OpenIDConnectProvider::getRandomState() - Code Metrics - Inspection of "WIP openidconnect" - ozo2003/HelperBundle - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Branch — master (eb9804)

by Dāvis

created 2018-01-16 11:08 UTC

OpenIDConnectProvider::getRandomState() A

↳ Parent: OpenIDConnectProvider

Complexity

Conditions	1
Paths	1

Size

Total Lines	3
Code Lines	1

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	1
eloc	1
nc	1
nop	1
dl	0
loc	3
rs	10
c	0
b	0
f	0

<?php

namespace Sludio\HelperBundle\Openidconnect\Provider;

use Lcobucci\JWT\Signer;
filter:
    dependency_paths: ["lib/*"]
use Lcobucci\JWT\Signer\Key;
filter:
    dependency_paths: ["lib/*"]
use Lcobucci\JWT\Signer\Rsa\Sha256;
filter:
    dependency_paths: ["lib/*"]
use League\OAuth2\Client\Grant\AbstractGrant;
filter:
    dependency_paths: ["lib/*"]
use League\OAuth2\Client\Token\AccessToken as BaseAccessToken;
filter:
    dependency_paths: ["lib/*"]
use Psr\Http\Message\ResponseInterface;
filter:
    dependency_paths: ["lib/*"]
use Sludio\HelperBundle\Openidconnect\Component\Providerable;
use Sludio\HelperBundle\Openidconnect\Security\Exception\InvalidTokenException;
use Sludio\HelperBundle\Openidconnect\Specification;
use Symfony\Bundle\FrameworkBundle\Routing\Router;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Sludio\HelperBundle\Script\Utils\Helper;
use Symfony\Component\HttpFoundation\Session\Session;

class OpenIDConnectProvider extends BaseProvider implements Providerable
{
    const METHOD_POST = 'POST';
    const METHOD_GET = 'GET';

    /**
     * @var string
     */
    protected $publicKey;

    /**
     * @var Signer
     */
    protected $signer;

    /**
     * @var Specification\ValidatorChain
     */
    protected $validatorChain;

    /**
     * @var string
     */
    protected $idTokenIssuer;
    /**
     * @var Uri[]
     */
    protected $uris = [];

    /**
     * @var bool
     */
    protected $useSession;

    /**
     * @var Router
     */
    private $router;

    /**
     * @var string
     */
    private $baseUri;

    protected $session;

    /**
     * @param array  $options
     * @param array  $collaborators
     * @param Router $router
     */
    public function __construct(array $options = [], array $collaborators = [], Router $router, Session $session)
    {
        $this->signer = new Sha256();

        $this->validatorChain = new Specification\ValidatorChain();
        $this->validatorChain->setValidators([
            new Specification\NotEmpty('iat', true),
            new Specification\GreaterOrEqualsTo('exp', true),
            new Specification\EqualsTo('iss', true),
            new Specification\EqualsTo('aud', true),
            new Specification\NotEmpty('sub', true),
            new Specification\LesserOrEqualsTo('nbf'),
            new Specification\EqualsTo('jti'),
            new Specification\EqualsTo('azp'),
            new Specification\EqualsTo('nonce'),
        ]);

        $this->router = $router;
        $this->session = $session;

        parent::__construct($options, $collaborators);
        $this->buildParams($options);
    }

    /**
     * @inheritdoc
     */
    protected function getRandomState($length = 32)
    {
        return Helper::getUniqueId($length);
    }

    private function buildParams(array $options = [])
    {
        if (!empty($options)) {
            $this->clientId = $options['client_key'];

            $this->clientSecret = $options['client_secret'];

            unset($options['client_secret'], $options['client_key']);
            $this->idTokenIssuer = $options['id_token_issuer'];
            $this->publicKey = 'file://'.$options['public_key'];
            $this->state = $this->getRandomState();

            $this->baseUri = $options['base_uri'];
            $this->useSession = $options['use_session'];
            $url = null;
            switch ($options['redirect']['type']) {
                case 'uri':
                    $url = $options['redirect']['uri'];
                    break;
                case 'route':
                    $params = !empty($options['redirect']['params']) ? $options['redirect']['params'] : [];
                    $url = $this->router->generate($options['redirect']['route'], $params, UrlGeneratorInterface::ABSOLUTE_URL);
                    break;
            }
            $this->redirectUri = $url;


            /** @var $options array[] */
            foreach ($options['uris'] as $name => $uri) {
                $opt = [
                    'client_id' => $this->clientId,
                    'redirect_uri' => $this->redirectUri,
                    'state' => $this->state,
                    'base_uri' => $this->baseUri,
                ];
                $method = isset($uri['method']) ? $uri['method'] : self::METHOD_POST;
                $this->uris[$name] = new Uri($uri, $opt, $this->useSession, $method, $this->session);
            }
        }
    }

    /**
     * Requests an access token using a specified grant and option set.
     *
     * @param  mixed $grant
     * @param  array $options
     *
     * @return AccessToken
     * @throws InvalidTokenException
     * @throws \BadMethodCallException
     */
    public function getAccessToken($grant, array $options = [])
    {
        /** @var AccessToken $token */
        $accessToken = parent::getAccessToken($grant, $options);

        if (null === $accessToken) {
            throw new InvalidTokenException('Invalid access token.');
        }

        $token = $accessToken->getIdToken();
        // id_token is empty.
        if (null === $token) {
            throw new InvalidTokenException('Expected an id_token but did not receive one from the authorization server.');
        }

        // If the ID Token is received via direct communication between the Client and the Token Endpoint
        // (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking
        // the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS]
        // using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by
        // the Issuer.
        //
        // The alg value SHOULD be the default of RS256 or the algorithm sent by the Client in the
        // id_token_signed_response_alg parameter during Registration.
        if (false === $token->verify($this->signer, $this->getPublicKey())) {
            throw new InvalidTokenException('Received an invalid id_token from authorization server.');
        }

        // validations
        // @see http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
        // validate the iss (issuer)
        // - The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)
        // MUST exactly match the value of the iss (issuer) Claim.
        // validate the aud
        // - The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer
        // identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more
        // than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience,
        // or if it contains additional audiences not trusted by the Client.
        // - If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked
        // to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD
        // check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.
        // - If the auth_time Claim was requested, either through a specific request for this Claim or by using
        // the max_age parameter, the Client SHOULD check the auth_time Claim value and request re-authentication if it
        // determines too much time has elapsed since the last End-User authentication.
        // TODO
        // If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate.
        // The meaning and processing of acr Claim Values is out of scope for this specification.
        $currentTime = time();
        $data = [
            'iss' => $this->getIdTokenIssuer(),
            'exp' => $currentTime,
            'auth_time' => $currentTime,
            'iat' => $currentTime,
            'nbf' => $currentTime,
            'aud' => $this->clientId,
        ];

        // If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
        // If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
        if ($token->hasClaim('azp')) {
            $data['azp'] = $this->clientId;
        }

        if (false === $this->validatorChain->validate($data, $token)) {
            throw new InvalidTokenException('The id_token did not pass validation.');
        }

        if ($this->useSession) {
            $this->session->set('access_token', $accessToken->getToken());
            $this->session->set('refresh_token', $accessToken->getRefreshToken());
            $this->session->set('id_token', $accessToken->getIdTokenHint());
        }

        return $accessToken;
    }

    public function getPublicKey()
    {
        return new Key($this->publicKey);
    }

    /**
     * Get the issuer of the OpenID Connect id_token
     *
     * @return string
     */
    protected function getIdTokenIssuer()
    {
        return $this->idTokenIssuer;
    }

    /**
     * Creates an access token from a response.
     *
     * The grant that was used to fetch the response can be used to provide
     * additional context.
     *
     * @param  array             $response
     *
     * @param AbstractGrant|null $grant
     *
     * @return AccessToken
     */
    protected function createAccessToken(array $response, AbstractGrant $grant = null)
    {
        if ($this->check()) {
            return new AccessToken($response);
        }

        return null;
    }

    public function check()
    {
        return true;
    }

    /**
     * @return Specification\ValidatorChain
     */
    public function getValidatorChain()
    {
        return $this->validatorChain;
    }

    public function getBaseAuthorizationUrl()
    {
        return '';
    }

    public function getBaseAccessTokenUrl(array $params)
    {
        return '';
    }

    public function getDefaultScopes()
    {
        return [];
    }

    public function getResourceOwnerDetailsUrl(BaseAccessToken $token)
    {
    }

    public function getUri($name)
    {
        return $this->uris[$name];
    }

    /**
     * Returns all options that are required.
     *
     * @return array
     */
    protected function getRequiredOptions()
    {
        return [];
    }

    /**
     * Overload parent as OpenID Connect specification states scopes shall be separated by spaces
     *
     * @return string
     */
    protected function getScopeSeparator()
    {
        return ' ';
    }

    protected function createResourceOwner(array $response, BaseAccessToken $token)
    {
        return [];
    }

    protected function checkResponse(ResponseInterface $response, $data)
    {
    }
}


1			<?php
2
3			namespace Sludio\HelperBundle\Openidconnect\Provider;
4
5			use Lcobucci\JWT\Signer;
			0 ignored issues – show Bug introduced 2018-01-11 18:57 UTC by Report Bug Copy Issue Report The type `Lcobucci\JWT\Signer` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
6			use Lcobucci\JWT\Signer\Key;
			0 ignored issues – show Bug introduced 2018-01-11 18:57 UTC by Report Bug Copy Issue Report The type `Lcobucci\JWT\Signer\Key` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
7			use Lcobucci\JWT\Signer\Rsa\Sha256;
			0 ignored issues – show Bug introduced 2018-01-11 18:57 UTC by Report Bug Copy Issue Report The type `Lcobucci\JWT\Signer\Rsa\Sha256` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
8			use League\OAuth2\Client\Grant\AbstractGrant;
			0 ignored issues – show Bug introduced 2018-01-11 18:57 UTC by Report Bug Copy Issue Report The type `League\OAuth2\Client\Grant\AbstractGrant` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
9			use League\OAuth2\Client\Token\AccessToken as BaseAccessToken;
			0 ignored issues – show Bug introduced 2018-01-11 18:57 UTC by Report Bug Copy Issue Report The type `League\OAuth2\Client\Token\AccessToken` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
10			use Psr\Http\Message\ResponseInterface;
			0 ignored issues – show Bug introduced 2018-01-11 18:57 UTC by Report Bug Copy Issue Report The type `Psr\Http\Message\ResponseInterface` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
11			use Sludio\HelperBundle\Openidconnect\Component\Providerable;
12			use Sludio\HelperBundle\Openidconnect\Security\Exception\InvalidTokenException;
13			use Sludio\HelperBundle\Openidconnect\Specification;
14			use Symfony\Bundle\FrameworkBundle\Routing\Router;
15			use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
16			use Sludio\HelperBundle\Script\Utils\Helper;
17			use Symfony\Component\HttpFoundation\Session\Session;
18
19			class OpenIDConnectProvider extends BaseProvider implements Providerable
20			{
21			const METHOD_POST = 'POST';
22			const METHOD_GET = 'GET';
23
24			/**
25			* @var string
26			*/
27			protected $publicKey;
28
29			/**
30			* @var Signer
31			*/
32			protected $signer;
33
34			/**
35			* @var Specification\ValidatorChain
36			*/
37			protected $validatorChain;
38
39			/**
40			* @var string
41			*/
42			protected $idTokenIssuer;
43			/**
44			* @var Uri[]
45			*/
46			protected $uris = [];
47
48			/**
49			* @var bool
50			*/
51			protected $useSession;
52
53			/**
54			* @var Router
55			*/
56			private $router;
57
58			/**
59			* @var string
60			*/
61			private $baseUri;
62
63			protected $session;
64
65			/**
66			* @param array $options
67			* @param array $collaborators
68			* @param Router $router
69			*/
70			public function __construct(array $options = [], array $collaborators = [], Router $router, Session $session)
71			{
72			$this->signer = new Sha256();
73
74			$this->validatorChain = new Specification\ValidatorChain();
75			$this->validatorChain->setValidators([
76			new Specification\NotEmpty('iat', true),
77			new Specification\GreaterOrEqualsTo('exp', true),
78			new Specification\EqualsTo('iss', true),
79			new Specification\EqualsTo('aud', true),
80			new Specification\NotEmpty('sub', true),
81			new Specification\LesserOrEqualsTo('nbf'),
82			new Specification\EqualsTo('jti'),
83			new Specification\EqualsTo('azp'),
84			new Specification\EqualsTo('nonce'),
85			]);
86
87			$this->router = $router;
88			$this->session = $session;
89
90			parent::__construct($options, $collaborators);
91			$this->buildParams($options);
92			}
93
94			/**
95			* @inheritdoc
96			*/
97			protected function getRandomState($length = 32)
98			{
99			return Helper::getUniqueId($length);
100			}
101
102			private function buildParams(array $options = [])
103			{
104			if (!empty($options)) {
105			$this->clientId = $options['client_key'];
			0 ignored issues – show Bug Best Practice introduced 2018-01-11 18:57 UTC by Report Bug Copy Issue Report The property `clientId` does not exist. Although not strictly required by PHP, it is generally a best practice to declare properties explicitly. Loading history...
106			$this->clientSecret = $options['client_secret'];
			0 ignored issues – show Bug Best Practice introduced 2018-01-11 18:57 UTC by Report Bug Copy Issue Report The property `clientSecret` does not exist. Although not strictly required by PHP, it is generally a best practice to declare properties explicitly. Loading history...
107			unset($options['client_secret'], $options['client_key']);
108			$this->idTokenIssuer = $options['id_token_issuer'];
109			$this->publicKey = 'file://'.$options['public_key'];
110			$this->state = $this->getRandomState();
			0 ignored issues – show Bug Best Practice introduced 2018-01-11 18:57 UTC by Report Bug Copy Issue Report The property `state` does not exist. Although not strictly required by PHP, it is generally a best practice to declare properties explicitly. Loading history...
111			$this->baseUri = $options['base_uri'];
112			$this->useSession = $options['use_session'];
113			$url = null;
114			switch ($options['redirect']['type']) {
115			case 'uri':
116			$url = $options['redirect']['uri'];
117			break;
118			case 'route':
119			$params = !empty($options['redirect']['params']) ? $options['redirect']['params'] : [];
120			$url = $this->router->generate($options['redirect']['route'], $params, UrlGeneratorInterface::ABSOLUTE_URL);
121			break;
122			}
123			$this->redirectUri = $url;
			0 ignored issues – show Bug Best Practice introduced 2018-01-11 18:57 UTC by Report Bug Copy Issue Report The property `redirectUri` does not exist. Although not strictly required by PHP, it is generally a best practice to declare properties explicitly. Loading history...
124
125			/** @var $options array[] */
126			foreach ($options['uris'] as $name => $uri) {
127			$opt = [
128			'client_id' => $this->clientId,
129			'redirect_uri' => $this->redirectUri,
130			'state' => $this->state,
131			'base_uri' => $this->baseUri,
132			];
133			$method = isset($uri['method']) ? $uri['method'] : self::METHOD_POST;
134			$this->uris[$name] = new Uri($uri, $opt, $this->useSession, $method, $this->session);
135			}
136			}
137			}
138
139			/**
140			* Requests an access token using a specified grant and option set.
141			*
142			* @param mixed $grant
143			* @param array $options
144			*
145			* @return AccessToken
146			* @throws InvalidTokenException
147			* @throws \BadMethodCallException
148			*/
149			public function getAccessToken($grant, array $options = [])
150			{
151			/** @var AccessToken $token */
152			$accessToken = parent::getAccessToken($grant, $options);
153
154			if (null === $accessToken) {
155			throw new InvalidTokenException('Invalid access token.');
156			}
157
158			$token = $accessToken->getIdToken();
159			// id_token is empty.
160			if (null === $token) {
161			throw new InvalidTokenException('Expected an id_token but did not receive one from the authorization server.');
162			}
163
164			// If the ID Token is received via direct communication between the Client and the Token Endpoint
165			// (which it is in this flow), the TLS server validation MAY be used to validate the issuer in place of checking
166			// the token signature. The Client MUST validate the signature of all other ID Tokens according to JWS [JWS]
167			// using the algorithm specified in the JWT alg Header Parameter. The Client MUST use the keys provided by
168			// the Issuer.
169			//
170			// The alg value SHOULD be the default of RS256 or the algorithm sent by the Client in the
171			// id_token_signed_response_alg parameter during Registration.
172			if (false === $token->verify($this->signer, $this->getPublicKey())) {
173			throw new InvalidTokenException('Received an invalid id_token from authorization server.');
174			}
175
176			// validations
177			// @see http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
178			// validate the iss (issuer)
179			// - The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery)
180			// MUST exactly match the value of the iss (issuer) Claim.
181			// validate the aud
182			// - The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer
183			// identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more
184			// than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience,
185			// or if it contains additional audiences not trusted by the Client.
186			// - If a nonce value was sent in the Authentication Request, a nonce Claim MUST be present and its value checked
187			// to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD
188			// check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.
189			// - If the auth_time Claim was requested, either through a specific request for this Claim or by using
190			// the max_age parameter, the Client SHOULD check the auth_time Claim value and request re-authentication if it
191			// determines too much time has elapsed since the last End-User authentication.
192			// TODO
193			// If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate.
194			// The meaning and processing of acr Claim Values is out of scope for this specification.
195			$currentTime = time();
196			$data = [
197			'iss' => $this->getIdTokenIssuer(),
198			'exp' => $currentTime,
199			'auth_time' => $currentTime,
200			'iat' => $currentTime,
201			'nbf' => $currentTime,
202			'aud' => $this->clientId,
203			];
204
205			// If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
206			// If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
207			if ($token->hasClaim('azp')) {
208			$data['azp'] = $this->clientId;
209			}
210
211			if (false === $this->validatorChain->validate($data, $token)) {
212			throw new InvalidTokenException('The id_token did not pass validation.');
213			}
214
215			if ($this->useSession) {
216			$this->session->set('access_token', $accessToken->getToken());
217			$this->session->set('refresh_token', $accessToken->getRefreshToken());
218			$this->session->set('id_token', $accessToken->getIdTokenHint());
219			}
220
221			return $accessToken;
222			}
223
224			public function getPublicKey()
225			{
226			return new Key($this->publicKey);
227			}
228
229			/**
230			* Get the issuer of the OpenID Connect id_token
231			*
232			* @return string
233			*/
234			protected function getIdTokenIssuer()
235			{
236			return $this->idTokenIssuer;
237			}
238
239			/**
240			* Creates an access token from a response.
241			*
242			* The grant that was used to fetch the response can be used to provide
243			* additional context.
244			*
245			* @param array $response
246			*
247			* @param AbstractGrant\|null $grant
248			*
249			* @return AccessToken
250			*/
251			protected function createAccessToken(array $response, AbstractGrant $grant = null)
252			{
253			if ($this->check()) {
254			return new AccessToken($response);
255			}
256
257			return null;
258			}
259
260			public function check()
261			{
262			return true;
263			}
264
265			/**
266			* @return Specification\ValidatorChain
267			*/
268			public function getValidatorChain()
269			{
270			return $this->validatorChain;
271			}
272
273			public function getBaseAuthorizationUrl()
274			{
275			return '';
276			}
277
278			public function getBaseAccessTokenUrl(array $params)
279			{
280			return '';
281			}
282
283			public function getDefaultScopes()
284			{
285			return [];
286			}
287
288			public function getResourceOwnerDetailsUrl(BaseAccessToken $token)
289			{
290			}
291
292			public function getUri($name)
293			{
294			return $this->uris[$name];
295			}
296
297			/**
298			* Returns all options that are required.
299			*
300			* @return array
301			*/
302			protected function getRequiredOptions()
303			{
304			return [];
305			}
306
307			/**
308			* Overload parent as OpenID Connect specification states scopes shall be separated by spaces
309			*
310			* @return string
311			*/
312			protected function getScopeSeparator()
313			{
314			return ' ';
315			}
316
317			protected function createResourceOwner(array $response, BaseAccessToken $token)
318			{
319			return [];
320			}
321
322			protected function checkResponse(ResponseInterface $response, $data)
323			{
324			}
325			}
326

ozo2003 / HelperBundle

Branch — master (eb9804)

OpenIDConnectProvider::getRandomState() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like