RepeatedIdValidatorAction   A
last analyzed

Complexity

Total Complexity 15

Size/Duplication

Total Lines 100
Duplicated Lines 0 %

Importance

Changes 1
Bugs 0 Features 0
Metric Value
wmc 15
eloc 48
c 1
b 0
f 0
dl 0
loc 100
rs 10

4 Methods

Rating   Name   Duplication   Size   Complexity  
A doExecute() 0 4 2
A validateBearerAssertion() 0 31 4
B getIdExpiryTime() 0 35 8
A __construct() 0 5 1
1
<?php
2
3
/*
4
 * This file is part of the LightSAML-Core package.
5
 *
6
 * (c) Milos Tomic <[email protected]>
7
 *
8
 * This source file is subject to the MIT license that is bundled
9
 * with this source code in the file LICENSE.
10
 */
11
12
namespace LightSaml\Action\Assertion\Inbound;
13
14
use LightSaml\Action\Assertion\AbstractAssertionAction;
15
use LightSaml\Context\Profile\AssertionContext;
16
use LightSaml\Context\Profile\Helper\LogHelper;
17
use LightSaml\Error\LightSamlContextException;
18
use LightSaml\Store\Id\IdStoreInterface;
19
use Psr\Log\LoggerInterface;
20
21
/**
22
 * 4.1.4.5  POST-Specific Processing Rules
23
 * The service provider MUST ensure that bearer assertions are not replayed, by maintaining the set of used
24
 * ID values for the length of time for which the assertion would be considered valid based on the
25
 * NotOnOrAfter attribute in the <SubjectConfirmationData>.
26
 */
27
class RepeatedIdValidatorAction extends AbstractAssertionAction
28
{
29
    /** @var IdStoreInterface */
30
    protected $idStore;
31
32
    public function __construct(LoggerInterface $logger, IdStoreInterface $idStore)
33
    {
34
        parent::__construct($logger);
35
36
        $this->idStore = $idStore;
37
    }
38
39
    /**
40
     * @return void
41
     */
42
    protected function doExecute(AssertionContext $context)
43
    {
44
        if ($context->getAssertion()->hasBearerSubject()) {
45
            $this->validateBearerAssertion($context);
46
        }
47
    }
48
49
    /**
50
     * @throws \LightSaml\Error\LightSamlContextException
51
     */
52
    protected function validateBearerAssertion(AssertionContext $context)
53
    {
54
        if (null == $context->getAssertion()->getId()) {
55
            $message = 'Bearer Assertion must have ID attribute';
56
            $this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
57
            throw new LightSamlContextException($context, $message);
58
        }
59
60
        if (null == $context->getAssertion()->getIssuer()) {
61
            $message = 'Bearer Assertion must have Issuer element';
62
            $this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
63
            throw new LightSamlContextException($context, $message);
64
        }
65
66
        if ($this->idStore->has($context->getAssertion()->getIssuer()->getValue(), $context->getAssertion()->getId())) {
67
            $message = sprintf(
68
                "Repeated assertion id '%s' of issuer '%s'",
69
                $context->getAssertion()->getId(),
70
                $context->getAssertion()->getIssuer()->getValue()
71
            );
72
            $this->logger->error($message, LogHelper::getActionErrorContext($context, $this, [
73
                'id' => $context->getAssertion()->getId(),
74
                'issuer' => $context->getAssertion()->getIssuer()->getValue(),
75
            ]));
76
            throw new LightSamlContextException($context, $message);
77
        }
78
79
        $this->idStore->set(
80
            $context->getAssertion()->getIssuer()->getValue(),
81
            $context->getAssertion()->getId(),
82
            $this->getIdExpiryTime($context)
83
        );
84
    }
85
86
    /**
87
     * @throws \LogicException
88
     * @throws \LightSaml\Error\LightSamlValidationException
89
     *
90
     * @return \DateTime
91
     */
92
    protected function getIdExpiryTime(AssertionContext $context)
93
    {
94
        /** @var \DateTime $result */
95
        $result = null;
96
        $bearerConfirmations = $context->getAssertion()->getSubject()->getBearerConfirmations();
97
        if (null == $bearerConfirmations) {
98
            throw new \LogicException('Bearer assertion must have bearer subject confirmations');
99
        }
100
101
        foreach ($bearerConfirmations as $subjectConfirmation) {
102
            if (null == $subjectConfirmation->getSubjectConfirmationData()) {
103
                $message = 'Bearer SubjectConfirmation must have SubjectConfirmationData element';
104
                $this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
105
                throw new LightSamlContextException($context, $message);
106
            }
107
108
            $dt = $subjectConfirmation->getSubjectConfirmationData()->getNotOnOrAfterDateTime();
109
            if (null == $dt) {
110
                $message = 'Bearer SubjectConfirmation must have NotOnOrAfter attribute';
111
                $this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
112
                throw new LightSamlContextException($context, $message);
113
            }
114
115
            if (null == $result || $result->getTimestamp() < $dt->getTimestamp()) {
116
                $result = $dt;
117
            }
118
        }
119
120
        if (null == $result) {
121
            $message = 'Unable to find NotOnOrAfter attribute in bearer assertion';
122
            $this->logger->error($message, LogHelper::getActionErrorContext($context, $this));
123
            throw new LightSamlContextException($context, $message);
124
        }
125
126
        return $result;
127
    }
128
}
129