Issues in Login.php - Fixed Issues - Inspection of "Merge pull request #1 from flipboxfactory/develop" - flipboxfactory/saml-sp - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 524cff...dc4813 )

unknown

created 2018-04-10 19:52 UTC

src/services/Login.php (4 issues)

Showing only issues like (Show All)

mismatching argument types.

Documentation Minor

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Created by PhpStorm.
 * User: dsmrt
 * Date: 1/11/18
 * Time: 8:30 PM
 */

namespace flipbox\saml\sp\services;


use craft\base\Component;
use craft\elements\User;
use craft\models\UserGroup;
use flipbox\keychain\records\KeyChainRecord;
use flipbox\saml\core\exceptions\InvalidMessage;
use flipbox\saml\sp\records\ProviderIdentityRecord;
use flipbox\saml\sp\Saml;
use LightSaml\Model\Assertion\Assertion;
use LightSaml\Model\Protocol\Response as SamlResponse;
use yii\base\Event;
use yii\base\UserException;

class Login extends Component
{

    const EVENT_RESPONSE_TO_USER = 'eventResponseToUser';

    /**
     * @param SamlResponse $response
     * @return \flipbox\saml\sp\records\ProviderIdentityRecord
     * @throws InvalidMessage
     * @throws UserException
     * @throws \Exception
     * @throws \Throwable
     * @throws \craft\errors\ElementNotFoundException
     * @throws \yii\base\Exception
     */
    public function login(SamlResponse $response)
    {

        $assertion = $this->getFirstAssertion($response);
        Saml::getInstance()->getResponse()->isValidTimeAssertion($assertion);
        Saml::getInstance()->getResponse()->isValidAssertion($assertion);

        /**
         * Sync User
         */
        $identity = $this->syncUser($response);

        /**
         * Log user in
         */
        if (! $this->loginUser($identity)) {
            throw new UserException("Unknown error while logging in.");
        }

        /**
         * User's successfully logged in so we can now set the lastLogin for the
         * provider identity and save it to the db.
         */
        $identity->lastLoginDate = new \DateTime();
        if (! Saml::getInstance()->getProviderIdentity()->save($identity)) {
            throw new UserException("Error while saving identity.");
        }

        return $identity;

    }

    protected function decryptAssertions(KeyChainRecord $keyChainRecord, \LightSaml\Model\Protocol\Response $response)
    {
        Saml::getInstance()->getResponse()->decryptAssertions(
            $response,
            $keyChainRecord
        );
    }

    /**
     * @param SamlResponse $response
     * @return Assertion
     * @throws InvalidMessage
     */
    public function getFirstAssertion(\LightSaml\Model\Protocol\Response $response)
    {

        $ownProvider = Saml::getInstance()->getProvider()->findOwn();

        if ($ownProvider->keychain && $response->getFirstEncryptedAssertion()) {
            $this->decryptAssertions(
                $ownProvider->keychain,
                $response
            );
        }

        $assertions = $response->getAllAssertions();

        if (! isset($assertions[0])) {
            throw new InvalidMessage("Invalid message. No assertions found in response.");
        }
        /**
         * Just grab the first one for now.
         */
        return $assertions[0];
    }

    /**
     * @param SamlResponse $response
     * @return \flipbox\saml\sp\records\ProviderIdentityRecord
     * @throws InvalidMessage
     * @throws UserException
     * @throws \Throwable
     * @throws \craft\errors\ElementNotFoundException
     * @throws \yii\base\Exception
     */
    protected function syncUser(\LightSaml\Model\Protocol\Response $response)
    {

        $assertion = $this->getFirstAssertion($response);

        /**
         * Get username from the NameID
         * @todo Give an option to map another attribute value to $username (like email)
         */
        $nameId = $username = $assertion->getSubject()->getNameID()->getValue();

        $idpProvider = Saml::getInstance()->getProvider()->findByEntityId(
            $response->getIssuer()->getValue()
        );

        /** @var \flipbox\saml\sp\records\ProviderIdentityRecord $identity */
        if (! $identity = Saml::getInstance()->getProviderIdentity()->findByNameId(
            $nameId,
            $idpProvider
        )) {
            if (! Saml::getInstance()->getSettings()->createUser) {
                throw new UserException("System doesn't have permission to create a new user.");
            }
        }

        /**
         * Is there a user that exists already?
         */
        if ($user = $this->getUserByUsernameOrEmail($username)) {
            /**
             * System check for whether we are allowed merge with this this user
             */
            if (! Saml::getInstance()->getSettings()->mergeLocalUsers) {
                //don't continue
                throw new UserException(
                    sprintf(
                        "User (%s) already exists.",
                        $username
                    )
                );
            }
        } else {
            /**
             *
             */
            if ($user = $this->getUserByUsernameOrEmail($username, true)) {

                /**
                 * System check for whether we are allowed merge with this this user
                 */
                if (! Saml::getInstance()->getSettings()->mergeLocalUsers) {
                    //don't continue
                    throw new UserException(
                        sprintf(
                            "User (%s) already exists.",
                            $username
                        )
                    );
                }
            } else {
                /**
                 * New User
                 */
                $user = new User([
                    'username' => $username
                ]);

            }
        }

        if (! $this->isUserActive($user)) {
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
            if (! Saml::getInstance()->getSettings()->enableUsers) {
                throw new UserException('User access denied.');
            }
            $this->enableUser($user);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
        }


        $this->transformToUser($response, $user);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);

        /**
         * After event for Metadata creation
         */
        $event = new Event();
        $event->sender = $response;
        $event->data = $user;

        $this->trigger(
            static::EVENT_RESPONSE_TO_USER,
            $event
        );

        if (! \Craft::$app->getElements()->saveElement($user)) {
            throw new UserException("User save failed.");
        }

        /**
         * Sync groups depending on the plugin setting.
         */
        if (Saml::getInstance()->getSettings()->syncGroups) {
            $this->syncUserGroupsByAssertion($user, $assertion);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
        }

        $sessionIndex = null;
        if ($assertion->hasAnySessionIndex()) {
            $sessionIndex = $assertion->getFirstAuthnStatement()->getSessionIndex();
        }

        /**
         * Create the new identity if one wasn't found above.
         * Since we now have the user id, and we might not have above,
         * do this last.
         */
        if (! $identity) {
            $identity = new ProviderIdentityRecord([
                'providerId' => $idpProvider->id,
                'nameId'     => $username,
                'userId'     => $user->id,
            ]);
        }

        $identity->enabled = true;
        $identity->sessionId = $sessionIndex;
        return $identity;
    }

    /**
     * @param $emailOrUsername
     * @return array|\craft\base\ElementInterface|User|null
     */
    protected function getUserByUsernameOrEmail($usernameOrEmail, bool $archived = false)
    {

        return User::find()
            ->where([
                'or',
                ['username' => $usernameOrEmail],
                ['email' => $usernameOrEmail]
            ])
            ->addSelect(['users.password', 'users.passwordResetRequired'])
            ->status(null)
            ->archived($archived)
            ->one();
    }

    /**
     * @param User $user
     * @throws \Throwable
     */
    protected function enableUser(User $user)
    {
        if ($this->isUserSuspended($user)) {
            \Craft::$app->getUsers()->unsuspendUser($user);
        }

        if ($this->isUserLocked($user)) {
            \Craft::$app->getUsers()->unlockUser($user);
        }

        if (! $user->enabled) {
            $user->enabled = true;
        }

        if ($user->archived) {
            $user->archived = false;
        }

        if (! $this->isUserActive($user)) {
            \Craft::$app->getUsers()->activateUser($user);
        }
    }

    /**
     * @param User $user
     * @return bool
     */
    protected function isUserPending(User $user)
    {
        return false === $this->isUserActive($user) &&
            $user->getStatus() === User::STATUS_PENDING;
    }

    /**
     * @param User $user
     * @return bool
     */
    protected function isUserArchived(User $user)
    {
        return false === $this->isUserActive($user) &&
            $user->getStatus() === User::STATUS_ARCHIVED;
    }

    /**
     * @param User $user
     * @return bool
     */
    protected function isUserLocked(User $user)
    {
        return false === $this->isUserActive($user) &&
            $user->getStatus() === User::STATUS_LOCKED;
    }

    /**
     * @param User $user
     * @return bool
     */
    protected function isUserSuspended(User $user)
    {
        return false === $this->isUserActive($user) &&
            $user->getStatus() === User::STATUS_SUSPENDED;
    }

    /**
     * @param User $user
     * @return bool
     */
    protected function isUserActive(User $user)
    {
        return $user->getStatus() === User::STATUS_ACTIVE;
    }

    /**
     * @param User $user
     * @param Assertion $assertion
     * @return bool
     * @throws UserException
     */
    protected function syncUserGroupsByAssertion(User $user, Assertion $assertion)
    {
        $groupNames = Saml::getInstance()->getSettings()->groupAttributeNames;
        $groups = [];
        foreach ($assertion->getFirstAttributeStatement()->getAllAttributes() as $attribute) {
            /**
             * Is there a group name match?
             * Match the attribute name to the specified name in the plugin settings
             */
            if (in_array($attribute->getName(), $groupNames)) {
                /**
                 * Loop thru all of the attributes values because they could have multiple values.
                 * Example XML:
                 * <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                 *   <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 *           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">craft_admin</saml2:AttributeValue>
                 *   <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                 *           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">craft_member</saml2:AttributeValue>
                 * </saml2:Attribute>
                 */

                foreach ($attribute->getAllAttributeValues() as $value) {
                    if ($group = $this->findOrCreateUserGroup($value)) {
                        $groups[] = $group->id;
                    }
                }

            }
        }
        /**
         * just return if this is empty
         */
        if (empty($groups)) {
            return true;
        }

        return \Craft::$app->getUsers()->assignUserToGroups($user->id, $groups);

    }


    /**
     * @param SamlResponse $response
     * @param User $user
     * @return User
     */
    protected function transformToUser(\LightSaml\Model\Protocol\Response $response, User $user)
    {
        $assertion = $response->getFirstAssertion();

        $attributeMap = Saml::getInstance()->getSettings()->responseAttributeMap;
        /**
         * Loop thru attributes and set to the user
         */
        foreach ($assertion->getFirstAttributeStatement()->getAllAttributes() as $attribute) {
            if (isset($attributeMap[$attribute->getName()])) {
                $craftProperty = $attributeMap[$attribute->getName()];

                //check if it exists as a property first
                if (property_exists($user, $craftProperty)) {
                    $user->{$craftProperty} = $attribute->getFirstAttributeValue();
                } else {
                    if (is_callable($craftProperty)) {
                        call_user_func($craftProperty, $user, $attribute);
                    }
                }
            }
        }

        return $user;

    }

    /**
     * @param $groupHandle
     * @return UserGroup
     * @throws UserException
     * @throws \craft\errors\WrongEditionException
     */
    protected function findOrCreateUserGroup($groupHandle): UserGroup
    {

        if (! $userGroup = \Craft::$app->getUserGroups()->getGroupByHandle($groupHandle)) {
            if (! \Craft::$app->getUserGroups()->saveGroup($userGroup = new UserGroup([
                'name'   => $groupHandle,
                'handle' => $groupHandle,
            ]))) {
                throw new UserException("Error saving new group {$groupHandle}");
            }
        }

        return $userGroup;

    }

    /**
     * @param ProviderIdentityRecord $identity
     * @return bool
     * @throws UserException
     * @throws \Throwable
     */
    protected function loginUser(\flipbox\saml\sp\records\ProviderIdentityRecord $identity)
    {
        if ($identity->getUser()->getStatus() !== User::STATUS_ACTIVE) {
            if (! \Craft::$app->getUsers()->activateUser($identity->getUser())) {
                throw new UserException("Can't activate user.");
            }
        }

        if (\Craft::$app->getUser()->login(
            $identity->getUser(),
            /** @todo read session duration from the response */
            \Craft::$app->getConfig()->getGeneral()->userSessionDuration
        )) {
            $identity->lastLoginDate = new \DateTime();
        } else {
            throw new UserException("User login failed.");
        }

        return true;
    }

}

1			<?php
2			/**
3			* Created by PhpStorm.
4			* User: dsmrt
5			* Date: 1/11/18
6			* Time: 8:30 PM
7			*/
8
9			namespace flipbox\saml\sp\services;
10
11
12			use craft\base\Component;
13			use craft\elements\User;
14			use craft\models\UserGroup;
15			use flipbox\keychain\records\KeyChainRecord;
16			use flipbox\saml\core\exceptions\InvalidMessage;
17			use flipbox\saml\sp\records\ProviderIdentityRecord;
18			use flipbox\saml\sp\Saml;
19			use LightSaml\Model\Assertion\Assertion;
20			use LightSaml\Model\Protocol\Response as SamlResponse;
21			use yii\base\Event;
22			use yii\base\UserException;
23
24			class Login extends Component
25			{
26
27			const EVENT_RESPONSE_TO_USER = 'eventResponseToUser';
28
29			/**
30			* @param SamlResponse $response
31			* @return \flipbox\saml\sp\records\ProviderIdentityRecord
32			* @throws InvalidMessage
33			* @throws UserException
34			* @throws \Exception
35			* @throws \Throwable
36			* @throws \craft\errors\ElementNotFoundException
37			* @throws \yii\base\Exception
38			*/
39			public function login(SamlResponse $response)
40			{
41
42			$assertion = $this->getFirstAssertion($response);
43			Saml::getInstance()->getResponse()->isValidTimeAssertion($assertion);
44			Saml::getInstance()->getResponse()->isValidAssertion($assertion);
45
46			/**
47			* Sync User
48			*/
49			$identity = $this->syncUser($response);
50
51			/**
52			* Log user in
53			*/
54			if (! $this->loginUser($identity)) {
55			throw new UserException("Unknown error while logging in.");
56			}
57
58			/**
59			* User's successfully logged in so we can now set the lastLogin for the
60			* provider identity and save it to the db.
61			*/
62			$identity->lastLoginDate = new \DateTime();
63			if (! Saml::getInstance()->getProviderIdentity()->save($identity)) {
64			throw new UserException("Error while saving identity.");
65			}
66
67			return $identity;
68
69			}
70
71			protected function decryptAssertions(KeyChainRecord $keyChainRecord, \LightSaml\Model\Protocol\Response $response)
72			{
73			Saml::getInstance()->getResponse()->decryptAssertions(
74			$response,
75			$keyChainRecord
76			);
77			}
78
79			/**
80			* @param SamlResponse $response
81			* @return Assertion
82			* @throws InvalidMessage
83			*/
84			public function getFirstAssertion(\LightSaml\Model\Protocol\Response $response)
85			{
86
87			$ownProvider = Saml::getInstance()->getProvider()->findOwn();
88
89			if ($ownProvider->keychain && $response->getFirstEncryptedAssertion()) {
90			$this->decryptAssertions(
91			$ownProvider->keychain,
92			$response
93			);
94			}
95
96			$assertions = $response->getAllAssertions();
97
98			if (! isset($assertions[0])) {
99			throw new InvalidMessage("Invalid message. No assertions found in response.");
100			}
101			/**
102			* Just grab the first one for now.
103			*/
104			return $assertions[0];
105			}
106
107			/**
108			* @param SamlResponse $response
109			* @return \flipbox\saml\sp\records\ProviderIdentityRecord
110			* @throws InvalidMessage
111			* @throws UserException
112			* @throws \Throwable
113			* @throws \craft\errors\ElementNotFoundException
114			* @throws \yii\base\Exception
115			*/
116			protected function syncUser(\LightSaml\Model\Protocol\Response $response)
117			{
118
119			$assertion = $this->getFirstAssertion($response);
120
121			/**
122			* Get username from the NameID
123			* @todo Give an option to map another attribute value to $username (like email)
124			*/
125			$nameId = $username = $assertion->getSubject()->getNameID()->getValue();
126
127			$idpProvider = Saml::getInstance()->getProvider()->findByEntityId(
128			$response->getIssuer()->getValue()
129			);
130
131			/** @var \flipbox\saml\sp\records\ProviderIdentityRecord $identity */
132			if (! $identity = Saml::getInstance()->getProviderIdentity()->findByNameId(
133			$nameId,
134			$idpProvider
135			)) {
136			if (! Saml::getInstance()->getSettings()->createUser) {
137			throw new UserException("System doesn't have permission to create a new user.");
138			}
139			}
140
141			/**
142			* Is there a user that exists already?
143			*/
144			if ($user = $this->getUserByUsernameOrEmail($username)) {
145			/**
146			* System check for whether we are allowed merge with this this user
147			*/
148			if (! Saml::getInstance()->getSettings()->mergeLocalUsers) {
149			//don't continue
150			throw new UserException(
151			sprintf(
152			"User (%s) already exists.",
153			$username
154			)
155			);
156			}
157			} else {
158			/**
159			*
160			*/
161			if ($user = $this->getUserByUsernameOrEmail($username, true)) {
162
163			/**
164			* System check for whether we are allowed merge with this this user
165			*/
166			if (! Saml::getInstance()->getSettings()->mergeLocalUsers) {
167			//don't continue
168			throw new UserException(
169			sprintf(
170			"User (%s) already exists.",
171			$username
172			)
173			);
174			}
175			} else {
176			/**
177			* New User
178			*/
179			$user = new User([
180			'username' => $username
181			]);
182
183			}
184			}
185
186			if (! $this->isUserActive($user)) {
			0 ignored issues – show Documentation introduced 2018-04-10 19:48 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$user` is of type `array\|object<craft\base\ElementInterface>`, but the function expects a `object<craft\elements\User>`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
187			if (! Saml::getInstance()->getSettings()->enableUsers) {
188			throw new UserException('User access denied.');
189			}
190			$this->enableUser($user);
			0 ignored issues – show Documentation introduced 2018-04-10 19:48 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$user` is of type `array\|object<craft\base\ElementInterface>`, but the function expects a `object<craft\elements\User>`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
191			}
192
193
194			$this->transformToUser($response, $user);
			0 ignored issues – show Documentation introduced 2018-04-10 19:48 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$user` is of type `array\|object<craft\base\ElementInterface>`, but the function expects a `object<craft\elements\User>`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
195
196			/**
197			* After event for Metadata creation
198			*/
199			$event = new Event();
200			$event->sender = $response;
201			$event->data = $user;
202
203			$this->trigger(
204			static::EVENT_RESPONSE_TO_USER,
205			$event
206			);
207
208			if (! \Craft::$app->getElements()->saveElement($user)) {
209			throw new UserException("User save failed.");
210			}
211
212			/**
213			* Sync groups depending on the plugin setting.
214			*/
215			if (Saml::getInstance()->getSettings()->syncGroups) {
216			$this->syncUserGroupsByAssertion($user, $assertion);
			0 ignored issues – show Documentation introduced 2018-04-10 19:48 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$user` is of type `array\|object<craft\base\ElementInterface>`, but the function expects a `object<craft\elements\User>`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
217			}
218
219			$sessionIndex = null;
220			if ($assertion->hasAnySessionIndex()) {
221			$sessionIndex = $assertion->getFirstAuthnStatement()->getSessionIndex();
222			}
223
224			/**
225			* Create the new identity if one wasn't found above.
226			* Since we now have the user id, and we might not have above,
227			* do this last.
228			*/
229			if (! $identity) {
230			$identity = new ProviderIdentityRecord([
231			'providerId' => $idpProvider->id,
232			'nameId' => $username,
233			'userId' => $user->id,
234			]);
235			}
236
237			$identity->enabled = true;
238			$identity->sessionId = $sessionIndex;
239			return $identity;
240			}
241
242			/**
243			* @param $emailOrUsername
244			* @return array\|\craft\base\ElementInterface\|User\|null
245			*/
246			protected function getUserByUsernameOrEmail($usernameOrEmail, bool $archived = false)
247			{
248
249			return User::find()
250			->where([
251			'or',
252			['username' => $usernameOrEmail],
253			['email' => $usernameOrEmail]
254			])
255			->addSelect(['users.password', 'users.passwordResetRequired'])
256			->status(null)
257			->archived($archived)
258			->one();
259			}
260
261			/**
262			* @param User $user
263			* @throws \Throwable
264			*/
265			protected function enableUser(User $user)
266			{
267			if ($this->isUserSuspended($user)) {
268			\Craft::$app->getUsers()->unsuspendUser($user);
269			}
270
271			if ($this->isUserLocked($user)) {
272			\Craft::$app->getUsers()->unlockUser($user);
273			}
274
275			if (! $user->enabled) {
276			$user->enabled = true;
277			}
278
279			if ($user->archived) {
280			$user->archived = false;
281			}
282
283			if (! $this->isUserActive($user)) {
284			\Craft::$app->getUsers()->activateUser($user);
285			}
286			}
287
288			/**
289			* @param User $user
290			* @return bool
291			*/
292			protected function isUserPending(User $user)
293			{
294			return false === $this->isUserActive($user) &&
295			$user->getStatus() === User::STATUS_PENDING;
296			}
297
298			/**
299			* @param User $user
300			* @return bool
301			*/
302			protected function isUserArchived(User $user)
303			{
304			return false === $this->isUserActive($user) &&
305			$user->getStatus() === User::STATUS_ARCHIVED;
306			}
307
308			/**
309			* @param User $user
310			* @return bool
311			*/
312			protected function isUserLocked(User $user)
313			{
314			return false === $this->isUserActive($user) &&
315			$user->getStatus() === User::STATUS_LOCKED;
316			}
317
318			/**
319			* @param User $user
320			* @return bool
321			*/
322			protected function isUserSuspended(User $user)
323			{
324			return false === $this->isUserActive($user) &&
325			$user->getStatus() === User::STATUS_SUSPENDED;
326			}
327
328			/**
329			* @param User $user
330			* @return bool
331			*/
332			protected function isUserActive(User $user)
333			{
334			return $user->getStatus() === User::STATUS_ACTIVE;
335			}
336
337			/**
338			* @param User $user
339			* @param Assertion $assertion
340			* @return bool
341			* @throws UserException
342			*/
343			protected function syncUserGroupsByAssertion(User $user, Assertion $assertion)
344			{
345			$groupNames = Saml::getInstance()->getSettings()->groupAttributeNames;
346			$groups = [];
347			foreach ($assertion->getFirstAttributeStatement()->getAllAttributes() as $attribute) {
348			/**
349			* Is there a group name match?
350			* Match the attribute name to the specified name in the plugin settings
351			*/
352			if (in_array($attribute->getName(), $groupNames)) {
353			/**
354			* Loop thru all of the attributes values because they could have multiple values.
355			* Example XML:
356			* <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
357			* <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
358			* xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">craft_admin</saml2:AttributeValue>
359			* <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
360			* xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">craft_member</saml2:AttributeValue>
361			* </saml2:Attribute>
362			*/
363
364			foreach ($attribute->getAllAttributeValues() as $value) {
365			if ($group = $this->findOrCreateUserGroup($value)) {
366			$groups[] = $group->id;
367			}
368			}
369
370			}
371			}
372			/**
373			* just return if this is empty
374			*/
375			if (empty($groups)) {
376			return true;
377			}
378
379			return \Craft::$app->getUsers()->assignUserToGroups($user->id, $groups);
380
381			}
382
383
384			/**
385			* @param SamlResponse $response
386			* @param User $user
387			* @return User
388			*/
389			protected function transformToUser(\LightSaml\Model\Protocol\Response $response, User $user)
390			{
391			$assertion = $response->getFirstAssertion();
392
393			$attributeMap = Saml::getInstance()->getSettings()->responseAttributeMap;
394			/**
395			* Loop thru attributes and set to the user
396			*/
397			foreach ($assertion->getFirstAttributeStatement()->getAllAttributes() as $attribute) {
398			if (isset($attributeMap[$attribute->getName()])) {
399			$craftProperty = $attributeMap[$attribute->getName()];
400
401			//check if it exists as a property first
402			if (property_exists($user, $craftProperty)) {
403			$user->{$craftProperty} = $attribute->getFirstAttributeValue();
404			} else {
405			if (is_callable($craftProperty)) {
406			call_user_func($craftProperty, $user, $attribute);
407			}
408			}
409			}
410			}
411
412			return $user;
413
414			}
415
416			/**
417			* @param $groupHandle
418			* @return UserGroup
419			* @throws UserException
420			* @throws \craft\errors\WrongEditionException
421			*/
422			protected function findOrCreateUserGroup($groupHandle): UserGroup
423			{
424
425			if (! $userGroup = \Craft::$app->getUserGroups()->getGroupByHandle($groupHandle)) {
426			if (! \Craft::$app->getUserGroups()->saveGroup($userGroup = new UserGroup([
427			'name' => $groupHandle,
428			'handle' => $groupHandle,
429			]))) {
430			throw new UserException("Error saving new group {$groupHandle}");
431			}
432			}
433
434			return $userGroup;
435
436			}
437
438			/**
439			* @param ProviderIdentityRecord $identity
440			* @return bool
441			* @throws UserException
442			* @throws \Throwable
443			*/
444			protected function loginUser(\flipbox\saml\sp\records\ProviderIdentityRecord $identity)
445			{
446			if ($identity->getUser()->getStatus() !== User::STATUS_ACTIVE) {
447			if (! \Craft::$app->getUsers()->activateUser($identity->getUser())) {
448			throw new UserException("Can't activate user.");
449			}
450			}
451
452			if (\Craft::$app->getUser()->login(
453			$identity->getUser(),
454			/** @todo read session duration from the response */
455			\Craft::$app->getConfig()->getGeneral()->userSessionDuration
456			)) {
457			$identity->lastLoginDate = new \DateTime();
458			} else {
459			throw new UserException("User login failed.");
460			}
461
462			return true;
463			}
464
465			}

flipboxfactory / saml-sp

Push — master ( 524cff...dc4813 )

src/services/Login.php (4 issues)

Showing only issues like (Show All)

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like