OpenConext /
Stepup-Gateway
| Total Complexity | 40 |
| Total Lines | 277 |
| Duplicated Lines | 0 % |
| Changes | 3 | ||
| Bugs | 0 | Features | 0 |
Complex classes like CookieService often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use CookieService, and based on these observations, apply Extract Interface, too.
| 1 | <?php declare(strict_types=1); |
||
| 45 | class CookieService implements CookieServiceInterface |
||
| 46 | { |
||
| 47 | /** |
||
| 48 | * @var CookieHelperInterface |
||
| 49 | */ |
||
| 50 | private $cookieHelper; |
||
| 51 | /** |
||
| 52 | * @var InstitutionConfigurationService |
||
| 53 | */ |
||
| 54 | private $institutionConfigurationService; |
||
| 55 | /** |
||
| 56 | * @var LoggerInterface |
||
| 57 | */ |
||
| 58 | private $logger; |
||
| 59 | /** |
||
| 60 | * @var SecondFactorService |
||
| 61 | */ |
||
| 62 | private $secondFactorService; |
||
| 63 | |||
| 64 | /** |
||
| 65 | * @var SecondFactorTypeService |
||
| 66 | */ |
||
| 67 | private $secondFactorTypeService; |
||
| 68 | /** |
||
| 69 | * @var ExpirationHelperInterface |
||
| 70 | */ |
||
| 71 | private $expirationHelper; |
||
| 72 | |||
| 73 | public function __construct( |
||
| 87 | } |
||
| 88 | |||
| 89 | public function handleSsoOn2faCookieStorage( |
||
| 90 | ResponseContext $responseContext, |
||
| 91 | Request $request, |
||
| 92 | Response $httpResponse |
||
| 93 | ): Response { |
||
| 94 | // Check if this specific SP is configured to allow setting of an SSO on 2FA cookie (configured in MW config) |
||
| 95 | $remoteSp = $this->getRemoteSp($responseContext); |
||
| 96 | if (!$remoteSp->allowedToSetSsoCookieOn2fa()) { |
||
| 97 | $this->logger->notice( |
||
| 98 | sprintf( |
||
| 99 | 'SP: %s does not allow writing SSO on 2FA cookies', |
||
| 100 | $remoteSp->getEntityId() |
||
| 101 | ) |
||
| 102 | ); |
||
| 103 | return $httpResponse; |
||
| 104 | } |
||
| 105 | |||
| 106 | // The second factor id is read from state. It is the SF Id of the token used during authentication |
||
| 107 | $secondFactorId = $responseContext->getSelectedSecondFactor(); |
||
| 108 | |||
| 109 | // We can only set an SSO on 2FA cookie if a second factor authentication is being handled. |
||
| 110 | if ($secondFactorId) { |
||
| 111 | $secondFactor = $this->secondFactorService->findByUuid($secondFactorId); |
||
| 112 | if (!$secondFactor) { |
||
| 113 | throw new RuntimeException(sprintf('Second Factor token not found with ID: %s', $secondFactorId)); |
||
| 114 | } |
||
| 115 | // Test if the institution of the Identity this SF belongs to has SSO on 2FA enabled |
||
| 116 | $isEnabled = $this->institutionConfigurationService->ssoOn2faEnabled($secondFactor->institution); |
||
| 117 | $this->logger->notice( |
||
| 118 | sprintf( |
||
| 119 | 'SSO on 2FA is %senabled for %s', |
||
| 120 | $isEnabled ? '' : 'not ', |
||
| 121 | $secondFactor->institution |
||
| 122 | ) |
||
| 123 | ); |
||
| 124 | if ($isEnabled) { |
||
| 125 | // The cookie reader can return a NullCookie if the cookie is not present, was expired or was otherwise |
||
| 126 | // deemed invalid. See the CookieHelper::read implementation for details. |
||
| 127 | $ssoCookie = $this->read($request); |
||
| 128 | $identityId = $responseContext->getIdentityNameId(); |
||
| 129 | $loa = $secondFactor->getLoaLevel($this->secondFactorTypeService); |
||
| 130 | $isValid = $this->isCookieValid($ssoCookie, $loa, $identityId); |
||
| 131 | $isVerifiedBySsoOn2faCookie = $responseContext->isVerifiedBySsoOn2faCookie(); |
||
| 132 | // Did the LoA requirement change? If a higher LoA was requested, or did a new token authentication |
||
| 133 | // take place? In that case create a new SSO on 2FA cookie |
||
| 134 | if ($this->shouldAddCookie($ssoCookie, $isValid, $loa, $isVerifiedBySsoOn2faCookie)) { |
||
| 135 | $cookie = CookieValue::from($identityId, $secondFactor->secondFactorId, $loa); |
||
| 136 | $this->store($httpResponse, $cookie); |
||
| 137 | } |
||
| 138 | } |
||
| 139 | } |
||
| 140 | $responseContext->finalizeAuthentication(); |
||
| 141 | return $httpResponse; |
||
| 142 | } |
||
| 143 | |||
| 144 | /** |
||
| 145 | * Allow high cyclomatic complexity in favour of keeping this method readable |
||
| 146 | * @SuppressWarnings(PHPMD.CyclomaticComplexity) |
||
| 147 | * @SuppressWarnings(PHPMD.NPathComplexity) |
||
| 148 | */ |
||
| 149 | public function shouldSkip2faAuthentication( |
||
| 150 | ResponseContext $responseContext, |
||
| 151 | float $requiredLoa, |
||
| 152 | string $identityNameId, |
||
| 153 | Collection $secondFactorCollection, |
||
| 154 | Request $request |
||
| 155 | ): bool { |
||
| 156 | if ($responseContext->isForceAuthn()) { |
||
| 157 | $this->logger->notice('Ignoring SSO on 2FA cookie when ForceAuthN is specified.'); |
||
| 158 | return false; |
||
| 159 | } |
||
| 160 | $remoteSp = $this->getRemoteSp($responseContext); |
||
| 161 | // Test if the SP allows SSO on 2FA to take place (configured in MW config) |
||
| 162 | if (!$remoteSp->allowSsoOn2fa()) { |
||
| 163 | $this->logger->notice( |
||
| 164 | sprintf( |
||
| 165 | 'Ignoring SSO on 2FA for SP: %s', |
||
| 166 | $remoteSp->getEntityId() |
||
| 167 | ) |
||
| 168 | ); |
||
| 169 | return false; |
||
| 170 | } |
||
| 171 | $ssoCookie = $this->read($request); |
||
| 172 | // Perform validation on the cookie and its contents |
||
| 173 | if (!$this->isCookieValid($ssoCookie, $requiredLoa, $identityNameId)) { |
||
| 174 | return false; |
||
| 175 | } |
||
| 176 | if (!$this->secondFactorService->findByUuid($ssoCookie->secondFactorId())) { |
||
| 177 | $this->logger->notice( |
||
| 178 | 'The second factor stored in the SSO cookie was revoked or has otherwise became unknown to Gateway', |
||
| 179 | [ |
||
| 180 | 'secondFactorIdFromCookie' => $ssoCookie->secondFactorId() |
||
| 181 | ] |
||
| 182 | ); |
||
| 183 | return false; |
||
| 184 | } |
||
| 185 | |||
| 186 | /** @var SecondFactor $secondFactor */ |
||
| 187 | foreach ($secondFactorCollection as $secondFactor) { |
||
| 188 | $loa = $secondFactor->getLoaLevel($this->secondFactorTypeService); |
||
| 189 | if ($loa >= $requiredLoa) { |
||
| 190 | $this->logger->notice('Verified the current 2FA authentication can be given with the SSO on 2FA cookie'); |
||
| 191 | $responseContext->saveSelectedSecondFactor($secondFactor); |
||
| 192 | return true; |
||
| 193 | } |
||
| 194 | } |
||
| 195 | return false; |
||
| 196 | } |
||
| 197 | |||
| 198 | public function getCookieFingerprint(Request $request): string |
||
| 199 | { |
||
| 200 | return $this->cookieHelper->fingerprint($request); |
||
| 201 | } |
||
| 202 | |||
| 203 | /** |
||
| 204 | * This method determines if an SSO on 2FA cookie should be created. |
||
| 205 | * |
||
| 206 | * The comments in the code block should give a good feel for what business rules |
||
| 207 | * are applied in this method. |
||
| 208 | * |
||
| 209 | * @param CookieValueInterface $ssoCookie The SSO on 2FA cookie as read from the HTTP response |
||
| 210 | * @param float $loa The LoA that was requested for this authentication, used to |
||
| 211 | * compare to the LoA stored in the SSO cookie |
||
| 212 | * @param bool $wasAuthenticatedWithSsoOn2faCookie Indicator if the currently running authentication was performed |
||
| 213 | * with the SSO on 2FA cookie |
||
| 214 | */ |
||
| 215 | private function shouldAddCookie( |
||
| 216 | CookieValueInterface $ssoCookie, |
||
| 217 | bool $isCookieValid, |
||
| 218 | float $loa, |
||
| 219 | bool $wasAuthenticatedWithSsoOn2faCookie |
||
| 220 | ): bool { |
||
| 221 | // When the cookie is not yet set, was expired or was otherwise deemed invalid, we get a NullCookieValue |
||
| 222 | // back from the reader. Indicating there is no valid cookie present. |
||
| 223 | $cookieNotSet = $ssoCookie instanceof NullCookieValue; |
||
| 224 | // OR the existing cookie does exist, but the LoA stored in that cookie does not match the required LoA |
||
| 225 | $cookieDoesNotMeetLoaRequirement = ($ssoCookie instanceof CookieValue && !$ssoCookie->meetsRequiredLoa($loa)); |
||
| 226 | if (!$ssoCookie instanceof NullCookieValue && $cookieDoesNotMeetLoaRequirement) { |
||
| 227 | $this->logger->notice( |
||
| 228 | sprintf( |
||
| 229 | 'Storing new SSO on 2FA cookie as LoA requirement (%d changed to %d) changed', |
||
| 230 | $ssoCookie->getLoa(), |
||
| 231 | $loa |
||
| 232 | ) |
||
| 233 | ); |
||
| 234 | } |
||
| 235 | // OR when a new authentication took place, we replace the existing cookie with a new one |
||
| 236 | if (!$wasAuthenticatedWithSsoOn2faCookie) { |
||
| 237 | $this->logger->notice('Storing new SSO on 2FA cookie as a new authentication took place'); |
||
| 238 | } |
||
| 239 | |||
| 240 | // Or when the cookie is not valid for some reason (see logs for the specific error) |
||
| 241 | if (!$isCookieValid) { |
||
| 242 | $this->logger->notice('Storing new SSO on 2FA cookie, the current cookie is invalid'); |
||
| 243 | } |
||
| 244 | |||
| 245 | return $cookieNotSet || |
||
| 246 | !$isCookieValid || |
||
| 247 | $cookieDoesNotMeetLoaRequirement || |
||
| 248 | !$wasAuthenticatedWithSsoOn2faCookie; |
||
| 249 | } |
||
| 250 | |||
| 251 | private function store(Response $response, CookieValueInterface $cookieValue) |
||
| 254 | } |
||
| 255 | |||
| 256 | private function read(Request $request): CookieValueInterface |
||
| 257 | { |
||
| 258 | try { |
||
| 259 | return $this->cookieHelper->read($request); |
||
| 260 | } catch (CookieNotFoundException $e) { |
||
| 261 | $this->logger->notice('Attempt to decrypt the cookie failed, the cookie could not be found'); |
||
| 262 | return new NullCookieValue(); |
||
| 263 | } catch (DecryptionFailedException $e) { |
||
| 264 | $this->logger->notice('Decryption of the SSO on 2FA cookie failed'); |
||
| 265 | return new NullCookieValue(); |
||
| 266 | } catch (Exception $e) { |
||
| 267 | $this->logger->notice( |
||
| 268 | 'Decryption failed, see original message in context', |
||
| 269 | ['original-exception-message' => $e->getMessage()] |
||
| 270 | ); |
||
| 271 | return new NullCookieValue(); |
||
| 272 | } |
||
| 273 | } |
||
| 274 | |||
| 275 | private function getRemoteSp(ResponseContext $responseContext): ServiceProvider |
||
| 276 | { |
||
| 277 | $remoteSp = $responseContext->getServiceProvider(); |
||
| 278 | if (!$remoteSp) { |
||
| 279 | throw new RuntimeException('SP not found in the response context, unable to continue with SSO on 2FA'); |
||
| 280 | } |
||
| 281 | return $remoteSp; |
||
| 282 | } |
||
| 283 | |||
| 284 | private function isCookieValid(CookieValueInterface $ssoCookie, float $requiredLoa, string $identityNameId): bool |
||
| 322 | } |
||
| 323 | } |
||
| 324 |
Loading history...