ResponseAssertion::setAssertionAttributes() - Code Metrics - Inspection of "Code sniff improvements and official release" - flipboxfactory/saml-idp - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 83faf4...2c5c59 )

by Damien

created 2019-05-18 03:13 UTC

ResponseAssertion::setAssertionAttributes() A

↳ Parent: ResponseAssertion

Complexity

Conditions	5
Paths	8

Size

Total Lines	40
Code Lines	18

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	0
CRAP Score	30

Importance

Changes

Metric	Value
cc	5
eloc	18
nc	8
nop	4
dl	0
loc	40
ccs	0
cts	18
cp	0
crap	30
rs	9.3554
c	0
b	0
f	0

<?php

namespace flipbox\saml\idp\services\messages;

use craft\base\Component;
use craft\elements\User;
use craft\helpers\ConfigHelper;
use flipbox\saml\core\models\AttributeMap;
use flipbox\saml\core\records\AbstractProvider;
use flipbox\saml\idp\models\Settings;
use flipbox\saml\idp\records\ProviderRecord;
use flipbox\saml\idp\Saml;
use SAML2\Assertion;
use SAML2\AuthnRequest as SamlAuthnRequest;
use SAML2\Constants;
use SAML2\EncryptedAssertion;
use SAML2\Response as ResponseMessage;
use SAML2\XML\saml\NameID;
use SAML2\XML\saml\SubjectConfirmation;
use SAML2\XML\saml\SubjectConfirmationData;

class ResponseAssertion extends Component
{
    public function create(
        User $user,
        SamlAuthnRequest $authnRequest,
        ResponseMessage $response,
        ProviderRecord $identityProvider,
        ProviderRecord $serviceProvider,
        Settings $settings
    ) {
        $assertion = new Assertion();

        $issuer = $response->getIssuer();
        if (! is_null($issuer)) {
            $assertion->setIssuer(
                $issuer
            );
        }


        $assertion->setSubjectConfirmation([
            $this->createSubjectConfirmation(
                $authnRequest,
                $serviceProvider,
                $user,
                $settings
            ),
        ]);

        $this->createConditions($assertion, $settings);


        $this->createAuthnStatement($assertion);


        $this->setAssertionAttributes(
            $user,
            $assertion,
            $serviceProvider,
            $settings
        );

        $firstDescriptor = $serviceProvider->spSsoDescriptors()[0];

        // Sign Assertions
        if ($firstDescriptor->wantAssertionsSigned()) {
            $assertion->setSignatureKey(
                $identityProvider->signingXMLSecurityKey()
            );
        }


        // Encrypt Assertions
        if ($serviceProvider->encryptAssertions) {
            $unencrypted = $assertion;

            if (is_null($serviceProvider->encryptionKey())) {
                throw new \Exception('No encryption key found for the service provider.');
            }
            $unencrypted->setEncryptionKey(
                $serviceProvider->encryptionKey()
            );

            $assertion = new EncryptedAssertion();
            $assertion->setAssertion(
                $unencrypted,
                $serviceProvider->encryptionKey()
            );
        }

        $response->setAssertions(
            [
                $assertion,
            ]
        );

        return $assertion;
    }

    /**
     * @param SamlAuthnRequest $authnRequest
     * @param User $user
     * @return SubjectConfirmation
     * @throws \Exception
     */
    protected function createSubjectConfirmation(
        SamlAuthnRequest $authnRequest,
        AbstractProvider $serviceProvider,
        User $user,
        Settings $settings
    ) {
        /**
         * Subject Confirmation
         * Reference: https://stackoverflow.com/a/29546696/1590910
         *
         * The times in the <SubjectConfirmationData> signals for how long time assertion can be tied to the subject.
         * In Web SSO where the subject confirmation method "bearer" is usually used, it means that within this time
         * we can trust that the assertion applies to the one providing the assertion. The assertion might be valid
         * for a longer time, but we must create a session within this time frame. This is described in the Web SSO
         * Profile section 4.1.4.3. The times in <SubjectConfirmationData> must fall within the interval of
         * those in <Conditions>.
         */

        $subjectConfirmation = new SubjectConfirmation();

        $subjectConfirmation->setMethod(
            Constants::CM_BEARER
        );


        // Add Subject Confirmation Data
        $subjectConfirmation->setSubjectConfirmationData(
            $subjectConfirmationData = new SubjectConfirmationData()
        );

        $subjectConfirmationData->setInResponseTo($authnRequest->getId());
        $subjectConfirmationData->setNotOnOrAfter(
            (new \DateTime(
                $settings->messageNotOnOrAfter
            ))->getTimestamp()
        );

        $subjectConfirmationData->setRecipient(
            $authnRequest->getAssertionConsumerServiceURL()
        );

        $subjectConfirmation->setNameID(
            $nameId = new NameID()
        );

        $nameId->setFormat(Constants::NAMEID_UNSPECIFIED);
        $nameId->setValue(
            $serviceProvider->assignNameId($user)
        );

        return $subjectConfirmation;
    }

    /**
     * @param Assertion $assertion
     * @throws \Exception
     */
    protected function createConditions(
        Assertion $assertion,
        Settings $settings
    ) {
        /**
         * Conditions
         * Reference: https://stackoverflow.com/a/29546696/1590910
         *
         * The times in <Conditions> is the validity of the entire assertion.
         * It should not be consumed after this time. There is nothing preventing a user
         * session on an SP to extend beyond this point in time though.
         */

        $assertion->setNotBefore(
            (new \DateTime(
                $settings->messageNotBefore
            ))->getTimestamp()
        );

        $assertion->setNotOnOrAfter(
            (new \DateTime(
                $settings->messageNotOnOrAfter
            ))->getTimestamp()
        );
    }

    /**
     * @param Assertion $assertion
     * @throws \yii\base\Exception
     * @throws \yii\base\InvalidConfigException
     */
    protected function createAuthnStatement(Assertion $assertion)
    {
        /**
         * Reference: https://stackoverflow.com/a/29546696/1590910
         *
         * SessionNotOnOrAfter is something completely different that is not directly related to the lifetime of
         * the assertion or the subject. It is a parameter the idp can use to control how long an SP session may be.
         * Please note that this parameter is defined that it SHOULD be handled by an SP according to the SAML2Core
         * spec, but far from all SP implementations do. An example of an implementation that does is as usual
         * Shibboleth, that always will respect the occurence of this parameter. When using Single Logout, this
         * parameter is more critical, as it synchronizes the timeout of the session on both the SP and the
         * Idp, to ensure that an SP does not issue a logout request for a session no longer known to the Idp.
         */
        $sessionEnd = (new \DateTime())->setTimestamp(
            ConfigHelper::durationInSeconds(
                /**
                * Use crafts user session duration
                */
                \Craft::$app->config->getGeneral()->userSessionDuration
            )
            + // Math!
            (new \DateTime())->getTimestamp()
        );

        /**
         * Add AuthnStatement attributes and AuthnContext
         */
        $assertion->setAuthnInstant((new \DateTime())->getTimestamp());
        $assertion->setSessionNotOnOrAfter(
            $sessionEnd->getTimestamp()
        );

        $assertion->setSessionIndex(
            Saml::getInstance()->getSession()->getId()
        );

        $assertion->setAuthnContextClassRef(
            Constants::AC_PASSWORD
        );
    }

    public function setAssertionAttributes(
        User $user,
        Assertion $assertion,
        ProviderRecord $serviceProvider,
        Settings $settings
    ) {

        // set on the assertion and the subject confirmations
        $assertion->setNameID(
            $nameId = new NameID()
        );

        $nameId->setFormat(Constants::NAMEID_UNSPECIFIED);
        $nameId->setValue(
            $serviceProvider->assignNameId($user)
        );


        // Check the provider first
        $attributeMap =
            $serviceProvider->hasMapping() ? $serviceProvider->getMapping() : $settings->responseAttributeMap;

        $attributes = [];
        foreach ($attributeMap as $map) {
            $map = new AttributeMap($map);
            $attributes[$map->attributeName] = $this->assignProperty(
                $user,
                $map
            );
        }

        // Add groups if configured
        if ($serviceProvider->syncGroups &&
            ($groupAttribute = $this->groupsToAttributes($user, $serviceProvider))
        ) {
            $attributes[$serviceProvider->groupsAttributeName] = $groupAttribute;
        }

        Saml::debug(json_encode($attributes));
        $assertion->setAttributes($attributes);
    }

    /**
     * @param User $user
     * @param AbstractProvider $serviceProvider
     * @return array|bool
     */
    protected function groupsToAttributes(User $user, AbstractProvider $serviceProvider)
    {
        if (count($user->getGroups()) === 0) {
            return false;
        }
        $attribute = [];
        foreach ($user->getGroups() as $group) {
            $options = $serviceProvider->getGroupOptions();
            if (! $options->shouldSync($group->id)) {
                continue;
            }

            $attribute[] = $group->name;
        }

        return $attribute;
    }

    /**
     * Utilities
     */

    /**
     * @param User $user
     * @param $attributeName
     * @param $craftProperty
     * @return array
     */
    protected function assignProperty(
        User $user,
        AttributeMap $map
    ) {
        $value = $map->renderValue($user);

        if ($value instanceof \DateTime) {
            $value = $value->format(\DateTime::ISO8601);
        }

        return [
            $map->attributeName => $value,
        ];
    }

    /**
     * @return User|false|\yii\web\IdentityInterface|null
     */
    protected function getUser()
    {
        return \Craft::$app->getUser()->getIdentity();
    }
}


1			<?php
2
3			namespace flipbox\saml\idp\services\messages;
4
5			use craft\base\Component;
6			use craft\elements\User;
7			use craft\helpers\ConfigHelper;
8			use flipbox\saml\core\models\AttributeMap;
9			use flipbox\saml\core\records\AbstractProvider;
10			use flipbox\saml\idp\models\Settings;
11			use flipbox\saml\idp\records\ProviderRecord;
12			use flipbox\saml\idp\Saml;
13			use SAML2\Assertion;
14			use SAML2\AuthnRequest as SamlAuthnRequest;
15			use SAML2\Constants;
16			use SAML2\EncryptedAssertion;
17			use SAML2\Response as ResponseMessage;
18			use SAML2\XML\saml\NameID;
19			use SAML2\XML\saml\SubjectConfirmation;
20			use SAML2\XML\saml\SubjectConfirmationData;
21
22			class ResponseAssertion extends Component
23			{
24			public function create(
25			User $user,
26			SamlAuthnRequest $authnRequest,
27			ResponseMessage $response,
28			ProviderRecord $identityProvider,
29			ProviderRecord $serviceProvider,
30			Settings $settings
31			) {
32			$assertion = new Assertion();
33
34			$issuer = $response->getIssuer();
35			if (! is_null($issuer)) {
36			$assertion->setIssuer(
37			$issuer
38			);
39			}
40
41
42			$assertion->setSubjectConfirmation([
43			$this->createSubjectConfirmation(
44			$authnRequest,
45			$serviceProvider,
46			$user,
47			$settings
48			),
49			]);
50
51			$this->createConditions($assertion, $settings);
52
53
54			$this->createAuthnStatement($assertion);
55
56
57			$this->setAssertionAttributes(
58			$user,
59			$assertion,
60			$serviceProvider,
61			$settings
62			);
63
64			$firstDescriptor = $serviceProvider->spSsoDescriptors()[0];
65
66			// Sign Assertions
67			if ($firstDescriptor->wantAssertionsSigned()) {
68			$assertion->setSignatureKey(
69			$identityProvider->signingXMLSecurityKey()
70			);
71			}
72
73
74			// Encrypt Assertions
75			if ($serviceProvider->encryptAssertions) {
76			$unencrypted = $assertion;
77
78			if (is_null($serviceProvider->encryptionKey())) {
79			throw new \Exception('No encryption key found for the service provider.');
80			}
81			$unencrypted->setEncryptionKey(
82			$serviceProvider->encryptionKey()
83			);
84
85			$assertion = new EncryptedAssertion();
86			$assertion->setAssertion(
87			$unencrypted,
88			$serviceProvider->encryptionKey()
89			);
90			}
91
92			$response->setAssertions(
93			[
94			$assertion,
95			]
96			);
97
98			return $assertion;
99			}
100
101			/**
102			* @param SamlAuthnRequest $authnRequest
103			* @param User $user
104			* @return SubjectConfirmation
105			* @throws \Exception
106			*/
107			protected function createSubjectConfirmation(
108			SamlAuthnRequest $authnRequest,
109			AbstractProvider $serviceProvider,
110			User $user,
111			Settings $settings
112			) {
113			/**
114			* Subject Confirmation
115			* Reference: https://stackoverflow.com/a/29546696/1590910
116			*
117			* The times in the <SubjectConfirmationData> signals for how long time assertion can be tied to the subject.
118			* In Web SSO where the subject confirmation method "bearer" is usually used, it means that within this time
119			* we can trust that the assertion applies to the one providing the assertion. The assertion might be valid
120			* for a longer time, but we must create a session within this time frame. This is described in the Web SSO
121			* Profile section 4.1.4.3. The times in <SubjectConfirmationData> must fall within the interval of
122			* those in <Conditions>.
123			*/
124
125			$subjectConfirmation = new SubjectConfirmation();
126
127			$subjectConfirmation->setMethod(
128			Constants::CM_BEARER
129			);
130
131
132			// Add Subject Confirmation Data
133			$subjectConfirmation->setSubjectConfirmationData(
134			$subjectConfirmationData = new SubjectConfirmationData()
135			);
136
137			$subjectConfirmationData->setInResponseTo($authnRequest->getId());
138			$subjectConfirmationData->setNotOnOrAfter(
139			(new \DateTime(
140			$settings->messageNotOnOrAfter
141			))->getTimestamp()
142			);
143
144			$subjectConfirmationData->setRecipient(
145			$authnRequest->getAssertionConsumerServiceURL()
146			);
147
148			$subjectConfirmation->setNameID(
149			$nameId = new NameID()
150			);
151
152			$nameId->setFormat(Constants::NAMEID_UNSPECIFIED);
153			$nameId->setValue(
154			$serviceProvider->assignNameId($user)
155			);
156
157			return $subjectConfirmation;
158			}
159
160			/**
161			* @param Assertion $assertion
162			* @throws \Exception
163			*/
164			protected function createConditions(
165			Assertion $assertion,
166			Settings $settings
167			) {
168			/**
169			* Conditions
170			* Reference: https://stackoverflow.com/a/29546696/1590910
171			*
172			* The times in <Conditions> is the validity of the entire assertion.
173			* It should not be consumed after this time. There is nothing preventing a user
174			* session on an SP to extend beyond this point in time though.
175			*/
176
177			$assertion->setNotBefore(
178			(new \DateTime(
179			$settings->messageNotBefore
180			))->getTimestamp()
181			);
182
183			$assertion->setNotOnOrAfter(
184			(new \DateTime(
185			$settings->messageNotOnOrAfter
186			))->getTimestamp()
187			);
188			}
189
190			/**
191			* @param Assertion $assertion
192			* @throws \yii\base\Exception
193			* @throws \yii\base\InvalidConfigException
194			*/
195			protected function createAuthnStatement(Assertion $assertion)
196			{
197			/**
198			* Reference: https://stackoverflow.com/a/29546696/1590910
199			*
200			* SessionNotOnOrAfter is something completely different that is not directly related to the lifetime of
201			* the assertion or the subject. It is a parameter the idp can use to control how long an SP session may be.
202			* Please note that this parameter is defined that it SHOULD be handled by an SP according to the SAML2Core
203			* spec, but far from all SP implementations do. An example of an implementation that does is as usual
204			* Shibboleth, that always will respect the occurence of this parameter. When using Single Logout, this
205			* parameter is more critical, as it synchronizes the timeout of the session on both the SP and the
206			* Idp, to ensure that an SP does not issue a logout request for a session no longer known to the Idp.
207			*/
208			$sessionEnd = (new \DateTime())->setTimestamp(
209			ConfigHelper::durationInSeconds(
210			/**
211			* Use crafts user session duration
212			*/
213			\Craft::$app->config->getGeneral()->userSessionDuration
214			)
215			+ // Math!
216			(new \DateTime())->getTimestamp()
217			);
218
219			/**
220			* Add AuthnStatement attributes and AuthnContext
221			*/
222			$assertion->setAuthnInstant((new \DateTime())->getTimestamp());
223			$assertion->setSessionNotOnOrAfter(
224			$sessionEnd->getTimestamp()
225			);
226
227			$assertion->setSessionIndex(
228			Saml::getInstance()->getSession()->getId()
229			);
230
231			$assertion->setAuthnContextClassRef(
232			Constants::AC_PASSWORD
233			);
234			}
235
236			public function setAssertionAttributes(
237			User $user,
238			Assertion $assertion,
239			ProviderRecord $serviceProvider,
240			Settings $settings
241			) {
242
243			// set on the assertion and the subject confirmations
244			$assertion->setNameID(
245			$nameId = new NameID()
246			);
247
248			$nameId->setFormat(Constants::NAMEID_UNSPECIFIED);
249			$nameId->setValue(
250			$serviceProvider->assignNameId($user)
251			);
252
253
254			// Check the provider first
255			$attributeMap =
256			$serviceProvider->hasMapping() ? $serviceProvider->getMapping() : $settings->responseAttributeMap;
257
258			$attributes = [];
259			foreach ($attributeMap as $map) {
260			$map = new AttributeMap($map);
261			$attributes[$map->attributeName] = $this->assignProperty(
262			$user,
263			$map
264			);
265			}
266
267			// Add groups if configured
268			if ($serviceProvider->syncGroups &&
269			($groupAttribute = $this->groupsToAttributes($user, $serviceProvider))
270			) {
271			$attributes[$serviceProvider->groupsAttributeName] = $groupAttribute;
272			}
273
274			Saml::debug(json_encode($attributes));
275			$assertion->setAttributes($attributes);
276			}
277
278			/**
279			* @param User $user
280			* @param AbstractProvider $serviceProvider
281			* @return array\|bool
282			*/
283			protected function groupsToAttributes(User $user, AbstractProvider $serviceProvider)
284			{
285			if (count($user->getGroups()) === 0) {
286			return false;
287			}
288			$attribute = [];
289			foreach ($user->getGroups() as $group) {
290			$options = $serviceProvider->getGroupOptions();
291			if (! $options->shouldSync($group->id)) {
292			continue;
293			}
294
295			$attribute[] = $group->name;
296			}
297
298			return $attribute;
299			}
300
301			/**
302			* Utilities
303			*/
304
305			/**
306			* @param User $user
307			* @param $attributeName
308			* @param $craftProperty
309			* @return array
310			*/
311			protected function assignProperty(
312			User $user,
313			AttributeMap $map
314			) {
315			$value = $map->renderValue($user);
316
317			if ($value instanceof \DateTime) {
318			$value = $value->format(\DateTime::ISO8601);
319			}
320
321			return [
322			$map->attributeName => $value,
323			];
324			}
325
326			/**
327			* @return User\|false\|\yii\web\IdentityInterface\|null
328			*/
329			protected function getUser()
330			{
331			return \Craft::$app->getUser()->getIdentity();
332			}
333			}
334

flipboxfactory / saml-idp

GitHub Access Token became invalid

Push — master ( 83faf4...2c5c59 )

ResponseAssertion::setAssertionAttributes() A

Complexity

Size

Duplication

Code Coverage

Importance

Duplication Side-by-Side

Filter issues like