CommandAuthorizationService::determineRaRole() - Code Metrics - Inspection of "Allow language switching from SelfService" - OpenConext/Stepup-Middleware - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — bugfix/allow-locale-preference... ( 38bd7e...fabbc1 )

by Michiel

created 2020-02-18 10:52 UTC

CommandAuthorizationService::determineRaRole() A

↳ Parent: CommandAuthorizationService::isSraa()

Complexity

Conditions	3
Paths	2

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	14
rs	9.7998
c	0
b	0
f	0
cc	3
nc	2
nop	1

<?php
/**
 * Copyright 2010 SURFnet B.V.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace Surfnet\StepupMiddleware\ApiBundle\Authorization\Service;

use Psr\Log\LoggerInterface;
use Surfnet\Stepup\Configuration\Value\InstitutionRole;
use Surfnet\Stepup\Identity\Value\IdentityId;
use Surfnet\Stepup\Identity\Value\Institution;
use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\IdentityService;
use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\WhitelistService;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\Command;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\RaExecutable;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\SelfServiceExecutable;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\CreateIdentityCommand;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\ExpressLocalePreferenceCommand;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\RevokeRegistrantsSecondFactorCommand;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\UpdateIdentityCommand;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\VetSecondFactorCommand;

/**
 * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
 */
class CommandAuthorizationService
{

    /**
     * @var WhitelistService
     */
    private $whitelistService;
    /**
     * @var IdentityService
     */
    private $identityService;
    /**
     * @var AuthorizationContextService
     */
    private $authorizationContextService;
    /**
     * @var LoggerInterface
     */
    private $logger;

    public function __construct(
        WhitelistService $whitelistService,
        IdentityService $identityService,
        LoggerInterface $logger,
        AuthorizationContextService $authorizationContextService
    ) {
        $this->logger = $logger;
        $this->authorizationContextService = $authorizationContextService;
        $this->whitelistService = $whitelistService;
        $this->identityService = $identityService;
    }

    /**
     * @param Institution $institution
     * @param IdentityId|null $actorId
     * @return bool
     */
    public function isInstitutionWhitelisted(Institution $institution, IdentityId $actorId = null)
    {
        // If the actor is SRAA all actions should be allowed
        if (!is_null($actorId) && $this->isSraa($actorId)) {
            return true;
        }

        if ($this->whitelistService->isWhitelisted($institution->getInstitution())) {

            return true;
        }

        return false;
    }

    /**
     * @param Command $command
     * @param IdentityId|null $actorId
     * @return bool
     */
    public function maySelfServiceCommandBeExecutedOnBehalfOf(Command $command, IdentityId $actorId = null)
    {
        // Assert self service command could be executed
        if ($command instanceof SelfServiceExecutable) {
            $this->logger->notice('Asserting a SelfService command');

            // If the actor is SRAA all actions should be allowed
            if ($this->isSraa($actorId)) {
                return true;
            }

            // the CreateIdentityCommand is used to create an Identity for a new user,
            // the UpdateIdentityCommand is used to update name or email of an identity
            // Both are only sent by the SS when the Identity is not logged in yet,
            // thus there is not Metadata::actorInstitution,
            if ($command instanceof CreateIdentityCommand || $command instanceof UpdateIdentityCommand) {
                return true;
            }

            // Validate if the actor is the user
            if ($command->getIdentityId() !== $actorId->getIdentityId()) {
function someFunction(A $objectMaybe = null)
{
    if ($objectMaybe instanceof A) {
        $objectMaybe->doSomething();
    }
}
                return false;
            }
        }

        return true;
    }

    /**
     * @SuppressWarnings(PHPMD.CyclomaticComplexity) - To keep the method readable, increased CC is allowed
     * @param Command $command
     * @param IdentityId|null $actorId
     * @param Institution|null $actorInstitution
     * @return bool
     */
    public function mayRaCommandBeExecutedOnBehalfOf(Command $command, IdentityId $actorId = null, Institution $actorInstitution = null)
    {
        // Assert RAA specific authorizations
        if ($command instanceof RaExecutable) {
            $this->logger->notice('Asserting a RA command');

            // No additional FGA authorization is required for this shared (SS/RA) command
            if ($command instanceof ExpressLocalePreferenceCommand) {
                return true;
            }

            // The actor metadata should be set
            if (is_null($actorId) || is_null($actorInstitution)) {
                return false;
            }

            // If the actor is SRAA all actions should be allowed
            if ($this->isSraa($actorId)) {
                return true;
            }

            $raInstitution = $command->getRaInstitution();
            if (is_null($raInstitution)) {
                $raInstitution = $actorInstitution->getInstitution();
            }

            $role = InstitutionRole::useRaa();

            // the VetSecondFactorCommand is used to vet a second factor for a user
            // the RevokeRegistrantsSecondFactorCommand is used to revoke a user's secondfactor
            // Both are only sent by the RA where the minimal role requirement is RA
            // all the other actions require RAA rights
            if ($command instanceof VetSecondFactorCommand || $command instanceof RevokeRegistrantsSecondFactorCommand) {
                $role = InstitutionRole::useRa();
            }

            $authorizationContext = $this->authorizationContextService->buildInstitutionAuthorizationContext(
                $actorId,
                $role
            );

            if (!$authorizationContext->getInstitutions()->contains(new Institution($raInstitution))) {
                return false;
            }
        }

        return true;
    }

    /**
     * @param IdentityId|null $actorId
     * @return bool
     */
    private function isSraa(IdentityId $actorId = null)
    {
        if (is_null($actorId)) {
            return false;
        }

        $registrationAuthorityCredentials = $this->identityService->findRegistrationAuthorityCredentialsOf($actorId->getIdentityId());
        if (!$registrationAuthorityCredentials) {
            return false;
        }

        if (!$registrationAuthorityCredentials->isSraa()) {

            return false;
        }

        return true;
    }
}


1			<?php
2			/**
3			* Copyright 2010 SURFnet B.V.
4			*
5			* Licensed under the Apache License, Version 2.0 (the "License");
6			* you may not use this file except in compliance with the License.
7			* You may obtain a copy of the License at
8			*
9			* http://www.apache.org/licenses/LICENSE-2.0
10			*
11			* Unless required by applicable law or agreed to in writing, software
12			* distributed under the License is distributed on an "AS IS" BASIS,
13			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14			* See the License for the specific language governing permissions and
15			* limitations under the License.
16			*/
17
18			namespace Surfnet\StepupMiddleware\ApiBundle\Authorization\Service;
19
20			use Psr\Log\LoggerInterface;
21			use Surfnet\Stepup\Configuration\Value\InstitutionRole;
22			use Surfnet\Stepup\Identity\Value\IdentityId;
23			use Surfnet\Stepup\Identity\Value\Institution;
24			use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\IdentityService;
25			use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\WhitelistService;
26			use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\Command;
27			use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\RaExecutable;
28			use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\SelfServiceExecutable;
29			use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\CreateIdentityCommand;
30			use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\ExpressLocalePreferenceCommand;
31			use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\RevokeRegistrantsSecondFactorCommand;
32			use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\UpdateIdentityCommand;
33			use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\VetSecondFactorCommand;
34
35			/**
36			* @SuppressWarnings(PHPMD.CouplingBetweenObjects)
37			*/
38			class CommandAuthorizationService
39			{
40
41			/**
42			* @var WhitelistService
43			*/
44			private $whitelistService;
45			/**
46			* @var IdentityService
47			*/
48			private $identityService;
49			/**
50			* @var AuthorizationContextService
51			*/
52			private $authorizationContextService;
53			/**
54			* @var LoggerInterface
55			*/
56			private $logger;
57
58			public function __construct(
59			WhitelistService $whitelistService,
60			IdentityService $identityService,
61			LoggerInterface $logger,
62			AuthorizationContextService $authorizationContextService
63			) {
64			$this->logger = $logger;
65			$this->authorizationContextService = $authorizationContextService;
66			$this->whitelistService = $whitelistService;
67			$this->identityService = $identityService;
68			}
69
70			/**
71			* @param Institution $institution
72			* @param IdentityId\|null $actorId
73			* @return bool
74			*/
75			public function isInstitutionWhitelisted(Institution $institution, IdentityId $actorId = null)
76			{
77			// If the actor is SRAA all actions should be allowed
78			if (!is_null($actorId) && $this->isSraa($actorId)) {
79			return true;
80			}
81
82			if ($this->whitelistService->isWhitelisted($institution->getInstitution())) {
			0 ignored issues – show Unused Code introduced 2020-01-21 10:14 UTC by Report Bug Copy Issue Report This `if` statement, and the following `return` statement can be replaced with `return $this->whitelistS...ion->getInstitution());`. Loading history...
83			return true;
84			}
85
86			return false;
87			}
88
89			/**
90			* @param Command $command
91			* @param IdentityId\|null $actorId
92			* @return bool
93			*/
94			public function maySelfServiceCommandBeExecutedOnBehalfOf(Command $command, IdentityId $actorId = null)
95			{
96			// Assert self service command could be executed
97			if ($command instanceof SelfServiceExecutable) {
98			$this->logger->notice('Asserting a SelfService command');
99
100			// If the actor is SRAA all actions should be allowed
101			if ($this->isSraa($actorId)) {
102			return true;
103			}
104
105			// the CreateIdentityCommand is used to create an Identity for a new user,
106			// the UpdateIdentityCommand is used to update name or email of an identity
107			// Both are only sent by the SS when the Identity is not logged in yet,
108			// thus there is not Metadata::actorInstitution,
109			if ($command instanceof CreateIdentityCommand \|\| $command instanceof UpdateIdentityCommand) {
110			return true;
111			}
112
113			// Validate if the actor is the user
114			if ($command->getIdentityId() !== $actorId->getIdentityId()) {
			0 ignored issues – show Bug introduced 2020-01-21 10:14 UTC by Report Bug Copy Issue Report It seems like `$actorId` is not always an object, but can also be of type `null`. Maybe add an additional type check? If a variable is not always an object, we recommend to add an additional type check to ensure your method call is safe: function someFunction(A $objectMaybe = null) { if ($objectMaybe instanceof A) { $objectMaybe->doSomething(); } } Loading history...
115			return false;
116			}
117			}
118
119			return true;
120			}
121
122			/**
123			* @SuppressWarnings(PHPMD.CyclomaticComplexity) - To keep the method readable, increased CC is allowed
124			* @param Command $command
125			* @param IdentityId\|null $actorId
126			* @param Institution\|null $actorInstitution
127			* @return bool
128			*/
129			public function mayRaCommandBeExecutedOnBehalfOf(Command $command, IdentityId $actorId = null, Institution $actorInstitution = null)
130			{
131			// Assert RAA specific authorizations
132			if ($command instanceof RaExecutable) {
133			$this->logger->notice('Asserting a RA command');
134
135			// No additional FGA authorization is required for this shared (SS/RA) command
136			if ($command instanceof ExpressLocalePreferenceCommand) {
137			return true;
138			}
139
140			// The actor metadata should be set
141			if (is_null($actorId) \|\| is_null($actorInstitution)) {
142			return false;
143			}
144
145			// If the actor is SRAA all actions should be allowed
146			if ($this->isSraa($actorId)) {
147			return true;
148			}
149
150			$raInstitution = $command->getRaInstitution();
151			if (is_null($raInstitution)) {
152			$raInstitution = $actorInstitution->getInstitution();
153			}
154
155			$role = InstitutionRole::useRaa();
156
157			// the VetSecondFactorCommand is used to vet a second factor for a user
158			// the RevokeRegistrantsSecondFactorCommand is used to revoke a user's secondfactor
159			// Both are only sent by the RA where the minimal role requirement is RA
160			// all the other actions require RAA rights
161			if ($command instanceof VetSecondFactorCommand \|\| $command instanceof RevokeRegistrantsSecondFactorCommand) {
162			$role = InstitutionRole::useRa();
163			}
164
165			$authorizationContext = $this->authorizationContextService->buildInstitutionAuthorizationContext(
166			$actorId,
167			$role
168			);
169
170			if (!$authorizationContext->getInstitutions()->contains(new Institution($raInstitution))) {
171			return false;
172			}
173			}
174
175			return true;
176			}
177
178			/**
179			* @param IdentityId\|null $actorId
180			* @return bool
181			*/
182			private function isSraa(IdentityId $actorId = null)
183			{
184			if (is_null($actorId)) {
185			return false;
186			}
187
188			$registrationAuthorityCredentials = $this->identityService->findRegistrationAuthorityCredentialsOf($actorId->getIdentityId());
189			if (!$registrationAuthorityCredentials) {
190			return false;
191			}
192
193			if (!$registrationAuthorityCredentials->isSraa()) {
			0 ignored issues – show Unused Code introduced 2020-01-09 10:47 UTC by Report Bug Copy Issue Report This `if` statement, and the following `return` statement can be replaced with `return $registrationAuth...yCredentials->isSraa();`. Loading history...
194			return false;
195			}
196
197			return true;
198			}
199			}
200

OpenConext / Stepup-Middleware

Push — bugfix/allow-locale-preference... ( 38bd7e...fabbc1 )

CommandAuthorizationService::determineRaRole() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like