Inspection: Passed
Push to hypernext ( bec607...759d43 ) by Nico, created 10:41

Saml::getSettings()   Rating: B

Complexity

Conditions 1
Paths 1

Size

Total Lines 199
Code Lines 57

Duplication

Lines 0
Ratio 0 %

Code Coverage

Tests 38
CRAP Score 1

Importance

Changes 0
Metric Value
cc 1
eloc 57
nc 1
nop 1
dl 0
loc 199
ccs 38
cts 38
cp 1
crap 1
rs 8.9381
c 0
b 0
f 0

How to fix: Long Method

Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.

For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.

Commonly applied refactorings include:

<?php declare(strict_types=1);
/**
 * @author Nicolas CARPi <[email protected]>
 * @copyright 2012 Nicolas CARPi
 * @see https://www.elabftw.net Official website
 * @license AGPL-3.0
 * @package elabftw
 */

namespace Elabftw\Elabftw;

use Elabftw\Models\Config;
use Elabftw\Models\Idps;
use function rtrim;

/**
 * Saml settings
 */
class Saml
{
    public function __construct(public Config $Config, private Idps $Idps)
    {
    }

    /**
     * Get the settings array
     * On login we don't have an id but we don't need the settings
     * from a particular idp (just the service provider)
     * So getActive will just grab the first active one
     *
     * @param int|null $id id of the selected idp
     */
    public function getSettings(?int $id = null): array
    {
        $idp = $this->Idps->getActive($id);
        // base URL without trailing slash, so the ACS and SLS URLs built from it
        // never contain a double slash (which would break Destination validation)
        $baseUrl = rtrim($this->Config->configArr['saml_baseurl'] ?? '', '/');
        return array(
            // If 'strict' is True, then the PHP Toolkit will reject unsigned
            // or unencrypted messages if it expects them signed or encrypted.
            // It will also reject messages that do not strictly follow the SAML
            // standard: Destination, NameId, Conditions ... are validated too.
            'strict' => $this->Config->configArr['saml_strict'],

            // Enable debug mode (to print errors)
            'debug' => $this->Config->configArr['saml_debug'],

            // Set a BaseURL to be used instead of trying to guess
            // the BaseURL of the view that processes the SAML Message.
            // Ex. http://sp.example.com/
            //     http://example.com/sp/
            'baseurl' => $this->Config->configArr['saml_baseurl'],

            // Service Provider Data that we are deploying
            'sp' => array(
                // Identifier of the SP entity  (must be a URI)
                'entityId' => $this->Config->configArr['saml_entityid'],
                // Specifies info about where and how the <AuthnResponse> message MUST be
                // returned to the requester, in this case our SP.
                'assertionConsumerService' => array(
                    // URL Location where the <Response> from the IdP will be returned
                    'url' => $baseUrl . '/index.php?acs',
                    // SAML protocol binding to be used when returning the <Response>
                    // message. Configurable here, but the Onelogin Toolkit only
                    // accepts the HTTP-POST binding at this endpoint.
                    'binding' => $this->Config->configArr['saml_acs_binding'],
                ),
                // If you need to specify requested attributes, set an
                // attributeConsumingService. nameFormat, attributeValue and
                // friendlyName can be omitted. Otherwise remove this section.
                'attributeConsumingService' => array(
                    'ServiceName' => 'eLabFTW',
                    'serviceDescription' => 'Electronic Lab Notebook',
                    'requestedAttributes' => array(
                        array(
                            'name' => '',
                            'isRequired' => false,
                            'nameFormat' => '',
                            'friendlyName' => '',
                            'attributeValue' => '',
                        ),
                    ),
                ),
                // Specifies info about where and how the <Logout Response> message MUST be
                // returned to the requester, in this case our SP.
                'singleLogoutService' => array(
                    // URL Location where the <Response> from the IdP will be returned
                    'url' => $baseUrl . '/app/logout.php?sls',
                    // SAML protocol binding to be used when returning the <Response>
                    // message. Configurable here, but the Onelogin Toolkit only
                    // accepts the HTTP-Redirect binding at this endpoint.
                    'binding' => $this->Config->configArr['saml_slo_binding'],
                ),
                // Specifies constraints on the name identifier to be used to
                // represent the requested subject.
                // Take a look at lib/Saml2/Constants.php to see the NameIdFormat supported
                'NameIDFormat' => $this->Config->configArr['saml_nameidformat'],

                // Usually x509cert and privateKey of the SP are provided by files placed in
                // the certs folder. But we can also provide them with the following parameters
                'x509cert' => $this->Config->configArr['saml_x509'],
                'privateKey' => $this->Config->configArr['saml_privatekey'],
            ),

            // Identity Provider Data that we want to connect with our SP
            'idp' => array(
                // Identifier of the IdP entity  (must be a URI)
                'entityId' => $idp['entityid'],
                // SSO endpoint info of the IdP. (Authentication Request protocol)
                'singleSignOnService' => array(
                    // URL Target of the IdP where the SP will send the Authentication Request Message
                    'url' => $idp['sso_url'],
                    // SAML protocol binding to be used when sending the <AuthnRequest>
                    // message. Configurable per IdP, but the Onelogin Toolkit only
                    // sends the HTTP-Redirect binding to this endpoint.
                    'binding' => $idp['sso_binding'],
                ),
                // SLO endpoint info of the IdP.
                'singleLogoutService' => array(
                    // URL Location of the IdP where the SP will send the SLO Request
                    'url' => $idp['slo_url'],
                    // SAML protocol binding to be used when sending the <LogoutRequest>
                    // message. Configurable per IdP, but the Onelogin Toolkit only
                    // sends the HTTP-Redirect binding to this endpoint.
                    'binding' => $idp['slo_binding'],
                ),
                // Public x509 certificate of the IdP
                'x509cert' => $idp['x509'],
                /*
                 *  Instead of using the whole x509cert you can use a fingerprint
                 *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
                 *   or add for example the -sha256 , -sha384 or -sha512 parameter)
                 *
                 *  If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
                 *  let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
                 *  'sha1' is the default value.
                 */
                // 'certFingerprint' => '',
                // 'certFingerprintAlgorithm' => 'sha1',
                // eLabFTW-specific (not part of the Onelogin settings): names of the
                // assertion attributes carrying the user's email, team and names
                'emailAttr' => $idp['email_attr'],
                'teamAttr' => $idp['team_attr'],
                'fnameAttr' => $idp['fname_attr'],
                'lnameAttr' => $idp['lname_attr'],
            ),
            // Security settings
            'security' => array(

                /** signatures and encryptions offered */

                // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
                // will be encrypted.
                'nameIdEncrypted' => (bool) $this->Config->configArr['saml_nameidencrypted'],

                // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
                // will be signed.              [The Metadata of the SP will offer this info]
                'authnRequestsSigned' => (bool) $this->Config->configArr['saml_authnrequestssigned'],

                // Indicates whether the <samlp:logoutRequest> messages sent by this SP
                // will be signed.
                'logoutRequestSigned' => (bool) $this->Config->configArr['saml_logoutrequestsigned'],

                // Indicates whether the <samlp:logoutResponse> messages sent by this SP
                // will be signed.
                'logoutResponseSigned' => (bool) $this->Config->configArr['saml_logoutresponsesigned'],

                /* Sign the Metadata
                 False || True (use sp certs) || array (
                                                            keyFileName => 'metadata.key',
                                                            certFileName => 'metadata.crt'
                                                        )
                */
                'signMetadata' => (bool) $this->Config->configArr['saml_signmetadata'],


                /** signatures and encryptions required */
                // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
                // <samlp:LogoutResponse> elements received by this SP to be signed.
                'wantMessagesSigned' => (bool) $this->Config->configArr['saml_wantmessagessigned'],

                // Indicates a requirement for the <saml:Assertion> elements received by
                // this SP to be encrypted.
                'wantAssertionsEncrypted' => (bool) $this->Config->configArr['saml_wantassertionsencrypted'],

                // Indicates a requirement for the <saml:Assertion> elements received by
                // this SP to be signed.        [The Metadata of the SP will offer this info]
                'wantAssertionsSigned' => (bool) $this->Config->configArr['saml_wantassertionssigned'],

                // Indicates a requirement for the NameID element on the SAMLResponse received
                // by this SP to be present.
                'wantNameId' => (bool) $this->Config->configArr['saml_wantnameid'],

                // Indicates a requirement for the NameID received by
                // this SP to be encrypted.
                'wantNameIdEncrypted' => (bool) $this->Config->configArr['saml_wantnameidencrypted'],

                // Authentication context.
                // Set to false and no AuthContext will be sent in the AuthNRequest,
                // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
                // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
                'requestedAuthnContext' => false,

                // Allows the authn comparison parameter to be set, defaults to 'exact' if
                // the setting is not present.
                'requestedAuthnContextComparison' => 'exact',

                // Indicates if the SP will validate all received xmls.
                // (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
                'wantXMLValidation' => (bool) $this->Config->configArr['saml_wantxmlvalidation'],

                // If true, SAMLResponses with an empty value at its Destination
                // attribute will not be rejected for this fact.
                'relaxDestinationValidation' => (bool) $this->Config->configArr['saml_relaxdestinationvalidation'],

                // Algorithm that the toolkit will use on signing process. Options:
                //    'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
                //    'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
                //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
                //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
                //    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
                // Notice that sha1 is a deprecated algorithm and should not be used
                'signatureAlgorithm' => 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',

                // Algorithm that the toolkit will use on digest process. Options:
                //    'http://www.w3.org/2000/09/xmldsig#sha1'
                //    'http://www.w3.org/2001/04/xmlenc#sha256'
                //    'http://www.w3.org/2001/04/xmldsig-more#sha384'
                //    'http://www.w3.org/2001/04/xmlenc#sha512'
                // Notice that sha1 is a deprecated algorithm and should not be used
                'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',

                // ADFS URL-encodes SAML data as lowercase, and the toolkit by default uses
                // uppercase. Set it to true for ADFS compatibility on signature verification
                'lowercaseUrlencoding' => (bool) $this->Config->configArr['saml_lowercaseurlencoding'],
            ),
        );
    }
}
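Most of the settings above that decide whether a forged assertion is caught (strict, wantAssertionsSigned, wantMessagesSigned, relaxDestinationValidation, the IdP certificate) come straight from the admin-editable config table, so a misconfigured instance fails silently. The following is an added example, not eLabFTW project code and not part of this report: a static audit of the array that getSettings() returns, flagging the combinations that weaken verification. It only assumes the onelogin settings layout shown above; the function name auditSamlSettings, the sample values and the hostnames are made up for the example.

```php
<?php declare(strict_types=1);

// Added example (not eLabFTW project code): audit the array returned by
// Saml::getSettings() for settings that weaken how the SP verifies the IdP.
// Needs PHP 8 (str_starts_with/str_contains), like the class above.

function auditSamlSettings(array $settings): array
{
    $findings = array();
    $sec = $settings['security'] ?? array();
    $sp = $settings['sp'] ?? array();
    $idp = $settings['idp'] ?? array();

    // Without strict, the toolkit accepts unsigned messages even when signing is
    // "required" below, and skips the Destination/NameId/Conditions checks.
    if (empty($settings['strict'])) {
        $findings[] = 'strict is off: signature requirements and SAML conformance checks are not enforced';
    }

    // The Assertion or the Response must be signed, or a forged assertion is indistinguishable from a real one.
    if (empty($sec['wantAssertionsSigned']) && empty($sec['wantMessagesSigned'])) {
        $findings[] = 'neither wantAssertionsSigned nor wantMessagesSigned is set: unsigned assertions are accepted';
    }

    // A trust anchor for the IdP is needed for any signature check to happen at all.
    if (empty($idp['x509cert']) && empty($idp['certFingerprint'])) {
        $findings[] = 'idp.x509cert is empty and no certFingerprint is set: IdP signatures cannot be verified';
    } elseif (!empty($idp['certFingerprint']) && ($idp['certFingerprintAlgorithm'] ?? 'sha1') === 'sha1') {
        $findings[] = 'certFingerprint is compared with SHA-1 (the toolkit default when certFingerprintAlgorithm is unset)';
    }

    // SHA-1 is deprecated for both the signature and the digest algorithm.
    foreach (array('signatureAlgorithm', 'digestAlgorithm') as $key) {
        if (isset($sec[$key]) && str_contains($sec[$key], 'sha1')) {
            $findings[] = $key . ' uses SHA-1: ' . $sec[$key];
        }
    }

    // Relaxed Destination validation lets a Response minted for another ACS URL be replayed here.
    if (!empty($sec['relaxDestinationValidation'])) {
        $findings[] = 'relaxDestinationValidation is on';
    }

    // Debug mode prints toolkit errors into HTTP responses.
    if (!empty($settings['debug'])) {
        $findings[] = 'debug is on';
    }

    // Every endpoint must be https, and URLs derived from baseurl must not carry a
    // double slash (a mismatch there makes Destination validation fail or, worse, get relaxed).
    $urls = array(
        'baseurl' => $settings['baseurl'] ?? '',
        'sp.assertionConsumerService.url' => $sp['assertionConsumerService']['url'] ?? '',
        'sp.singleLogoutService.url' => $sp['singleLogoutService']['url'] ?? '',
        'idp.singleSignOnService.url' => $idp['singleSignOnService']['url'] ?? '',
        'idp.singleLogoutService.url' => $idp['singleLogoutService']['url'] ?? '',
    );
    foreach ($urls as $name => $url) {
        if ($url === '') {
            continue;
        }
        if (!str_starts_with($url, 'https://')) {
            $findings[] = $name . ' is not https: ' . $url;
        }
        if (preg_match('#^[a-z]+://[^/]+.*//#i', $url) === 1) {
            $findings[] = $name . ' contains a double slash: ' . $url;
        }
    }

    return $findings;
}

// Constructed sample in the shape of getSettings() output, with the weak choices an
// admin could make through the config page. Config values arrive as strings, as from
// the database, so '0' is falsy; hostnames are made up.
$weak = array(
    'strict' => '0',
    'debug' => '1',
    'baseurl' => 'http://elab.example.com/',
    'sp' => array(
        'assertionConsumerService' => array('url' => 'http://elab.example.com/index.php?acs'),
        'singleLogoutService' => array('url' => 'http://elab.example.com//app/logout.php?sls'),
    ),
    'idp' => array(
        'singleSignOnService' => array('url' => 'https://idp.example.org/sso'),
        'singleLogoutService' => array('url' => 'https://idp.example.org/slo'),
        'x509cert' => '',
    ),
    'security' => array(
        'wantAssertionsSigned' => false,
        'wantMessagesSigned' => false,
        'relaxDestinationValidation' => true,
        'signatureAlgorithm' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
        'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256',
    ),
);

foreach (auditSamlSettings($weak) as $finding) {
    echo 'FAIL: ' . $finding . PHP_EOL;
}
```

Run against the real instance by passing `(new Saml($Config, $Idps))->getSettings($id)` instead of the constructed array; an empty result means none of the listed weaknesses is present, not that the IdP metadata itself is trustworthy. The double-slash check matters because the page's original SLS URL was concatenated without rtrim, unlike the ACS URL, so a baseurl ending in "/" advertised a different logout endpoint in the SP metadata than the one the toolkit validates against.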