<?php
namespace SilverStripe\ActiveDirectory\Services;
use OneLogin_Saml2_Constants;
use SilverStripe\Core\Object;
use SilverStripe\Control\Director;
/**
 * Class SAMLConfiguration
 *
 * This object's job is to convert configuration from the SilverStripe config system
 * into an array that can be consumed by the Onelogin SAML implementation.
 *
 * The configuration tells the IdP and SP how to establish the circle of trust - i.e.
 * how to exchange certificates and which endpoints to use (e.g. see SAMLConfiguration::metadata).
 *
 * https://syncplicity.zendesk.com/hc/en-us/articles/202392814-Single-sign-on-with-ADFS
 *
 * @package activedirectory
 */
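class SAMLConfiguration extends Object
{
    /**
     * Whether the OneLogin toolkit runs in strict mode, i.e. rejects SAML messages
     * that are not valid per spec (wrong Destination/Audience, missing signature, ...).
     * Normally set in YAML config.
     *
     * @config
     * @var bool
     */
    private static $strict;

    /**
     * Whether the OneLogin toolkit runs in debug mode.
     *
     * @config
     * @var bool
     */
    private static $debug;

    /**
     * Service provider (this site) settings. Keys read by asArray():
     * entityId, x509cert, privateKey and, optionally, nameIdFormat.
     * x509cert and privateKey are file paths, absolute or relative to BASE_PATH.
     *
     * @config
     * @var array
     */
    private static $SP;

    /**
     * Identity provider (e.g. ADFS) settings. Keys read by asArray():
     * entityId, singleSignOnService, x509cert and, optionally, singleLogoutService.
     * x509cert is a file path, absolute or relative to BASE_PATH.
     *
     * @config
     * @var array
     */
    private static $IdP;

    /**
     * Security settings. Only signatureAlgorithm is read by asArray(); it is the
     * XML-DSig algorithm URI used to sign outgoing requests.
     *
     * @config
     * @var array
     */
    private static $Security;

    /**
     * Build the settings array consumed by the OneLogin toolkit
     * (OneLogin_Saml2_Settings / OneLogin_Saml2_Auth).
     *
     * Certificate and key paths from config are resolved (relative paths against
     * BASE_PATH) and their file contents inlined, because the toolkit expects PEM
     * strings rather than paths.
     *
     * @return array
     * @throws \RuntimeException If a required certificate or key path is not configured
     *                           or the file cannot be read
     */
    public function asArray()
    {
        $conf = [];

        // NOTE(review): when 'strict' is not configured this is null, which the toolkit
        // presumably treats as strict mode off - confirm. It should be on in production so
        // that responses with a wrong Destination/Audience or an unsigned assertion are rejected.
        $conf['strict'] = $this->config()->get('strict');
        $conf['debug'] = $this->config()->get('debug');

        // SERVICE PROVIDER SECTION
        $sp = $this->config()->get('SP');
        $conf['sp']['entityId'] = $sp['entityId'];
        // The ACS endpoint is derived from entityId, so entityId must be this site's
        // base URL without a trailing slash.
        $conf['sp']['assertionConsumerService'] = [
            'url' => $sp['entityId'] . '/saml/acs',
            'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_POST
        ];
        $conf['sp']['NameIDFormat'] = isset($sp['nameIdFormat'])
            ? $sp['nameIdFormat']
            : OneLogin_Saml2_Constants::NAMEID_TRANSIENT;
        $conf['sp']['x509cert'] = $this->readPemFile($sp, 'x509cert', 'SP');
        // The SP private key is loaded into memory here. Keep the file outside any
        // web-served directory (BASE_PATH may be one) and readable only by the web server user.
        $conf['sp']['privateKey'] = $this->readPemFile($sp, 'privateKey', 'SP');

        // IDENTITY PROVIDER SECTION
        $idp = $this->config()->get('IdP');
        $conf['idp']['entityId'] = $idp['entityId'];
        $conf['idp']['singleSignOnService'] = [
            'url' => $idp['singleSignOnService'],
            'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT,
        ];
        if (isset($idp['singleLogoutService'])) {
            $conf['idp']['singleLogoutService'] = [
                'url' => $idp['singleLogoutService'],
                'binding' => OneLogin_Saml2_Constants::BINDING_HTTP_REDIRECT,
            ];
        }
        // The IdP certificate is what incoming assertion signatures are verified against;
        // a missing or unreadable file must fail loudly rather than yield an empty trust anchor.
        $conf['idp']['x509cert'] = $this->readPemFile($idp, 'x509cert', 'IdP');

        // SECURITY SECTION
        $security = $this->config()->get('Security');
        // Fall back to RSA-SHA256 when unset instead of relying on the toolkit's own
        // default, which in older php-saml releases is RSA-SHA1.
        $signatureAlgorithm = isset($security['signatureAlgorithm'])
            ? $security['signatureAlgorithm']
            : 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';

        $conf['security'] = [
            /** signatures and encryptions offered */
            // The NameID in <samlp:LogoutRequest> messages sent by this SP will be encrypted.
            'nameIdEncrypted' => true,
            // <samlp:AuthnRequest> messages sent by this SP will be signed (advertised in SP metadata).
            'authnRequestsSigned' => true,
            // <samlp:LogoutRequest> messages sent by this SP will be signed.
            'logoutRequestSigned' => true,
            // <samlp:LogoutResponse> messages sent by this SP will be signed.
            'logoutResponseSigned' => true,
            'signMetadata' => false,
            /** signatures and encryptions required **/
            // Whether <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse>
            // received by this SP must be signed. Left off; the assertion signature below is
            // what is relied on. Enabling it requires the IdP to sign the Response as well.
            'wantMessagesSigned' => false,
            // <saml:Assertion> elements received by this SP must be signed (advertised in SP
            // metadata). This is the check that binds the assertion to the IdP's certificate.
            'wantAssertionsSigned' => true,
            // The NameID received by this SP is not required to be encrypted.
            'wantNameIdEncrypted' => false,

            // Algorithm the toolkit uses when signing. Options:
            //  - 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
            //  - 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
            //  - 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
            //  - 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
            //  - 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
            // The SHA-1 variants are deprecated and should not be configured for new deployments.
            'signatureAlgorithm' => $signatureAlgorithm,

            // Authentication contexts requested in the AuthnRequest. Set to false to send no
            // RequestedAuthnContext; set to true (or omit) for the toolkit's default
            // ('exact' PasswordProtectedTransport); or list the acceptable context class URIs.
            'requestedAuthnContext' => [
                'urn:federation:authentication:windows',
                'urn:oasis:names:tc:SAML:2.0:ac:classes:Password',
                'urn:oasis:names:tc:SAML:2.0:ac:classes:X509',
            ],
            // Validate all received XML against the SAML schemas.
            // (Takes effect only when 'strict' is also true.)
            'wantXMLValidation' => true,
        ];

        return $conf;
    }

    /**
     * Read a PEM certificate or key file referenced from a config section.
     *
     * Relative paths are resolved against BASE_PATH; absolute paths are used as-is.
     *
     * @param array|null $section Config section (the SP or IdP array)
     * @param string $key Key within the section holding the file path
     * @param string $sectionName Section name, used only in error messages
     * @return string File contents (PEM)
     * @throws \RuntimeException If the path is not configured, or the file is missing, unreadable or empty
     */
    protected function readPemFile($section, $key, $sectionName)
    {
        $path = isset($section[$key]) ? $section[$key] : null;
        if (!is_string($path) || $path === '') {
            throw new \RuntimeException(sprintf(
                'SAML configuration %s.%s is not set',
                $sectionName,
                $key
            ));
        }

        $resolved = Director::is_absolute($path)
            ? $path
            : sprintf('%s/%s', BASE_PATH, $path);

        // file_get_contents() returns false (with a warning) on failure; never let that
        // propagate as the certificate/key value handed to the toolkit.
        $contents = is_readable($resolved) ? file_get_contents($resolved) : false;
        if ($contents === false || $contents === '') {
            throw new \RuntimeException(sprintf(
                'SAML configuration %s.%s: cannot read certificate/key file "%s"',
                $sectionName,
                $key,
                $resolved
            ));
        }

        return $contents;
    }
}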