CommandAuthorizationService::determineRaRole() - Code Metrics - Inspection of "Allow language switching from SelfService" - OpenConext/Stepup-Middleware - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — bugfix/allow-locale-preference... ( e97d0f...38bd7e )

by Michiel

created 2020-02-18 09:55 UTC

CommandAuthorizationService::determineRaRole() A

↳ Parent: CommandAuthorizationService

Complexity

Conditions	3
Paths	2

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	14
rs	9.7998
c	0
b	0
f	0
cc	3
nc	2
nop	1

<?php
/**
 * Copyright 2010 SURFnet B.V.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace Surfnet\StepupMiddleware\ApiBundle\Authorization\Service;

use Psr\Log\LoggerInterface;
use Surfnet\Stepup\Configuration\Value\InstitutionRole;
use Surfnet\Stepup\Identity\Value\IdentityId;
use Surfnet\Stepup\Identity\Value\Institution;
use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\IdentityService;
use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\WhitelistService;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\Command;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\RaExecutable;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\SelfServiceExecutable;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\CreateIdentityCommand;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\ExpressLocalePreferenceCommand;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\RevokeRegistrantsSecondFactorCommand;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\UpdateIdentityCommand;
use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\VetSecondFactorCommand;

/**
 * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
 */
class CommandAuthorizationService
{
    /**
     * @var WhitelistService
     */
    private $whitelistService;
    /**
     * @var IdentityService
     */
    private $identityService;
    /**
     * @var AuthorizationContextService
     */
    private $authorizationContextService;
    /**
     * @var LoggerInterface
     */
    private $logger;

    public function __construct(
        WhitelistService $whitelistService,
        IdentityService $identityService,
        LoggerInterface $logger,
        AuthorizationContextService $authorizationContextService
    ) {
        $this->logger = $logger;
        $this->authorizationContextService = $authorizationContextService;
        $this->whitelistService = $whitelistService;
        $this->identityService = $identityService;
    }

    /**
     * @param Institution $institution
     * @param IdentityId|null $actorId
     * @return bool
     */
    public function isInstitutionWhitelisted(Institution $institution, IdentityId $actorId = null)
    {
        // If the actor is SRAA all actions should be allowed
        if (!is_null($actorId) && $this->isSraa($actorId)) {
            return true;
        }

        if ($this->whitelistService->isWhitelisted($institution->getInstitution())) {

            return true;
        }

        return false;
    }

    /**
     * @param Command $command
     * @param IdentityId|null $actorId
     * @return bool
     */
    public function maySelfServiceCommandBeExecutedOnBehalfOf(Command $command, IdentityId $actorId = null)
    {
        // Assert self service command could be executed
        if ($command instanceof SelfServiceExecutable) {
            $this->logger->notice('Asserting a SelfService command');

            // If the actor is SRAA all actions should be allowed
            if ($this->isSraa($actorId)) {
                return true;
            }

            // the CreateIdentityCommand is used to create an Identity for a new user,
            // the UpdateIdentityCommand is used to update name or email of an identity
            // Both are only sent by the SS when the Identity is not logged in yet,
            // thus there is not Metadata::actorInstitution,
            if ($command instanceof CreateIdentityCommand || $command instanceof UpdateIdentityCommand) {
                return true;
            }

            // Validate if the actor is the user
            if ($command->getIdentityId() !== $actorId->getIdentityId()) {
function someFunction(A $objectMaybe = null)
{
    if ($objectMaybe instanceof A) {
        $objectMaybe->doSomething();
    }
}
                return false;
            }
        }

        return true;
    }

    /**
     * @param Command $command
     * @param IdentityId|null $actorId
     * @param Institution|null $actorInstitution
     * @return bool
     */
    public function mayRaCommandBeExecutedOnBehalfOf(Command $command, IdentityId $actorId = null, Institution $actorInstitution = null)
    {
        // Assert RAA specific authorizations
        if ($command instanceof RaExecutable) {
            $this->logger->notice('Asserting a RA command');

            // The actor metadata should be set
            if (is_null($actorId) || is_null($actorInstitution)) {
                return false;
            }

            // If the actor is SRAA all actions should be allowed
            if ($this->isSraa($actorId) || $this->isSharedCommand($command)) {
                return true;
            }

            $raInstitution = $command->getRaInstitution();
            if (is_null($raInstitution)) {
                $raInstitution = $actorInstitution->getInstitution();
            }

            $authorizationContext = $this->authorizationContextService->buildInstitutionAuthorizationContext(
                $actorId,
                $this->determineRaRole($command)
            );

            if (!$authorizationContext->getInstitutions()->contains(new Institution($raInstitution))) {
                return false;
            }
        }

        return true;
    }

    /**
     * @param IdentityId|null $actorId
     * @return bool
     */
    private function isSraa(IdentityId $actorId = null)
    {
        if (is_null($actorId)) {
            return false;
        }

        $registrationAuthorityCredentials = $this->identityService->findRegistrationAuthorityCredentialsOf($actorId->getIdentityId());
        if (!$registrationAuthorityCredentials) {
            return false;
        }

        if (!$registrationAuthorityCredentials->isSraa()) {

            return false;
        }

        return true;
    }

    private function determineRaRole($command)
    {
        $role = InstitutionRole::useRaa();

        // the VetSecondFactorCommand is used to vet a second factor for a user
        // the RevokeRegistrantsSecondFactorCommand is used to revoke a user's secondfactor
        // Both are only sent by the RA where the minimal role requirement is RA
        // all the other actions require RAA rights
        if ($command instanceof VetSecondFactorCommand || $command instanceof RevokeRegistrantsSecondFactorCommand) {
            $role = InstitutionRole::useRa();
        }

        return $role;
    }

    private function isSharedCommand(Command $command)
    {
        // No additional FGA authz is required for this shared (SS/RA) command
        return $command instanceof ExpressLocalePreferenceCommand;
    }
}


1			<?php
2			/**
3			* Copyright 2010 SURFnet B.V.
4			*
5			* Licensed under the Apache License, Version 2.0 (the "License");
6			* you may not use this file except in compliance with the License.
7			* You may obtain a copy of the License at
8			*
9			* http://www.apache.org/licenses/LICENSE-2.0
10			*
11			* Unless required by applicable law or agreed to in writing, software
12			* distributed under the License is distributed on an "AS IS" BASIS,
13			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14			* See the License for the specific language governing permissions and
15			* limitations under the License.
16			*/
17
18			namespace Surfnet\StepupMiddleware\ApiBundle\Authorization\Service;
19
20			use Psr\Log\LoggerInterface;
21			use Surfnet\Stepup\Configuration\Value\InstitutionRole;
22			use Surfnet\Stepup\Identity\Value\IdentityId;
23			use Surfnet\Stepup\Identity\Value\Institution;
24			use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\IdentityService;
25			use Surfnet\StepupMiddleware\ApiBundle\Identity\Service\WhitelistService;
26			use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\Command;
27			use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\RaExecutable;
28			use Surfnet\StepupMiddleware\CommandHandlingBundle\Command\SelfServiceExecutable;
29			use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\CreateIdentityCommand;
30			use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\ExpressLocalePreferenceCommand;
31			use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\RevokeRegistrantsSecondFactorCommand;
32			use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\UpdateIdentityCommand;
33			use Surfnet\StepupMiddleware\CommandHandlingBundle\Identity\Command\VetSecondFactorCommand;
34
35			/**
36			* @SuppressWarnings(PHPMD.CouplingBetweenObjects)
37			*/
38			class CommandAuthorizationService
39			{
40			/**
41			* @var WhitelistService
42			*/
43			private $whitelistService;
44			/**
45			* @var IdentityService
46			*/
47			private $identityService;
48			/**
49			* @var AuthorizationContextService
50			*/
51			private $authorizationContextService;
52			/**
53			* @var LoggerInterface
54			*/
55			private $logger;
56
57			public function __construct(
58			WhitelistService $whitelistService,
59			IdentityService $identityService,
60			LoggerInterface $logger,
61			AuthorizationContextService $authorizationContextService
62			) {
63			$this->logger = $logger;
64			$this->authorizationContextService = $authorizationContextService;
65			$this->whitelistService = $whitelistService;
66			$this->identityService = $identityService;
67			}
68
69			/**
70			* @param Institution $institution
71			* @param IdentityId\|null $actorId
72			* @return bool
73			*/
74			public function isInstitutionWhitelisted(Institution $institution, IdentityId $actorId = null)
75			{
76			// If the actor is SRAA all actions should be allowed
77			if (!is_null($actorId) && $this->isSraa($actorId)) {
78			return true;
79			}
80
81			if ($this->whitelistService->isWhitelisted($institution->getInstitution())) {
			0 ignored issues – show Unused Code introduced 2020-01-21 10:14 UTC by Report Bug Copy Issue Report This `if` statement, and the following `return` statement can be replaced with `return $this->whitelistS...ion->getInstitution());`. Loading history...
82			return true;
83			}
84
85			return false;
86			}
87
88			/**
89			* @param Command $command
90			* @param IdentityId\|null $actorId
91			* @return bool
92			*/
93			public function maySelfServiceCommandBeExecutedOnBehalfOf(Command $command, IdentityId $actorId = null)
94			{
95			// Assert self service command could be executed
96			if ($command instanceof SelfServiceExecutable) {
97			$this->logger->notice('Asserting a SelfService command');
98
99			// If the actor is SRAA all actions should be allowed
100			if ($this->isSraa($actorId)) {
101			return true;
102			}
103
104			// the CreateIdentityCommand is used to create an Identity for a new user,
105			// the UpdateIdentityCommand is used to update name or email of an identity
106			// Both are only sent by the SS when the Identity is not logged in yet,
107			// thus there is not Metadata::actorInstitution,
108			if ($command instanceof CreateIdentityCommand \|\| $command instanceof UpdateIdentityCommand) {
109			return true;
110			}
111
112			// Validate if the actor is the user
113			if ($command->getIdentityId() !== $actorId->getIdentityId()) {
			0 ignored issues – show Bug introduced 2020-01-21 10:14 UTC by Report Bug Copy Issue Report It seems like `$actorId` is not always an object, but can also be of type `null`. Maybe add an additional type check? If a variable is not always an object, we recommend to add an additional type check to ensure your method call is safe: function someFunction(A $objectMaybe = null) { if ($objectMaybe instanceof A) { $objectMaybe->doSomething(); } } Loading history...
114			return false;
115			}
116			}
117
118			return true;
119			}
120
121			/**
122			* @param Command $command
123			* @param IdentityId\|null $actorId
124			* @param Institution\|null $actorInstitution
125			* @return bool
126			*/
127			public function mayRaCommandBeExecutedOnBehalfOf(Command $command, IdentityId $actorId = null, Institution $actorInstitution = null)
128			{
129			// Assert RAA specific authorizations
130			if ($command instanceof RaExecutable) {
131			$this->logger->notice('Asserting a RA command');
132
133			// The actor metadata should be set
134			if (is_null($actorId) \|\| is_null($actorInstitution)) {
135			return false;
136			}
137
138			// If the actor is SRAA all actions should be allowed
139			if ($this->isSraa($actorId) \|\| $this->isSharedCommand($command)) {
140			return true;
141			}
142
143			$raInstitution = $command->getRaInstitution();
144			if (is_null($raInstitution)) {
145			$raInstitution = $actorInstitution->getInstitution();
146			}
147
148			$authorizationContext = $this->authorizationContextService->buildInstitutionAuthorizationContext(
149			$actorId,
150			$this->determineRaRole($command)
151			);
152
153			if (!$authorizationContext->getInstitutions()->contains(new Institution($raInstitution))) {
154			return false;
155			}
156			}
157
158			return true;
159			}
160
161			/**
162			* @param IdentityId\|null $actorId
163			* @return bool
164			*/
165			private function isSraa(IdentityId $actorId = null)
166			{
167			if (is_null($actorId)) {
168			return false;
169			}
170
171			$registrationAuthorityCredentials = $this->identityService->findRegistrationAuthorityCredentialsOf($actorId->getIdentityId());
172			if (!$registrationAuthorityCredentials) {
173			return false;
174			}
175
176			if (!$registrationAuthorityCredentials->isSraa()) {
			0 ignored issues – show Unused Code introduced 2020-01-09 10:47 UTC by Report Bug Copy Issue Report This `if` statement, and the following `return` statement can be replaced with `return $registrationAuth...yCredentials->isSraa();`. Loading history...
177			return false;
178			}
179
180			return true;
181			}
182
183			private function determineRaRole($command)
184			{
185			$role = InstitutionRole::useRaa();
186
187			// the VetSecondFactorCommand is used to vet a second factor for a user
188			// the RevokeRegistrantsSecondFactorCommand is used to revoke a user's secondfactor
189			// Both are only sent by the RA where the minimal role requirement is RA
190			// all the other actions require RAA rights
191			if ($command instanceof VetSecondFactorCommand \|\| $command instanceof RevokeRegistrantsSecondFactorCommand) {
192			$role = InstitutionRole::useRa();
193			}
194
195			return $role;
196			}
197
198			private function isSharedCommand(Command $command)
199			{
200			// No additional FGA authz is required for this shared (SS/RA) command
201			return $command instanceof ExpressLocalePreferenceCommand;
202			}
203			}
204

OpenConext / Stepup-Middleware

Push — bugfix/allow-locale-preference... ( e97d0f...38bd7e )

CommandAuthorizationService::determineRaRole() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like