SOAPClient::send() - Code Metrics - Inspection of "Replace static calls with non-static ones" - simplesamlphp/saml2 - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 74acb4...37848b )

by Tim

created 2023-05-05 09:21 UTC

SOAPClient::send() F

↳ Parent: Project

Complexity

Conditions	19
Paths	768

Size

Total Lines	132
Code Lines	77

Duplication

Lines	0
Ratio	0 %

Importance

Changes	1
Bugs	0	Features	0

Metric	Value
cc	19
eloc	77
nc	768
nop	3
dl	0
loc	132
rs	0.6722
c	1
b	0
f	0

How to fix Long Method Complexity

<?php

declare(strict_types=1);

namespace SimpleSAML\SAML2;

use DOMDocument;
use Exception;
use SimpleSAML\Configuration;
use SimpleSAML\SAML2\Compat\ContainerSingleton;
use SimpleSAML\SAML2\Exception\InvalidArgumentException;
use SimpleSAML\SAML2\Exception\RuntimeException;
use SimpleSAML\SAML2\Utils\XPath;
use SimpleSAML\SAML2\XML\samlp\AbstractMessage;
use SimpleSAML\SAML2\XML\samlp\MessageFactory;
use SimpleSAML\SOAP11\XML\env\Body;
use SimpleSAML\SOAP11\XML\env\Envelope;
use SimpleSAML\SOAP11\XML\env\Fault;
use SimpleSAML\Utils
use SimpleSAML\XML\Chunk;

use SimpleSAML\XML\DOMDocumentFactory;
use SimpleSAML\XML\Exception\UnparseableXMLException;
use SimpleSAML\XMLSecurity\XMLSecurityKey;
use SoapClient as BuiltinSoapClient;

use function chunk_split;
use function file_exists;
use function openssl_pkey_get_details;
use function openssl_pkey_get_public;
use function sha1;
use function stream_context_create;
use function stream_context_get_options;

/**
 * Implementation of the SAML 2.0 SOAP binding.
 *
 * @package simplesamlphp/saml2
 */
class SOAPClient
{
    /**
     * This function sends the SOAP message to the service location and returns SOAP response
     *
     * @param \SimpleSAML\SAML2\XML\samlp\AbstractMessage $msg The request that should be sent.
     * @param \SimpleSAML\Configuration $srcMetadata The metadata of the issuer of the message.
     * @param \SimpleSAML\Configuration $dstMetadata The metadata of the destination of the message.
     * @throws \Exception
     * @return \SimpleSAML\SAML2\XML\samlp\AbstractMessage The response we received.
     *
     * @psalm-suppress UndefinedClass
     */
    public function send(
        AbstractMessage $msg,
        Configuration $srcMetadata,
        Configuration $dstMetadata = null,
    ): AbstractMessage {
        $issuer = $msg->getIssuer();

        $ctxOpts = [
            'ssl' => [
                'capture_peer_cert' => true,
                'allow_self_signed' => true,
            ],
        ];

        $container = ContainerSingleton::getInstance();

        // Determine if we are going to do a MutualSSL connection between the IdP and SP  - Shoaib
        if ($srcMetadata->hasValue('saml.SOAPClient.certificate')) {
            $cert = $srcMetadata->getValue('saml.SOAPClient.certificate');
            if ($cert !== false) {
                $configUtils = new Utils\Config();
                $ctxOpts['ssl']['local_cert'] = $configUtils->getCertPath(
                    $srcMetadata->getString('saml.SOAPClient.certificate')
                );
                if ($srcMetadata->hasValue('saml.SOAPClient.privatekey_pass')) {
                    $ctxOpts['ssl']['passphrase'] = $srcMetadata->getString('saml.SOAPClient.privatekey_pass');
                }
            }
        } else {
            /* Use the SP certificate and privatekey if it is configured. */
            $cryptoUtils = new Utils\Crypto();
            $privateKey = $cryptoUtils->loadPrivateKey($srcMetadata);
            $publicKey = $cryptoUtils->loadPublicKey($srcMetadata);
            if ($privateKey !== null && $publicKey !== null && isset($publicKey['PEM'])) {
                $keyCertData = $privateKey['PEM'] . $publicKey['PEM'];
                $file = $container->getTempDir() . '/' . sha1($keyCertData) . '.pem';
                if (!file_exists($file)) {
                    $container->writeFile($file, $keyCertData);
                }
                $ctxOpts['ssl']['local_cert'] = $file;
                if (isset($privateKey['password'])) {
                    $ctxOpts['ssl']['passphrase'] = $privateKey['password'];
                }
            }
        }

        // do peer certificate verification
        if ($dstMetadata !== null) {
            $peerPublicKeys = $dstMetadata->getPublicKeys('signing', true);
            $certData = '';
            foreach ($peerPublicKeys as $key) {
                if ($key['type'] !== 'X509Certificate') {
                    continue;
                }
                $certData .= "-----BEGIN CERTIFICATE-----\n" .
                    chunk_split($key['X509Certificate'], 64) .
                    "-----END CERTIFICATE-----\n";
            }
            $peerCertFile = $container->getTempDir() . '/' . sha1($certData) . '.pem';
            if (!file_exists($peerCertFile)) {
                $container->writeFile($peerCertFile, $certData);
            }
            // create ssl context
            $ctxOpts['ssl']['verify_peer'] = true;
            $ctxOpts['ssl']['verify_depth'] = 1;
            $ctxOpts['ssl']['cafile'] = $peerCertFile;
        }

        if ($srcMetadata->hasValue('saml.SOAPClient.stream_context.ssl.peer_name')) {
            $ctxOpts['ssl']['peer_name'] = $srcMetadata->getString('saml.SOAPClient.stream_context.ssl.peer_name');
        }

        $context = stream_context_create($ctxOpts);

        $options = [
            'uri' => $issuer?->getContent(),
            'location' => $msg->getDestination(),
            'stream_context' => $context,
        ];

        if ($srcMetadata->hasValue('saml.SOAPClient.proxyhost')) {
            $options['proxy_host'] = $srcMetadata->getValue('saml.SOAPClient.proxyhost');
        }

        if ($srcMetadata->hasValue('saml.SOAPClient.proxyport')) {
            $options['proxy_port'] = $srcMetadata->getValue('saml.SOAPClient.proxyport');
        }

        $destination = $msg->getDestination();
        if ($destination === null) {
            throw new Exception('Cannot send SOAP message, no destination set.');
        }

        // Add soap-envelopes
        $env = (new Envelope(new Body([new Chunk($msg->toXML())])))->toXML();
        $request = $env->ownerDocument?->saveXML();

        $container->debugMessage($request, 'out');

        $action = 'http://www.oasis-open.org/committees/security';
        /* Perform SOAP Request over HTTP */
        $x = new BuiltinSoapClient(null, $options);
        $soapresponsexml = $x->__doRequest($request, $destination, $action, SOAP_1_1, false);
        if (empty($soapresponsexml)) {
            throw new Exception('Empty SOAP response, check peer certificate.');
        }

        Utils::getContainer()->debugMessage($soapresponsexml, 'in');

        $dom = DOMDocumentFactory::fromString($soapresponsexml);
        $env = Envelope::fromXML($dom->documentElement);
        $container->debugMessage($env->toXML()->ownerDocument?->saveXML(), 'in');

        $soapfault = $this->getSOAPFault($dom);
        if ($soapfault !== null) {
            throw new Exception(
                sprintf(
                    "Actor: '%s';  Message: '%s';  Code: '%s'",
                    $soapfault->getFaultActor()?->getContent(),
                    $soapfault->getFaultString()->getContent(),
                    $soapfault->getFaultCode()->getContent(),
                ),
            );
        }

        // Extract the message from the response
        $samlresponse = MessageFactory::fromXML($env->getBody()->getElements()[0]->toXML());

        /* Add validator to message which uses the SSL context. */
        self::addSSLValidator($samlresponse, $context);

        $container->getLogger()->debug("Valid ArtifactResponse received from IdP");

        return $samlresponse;
    }


    /**
     * Add a signature validator based on a SSL context.
     *
     * @param \SimpleSAML\SAML2\XML\samlp\AbstractMessage $msg The message we should add a validator to.
     * @param resource $context The stream context.
     */
    private static function addSSLValidator(AbstractMessage $msg, $context): void
    {
        $options = stream_context_get_options($context);
        if (!isset($options['ssl']['peer_certificate'])) {
            return;
        }

        $container = ContainerSingleton::getInstance();
        $key = openssl_pkey_get_public($options['ssl']['peer_certificate']);
        if ($key === false) {
            $container->getLogger()->warning('Unable to get public key from peer certificate.');
            return;
        }

        $keyInfo = openssl_pkey_get_details($key);
        if ($keyInfo === false) {
            $container->getLogger()->warning('Unable to get key details from public key.');
            return;
        }

        if (!isset($keyInfo['key'])) {
            $container->getLogger()->warning('Missing key in public key details.');
            return;
        }

        $msg->addValidator([SOAPClient::class, 'validateSSL'], $keyInfo['key']);
    }


    /**
     * Validate a SOAP message against the certificate on the SSL connection.
     *
     * @param string $data The public key that was used on the connection.
     * @param \SimpleSAML\XMLSecurity\XMLSecurityKey $key The key we should validate the certificate against.
     * @throws \Exception
     */
    public static function validateSSL(string $data, XMLSecurityKey $key): void
    {
        $container = ContainerSingleton::getInstance();

        /** @psalm-suppress PossiblyNullArgument */
        $keyInfo = openssl_pkey_get_details($key->key);
        if ($keyInfo === false) {
            throw new Exception('Unable to get key details from XMLSecurityKey.');
        }

        if (!isset($keyInfo['key'])) {
            throw new Exception('Missing key in public key details.');
        }

        if ($keyInfo['key'] !== $data) {
            $container->getLogger()->debug('Key on SSL connection did not match key we validated against.');
            return;
        }

        $container->getLogger()->debug('Message validated based on SSL certificate.');
    }


    /**
     * Extracts the SOAP Fault from SOAP message
     *
     * @param \DOMDocument $soapMessage Soap response needs to be type DOMDocument
     * @return \SimpleSAML\SOAP11\XML\env\Fault|null
     */
    private function getSOAPFault(DOMDocument $soapMessage): ?Fault
    {
        /** @psalm-suppress PossiblyNullArgument */
        $soapFault = XPath::xpQuery(
            $soapMessage->firstChild,
            '/soap-env:Envelope/soap-env:Body/soap-env:Fault',
            XPath::getXPath($soapMessage->firstChild),
        );

        if (empty($soapFault)) {
            /* No fault. */
            return null;
        }

        return Fault::fromXML($soapFault[0]);
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			namespace SimpleSAML\SAML2;
6
7			use DOMDocument;
8			use Exception;
9			use SimpleSAML\Configuration;
10			use SimpleSAML\SAML2\Compat\ContainerSingleton;
11			use SimpleSAML\SAML2\Exception\InvalidArgumentException;
12			use SimpleSAML\SAML2\Exception\RuntimeException;
13			use SimpleSAML\SAML2\Utils\XPath;
14			use SimpleSAML\SAML2\XML\samlp\AbstractMessage;
15			use SimpleSAML\SAML2\XML\samlp\MessageFactory;
16			use SimpleSAML\SOAP11\XML\env\Body;
17			use SimpleSAML\SOAP11\XML\env\Envelope;
18			use SimpleSAML\SOAP11\XML\env\Fault;
19			use SimpleSAML\Utils
20			use SimpleSAML\XML\Chunk;
			0 ignored issues – show Bug introduced 2023-05-05 09:35 UTC by Report Bug Copy Issue Report A parse error occurred: Syntax error, unexpected T_USE, expecting ',' or ';' on line 20 at column 0 Loading history...
21			use SimpleSAML\XML\DOMDocumentFactory;
22			use SimpleSAML\XML\Exception\UnparseableXMLException;
23			use SimpleSAML\XMLSecurity\XMLSecurityKey;
24			use SoapClient as BuiltinSoapClient;
25
26			use function chunk_split;
27			use function file_exists;
28			use function openssl_pkey_get_details;
29			use function openssl_pkey_get_public;
30			use function sha1;
31			use function stream_context_create;
32			use function stream_context_get_options;
33
34			/**
35			* Implementation of the SAML 2.0 SOAP binding.
36			*
37			* @package simplesamlphp/saml2
38			*/
39			class SOAPClient
40			{
41			/**
42			* This function sends the SOAP message to the service location and returns SOAP response
43			*
44			* @param \SimpleSAML\SAML2\XML\samlp\AbstractMessage $msg The request that should be sent.
45			* @param \SimpleSAML\Configuration $srcMetadata The metadata of the issuer of the message.
46			* @param \SimpleSAML\Configuration $dstMetadata The metadata of the destination of the message.
47			* @throws \Exception
48			* @return \SimpleSAML\SAML2\XML\samlp\AbstractMessage The response we received.
49			*
50			* @psalm-suppress UndefinedClass
51			*/
52			public function send(
53			AbstractMessage $msg,
54			Configuration $srcMetadata,
55			Configuration $dstMetadata = null,
56			): AbstractMessage {
57			$issuer = $msg->getIssuer();
58
59			$ctxOpts = [
60			'ssl' => [
61			'capture_peer_cert' => true,
62			'allow_self_signed' => true,
63			],
64			];
65
66			$container = ContainerSingleton::getInstance();
67
68			// Determine if we are going to do a MutualSSL connection between the IdP and SP - Shoaib
69			if ($srcMetadata->hasValue('saml.SOAPClient.certificate')) {
70			$cert = $srcMetadata->getValue('saml.SOAPClient.certificate');
71			if ($cert !== false) {
72			$configUtils = new Utils\Config();
73			$ctxOpts['ssl']['local_cert'] = $configUtils->getCertPath(
74			$srcMetadata->getString('saml.SOAPClient.certificate')
75			);
76			if ($srcMetadata->hasValue('saml.SOAPClient.privatekey_pass')) {
77			$ctxOpts['ssl']['passphrase'] = $srcMetadata->getString('saml.SOAPClient.privatekey_pass');
78			}
79			}
80			} else {
81			/* Use the SP certificate and privatekey if it is configured. */
82			$cryptoUtils = new Utils\Crypto();
83			$privateKey = $cryptoUtils->loadPrivateKey($srcMetadata);
84			$publicKey = $cryptoUtils->loadPublicKey($srcMetadata);
85			if ($privateKey !== null && $publicKey !== null && isset($publicKey['PEM'])) {
86			$keyCertData = $privateKey['PEM'] . $publicKey['PEM'];
87			$file = $container->getTempDir() . '/' . sha1($keyCertData) . '.pem';
88			if (!file_exists($file)) {
89			$container->writeFile($file, $keyCertData);
90			}
91			$ctxOpts['ssl']['local_cert'] = $file;
92			if (isset($privateKey['password'])) {
93			$ctxOpts['ssl']['passphrase'] = $privateKey['password'];
94			}
95			}
96			}
97
98			// do peer certificate verification
99			if ($dstMetadata !== null) {
100			$peerPublicKeys = $dstMetadata->getPublicKeys('signing', true);
101			$certData = '';
102			foreach ($peerPublicKeys as $key) {
103			if ($key['type'] !== 'X509Certificate') {
104			continue;
105			}
106			$certData .= "-----BEGIN CERTIFICATE-----\n" .
107			chunk_split($key['X509Certificate'], 64) .
108			"-----END CERTIFICATE-----\n";
109			}
110			$peerCertFile = $container->getTempDir() . '/' . sha1($certData) . '.pem';
111			if (!file_exists($peerCertFile)) {
112			$container->writeFile($peerCertFile, $certData);
113			}
114			// create ssl context
115			$ctxOpts['ssl']['verify_peer'] = true;
116			$ctxOpts['ssl']['verify_depth'] = 1;
117			$ctxOpts['ssl']['cafile'] = $peerCertFile;
118			}
119
120			if ($srcMetadata->hasValue('saml.SOAPClient.stream_context.ssl.peer_name')) {
121			$ctxOpts['ssl']['peer_name'] = $srcMetadata->getString('saml.SOAPClient.stream_context.ssl.peer_name');
122			}
123
124			$context = stream_context_create($ctxOpts);
125
126			$options = [
127			'uri' => $issuer?->getContent(),
128			'location' => $msg->getDestination(),
129			'stream_context' => $context,
130			];
131
132			if ($srcMetadata->hasValue('saml.SOAPClient.proxyhost')) {
133			$options['proxy_host'] = $srcMetadata->getValue('saml.SOAPClient.proxyhost');
134			}
135
136			if ($srcMetadata->hasValue('saml.SOAPClient.proxyport')) {
137			$options['proxy_port'] = $srcMetadata->getValue('saml.SOAPClient.proxyport');
138			}
139
140			$destination = $msg->getDestination();
141			if ($destination === null) {
142			throw new Exception('Cannot send SOAP message, no destination set.');
143			}
144
145			// Add soap-envelopes
146			$env = (new Envelope(new Body([new Chunk($msg->toXML())])))->toXML();
147			$request = $env->ownerDocument?->saveXML();
148
149			$container->debugMessage($request, 'out');
150
151			$action = 'http://www.oasis-open.org/committees/security';
152			/* Perform SOAP Request over HTTP */
153			$x = new BuiltinSoapClient(null, $options);
154			$soapresponsexml = $x->__doRequest($request, $destination, $action, SOAP_1_1, false);
155			if (empty($soapresponsexml)) {
156			throw new Exception('Empty SOAP response, check peer certificate.');
157			}
158
159			Utils::getContainer()->debugMessage($soapresponsexml, 'in');
160
161			$dom = DOMDocumentFactory::fromString($soapresponsexml);
162			$env = Envelope::fromXML($dom->documentElement);
163			$container->debugMessage($env->toXML()->ownerDocument?->saveXML(), 'in');
164
165			$soapfault = $this->getSOAPFault($dom);
166			if ($soapfault !== null) {
167			throw new Exception(
168			sprintf(
169			"Actor: '%s'; Message: '%s'; Code: '%s'",
170			$soapfault->getFaultActor()?->getContent(),
171			$soapfault->getFaultString()->getContent(),
172			$soapfault->getFaultCode()->getContent(),
173			),
174			);
175			}
176
177			// Extract the message from the response
178			$samlresponse = MessageFactory::fromXML($env->getBody()->getElements()[0]->toXML());
179
180			/* Add validator to message which uses the SSL context. */
181			self::addSSLValidator($samlresponse, $context);
182
183			$container->getLogger()->debug("Valid ArtifactResponse received from IdP");
184
185			return $samlresponse;
186			}
187
188
189			/**
190			* Add a signature validator based on a SSL context.
191			*
192			* @param \SimpleSAML\SAML2\XML\samlp\AbstractMessage $msg The message we should add a validator to.
193			* @param resource $context The stream context.
194			*/
195			private static function addSSLValidator(AbstractMessage $msg, $context): void
196			{
197			$options = stream_context_get_options($context);
198			if (!isset($options['ssl']['peer_certificate'])) {
199			return;
200			}
201
202			$container = ContainerSingleton::getInstance();
203			$key = openssl_pkey_get_public($options['ssl']['peer_certificate']);
204			if ($key === false) {
205			$container->getLogger()->warning('Unable to get public key from peer certificate.');
206			return;
207			}
208
209			$keyInfo = openssl_pkey_get_details($key);
210			if ($keyInfo === false) {
211			$container->getLogger()->warning('Unable to get key details from public key.');
212			return;
213			}
214
215			if (!isset($keyInfo['key'])) {
216			$container->getLogger()->warning('Missing key in public key details.');
217			return;
218			}
219
220			$msg->addValidator([SOAPClient::class, 'validateSSL'], $keyInfo['key']);
221			}
222
223
224			/**
225			* Validate a SOAP message against the certificate on the SSL connection.
226			*
227			* @param string $data The public key that was used on the connection.
228			* @param \SimpleSAML\XMLSecurity\XMLSecurityKey $key The key we should validate the certificate against.
229			* @throws \Exception
230			*/
231			public static function validateSSL(string $data, XMLSecurityKey $key): void
232			{
233			$container = ContainerSingleton::getInstance();
234
235			/** @psalm-suppress PossiblyNullArgument */
236			$keyInfo = openssl_pkey_get_details($key->key);
237			if ($keyInfo === false) {
238			throw new Exception('Unable to get key details from XMLSecurityKey.');
239			}
240
241			if (!isset($keyInfo['key'])) {
242			throw new Exception('Missing key in public key details.');
243			}
244
245			if ($keyInfo['key'] !== $data) {
246			$container->getLogger()->debug('Key on SSL connection did not match key we validated against.');
247			return;
248			}
249
250			$container->getLogger()->debug('Message validated based on SSL certificate.');
251			}
252
253
254			/**
255			* Extracts the SOAP Fault from SOAP message
256			*
257			* @param \DOMDocument $soapMessage Soap response needs to be type DOMDocument
258			* @return \SimpleSAML\SOAP11\XML\env\Fault\|null
259			*/
260			private function getSOAPFault(DOMDocument $soapMessage): ?Fault
261			{
262			/** @psalm-suppress PossiblyNullArgument */
263			$soapFault = XPath::xpQuery(
264			$soapMessage->firstChild,
265			'/soap-env:Envelope/soap-env:Body/soap-env:Fault',
266			XPath::getXPath($soapMessage->firstChild),
267			);
268
269			if (empty($soapFault)) {
270			/* No fault. */
271			return null;
272			}
273
274			return Fault::fromXML($soapFault[0]);
275			}
276			}
277

simplesamlphp / saml2

Push — master ( 74acb4...37848b )

SOAPClient::send() F

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like