Issues in ExplicitSessionTimeoutHandler.php - New Issues - Inspection of "Merge pull request #153 from OpenConext/feature/up..." - OpenConext/Stepup-SelfService - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — develop ( 44ec0d...21eab1 )

by Michiel

created 2018-09-10 07:07 UTC

Handler/ExplicitSessionTimeoutHandler.php (2 issues)

Labels

Bug 2

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * Copyright 2016 SURFnet bv
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\Handler;

use Psr\Log\LoggerInterface;
use Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\AuthenticatedSessionStateHandler;
use Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\Session\SessionLifetimeGuard;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Http\Logout\CookieClearingLogoutHandler;
use Symfony\Component\Security\Http\Logout\SessionLogoutHandler;

/**
 * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
 */
class ExplicitSessionTimeoutHandler implements AuthenticationHandler
{
    /**
     * @var AuthenticationHandler|null
     */
    private $nextHandler;

    /**
     * @var TokenStorageInterface
     */
    private $tokenStorage;

    /**
     * @var SessionLifetimeGuard
     */
    private $sessionLifetimeGuard;

    /**
     * @var AuthenticatedSessionStateHandler
     */
    private $authenticatedSession;

    /**
     * @var SessionLogoutHandler
     */
    private $sessionLogoutHandler;

    /**
     * @var CookieClearingLogoutHandler
     */
    private $cookieClearingLogoutHandler;

    /**
     * @var RouterInterface
     */
    private $router;
    /**
     * @var LoggerInterface
     */
    private $logger;

    public function __construct(
        TokenStorageInterface $tokenStorageInterface,
        AuthenticatedSessionStateHandler $authenticatedSessionStateHandler,
        SessionLifetimeGuard $sessionLifetimeGuard,
        SessionLogoutHandler $sessionLogoutHandler,
        CookieClearingLogoutHandler $cookieClearingLogoutHandler,
        RouterInterface $router,
        LoggerInterface $logger
    ) {
        $this->tokenStorage                = $tokenStorageInterface;
        $this->authenticatedSession        = $authenticatedSessionStateHandler;
        $this->sessionLifetimeGuard        = $sessionLifetimeGuard;
        $this->sessionLogoutHandler        = $sessionLogoutHandler;
        $this->cookieClearingLogoutHandler = $cookieClearingLogoutHandler;
        $this->router                      = $router;
        $this->logger                      = $logger;
    }

    public function process(GetResponseEvent $event)
    {
        if ($this->tokenStorage->getToken() !== null
            && !$this->sessionLifetimeGuard->sessionLifetimeWithinLimits($this->authenticatedSession)
        ) {
            $invalidatedBy = [];
            if (!$this->sessionLifetimeGuard->sessionLifetimeWithinAbsoluteLimit($this->authenticatedSession)) {
                $invalidatedBy[] = 'absolute';
            }

            if (!$this->sessionLifetimeGuard->sessionLifetimeWithinRelativeLimit($this->authenticatedSession)) {
                $invalidatedBy[] = 'relative';
            }

            $this->logger->notice(sprintf(
                'Authenticated user found, but session was determined to be outside of the "%s" time limit. User will '
                . 'be logged out and redirected to session-expired page to attempt new login.',
                implode(' and ', $invalidatedBy)
            ));


            $token   = $this->tokenStorage->getToken();
            $request = $event->getRequest();

            // if the current request was not a GET request we cannot safely redirect to that page after login as it
            // may require a form resubmit for instance. Therefor, we redirect to the last GET request (either current
            // or previous).
            $afterLoginRedirectTo = $this->authenticatedSession->getCurrentRequestUri();
            if ($event->getRequest()->getMethod() === 'GET') {
                $afterLoginRedirectTo = $event->getRequest()->getRequestUri();
            }

            // log the user out using Symfony methodology, see the LogoutListener
            $event->setResponse(new RedirectResponse($this->router->generate('selfservice_security_session_expired')));

            $this->sessionLogoutHandler->logout($request, $event->getResponse(), $token);
/** @return stdClass|null */
function mayReturnNull() { }

function doesNotAcceptNull(stdClass $x) { }

// With potential error.
function withoutCheck() {
    $x = mayReturnNull();
    doesNotAcceptNull($x); // Potential error here.
}

// Safe - Alternative 1
function withCheck1() {
    $x = mayReturnNull();
    if ( ! $x instanceof stdClass) {
        throw new \LogicException('$x must be defined.');
    }
    doesNotAcceptNull($x);
}

// Safe - Alternative 2
function withCheck2() {
    $x = mayReturnNull();
    if ($x instanceof stdClass) {
        doesNotAcceptNull($x);
    }
}
            $this->cookieClearingLogoutHandler->logout($request, $event->getResponse(), $token);
/** @return stdClass|null */
function mayReturnNull() { }

function doesNotAcceptNull(stdClass $x) { }

// With potential error.
function withoutCheck() {
    $x = mayReturnNull();
    doesNotAcceptNull($x); // Potential error here.
}

// Safe - Alternative 1
function withCheck1() {
    $x = mayReturnNull();
    if ( ! $x instanceof stdClass) {
        throw new \LogicException('$x must be defined.');
    }
    doesNotAcceptNull($x);
}

// Safe - Alternative 2
function withCheck2() {
    $x = mayReturnNull();
    if ($x instanceof stdClass) {
        doesNotAcceptNull($x);
    }
}
            $this->tokenStorage->setToken(null);

            // the session is restarted after invalidation during the logout, so we can (re)store the last GET request
            $this->authenticatedSession->setCurrentRequestUri($afterLoginRedirectTo);

            return;
        }

        if ($this->nextHandler !== null) {
            $this->nextHandler->process($event);
        }
    }

    public function setNext(AuthenticationHandler $handler)
    {
        $this->nextHandler = $handler;
    }
}


1			<?php
2
3			/**
4			* Copyright 2016 SURFnet bv
5			*
6			* Licensed under the Apache License, Version 2.0 (the "License");
7			* you may not use this file except in compliance with the License.
8			* You may obtain a copy of the License at
9			*
10			* http://www.apache.org/licenses/LICENSE-2.0
11			*
12			* Unless required by applicable law or agreed to in writing, software
13			* distributed under the License is distributed on an "AS IS" BASIS,
14			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15			* See the License for the specific language governing permissions and
16			* limitations under the License.
17			*/
18
19			namespace Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\Handler;
20
21			use Psr\Log\LoggerInterface;
22			use Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\AuthenticatedSessionStateHandler;
23			use Surfnet\StepupSelfService\SelfServiceBundle\Security\Authentication\Session\SessionLifetimeGuard;
24			use Symfony\Component\HttpFoundation\RedirectResponse;
25			use Symfony\Component\HttpKernel\Event\GetResponseEvent;
26			use Symfony\Component\Routing\RouterInterface;
27			use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
28			use Symfony\Component\Security\Http\Logout\CookieClearingLogoutHandler;
29			use Symfony\Component\Security\Http\Logout\SessionLogoutHandler;
30
31			/**
32			* @SuppressWarnings(PHPMD.CouplingBetweenObjects)
33			*/
34			class ExplicitSessionTimeoutHandler implements AuthenticationHandler
35			{
36			/**
37			* @var AuthenticationHandler\|null
38			*/
39			private $nextHandler;
40
41			/**
42			* @var TokenStorageInterface
43			*/
44			private $tokenStorage;
45
46			/**
47			* @var SessionLifetimeGuard
48			*/
49			private $sessionLifetimeGuard;
50
51			/**
52			* @var AuthenticatedSessionStateHandler
53			*/
54			private $authenticatedSession;
55
56			/**
57			* @var SessionLogoutHandler
58			*/
59			private $sessionLogoutHandler;
60
61			/**
62			* @var CookieClearingLogoutHandler
63			*/
64			private $cookieClearingLogoutHandler;
65
66			/**
67			* @var RouterInterface
68			*/
69			private $router;
70			/**
71			* @var LoggerInterface
72			*/
73			private $logger;
74
75			public function __construct(
76			TokenStorageInterface $tokenStorageInterface,
77			AuthenticatedSessionStateHandler $authenticatedSessionStateHandler,
78			SessionLifetimeGuard $sessionLifetimeGuard,
79			SessionLogoutHandler $sessionLogoutHandler,
80			CookieClearingLogoutHandler $cookieClearingLogoutHandler,
81			RouterInterface $router,
82			LoggerInterface $logger
83			) {
84			$this->tokenStorage = $tokenStorageInterface;
85			$this->authenticatedSession = $authenticatedSessionStateHandler;
86			$this->sessionLifetimeGuard = $sessionLifetimeGuard;
87			$this->sessionLogoutHandler = $sessionLogoutHandler;
88			$this->cookieClearingLogoutHandler = $cookieClearingLogoutHandler;
89			$this->router = $router;
90			$this->logger = $logger;
91			}
92
93			public function process(GetResponseEvent $event)
94			{
95			if ($this->tokenStorage->getToken() !== null
96			&& !$this->sessionLifetimeGuard->sessionLifetimeWithinLimits($this->authenticatedSession)
97			) {
98			$invalidatedBy = [];
99			if (!$this->sessionLifetimeGuard->sessionLifetimeWithinAbsoluteLimit($this->authenticatedSession)) {
100			$invalidatedBy[] = 'absolute';
101			}
102
103			if (!$this->sessionLifetimeGuard->sessionLifetimeWithinRelativeLimit($this->authenticatedSession)) {
104			$invalidatedBy[] = 'relative';
105			}
106
107			$this->logger->notice(sprintf(
108			'Authenticated user found, but session was determined to be outside of the "%s" time limit. User will '
109			. 'be logged out and redirected to session-expired page to attempt new login.',
110			implode(' and ', $invalidatedBy)
111			));
112
113
114			$token = $this->tokenStorage->getToken();
115			$request = $event->getRequest();
116
117			// if the current request was not a GET request we cannot safely redirect to that page after login as it
118			// may require a form resubmit for instance. Therefor, we redirect to the last GET request (either current
119			// or previous).
120			$afterLoginRedirectTo = $this->authenticatedSession->getCurrentRequestUri();
121			if ($event->getRequest()->getMethod() === 'GET') {
122			$afterLoginRedirectTo = $event->getRequest()->getRequestUri();
123			}
124
125			// log the user out using Symfony methodology, see the LogoutListener
126			$event->setResponse(new RedirectResponse($this->router->generate('selfservice_security_session_expired')));
127
128			$this->sessionLogoutHandler->logout($request, $event->getResponse(), $token);
			0 ignored issues – show Bug introduced 2018-08-23 15:29 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$event->getResponse()` can be `null`; however, `logout()` does not accept `null`, maybe add an additional type check? Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: /** @return stdClass\|null */ function mayReturnNull() { } function doesNotAcceptNull(stdClass $x) { } // With potential error. function withoutCheck() { $x = mayReturnNull(); doesNotAcceptNull($x); // Potential error here. } // Safe - Alternative 1 function withCheck1() { $x = mayReturnNull(); if ( ! $x instanceof stdClass) { throw new \LogicException('$x must be defined.'); } doesNotAcceptNull($x); } // Safe - Alternative 2 function withCheck2() { $x = mayReturnNull(); if ($x instanceof stdClass) { doesNotAcceptNull($x); } } Loading history...
129			$this->cookieClearingLogoutHandler->logout($request, $event->getResponse(), $token);
			0 ignored issues – show Bug introduced 2018-08-23 15:29 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$event->getResponse()` can be `null`; however, `logout()` does not accept `null`, maybe add an additional type check? Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: /** @return stdClass\|null */ function mayReturnNull() { } function doesNotAcceptNull(stdClass $x) { } // With potential error. function withoutCheck() { $x = mayReturnNull(); doesNotAcceptNull($x); // Potential error here. } // Safe - Alternative 1 function withCheck1() { $x = mayReturnNull(); if ( ! $x instanceof stdClass) { throw new \LogicException('$x must be defined.'); } doesNotAcceptNull($x); } // Safe - Alternative 2 function withCheck2() { $x = mayReturnNull(); if ($x instanceof stdClass) { doesNotAcceptNull($x); } } Loading history...
130			$this->tokenStorage->setToken(null);
131
132			// the session is restarted after invalidation during the logout, so we can (re)store the last GET request
133			$this->authenticatedSession->setCurrentRequestUri($afterLoginRedirectTo);
134
135			return;
136			}
137
138			if ($this->nextHandler !== null) {
139			$this->nextHandler->process($event);
140			}
141			}
142
143			public function setNext(AuthenticationHandler $handler)
144			{
145			$this->nextHandler = $handler;
146			}
147			}
148

OpenConext / Stepup-SelfService

Push — develop ( 44ec0d...21eab1 )

Handler/ExplicitSessionTimeoutHandler.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like