SamlProxyController - Code Metrics - Inspection of "Merge pull request #156 from OpenConext/feature/fi..." - OpenConext/Stepup-Gateway - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — develop ( 172608...37dcd5 )

unknown

created 2018-04-17 05:03 UTC

SamlProxyController C

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	393
Duplicated Lines	3.31 %

Coupling/Cohesion

Components	1
Dependencies	22

Importance

Changes

Metric	Value
wmc	23
lcom	1
cbo	22
dl	13
loc	393
rs	5.7894
c	0
b	0
f	0

13 Methods

Rating	Name	Duplication	Size	Complexity
A	singleSignOnAction()	0	74	3
B	sendSecondFactorVerificationAuthnRequestAction()	0	34	1
A	metadataAction()	0	9	1
A	getProvider()	0	13	2
C	consumeAssertionAction()	0	83	7
A	getDestination()	0	12	2
A	renderSamlResponse()	13	13	1
A	render()	0	8	1
A	getResponseAsXML()	0	4	1
A	createResponseFailureResponse()	0	7	1
A	createAuthnFailedResponse()	0	10	1
A	createResponse()	0	10	1
A	getServiceProvider()	0	8	1

How to fix Duplicated Code

<?php

/**
 * Copyright 2014 SURFnet bv
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace Surfnet\StepupGateway\SamlStepupProviderBundle\Controller;

use DateTime;
use Exception;
use SAML2\Constants;
use SAML2\Response as SAMLResponse;
use Surfnet\SamlBundle\Http\XMLResponse;
use Surfnet\SamlBundle\SAML2\AuthnRequest;
use Surfnet\SamlBundle\SAML2\AuthnRequestFactory;
use Surfnet\StepupGateway\GatewayBundle\Saml\AssertionAdapter;
use Surfnet\StepupGateway\GatewayBundle\Saml\Exception\UnknownInResponseToException;
use Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider;
use Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\StateHandler;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

/**
 * Handling of GSSP registration and verification.
 *
 * See docs/GatewayState.md for a high-level diagram on how this controller
 * interacts with outside actors and other parts of Stepup.
 *
 * Should be refactored, {@see https://www.pivotaltracker.com/story/show/90169776}
 *
 * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
 * @SuppressWarnings(PHPMD.NPathComplexity)
 */
class SamlProxyController extends Controller
{
    /**
     * Proxy a GSSP authentication request to the remote GSSP SSO endpoint.
     *
     * The user is about to be sent to the remote GSSP application. An authn
     * request was created in ::sendSecondFactorVerificationAuthnRequestAction() and this method
     * proxies the authn request to the remote SSO URL. The remote application
     * will send an assertion back to consumeAssertionAction().
     *
     * @param string  $provider
     * @param Request $httpRequest
     * @return \Symfony\Component\HttpFoundation\RedirectResponse|\Symfony\Component\HttpFoundation\Response
     */
    public function singleSignOnAction($provider, Request $httpRequest)
    {
        $provider = $this->getProvider($provider);

        /** @var \Psr\Log\LoggerInterface $logger */
        $logger = $this->get('logger');
        $logger->notice('Received AuthnRequest, started processing');

        /** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
        $redirectBinding = $this->get('surfnet_saml.http.redirect_binding');

        $originalRequest = $redirectBinding->processSignedRequest($httpRequest);

        $originalRequestId = $originalRequest->getRequestId();
        $logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
        $logger->notice(sprintf(
            'AuthnRequest processing complete, received AuthnRequest from "%s", request ID: "%s"',
            $originalRequest->getServiceProvider(),
            $originalRequest->getRequestId()
        ));

        $logger->debug('Checking if SP "%s" is supported');
        /**
         * @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders

         */
        $connectedServiceProviders = $this->get('gssp.connected_service_providers');
        if (!$connectedServiceProviders->isConnected($originalRequest->getServiceProvider())) {

            $logger->warning(sprintf(
                'Received AuthnRequest from SP "%s", while SP is not allowed to use this for SSO',
                $originalRequest->getServiceProvider()
            ));

            throw new AccessDeniedHttpException();
        }

        /** @var StateHandler $stateHandler */
        $stateHandler = $provider->getStateHandler();

        // Clear the state of the previous SSO action. Request data of
        // previous SSO actions should not have any effect in subsequent SSO
        // actions.
        $stateHandler->clear();

        $stateHandler
            ->setRequestId($originalRequestId)
            ->setRequestServiceProvider($originalRequest->getServiceProvider())

            ->setRelayState($httpRequest->get(AuthnRequest::PARAMETER_RELAY_STATE, ''));

        $proxyRequest = AuthnRequestFactory::createNewRequest(
            $provider->getServiceProvider(),
            $provider->getRemoteIdentityProvider()
        );

        // if a Specific subject is given to authenticate we should proxy that and verify in the response
        // that that subject indeed was authenticated
        $nameId = $originalRequest->getNameId();
        if ($nameId) {
            $proxyRequest->setSubject($nameId, $originalRequest->getNameIdFormat());
            $stateHandler->setSubject($nameId);
        }

        $proxyRequest->setScoping([$originalRequest->getServiceProvider()]);
        $stateHandler->setGatewayRequestId($proxyRequest->getRequestId());

        $logger->notice(sprintf(
            'Sending Proxy AuthnRequest with request ID: "%s" for original AuthnRequest "%s" to GSSP "%s" at "%s"',
            $proxyRequest->getRequestId(),
            $originalRequest->getRequestId(),
            $provider->getName(),
            $provider->getRemoteIdentityProvider()->getSsoUrl()
        ));

        return $redirectBinding->createResponseFor($proxyRequest);
    }

    /**
     * Start a GSSP single sign-on.
     *
     * The user has selected a second factor token and the token happens to be
     * a GSSP token. The SecondFactorController therefor did an internal
     * redirect (see SecondFactorController::verifyGssfAction) to this method.
     *
     * In this method, an authn request is created. This authn request is not
     * sent directly to the GSSP SSO URL, but proxied trough the gateway first
     * (see SamlProxyController::ssoAction).
     *
     * @param $provider
     * @param $subjectNameId
     * @return \Symfony\Component\HttpFoundation\RedirectResponse
     */
    public function sendSecondFactorVerificationAuthnRequestAction($provider, $subjectNameId)
    {
        $provider = $this->getProvider($provider);
        $stateHandler = $provider->getStateHandler();

        $originalRequestId = $this->get('gateway.proxy.response_context')->getInResponseTo();

        $authnRequest = AuthnRequestFactory::createNewRequest(
            $provider->getServiceProvider(),
            $provider->getRemoteIdentityProvider()
        );
        $authnRequest->setSubject($subjectNameId);

        $stateHandler
            ->setRequestId($originalRequestId)
            ->setGatewayRequestId($authnRequest->getRequestId())
            ->setSubject($subjectNameId)
            ->markRequestAsSecondFactorVerification();

        /** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
        $logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
        $logger->notice(sprintf(
            'Sending AuthnRequest to verify Second Factor with request ID: "%s" to GSSP "%s" at "%s" for subject "%s"',
            $authnRequest->getRequestId(),
            $provider->getName(),
            $provider->getRemoteIdentityProvider()->getSsoUrl(),
            $subjectNameId
        ));

        /** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
        $redirectBinding = $this->get('surfnet_saml.http.redirect_binding');

        return $redirectBinding->createResponseFor($authnRequest);
    }

    /**
     * Process an assertion received from the remote GSSP application.
     *
     * The GSSP application sent an assertion back to the gateway. When
     * successful, the user is sent back to the
     * SecondFactorController:gssfVerifiedAction.
     *
     * @param string  $provider
     * @param Request $httpRequest
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function consumeAssertionAction($provider, Request $httpRequest)
    {
        $provider = $this->getProvider($provider);
        $stateHandler = $provider->getStateHandler();
        $originalRequestId = $stateHandler->getRequestId();

        /** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
        $logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);

        $action = $stateHandler->hasSubject() ? 'Second Factor Verification' : 'Proxy Response';
        $logger->notice(
            sprintf('Received SAMLResponse, attempting to process for %s', $action)
        );

        try {
            /** @var \SAML2\Assertion $assertion */
            $assertion = $this->get('surfnet_saml.http.post_binding')->processResponse(
                $httpRequest,
                $provider->getRemoteIdentityProvider(),
                $provider->getServiceProvider()
            );
        } catch (Exception $exception) {
            $logger->error(sprintf('Could not process received Response, error: "%s"', $exception->getMessage()));

            $response = $this->createResponseFailureResponse(
                $provider,
                $this->getDestination($provider->getStateHandler())
            );

            return $this->renderSamlResponse('consumeAssertion', $stateHandler, $response);
        }

        $adaptedAssertion = new AssertionAdapter($assertion);
        $expectedResponse = $stateHandler->getGatewayRequestId();
        if (!$adaptedAssertion->inResponseToMatches($expectedResponse)) {
            throw new UnknownInResponseToException(
                $adaptedAssertion->getInResponseTo(),
                $expectedResponse
            );
        }

        $authenticatedNameId = $assertion->getNameId();
        $isSubjectRequested = $stateHandler->hasSubject();
        if ($isSubjectRequested && ($stateHandler->getSubject() !== $authenticatedNameId->value)) {
            $logger->critical(sprintf(
                'Requested Subject NameID "%s" and Response NameID "%s" do not match',
                $stateHandler->getSubject(),
                $authenticatedNameId->value
            ));

            return $this->renderSamlResponse(
                'recoverableError',
                $stateHandler,
                $this->createAuthnFailedResponse(
                    $provider,
                    $this->getDestination($provider->getStateHandler())
                )
            );
        }

        $logger->notice('Successfully processed SAMLResponse');

        if ($stateHandler->secondFactorVerificationRequested()) {
            $logger->notice(
                'Second Factor verification was requested and was successful, forwarding to SecondFactor handling'
            );

            return $this->forward('SurfnetStepupGatewayGatewayBundle:SecondFactor:gssfVerified');
        }

        /** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\ProxyResponseFactory $proxyResponseFactory */
        $targetServiceProvider = $this->getServiceProvider($stateHandler->getRequestServiceProvider());
        $proxyResponseFactory = $this->get('gssp.provider.' . $provider->getName() . '.response_proxy');
        $response             = $proxyResponseFactory->createProxyResponse($assertion, $targetServiceProvider);

        $logger->notice(sprintf(
            'Responding to request "%s" with response based on response from the remote IdP with response "%s"',
            $stateHandler->getRequestId(),
            $response->getId()
        ));

        return $this->renderSamlResponse('consumeAssertion', $stateHandler, $response);
    }

    /**
     * @param string $provider
     * @return XMLResponse
     */
    public function metadataAction($provider)
    {
        $provider = $this->getProvider($provider);

        /** @var \Surfnet\SamlBundle\Metadata\MetadataFactory $factory */
        $factory = $this->get('gssp.provider.' . $provider->getName() . '.metadata.factory');

        return new XMLResponse($factory->generate());
    }

    /**
     * @param string $provider
     * @return \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider
     */
    private function getProvider($provider)
    {
        /** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ProviderRepository $providerRepository */
        $providerRepository = $this->get('gssp.provider_repository');

        if (!$providerRepository->has($provider)) {
            throw new NotFoundHttpException(
                sprintf('Requested GSSP "%s" does not exist or is not registered', $provider)
            );
        }

        return $providerRepository->get($provider);
    }

    /**
     * @param StateHandler $stateHandler
     * @return string
     */
    private function getDestination(StateHandler $stateHandler)
    {
        if ($stateHandler->secondFactorVerificationRequested()) {
            $destination = $this->get('gateway.proxy.response_context')->getDestination();
        } else {
            $destination = $this->getServiceProvider(
                $stateHandler->getRequestServiceProvider()
            )->getAssertionConsumerUrl();
        }

        return $destination;
    }

    /**
     * @param string         $view
     * @param StateHandler   $stateHandler
     * @param SAMLResponse $response
     * @return Response
     */
    public function renderSamlResponse($view, StateHandler $stateHandler, SAMLResponse $response)

    {
        $response = $this->render($view, [
            'acu'        => $response->getDestination(),
            'response'   => $this->getResponseAsXML($response),
            'relayState' => $stateHandler->getRelayState()
        ]);

        // clear the state so we can call again :)
        $stateHandler->clear();

        return $response;
    }

    /**
     * @param string   $view
     * @param array    $parameters
     * @param Response $response

     * @return Response
     */
    public function render($view, array $parameters = array(), Response $response = null)
    {
        return parent::render(
            'SurfnetStepupGatewaySamlStepupProviderBundle:SamlProxy:' . $view . '.html.twig',
            $parameters,
            $response
        );
    }

    /**
     * @param SAMLResponse $response
     * @return string
     */
    private function getResponseAsXML(SAMLResponse $response)
    {
        return base64_encode($response->toUnsignedXML()->ownerDocument->saveXML());
    }

    /**
     * Response that indicates that an error occurred in the responder (the gateway). Used to indicate that we could
     * not process the response we received from the upstream GSSP
     *
     * @param Provider $provider
     * @param string $destination
     * @return SAMLResponse
     */
    private function createResponseFailureResponse(Provider $provider, $destination)
    {
        $response = $this->createResponse($provider, $destination);
        $response->setStatus(['Code' => Constants::STATUS_RESPONDER]);

        return $response;
    }

    /**
     * Response that indicates that the authentication could not be performed correctly. In this context it means
     * that the upstream GSSP did not responsd with the same NameID as we request to authenticate in the AuthnRequest
     *
     * @param Provider $provider
     * @param string $destination
     * @return SAMLResponse
     */
    private function createAuthnFailedResponse(Provider $provider, $destination)
    {
        $response = $this->createResponse($provider, $destination);
        $response->setStatus([
            'Code'    => Constants::STATUS_RESPONDER,
            'SubCode' => Constants::STATUS_AUTHN_FAILED
        ]);

        return $response;
    }

    /**
     * Creates a standard response with default status Code (success)
     *
     * @param Provider $provider
     * @param string $destination
     * @return SAMLResponse
     */
    private function createResponse(Provider $provider, $destination)
    {
        $response = new SAMLResponse();
        $response->setDestination($destination);
        $response->setIssuer($provider->getIdentityProvider()->getEntityId());
        $response->setIssueInstant((new DateTime('now'))->getTimestamp());
        $response->setInResponseTo($provider->getStateHandler()->getRequestId());

        return $response;
    }

    /**
     * @param string $serviceProvider
     * @return \Surfnet\SamlBundle\Entity\ServiceProvider
     */
    private function getServiceProvider($serviceProvider)
    {
        /**
         * @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders

         */
        $connectedServiceProviders = $this->get('gssp.connected_service_providers');
        return $connectedServiceProviders->getConfigurationOf($serviceProvider);
    }
}


1		<?php
2
3		/**
4		* Copyright 2014 SURFnet bv
5		*
6		* Licensed under the Apache License, Version 2.0 (the "License");
7		* you may not use this file except in compliance with the License.
8		* You may obtain a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing, software
13		* distributed under the License is distributed on an "AS IS" BASIS,
14		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15		* See the License for the specific language governing permissions and
16		* limitations under the License.
17		*/
18
19		namespace Surfnet\StepupGateway\SamlStepupProviderBundle\Controller;
20
21		use DateTime;
22		use Exception;
23		use SAML2\Constants;
24		use SAML2\Response as SAMLResponse;
25		use Surfnet\SamlBundle\Http\XMLResponse;
26		use Surfnet\SamlBundle\SAML2\AuthnRequest;
27		use Surfnet\SamlBundle\SAML2\AuthnRequestFactory;
28		use Surfnet\StepupGateway\GatewayBundle\Saml\AssertionAdapter;
29		use Surfnet\StepupGateway\GatewayBundle\Saml\Exception\UnknownInResponseToException;
30		use Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider;
31		use Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\StateHandler;
32		use Symfony\Bundle\FrameworkBundle\Controller\Controller;
33		use Symfony\Component\HttpFoundation\Request;
34		use Symfony\Component\HttpFoundation\Response;
35		use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
36		use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
37
38		/**
39		* Handling of GSSP registration and verification.
40		*
41		* See docs/GatewayState.md for a high-level diagram on how this controller
42		* interacts with outside actors and other parts of Stepup.
43		*
44		* Should be refactored, {@see https://www.pivotaltracker.com/story/show/90169776}
45		*
46		* @SuppressWarnings(PHPMD.CouplingBetweenObjects)
47		* @SuppressWarnings(PHPMD.NPathComplexity)
48		*/
49		class SamlProxyController extends Controller
50		{
51		/**
52		* Proxy a GSSP authentication request to the remote GSSP SSO endpoint.
53		*
54		* The user is about to be sent to the remote GSSP application. An authn
55		* request was created in ::sendSecondFactorVerificationAuthnRequestAction() and this method
56		* proxies the authn request to the remote SSO URL. The remote application
57		* will send an assertion back to consumeAssertionAction().
58		*
59		* @param string $provider
60		* @param Request $httpRequest
61		* @return \Symfony\Component\HttpFoundation\RedirectResponse\|\Symfony\Component\HttpFoundation\Response
62		*/
63		public function singleSignOnAction($provider, Request $httpRequest)
64		{
65		$provider = $this->getProvider($provider);
66
67		/** @var \Psr\Log\LoggerInterface $logger */
68		$logger = $this->get('logger');
69		$logger->notice('Received AuthnRequest, started processing');
70
71		/** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
72		$redirectBinding = $this->get('surfnet_saml.http.redirect_binding');
73
74		$originalRequest = $redirectBinding->processSignedRequest($httpRequest);
75
76		$originalRequestId = $originalRequest->getRequestId();
77		$logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
78		$logger->notice(sprintf(
79		'AuthnRequest processing complete, received AuthnRequest from "%s", request ID: "%s"',
80		$originalRequest->getServiceProvider(),
81		$originalRequest->getRequestId()
82		));
83
84		$logger->debug('Checking if SP "%s" is supported');
85		/**
86		* @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders
		0 ignored issues – show Coding Style introduced 2016-04-29 09:07 UTC by Report Bug Copy Issue Report This line exceeds maximum limit of 120 characters; contains 125 characters Overly long lines are hard to read on any screen. Most code styles therefor impose a maximum limit on the number of characters in a line. Loading history...
87		*/
88		$connectedServiceProviders = $this->get('gssp.connected_service_providers');
89		if (!$connectedServiceProviders->isConnected($originalRequest->getServiceProvider())) {
		0 ignored issues – show Bug introduced 2018-01-16 13:09 UTC by Report Bug Copy Issue Report It seems like `$originalRequest->getServiceProvider()` targeting `Surfnet\SamlBundle\SAML2...t::getServiceProvider()` can also be of type `null` or `object<SAML2\XML\saml\Issuer>`; however, `Surfnet\StepupGateway\Sa...roviders::isConnected()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
90		$logger->warning(sprintf(
91		'Received AuthnRequest from SP "%s", while SP is not allowed to use this for SSO',
92		$originalRequest->getServiceProvider()
93		));
94
95		throw new AccessDeniedHttpException();
96		}
97
98		/** @var StateHandler $stateHandler */
99		$stateHandler = $provider->getStateHandler();
100
101		// Clear the state of the previous SSO action. Request data of
102		// previous SSO actions should not have any effect in subsequent SSO
103		// actions.
104		$stateHandler->clear();
105
106		$stateHandler
107		->setRequestId($originalRequestId)
108		->setRequestServiceProvider($originalRequest->getServiceProvider())
		0 ignored issues – show Bug introduced 2018-01-16 13:09 UTC by Report Bug Copy Issue Report It seems like `$originalRequest->getServiceProvider()` targeting `Surfnet\SamlBundle\SAML2...t::getServiceProvider()` can also be of type `null` or `object<SAML2\XML\saml\Issuer>`; however, `Surfnet\StepupGateway\Ga...equestServiceProvider()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
109		->setRelayState($httpRequest->get(AuthnRequest::PARAMETER_RELAY_STATE, ''));
110
111		$proxyRequest = AuthnRequestFactory::createNewRequest(
112		$provider->getServiceProvider(),
113		$provider->getRemoteIdentityProvider()
114		);
115
116		// if a Specific subject is given to authenticate we should proxy that and verify in the response
117		// that that subject indeed was authenticated
118		$nameId = $originalRequest->getNameId();
119		if ($nameId) {
120		$proxyRequest->setSubject($nameId, $originalRequest->getNameIdFormat());
121		$stateHandler->setSubject($nameId);
122		}
123
124		$proxyRequest->setScoping([$originalRequest->getServiceProvider()]);
125		$stateHandler->setGatewayRequestId($proxyRequest->getRequestId());
126
127		$logger->notice(sprintf(
128		'Sending Proxy AuthnRequest with request ID: "%s" for original AuthnRequest "%s" to GSSP "%s" at "%s"',
129		$proxyRequest->getRequestId(),
130		$originalRequest->getRequestId(),
131		$provider->getName(),
132		$provider->getRemoteIdentityProvider()->getSsoUrl()
133		));
134
135		return $redirectBinding->createResponseFor($proxyRequest);
136		}
137
138		/**
139		* Start a GSSP single sign-on.
140		*
141		* The user has selected a second factor token and the token happens to be
142		* a GSSP token. The SecondFactorController therefor did an internal
143		* redirect (see SecondFactorController::verifyGssfAction) to this method.
144		*
145		* In this method, an authn request is created. This authn request is not
146		* sent directly to the GSSP SSO URL, but proxied trough the gateway first
147		* (see SamlProxyController::ssoAction).
148		*
149		* @param $provider
150		* @param $subjectNameId
151		* @return \Symfony\Component\HttpFoundation\RedirectResponse
152		*/
153		public function sendSecondFactorVerificationAuthnRequestAction($provider, $subjectNameId)
154		{
155		$provider = $this->getProvider($provider);
156		$stateHandler = $provider->getStateHandler();
157
158		$originalRequestId = $this->get('gateway.proxy.response_context')->getInResponseTo();
159
160		$authnRequest = AuthnRequestFactory::createNewRequest(
161		$provider->getServiceProvider(),
162		$provider->getRemoteIdentityProvider()
163		);
164		$authnRequest->setSubject($subjectNameId);
165
166		$stateHandler
167		->setRequestId($originalRequestId)
168		->setGatewayRequestId($authnRequest->getRequestId())
169		->setSubject($subjectNameId)
170		->markRequestAsSecondFactorVerification();
171
172		/** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
173		$logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
174		$logger->notice(sprintf(
175		'Sending AuthnRequest to verify Second Factor with request ID: "%s" to GSSP "%s" at "%s" for subject "%s"',
176		$authnRequest->getRequestId(),
177		$provider->getName(),
178		$provider->getRemoteIdentityProvider()->getSsoUrl(),
179		$subjectNameId
180		));
181
182		/** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */
183		$redirectBinding = $this->get('surfnet_saml.http.redirect_binding');
184
185		return $redirectBinding->createResponseFor($authnRequest);
186		}
187
188		/**
189		* Process an assertion received from the remote GSSP application.
190		*
191		* The GSSP application sent an assertion back to the gateway. When
192		* successful, the user is sent back to the
193		* SecondFactorController:gssfVerifiedAction.
194		*
195		* @param string $provider
196		* @param Request $httpRequest
197		* @return \Symfony\Component\HttpFoundation\Response
198		*/
199		public function consumeAssertionAction($provider, Request $httpRequest)
200		{
201		$provider = $this->getProvider($provider);
202		$stateHandler = $provider->getStateHandler();
203		$originalRequestId = $stateHandler->getRequestId();
204
205		/** @var \Surfnet\SamlBundle\Monolog\SamlAuthenticationLogger $logger */
206		$logger = $this->get('surfnet_saml.logger')->forAuthentication($originalRequestId);
207
208		$action = $stateHandler->hasSubject() ? 'Second Factor Verification' : 'Proxy Response';
209		$logger->notice(
210		sprintf('Received SAMLResponse, attempting to process for %s', $action)
211		);
212
213		try {
214		/** @var \SAML2\Assertion $assertion */
215		$assertion = $this->get('surfnet_saml.http.post_binding')->processResponse(
216		$httpRequest,
217		$provider->getRemoteIdentityProvider(),
218		$provider->getServiceProvider()
219		);
220		} catch (Exception $exception) {
221		$logger->error(sprintf('Could not process received Response, error: "%s"', $exception->getMessage()));
222
223		$response = $this->createResponseFailureResponse(
224		$provider,
225		$this->getDestination($provider->getStateHandler())
226		);
227
228		return $this->renderSamlResponse('consumeAssertion', $stateHandler, $response);
229		}
230
231		$adaptedAssertion = new AssertionAdapter($assertion);
232		$expectedResponse = $stateHandler->getGatewayRequestId();
233		if (!$adaptedAssertion->inResponseToMatches($expectedResponse)) {
234		throw new UnknownInResponseToException(
235		$adaptedAssertion->getInResponseTo(),
236		$expectedResponse
237		);
238		}
239
240		$authenticatedNameId = $assertion->getNameId();
241		$isSubjectRequested = $stateHandler->hasSubject();
242		if ($isSubjectRequested && ($stateHandler->getSubject() !== $authenticatedNameId->value)) {
243		$logger->critical(sprintf(
244		'Requested Subject NameID "%s" and Response NameID "%s" do not match',
245		$stateHandler->getSubject(),
246		$authenticatedNameId->value
247		));
248
249		return $this->renderSamlResponse(
250		'recoverableError',
251		$stateHandler,
252		$this->createAuthnFailedResponse(
253		$provider,
254		$this->getDestination($provider->getStateHandler())
255		)
256		);
257		}
258
259		$logger->notice('Successfully processed SAMLResponse');
260
261		if ($stateHandler->secondFactorVerificationRequested()) {
262		$logger->notice(
263		'Second Factor verification was requested and was successful, forwarding to SecondFactor handling'
264		);
265
266		return $this->forward('SurfnetStepupGatewayGatewayBundle:SecondFactor:gssfVerified');
267		}
268
269		/** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Saml\ProxyResponseFactory $proxyResponseFactory */
270		$targetServiceProvider = $this->getServiceProvider($stateHandler->getRequestServiceProvider());
271		$proxyResponseFactory = $this->get('gssp.provider.' . $provider->getName() . '.response_proxy');
272		$response = $proxyResponseFactory->createProxyResponse($assertion, $targetServiceProvider);
273
274		$logger->notice(sprintf(
275		'Responding to request "%s" with response based on response from the remote IdP with response "%s"',
276		$stateHandler->getRequestId(),
277		$response->getId()
278		));
279
280		return $this->renderSamlResponse('consumeAssertion', $stateHandler, $response);
281		}
282
283		/**
284		* @param string $provider
285		* @return XMLResponse
286		*/
287		public function metadataAction($provider)
288		{
289		$provider = $this->getProvider($provider);
290
291		/** @var \Surfnet\SamlBundle\Metadata\MetadataFactory $factory */
292		$factory = $this->get('gssp.provider.' . $provider->getName() . '.metadata.factory');
293
294		return new XMLResponse($factory->generate());
295		}
296
297		/**
298		* @param string $provider
299		* @return \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\Provider
300		*/
301		private function getProvider($provider)
302		{
303		/** @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ProviderRepository $providerRepository */
304		$providerRepository = $this->get('gssp.provider_repository');
305
306		if (!$providerRepository->has($provider)) {
307		throw new NotFoundHttpException(
308		sprintf('Requested GSSP "%s" does not exist or is not registered', $provider)
309		);
310		}
311
312		return $providerRepository->get($provider);
313		}
314
315		/**
316		* @param StateHandler $stateHandler
317		* @return string
318		*/
319		private function getDestination(StateHandler $stateHandler)
320		{
321		if ($stateHandler->secondFactorVerificationRequested()) {
322		$destination = $this->get('gateway.proxy.response_context')->getDestination();
323		} else {
324		$destination = $this->getServiceProvider(
325		$stateHandler->getRequestServiceProvider()
326		)->getAssertionConsumerUrl();
327		}
328
329		return $destination;
330		}
331
332		/**
333		* @param string $view
334		* @param StateHandler $stateHandler
335		* @param SAMLResponse $response
336		* @return Response
337		*/
338	View Code Duplication	public function renderSamlResponse($view, StateHandler $stateHandler, SAMLResponse $response)
		0 ignored issues – show Duplication introduced 2017-08-01 06:56 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
339		{
340		$response = $this->render($view, [
341		'acu' => $response->getDestination(),
342		'response' => $this->getResponseAsXML($response),
343		'relayState' => $stateHandler->getRelayState()
344		]);
345
346		// clear the state so we can call again :)
347		$stateHandler->clear();
348
349		return $response;
350		}
351
352		/**
353		* @param string $view
354		* @param array $parameters
355		* @param Response $response
		0 ignored issues – show Documentation introduced 2015-12-15 13:35 UTC by Report Bug Copy Issue Report Should the type for parameter `$response` not be `null\|Response`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
356		* @return Response
357		*/
358		public function render($view, array $parameters = array(), Response $response = null)
359		{
360		return parent::render(
361		'SurfnetStepupGatewaySamlStepupProviderBundle:SamlProxy:' . $view . '.html.twig',
362		$parameters,
363		$response
364		);
365		}
366
367		/**
368		* @param SAMLResponse $response
369		* @return string
370		*/
371		private function getResponseAsXML(SAMLResponse $response)
372		{
373		return base64_encode($response->toUnsignedXML()->ownerDocument->saveXML());
374		}
375
376		/**
377		* Response that indicates that an error occurred in the responder (the gateway). Used to indicate that we could
378		* not process the response we received from the upstream GSSP
379		*
380		* @param Provider $provider
381		* @param string $destination
382		* @return SAMLResponse
383		*/
384		private function createResponseFailureResponse(Provider $provider, $destination)
385		{
386		$response = $this->createResponse($provider, $destination);
387		$response->setStatus(['Code' => Constants::STATUS_RESPONDER]);
388
389		return $response;
390		}
391
392		/**
393		* Response that indicates that the authentication could not be performed correctly. In this context it means
394		* that the upstream GSSP did not responsd with the same NameID as we request to authenticate in the AuthnRequest
395		*
396		* @param Provider $provider
397		* @param string $destination
398		* @return SAMLResponse
399		*/
400		private function createAuthnFailedResponse(Provider $provider, $destination)
401		{
402		$response = $this->createResponse($provider, $destination);
403		$response->setStatus([
404		'Code' => Constants::STATUS_RESPONDER,
405		'SubCode' => Constants::STATUS_AUTHN_FAILED
406		]);
407
408		return $response;
409		}
410
411		/**
412		* Creates a standard response with default status Code (success)
413		*
414		* @param Provider $provider
415		* @param string $destination
416		* @return SAMLResponse
417		*/
418		private function createResponse(Provider $provider, $destination)
419		{
420		$response = new SAMLResponse();
421		$response->setDestination($destination);
422		$response->setIssuer($provider->getIdentityProvider()->getEntityId());
423		$response->setIssueInstant((new DateTime('now'))->getTimestamp());
424		$response->setInResponseTo($provider->getStateHandler()->getRequestId());
425
426		return $response;
427		}
428
429		/**
430		* @param string $serviceProvider
431		* @return \Surfnet\SamlBundle\Entity\ServiceProvider
432		*/
433		private function getServiceProvider($serviceProvider)
434		{
435		/**
436		* @var \Surfnet\StepupGateway\SamlStepupProviderBundle\Provider\ConnectedServiceProviders $connectedServiceProviders
		0 ignored issues – show Coding Style introduced 2016-04-29 09:07 UTC by Report Bug Copy Issue Report This line exceeds maximum limit of 120 characters; contains 125 characters Overly long lines are hard to read on any screen. Most code styles therefor impose a maximum limit on the number of characters in a line. Loading history...
437		*/
438		$connectedServiceProviders = $this->get('gssp.connected_service_providers');
439		return $connectedServiceProviders->getConfigurationOf($serviceProvider);
440		}
441		}
442

OpenConext / Stepup-Gateway

Push — develop ( 172608...37dcd5 )

SamlProxyController C

Complexity

Size/Duplication

Coupling/Cohesion

Importance

13 Methods

How to fix Duplicated Code

Duplicated Code

Duplication Side-by-Side

Filter issues like