SamlProvider::authenticate() - Code Metrics - OpenConext/Stepup-RA - Measure and Improve Code Quality continuously with Scrutinizer

SamlProvider::authenticate() B
last analyzed 2021-02-03 08:59 UTC

↳ Parent: SamlProvider

Complexity

Conditions	11
Paths	12

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	46
rs	7.3166
c	0
b	0
f	0
cc	11
nc	12
nop	1

How to fix Complexity

<?php

/**
 * Copyright 2014 SURFnet bv
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace Surfnet\StepupRa\RaBundle\Security\Authentication\Provider;

use Psr\Log\LoggerInterface;
use Surfnet\SamlBundle\SAML2\Attribute\AttributeDictionary;
use Surfnet\SamlBundle\SAML2\Response\AssertionAdapter;
use Surfnet\StepupRa\RaBundle\Exception\MissingRequiredAttributeException;
use Surfnet\StepupRa\RaBundle\Exception\UserNotRaException;
use Surfnet\StepupRa\RaBundle\Security\Authentication\Token\SamlToken;
use Surfnet\StepupRa\RaBundle\Service\IdentityService;
use Surfnet\StepupRa\RaBundle\Service\ProfileService;
use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;

/**
 * @SuppressWarnings(PHPMD.CouplingBetweenObjects) - The SamlProvider needs to test several authorizations in order
 *  to determine the user may, or may not log in. This causes the coupling.
 */
class SamlProvider implements AuthenticationProviderInterface
{
    /**
     * @var IdentityService
     */
    private $identityService;

    /**
     * @var ProfileService
     */
    private $profileService;

    /**
     * @var AttributeDictionary
     */
    private $attributeDictionary;

    /**
     * @var LoggerInterface
     */
    private $logger;

    public function __construct(
        IdentityService $identityService,
        ProfileService $profileService,
        AttributeDictionary $attributeDictionary,
        LoggerInterface $logger
    ) {
        $this->identityService                        = $identityService;
        $this->profileService                        = $profileService;
        $this->attributeDictionary                    = $attributeDictionary;
        $this->logger                                 = $logger;
    }

    /**
     * @SuppressWarnings(PHPMD.NPathComplexity)      - The authorization tests cause the complexity to raise, could and
     * @SuppressWarnings(PHPMD.CyclomaticComplexity)   might be changed by introducing additional utility classes.
     *                                                 Consider rebuilding this in the future.
     * @param SamlToken|TokenInterface $token
     * @return TokenInterface|void
     */
    public function authenticate(TokenInterface $token)
    {
        $translatedAssertion = $this->attributeDictionary->translate($token->assertion);
interface SomeInterface { }
class SomeClass implements SomeInterface {
    public $a;
}

function someFunction(SomeInterface $object) {
    if ($object instanceof SomeClass) {
        $a = $object->a;
    }
}

        $nameId   = $translatedAssertion->getNameID();
        $institution = $this->getSingleStringValue('schacHomeOrganization', $translatedAssertion);
        $identity = $this->identityService->findByNameIdAndInstitution($nameId, $institution);

        // if no identity can be found, we're done.
        if ($identity === null) {
            throw new BadCredentialsException(
                'Unable to find Identity matching the criteria. Has the identity been registered before?'
            );
        }

        $profile = $this->profileService->findByIdentityId($identity->id);

        // if no credentials can be found, we're done.
        if (!$profile->isSraa && empty($profile->authorizations) && empty($profile->management)) {

            throw new UserNotRaException(
                'The Identity is not registered as (S)RA(A) and therefor does not have access to this application'
            );
        }

        // determine the role based on the credentials given
        $roles = [];
        if ($profile->isSraa) {
            $roles[] = 'ROLE_SRAA';
        }

        // Get authorizations (explicit RA(A) roles use_ra/use_raa).
        foreach ($profile->authorizations as $institution => $role) {
            if ($role[0] == 'raa' && !in_array('ROLE_RAA', $roles)) {
                $roles[] = 'ROLE_RAA';
            }
            if ($role[0] == 'ra' && !in_array('ROLE_RA', $roles)) {
                $roles[] = 'ROLE_RA';
            }
        }

        // set the token
        $authenticatedToken = new SamlToken($token->getLoa(), $roles);
interface User
{
    /** @return string */
    public function getPassword();
}

class MyUser implements User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}
        $authenticatedToken->setUser($identity);

        return $authenticatedToken;
    }

    private function getSingleStringValue($attribute, AssertionAdapter $translatedAssertion)
    {
        $values = $translatedAssertion->getAttributeValue($attribute);

        if (empty($values)) {
            throw new MissingRequiredAttributeException(
                sprintf(
                    'Missing a required SAML attribute. This application requires the "%s" attribute to function.',
                    $attribute
                )
            );
        }

        // see https://www.pivotaltracker.com/story/show/121296389
        if (count($values) > 1) {
            $this->logger->warning(sprintf(
                'Found "%d" values for attribute "%s", using first value',
                count($values),
                $attribute
            ));
        }

        $value = reset($values);

        if (!is_string($value)) {
            $message = sprintf(
                'First value of attribute "%s" must be a string, "%s" given',
                $attribute,
                is_object($value) ? get_class($value) : gettype($value)
            );

            $this->logger->warning($message);

            throw new MissingRequiredAttributeException($message);
        }

        return $value;
    }

    public function supports(TokenInterface $token)
    {
        return $token instanceof SamlToken;
    }
}


1			<?php
2
3			/**
4			* Copyright 2014 SURFnet bv
5			*
6			* Licensed under the Apache License, Version 2.0 (the "License");
7			* you may not use this file except in compliance with the License.
8			* You may obtain a copy of the License at
9			*
10			* http://www.apache.org/licenses/LICENSE-2.0
11			*
12			* Unless required by applicable law or agreed to in writing, software
13			* distributed under the License is distributed on an "AS IS" BASIS,
14			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15			* See the License for the specific language governing permissions and
16			* limitations under the License.
17			*/
18
19			namespace Surfnet\StepupRa\RaBundle\Security\Authentication\Provider;
20
21			use Psr\Log\LoggerInterface;
22			use Surfnet\SamlBundle\SAML2\Attribute\AttributeDictionary;
23			use Surfnet\SamlBundle\SAML2\Response\AssertionAdapter;
24			use Surfnet\StepupRa\RaBundle\Exception\MissingRequiredAttributeException;
25			use Surfnet\StepupRa\RaBundle\Exception\UserNotRaException;
26			use Surfnet\StepupRa\RaBundle\Security\Authentication\Token\SamlToken;
27			use Surfnet\StepupRa\RaBundle\Service\IdentityService;
28			use Surfnet\StepupRa\RaBundle\Service\ProfileService;
29			use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
30			use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
31			use Symfony\Component\Security\Core\Exception\BadCredentialsException;
32
33			/**
34			* @SuppressWarnings(PHPMD.CouplingBetweenObjects) - The SamlProvider needs to test several authorizations in order
35			* to determine the user may, or may not log in. This causes the coupling.
36			*/
37			class SamlProvider implements AuthenticationProviderInterface
38			{
39			/**
40			* @var IdentityService
41			*/
42			private $identityService;
43
44			/**
45			* @var ProfileService
46			*/
47			private $profileService;
48
49			/**
50			* @var AttributeDictionary
51			*/
52			private $attributeDictionary;
53
54			/**
55			* @var LoggerInterface
56			*/
57			private $logger;
58
59			public function __construct(
60			IdentityService $identityService,
61			ProfileService $profileService,
62			AttributeDictionary $attributeDictionary,
63			LoggerInterface $logger
64			) {
65			$this->identityService = $identityService;
66			$this->profileService = $profileService;
67			$this->attributeDictionary = $attributeDictionary;
68			$this->logger = $logger;
69			}
70
71			/**
72			* @SuppressWarnings(PHPMD.NPathComplexity) - The authorization tests cause the complexity to raise, could and
73			* @SuppressWarnings(PHPMD.CyclomaticComplexity) might be changed by introducing additional utility classes.
74			* Consider rebuilding this in the future.
75			* @param SamlToken\|TokenInterface $token
76			* @return TokenInterface\|void
77			*/
78			public function authenticate(TokenInterface $token)
79			{
80			$translatedAssertion = $this->attributeDictionary->translate($token->assertion);
			0 ignored issues – show Bug introduced 2015-12-15 13:46 UTC by Report Bug Copy Issue Report Accessing `assertion` on the interface `Symfony\Component\Securi...on\Token\TokenInterface` suggest that you code against a concrete implementation. How about adding an `instanceof` check? If you access a property on an interface, you most likely code against a concrete implementation of the interface. Available Fixes Adding an additional type check: interface SomeInterface { } class SomeClass implements SomeInterface { public $a; } function someFunction(SomeInterface $object) { if ($object instanceof SomeClass) { $a = $object->a; } } Changing the type hint: interface SomeInterface { } class SomeClass implements SomeInterface { public $a; } function someFunction(SomeClass $object) { $a = $object->a; } Loading history...
81
82			$nameId = $translatedAssertion->getNameID();
83			$institution = $this->getSingleStringValue('schacHomeOrganization', $translatedAssertion);
84			$identity = $this->identityService->findByNameIdAndInstitution($nameId, $institution);
85
86			// if no identity can be found, we're done.
87			if ($identity === null) {
88			throw new BadCredentialsException(
89			'Unable to find Identity matching the criteria. Has the identity been registered before?'
90			);
91			}
92
93			$profile = $this->profileService->findByIdentityId($identity->id);
94
95			// if no credentials can be found, we're done.
96			if (!$profile->isSraa && empty($profile->authorizations) && empty($profile->management)) {
			0 ignored issues – show Bug introduced 2020-06-24 15:39 UTC by Report Bug Copy Issue Report The property `management` does not seem to exist in `Surfnet\StepupMiddleware...le\Identity\Dto\Profile`. An attempt at access to an undefined property has been detected. This may either be a typographical error or the property has been renamed but there are still references to its old name. If you really want to allow access to undefined properties, you can define magic methods to allow access. See the php core documentation on Overloading. Loading history...
97			throw new UserNotRaException(
98			'The Identity is not registered as (S)RA(A) and therefor does not have access to this application'
99			);
100			}
101
102			// determine the role based on the credentials given
103			$roles = [];
104			if ($profile->isSraa) {
105			$roles[] = 'ROLE_SRAA';
106			}
107
108			// Get authorizations (explicit RA(A) roles use_ra/use_raa).
109			foreach ($profile->authorizations as $institution => $role) {
110			if ($role[0] == 'raa' && !in_array('ROLE_RAA', $roles)) {
111			$roles[] = 'ROLE_RAA';
112			}
113			if ($role[0] == 'ra' && !in_array('ROLE_RA', $roles)) {
114			$roles[] = 'ROLE_RA';
115			}
116			}
117
118			// set the token
119			$authenticatedToken = new SamlToken($token->getLoa(), $roles);
			0 ignored issues – show Bug introduced 2015-12-15 13:46 UTC by Report Bug Copy Issue Report It seems like you code against a concrete implementation and not the interface `Symfony\Component\Securi...on\Token\TokenInterface` as the method `getLoa()` does only exist in the following implementations of said interface: `Surfnet\StepupRa\RaBundl...ication\Token\SamlToken`. Let’s take a look at an example: interface User { /** @return string / public function getPassword(); } class MyUser implements User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different implementation of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the interface: interface User { /** @return string / public function getPassword(); /* @return string */ public function getDisplayName(); } Loading history...
120			$authenticatedToken->setUser($identity);
121
122			return $authenticatedToken;
123			}
124
125			private function getSingleStringValue($attribute, AssertionAdapter $translatedAssertion)
126			{
127			$values = $translatedAssertion->getAttributeValue($attribute);
128
129			if (empty($values)) {
130			throw new MissingRequiredAttributeException(
131			sprintf(
132			'Missing a required SAML attribute. This application requires the "%s" attribute to function.',
133			$attribute
134			)
135			);
136			}
137
138			// see https://www.pivotaltracker.com/story/show/121296389
139			if (count($values) > 1) {
140			$this->logger->warning(sprintf(
141			'Found "%d" values for attribute "%s", using first value',
142			count($values),
143			$attribute
144			));
145			}
146
147			$value = reset($values);
148
149			if (!is_string($value)) {
150			$message = sprintf(
151			'First value of attribute "%s" must be a string, "%s" given',
152			$attribute,
153			is_object($value) ? get_class($value) : gettype($value)
154			);
155
156			$this->logger->warning($message);
157
158			throw new MissingRequiredAttributeException($message);
159			}
160
161			return $value;
162			}
163
164			public function supports(TokenInterface $token)
165			{
166			return $token instanceof SamlToken;
167			}
168			}
169

OpenConext / Stepup-RA

SamlProvider::authenticate() B last analyzed 2021-02-03 08:59 UTC

Complexity

Size

Duplication

Importance

How to fix Complexity

Long Method

Available Fixes

Available Fixes

Duplication Side-by-Side

Filter issues like

SamlProvider::authenticate() B
last analyzed 2021-02-03 08:59 UTC