SessionController::deleteSessionAction() - Code Metrics - Inspection of "EZP-26342: Add Validation of Relations on ContentS..." - ezsystems/ezpublish-kernel - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — EZP-26342-validation-improvmen... ( 9c5a9c...57b308 )

by André

created 2016-10-10 15:35 UTC

SessionController::deleteSessionAction() A

↳ Parent: SessionController

Complexity

Conditions	4
Paths	2

Size

Total Lines	15
Code Lines	8

Duplication

Lines	6
Ratio	40 %

Importance

Changes

Metric	Value
cc	4
eloc	8
nc	2
nop	2
dl	6
loc	15
rs	9.2
c	0
b	0
f	0

<?php
/**
 * @copyright Copyright (C) eZ Systems AS. All rights reserved.
 * @license For full copyright and license information view LICENSE file distributed with this source code.
 */
namespace eZ\Publish\Core\REST\Server\Controller;

use eZ\Publish\Core\Base\Exceptions\UnauthorizedException;
use eZ\Publish\Core\MVC\Symfony\Security\Authentication\AuthenticatorInterface;
use eZ\Publish\Core\REST\Common\Exceptions\NotFoundException;
use eZ\Publish\Core\REST\Common\Message;
use eZ\Publish\Core\REST\Server\Controller;
use eZ\Publish\Core\REST\Server\Values;
use eZ\Publish\Core\REST\Server\Exceptions;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManager;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;

class SessionController extends Controller
{
    /**
     * @var \eZ\Publish\Core\MVC\Symfony\Security\Authentication\AuthenticatorInterface
     */
    private $authenticator;

    /**
     * @var \Symfony\Component\Security\Csrf\CsrfTokenManager
     */
    private $csrfTokenManager;

    /**
     * @var \Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface
     */
    private $csrfTokenStorage;

    /**
     * @var string
     */
    private $csrfTokenIntention;

    public function __construct(
        AuthenticatorInterface $authenticator,
        $tokenIntention,
        CsrfTokenManager $csrfTokenManager = null,
        TokenStorageInterface $csrfTokenStorage = null
    ) {
        $this->authenticator = $authenticator;
        $this->csrfTokenIntention = $tokenIntention;
        $this->csrfTokenManager = $csrfTokenManager;
        $this->csrfTokenStorage = $csrfTokenStorage;
    }

    /**
     * Creates a new session based on the credentials provided as POST parameters.
     *
     * @throws \eZ\Publish\Core\Base\Exceptions\UnauthorizedException If the login or password are incorrect or invalid CSRF
     *
     * @return Values\UserSession|Values\Conflict
     */
    public function createSessionAction(Request $request)
    {
        /** @var $sessionInput \eZ\Publish\Core\REST\Server\Values\SessionInput */
        $sessionInput = $this->inputDispatcher->parse(
            new Message(
                array('Content-Type' => $request->headers->get('Content-Type')),
                $request->getContent()

            )
        );
        $request->attributes->set('username', $sessionInput->login);
        $request->attributes->set('password', $sessionInput->password);

        try {
            $session = $request->getSession();
            if ($session->isStarted() && $this->hasStoredCsrfToken()) {
                $this->checkCsrfToken($request);
            }

            $token = $this->authenticator->authenticate($request);
            $csrfToken = $this->getCsrfToken();

            return new Values\UserSession(
                $token->getUser()->getAPIUser(),
                $session->getName(),
                $session->getId(),
                $csrfToken,
                !$token->hasAttribute('isFromSession')
            );
        } catch (Exceptions\UserConflictException $e) {
            // Already logged in with another user, this will be converted to HTTP status 409
            return new Values\Conflict();
        } catch (AuthenticationException $e) {
            throw new UnauthorizedException('Invalid login or password', $request->getPathInfo());
        } catch (AccessDeniedException $e) {
            throw new UnauthorizedException($e->getMessage(), $request->getPathInfo());
        }
    }

    /**
     * Refresh given session.
     *
     * @param string $sessionId
     *
     * @throws \eZ\Publish\Core\REST\Common\Exceptions\NotFoundException
     *
     * @return \eZ\Publish\Core\REST\Server\Values\UserSession
     */
    public function refreshSessionAction($sessionId, Request $request)
    {
        $session = $request->getSession();

        if ($session === null || !$session->isStarted() || $session->getId() != $sessionId || !$this->hasStoredCsrfToken()) {

            $response = $this->authenticator->logout($request);
            $response->setStatusCode(404);

            return $response;
class Author {
    private $name;

    public function __construct($name) {
        $this->name = $name;
    }

    public function getName() {
        return $this->name;
    }
}

abstract class Post {
    public function getAuthor() {
        return 'Johannes';
    }
}

class BlogPost extends Post {
    public function getAuthor() {
        return new Author('Johannes');
    }
}

class ForumPost extends Post { /* ... */ }

function my_function(Post $post) {
    echo strtoupper($post->getAuthor());
}
        }

        $this->checkCsrfToken($request);

        return new Values\UserSession(
            $this->repository->getCurrentUser(),

            $session->getName(),
            $session->getId(),
            $request->headers->get('X-CSRF-Token'),
            false
        );
    }

    /**
     * Deletes given session.
     *
     * @param string $sessionId
     *
     * @return Values\DeletedUserSession
     *
     * @throws NotFoundException
     */
    public function deleteSessionAction($sessionId, Request $request)
    {
        /** @var $session \Symfony\Component\HttpFoundation\Session\Session */
        $session = $request->getSession();
        if (!$session->isStarted() || $session->getId() != $sessionId || !$this->hasStoredCsrfToken()) {

            $response = $this->authenticator->logout($request);
            $response->setStatusCode(404);

            return $response;
class Author {
    private $name;

    public function __construct($name) {
        $this->name = $name;
    }

    public function getName() {
        return $this->name;
    }
}

abstract class Post {
    public function getAuthor() {
        return 'Johannes';
    }
}

class BlogPost extends Post {
    public function getAuthor() {
        return new Author('Johannes');
    }
}

class ForumPost extends Post { /* ... */ }

function my_function(Post $post) {
    echo strtoupper($post->getAuthor());
}
        }

        $this->checkCsrfToken($request);

        return new Values\DeletedUserSession($this->authenticator->logout($request));
    }

    /**
     * Tests if a CSRF token is stored.
     *
     * @return bool
     */
    private function hasStoredCsrfToken()
    {
        if (!isset($this->csrfTokenStorage)) {
            return true;
        }

        return $this->csrfTokenStorage->hasToken($this->csrfTokenIntention);
    }

    /**
     * Checks the presence / validity of the CSRF token.
     *
     * @param Request $request
     *
     * @throws UnauthorizedException if the token is missing or invalid.
     */
    private function checkCsrfToken(Request $request)
    {
        if ($this->csrfTokenManager === null) {
            return;
        }

        $exception = new UnauthorizedException(
            'Missing or invalid CSRF token',
            $request->getMethod() . ' ' . $request->getPathInfo()
        );

        if (!$request->headers->has('X-CSRF-Token')) {
            throw $exception;
        }

        $csrfToken = new CsrfToken(
            $this->csrfTokenIntention,
            $request->headers->get('X-CSRF-Token')
        );

        if (!$this->csrfTokenManager->isTokenValid($csrfToken)) {
            throw $exception;
        }
    }

    /**
     * Returns the csrf token for REST. The token is generated if it doesn't exist.
     *
     * @return string The csrf token, or an empty string if csrf check is disabled.
     */
    private function getCsrfToken()
    {
        if ($this->csrfTokenManager === null) {
            return '';
        }

        return $this->csrfTokenManager->getToken($this->csrfTokenIntention)->getValue();
    }
}


1		<?php
2		/**
3		* @copyright Copyright (C) eZ Systems AS. All rights reserved.
4		* @license For full copyright and license information view LICENSE file distributed with this source code.
5		*/
6		namespace eZ\Publish\Core\REST\Server\Controller;
7
8		use eZ\Publish\Core\Base\Exceptions\UnauthorizedException;
9		use eZ\Publish\Core\MVC\Symfony\Security\Authentication\AuthenticatorInterface;
10		use eZ\Publish\Core\REST\Common\Exceptions\NotFoundException;
11		use eZ\Publish\Core\REST\Common\Message;
12		use eZ\Publish\Core\REST\Server\Controller;
13		use eZ\Publish\Core\REST\Server\Values;
14		use eZ\Publish\Core\REST\Server\Exceptions;
15		use Symfony\Component\HttpFoundation\Request;
16		use Symfony\Component\Security\Csrf\CsrfToken;
17		use Symfony\Component\Security\Csrf\CsrfTokenManager;
18		use Symfony\Component\Security\Core\Exception\AccessDeniedException;
19		use Symfony\Component\Security\Core\Exception\AuthenticationException;
20		use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;
21
22		class SessionController extends Controller
23		{
24		/**
25		* @var \eZ\Publish\Core\MVC\Symfony\Security\Authentication\AuthenticatorInterface
26		*/
27		private $authenticator;
28
29		/**
30		* @var \Symfony\Component\Security\Csrf\CsrfTokenManager
31		*/
32		private $csrfTokenManager;
33
34		/**
35		* @var \Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface
36		*/
37		private $csrfTokenStorage;
38
39		/**
40		* @var string
41		*/
42		private $csrfTokenIntention;
43
44		public function __construct(
45		AuthenticatorInterface $authenticator,
46		$tokenIntention,
47		CsrfTokenManager $csrfTokenManager = null,
48		TokenStorageInterface $csrfTokenStorage = null
49		) {
50		$this->authenticator = $authenticator;
51		$this->csrfTokenIntention = $tokenIntention;
52		$this->csrfTokenManager = $csrfTokenManager;
53		$this->csrfTokenStorage = $csrfTokenStorage;
54		}
55
56		/**
57		* Creates a new session based on the credentials provided as POST parameters.
58		*
59		* @throws \eZ\Publish\Core\Base\Exceptions\UnauthorizedException If the login or password are incorrect or invalid CSRF
60		*
61		* @return Values\UserSession\|Values\Conflict
62		*/
63		public function createSessionAction(Request $request)
64		{
65		/** @var $sessionInput \eZ\Publish\Core\REST\Server\Values\SessionInput */
66		$sessionInput = $this->inputDispatcher->parse(
67		new Message(
68		array('Content-Type' => $request->headers->get('Content-Type')),
69		$request->getContent()
		0 ignored issues – show Bug introduced 2016-09-16 14:08 UTC by Report Bug Copy Issue Report It seems like `$request->getContent()` targeting `Symfony\Component\HttpFo...n\Request::getContent()` can also be of type `resource`; however, `eZ\Publish\Core\REST\Common\Message::__construct()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
70		)
71		);
72		$request->attributes->set('username', $sessionInput->login);
73		$request->attributes->set('password', $sessionInput->password);
74
75		try {
76		$session = $request->getSession();
77		if ($session->isStarted() && $this->hasStoredCsrfToken()) {
78		$this->checkCsrfToken($request);
79		}
80
81		$token = $this->authenticator->authenticate($request);
82		$csrfToken = $this->getCsrfToken();
83
84		return new Values\UserSession(
85		$token->getUser()->getAPIUser(),
86		$session->getName(),
87		$session->getId(),
88		$csrfToken,
89		!$token->hasAttribute('isFromSession')
90		);
91		} catch (Exceptions\UserConflictException $e) {
92		// Already logged in with another user, this will be converted to HTTP status 409
93		return new Values\Conflict();
94		} catch (AuthenticationException $e) {
95		throw new UnauthorizedException('Invalid login or password', $request->getPathInfo());
96		} catch (AccessDeniedException $e) {
97		throw new UnauthorizedException($e->getMessage(), $request->getPathInfo());
98		}
99		}
100
101		/**
102		* Refresh given session.
103		*
104		* @param string $sessionId
105		*
106		* @throws \eZ\Publish\Core\REST\Common\Exceptions\NotFoundException
107		*
108		* @return \eZ\Publish\Core\REST\Server\Values\UserSession
109		*/
110		public function refreshSessionAction($sessionId, Request $request)
111		{
112		$session = $request->getSession();
113
114	View Code Duplication	if ($session === null \|\| !$session->isStarted() \|\| $session->getId() != $sessionId \|\| !$this->hasStoredCsrfToken()) {
		0 ignored issues – show Duplication introduced 2016-09-19 10:23 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
115		$response = $this->authenticator->logout($request);
116		$response->setStatusCode(404);
117
118		return $response;
		0 ignored issues – show Bug Best Practice introduced 2016-09-16 14:08 UTC by Report Bug Copy Issue Report The return type of `return $response;` (`Symfony\Component\HttpFoundation\Response`) is incompatible with the return type documented by `eZ\Publish\Core\REST\Ser...r::refreshSessionAction` of type `eZ\Publish\Core\REST\Server\Values\UserSession`. If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design. Let’s take a look at an example: class Author { private $name; public function __construct($name) { $this->name = $name; } public function getName() { return $this->name; } } abstract class Post { public function getAuthor() { return 'Johannes'; } } class BlogPost extends Post { public function getAuthor() { return new Author('Johannes'); } } class ForumPost extends Post { /* ... */ } function my_function(Post $post) { echo strtoupper($post->getAuthor()); } Our function `my_function` expects a `Post` object, and outputs the author of the post. The base class `Post` returns a simple string and outputting a simple string will work just fine. However, the child class `BlogPost` which is a sub-type of `Post` instead decided to return an `object`, and is therefore violating the SOLID principles. If a `BlogPost` were passed to `my_function`, PHP would not complain, but ultimately fail when executing the `strtoupper` call in its body. Loading history...
119		}
120
121		$this->checkCsrfToken($request);
122
123		return new Values\UserSession(
124		$this->repository->getCurrentUser(),
		0 ignored issues – show Deprecated Code introduced 2016-09-16 14:08 UTC by Report Bug Copy Issue Report The method `eZ\Publish\API\Repositor...itory::getCurrentUser()` has been deprecated with message: since 6.6, to be removed. Use PermissionResolver::getCurrentUserReference() instead. Get current user. Loads the full user object if not already loaded, if you only need to know user id use {@see getCurrentUserReference()} This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
125		$session->getName(),
126		$session->getId(),
127		$request->headers->get('X-CSRF-Token'),
128		false
129		);
130		}
131
132		/**
133		* Deletes given session.
134		*
135		* @param string $sessionId
136		*
137		* @return Values\DeletedUserSession
138		*
139		* @throws NotFoundException
140		*/
141		public function deleteSessionAction($sessionId, Request $request)
142		{
143		/** @var $session \Symfony\Component\HttpFoundation\Session\Session */
144		$session = $request->getSession();
145	View Code Duplication	if (!$session->isStarted() \|\| $session->getId() != $sessionId \|\| !$this->hasStoredCsrfToken()) {
		0 ignored issues – show Duplication introduced 2016-09-19 10:23 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
146		$response = $this->authenticator->logout($request);
147		$response->setStatusCode(404);
148
149		return $response;
		0 ignored issues – show Bug Best Practice introduced 2016-09-19 10:47 UTC by Report Bug Copy Issue Report The return type of `return $response;` (`Symfony\Component\HttpFoundation\Response`) is incompatible with the return type documented by `eZ\Publish\Core\REST\Ser...er::deleteSessionAction` of type `eZ\Publish\Core\REST\Ser...lues\DeletedUserSession`. If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design. Let’s take a look at an example: class Author { private $name; public function __construct($name) { $this->name = $name; } public function getName() { return $this->name; } } abstract class Post { public function getAuthor() { return 'Johannes'; } } class BlogPost extends Post { public function getAuthor() { return new Author('Johannes'); } } class ForumPost extends Post { /* ... */ } function my_function(Post $post) { echo strtoupper($post->getAuthor()); } Our function `my_function` expects a `Post` object, and outputs the author of the post. The base class `Post` returns a simple string and outputting a simple string will work just fine. However, the child class `BlogPost` which is a sub-type of `Post` instead decided to return an `object`, and is therefore violating the SOLID principles. If a `BlogPost` were passed to `my_function`, PHP would not complain, but ultimately fail when executing the `strtoupper` call in its body. Loading history...
150		}
151
152		$this->checkCsrfToken($request);
153
154		return new Values\DeletedUserSession($this->authenticator->logout($request));
155		}
156
157		/**
158		* Tests if a CSRF token is stored.
159		*
160		* @return bool
161		*/
162		private function hasStoredCsrfToken()
163		{
164		if (!isset($this->csrfTokenStorage)) {
165		return true;
166		}
167
168		return $this->csrfTokenStorage->hasToken($this->csrfTokenIntention);
169		}
170
171		/**
172		* Checks the presence / validity of the CSRF token.
173		*
174		* @param Request $request
175		*
176		* @throws UnauthorizedException if the token is missing or invalid.
177		*/
178		private function checkCsrfToken(Request $request)
179		{
180		if ($this->csrfTokenManager === null) {
181		return;
182		}
183
184		$exception = new UnauthorizedException(
185		'Missing or invalid CSRF token',
186		$request->getMethod() . ' ' . $request->getPathInfo()
187		);
188
189		if (!$request->headers->has('X-CSRF-Token')) {
190		throw $exception;
191		}
192
193		$csrfToken = new CsrfToken(
194		$this->csrfTokenIntention,
195		$request->headers->get('X-CSRF-Token')
196		);
197
198		if (!$this->csrfTokenManager->isTokenValid($csrfToken)) {
199		throw $exception;
200		}
201		}
202
203		/**
204		* Returns the csrf token for REST. The token is generated if it doesn't exist.
205		*
206		* @return string The csrf token, or an empty string if csrf check is disabled.
207		*/
208		private function getCsrfToken()
209		{
210		if ($this->csrfTokenManager === null) {
211		return '';
212		}
213
214		return $this->csrfTokenManager->getToken($this->csrfTokenIntention)->getValue();
215		}
216		}
217

ezsystems / ezpublish-kernel

Push — EZP-26342-validation-improvmen... ( 9c5a9c...57b308 )

SessionController::deleteSessionAction() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like