IdentityProviderController::ssoAction() - Code Metrics - Inspection of "Feature/run selenium tests poc" - OpenConext/Stepup-Gateway - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — feature/create-sfo-behat-test (#192)

unknown

created 2020-04-03 12:09 UTC

IdentityProviderController::ssoAction() A

↳ Parent: IdentityProviderController

Complexity

Conditions	1
Paths	1

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	13
rs	9.8333
c	0
b	0
f	0
cc	1
nc	1
nop	1

<?php

namespace Surfnet\StepupGateway\Behat\Controller;

use RobRichards\XMLSecLibs\XMLSecurityKey;
use SAML2\Assertion;
use SAML2\Certificate\KeyLoader;
use SAML2\Certificate\PrivateKeyLoader;
use SAML2\Configuration\PrivateKey;
use SAML2\Constants;
use SAML2\Response;
use SAML2\Response as SAMLResponse;
use SAML2\XML\saml\NameID;
use SAML2\XML\saml\SubjectConfirmation;
use SAML2\XML\saml\SubjectConfirmationData;
use Surfnet\SamlBundle\Http\Exception\UnsignedRequestException;
use Surfnet\SamlBundle\Http\ReceivedAuthnRequestQueryString;
use Surfnet\SamlBundle\SAML2\ReceivedAuthnRequest;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;

class IdentityProviderController extends Controller
{
    /**
     * Handles a SSO request
     * @param Request $request
     */
    public function ssoAction(Request $request)
    {
        // receives the AuthnRequest and sends a SAML response
        $authnRequest = $this->receiveSignedAuthnRequestFrom($request);
        // Todo: For some reason, the nameId is not transpored even tho it is set on the auhtnrequest.. Figure out whats going on here and fix this.
        // now the test will only work with one hard-coded user.
        $response = $this->createResponse(
            'https://gateway.stepup.example.com/authentication/consume-assertion',
            ['Value' => 'urn:collab:person:stepup.example.com:john_haack', 'Format' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'],
            $authnRequest->getRequestId()
        );
        return $this->renderSamlResponse($response);
    }

    /**
     * @param SAMLResponse $response
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function renderSamlResponse(SAMLResponse $response)
    {
        $parameters = [
            'acu' => $response->getDestination(),
            'response' => $this->getResponseAsXML($response),
            'relayState' => ''
        ];

        $response = parent::render(
class Daddy
{
    protected function getFirstName()
    {
        return "Eidur";
    }

    protected function getSurName()
    {
        return "Gudjohnsen";
    }
}

class Son
{
    public function getFirstName()
    {
        return parent::getSurname();
    }
}
            'SurfnetStepupGatewaySamlStepupProviderBundle:SamlProxy:consumeAssertion.html.twig',
            $parameters
        );

        return $response;
    }

    /**
     * @param string $destination
     * @param string $nameId

     * @return Response
     */
    public function createResponse($destination, array $nameId, $requestId)
    {
        $newAssertion = new Assertion();
        $newAssertion->setNotBefore(time());
        $newAssertion->setNotOnOrAfter(time() + (60 * 5));//
        $newAssertion->setAttributes(['urn:mace:dir:attribute-def:eduPersonTargetedID' => [NameID::fromArray($nameId)]]);

        $newAssertion->setIssuer('https://idp.stepup.example.com/');
        $newAssertion->setIssueInstant(time());

        $this->signAssertion($newAssertion);
        $this->addSubjectConfirmationFor($newAssertion, $destination, $requestId);
        $newAssertion->setNameId($nameId);
        $response = new SAMLResponse();
        $response->setAssertions([$newAssertion]);
        $response->setIssuer('https://idp.stepup.example.com/');
        $response->setIssueInstant(time());
        $response->setDestination($destination);
        $response->setInResponseTo($requestId);
        return $response;
    }

    /**
     * @param SAMLResponse $response
     * @return string
     */
    private function getResponseAsXML(SAMLResponse $response)
    {
        return base64_encode($response->toUnsignedXML()->ownerDocument->saveXML());
    }

    /**
     * @param Request $request
     * @return string
     */
    private function getFullRequestUri(Request $request)
    {
        return $request->getSchemeAndHttpHost() . $request->getBasePath() . $request->getRequestUri();
    }

    /**
     * @param Request $request
     * @return ReceivedAuthnRequest
     */
    public function receiveSignedAuthnRequestFrom(Request $request)
    {
        if (!$request->isMethod(Request::METHOD_GET)) {
            throw new BadRequestHttpException(sprintf(
                'Could not receive AuthnRequest from HTTP Request: expected a GET method, got %s',
                $request->getMethod()
            ));
        }

        $requestUri = $request->getRequestUri();
        if (strpos($requestUri, '?') === false) {
            throw new BadRequestHttpException(
                'Could not receive AuthnRequest from HTTP Request: expected query parameters, none found'
            );
        }

        list(, $rawQueryString) = explode('?', $requestUri);
        $query = ReceivedAuthnRequestQueryString::parse($rawQueryString);

        if (!$query->isSigned()) {
            throw new UnsignedRequestException('The SAMLRequest is expected to be signed but it was not');
        }

        $authnRequest = ReceivedAuthnRequest::from($query->getDecodedSamlRequest());

        $currentUri = $this->getFullRequestUri($request);
        if (!$authnRequest->getDestination() === $currentUri) {
            throw new BadRequestHttpException(sprintf(
                'Actual Destination "%s" does not match the AuthnRequest Destination "%s"',
                $currentUri,
                $authnRequest->getDestination()
            ));
        }

        return $authnRequest;
    }

    /**
     * @param Assertion $assertion
     * @return Assertion
     */
    public function signAssertion(Assertion $assertion)
    {
        $assertion->setSignatureKey($this->loadPrivateKey());
        $assertion->setCertificates([$this->getPublicCertificate()]);

        return $assertion;
    }

    private function addSubjectConfirmationFor(Assertion $newAssertion, $destination, $requestId)

    {
        $confirmation = new SubjectConfirmation();
        $confirmation->Method = Constants::CM_BEARER;

        $confirmationData                      = new SubjectConfirmationData();
        $confirmationData->InResponseTo        = $requestId;
        $confirmationData->Recipient           = $destination;
        $confirmationData->NotOnOrAfter        = $newAssertion->getNotOnOrAfter();

        $confirmation->SubjectConfirmationData = $confirmationData;

        $newAssertion->setSubjectConfirmation([$confirmation]);
    }

    /**
     * @return XMLSecurityKey
     */
    private function loadPrivateKey()

    {
        $key        = new PrivateKey('/var/www/ci/certificates/sp.pem', 'default');
        $keyLoader  = new PrivateKeyLoader();
        $privateKey = $keyLoader->loadPrivateKey($key);

        $xmlSecurityKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
        $xmlSecurityKey->loadKey($privateKey->getKeyAsString());

        return $xmlSecurityKey;
    }

    /**
     * @return string
     */
    private function getPublicCertificate()
    {
        $keyLoader = new KeyLoader();
        $keyLoader->loadCertificateFile('/var/www/ci/certificates/sp.crt');
        /** @var \SAML2\Certificate\X509 $publicKey */
        $publicKey = $keyLoader->getKeys()->getOnlyElement();

        return $publicKey->getCertificate();
    }
}


1		<?php
2
3		namespace Surfnet\StepupGateway\Behat\Controller;
4
5		use RobRichards\XMLSecLibs\XMLSecurityKey;
6		use SAML2\Assertion;
7		use SAML2\Certificate\KeyLoader;
8		use SAML2\Certificate\PrivateKeyLoader;
9		use SAML2\Configuration\PrivateKey;
10		use SAML2\Constants;
11		use SAML2\Response;
12		use SAML2\Response as SAMLResponse;
13		use SAML2\XML\saml\NameID;
14		use SAML2\XML\saml\SubjectConfirmation;
15		use SAML2\XML\saml\SubjectConfirmationData;
16		use Surfnet\SamlBundle\Http\Exception\UnsignedRequestException;
17		use Surfnet\SamlBundle\Http\ReceivedAuthnRequestQueryString;
18		use Surfnet\SamlBundle\SAML2\ReceivedAuthnRequest;
19		use Symfony\Bundle\FrameworkBundle\Controller\Controller;
20		use Symfony\Component\HttpFoundation\Request;
21		use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
22
23		class IdentityProviderController extends Controller
24		{
25		/**
26		* Handles a SSO request
27		* @param Request $request
28		*/
29		public function ssoAction(Request $request)
30		{
31		// receives the AuthnRequest and sends a SAML response
32		$authnRequest = $this->receiveSignedAuthnRequestFrom($request);
33		// Todo: For some reason, the nameId is not transpored even tho it is set on the auhtnrequest.. Figure out whats going on here and fix this.
34		// now the test will only work with one hard-coded user.
35		$response = $this->createResponse(
36		'https://gateway.stepup.example.com/authentication/consume-assertion',
37		['Value' => 'urn:collab:person:stepup.example.com:john_haack', 'Format' => 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'],
38		$authnRequest->getRequestId()
39		);
40		return $this->renderSamlResponse($response);
41		}
42
43		/**
44		* @param SAMLResponse $response
45		* @return \Symfony\Component\HttpFoundation\Response
46		*/
47		public function renderSamlResponse(SAMLResponse $response)
48		{
49		$parameters = [
50		'acu' => $response->getDestination(),
51		'response' => $this->getResponseAsXML($response),
52		'relayState' => ''
53		];
54
55		$response = parent::render(
		0 ignored issues – show Comprehensibility Bug introduced 2020-04-01 14:17 UTC by Report Bug Copy Issue Report It seems like you call parent on a different method (`render()` instead of `renderSamlResponse()`). Are you sure this is correct? If so, you might want to change this to `$this->render()`. This check looks for a call to a parent method whose name is different than the method from which it is called. Consider the following code: class Daddy { protected function getFirstName() { return "Eidur"; } protected function getSurName() { return "Gudjohnsen"; } } class Son { public function getFirstName() { return parent::getSurname(); } } The `getFirstName()` method in the `Son` calls the wrong method in the parent class. Loading history...
56		'SurfnetStepupGatewaySamlStepupProviderBundle:SamlProxy:consumeAssertion.html.twig',
57		$parameters
58		);
59
60		return $response;
61		}
62
63		/**
64		* @param string $destination
65		* @param string $nameId
		0 ignored issues – show Documentation introduced 2020-04-02 12:15 UTC by Report Bug Copy Issue Report Should the type for parameter `$nameId` not be `array`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
66		* @return Response
67		*/
68		public function createResponse($destination, array $nameId, $requestId)
69		{
70		$newAssertion = new Assertion();
71		$newAssertion->setNotBefore(time());
72		$newAssertion->setNotOnOrAfter(time() + (60 * 5));//
73		$newAssertion->setAttributes(['urn:mace:dir:attribute-def:eduPersonTargetedID' => [NameID::fromArray($nameId)]]);
		0 ignored issues – show Deprecated Code introduced 2020-04-02 12:15 UTC by Report Bug Copy Issue Report The method `SAML2\XML\saml\NameIDType::fromArray()` has been deprecated. This method has been deprecated. Loading history...
74		$newAssertion->setIssuer('https://idp.stepup.example.com/');
75		$newAssertion->setIssueInstant(time());
76
77		$this->signAssertion($newAssertion);
78		$this->addSubjectConfirmationFor($newAssertion, $destination, $requestId);
79		$newAssertion->setNameId($nameId);
80		$response = new SAMLResponse();
81		$response->setAssertions([$newAssertion]);
82		$response->setIssuer('https://idp.stepup.example.com/');
83		$response->setIssueInstant(time());
84		$response->setDestination($destination);
85		$response->setInResponseTo($requestId);
86		return $response;
87		}
88
89		/**
90		* @param SAMLResponse $response
91		* @return string
92		*/
93		private function getResponseAsXML(SAMLResponse $response)
94		{
95		return base64_encode($response->toUnsignedXML()->ownerDocument->saveXML());
96		}
97
98		/**
99		* @param Request $request
100		* @return string
101		*/
102		private function getFullRequestUri(Request $request)
103		{
104		return $request->getSchemeAndHttpHost() . $request->getBasePath() . $request->getRequestUri();
105		}
106
107		/**
108		* @param Request $request
109		* @return ReceivedAuthnRequest
110		*/
111		public function receiveSignedAuthnRequestFrom(Request $request)
112		{
113		if (!$request->isMethod(Request::METHOD_GET)) {
114		throw new BadRequestHttpException(sprintf(
115		'Could not receive AuthnRequest from HTTP Request: expected a GET method, got %s',
116		$request->getMethod()
117		));
118		}
119
120		$requestUri = $request->getRequestUri();
121		if (strpos($requestUri, '?') === false) {
122		throw new BadRequestHttpException(
123		'Could not receive AuthnRequest from HTTP Request: expected query parameters, none found'
124		);
125		}
126
127		list(, $rawQueryString) = explode('?', $requestUri);
128		$query = ReceivedAuthnRequestQueryString::parse($rawQueryString);
129
130		if (!$query->isSigned()) {
131		throw new UnsignedRequestException('The SAMLRequest is expected to be signed but it was not');
132		}
133
134		$authnRequest = ReceivedAuthnRequest::from($query->getDecodedSamlRequest());
135
136		$currentUri = $this->getFullRequestUri($request);
137		if (!$authnRequest->getDestination() === $currentUri) {
138		throw new BadRequestHttpException(sprintf(
139		'Actual Destination "%s" does not match the AuthnRequest Destination "%s"',
140		$currentUri,
141		$authnRequest->getDestination()
142		));
143		}
144
145		return $authnRequest;
146		}
147
148		/**
149		* @param Assertion $assertion
150		* @return Assertion
151		*/
152		public function signAssertion(Assertion $assertion)
153		{
154		$assertion->setSignatureKey($this->loadPrivateKey());
155		$assertion->setCertificates([$this->getPublicCertificate()]);
156
157		return $assertion;
158		}
159
160	View Code Duplication	private function addSubjectConfirmationFor(Assertion $newAssertion, $destination, $requestId)
		0 ignored issues – show Duplication introduced 2020-04-01 14:17 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
161		{
162		$confirmation = new SubjectConfirmation();
163		$confirmation->Method = Constants::CM_BEARER;
164
165		$confirmationData = new SubjectConfirmationData();
166		$confirmationData->InResponseTo = $requestId;
167		$confirmationData->Recipient = $destination;
168		$confirmationData->NotOnOrAfter = $newAssertion->getNotOnOrAfter();
169
170		$confirmation->SubjectConfirmationData = $confirmationData;
171
172		$newAssertion->setSubjectConfirmation([$confirmation]);
173		}
174
175		/**
176		* @return XMLSecurityKey
177		*/
178	View Code Duplication	private function loadPrivateKey()
		0 ignored issues – show Duplication introduced 2020-04-02 13:17 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
179		{
180		$key = new PrivateKey('/var/www/ci/certificates/sp.pem', 'default');
181		$keyLoader = new PrivateKeyLoader();
182		$privateKey = $keyLoader->loadPrivateKey($key);
183
184		$xmlSecurityKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA256, ['type' => 'private']);
185		$xmlSecurityKey->loadKey($privateKey->getKeyAsString());
186
187		return $xmlSecurityKey;
188		}
189
190		/**
191		* @return string
192		*/
193		private function getPublicCertificate()
194		{
195		$keyLoader = new KeyLoader();
196		$keyLoader->loadCertificateFile('/var/www/ci/certificates/sp.crt');
197		/** @var \SAML2\Certificate\X509 $publicKey */
198		$publicKey = $keyLoader->getKeys()->getOnlyElement();
199
200		return $publicKey->getCertificate();
201		}
202		}
203

OpenConext / Stepup-Gateway

Pull Request — feature/create-sfo-behat-test (#192)

IdentityProviderController::ssoAction() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like