AuthorizationEndpoint::verify() - Code Metrics - Inspection of "refactor" - php-guard/oauth-server - Measure and Improve Code Quality continuously with Scrutinizer

Completed
Push — master ( 6e52f0...d9a404 )

by Alexandre
created 2018-03-04 18:01 UTC
AuthorizationEndpoint::verify() D

↳ Parent: AuthorizationEndpoint
Complexity

Conditions	23
Paths	71
Size

Total Lines	118
Code Lines	76
Duplication

Lines	0
Ratio	0 %
Importance

Changes
Metric	Value
cc	23
eloc	76
nc	71
nop	1
dl	0
loc	118
rs	4.6303
c	0
b	0
f	0
How to fix Long Method Complexity

<?php
/**
 * Created by PhpStorm.
 * User: Alexandre
 * Date: 07/01/2018
 * Time: 13:57
 */

namespace OAuth2OLD\Endpoints;


use GuzzleHttp\Psr7\Request;
use GuzzleHttp\Psr7\Response;
use GuzzleHttp\Psr7\Uri;
use OAuth2OLD\Config;
use OAuth2OLD\EndpointMessages\Authorization\AuthorizationRequest;
use OAuth2OLD\EndpointMessages\Authorization\AuthorizationResponse;
use OAuth2OLD\EndpointMessages\Authorization\ErrorResponse;
use OAuth2OLD\Exceptions\OAuthException;
use OAuth2OLD\OpenID\ResponseModes\ResponseModeInterface;
use OAuth2OLD\ResponseTypes\ResponseTypeInterface;
use OAuth2OLD\Roles\ClientInterface;
use OAuth2OLD\Roles\Clients\RegisteredClient;
use OAuth2OLD\Roles\ResourceOwnerInterface;
use OAuth2OLD\Storages\ClientStorageInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Message\UriInterface;

class AuthorizationEndpoint extends AbstractEndpoint
{
    /**
     * https://github.com/authbucket/oauth2-php/blob/master/src/GrantType/AuthorizationCodeGrantTypeHandler.php
     *
     *
     * @param ServerRequestInterface $request
     * @param ResourceOwnerInterface $resourceOwner
     * @return ResponseInterface
     * @throws \Exception
     */
    function handle(ServerRequestInterface $request, ResourceOwnerInterface $resourceOwner): ResponseInterface

    {
        /**
         * @var RegisteredClient $client
         */
        $result = $this->verify($request);
        if ($result instanceof Response) {
            return $result;
        }

        /**
         * @var RegisteredClient $client
         * @var array $responseTypes
         * @var Uri $redirectUri
         * @var array|null $scope
         * @var string|null $responseMode
         * @var bool $isInsecure
         */
        extract($result);

        $authorizationRequest = AuthorizationRequest::createFromServerRequest($request);

        try {
/*

            if (!$authorizationDecision) {
                throw new OAuthException('access_denied',
                    'The resource owner server denied the request',
                    'https://tools.ietf.org/html/rfc6749#section-4.1.1');
            }
*/
//            $scope = $scopeRestrictedByResourceOwner ? $scopeRestrictedByResourceOwner : $scope;

            $data = [];

            /**
             * @var ResponseTypeInterface $responseType
             * @var Uri $redirectUri
             */
            foreach ($responseTypes as $responseType) {
                $result = $responseType->handle($request, $resourceOwner, $client, $scope);

                $data = array_merge($data, $result);
            }
        } catch (OAuthException $e) {
            return new ErrorResponse($redirectUri, $e->getError(),
                $e->getErrorDescription(),
                $e->getErrorUri(),
                $authorizationRequest->getState());
        }

        if ($authorizationRequest->getState()) {
            $data['state'] = $authorizationRequest->getState();
        }

        if ($responseMode == ResponseModeInterface::RESPONSE_MODE_QUERY) {
            foreach ($data as $k => $v) {
                $redirectUri = Uri::withQueryValue($redirectUri, $k, $v);
            }
        } else {
            $redirectUri = $redirectUri->withFragment(http_build_query($data));
        }

        return new AuthorizationResponse($redirectUri);
    }

    public function beforeConsent(ServerRequestInterface $request, &$result = null): ?Response {
    public function beforeConsent(ServerRequestInterface $request, /** @scrutinizer ignore-unused */ &$result = null): ?Response {
        return null;
    }

    /**
     * Renvoie une réponse si une erreur survient, null sinon,  le client et la redirect_uri sont des parametres int/out
     * @param ServerRequestInterface $request
     * @return Response|array
     * @throws \Exception
     */
    protected function verify(ServerRequestInterface $request)
    {
        $authorizationRequest = AuthorizationRequest::createFromServerRequest($request);

        if (!$authorizationRequest->getClientId()) {
            return new Response(400, [], json_encode([
                'error' => 'invalid_request',
                'error_description' => 'Missing a required parameter : client_id',
                'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
            ]));
        }

        /**
         * @var ClientStorageInterface $clientStorage
         */
        $clientStorage = $this->server->getStorageRepository()->getStorage('client');

        $client = $clientStorage->get($authorizationRequest->getClientId());
        if (!$client) {
            return new Response(400, [], json_encode([
                'error' => 'invalid_request',
                'error_description' => 'Invalid parameter : client_id',
                'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
            ]));
        }
        if (!$client instanceof RegisteredClient) {

            return new Response(400, [], json_encode([
                'error' => 'invalid_request',
                'error_description' => 'Client type is not supported',
                'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
            ]));
        }

        try {
            $redirectUri = $this->checkClientRedirectUri($client, $authorizationRequest->getRedirectUri());
        } catch (\Exception $e) {
            return new Response(400, [], json_encode([
                'error' => 'invalid_request',
                'error_description' => $e->getMessage(),
                'error_uri' => 'https://tools.ietf.org/html/rfc6749#section-4.1',
            ]));
        }

        try {
            if (!$authorizationRequest->getResponseType()) {
                throw new OAuthException('invalid_request',
                    'Missing a required parameter : response_type',
                    'https://tools.ietf.org/html/rfc6749#section-4.1'
                );
            }

            if ($this->server->getConfigurationRepository()->getConfig(Config::ENFORCE_STATE) &&
                !$authorizationRequest->getState()) {
                throw new OAuthException('invalid_request',
                    'Missing a required parameter : state',
                    'https://tools.ietf.org/html/rfc6749#section-4.1'
                );
            }

            $enforceTls = $this->server->getConfigurationRepository()->getConfig(Config::ENFORCE_TLS);
            $responseMode = ResponseTypeInterface::RESPONSE_MODE_QUERY;

            $isImplicit = false;
            $isInsecure = false;
            $responseTypes = [];
            foreach (explode(' ', $authorizationRequest->getResponseType()) as $responseTypeName) {
                $responseType = $this->server->getResponseTypeRepository()->getResponseType($responseTypeName);
                if (!$responseType) {
                    throw new OAuthException('unsupported_response_type',
                        'Invalid response_type parameter',
                        'https://tools.ietf.org/html/rfc6749#section-3.1.1');
                }

                if (($enforceTls == true && !$redirectUri->getScheme() != 'https') ||
                    (is_null($enforceTls) && $responseType->requireTLS() && !$redirectUri->getScheme() != 'https')) {
                    if (is_null($enforceTls) && !$client->isTLSSupported()) {
                        $isInsecure = true;
                    } else {
                        throw new OAuthException('access_denied',
                            'Require the use of TLS for the redirect URI',
                            'https://tools.ietf.org/html/rfc6749#section-3.1.2.1');
                    }
                }

                $responseType->verifyRequest($request);
                $responseTypes[] = $responseType;

                if ($responseType->getDefaultResponseMode() == ResponseTypeInterface::RESPONSE_MODE_FRAGMENT) {

                    $responseMode = $responseType->getDefaultResponseMode();
                }

                if ($responseType->isImplicit()) {
                    $isImplicit = true;
                }
            }

            if ($isImplicit && !$client->isImplicitAllowed()) {
                throw new OAuthException('unauthorized_client',
                    'Client is not allowed to use implicit grant',
                    'https://tools.ietf.org/html/rfc6749#section-3.1.1');
            }

            $scopePolicyManager = $this->server->getScopePolicyManager();

            $scope = $scopePolicyManager->getScopeArray($client, $authorizationRequest->getScope());
            if (!$scopePolicyManager->checkScope($client, $scope)) {
                $supportedScopes = implode(', ', $scopePolicyManager->getSupportedScopes($client));
                throw new OAuthException('invalid_scope',
                    'Some of requested scopes are not supported. Scope supported : ' . $supportedScopes,
                    'https://tools.ietf.org/html/rfc6749#section-4.1');
            }

        } catch (OAuthException $e) {
            return new ErrorResponse($redirectUri,
                $e->getError(), $e->getErrorDescription(), $e->getErrorUri(),
                $authorizationRequest->getState());
        }

        return compact('client', 'responseTypes', 'redirectUri', 'scope', 'responseMode', 'isInsecure');
    }

    /**
     * @see https://tools.ietf.org/html/rfc6749#section-3.1.2.3
     *
     * Dynamic Configuration
     *
     *     If multiple redirection URIs have been registered, if only part of
     * the redirection URI has been registered, or if no redirection URI has
     * been registered, the client MUST include a redirection URI with the
     * authorization request using the "redirect_uri" request parameter.
     *
     * When a redirection URI is included in an authorization request, the
     * authorization server MUST compare and match the value received
     * against at least one of the registered redirection URIs (or URI
     * components) as defined in [RFC3986] Section 6, if any redirection
     * URIs were registered.  If the client registration included the full
     * redirection URI, the authorization server MUST compare the two URIs
     * using simple string comparison as defined in [RFC3986] Section 6.2.1
     *
     * @param ClientInterface|RegisteredClient $client
     * @param null|string $redirectUri
     * @return UriInterface
     * @throws \Exception
     */
    private function checkClientRedirectUri(ClientInterface $client, ?string $redirectUri) : UriInterface
    {
        if (!$redirectUri) {
            if ($this->server->getConfigurationRepository()->getConfig(Config::ENFORCE_REDIRECT_URI)) {
                throw new \Exception('A redirect URI must be supplied');
            }
            if (empty($client->getRedirectUris())) {
                throw new \Exception('No redirect URI was supplied or stored');
            }
            if (count($client->getRedirectUris()) > 1) {
                throw new \Exception('A redirect URI must be supplied when multiple redirect URIs are registered');
            }
            $redirectUri = new Uri($client->getRedirectUris()[0]);
        } else {
            $redirectUri = new Uri($redirectUri);
            if ($redirectUri->getFragment()) {
                throw new \Exception('The redirect URI must not contain a fragment');
            }
            if (empty($client->getRedirectUris())) {
                if ($client->requireRedirectUri()) {
                    throw new \Exception('A redirect URI must be stored');
                } else {
                    return $redirectUri;
                }
            }
            $redirectUriWithoutQuery = Uri::composeComponents(
                $redirectUri->getScheme(), $redirectUri->getAuthority(), $redirectUri->getPath(), '', '');
            $match = false;
            foreach ($client->getRedirectUris() as $registeredUri) {
                $registeredUri = new Uri($registeredUri);
                if ($registeredUri->getQuery()) {
                    if ($registeredUri->__toString() === $redirectUri->__toString()) {
                        $match = true;
                        break;
                    }
                } else {
                    if ($this->server->getConfigurationRepository()->getConfig(Config::STRICT_REDIRECT_URI_COMPARISON)) {
                        if ($registeredUri->__toString() === $redirectUri->__toString()) {
                            $match = true;
                            break;
                        }
                    } else if ($registeredUri->__toString() === $redirectUriWithoutQuery) {
                        $match = true;
                        break;
                    }
                }
            }
            if (!$match) {
                throw new \Exception('The redirect URI provided is missing or does not match');
            }
        }
        return $redirectUri;
    }
}
php-guard / oauth-server

Push — master ( 6e52f0...d9a404 )

AuthorizationEndpoint::verify() D

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like
