ResponseContext::getAuthenticatingIdp() - Code Metrics - Inspection of "Reset the SSO cookie on every real 2FA authenticat..." - OpenConext/Stepup-Gateway - Measure and Improve Code Quality continuously with Scrutinizer

Passed
Pull Request — develop (#301)

by Michiel
created 2023-09-12 11:15 UTC
ResponseContext::getAuthenticatingIdp() A

↳ Parent: ResponseContext
Complexity

Conditions	4
Paths	4
Size

Total Lines	17
Code Lines	9
Duplication

Lines	0
Ratio	0 %
Importance

Changes
Metric	Value
cc	4
eloc	9
nc	4
nop	0
dl	0
loc	17
rs	9.9666
c	0
b	0
f	0
1 Method

Rating	Name	Duplication	Size	Complexity
A	ResponseContext::saveSelectedSecondFactor()	0	5	1
<?php

/**
 * Copyright 2014 SURFnet bv
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */


namespace Surfnet\StepupGateway\GatewayBundle\Saml;

use DateTime;
use DateTimeZone;
use DOMDocument;
use Exception;
use Psr\Log\LoggerInterface;
use SAML2\Assertion;
use SAML2\XML\saml\Issuer;
use Surfnet\SamlBundle\Entity\IdentityProvider;
use Surfnet\StepupGateway\GatewayBundle\Entity\SecondFactor;
use Surfnet\StepupGateway\GatewayBundle\Entity\ServiceProvider;
use Surfnet\StepupGateway\GatewayBundle\Saml\Exception\RuntimeException;
use Surfnet\StepupGateway\GatewayBundle\Saml\Proxy\ProxyStateHandler;
use Surfnet\StepupGateway\GatewayBundle\Service\SamlEntityService;
use Surfnet\StepupGateway\SecondFactorOnlyBundle\Adfs\Exception\AcsLocationNotAllowedException;

/**

 * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
 */

class ResponseContext
{
    /**

     * @var IdentityProvider
     */
    private $hostedIdentityProvider;


    /**

     * @var SamlEntityService
     */
    private $samlEntityService;


    /**

     * @var ProxyStateHandler
     */
    private $stateHandler;


    /**

     * @var LoggerInterface
     */
    private $logger;


    /**

     * @var DateTime
     */
    private $generationTime;


    /**

     * @var ServiceProvider
     */
    private $targetServiceProvider;


    /**

     * @throws Exception
     */
    public function __construct(
        IdentityProvider $identityProvider,
        SamlEntityService $samlEntityService,
        ProxyStateHandler $stateHandler,
        LoggerInterface $logger,
        DateTime $now = null
    ) {
        $this->hostedIdentityProvider = $identityProvider;
        $this->samlEntityService      = $samlEntityService;
        $this->stateHandler           = $stateHandler;
        $this->logger                 = $logger;
        $this->generationTime         = is_null($now) ? new DateTime('now', new DateTimeZone('UTC')): $now;
    }

    /**

     * @return string|null
     */
    public function getDestination(): ?string
    {
        $requestAcsUrl = $this->stateHandler->getRequestAssertionConsumerServiceUrl();

        return $this->getServiceProvider()->determineAcsLocation($requestAcsUrl, $this->logger);
    }

    /**

     * @return string
     * @throws AcsLocationNotAllowedException
     */
    public function getDestinationForAdfs(): string
    {
        $requestAcsUrl = $this->stateHandler->getRequestAssertionConsumerServiceUrl();

        return $this->getServiceProvider()->determineAcsLocationForAdfs($requestAcsUrl);
    }

    public function getIssuer(): Issuer

    {
        $issuer = new Issuer();
        $issuer->setValue($this->hostedIdentityProvider->getEntityId());
        $issuer->setValue(/** @scrutinizer ignore-type */ $this->hostedIdentityProvider->getEntityId());
        return $issuer;
    }

    /**

     * @return int
     */
    public function getIssueInstant(): int
    {
        return $this->generationTime->getTimestamp();
    }

    /**

     * @return null|string
     */
    public function getInResponseTo(): ?string
    {
        return $this->stateHandler->getRequestId();
    }

    /**

     * @return null|string
     */
    public function getExpectedInResponseTo(): ?string
    {
        return $this->stateHandler->getGatewayRequestId();
    }

    /**

     * @return null|string
     */
    public function getRequiredLoa(): ?string
    {
        return $this->stateHandler->getRequiredLoaIdentifier();
    }

    /**

     * @return IdentityProvider
     */
    public function getIdentityProvider(): IdentityProvider
    {
        return $this->hostedIdentityProvider;
    }

    /**

     * @return null|ServiceProvider
     */
    public function getServiceProvider(): ?ServiceProvider
    {
        if (isset($this->targetServiceProvider)) {
            return $this->targetServiceProvider;
        }

        $serviceProviderId = $this->stateHandler->getRequestServiceProvider();

        return $this->targetServiceProvider = $this->samlEntityService->getServiceProvider($serviceProviderId);
    }

    /**

     * @return null|string
     */
    public function getRelayState(): ?string
    {
        return $this->stateHandler->getRelayState();
    }

    /**

     * @param Assertion $assertion

     * @throws Exception

     */

    public function saveAssertion(Assertion $assertion): void
    {
        $this->stateHandler->saveIdentityNameId($this->resolveNameIdValue($assertion));
        // same for the entityId of the authenticating Authority
        $authenticatingAuthorities = $assertion->getAuthenticatingAuthority();
        if (!empty($authenticatingAuthorities)) {
            $this->stateHandler->setAuthenticatingIdp(reset($authenticatingAuthorities));
        }

        // And also attempt to save the user's schacHomeOrganization
        $attributes = $assertion->getAttributes();
        if (!empty($attributes['urn:mace:terena.org:attribute-def:schacHomeOrganization'])) {
            $schacHomeOrganization = $attributes['urn:mace:terena.org:attribute-def:schacHomeOrganization'];
            $this->stateHandler->setSchacHomeOrganization(reset($schacHomeOrganization));
        }

        $this->stateHandler->saveAssertion($assertion->toXML()->ownerDocument->saveXML());
        $this->stateHandler->saveAssertion($assertion->toXML()->ownerDocument->/** @scrutinizer ignore-call */ saveXML());
    }

    /**

     * @return Assertion
     * @throws Exception
     */
    public function reconstituteAssertion(): Assertion
    {
        $assertionAsXML    = $this->stateHandler->getAssertion();
        $assertionDocument = new DOMDocument();
        $assertionDocument->loadXML($assertionAsXML);

        return new Assertion($assertionDocument->documentElement);
    }

    /**

     * @return null|string
     */
    public function getIdentityNameId(): string
    {
        return $this->stateHandler->getIdentityNameId();
    }

    /**
     * Return the lower-cased schacHomeOrganization value from the assertion.
     *
     * Comparisons on SHO values should always be case-insensitive. Stepup
     * configuration always contains SHO values lower-cased, so this getter
     * can be used to compare the SHO with configured values.
     *
     * @see StepUpAuthenticationService::resolveHighestRequiredLoa()
     *
     * @return null|string
     */
    public function getNormalizedSchacHomeOrganization(): ?string
    {
        return strtolower(
            $this->stateHandler->getSchacHomeOrganization()
            /** @scrutinizer ignore-type */ $this->stateHandler->getSchacHomeOrganization()
        );
    }

    /**

     * @param SecondFactor $secondFactor

     */

    public function saveSelectedSecondFactor(SecondFactor $secondFactor): void
    {
        $this->stateHandler->setSelectedSecondFactorId($secondFactor->secondFactorId);
        $this->stateHandler->setSecondFactorVerified(false);
        $this->stateHandler->setPreferredLocale($secondFactor->displayLocale);
    }

    /**

     * @return null|string
     */
    public function getSelectedSecondFactor(): ?string
    {
        return $this->stateHandler->getSelectedSecondFactorId();
    }

    public function markSecondFactorVerified(): void

    {
        $this->stateHandler->setSecondFactorVerified(true);
    }

    public function finalizeAuthentication(): void

    {
        // The second factor ID is used right before sending the response to verify if the SSO on
        // 2FA cookies Second Factor is still known on the platform Thats why it is forgotten at
        // this point during authentication.
        $this->stateHandler->setSelectedSecondFactorId(null);
        // Right before sending the response, we check if we need to update the SSO on 2FA cookie
        // One of the triggers for storing a new cookie is if the authentication was performed with
        // a real Second Factor token. That's why this value is purged from state at this very late
        // point in time.
        $this->stateHandler->setVerifiedBySsoOn2faCookie(null);
    }

    /**

     * @return bool
     */
    public function isSecondFactorVerified(): bool
    {
        return $this->stateHandler->getSelectedSecondFactorId() && $this->stateHandler->isSecondFactorVerified();
    }

    public function getResponseAction(): ?string

    {
        return $this->stateHandler->getResponseAction();
    }

    /**
     * Resets some state after the response is sent
     * (e.g. resets which second factor was selected and whether it was verified).
     */

    public function responseSent()
    {
        $this->stateHandler->setSecondFactorVerified(false);
        $this->stateHandler->setSsoOn2faCookieFingerprint('');
    }

    /**
     * Retrieve the ResponseContextServiceId from state
     *
     * Used to determine we are dealing with an SFO or regular authentication. Both have different ResponseContext
     * instances, and it's imperative that successive consumers use the correct service.
     *
     * @return string|null
     */
    public function getResponseContextServiceId(): ?string
    {
        return $this->stateHandler->getResponseContextServiceId();
    }

    /**

     * Either gets the internal-collabPersonId if present or falls back on the regular name id attribute
     * @throws Exception

     */

    private function resolveNameIdValue(Assertion $assertion): string

    {
        $attributes = $assertion->getAttributes();
        if (array_key_exists('urn:mace:surf.nl:attribute-def:internal-collabPersonId', $attributes)) {
            return reset($attributes['urn:mace:surf.nl:attribute-def:internal-collabPersonId']);
        }
        $nameId = $assertion->getNameId();
        if ($nameId && is_string($nameId->getValue())) {
            return $nameId->getValue();
        }

        throw new RuntimeException('Unable to resolve an identifier from internalCollabPersonId or the Subject NameId');
    }

    public function isForceAuthn(): bool

    {
        return $this->stateHandler->isForceAuthn();
    }

    public function markVerifiedBySsoOn2faCookie(string $fingerprint)

    {
        $this->logger->notice('Marking markVerifiedBySsoOn2faCookie');
        $this->stateHandler->setVerifiedBySsoOn2faCookie(true);
        $this->stateHandler->setSsoOn2faCookieFingerprint($fingerprint);
    }

    public function isVerifiedBySsoOn2faCookie(): bool

    {
        $isVerified = $this->stateHandler->isVerifiedBySsoOn2faCookie() ? 'YES': 'NO';
        $this->logger->notice(sprintf('Read isVerifiedBySsoOn2faCookie %s', $isVerified));
        return $this->stateHandler->isVerifiedBySsoOn2faCookie();
    }
}

OpenConext / Stepup-Gateway

Pull Request — develop (#301)

ResponseContext::getAuthenticatingIdp() A

Complexity

Size

Duplication

Importance

1 Method

Duplication Side-by-Side

Filter issues like
