssertionAdapter;
29		use Surfnet\StepupGateway\GatewayBundle\Saml\Exception\UnknownInResponseToException;
30		use Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider;
31		use Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\StateHandler;
32		use Symfony\Bundle\FrameworkBundle\Controller\Controller;
33		use Symfony\Component\HttpFoundation\Request;
34		use Symfony\Component\HttpFoundation\Response;
35		use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
36		use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
37
38		/**
39		* @SuppressWarnings(PHPMD.CouplingBetweenObjects)
40		* @SuppressWarnings(PHPMD.NPathComplexity)
41		*
42		* Should be refactored, {@see https://www.pivotaltracker.com/story/show/90169776}
43		*/
44		class SamlProxyController extends Controller
45		{
46		/**
47		* @param string $provider
48		* @param Request $httpRequest
49		* @return \Symfony\Component\HttpFoundation\RedirectResponse\|\Symfony\Component\HttpFoundation\Response
50		*/
51		public function singleSignOnAction($provider, Request $httpRequest)
52		{
53		$provider = $this->getProvider($provider);
54
55		/** @var \Psr\Log\LoggerInterface $logger */
56		$logger = $this->get('logger');
57		$logger->notice('Received AuthnRequest, started processing');
58
59		/** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
60		$redirectBinding = $this->get('surfnet_saml.http.redirect_binding');
61
62		$originalRequest = $redirectBinding->processSignedRequest($httpRequest);
63
64		$originalRequestId = $originalRequest->getRequestId();
65		$logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
66		$logger->notice(sprintf(
67		'AuthnRequest processing complete, received AuthnRequest from "%s", request ID: "%s"',
68		$originalRequest->getServiceProvider(),
69		$originalRequest->getRequestId()
70		));
71
72		$logger->debug('Checking if SP "%s" is supported');
73		/**
74		* @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders
		0 ignored issues – show Coding Style introduced 2016-04-29 09:07 UTC by Report Bug Copy Issue Report This line exceeds maximum limit of 120 characters; contains 125 characters Overly long lines are hard to read on any screen. Most code styles therefor impose a maximum limit on the number of characters in a line. Loading history...
75		*/
76		$connectedServiceProviders = $this->get('gssp.connected_service_providers');
77		if (!$connectedServiceProviders->isConnected($originalRequest->getServiceProvider())) {
		0 ignored issues – show Bug introduced 2018-01-16 13:09 UTC by Report Bug Copy Issue Report It seems like `$originalRequest->getServiceProvider()` targeting `Surfnet\SamlBundle\SAML2...t::getServiceProvider()` can also be of type `null` or `object<SAML2\XML\saml\Issuer>`; however, `Surfnet\StepupGateway\Sa...roviders::isConnected()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
78		$logger->warning(sprintf(
79		'Received AuthnRequest from SP "%s", while SP is not allowed to use this for SSO',
80		$originalRequest->getServiceProvider()
81		));
82
83		throw new AccessDeniedHttpException();
84		}
85
86		/** @var StateHandler $stateHandler */
87		$stateHandler = $provider->getStateHandler();
88
89		// Clear the state of the previous SSO action. Request data of
90		// previous SSO actions should not have any effect in subsequent SSO
91		// actions.
92		$stateHandler->clear();
93
94		$stateHandler
95		->setRequestId($originalRequestId)
96		->setRequestServiceProvider($originalRequest->getServiceProvider())
		0 ignored issues – show Bug introduced 2018-01-16 13:09 UTC by Report Bug Copy Issue Report It seems like `$originalRequest->getServiceProvider()` targeting `Surfnet\SamlBundle\SAML2...t::getServiceProvider()` can also be of type `null` or `object<SAML2\XML\saml\Issuer>`; however, `Surfnet\StepupGateway\Ga...equestServiceProvider()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
97		->setRelayState($httpRequest->get(AuthnRequest::PARAMETER_RELAY_STATE, ''));
98
99		$proxyRequest = AuthnRequestFactory::createNewRequest(
100		$provider->getServiceProvider(),
101		$provider->getRemoteIdentityProvider()
102		);
103
104		// if a Specific subject is given to authenticate we should proxy that and verify in the response
105		// that that subject indeed was authenticated
106		$nameId = $originalRequest->getNameId();
107		if ($nameId) {
108		$proxyRequest->setSubject($nameId, $originalRequest->getNameIdFormat());
109		$stateHandler->setSubject($nameId);
110		}
111
112		$proxyRequest->setScoping([$originalRequest->getServiceProvider()]);
113		$stateHandler->setGatewayRequestId($proxyRequest->getRequestId());
114
115		$logger->notice(sprintf(
116		'Sending Proxy AuthnRequest with request ID: "%s" for original AuthnRequest "%s" to GSSP "%s" at "%s"',
117		$proxyRequest->getRequestId(),
118		$originalRequest->getRequestId(),
119		$provider->getName(),
120		$provider->getRemoteIdentityProvider()->getSsoUrl()
121		));
122
123		return $redirectBinding->createResponseFor($proxyRequest);
124		}
125
126		public function sendSecondFactorVerificationAuthnRequestAction($provider, $subjectNameId)
127		{
128		$provider = $this->getProvider($provider);
129		$stateHandler = $provider->getStateHandler();
130
131		$originalRequestId = $this->get('gateway.proxy.response_context')->getInResponseTo();
132
133		$authnRequest = AuthnRequestFactory::createNewRequest(
134		$provider->getServiceProvider(),
135		$provider->getRemoteIdentityProvider()
136		);
137		$authnRequest->setSubject($subjectNameId);
138
139		$stateHandler
140		->setRequestId($originalRequestId)
141		->setGatewayRequestId($authnRequest->getRequestId())
142		->setSubject($subjectNameId)
143		->markRequestAsSecondFactorVerification();
144
145		/** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
146		$logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
147		$logger->notice(sprintf(
148		'Sending AuthnRequest to verify Second Factor with request ID: "%s" to GSSP "%s" at "%s" for subject "%s"',
149		$authnRequest->getRequestId(),
150		$provider->getName(),
151		$provider->getRemoteIdentityProvider()->getSsoUrl(),
152		$subjectNameId
153		));
154
155		/** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
156		$redirectBinding = $this->get('surfnet_saml.http.redirect_binding');
157
158		return $redirectBinding->createResponseFor($authnRequest);
159		}
160
161		/**
162		* @param string $provider
163		* @param Request $httpRequest
164		* @return \Symfony\Component\HttpFoundation\Response
165		*/
166		public function consumeAssertionAction($provider, Request $httpRequest)
167		{
168		$provider = $this->getProvider($provider);
169		$stateHandler = $provider->getStateHandler();
170		$originalRequestId = $stateHandler->getRequestId();
171
172		/** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
173		$logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
174
175		$action = $stateHandler->hasSubject() ? 'Second Factor Verification' : 'Proxy Response';
176		$logger->notice(
177		sprintf('Received SAMLResponse, attempting to process for %s', $action)
178		);
179
180		try {
181		/** @var \SAML2\Assertion $assertion */
182		$assertion = $this->get('surfnet_saml.http.post_binding')->processResponse(
183		$httpRequest,
184		$provider->getRemoteIdentityProvider(),
185		$provider->getServiceProvider()
186		);
187		} catch (Exception $exception) {
188		$logger->error(sprintf('Could not process received Response, error: "%s"', $exception->getMessage()));
189
190		$response = $this->createResponseFailureResponse($provider);
191
192		return $this->renderSamlResponse('unprocessableResponse', $stateHandler, $response);
193		}
194
195		$adaptedAssertion = new AssertionAdapter($assertion);
196		$expectedResponse = $stateHandler->getGatewayRequestId();
197		if (!$adaptedAssertion->inResponseToMatches($expectedResponse)) {
198		throw new UnknownInResponseToException(
199		$adaptedAssertion->getInResponseTo(),
200		$expectedResponse
201		);
202		}
203
204		$authenticatedNameId = $assertion->getNameId();
205		$isSubjectRequested = $stateHandler->hasSubject();
206		if ($isSubjectRequested && ($stateHandler->getSubject() !== $authenticatedNameId->value)) {
207		$logger->critical(sprintf(
208		'Requested Subject NameID "%s" and Response NameID "%s" do not match',
209		$stateHandler->getSubject(),
210		$authenticatedNameId->value
211		));
212
213		if ($stateHandler->secondFactorVerificationRequested()) {
214		// the error should go to the original requesting service provider
215		$targetServiceProvider = $this->get('gateway.proxy.response_context')->getServiceProvider();
216		$stateHandler->setRequestServiceProvider($targetServiceProvider->getEntityId());
217		}
218
219		return $this->renderSamlResponse(
220		'recoverableError',
221		$stateHandler,
222		$this->createAuthnFailedResponse($provider)
223		);
224		}
225
226		$logger->notice('Successfully processed SAMLResponse');
227
228		if ($stateHandler->secondFactorVerificationRequested()) {
229		$logger->notice(
230		'Second Factor verification was requested and was successful, forwarding to SecondFactor handling'
231		);
232
233		return $this->forward('SurfnetStepupGatewayGatewayBundle:SecondFactor:gssfVerified');
234		}
235
236		/** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\ProxyResponseFactory $proxyResponseFactory */
237		$targetServiceProvider = $this->getServiceProvider($stateHandler->getRequestServiceProvider());
238		$proxyResponseFactory = $this->get('gssp.provider.' . $provider->getName() . '.response_proxy');
239		$response = $proxyResponseFactory->createProxyResponse($assertion, $targetServiceProvider);
240
241		$logger->notice(sprintf(
242		'Responding to request "%s" with response based on response from the remote IdP with response "%s"',
243		$stateHandler->getRequestId(),
244		$response->getId()
245		));
246
247		return $this->renderSamlResponse('consumeAssertion', $stateHandler, $response);
248		}
249
250		/**
251		* @param string $provider
252		* @return XMLResponse
253		*/
254		public function metadataAction($provider)
255		{
256		$provider = $this->getProvider($provider);
257
258		/** @var \Surfnet\SamlBundle\Metadata\MetadataFactory $factory */
259		$factory = $this->get('gssp.provider.' . $provider->getName() . '.metadata.factory');
260
261		return new XMLResponse($factory->generate());
262		}
263
264		/**
265		* @param string $provider
266		* @return \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider
267		*/
268		private function getProvider($provider)
269		{
270		/** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ProviderRepository $providerRepository */
271		$providerRepository = $this->get('gssp.provider_repository');
272
273		if (!$providerRepository->has($provider)) {
274		throw new NotFoundHttpException(
275		sprintf('Requested GSSP "%s" does not exist or is not registered', $provider)
276		);
277		}
278
279		return $providerRepository->get($provider);
280		}
281
282		/**
283		* @param string $view
284		* @param StateHandler $stateHandler
285		* @param SAMLResponse $response
286		* @return Response
287		*/
288	View Code Duplication	public function renderSamlResponse($view, StateHandler $stateHandler, SAMLResponse $response)
		0 ignored issues – show Duplication introduced 2017-08-01 06:56 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
289		{
290		$response = $this->render($view, [
291		'acu' => $response->getDestination(),
292		'response' => $this->getResponseAsXML($response),
293		'relayState' => $stateHandler->getRelayState()
294		]);
295
296		// clear the state so we can call again :)
297		$stateHandler->clear();
298
299		return $response;
300		}
301
302		/**
303		* @param string $view
304		* @param array $parameters
305		* @param Response $response
		0 ignored issues – show Documentation introduced 2015-12-15 13:35 UTC by Report Bug Copy Issue Report Should the type for parameter `$response` not be `null\|Response`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
306		* @return Response
307		*/
308		public function render($view, array $parameters = array(), Response $response = null)
309		{
310		return parent::render(
311		'SurfnetStepupGatewaySamlStepupProviderBundle:SamlProxy:' . $view . '.html.twig',
312		$parameters,
313		$response
314		);
315		}
316
317		/**
318		* @param SAMLResponse $response
319		* @return string
320		*/
321		private function getResponseAsXML(SAMLResponse $response)
322		{
323		return base64_encode($response->toUnsignedXML()->ownerDocument->saveXML());
324		}
325
326		/**
327		* Response that indicates that an error occurred in the responder (the gateway). Used to indicate that we could
328		* not process the response we received from the upstream GSSP
329		*
330		* @param Provider $provider
331		* @return SAMLResponse
332		*/
333		private function createResponseFailureResponse(Provider $provider)
334		{
335		$response = $this->createResponse($provider);
336		$response->setStatus(['Code' => Constants::STATUS_RESPONDER]);
337
338		return $response;
339		}
340
341		/**
342		* Response that indicates that the authentication could not be performed correctly. In this context it means
343		* that the upstream GSSP did not responsd with the same NameID as we request to authenticate in the AuthnRequest
344		*
345		* @param Provider $provider
346		* @return SAMLResponse
347		*/
348		private function createAuthnFailedResponse(Provider $provider)
349		{
350		$response = $this->createResponse($provider);
351		$response->setStatus([
352		'Code' => Constants::STATUS_RESPONDER,
353		'SubCode' => Constants::STATUS_AUTHN_FAILED
354		]);
355
356		return $response;
357		}
358
359		/**
360		* Creates a standard response with default status Code (success)
361		*
362		* @param Provider $provider
363		* @return SAMLResponse
364		*/
365		private function createResponse(Provider $provider)
366		{
367		$serviceProvider = $this->getServiceProvider($provider->getStateHandler()->getRequestServiceProvider());
368
369		$response = new SAMLResponse();
370		$response->setDestination($serviceProvider->getAssertionConsumerUrl());
371		$response->setIssuer($provider->getIdentityProvider()->getEntityId());
372		$response->setIssueInstant((new DateTime('now'))->getTimestamp());
373		$response->setInResponseTo($provider->getStateHandler()->getRequestId());
374
375		return $response;
376		}
377
378		/**
379		* @param string $serviceProvider
380		* @return \Surfnet\SamlBundle\Entity\ServiceProvider
381		*/
382		private function getServiceProvider($serviceProvider)
383		{
384		/**
385		* @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders
		0 ignored issues – show Coding Style introduced 2016-04-29 09:07 UTC by Report Bug Copy Issue Report This line exceeds maximum limit of 120 characters; contains 125 characters Overly long lines are hard to read on any screen. Most code styles therefor impose a maximum limit on the number of characters in a line. Loading history...
386		*/
387		$connectedServiceProviders = $this->get('gssp.connected_service_providers');
388		return $connectedServiceProviders->getConfigurationOf($serviceProvider);
389		}
390		}
391

OpenConext / Stepup-Gateway

Push — feature/restyle-of-wayg ( a7659e...3faa0b )

SamlProxyController C

Complexity

Size/Duplication

Coupling/Cohesion

Importance

12 Methods

How to fix Duplicated Code

Duplicated Code

Duplication Side-by-Side

Filter issues like