AllowedInOtherInstitutionVoter::vote() - Code Metrics - Inspection of "Merge pull request #188 from OpenConext/feature/fi..." - OpenConext/Stepup-RA - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — develop ( 784583...9a84aa )

by Michiel

created 2019-01-21 07:57 UTC

AllowedInOtherInstitutionVoter::vote() C

↳ Parent: AllowedInOtherInstitutionVoter

Complexity

Conditions	12
Paths	12

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	59
rs	6.4678
c	0
b	0
f	0
cc	12
nc	12
nop	3

How to fix Long Method Complexity

<?php

/**
 * Copyright 2018 SURFnet B.V.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace Surfnet\StepupRa\RaBundle\Security\Authorization\Voter;

use InvalidArgumentException;
use Surfnet\StepupRa\RaBundle\Security\Authorization\Context\InstitutionContext;
use Surfnet\StepupRa\RaBundle\Service\InstitutionConfigurationOptionsServiceInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
use Symfony\Component\Security\Core\Role\Role;

/**
 * Given a InstitutionContext, votes if allowed to perform actions on
 * a target institution (the institution of the identity we are performing actions on).
 */
class AllowedInOtherInstitutionVoter implements VoterInterface
{
    const VIEW_AUDITLOG = 'view_auditlog';

    private $service;

    public function __construct(InstitutionConfigurationOptionsServiceInterface $service)
    {
        $this->service = $service;
    }

    /**
     * @SuppressWarnings(PHPMD.CyclomaticComplexity) - many simple tests are required to ascertain if the action is
     * allowed
     *
     * @param TokenInterface $token A TokenInterface instance
     * @param InstitutionContext $subject The subject to secure
     * @param array $attributes An array of attributes associated with the method being invoked
     * @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
     */
    public function vote(TokenInterface $token, $subject, array $attributes)
    {
        // Check if the class of this object is supported by this voter
        if (!$this->supportsClass(get_class($subject))) {
            return VoterInterface::ACCESS_ABSTAIN;
        }

        // This voter allows one attribute to vote on.
        if (count($attributes) > 1) {
            throw new InvalidArgumentException('Only one attribute is allowed');
        }

        $attribute = $attributes[0];

        // Check if the given attribute is covered by this voter
        if (!$this->supportsAttribute($attribute)) {
            return VoterInterface::ACCESS_ABSTAIN;
        }

        $actorRoles = $token->getRoles();

        // Does the actor have one of the required roles?
        if (!$this->authorizedByRole($actorRoles)) {
            return VoterInterface::ACCESS_DENIED;
        }

        $institutionConfig = $this->service->getInstitutionConfigurationOptionsFor($subject->getActorInstitution());

        if (!$institutionConfig) {
            return VoterInterface::ACCESS_ABSTAIN;
        }

        $raInstitutions = $institutionConfig->useRa;
        $raaInstitutions = $institutionConfig->useRaa;

        // Now test if any of the roles allow the user to perform the requested task
        foreach ($actorRoles as $role) {
            switch ($role->getRole()) {
                // The SRAA role is always allowed to perform the VIEW_AUDITLOG action
                case "ROLE_SRAA":
                    return VoterInterface::ACCESS_GRANTED;
                    break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}
                case "ROLE_RA":
                    // RA roles are allowed if the target institution is in the useRa options.
                    if (in_array($subject->getTargetInstitution(), $raInstitutions)) {
                        return VoterInterface::ACCESS_GRANTED;
                    }
                    break;
                case "ROLE_RAA":
                    // (S)RAA roles are allowed if either the target institution is in the useRa or useRaa options.
                    if (in_array($subject->getTargetInstitution(), array_merge($raInstitutions, $raaInstitutions))) {
                        return VoterInterface::ACCESS_GRANTED;
                    }
                    break;
            }
        }

        return VoterInterface::ACCESS_DENIED;
    }

    private function supportsAttribute($attribute)
    {
        return in_array($attribute, [self::VIEW_AUDITLOG]);
    }

    private function supportsClass($class)
    {
        $supportedClass = InstitutionContext::class;

        return $supportedClass === $class;
    }

    private function authorizedByRole(array $roles)

    {
        // The role requirements to VIEW_AUDITLOG, one of these roles must be met
        $allowedRoles = ['ROLE_SRAA', 'ROLE_RAA', 'ROLE_RA'];

        // Convert the Role[] to an array of strings representing the role names.
        $roles = array_map(
            function (Role $role) {
                return $role->getRole();
            },
            $roles
        );

        // And test if there is an intersection (is one or more of the token roles also in the allowed roles)
        return count(array_intersect($roles, $allowedRoles)) > 0;
    }
}


1		<?php
2
3		/**
4		* Copyright 2018 SURFnet B.V.
5		*
6		* Licensed under the Apache License, Version 2.0 (the "License");
7		* you may not use this file except in compliance with the License.
8		* You may obtain a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing, software
13		* distributed under the License is distributed on an "AS IS" BASIS,
14		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15		* See the License for the specific language governing permissions and
16		* limitations under the License.
17		*/
18
19		namespace Surfnet\StepupRa\RaBundle\Security\Authorization\Voter;
20
21		use InvalidArgumentException;
22		use Surfnet\StepupRa\RaBundle\Security\Authorization\Context\InstitutionContext;
23		use Surfnet\StepupRa\RaBundle\Service\InstitutionConfigurationOptionsServiceInterface;
24		use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
25		use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
26		use Symfony\Component\Security\Core\Role\Role;
27
28		/**
29		* Given a InstitutionContext, votes if allowed to perform actions on
30		* a target institution (the institution of the identity we are performing actions on).
31		*/
32		class AllowedInOtherInstitutionVoter implements VoterInterface
33		{
34		const VIEW_AUDITLOG = 'view_auditlog';
35
36		private $service;
37
38		public function __construct(InstitutionConfigurationOptionsServiceInterface $service)
39		{
40		$this->service = $service;
41		}
42
43		/**
44		* @SuppressWarnings(PHPMD.CyclomaticComplexity) - many simple tests are required to ascertain if the action is
45		* allowed
46		*
47		* @param TokenInterface $token A TokenInterface instance
48		* @param InstitutionContext $subject The subject to secure
49		* @param array $attributes An array of attributes associated with the method being invoked
50		* @return int either ACCESS_GRANTED, ACCESS_ABSTAIN, or ACCESS_DENIED
51		*/
52		public function vote(TokenInterface $token, $subject, array $attributes)
53		{
54		// Check if the class of this object is supported by this voter
55		if (!$this->supportsClass(get_class($subject))) {
56		return VoterInterface::ACCESS_ABSTAIN;
57		}
58
59		// This voter allows one attribute to vote on.
60		if (count($attributes) > 1) {
61		throw new InvalidArgumentException('Only one attribute is allowed');
62		}
63
64		$attribute = $attributes[0];
65
66		// Check if the given attribute is covered by this voter
67		if (!$this->supportsAttribute($attribute)) {
68		return VoterInterface::ACCESS_ABSTAIN;
69		}
70
71		$actorRoles = $token->getRoles();
72
73		// Does the actor have one of the required roles?
74		if (!$this->authorizedByRole($actorRoles)) {
75		return VoterInterface::ACCESS_DENIED;
76		}
77
78		$institutionConfig = $this->service->getInstitutionConfigurationOptionsFor($subject->getActorInstitution());
79
80		if (!$institutionConfig) {
81		return VoterInterface::ACCESS_ABSTAIN;
82		}
83
84		$raInstitutions = $institutionConfig->useRa;
85		$raaInstitutions = $institutionConfig->useRaa;
86
87		// Now test if any of the roles allow the user to perform the requested task
88		foreach ($actorRoles as $role) {
89		switch ($role->getRole()) {
90		// The SRAA role is always allowed to perform the VIEW_AUDITLOG action
91		case "ROLE_SRAA":
92		return VoterInterface::ACCESS_GRANTED;
93		break;
		0 ignored issues – show Unused Code introduced 2018-10-24 12:16 UTC by Report Bug Copy Issue Report `break` is not strictly necessary here and could be removed. The `break` statement is not necessary if it is preceded for example by a `return` statement: switch ($x) { case 1: return 'foo'; break; // This break is not necessary and can be left off. } If you would like to keep this construct to be consistent with other `case` statements, you can safely mark this issue as a false-positive. Loading history...
94		case "ROLE_RA":
95		// RA roles are allowed if the target institution is in the useRa options.
96		if (in_array($subject->getTargetInstitution(), $raInstitutions)) {
97		return VoterInterface::ACCESS_GRANTED;
98		}
99		break;
100		case "ROLE_RAA":
101		// (S)RAA roles are allowed if either the target institution is in the useRa or useRaa options.
102		if (in_array($subject->getTargetInstitution(), array_merge($raInstitutions, $raaInstitutions))) {
103		return VoterInterface::ACCESS_GRANTED;
104		}
105		break;
106		}
107		}
108
109		return VoterInterface::ACCESS_DENIED;
110		}
111
112		private function supportsAttribute($attribute)
113		{
114		return in_array($attribute, [self::VIEW_AUDITLOG]);
115		}
116
117		private function supportsClass($class)
118		{
119		$supportedClass = InstitutionContext::class;
120
121		return $supportedClass === $class;
122		}
123
124	View Code Duplication	private function authorizedByRole(array $roles)
		0 ignored issues – show Duplication introduced 2018-10-30 15:45 UTC by Report Bug Copy Issue Report This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
125		{
126		// The role requirements to VIEW_AUDITLOG, one of these roles must be met
127		$allowedRoles = ['ROLE_SRAA', 'ROLE_RAA', 'ROLE_RA'];
128
129		// Convert the Role[] to an array of strings representing the role names.
130		$roles = array_map(
131		function (Role $role) {
132		return $role->getRole();
133		},
134		$roles
135		);
136
137		// And test if there is an intersection (is one or more of the token roles also in the allowed roles)
138		return count(array_intersect($roles, $allowedRoles)) > 0;
139		}
140		}
141

OpenConext / Stepup-RA

Push — develop ( 784583...9a84aa )

AllowedInOtherInstitutionVoter::vote() C

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like