Keycloak::decryptResponse() - Code Metrics - Inspection of "update 1.1" - irsadarief/jkd-sso - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 3db15b...4e788c )

by Irsad

created 2020-02-20 07:13 UTC

Keycloak::decryptResponse() A

↳ Parent: Keycloak

Complexity

Conditions	3
Paths	3

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	21
rs	9.584
c	0
b	0
f	0
cc	3
nc	3
nop	1

<?php

namespace JKD\SSO\Client\Provider;

use Exception;
use Firebase\JWT\JWT;
use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Token\AccessToken;
use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
use Psr\Http\Message\ResponseInterface;
use JKD\SSO\Client\Provider\Exception\EncryptionConfigurationException;

class Keycloak extends AbstractProvider
{
    use BearerAuthorizationTrait;

    /**
     * Keycloak URL, eg. http://localhost:8080/auth.
     *
     * @var string
     */
    public $authServerUrl = null;

    /**
     * Realm name, eg. demo.
     *
     * @var string
     */
    public $realm = null;

    /**
     * Encryption algorithm.
     *
     * You must specify supported algorithms for your application. See
     * https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
     * for a list of spec-compliant algorithms.
     *
     * @var string
     */
    public $encryptionAlgorithm = null;

    /**
     * Encryption key.
     *
     * @var string
     */
    public $encryptionKey = null;

    /**
     * Constructs an OAuth 2.0 service provider.
     *
     * @param array $options An array of options to set on this provider.
     *     Options include `clientId`, `clientSecret`, `redirectUri`, and `state`.
     *     Individual providers may introduce more options, as needed.
     * @param array $collaborators An array of collaborators that may be used to
     *     override this provider's default behavior. Collaborators include
     *     `grantFactory`, `requestFactory`, `httpClient`, and `randomFactory`.
     *     Individual providers may introduce more collaborators, as needed.
     */
    public function __construct(array $options = [], array $collaborators = [])
    {
        if (isset($options['encryptionKeyPath'])) {
            $this->setEncryptionKeyPath($options['encryptionKeyPath']);
            unset($options['encryptionKeyPath']);
        }
        parent::__construct($options, $collaborators);
    }

    /**
     * Attempts to decrypt the given response.
     *
     * @param  string|array|null $response
     *
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
     * @return string|array|null
     */

    public function verifyUser(array $provider){
        if (!isset($_GET['code'])) {

            // If we don't have an authorization code then get one
            $authUrl = $provider->getAuthorizationUrl();

            $_SESSION['oauth2state'] = $provider->getState();

            redirect($authUrl);
            exit;
        
        // Check given state against previously stored one to mitigate CSRF attack
        } elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {

            unset($_SESSION['oauth2state']);
            exit('Invalid state, make sure HTTP sessions are enabled.');

        } else {

            // Try to get an access token (using the authorization coe grant)
            try {
                $token = $provider->getAccessToken('authorization_code', [

                    'code' => $_GET['code']
                ]);
                return $token;
            } catch (Exception $e) {
                exit('Failed to get access token: '.$e->getMessage());
            }

        }
    }
    public function userDetails(AccessToken $token,array $provider) {
        // Optional: Now you have a token you can look up a users profile data
            try {

                // We got an access token, let's now get the user's details
                $user = $provider->getResourceOwner($token);

                return $user;
                // Use these details to create a new profile
                //printf('Hello %s! ', $user->getName());

                // echo "Nama : ".$user->getName();
                // echo "Nama Depan : ".$user->getNamaDepan();
                // echo "Nama Belakang : ".$user->getNamaBelakang();
                // echo "NIP : ".$user->getNip();
                // echo "Username : ".$user->getUsername();
                // echo "Email : ".$user->getEmail();
                //print_r($details_url);

            } catch (Exception $e) {
                return('Failed to get resource owner: '.$e->getMessage());
            }

            // Use this to interact with an API on the users behalf
            //echo $token->getToken();
    }
    public function decryptResponse($response)
    {
        if (!is_string($response)) {
            return $response;
        }

        if ($this->usesEncryption()) {
            return json_decode(
                json_encode(
                    JWT::decode(
                        $response,
                        $this->encryptionKey,
                        array($this->encryptionAlgorithm)
                    )
                ),
                true
            );
        }

        throw EncryptionConfigurationException::undeterminedEncryption();
    }

    /**
     * Get authorization url to begin OAuth flow
     *
     * @return string
     */
    public function getBaseAuthorizationUrl()
    {
        return $this->getBaseUrlWithRealm().'/protocol/openid-connect/auth';
    }

    /**
     * Get access token url to retrieve token
     *
     * @param  array $params
     *
     * @return string
     */
    public function getBaseAccessTokenUrl(array $params)
    {
        return $this->getBaseUrlWithRealm().'/protocol/openid-connect/token';
    }

    /**
     * Get provider url to fetch user details
     *
     * @param  AccessToken $token
     *
     * @return string
     */
    public function getResourceOwnerDetailsUrl(AccessToken $token)
    {
        return $this->getBaseUrlWithRealm().'/protocol/openid-connect/userinfo';
    }

    /**
     * Builds the logout URL.
     *
     * @param array $options
     * @return string Authorization URL
     */
    public function getLogoutUrl(array $options = [])
    {
        $base = $this->getBaseLogoutUrl();
        $params = $this->getAuthorizationParameters($options);
        $query = $this->getAuthorizationQuery($params);
        return $this->appendQuery($base, $query);
    }

    /**
     * Get logout url to logout of session token
     *
     * @return string
     */
    private function getBaseLogoutUrl()
    {
        return $this->getBaseUrlWithRealm() . '/protocol/openid-connect/logout';
    }

    /**
     * Creates base url from provider configuration.
     *
     * @return string
     */
    protected function getBaseUrlWithRealm()
    {
        return $this->authServerUrl.'/auth/realms/'.$this->realm;
    }

    /**
     * Get the default scopes used by this provider.
     *
     * This should not be a complete list of all scopes, but the minimum
     * required for the provider user interface!
     *
     * @return string[]
     */
    protected function getDefaultScopes()
    {
        return ['name', 'email'];
    }

    /**
     * Check a provider response for errors.
     *
     * @throws IdentityProviderException
     * @param  ResponseInterface $response
     * @param  string $data Parsed response data
     * @return void
     */
    protected function checkResponse(ResponseInterface $response, $data)
    {
        if (!empty($data['error'])) {
            $error = $data['error'].': '.$data['error_description'];
            throw new IdentityProviderException($error, 0, $data);
        }
    }

    /**
     * Generate a user object from a successful user details request.
     *
     * @param array $response
     * @param AccessToken $token
     * @return KeycloakResourceOwner
     */
    protected function createResourceOwner(array $response, AccessToken $token)
    {
        return new KeycloakResourceOwner($response);
    }

    /**
     * Requests and returns the resource owner of given access token.
     *
     * @param  AccessToken $token
     * @return KeycloakResourceOwner
     */
    public function getResourceOwner(AccessToken $token)
    {
        $response = $this->fetchResourceOwnerDetails($token);

        $response = $this->decryptResponse($response);

        return $this->createResourceOwner($response, $token);
    }

    /**
     * Updates expected encryption algorithm of Keycloak instance.
     *
     * @param string  $encryptionAlgorithm
     *
     * @return Keycloak
     */
    public function setEncryptionAlgorithm($encryptionAlgorithm)
    {
        $this->encryptionAlgorithm = $encryptionAlgorithm;

        return $this;
    }

    /**
     * Updates expected encryption key of Keycloak instance.
     *
     * @param string  $encryptionKey
     *
     * @return Keycloak
     */
    public function setEncryptionKey($encryptionKey)
    {
        $this->encryptionKey = $encryptionKey;

        return $this;
    }

    /**
     * Updates expected encryption key of Keycloak instance to content of given
     * file path.
     *
     * @param string  $encryptionKeyPath
     *
     * @return Keycloak
     */
    public function setEncryptionKeyPath($encryptionKeyPath)
    {
        try {
            $this->encryptionKey = file_get_contents($encryptionKeyPath);
        } catch (Exception $e) {
            // Not sure how to handle this yet.
        }

        return $this;
    }

    /**
     * Checks if provider is configured to use encryption.
     *
     * @return bool
     */
    public function usesEncryption()
    {
        return (bool) $this->encryptionAlgorithm && $this->encryptionKey;
    }
}


1			<?php
2
3			namespace JKD\SSO\Client\Provider;
4
5			use Exception;
6			use Firebase\JWT\JWT;
7			use League\OAuth2\Client\Provider\AbstractProvider;
8			use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
9			use League\OAuth2\Client\Token\AccessToken;
10			use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
11			use Psr\Http\Message\ResponseInterface;
12			use JKD\SSO\Client\Provider\Exception\EncryptionConfigurationException;
13
14			class Keycloak extends AbstractProvider
15			{
16			use BearerAuthorizationTrait;
17
18			/**
19			* Keycloak URL, eg. http://localhost:8080/auth.
20			*
21			* @var string
22			*/
23			public $authServerUrl = null;
24
25			/**
26			* Realm name, eg. demo.
27			*
28			* @var string
29			*/
30			public $realm = null;
31
32			/**
33			* Encryption algorithm.
34			*
35			* You must specify supported algorithms for your application. See
36			* https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
37			* for a list of spec-compliant algorithms.
38			*
39			* @var string
40			*/
41			public $encryptionAlgorithm = null;
42
43			/**
44			* Encryption key.
45			*
46			* @var string
47			*/
48			public $encryptionKey = null;
49
50			/**
51			* Constructs an OAuth 2.0 service provider.
52			*
53			* @param array $options An array of options to set on this provider.
54			* Options include `clientId`, `clientSecret`, `redirectUri`, and `state`.
55			* Individual providers may introduce more options, as needed.
56			* @param array $collaborators An array of collaborators that may be used to
57			* override this provider's default behavior. Collaborators include
58			* `grantFactory`, `requestFactory`, `httpClient`, and `randomFactory`.
59			* Individual providers may introduce more collaborators, as needed.
60			*/
61			public function __construct(array $options = [], array $collaborators = [])
62			{
63			if (isset($options['encryptionKeyPath'])) {
64			$this->setEncryptionKeyPath($options['encryptionKeyPath']);
65			unset($options['encryptionKeyPath']);
66			}
67			parent::__construct($options, $collaborators);
68			}
69
70			/**
71			* Attempts to decrypt the given response.
72			*
73			* @param string\|array\|null $response
74			*
			0 ignored issues – show Bug introduced 2020-02-13 03:23 UTC by Report Bug Copy Issue Report There is no parameter named `$response`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
75			* @return string\|array\|null
76			*/
77
78			public function verifyUser(array $provider){
79			if (!isset($_GET['code'])) {
80
81			// If we don't have an authorization code then get one
82			$authUrl = $provider->getAuthorizationUrl();
			0 ignored issues – show Bug introduced 2020-02-13 03:23 UTC by Report Bug Copy Issue Report The method `getAuthorizationUrl` cannot be called on `$provider` (of type `array`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
83			$_SESSION['oauth2state'] = $provider->getState();
			0 ignored issues – show Bug introduced 2020-02-13 03:23 UTC by Report Bug Copy Issue Report The method `getState` cannot be called on `$provider` (of type `array`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
84			redirect($authUrl);
85			exit;
86
87			// Check given state against previously stored one to mitigate CSRF attack
88			} elseif (empty($_GET['state']) \|\| ($_GET['state'] !== $_SESSION['oauth2state'])) {
89
90			unset($_SESSION['oauth2state']);
91			exit('Invalid state, make sure HTTP sessions are enabled.');
92
93			} else {
94
95			// Try to get an access token (using the authorization coe grant)
96			try {
97			$token = $provider->getAccessToken('authorization_code', [
			0 ignored issues – show Bug introduced 2020-02-13 03:23 UTC by Report Bug Copy Issue Report The method `getAccessToken` cannot be called on `$provider` (of type `array`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
98			'code' => $_GET['code']
99			]);
100			return $token;
101			} catch (Exception $e) {
102			exit('Failed to get access token: '.$e->getMessage());
103			}
104
105			}
106			}
107			public function userDetails(AccessToken $token,array $provider) {
108			// Optional: Now you have a token you can look up a users profile data
109			try {
110
111			// We got an access token, let's now get the user's details
112			$user = $provider->getResourceOwner($token);
			0 ignored issues – show Bug introduced 2020-02-13 03:23 UTC by Report Bug Copy Issue Report The method `getResourceOwner` cannot be called on `$provider` (of type `array`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
113			return $user;
114			// Use these details to create a new profile
115			//printf('Hello %s! ', $user->getName());
116
117			// echo "Nama : ".$user->getName();
118			// echo "Nama Depan : ".$user->getNamaDepan();
119			// echo "Nama Belakang : ".$user->getNamaBelakang();
120			// echo "NIP : ".$user->getNip();
121			// echo "Username : ".$user->getUsername();
122			// echo "Email : ".$user->getEmail();
123			//print_r($details_url);
124
125			} catch (Exception $e) {
126			return('Failed to get resource owner: '.$e->getMessage());
127			}
128
129			// Use this to interact with an API on the users behalf
130			//echo $token->getToken();
131			}
132			public function decryptResponse($response)
133			{
134			if (!is_string($response)) {
135			return $response;
136			}
137
138			if ($this->usesEncryption()) {
139			return json_decode(
140			json_encode(
141			JWT::decode(
142			$response,
143			$this->encryptionKey,
144			array($this->encryptionAlgorithm)
145			)
146			),
147			true
148			);
149			}
150
151			throw EncryptionConfigurationException::undeterminedEncryption();
152			}
153
154			/**
155			* Get authorization url to begin OAuth flow
156			*
157			* @return string
158			*/
159			public function getBaseAuthorizationUrl()
160			{
161			return $this->getBaseUrlWithRealm().'/protocol/openid-connect/auth';
162			}
163
164			/**
165			* Get access token url to retrieve token
166			*
167			* @param array $params
168			*
169			* @return string
170			*/
171			public function getBaseAccessTokenUrl(array $params)
172			{
173			return $this->getBaseUrlWithRealm().'/protocol/openid-connect/token';
174			}
175
176			/**
177			* Get provider url to fetch user details
178			*
179			* @param AccessToken $token
180			*
181			* @return string
182			*/
183			public function getResourceOwnerDetailsUrl(AccessToken $token)
184			{
185			return $this->getBaseUrlWithRealm().'/protocol/openid-connect/userinfo';
186			}
187
188			/**
189			* Builds the logout URL.
190			*
191			* @param array $options
192			* @return string Authorization URL
193			*/
194			public function getLogoutUrl(array $options = [])
195			{
196			$base = $this->getBaseLogoutUrl();
197			$params = $this->getAuthorizationParameters($options);
198			$query = $this->getAuthorizationQuery($params);
199			return $this->appendQuery($base, $query);
200			}
201
202			/**
203			* Get logout url to logout of session token
204			*
205			* @return string
206			*/
207			private function getBaseLogoutUrl()
208			{
209			return $this->getBaseUrlWithRealm() . '/protocol/openid-connect/logout';
210			}
211
212			/**
213			* Creates base url from provider configuration.
214			*
215			* @return string
216			*/
217			protected function getBaseUrlWithRealm()
218			{
219			return $this->authServerUrl.'/auth/realms/'.$this->realm;
220			}
221
222			/**
223			* Get the default scopes used by this provider.
224			*
225			* This should not be a complete list of all scopes, but the minimum
226			* required for the provider user interface!
227			*
228			* @return string[]
229			*/
230			protected function getDefaultScopes()
231			{
232			return ['name', 'email'];
233			}
234
235			/**
236			* Check a provider response for errors.
237			*
238			* @throws IdentityProviderException
239			* @param ResponseInterface $response
240			* @param string $data Parsed response data
241			* @return void
242			*/
243			protected function checkResponse(ResponseInterface $response, $data)
244			{
245			if (!empty($data['error'])) {
246			$error = $data['error'].': '.$data['error_description'];
247			throw new IdentityProviderException($error, 0, $data);
248			}
249			}
250
251			/**
252			* Generate a user object from a successful user details request.
253			*
254			* @param array $response
255			* @param AccessToken $token
256			* @return KeycloakResourceOwner
257			*/
258			protected function createResourceOwner(array $response, AccessToken $token)
259			{
260			return new KeycloakResourceOwner($response);
261			}
262
263			/**
264			* Requests and returns the resource owner of given access token.
265			*
266			* @param AccessToken $token
267			* @return KeycloakResourceOwner
268			*/
269			public function getResourceOwner(AccessToken $token)
270			{
271			$response = $this->fetchResourceOwnerDetails($token);
272
273			$response = $this->decryptResponse($response);
274
275			return $this->createResourceOwner($response, $token);
276			}
277
278			/**
279			* Updates expected encryption algorithm of Keycloak instance.
280			*
281			* @param string $encryptionAlgorithm
282			*
283			* @return Keycloak
284			*/
285			public function setEncryptionAlgorithm($encryptionAlgorithm)
286			{
287			$this->encryptionAlgorithm = $encryptionAlgorithm;
288
289			return $this;
290			}
291
292			/**
293			* Updates expected encryption key of Keycloak instance.
294			*
295			* @param string $encryptionKey
296			*
297			* @return Keycloak
298			*/
299			public function setEncryptionKey($encryptionKey)
300			{
301			$this->encryptionKey = $encryptionKey;
302
303			return $this;
304			}
305
306			/**
307			* Updates expected encryption key of Keycloak instance to content of given
308			* file path.
309			*
310			* @param string $encryptionKeyPath
311			*
312			* @return Keycloak
313			*/
314			public function setEncryptionKeyPath($encryptionKeyPath)
315			{
316			try {
317			$this->encryptionKey = file_get_contents($encryptionKeyPath);
318			} catch (Exception $e) {
319			// Not sure how to handle this yet.
320			}
321
322			return $this;
323			}
324
325			/**
326			* Checks if provider is configured to use encryption.
327			*
328			* @return bool
329			*/
330			public function usesEncryption()
331			{
332			return (bool) $this->encryptionAlgorithm && $this->encryptionKey;
333			}
334			}
335

irsadarief / jkd-sso

Push — master ( 3db15b...4e788c )

Keycloak::decryptResponse() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like