Issues in Keycloak.php (master) - Issues in master - irsadarief/jkd-sso - Measure and Improve Code Quality continuously with Scrutinizer

Issues (6)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Provider/Keycloak.php (5 issues)

Labels

Bug 5

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace JKD\SSO\Client\Provider;

use Exception;
use Firebase\JWT\JWT;
use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Token\AccessToken;
use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
use Psr\Http\Message\ResponseInterface;
use JKD\SSO\Client\Provider\Exception\EncryptionConfigurationException;

class Keycloak extends AbstractProvider
{
    use BearerAuthorizationTrait;

    /**
     * Keycloak URL, eg. http://localhost:8080/auth.
     *
     * @var string
     */
    public $authServerUrl = null;

    /**
     * Realm name, eg. demo.
     *
     * @var string
     */
    public $realm = null;

    /**
     * Encryption algorithm.
     *
     * You must specify supported algorithms for your application. See
     * https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
     * for a list of spec-compliant algorithms.
     *
     * @var string
     */
    public $encryptionAlgorithm = null;

    /**
     * Encryption key.
     *
     * @var string
     */
    public $encryptionKey = null;

    /**
     * Constructs an OAuth 2.0 service provider.
     *
     * @param array $options An array of options to set on this provider.
     *     Options include `clientId`, `clientSecret`, `redirectUri`, and `state`.
     *     Individual providers may introduce more options, as needed.
     * @param array $collaborators An array of collaborators that may be used to
     *     override this provider's default behavior. Collaborators include
     *     `grantFactory`, `requestFactory`, `httpClient`, and `randomFactory`.
     *     Individual providers may introduce more collaborators, as needed.
     */
    public function __construct(array $options = [], array $collaborators = [])
    {
        if (isset($options['encryptionKeyPath'])) {
            $this->setEncryptionKeyPath($options['encryptionKeyPath']);
            unset($options['encryptionKeyPath']);
        }
        parent::__construct($options, $collaborators);
    }

    /**
     * Attempts to decrypt the given response.
     *
     * @param  string|array|null $response
     *
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
     * @return string|array|null
     */

    public function verifyUser(array $provider){
        if (!isset($_GET['code'])) {

            // If we don't have an authorization code then get one
            $authUrl = $provider->getAuthorizationUrl();

            $_SESSION['oauth2state'] = $provider->getState();

            redirect($authUrl);
            exit;
        
        // Check given state against previously stored one to mitigate CSRF attack
        } elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {

            unset($_SESSION['oauth2state']);
            exit('Invalid state, make sure HTTP sessions are enabled.');

        } else {

            // Try to get an access token (using the authorization coe grant)
            try {
                $token = $provider->getAccessToken('authorization_code', [

                    'code' => $_GET['code']
                ]);
                return $token;
            } catch (Exception $e) {
                exit('Failed to get access token: '.$e->getMessage());
            }

        }
    }
    public function userDetails(AccessToken $token,array $provider) {
        // Optional: Now you have a token you can look up a users profile data
            try {

                // We got an access token, let's now get the user's details
                $user = $provider->getResourceOwner($token);

                return $user;
                // Use these details to create a new profile
                //printf('Hello %s! ', $user->getName());

                // echo "Nama : ".$user->getName();
                // echo "Nama Depan : ".$user->getNamaDepan();
                // echo "Nama Belakang : ".$user->getNamaBelakang();
                // echo "NIP : ".$user->getNip();
                // echo "Username : ".$user->getUsername();
                // echo "Email : ".$user->getEmail();
                //print_r($details_url);

            } catch (Exception $e) {
                return('Failed to get resource owner: '.$e->getMessage());
            }

            // Use this to interact with an API on the users behalf
            //echo $token->getToken();
    }
    public function decryptResponse($response)
    {
        if (!is_string($response)) {
            return $response;
        }

        if ($this->usesEncryption()) {
            return json_decode(
                json_encode(
                    JWT::decode(
                        $response,
                        $this->encryptionKey,
                        array($this->encryptionAlgorithm)
                    )
                ),
                true
            );
        }

        throw EncryptionConfigurationException::undeterminedEncryption();
    }

    /**
     * Get authorization url to begin OAuth flow
     *
     * @return string
     */
    public function getBaseAuthorizationUrl()
    {
        return $this->getBaseUrlWithRealm().'/protocol/openid-connect/auth';
    }

    /**
     * Get access token url to retrieve token
     *
     * @param  array $params
     *
     * @return string
     */
    public function getBaseAccessTokenUrl(array $params)
    {
        return $this->getBaseUrlWithRealm().'/protocol/openid-connect/token';
    }

    /**
     * Get provider url to fetch user details
     *
     * @param  AccessToken $token
     *
     * @return string
     */
    public function getResourceOwnerDetailsUrl(AccessToken $token)
    {
        return $this->getBaseUrlWithRealm().'/protocol/openid-connect/userinfo';
    }

    /**
     * Builds the logout URL.
     *
     * @param array $options
     * @return string Authorization URL
     */
    public function getLogoutUrl(array $options = [])
    {
        $base = $this->getBaseLogoutUrl();
        $params = $this->getAuthorizationParameters($options);
        $query = $this->getAuthorizationQuery($params);
        return $this->appendQuery($base, $query);
    }

    /**
     * Get logout url to logout of session token
     *
     * @return string
     */
    private function getBaseLogoutUrl()
    {
        return $this->getBaseUrlWithRealm() . '/protocol/openid-connect/logout';
    }

    /**
     * Creates base url from provider configuration.
     *
     * @return string
     */
    protected function getBaseUrlWithRealm()
    {
        return $this->authServerUrl.'/auth/realms/'.$this->realm;
    }

    /**
     * Get the default scopes used by this provider.
     *
     * This should not be a complete list of all scopes, but the minimum
     * required for the provider user interface!
     *
     * @return string[]
     */
    protected function getDefaultScopes()
    {
        return ['profile-pegawai', 'email'];
    }

    /**
     * Check a provider response for errors.
     *
     * @throws IdentityProviderException
     * @param  ResponseInterface $response
     * @param  string $data Parsed response data
     * @return void
     */
    protected function checkResponse(ResponseInterface $response, $data)
    {
        if (!empty($data['error'])) {
            $error = $data['error'].': '.$data['error_description'];
            throw new IdentityProviderException($error, 0, $data);
        }
    }

    /**
     * Generate a user object from a successful user details request.
     *
     * @param array $response
     * @param AccessToken $token
     * @return KeycloakResourceOwner
     */
    protected function createResourceOwner(array $response, AccessToken $token)
    {
        return new KeycloakResourceOwner($response);
    }

    /**
     * Requests and returns the resource owner of given access token.
     *
     * @param  AccessToken $token
     * @return KeycloakResourceOwner
     */
    public function getResourceOwner(AccessToken $token)
    {
        $response = $this->fetchResourceOwnerDetails($token);

        $response = $this->decryptResponse($response);

        return $this->createResourceOwner($response, $token);
    }

    /**
     * Updates expected encryption algorithm of Keycloak instance.
     *
     * @param string  $encryptionAlgorithm
     *
     * @return Keycloak
     */
    public function setEncryptionAlgorithm($encryptionAlgorithm)
    {
        $this->encryptionAlgorithm = $encryptionAlgorithm;

        return $this;
    }

    /**
     * Updates expected encryption key of Keycloak instance.
     *
     * @param string  $encryptionKey
     *
     * @return Keycloak
     */
    public function setEncryptionKey($encryptionKey)
    {
        $this->encryptionKey = $encryptionKey;

        return $this;
    }

    /**
     * Updates expected encryption key of Keycloak instance to content of given
     * file path.
     *
     * @param string  $encryptionKeyPath
     *
     * @return Keycloak
     */
    public function setEncryptionKeyPath($encryptionKeyPath)
    {
        try {
            $this->encryptionKey = file_get_contents($encryptionKeyPath);
        } catch (Exception $e) {
            // Not sure how to handle this yet.
        }

        return $this;
    }

    /**
     * Checks if provider is configured to use encryption.
     *
     * @return bool
     */
    public function usesEncryption()
    {
        return (bool) $this->encryptionAlgorithm && $this->encryptionKey;
    }
}


1			<?php
2
3			namespace JKD\SSO\Client\Provider;
4
5			use Exception;
6			use Firebase\JWT\JWT;
7			use League\OAuth2\Client\Provider\AbstractProvider;
8			use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
9			use League\OAuth2\Client\Token\AccessToken;
10			use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
11			use Psr\Http\Message\ResponseInterface;
12			use JKD\SSO\Client\Provider\Exception\EncryptionConfigurationException;
13
14			class Keycloak extends AbstractProvider
15			{
16			use BearerAuthorizationTrait;
17
18			/**
19			* Keycloak URL, eg. http://localhost:8080/auth.
20			*
21			* @var string
22			*/
23			public $authServerUrl = null;
24
25			/**
26			* Realm name, eg. demo.
27			*
28			* @var string
29			*/
30			public $realm = null;
31
32			/**
33			* Encryption algorithm.
34			*
35			* You must specify supported algorithms for your application. See
36			* https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
37			* for a list of spec-compliant algorithms.
38			*
39			* @var string
40			*/
41			public $encryptionAlgorithm = null;
42
43			/**
44			* Encryption key.
45			*
46			* @var string
47			*/
48			public $encryptionKey = null;
49
50			/**
51			* Constructs an OAuth 2.0 service provider.
52			*
53			* @param array $options An array of options to set on this provider.
54			* Options include `clientId`, `clientSecret`, `redirectUri`, and `state`.
55			* Individual providers may introduce more options, as needed.
56			* @param array $collaborators An array of collaborators that may be used to
57			* override this provider's default behavior. Collaborators include
58			* `grantFactory`, `requestFactory`, `httpClient`, and `randomFactory`.
59			* Individual providers may introduce more collaborators, as needed.
60			*/
61			public function __construct(array $options = [], array $collaborators = [])
62			{
63			if (isset($options['encryptionKeyPath'])) {
64			$this->setEncryptionKeyPath($options['encryptionKeyPath']);
65			unset($options['encryptionKeyPath']);
66			}
67			parent::__construct($options, $collaborators);
68			}
69
70			/**
71			* Attempts to decrypt the given response.
72			*
73			* @param string\|array\|null $response
74			*
			0 ignored issues – show Bug introduced 2020-02-13 03:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$response`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
75			* @return string\|array\|null
76			*/
77
78			public function verifyUser(array $provider){
79			if (!isset($_GET['code'])) {
80
81			// If we don't have an authorization code then get one
82			$authUrl = $provider->getAuthorizationUrl();
			0 ignored issues – show Bug introduced 2020-02-13 03:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getAuthorizationUrl` cannot be called on `$provider` (of type `array`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
83			$_SESSION['oauth2state'] = $provider->getState();
			0 ignored issues – show Bug introduced 2020-02-13 03:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getState` cannot be called on `$provider` (of type `array`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
84			redirect($authUrl);
85			exit;
86
87			// Check given state against previously stored one to mitigate CSRF attack
88			} elseif (empty($_GET['state']) \|\| ($_GET['state'] !== $_SESSION['oauth2state'])) {
89
90			unset($_SESSION['oauth2state']);
91			exit('Invalid state, make sure HTTP sessions are enabled.');
92
93			} else {
94
95			// Try to get an access token (using the authorization coe grant)
96			try {
97			$token = $provider->getAccessToken('authorization_code', [
			0 ignored issues – show Bug introduced 2020-02-13 03:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getAccessToken` cannot be called on `$provider` (of type `array`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
98			'code' => $_GET['code']
99			]);
100			return $token;
101			} catch (Exception $e) {
102			exit('Failed to get access token: '.$e->getMessage());
103			}
104
105			}
106			}
107			public function userDetails(AccessToken $token,array $provider) {
108			// Optional: Now you have a token you can look up a users profile data
109			try {
110
111			// We got an access token, let's now get the user's details
112			$user = $provider->getResourceOwner($token);
			0 ignored issues – show Bug introduced 2020-02-13 03:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getResourceOwner` cannot be called on `$provider` (of type `array`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
113			return $user;
114			// Use these details to create a new profile
115			//printf('Hello %s! ', $user->getName());
116
117			// echo "Nama : ".$user->getName();
118			// echo "Nama Depan : ".$user->getNamaDepan();
119			// echo "Nama Belakang : ".$user->getNamaBelakang();
120			// echo "NIP : ".$user->getNip();
121			// echo "Username : ".$user->getUsername();
122			// echo "Email : ".$user->getEmail();
123			//print_r($details_url);
124
125			} catch (Exception $e) {
126			return('Failed to get resource owner: '.$e->getMessage());
127			}
128
129			// Use this to interact with an API on the users behalf
130			//echo $token->getToken();
131			}
132			public function decryptResponse($response)
133			{
134			if (!is_string($response)) {
135			return $response;
136			}
137
138			if ($this->usesEncryption()) {
139			return json_decode(
140			json_encode(
141			JWT::decode(
142			$response,
143			$this->encryptionKey,
144			array($this->encryptionAlgorithm)
145			)
146			),
147			true
148			);
149			}
150
151			throw EncryptionConfigurationException::undeterminedEncryption();
152			}
153
154			/**
155			* Get authorization url to begin OAuth flow
156			*
157			* @return string
158			*/
159			public function getBaseAuthorizationUrl()
160			{
161			return $this->getBaseUrlWithRealm().'/protocol/openid-connect/auth';
162			}
163
164			/**
165			* Get access token url to retrieve token
166			*
167			* @param array $params
168			*
169			* @return string
170			*/
171			public function getBaseAccessTokenUrl(array $params)
172			{
173			return $this->getBaseUrlWithRealm().'/protocol/openid-connect/token';
174			}
175
176			/**
177			* Get provider url to fetch user details
178			*
179			* @param AccessToken $token
180			*
181			* @return string
182			*/
183			public function getResourceOwnerDetailsUrl(AccessToken $token)
184			{
185			return $this->getBaseUrlWithRealm().'/protocol/openid-connect/userinfo';
186			}
187
188			/**
189			* Builds the logout URL.
190			*
191			* @param array $options
192			* @return string Authorization URL
193			*/
194			public function getLogoutUrl(array $options = [])
195			{
196			$base = $this->getBaseLogoutUrl();
197			$params = $this->getAuthorizationParameters($options);
198			$query = $this->getAuthorizationQuery($params);
199			return $this->appendQuery($base, $query);
200			}
201
202			/**
203			* Get logout url to logout of session token
204			*
205			* @return string
206			*/
207			private function getBaseLogoutUrl()
208			{
209			return $this->getBaseUrlWithRealm() . '/protocol/openid-connect/logout';
210			}
211
212			/**
213			* Creates base url from provider configuration.
214			*
215			* @return string
216			*/
217			protected function getBaseUrlWithRealm()
218			{
219			return $this->authServerUrl.'/auth/realms/'.$this->realm;
220			}
221
222			/**
223			* Get the default scopes used by this provider.
224			*
225			* This should not be a complete list of all scopes, but the minimum
226			* required for the provider user interface!
227			*
228			* @return string[]
229			*/
230			protected function getDefaultScopes()
231			{
232			return ['profile-pegawai', 'email'];
233			}
234
235			/**
236			* Check a provider response for errors.
237			*
238			* @throws IdentityProviderException
239			* @param ResponseInterface $response
240			* @param string $data Parsed response data
241			* @return void
242			*/
243			protected function checkResponse(ResponseInterface $response, $data)
244			{
245			if (!empty($data['error'])) {
246			$error = $data['error'].': '.$data['error_description'];
247			throw new IdentityProviderException($error, 0, $data);
248			}
249			}
250
251			/**
252			* Generate a user object from a successful user details request.
253			*
254			* @param array $response
255			* @param AccessToken $token
256			* @return KeycloakResourceOwner
257			*/
258			protected function createResourceOwner(array $response, AccessToken $token)
259			{
260			return new KeycloakResourceOwner($response);
261			}
262
263			/**
264			* Requests and returns the resource owner of given access token.
265			*
266			* @param AccessToken $token
267			* @return KeycloakResourceOwner
268			*/
269			public function getResourceOwner(AccessToken $token)
270			{
271			$response = $this->fetchResourceOwnerDetails($token);
272
273			$response = $this->decryptResponse($response);
274
275			return $this->createResourceOwner($response, $token);
276			}
277
278			/**
279			* Updates expected encryption algorithm of Keycloak instance.
280			*
281			* @param string $encryptionAlgorithm
282			*
283			* @return Keycloak
284			*/
285			public function setEncryptionAlgorithm($encryptionAlgorithm)
286			{
287			$this->encryptionAlgorithm = $encryptionAlgorithm;
288
289			return $this;
290			}
291
292			/**
293			* Updates expected encryption key of Keycloak instance.
294			*
295			* @param string $encryptionKey
296			*
297			* @return Keycloak
298			*/
299			public function setEncryptionKey($encryptionKey)
300			{
301			$this->encryptionKey = $encryptionKey;
302
303			return $this;
304			}
305
306			/**
307			* Updates expected encryption key of Keycloak instance to content of given
308			* file path.
309			*
310			* @param string $encryptionKeyPath
311			*
312			* @return Keycloak
313			*/
314			public function setEncryptionKeyPath($encryptionKeyPath)
315			{
316			try {
317			$this->encryptionKey = file_get_contents($encryptionKeyPath);
318			} catch (Exception $e) {
319			// Not sure how to handle this yet.
320			}
321
322			return $this;
323			}
324
325			/**
326			* Checks if provider is configured to use encryption.
327			*
328			* @return bool
329			*/
330			public function usesEncryption()
331			{
332			return (bool) $this->encryptionAlgorithm && $this->encryptionKey;
333			}
334			}
335

irsadarief / jkd-sso

Issues (6)

Security Analysis no request data

src/Provider/Keycloak.php (5 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like