SAMLController::acs() - Code Metrics - silverstripe/silverstripe-activedirectory - Measure and Improve Code Quality continuously with Scrutinizer

SAMLController::acs() C
last analyzed 2018-07-22 22:44 UTC

↳ Parent: SAMLController

Complexity

Conditions	10
Paths	12

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	77
rs	6.6351
c	0
b	0
f	0
cc	10
nc	12
nop	0

How to fix Long Method Complexity

<?php
/**
 * Class SAMLController
 *
 * This controller handles serving metadata requests for the IdP, as well as handling
 * creating new users and logging them into SilverStripe after being authenticated at the IdP.
 */
class SAMLController extends Controller
namespace YourVendor;

class YourClass { }
{
    /**
     * @var array
     */
    private static $allowed_actions = [

        'index',
        'login',
        'logout',
        'acs',
        'sls',
        'metadata'
    ];

    /**
     * Assertion Consumer Service
     *
     * The user gets sent back here after authenticating with the IdP, off-site.
     * The earlier redirection to the IdP can be found in the SAMLAuthenticator::authenticate.
     *
     * After this handler completes, we end up with a rudimentary Member record (which will be created on-the-fly
     * if not existent), with the user already logged in. Login triggers memberLoggedIn hooks, which allows
     * LDAP side of this module to finish off loading Member data.
     *
     * @throws OneLogin_Saml2_Error
     */
    public function acs()
    {
        $auth = Injector::inst()->get('SAMLHelper')->getSAMLAuth();
        $auth->processResponse();

        $error = $auth->getLastErrorReason();
        if (!empty($error)) {
            SS_Log::log($error, SS_Log::ERR);
            Form::messageForForm("SAMLLoginForm_LoginForm", "Authentication error: '{$error}'", 'bad');
            Session::save();
            return $this->getRedirect();
        }

        if (!$auth->isAuthenticated()) {
            Form::messageForForm("SAMLLoginForm_LoginForm", _t('Member.ERRORWRONGCRED'), 'bad');
            Session::save();
            return $this->getRedirect();
        }

        $decodedNameId = base64_decode($auth->getNameId());
        // check that the NameID is a binary string (which signals that it is a guid
        if (ctype_print($decodedNameId)) {
            Form::messageForForm("SAMLLoginForm_LoginForm", "Name ID provided by IdP is not a binary GUID.", 'bad');
            Session::save();
            return $this->getRedirect();
        }

        // transform the NameId to guid
        $guid = LDAPUtil::bin_to_str_guid($decodedNameId);
        if (!LDAPUtil::validGuid($guid)) {
            $errorMessage = "Not a valid GUID '{$guid}' recieved from server.";
            SS_Log::log($errorMessage, SS_Log::ERR);
            Form::messageForForm("SAMLLoginForm_LoginForm", $errorMessage, 'bad');
            Session::save();
            return $this->getRedirect();
        }

        // Write a rudimentary member with basic fields on every login, so that we at least have something
        // if LDAP synchronisation fails.
        $member = Member::get()->filter('GUID', $guid)->limit(1)->first();
        if (!($member && $member->exists())) {
            $member = new Member();
            $member->GUID = $guid;
        }

        $attributes = $auth->getAttributes();

        foreach ($member->config()->claims_field_mappings as $claim => $field) {
            if (!isset($attributes[$claim][0])) {
                SS_Log::log(
                    sprintf(
                        'Claim rule \'%s\' configured in LDAPMember.claims_field_mappings, but wasn\'t passed through. Please check IdP claim rules.',
                        $claim
                    ), SS_Log::WARN
                );

                continue;
            }

            if(count($attributes[$claim]) > 1) {
                $member->$field = $attributes[$claim];
            } else {
                $member->$field = $attributes[$claim][0];
            }
        }

        $member->SAMLSessionIndex = $auth->getSessionIndex();

        // This will trigger LDAP update through LDAPMemberExtension::memberLoggedIn.
        // The LDAP update will also write the Member record. We shouldn't write before
        // calling this, as any onAfterWrite hooks that attempt to update LDAP won't
        // have the Username field available yet for new Member records, and fail.
        // Both SAML and LDAP identify Members by the GUID field.
        $member->logIn();

        return $this->getRedirect();
    }

    /**
     * Generate this SP's metadata. This is needed for intialising the SP-IdP relationship.
     * IdP is instructed to call us back here to establish the relationship. IdP may also be configured
     * to hit this endpoint periodically during normal operation, to check the SP availability.
     */
    public function metadata()
    {
        try {
            $auth = Injector::inst()->get('SAMLHelper')->getSAMLAuth();
            $settings = $auth->getSettings();
            $metadata = $settings->getSPMetadata();
            $errors = $settings->validateMetadata($metadata);
            if (empty($errors)) {
                header('Content-Type: text/xml');
                echo $metadata;
            } else {
                throw new \OneLogin_Saml2_Error(
                    'Invalid SP metadata: ' . implode(', ', $errors),
                    \OneLogin_Saml2_Error::METADATA_SP_INVALID
                );
            }
        } catch (Exception $e) {
            SS_Log::log($e->getMessage(), SS_Log::ERR);
            echo $e->getMessage();
        }
    }

    /**
     * @return SS_HTTPResponse
     */
    protected function getRedirect()
    {
        // Absolute redirection URLs may cause spoofing
        if (Session::get('BackURL') && Director::is_site_url(Session::get('BackURL'))) {

            return $this->redirect(Session::get('BackURL'));
        }

        // Spoofing attack, redirect to homepage instead of spoofing url
        if (Session::get('BackURL') && !Director::is_site_url(Session::get('BackURL'))) {

            return $this->redirect(Director::absoluteBaseURL());
        }

        // If a default login dest has been set, redirect to that.
        if (Security::config()->default_login_dest) {
            return $this->redirect(Director::absoluteBaseURL() . Security::config()->default_login_dest);
        }

        // fallback to redirect back to home page
        return $this->redirect(Director::absoluteBaseURL());
    }
}


1		<?php
2		/**
3		* Class SAMLController
4		*
5		* This controller handles serving metadata requests for the IdP, as well as handling
6		* creating new users and logging them into SilverStripe after being authenticated at the IdP.
7		*/
8		class SAMLController extends Controller
		0 ignored issues – show Coding Style Compatibility introduced 2016-03-22 20:04 UTC by Report Bug Copy Issue Report PSR1 recommends that each class must be in a namespace of at least one level to avoid collisions. You can fix this by adding a namespace to your class: namespace YourVendor; class YourClass { } When choosing a vendor namespace, try to pick something that is not too generic to avoid conflicts with other libraries. Loading history...
9		{
10		/**
11		* @var array
12		*/
13		private static $allowed_actions = [
		0 ignored issues – show Comprehensibility introduced 2017-05-05 05:43 UTC by Report Bug Copy Issue Report Consider using a different property name as you override a private property of the parent class. Loading history... Unused Code introduced 2017-01-16 21:03 UTC by Report Bug Copy Issue Report The property `$allowed_actions` is not used and could be removed. This check marks private properties in classes that are never used. Those properties can be removed. Loading history...
14		'index',
15		'login',
16		'logout',
17		'acs',
18		'sls',
19		'metadata'
20		];
21
22		/**
23		* Assertion Consumer Service
24		*
25		* The user gets sent back here after authenticating with the IdP, off-site.
26		* The earlier redirection to the IdP can be found in the SAMLAuthenticator::authenticate.
27		*
28		* After this handler completes, we end up with a rudimentary Member record (which will be created on-the-fly
29		* if not existent), with the user already logged in. Login triggers memberLoggedIn hooks, which allows
30		* LDAP side of this module to finish off loading Member data.
31		*
32		* @throws OneLogin_Saml2_Error
33		*/
34		public function acs()
35		{
36		$auth = Injector::inst()->get('SAMLHelper')->getSAMLAuth();
37		$auth->processResponse();
38
39		$error = $auth->getLastErrorReason();
40		if (!empty($error)) {
41		SS_Log::log($error, SS_Log::ERR);
42		Form::messageForForm("SAMLLoginForm_LoginForm", "Authentication error: '{$error}'", 'bad');
43		Session::save();
44		return $this->getRedirect();
45		}
46
47		if (!$auth->isAuthenticated()) {
48		Form::messageForForm("SAMLLoginForm_LoginForm", _t('Member.ERRORWRONGCRED'), 'bad');
49		Session::save();
50		return $this->getRedirect();
51		}
52
53		$decodedNameId = base64_decode($auth->getNameId());
54		// check that the NameID is a binary string (which signals that it is a guid
55		if (ctype_print($decodedNameId)) {
56		Form::messageForForm("SAMLLoginForm_LoginForm", "Name ID provided by IdP is not a binary GUID.", 'bad');
57		Session::save();
58		return $this->getRedirect();
59		}
60
61		// transform the NameId to guid
62		$guid = LDAPUtil::bin_to_str_guid($decodedNameId);
63		if (!LDAPUtil::validGuid($guid)) {
64		$errorMessage = "Not a valid GUID '{$guid}' recieved from server.";
65		SS_Log::log($errorMessage, SS_Log::ERR);
66		Form::messageForForm("SAMLLoginForm_LoginForm", $errorMessage, 'bad');
67		Session::save();
68		return $this->getRedirect();
69		}
70
71		// Write a rudimentary member with basic fields on every login, so that we at least have something
72		// if LDAP synchronisation fails.
73		$member = Member::get()->filter('GUID', $guid)->limit(1)->first();
74		if (!($member && $member->exists())) {
75		$member = new Member();
76		$member->GUID = $guid;
77		}
78
79		$attributes = $auth->getAttributes();
80
81		foreach ($member->config()->claims_field_mappings as $claim => $field) {
82		if (!isset($attributes[$claim][0])) {
83		SS_Log::log(
84		sprintf(
85		'Claim rule \'%s\' configured in LDAPMember.claims_field_mappings, but wasn\'t passed through. Please check IdP claim rules.',
86		$claim
87		), SS_Log::WARN
88		);
89
90		continue;
91		}
92
93		if(count($attributes[$claim]) > 1) {
94		$member->$field = $attributes[$claim];
95		} else {
96		$member->$field = $attributes[$claim][0];
97		}
98		}
99
100		$member->SAMLSessionIndex = $auth->getSessionIndex();
101
102		// This will trigger LDAP update through LDAPMemberExtension::memberLoggedIn.
103		// The LDAP update will also write the Member record. We shouldn't write before
104		// calling this, as any onAfterWrite hooks that attempt to update LDAP won't
105		// have the Username field available yet for new Member records, and fail.
106		// Both SAML and LDAP identify Members by the GUID field.
107		$member->logIn();
108
109		return $this->getRedirect();
110		}
111
112		/**
113		* Generate this SP's metadata. This is needed for intialising the SP-IdP relationship.
114		* IdP is instructed to call us back here to establish the relationship. IdP may also be configured
115		* to hit this endpoint periodically during normal operation, to check the SP availability.
116		*/
117		public function metadata()
118		{
119		try {
120		$auth = Injector::inst()->get('SAMLHelper')->getSAMLAuth();
121		$settings = $auth->getSettings();
122		$metadata = $settings->getSPMetadata();
123		$errors = $settings->validateMetadata($metadata);
124		if (empty($errors)) {
125		header('Content-Type: text/xml');
126		echo $metadata;
127		} else {
128		throw new \OneLogin_Saml2_Error(
129		'Invalid SP metadata: ' . implode(', ', $errors),
130		\OneLogin_Saml2_Error::METADATA_SP_INVALID
131		);
132		}
133		} catch (Exception $e) {
134		SS_Log::log($e->getMessage(), SS_Log::ERR);
135		echo $e->getMessage();
136		}
137		}
138
139		/**
140		* @return SS_HTTPResponse
141		*/
142		protected function getRedirect()
143		{
144		// Absolute redirection URLs may cause spoofing
145	View Code Duplication	if (Session::get('BackURL') && Director::is_site_url(Session::get('BackURL'))) {
		0 ignored issues – show Duplication introduced 2016-03-22 20:04 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
146		return $this->redirect(Session::get('BackURL'));
147		}
148
149		// Spoofing attack, redirect to homepage instead of spoofing url
150	View Code Duplication	if (Session::get('BackURL') && !Director::is_site_url(Session::get('BackURL'))) {
		0 ignored issues – show Duplication introduced 2016-03-22 20:04 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
151		return $this->redirect(Director::absoluteBaseURL());
152		}
153
154		// If a default login dest has been set, redirect to that.
155		if (Security::config()->default_login_dest) {
156		return $this->redirect(Director::absoluteBaseURL() . Security::config()->default_login_dest);
157		}
158
159		// fallback to redirect back to home page
160		return $this->redirect(Director::absoluteBaseURL());
161		}
162		}
163

silverstripe / silverstripe-activedirectory

SAMLController::acs() C last analyzed 2018-07-22 22:44 UTC

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like

SAMLController::acs() C
last analyzed 2018-07-22 22:44 UTC