IdentityProviderController::loadPrivateKey() - Code Metrics - Inspection of "Merge branch 'release/3.0' into develop" - OpenConext/Stepup-Gateway - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — develop ( 91a0ef...68f4fc )

by Michiel

created 2021-03-02 12:44 UTC

IdentityProviderController::loadPrivateKey() A

↳ Parent: IdentityProviderController

Complexity

Conditions	1
Paths	1

Size

Total Lines

Duplication

Lines	11
Ratio	100 %

Importance

Changes

Metric	Value
dl	11
loc	11
rs	9.9
c	0
b	0
f	0
cc	1
nc	1
nop	0

<?php

namespace Surfnet\StepupGateway\Behat\Controller;

use RobRichards\XMLSecLibs\XMLSecurityKey;
use SAML2\Assertion;
use SAML2\Certificate\KeyLoader;
use SAML2\Certificate\PrivateKeyLoader;
use SAML2\Configuration\PrivateKey;
use SAML2\Constants;
use SAML2\Response;
use SAML2\Response as SAMLResponse;
use SAML2\XML\saml\NameID;
use SAML2\XML\saml\SubjectConfirmation;
use SAML2\XML\saml\SubjectConfirmationData;
use Surfnet\SamlBundle\Http\Exception\UnsignedRequestException;
use Surfnet\SamlBundle\Http\ReceivedAuthnRequestQueryString;
use Surfnet\SamlBundle\SAML2\ReceivedAuthnRequest;
use Surfnet\StepupGateway\Behat\Command\LoginCommand;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Form\Extension\Core\Type\SubmitType;
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;

class IdentityProviderController extends Controller

{
    /**
     * Handles a SSO request
     * @param Request $request
     */
    public function ssoAction(Request $request)
    {
        // Receives the AuthnRequest and sends a SAML response
        $authnRequest = $this->receiveSignedAuthnRequestFrom($request);
        // By default render the username form
        $loginData = new LoginCommand();
        if ($authnRequest) {
            $loginData->setRequestId($authnRequest->getRequestId());
        }
        $form = $this
            ->createFormBuilder($loginData)
            ->add('username', TextType::class)
            ->add('requestId', TextType::class)
            ->add('submit', SubmitType::class)
            ->getForm();

        $form->handleRequest($request);

        if ($form->isSubmitted() && $form->isValid()) {
            $loginData = $form->getData();
            $response = $this->createResponse(
                'https://gateway.stepup.example.com/authentication/consume-assertion',
                ['Value' => $loginData->getUsername(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'],
                $loginData->getRequestId()
            );
            return $this->renderSamlResponse($response);
        }

        return $this->render('@test_resources/login.html.twig', [
            'form' => $form->createView(),
        ]);
    }

    /**
     * Handles a GSSP SSO request
     * @param Request $request
     */
    public function gsspSsoAction(Request $request)
    {
        // receives the AuthnRequest and sends a SAML response
        $authnRequest = $this->receiveSignedAuthnRequestFrom($request);
        // Todo: For some reason, the nameId is not transpored even tho it is set on the auhtnrequest.. Figure out whats going on here and fix this.
        // now the test will only work with one hard-coded user.
        $response = $this->createResponse(
            $authnRequest->getAssertionConsumerServiceURL(),
            ['Value' => 'foobar', 'Format' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'],
            $authnRequest->getRequestId()
        );
        return $this->renderSamlResponse($response);
    }

    /**
     * @param SAMLResponse $response
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function renderSamlResponse(SAMLResponse $response)
    {
        $parameters = [
            'acu' => $response->getDestination(),
            'response' => $this->getResponseAsXML($response),
            'relayState' => ''
        ];

        $response = parent::render(
class Daddy
{
    protected function getFirstName()
    {
        return "Eidur";
    }

    protected function getSurName()
    {
        return "Gudjohnsen";
    }
}

class Son
{
    public function getFirstName()
    {
        return parent::getSurname();
    }
}
            'SurfnetStepupGatewaySamlStepupProviderBundle:SamlProxy:consumeAssertion.html.twig',
            $parameters
        );

        return $response;
    }

    /**
     * @param string $destination
     * @param string $nameId

     * @return Response
     */
    public function createResponse($destination, array $nameId, $requestId)
    {
        $newAssertion = new Assertion();
        $newAssertion->setNotBefore(time());
        $newAssertion->setNotOnOrAfter(time() + (60 * 5));//
        $newAssertion->setAttributes(['urn:mace:dir:attribute-def:eduPersonTargetedID' => [NameID::fromArray($nameId)]]);

        $newAssertion->setIssuer('https://idp.stepup.example.com/');
        $newAssertion->setIssueInstant(time());

        $this->signAssertion($newAssertion);
        $this->addSubjectConfirmationFor($newAssertion, $destination, $requestId);
        $newAssertion->setNameId($nameId);
        $response = new SAMLResponse();
        $response->setAssertions([$newAssertion]);
        $response->setIssuer('https://idp.stepup.example.com/');
        $response->setIssueInstant(time());
        $response->setDestination($destination);
        $response->setInResponseTo($requestId);
        return $response;
    }

    /**
     * @param SAMLResponse $response
     * @return string
     */
    private function getResponseAsXML(SAMLResponse $response)
    {
        return base64_encode($response->toUnsignedXML()->ownerDocument->saveXML());
    }

    /**
     * @param Request $request
     * @return string
     */
    private function getFullRequestUri(Request $request)
    {
        return $request->getSchemeAndHttpHost() . $request->getBasePath() . $request->getRequestUri();
    }

    /**
     * @param Request $request
     * @return ReceivedAuthnRequest

     */
    public function receiveSignedAuthnRequestFrom(Request $request)
    {
        if (!$request->isMethod(Request::METHOD_GET)) {
            return;
        }

        $requestUri = $request->getRequestUri();
        if (strpos($requestUri, '?') === false) {
            throw new BadRequestHttpException(
                'Could not receive AuthnRequest from HTTP Request: expected query parameters, none found'
            );
        }

        list(, $rawQueryString) = explode('?', $requestUri);
        $query = ReceivedAuthnRequestQueryString::parse($rawQueryString);

        if (!$query->isSigned()) {
            throw new UnsignedRequestException('The SAMLRequest is expected to be signed but it was not');
        }

        $authnRequest = ReceivedAuthnRequest::from($query->getDecodedSamlRequest());

        $currentUri = $this->getFullRequestUri($request);
        if (!$authnRequest->getDestination() === $currentUri) {
            throw new BadRequestHttpException(sprintf(
                'Actual Destination "%s" does not match the AuthnRequest Destination "%s"',
                $currentUri,
                $authnRequest->getDestination()
            ));
        }

        return $authnRequest;
    }

    /**
     * @param Assertion $assertion
     * @return Assertion
     */
    public function signAssertion(Assertion $assertion)
    {
        $assertion->setSignatureKey($this->loadPrivateKey());
        $assertion->setCertificates([$this->getPublicCertificate()]);

        return $assertion;
    }

    private function addSubjectConfirmationFor(Assertion $newAssertion, $destination, $requestId)

    {
        $confirmation = new SubjectConfirmation();
        $confirmation->Method = Constants::CM_BEARER;

        $confirmationData                      = new SubjectConfirmationData();
        $confirmationData->InResponseTo        = $requestId;
        $confirmationData->Recipient           = $destination;
        $confirmationData->NotOnOrAfter        = $newAssertion->getNotOnOrAfter();

        $confirmation->SubjectConfirmationData = $confirmationData;

        $newAssertion->setSubjectConfirmation([$confirmation]);
    }

    /**
     * @return XMLSecurityKey
     */
    private function loadPrivateKey()

    {
        $key        = new PrivateKey('/var/www/ci/certificates/sp.pem', 'default');
        $keyLoader  = new PrivateKeyLoader();
        $privateKey = $keyLoader->loadPrivateKey($key);

        $xmlSecurityKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
        $xmlSecurityKey->loadKey($privateKey->getKeyAsString());

        return $xmlSecurityKey;
    }

    /**
     * @return string
     */
    private function getPublicCertificate()
    {
        $keyLoader = new KeyLoader();
        $keyLoader->loadCertificateFile('/var/www/ci/certificates/sp.crt');
        /** @var \SAML2\Certificate\X509 $publicKey */
        $publicKey = $keyLoader->getKeys()->getOnlyElement();

        return $publicKey->getCertificate();
    }
}


1		<?php
2
3		namespace Surfnet\StepupGateway\Behat\Controller;
4
5		use RobRichards\XMLSecLibs\XMLSecurityKey;
6		use SAML2\Assertion;
7		use SAML2\Certificate\KeyLoader;
8		use SAML2\Certificate\PrivateKeyLoader;
9		use SAML2\Configuration\PrivateKey;
10		use SAML2\Constants;
11		use SAML2\Response;
12		use SAML2\Response as SAMLResponse;
13		use SAML2\XML\saml\NameID;
14		use SAML2\XML\saml\SubjectConfirmation;
15		use SAML2\XML\saml\SubjectConfirmationData;
16		use Surfnet\SamlBundle\Http\Exception\UnsignedRequestException;
17		use Surfnet\SamlBundle\Http\ReceivedAuthnRequestQueryString;
18		use Surfnet\SamlBundle\SAML2\ReceivedAuthnRequest;
19		use Surfnet\StepupGateway\Behat\Command\LoginCommand;
20		use Symfony\Bundle\FrameworkBundle\Controller\Controller;
21		use Symfony\Component\Form\Extension\Core\Type\SubmitType;
22		use Symfony\Component\Form\Extension\Core\Type\TextType;
23		use Symfony\Component\HttpFoundation\Request;
24		use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
25
26		class IdentityProviderController extends Controller
		0 ignored issues – show Deprecated Code introduced 2021-03-02 12:48 UTC by Report Bug Copy Issue Report The class `Symfony\Bundle\Framework...e\Controller\Controller` has been deprecated with message: since Symfony 4.2, use "Symfony\Bundle\FrameworkBundle\Controller\AbstractController" instead. This class, trait or interface has been deprecated. The supplier of the file has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the type will be removed from the class and what other constant to use instead. Loading history...
27		{
28		/**
29		* Handles a SSO request
30		* @param Request $request
31		*/
32		public function ssoAction(Request $request)
33		{
34		// Receives the AuthnRequest and sends a SAML response
35		$authnRequest = $this->receiveSignedAuthnRequestFrom($request);
36		// By default render the username form
37		$loginData = new LoginCommand();
38		if ($authnRequest) {
39		$loginData->setRequestId($authnRequest->getRequestId());
40		}
41		$form = $this
42		->createFormBuilder($loginData)
43		->add('username', TextType::class)
44		->add('requestId', TextType::class)
45		->add('submit', SubmitType::class)
46		->getForm();
47
48		$form->handleRequest($request);
49
50		if ($form->isSubmitted() && $form->isValid()) {
51		$loginData = $form->getData();
52		$response = $this->createResponse(
53		'https://gateway.stepup.example.com/authentication/consume-assertion',
54		['Value' => $loginData->getUsername(), 'Format' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'],
55		$loginData->getRequestId()
56		);
57		return $this->renderSamlResponse($response);
58		}
59
60		return $this->render('@test_resources/login.html.twig', [
61		'form' => $form->createView(),
62		]);
63		}
64
65		/**
66		* Handles a GSSP SSO request
67		* @param Request $request
68		*/
69		public function gsspSsoAction(Request $request)
70		{
71		// receives the AuthnRequest and sends a SAML response
72		$authnRequest = $this->receiveSignedAuthnRequestFrom($request);
73		// Todo: For some reason, the nameId is not transpored even tho it is set on the auhtnrequest.. Figure out whats going on here and fix this.
74		// now the test will only work with one hard-coded user.
75		$response = $this->createResponse(
76		$authnRequest->getAssertionConsumerServiceURL(),
77		['Value' => 'foobar', 'Format' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'],
78		$authnRequest->getRequestId()
79		);
80		return $this->renderSamlResponse($response);
81		}
82
83		/**
84		* @param SAMLResponse $response
85		* @return \Symfony\Component\HttpFoundation\Response
86		*/
87		public function renderSamlResponse(SAMLResponse $response)
88		{
89		$parameters = [
90		'acu' => $response->getDestination(),
91		'response' => $this->getResponseAsXML($response),
92		'relayState' => ''
93		];
94
95		$response = parent::render(
		0 ignored issues – show Comprehensibility Bug introduced 2020-04-01 14:17 UTC by Report Bug Copy Issue Report It seems like you call parent on a different method (`render()` instead of `renderSamlResponse()`). Are you sure this is correct? If so, you might want to change this to `$this->render()`. This check looks for a call to a parent method whose name is different than the method from which it is called. Consider the following code: class Daddy { protected function getFirstName() { return "Eidur"; } protected function getSurName() { return "Gudjohnsen"; } } class Son { public function getFirstName() { return parent::getSurname(); } } The `getFirstName()` method in the `Son` calls the wrong method in the parent class. Loading history...
96		'SurfnetStepupGatewaySamlStepupProviderBundle:SamlProxy:consumeAssertion.html.twig',
97		$parameters
98		);
99
100		return $response;
101		}
102
103		/**
104		* @param string $destination
105		* @param string $nameId
		0 ignored issues – show Documentation introduced 2020-04-02 12:15 UTC by Report Bug Copy Issue Report Should the type for parameter `$nameId` not be `array`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
106		* @return Response
107		*/
108		public function createResponse($destination, array $nameId, $requestId)
109		{
110		$newAssertion = new Assertion();
111		$newAssertion->setNotBefore(time());
112		$newAssertion->setNotOnOrAfter(time() + (60 * 5));//
113		$newAssertion->setAttributes(['urn:mace:dir:attribute-def:eduPersonTargetedID' => [NameID::fromArray($nameId)]]);
		0 ignored issues – show Deprecated Code introduced 2020-04-02 12:15 UTC by Report Bug Copy Issue Report The method `SAML2\XML\saml\NameIDType::fromArray()` has been deprecated. This method has been deprecated. Loading history...
114		$newAssertion->setIssuer('https://idp.stepup.example.com/');
115		$newAssertion->setIssueInstant(time());
116
117		$this->signAssertion($newAssertion);
118		$this->addSubjectConfirmationFor($newAssertion, $destination, $requestId);
119		$newAssertion->setNameId($nameId);
120		$response = new SAMLResponse();
121		$response->setAssertions([$newAssertion]);
122		$response->setIssuer('https://idp.stepup.example.com/');
123		$response->setIssueInstant(time());
124		$response->setDestination($destination);
125		$response->setInResponseTo($requestId);
126		return $response;
127		}
128
129		/**
130		* @param SAMLResponse $response
131		* @return string
132		*/
133		private function getResponseAsXML(SAMLResponse $response)
134		{
135		return base64_encode($response->toUnsignedXML()->ownerDocument->saveXML());
136		}
137
138		/**
139		* @param Request $request
140		* @return string
141		*/
142		private function getFullRequestUri(Request $request)
143		{
144		return $request->getSchemeAndHttpHost() . $request->getBasePath() . $request->getRequestUri();
145		}
146
147		/**
148		* @param Request $request
149		* @return ReceivedAuthnRequest
		0 ignored issues – show Documentation introduced 2020-04-14 14:42 UTC by Report Bug Copy Issue Report Should the return type not be `ReceivedAuthnRequest\|null`? This check compares the return type specified in the `@return` annotation of a function or method doc comment with the types returned by the function and raises an issue if they mismatch. Loading history...
150		*/
151		public function receiveSignedAuthnRequestFrom(Request $request)
152		{
153		if (!$request->isMethod(Request::METHOD_GET)) {
154		return;
155		}
156
157		$requestUri = $request->getRequestUri();
158		if (strpos($requestUri, '?') === false) {
159		throw new BadRequestHttpException(
160		'Could not receive AuthnRequest from HTTP Request: expected query parameters, none found'
161		);
162		}
163
164		list(, $rawQueryString) = explode('?', $requestUri);
165		$query = ReceivedAuthnRequestQueryString::parse($rawQueryString);
166
167		if (!$query->isSigned()) {
168		throw new UnsignedRequestException('The SAMLRequest is expected to be signed but it was not');
169		}
170
171		$authnRequest = ReceivedAuthnRequest::from($query->getDecodedSamlRequest());
172
173		$currentUri = $this->getFullRequestUri($request);
174		if (!$authnRequest->getDestination() === $currentUri) {
175		throw new BadRequestHttpException(sprintf(
176		'Actual Destination "%s" does not match the AuthnRequest Destination "%s"',
177		$currentUri,
178		$authnRequest->getDestination()
179		));
180		}
181
182		return $authnRequest;
183		}
184
185		/**
186		* @param Assertion $assertion
187		* @return Assertion
188		*/
189		public function signAssertion(Assertion $assertion)
190		{
191		$assertion->setSignatureKey($this->loadPrivateKey());
192		$assertion->setCertificates([$this->getPublicCertificate()]);
193
194		return $assertion;
195		}
196
197	View Code Duplication	private function addSubjectConfirmationFor(Assertion $newAssertion, $destination, $requestId)
		0 ignored issues – show Duplication introduced 2020-04-01 14:17 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
198		{
199		$confirmation = new SubjectConfirmation();
200		$confirmation->Method = Constants::CM_BEARER;
201
202		$confirmationData = new SubjectConfirmationData();
203		$confirmationData->InResponseTo = $requestId;
204		$confirmationData->Recipient = $destination;
205		$confirmationData->NotOnOrAfter = $newAssertion->getNotOnOrAfter();
206
207		$confirmation->SubjectConfirmationData = $confirmationData;
208
209		$newAssertion->setSubjectConfirmation([$confirmation]);
210		}
211
212		/**
213		* @return XMLSecurityKey
214		*/
215	View Code Duplication	private function loadPrivateKey()
		0 ignored issues – show Duplication introduced 2020-04-02 13:17 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
216		{
217		$key = new PrivateKey('/var/www/ci/certificates/sp.pem', 'default');
218		$keyLoader = new PrivateKeyLoader();
219		$privateKey = $keyLoader->loadPrivateKey($key);
220
221		$xmlSecurityKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
222		$xmlSecurityKey->loadKey($privateKey->getKeyAsString());
223
224		return $xmlSecurityKey;
225		}
226
227		/**
228		* @return string
229		*/
230		private function getPublicCertificate()
231		{
232		$keyLoader = new KeyLoader();
233		$keyLoader->loadCertificateFile('/var/www/ci/certificates/sp.crt');
234		/** @var \SAML2\Certificate\X509 $publicKey */
235		$publicKey = $keyLoader->getKeys()->getOnlyElement();
236
237		return $publicKey->getCertificate();
238		}
239		}
240

OpenConext / Stepup-Gateway

Push — develop ( 91a0ef...68f4fc )

IdentityProviderController::loadPrivateKey() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like