OpenIDConnectProvider::getAccessToken() - Code Metrics - Inspection of "wip openidconnect additional features" - ozo2003/HelperBundle - Measure and Improve Code Quality continuously with Scrutinizer

Passed
Push — master ( 06a7ac...ba6e27 )

by Dāvis
created 2018-01-10 16:01 UTC
OpenIDConnectProvider::getAccessToken() C

↳ Parent: OpenIDConnectProvider
Complexity

Conditions	7
Paths	9
Size

Total Lines	74
Code Lines	25
Duplication

Lines	0
Ratio	0 %
Importance

Changes
Metric	Value
cc	7
eloc	25
nc	9
nop	2
dl	0
loc	74
rs	6.6374
c	0
b	0
f	0
How to fix Long Method

<?php

namespace Sludio\HelperBundle\Openidconnect\Provider;

use Lcobucci\JWT\Signer;
use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Signer\Rsa\Sha256;
use Lcobucci\JWT\Token;
use League\OAuth2\Client\Grant\AbstractGrant;
use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Token\AccessToken as BaseAccessToken;
use Psr\Http\Message\ResponseInterface;
use Sludio\HelperBundle\Openidconnect\Component\Providerable;
use Sludio\HelperBundle\Openidconnect\Security\Exception\InvalidTokenException;
use Sludio\HelperBundle\Openidconnect\Specification;
use Symfony\Bundle\FrameworkBundle\Routing\Router;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;

class OpenIDConnectProvider extends AbstractProvider implements Providerable
{
    /**
     * @var string
     */
    protected $publicKey;

    /**
     * @var Signer
     */
    protected $signer;

    /**
     * @var Specification\ValidatorChain
     */
    protected $validatorChain;

    /**
     * @var string
     */
    protected $idTokenIssuer;
    /**
     * @var Uri[]
     */
    protected $uris = [];

    /**
     * @var bool
     */
    protected $useSession;
    /**
     * @var Router
     */
    private $router;
    /**
     * @var string
     */
    private $baseUri;

    /**
     * @param array  $options
     * @param array  $collaborators
     * @param Router $router
     */
    public function __construct(array $options = [], array $collaborators = [], Router $router)
    {
        $this->signer = new Sha256();

        $this->validatorChain = new Specification\ValidatorChain();
        $this->validatorChain->setValidators([
            new Specification\NotEmpty('iat', true),
            new Specification\GreaterOrEqualsTo('exp', true),
            new Specification\EqualsTo('iss', true),
            new Specification\EqualsTo('aud', true),
            new Specification\NotEmpty('sub', true),
            new Specification\LesserOrEqualsTo('nbf'),
            new Specification\EqualsTo('jti'),
            new Specification\EqualsTo('azp'),
            new Specification\EqualsTo('nonce'),
        ]);

        $this->router = $router;

        parent::__construct($options, $collaborators);
        $this->buildParams($options);
    }

    private function buildParams(array $options = [])
    {
        if (!empty($options)) {
            $this->clientId = $options['client_key'];
            $this->clientSecret = $options['client_secret'];
            $this->idTokenIssuer = $options['id_token_issuer'];
            $this->publicKey = 'file://'.$options['public_key'];
            $this->state = $this->getRandomState();
            $this->baseUri = $options['base_uri'];
            $this->useSession = $options['use_session'];
            $url = null;
            switch ($options['redirect']['type']) {
                case 'uri':
                    $url = $options['redirect']['uri'];
                    break;
                case 'route':
                    $params = !empty($options['redirect']['params']) ? $options['redirect']['params'] : [];
                    $url = $this->router->generate($options['redirect']['route'], $params, UrlGeneratorInterface::ABSOLUTE_URL);
                    break;
            }
            $this->redirectUri = $url;

            /** @var $options array[] */
            foreach ($options['uris'] as $name => $uri) {
                $opt = [
                    'client_id' => $this->clientId,
                    'redirect_uri' => $this->redirectUri,
                    'state' => $this->state,
                    'base_uri' => $this->baseUri,
                ];
                $this->uris[$name] = new Uri($uri, $opt);
            }
        }
    }

    /**
     * Requests an access token using a specified grant and option set.
     *
     * @param  mixed $grant
     * @param  array $options
     *
     * @return BaseAccessToken
     * @throws InvalidTokenException
     * @throws \BadMethodCallException
     */
    public function getAccessToken($grant, array $options = [])
    {
        /** @var Token $token */
        $accessToken = parent::getAccessToken($grant, $options);

        if (null === $accessToken) {
            throw new InvalidTokenException('Invalid access token.');
        }

        $token = $accessToken->getIdToken();
        $token = $accessToken->getIdToken();

        // id_token is empty.
        if (null === $token) {
            throw new InvalidTokenException('Expected an id_token but did not receive one from the authorization server.');
        }

        // If the ID Token is received via direct communication between the Client and the Token Endpoint
        // (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking
        // the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS]
        // using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by
        // the Issuer.
        //
        // The alg value SHOULD be the default of RS256 or the algorithm sent by the Client in the
        // id_token_signed_response_alg parameter during Registration.
        if (false === $token->verify($this->signer, $this->getPublicKey())) {
            throw new InvalidTokenException('Received an invalid id_token from authorization server.');
        }

        // validations
        // @see http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
        // validate the iss (issuer)
        // - The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)
        // MUST exactly match the value of the iss (issuer) Claim.
        // validate the aud
        // - The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer
        // identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more
        // than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience,
        // or if it contains additional audiences not trusted by the Client.
        // - If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked
        // to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD
        // check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.
        // - If the auth_time Claim was requested, either through a specific request for this Claim or by using
        // the max_age parameter, the Client SHOULD check the auth_time Claim value and request re-authentication if it
        // determines too much time has elapsed since the last End-User authentication.
        // TODO
        // If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate.
        // The meaning and processing of acr Claim Values is out of scope for this specification.
        $currentTime = time();
        $data = [
            'iss' => $this->getIdTokenIssuer(),
            'exp' => $currentTime,
            'auth_time' => $currentTime,
            'iat' => $currentTime,
            'nbf' => $currentTime,
            'aud' => $this->clientId,
        ];

        // If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
        // If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
        if ($token->hasClaim('azp')) {
            $data['azp'] = $this->clientId;
        }

        if (false === $this->validatorChain->validate($data, $token)) {
            throw new InvalidTokenException('The id_token did not pass validation.');
        }

        if ($this->useSession) {
            $_SESSION['access_token'] = $accessToken->getToken();
            $_SESSION['refresh_token'] = $accessToken->getRefreshToken();
            $_SESSION['id_token'] = $accessToken->getIdTokenHint();
            $_SESSION['id_token'] = $accessToken->getIdTokenHint();
        }

        return $accessToken;
    }

    public function getPublicKey()
    {
        return new Key($this->publicKey);
    }

    /**
     * Get the issuer of the OpenID Connect id_token
     *
     * @return string
     */
    protected function getIdTokenIssuer()
    {
        return $this->idTokenIssuer;
    }

    /**
     * @return Specification\ValidatorChain
     */
    public function getValidatorChain()
    {
        return $this->validatorChain;
    }

    public function getBaseAuthorizationUrl()
    {
        return '';
    }

    public function getBaseAccessTokenUrl(array $params)
    {
        return '';
    }

    public function getDefaultScopes()
    {
        return [];
    }

    public function getResourceOwnerDetailsUrl(BaseAccessToken $token)
    {
    }

    public function getUri($name)
    {
        return $this->uris[$name];
    }

    /**
     * Returns all options that are required.
     *
     * @return array
     */
    protected function getRequiredOptions()
    {
        return [];
    }

    /**
     * Overload parent as OpenID Connect specification states scopes shall be separated by spaces
     *
     * @return string
     */
    protected function getScopeSeparator()
    {
        return ' ';
    }

    /**
     * Creates an access token from a response.
     *
     * The grant that was used to fetch the response can be used to provide
     * additional context.
     *
     * @param  array             $response
     *
     * @param AbstractGrant|null $grant
     *
     * @return AccessToken
     */
    protected function createAccessToken(array $response, AbstractGrant $grant = null)
    {
        if ($this->check()) {
            return new AccessToken($response);
        }

        return null;
    }

    public function check()
    {
        return true;
    }

    protected function createResourceOwner(array $response, BaseAccessToken $token)
    {
        return [];
    }

    protected function checkResponse(ResponseInterface $response, $data)
    {
    }
}

ozo2003 / HelperBundle

Push — master ( 06a7ac...ba6e27 )

OpenIDConnectProvider::getAccessToken() C

Complexity

Size

Duplication

Importance

How to fix Long Method

Long Method

Duplication Side-by-Side

Filter issues like
