Oidc::verifyUserinfo() - Code Metrics - Inspection of "token verification via userinfo AND rfc7662" - gyselroth/micro - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — master (#7)

unknown

created 2017-11-14 15:26 UTC

Oidc::verifyUserinfo() A

↳ Parent: Oidc

Complexity

Conditions	3
Paths	3

Size

Total Lines	20
Code Lines	11

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	20
rs	9.4285
c	0
b	0
f	0
cc	3
eloc	11
nc	3
nop	2

<?php
declare(strict_types = 1);

/**
 * Micro
 *
 * @author    Raffael Sahli <[email protected]>
 * @copyright Copyright (c) 2017 gyselroth GmbH (https://gyselroth.com)
 * @license   MIT https://opensource.org/licenses/MIT
 */

namespace Micro\Auth\Adapter;

use \Psr\Log\LoggerInterface;
use \Micro\Auth\Exception;

class Oidc extends AbstractAdapter
{
    /**
     * OpenID-connect discovery path
     */
    CONST DISCOVERY_PATH = '/.well-known/openid-configuration';


    /**
     * OpenID-connect provider url
     *
     * @var string
     */
    protected $provider_url = 'https://oidc.example.org';


    /**
     * Token validation endpoint (rfc7662)
     *
     * @var string
     */
    protected $token_validation_url;


    /**
     * Identity attribute
     *
     * @var string
     */
    protected $identity_attribute = 'preferred_username';


    /**
     * Attributes
     *
     * @var array
     */
    protected $attributes = [];


    /**
     * Access token
     *
     * @var string
     */
    private $access_token;


    /**
     * Init adapter
     *
     * @param   LoggerInterface $logger
     * @param   Iterable $config
     * @return  void

     */
    public function __construct(LoggerInterface $logger, ?Iterable $config=null)
    {
        $this->logger = $logger;
        $this->setOptions($config);
    }


    /**
     * Set options
     *
     * @param   Iterable $config
     * @return  AdapterInterface
     */
    public function setOptions(? Iterable $config = null) : AdapterInterface
    {
        if ($config === null) {
            return $this;
        }

        foreach($config as $option => $value) {
            switch($option) {
                case 'provider_url':
switch ($expr) {
    case "A": { //wrong
        doSomething();
        break;
    }
    case "B"; //wrong
        doSomething();
        break;
    case "C": //right
        doSomething();
        break;
}
                case 'token_validation_url':
                case 'identity_attribute':
                    $this->{$option} = (string)$value;
                    unset($config[$option]);
                break;
            }
        }

        return  parent::setOptions($config);
    }


    /**
     * Authenticate
     *
     * @return bool
     */
    public function authenticate(): bool
    {
        if (!isset($_SERVER['HTTP_AUTHORIZATION'])) {
            $this->logger->debug('skip auth adapter ['.get_class($this).'], no http authorization header or access_token param found', [
                'category' => get_class($this)
            ]);

            return false;
        } else {
            $header = $_SERVER['HTTP_AUTHORIZATION'];
            $parts  = explode(' ', $header);

            if ($parts[0] == 'Bearer') {
                $this->logger->debug('found http bearer authorization header', [
                    'category' => get_class($this)
                ]);

                return $this->verifyToken($parts[1]);
            } else {
                $this->logger->debug('http authorization header contains no bearer string or invalid authentication string', [
                    'category' => get_class($this)
                ]);

                return false;
            }
        }
    }


    /**
     * Get discovery url
     *
     * @return string
     */
    public function getDiscoveryUrl(): string
    {
        return $this->provider_url.self::DISCOVERY_PATH;
    }


    /**
     * Get discovery document
     *
     * @return array
     */
    public function getDiscoveryDocument(): array
    {
        if ($apc = extension_loaded('apc') && apc_exists($this->provider_url)) {

            return apc_get($this->provider_url);
        } else {
            $ch = curl_init();
            $url = $this->getDiscoveryUrl();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

            $this->logger->debug('fetch openid-connect discovery document from ['.$url.']', [
                'category' => get_class($this)
            ]);

            $result = curl_exec($ch);
            $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);

            if($code === 200) {
                $discovery = json_decode($result, true);
                $this->logger->debug('received openid-connect discovery document from ['.$url.']', [
                    'category' => get_class($this),
                    'discovery'=> $discovery
                ]);

                if ($apc === true) {
                    apc_store($this->provider_url, $discovery);
                }

                return $discovery;
            } else {
                $this->logger->error('failed to receive openid-connect discovery document from ['.$url.'], request ended with status ['.$code.']', [
                    'category' => get_class($this),
                ]);

                throw new Exception('failed to get openid-connect discovery document');
            }
        }
    }


    /**
     * Token verification
     *
     * @param   string $token
     * @return  bool
     */
    protected function verifyToken(string $token): bool
    {
        if($this->token_validation_url) {
            $this->logger->debug('validate oauth2 token via rfc7662 token validation endpoint ['.$this->token_validation_url.']', [
               'category' => get_class($this),
            ]);

            $url = str_replace('{token}', $token, $this->token_validation_url);
            $verification = 'verifyIntrospection';
        } else {
            $discovery = $this->getDiscoveryDocument();
            if (!(isset($discovery['userinfo_endpoint']))) {
                throw new Exception('userinfo_endpoint could not be determained');
            }

            $this->logger->debug('validate token via openid-connect userinfo_endpoint ['.$discovery['userinfo_endpoint'].']', [
               'category' => get_class($this),
            ]);

            $url = $discovery['userinfo_endpoint'].'?access_token='.$token;
            $verification = 'verifyUserinfo';
        }

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        $response = json_decode($result, true);

        if ($this->$verification($code, $response)) {
            $this->access_token = $token;
            return true;
        }

        $this->logger->error('failed verify oauth2 access token via authorization server, received status ['.$code.']', [
           'category' => get_class($this),
        ]);

        return false;
    }


    /**
     * Introspection verification
     *
     * @param   int $code
     * @param   array $response
     * @return  bool
     */
    protected function verifyIntrospection(int $code, array $response): bool
    {
        if ($code !== 200) {
            return false;
        }

        if($response['active']) {
            $this->logger->debug('successfully verified oauth2 access token via authorization server', [
               'category' => get_class($this),
            ]);

            if(!isset($response['username'])) {
                throw new Exception('attribute \'username\' not found in oauth2 response');
            }

            $this->identifier = $response['username'];

            return true;
        }

        return false;
    }


    /**
     * Userinfo verification
     *
     * @param   int $code
     * @param   array $response
     * @return  bool
     */
    protected function verifyUserinfo(int $code, ?array $response): bool
    {
        if ($code === 200) {
            $attributes = $response;
            $this->logger->debug('successfully verified oauth2 access token via authorization server', [
               'category' => get_class($this),
            ]);

            if(!isset($attributes[$this->identity_attribute])) {
                throw new Exception('identity attribute '.$this->identity_attribute.' not found in oauth2 response');
            }

            $this->identifier = $attributes['preferred_username'];
            $this->attributes = $attributes;

            return true;
        }

        return false;
    }


    /**
     * Get attributes
     *
     * @return array
     */
    public function getAttributes(): array
    {
        if(count($this->attributes) !== 0) {
            return $this->attributes;
        }

        $discovery = $this->getDiscoveryDocument();
        if (!(isset($discovery['authorization_endpoint']))) {
            throw new Exception('authorization_endpoint could not be determained');
        }

        $this->logger->debug('fetch user attributes from userinfo_endpoint ['.$discovery['userinfo_endpoint'].']', [
           'category' => get_class($this),
        ]);

        $url = $discovery['userinfo_endpoint'].'?access_token='.$this->access_token;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        $response = json_decode($result, true);
$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}

        if($code === 200) {
            $attributes = json_decode($result, true);
            $this->logger->debug('successfully requested user attributes from userinfo_endpoint', [
               'category' => get_class($this),
            ]);

            return $this->attributes = $attributes;
        } else {
            $this->logger->error('failed requesting user attributes from userinfo_endpoint, status code ['.$code.']', [
               'category' => get_class($this),
            ]);

            throw new Exception('failed requesting user attribute from userinfo_endpoint');
        }

    }
}


1			<?php
2			declare(strict_types = 1);
3
4			/**
5			* Micro
6			*
7			* @author Raffael Sahli <[email protected]>
8			* @copyright Copyright (c) 2017 gyselroth GmbH (https://gyselroth.com)
9			* @license MIT https://opensource.org/licenses/MIT
10			*/
11
12			namespace Micro\Auth\Adapter;
13
14			use \Psr\Log\LoggerInterface;
15			use \Micro\Auth\Exception;
16
17			class Oidc extends AbstractAdapter
18			{
19			/**
20			* OpenID-connect discovery path
21			*/
22			CONST DISCOVERY_PATH = '/.well-known/openid-configuration';
23
24
25			/**
26			* OpenID-connect provider url
27			*
28			* @var string
29			*/
30			protected $provider_url = 'https://oidc.example.org';
31
32
33			/**
34			* Token validation endpoint (rfc7662)
35			*
36			* @var string
37			*/
38			protected $token_validation_url;
39
40
41			/**
42			* Identity attribute
43			*
44			* @var string
45			*/
46			protected $identity_attribute = 'preferred_username';
47
48
49			/**
50			* Attributes
51			*
52			* @var array
53			*/
54			protected $attributes = [];
55
56
57			/**
58			* Access token
59			*
60			* @var string
61			*/
62			private $access_token;
63
64
65			/**
66			* Init adapter
67			*
68			* @param LoggerInterface $logger
69			* @param Iterable $config
70			* @return void
			0 ignored issues – show Comprehensibility Best Practice introduced 2017-06-21 11:15 UTC by Report Bug Copy Issue Report Adding a `@return` annotation to constructors is generally not recommended as a constructor does not have a meaningful return value. Adding a `@return` annotation to a constructor is not recommended, since a constructor does not have a meaningful return value. Please refer to the PHP core documentation on constructors. Loading history...
71			*/
72			public function __construct(LoggerInterface $logger, ?Iterable $config=null)
73			{
74			$this->logger = $logger;
75			$this->setOptions($config);
76			}
77
78
79			/**
80			* Set options
81			*
82			* @param Iterable $config
83			* @return AdapterInterface
84			*/
85			public function setOptions(? Iterable $config = null) : AdapterInterface
86			{
87			if ($config === null) {
88			return $this;
89			}
90
91			foreach($config as $option => $value) {
92			switch($option) {
93			case 'provider_url':
			0 ignored issues – show Coding Style introduced 2017-10-19 15:32 UTC by Report Bug Copy Issue Report `case` statements should be defined using a colon. As per the PSR-2 coding standard, case statements should not be wrapped in curly braces. There is no need for braces, since each case is terminated by the next `break`. There is also the option to use a semicolon instead of a colon, this is discouraged because many programmers do not even know it works and the colon is universal between programming languages. switch ($expr) { case "A": { //wrong doSomething(); break; } case "B"; //wrong doSomething(); break; case "C": //right doSomething(); break; } To learn more about the PSR-2 coding standard, please refer to the PHP-Fig. Loading history...
94			case 'token_validation_url':
95			case 'identity_attribute':
96			$this->{$option} = (string)$value;
97			unset($config[$option]);
98			break;
99			}
100			}
101
102			return parent::setOptions($config);
103			}
104
105
106			/**
107			* Authenticate
108			*
109			* @return bool
110			*/
111			public function authenticate(): bool
112			{
113			if (!isset($_SERVER['HTTP_AUTHORIZATION'])) {
114			$this->logger->debug('skip auth adapter ['.get_class($this).'], no http authorization header or access_token param found', [
115			'category' => get_class($this)
116			]);
117
118			return false;
119			} else {
120			$header = $_SERVER['HTTP_AUTHORIZATION'];
121			$parts = explode(' ', $header);
122
123			if ($parts[0] == 'Bearer') {
124			$this->logger->debug('found http bearer authorization header', [
125			'category' => get_class($this)
126			]);
127
128			return $this->verifyToken($parts[1]);
129			} else {
130			$this->logger->debug('http authorization header contains no bearer string or invalid authentication string', [
131			'category' => get_class($this)
132			]);
133
134			return false;
135			}
136			}
137			}
138
139
140			/**
141			* Get discovery url
142			*
143			* @return string
144			*/
145			public function getDiscoveryUrl(): string
146			{
147			return $this->provider_url.self::DISCOVERY_PATH;
148			}
149
150
151			/**
152			* Get discovery document
153			*
154			* @return array
155			*/
156			public function getDiscoveryDocument(): array
157			{
158			if ($apc = extension_loaded('apc') && apc_exists($this->provider_url)) {
			0 ignored issues – show Comprehensibility introduced 2017-08-10 14:48 UTC by Report Bug Copy Issue Report Consider adding parentheses for clarity. Current Interpretation: `$apc = (extension_loaded...s($this->provider_url))`, Probably Intended Meaning: `($apc = extension_loaded...ts($this->provider_url)` Loading history...
159			return apc_get($this->provider_url);
160			} else {
161			$ch = curl_init();
162			$url = $this->getDiscoveryUrl();
163			curl_setopt($ch, CURLOPT_URL, $url);
164			curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
165
166			$this->logger->debug('fetch openid-connect discovery document from ['.$url.']', [
167			'category' => get_class($this)
168			]);
169
170			$result = curl_exec($ch);
171			$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
172			curl_close($ch);
173
174			if($code === 200) {
175			$discovery = json_decode($result, true);
176			$this->logger->debug('received openid-connect discovery document from ['.$url.']', [
177			'category' => get_class($this),
178			'discovery'=> $discovery
179			]);
180
181			if ($apc === true) {
182			apc_store($this->provider_url, $discovery);
183			}
184
185			return $discovery;
186			} else {
187			$this->logger->error('failed to receive openid-connect discovery document from ['.$url.'], request ended with status ['.$code.']', [
188			'category' => get_class($this),
189			]);
190
191			throw new Exception('failed to get openid-connect discovery document');
192			}
193			}
194			}
195
196
197			/**
198			* Token verification
199			*
200			* @param string $token
201			* @return bool
202			*/
203			protected function verifyToken(string $token): bool
204			{
205			if($this->token_validation_url) {
206			$this->logger->debug('validate oauth2 token via rfc7662 token validation endpoint ['.$this->token_validation_url.']', [
207			'category' => get_class($this),
208			]);
209
210			$url = str_replace('{token}', $token, $this->token_validation_url);
211			$verification = 'verifyIntrospection';
212			} else {
213			$discovery = $this->getDiscoveryDocument();
214			if (!(isset($discovery['userinfo_endpoint']))) {
215			throw new Exception('userinfo_endpoint could not be determained');
216			}
217
218			$this->logger->debug('validate token via openid-connect userinfo_endpoint ['.$discovery['userinfo_endpoint'].']', [
219			'category' => get_class($this),
220			]);
221
222			$url = $discovery['userinfo_endpoint'].'?access_token='.$token;
223			$verification = 'verifyUserinfo';
224			}
225
226			$ch = curl_init();
227			curl_setopt($ch, CURLOPT_URL, $url);
228			curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
229			$result = curl_exec($ch);
230			$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
231			curl_close($ch);
232			$response = json_decode($result, true);
233
234			if ($this->$verification($code, $response)) {
235			$this->access_token = $token;
236			return true;
237			}
238
239			$this->logger->error('failed verify oauth2 access token via authorization server, received status ['.$code.']', [
240			'category' => get_class($this),
241			]);
242
243			return false;
244			}
245
246
247			/**
248			* Introspection verification
249			*
250			* @param int $code
251			* @param array $response
252			* @return bool
253			*/
254			protected function verifyIntrospection(int $code, array $response): bool
255			{
256			if ($code !== 200) {
257			return false;
258			}
259
260			if($response['active']) {
261			$this->logger->debug('successfully verified oauth2 access token via authorization server', [
262			'category' => get_class($this),
263			]);
264
265			if(!isset($response['username'])) {
266			throw new Exception('attribute \'username\' not found in oauth2 response');
267			}
268
269			$this->identifier = $response['username'];
270
271			return true;
272			}
273
274			return false;
275			}
276
277
278			/**
279			* Userinfo verification
280			*
281			* @param int $code
282			* @param array $response
283			* @return bool
284			*/
285			protected function verifyUserinfo(int $code, ?array $response): bool
286			{
287			if ($code === 200) {
288			$attributes = $response;
289			$this->logger->debug('successfully verified oauth2 access token via authorization server', [
290			'category' => get_class($this),
291			]);
292
293			if(!isset($attributes[$this->identity_attribute])) {
294			throw new Exception('identity attribute '.$this->identity_attribute.' not found in oauth2 response');
295			}
296
297			$this->identifier = $attributes['preferred_username'];
298			$this->attributes = $attributes;
299
300			return true;
301			}
302
303			return false;
304			}
305
306
307			/**
308			* Get attributes
309			*
310			* @return array
311			*/
312			public function getAttributes(): array
313			{
314			if(count($this->attributes) !== 0) {
315			return $this->attributes;
316			}
317
318			$discovery = $this->getDiscoveryDocument();
319			if (!(isset($discovery['authorization_endpoint']))) {
320			throw new Exception('authorization_endpoint could not be determained');
321			}
322
323			$this->logger->debug('fetch user attributes from userinfo_endpoint ['.$discovery['userinfo_endpoint'].']', [
324			'category' => get_class($this),
325			]);
326
327			$url = $discovery['userinfo_endpoint'].'?access_token='.$this->access_token;
328			$ch = curl_init();
329			curl_setopt($ch, CURLOPT_URL, $url);
330			curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
331			$result = curl_exec($ch);
332			$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
333			curl_close($ch);
334			$response = json_decode($result, true);
			0 ignored issues – show Unused Code introduced 2017-08-30 10:22 UTC by Report Bug Copy Issue Report `$response` is not used, you could remove the assignment. This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently. $myVar = 'Value'; $higher = false; if (rand(1, 6) > 3) { $higher = true; } else { $higher = false; } Both the `$myVar` assignment in line 1 and the `$higher` assignment in line 2 are dead. The first because `$myVar` is never used and the second because `$higher` is always overwritten for every possible time line. Loading history...
335
336			if($code === 200) {
337			$attributes = json_decode($result, true);
338			$this->logger->debug('successfully requested user attributes from userinfo_endpoint', [
339			'category' => get_class($this),
340			]);
341
342			return $this->attributes = $attributes;
343			} else {
344			$this->logger->error('failed requesting user attributes from userinfo_endpoint, status code ['.$code.']', [
345			'category' => get_class($this),
346			]);
347
348			throw new Exception('failed requesting user attribute from userinfo_endpoint');
349			}
350
351			}
352			}
353

gyselroth / micro

Pull Request — master (#7)

Oidc::verifyUserinfo() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like