Complex classes like AuthnResponse often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use AuthnResponse, and based on these observations, apply Extract Interface, too.
1 | <?php |
||
25 | class AuthnResponse |
||
26 | { |
||
27 | /** |
||
28 | * @var \SimpleSAML\XML\Validator|null This variable contains an XML validator for this message. |
||
29 | */ |
||
30 | private $validator = null; |
||
31 | |||
32 | /** |
||
33 | * @var bool Whether this response was validated by some external means (e.g. SSL). |
||
34 | */ |
||
35 | private $messageValidated = false; |
||
36 | |||
37 | /** @var string */ |
||
38 | public const SHIB_PROTOCOL_NS = 'urn:oasis:names:tc:SAML:1.0:protocol'; |
||
39 | |||
40 | /** @var string */ |
||
41 | public const SHIB_ASSERT_NS = 'urn:oasis:names:tc:SAML:1.0:assertion'; |
||
42 | |||
43 | /** |
||
44 | * @var \DOMDocument|null The DOMDocument which represents this message. |
||
45 | */ |
||
46 | private $dom = null; |
||
47 | |||
48 | /** |
||
49 | * @var string|null The relaystate which is associated with this response. |
||
50 | */ |
||
51 | private $relayState = null; |
||
52 | |||
53 | |||
/**
 * Record whether this message was already validated by external means
 * (e.g. transport-level protection such as SSL).
 *
 * When set to TRUE, isNodeValidated() reports every node as validated without
 * consulting the signature validator, so only set it when integrity of the
 * whole message has genuinely been established elsewhere.
 *
 * @param bool $messageValidated TRUE if the message is already validated, FALSE if not.
 * @return void
 */
public function setMessageValidated(bool $messageValidated): void
{
    $this->messageValidated = $messageValidated;
}
||
64 | |||
65 | |||
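/**
 * Parse the raw XML of this response and keep it as the DOM of this message.
 *
 * Carriage returns are stripped before the document is handed to
 * DOMDocumentFactory. The XML originates from the remote party and is
 * untrusted; this method relies on DOMDocumentFactory for safe parsing
 * (e.g. rejecting DOCTYPE / external entities) — confirm that guarantee
 * holds for the factory in use. Parse failures are reported as a generic
 * exception, with the parser's exception chained as the previous one so the
 * diagnostic is not lost.
 *
 * @param string $xml The response XML as received.
 * @throws \Exception If the XML cannot be parsed.
 * @return void
 */
public function setXML(string $xml): void
{
    try {
        $this->dom = DOMDocumentFactory::fromString(str_replace("\r", "", $xml));
    } catch (\Exception $e) {
        // Keep the generic message but preserve the parser's exception for diagnostics.
        throw new \Exception('Unable to parse AuthnResponse XML.', 0, $e);
    }
}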
||
79 | |||
80 | |||
/**
 * Associate a relay state with this response.
 *
 * @param string|null $relayState The relay state, or NULL to clear it.
 * @return void
 */
public function setRelayState(?string $relayState): void
{
    $this->relayState = $relayState;
}
||
89 | |||
90 | |||
/**
 * Retrieve the relay state associated with this response.
 *
 * @return string|null The relay state, or NULL if none was set.
 */
public function getRelayState(): ?string
{
    return $this->relayState;
}
||
98 | |||
99 | |||
100 | /** |
||
101 | * @throws \SimpleSAML\Error\Exception |
||
102 | * @return bool |
||
103 | */ |
||
104 | public function validate(): bool |
||
148 | } |
||
149 | |||
150 | |||
/**
 * Checks if the given node is validated by the signature on this response.
 *
 * Two shortcuts precede the signature check: when the message was flagged as
 * validated externally (see setMessageValidated()) every node is reported as
 * validated without consulting the validator, and when no validator has been
 * set no node can be validated. The external-validation flag must therefore
 * only be set when integrity of the whole message was established by other means.
 *
 * @param \DOMElement|\SimpleXMLElement $node Node to be validated.
 * @return bool TRUE if the node is validated or FALSE if not.
 */
private function isNodeValidated($node): bool
{
    // Externally validated message: nothing more to check
    if ($this->messageValidated) {
        return true;
    }

    // Without a validator there is no signature to check against
    if ($this->validator === null) {
        return false;
    }

    // SimpleXML elements are mapped onto their DOM counterpart first
    $domNode = $node instanceof \SimpleXMLElement ? dom_import_simplexml($node) : $node;
    assert($domNode instanceof DOMNode);

    return $this->validator->isNodeValidated($domNode);
}
||
177 | |||
178 | |||
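/**
 * Run an XPath query against this authentication response.
 *
 * The prefixes 'shibp' (SAML 1.0 protocol namespace) and 'shib' (SAML 1.0
 * assertion namespace) are registered for the query. The visible callers in
 * this class pass fixed query strings; query text must never be derived from
 * the response itself or from user input.
 *
 * @param string $query The query which should be run.
 * @param \DOMNode|null $node The node which this query is relative to. If NULL (the default)
 *                            the query is relative to the root element of the response.
 * @return \DOMNodeList The matching nodes.
 */
private function doXPathQuery(string $query, ?DOMNode $node = null): DOMNodeList
{
    assert($this->dom instanceof DOMDocument);

    // Default to the document element so relative queries start at the response root
    $context = $node ?? $this->dom->documentElement;

    assert($context instanceof DOMNode);

    $xPath = new DOMXPath($this->dom);
    $xPath->registerNamespace('shibp', self::SHIB_PROTOCOL_NS);
    $xPath->registerNamespace('shib', self::SHIB_ASSERT_NS);

    return $xPath->query($query, $context);
}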
||
203 | |||
204 | |||
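/**
 * Retrieve the session index of this response.
 *
 * Reads the SessionIndex attribute of the first
 * /shibp:Response/shib:Assertion/shib:AuthnStatement element. Note that the
 * rest of this class (getNameID(), generate()) uses the SAML 1.x element name
 * AuthenticationStatement; whether an AuthnStatement element ever occurs in the
 * responses handled here is not established by this file — confirm before
 * relying on this accessor. The value is returned as found in the response.
 *
 * @return string|null The session index, or NULL if no such statement exists.
 *                     An empty string is returned when the statement exists but
 *                     carries no SessionIndex attribute.
 */
public function getSessionIndex(): ?string
{
    assert($this->dom instanceof DOMDocument);

    $query = '/shibp:Response/shib:Assertion/shib:AuthnStatement';
    $node = $this->doXPathQuery($query)->item(0);

    // item() is typed DOMNode; only elements carry attributes
    if ($node instanceof \DOMElement) {
        return $node->getAttribute('SessionIndex');
    }

    return null;
}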
||
222 | |||
223 | |||
224 | /** |
||
225 | * @throws \Exception |
||
226 | * @return array |
||
227 | */ |
||
228 | public function getAttributes(): array |
||
301 | } |
||
302 | |||
303 | |||
304 | /** |
||
305 | * @throws \Exception |
||
306 | * @return string |
||
307 | */ |
||
308 | public function getIssuer(): string |
||
317 | } |
||
318 | } |
||
319 | |||
320 | |||
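/**
 * Retrieve the NameIdentifier of the subject of this response.
 *
 * Reads the first NameIdentifier under
 * /shibp:Response/shib:Assertion/shib:AuthenticationStatement/shib:Subject.
 * This accessor does not itself call isNodeValidated(); it relies on
 * validate() having been run on this response beforehand — confirm at call sites.
 *
 * @return array Empty if no NameIdentifier is present, otherwise
 *               ['Value' => text content, 'Format' => Format attribute ('' if absent)].
 */
public function getNameID(): array
{
    $query = '/shibp:Response/shib:Assertion/shib:AuthenticationStatement/shib:Subject/shib:NameIdentifier';
    $node = $this->doXPathQuery($query)->item(0);

    // item() is typed DOMNode; getAttribute() only exists on elements
    if (!$node instanceof \DOMElement) {
        return [];
    }

    return [
        "Value" => $node->nodeValue,
        "Format" => $node->getAttribute('Format'),
    ];
}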
||
338 | |||
339 | |||
/**
 * Build an authentication response (SAML 1.1 / Shibboleth 1.3 style).
 *
 * The response carries one Assertion with an AuthenticationStatement and,
 * when $attributes is an array, an AttributeStatement. Fresh random IDs are
 * generated for the response, the assertion and the transient NameIdentifier,
 * and a validity window of 30 seconds before to 5 minutes after the issue
 * instant is written into the Conditions. Configuration-derived and caller
 * supplied strings are escaped with htmlspecialchars() before being placed in
 * XML text or attribute positions. No signature is added here; signing, if
 * any, happens outside this method — confirm where before relying on the output.
 *
 * @param \SimpleSAML\Configuration $idp Metadata for the IdP the response is sent from.
 * @param \SimpleSAML\Configuration $sp Metadata for the SP the response is sent to.
 * @param string $shire The endpoint on the SP the response is sent to (written as Recipient).
 * @param array|null $attributes The attributes which should be included in the response,
 *                               keyed by attribute name with an array of string values each
 *                               (see encAttribute()). NULL omits the AttributeStatement.
 * @return string The response.
 */
public function generate(Configuration $idp, Configuration $sp, string $shire, ?array $attributes): string
{
    // SP metadata takes precedence over IdP metadata for the list of scoped attributes
    if ($sp->hasValue('scopedattributes')) {
        $scopedAttributes = $sp->getArray('scopedattributes');
    } elseif ($idp->hasValue('scopedattributes')) {
        $scopedAttributes = $idp->getArray('scopedattributes');
    } else {
        $scopedAttributes = [];
    }

    $id = Utils\Random::generateID();

    $issueInstant = Utils\Time::generateTimestamp();

    // 30 seconds timeskew back in time to allow differing clocks
    $notBefore = Utils\Time::generateTimestamp(time() - 30);

    $assertionExpire = Utils\Time::generateTimestamp(time() + 300); // 5 minutes
    $assertionid = Utils\Random::generateID();

    $spEntityId = $sp->getString('entityid');

    // Audience and NameQualifier default to the SP's entity ID when not configured
    $audience = $sp->getString('audience', $spEntityId);
    $base64 = $sp->getBoolean('base64attributes', false);

    $namequalifier = $sp->getString('NameQualifier', $spEntityId);
    // A fresh random identifier per response; the subject is bearer-confirmed
    $nameid = Utils\Random::generateID();
    $subjectNode =
        '<Subject>' .
        '<NameIdentifier' .
        ' Format="urn:mace:shibboleth:1.0:nameIdentifier"' .
        ' NameQualifier="' . htmlspecialchars($namequalifier) . '"' .
        '>' .
        htmlspecialchars($nameid) .
        '</NameIdentifier>' .
        '<SubjectConfirmation>' .
        '<ConfirmationMethod>' .
        'urn:oasis:names:tc:SAML:1.0:cm:bearer' .
        '</ConfirmationMethod>' .
        '</SubjectConfirmation>' .
        '</Subject>';

    $encodedattributes = '';

    // The AttributeStatement repeats the Subject and lists each attribute via encAttribute()
    if (is_array($attributes)) {
        $encodedattributes .= '<AttributeStatement>';
        $encodedattributes .= $subjectNode;

        foreach ($attributes as $name => $value) {
            $encodedattributes .= $this->encAttribute($name, $value, $base64, $scopedAttributes);
        }

        $encodedattributes .= '</AttributeStatement>';
    }

    /*
     * The SAML 1.1 response message. Generated IDs and timestamps are inserted
     * verbatim; every other dynamic value is passed through htmlspecialchars().
     */
    $response = '<Response xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" IssueInstant="' . $issueInstant . '"
MajorVersion="1" MinorVersion="1"
Recipient="' . htmlspecialchars($shire) . '" ResponseID="' . $id . '">
<Status>
<StatusCode Value="samlp:Success" />
</Status>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="' . $assertionid . '" IssueInstant="' . $issueInstant . '"
Issuer="' . htmlspecialchars($idp->getString('entityid')) . '" MajorVersion="1" MinorVersion="1">
<Conditions NotBefore="' . $notBefore . '" NotOnOrAfter="' . $assertionExpire . '">
<AudienceRestrictionCondition>
<Audience>' . htmlspecialchars($audience) . '</Audience>
</AudienceRestrictionCondition>
</Conditions>
<AuthenticationStatement AuthenticationInstant="' . $issueInstant . '"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">' .
$subjectNode . '
</AuthenticationStatement>
' . $encodedattributes . '
</Assertion>
</Response>';

    return $response;
}
||
434 | |||
435 | |||
/**
 * Format a shib13 attribute.
 *
 * Each value becomes one <AttributeValue>. For attributes listed in
 * $scopedAttributes the value is split at its first '@': the part before it
 * is the value and the part after it is emitted as the Scope attribute; values
 * without an '@' are emitted unscoped. Base64 encoding (when requested) is
 * applied after the scope split, and all emitted text is escaped with
 * htmlspecialchars(). The scope is taken verbatim from the value; no policy
 * check against an allowed scope list happens here.
 *
 * @param string $name Name of the attribute.
 * @param array $values Values of the attribute (as an array of strings).
 * @param bool $base64 Whether the attribute values should be base64-encoded.
 * @param array $scopedAttributes Array of attribute names which are scoped.
 * @return string The attribute encoded as an XML-string.
 */
private function encAttribute(string $name, array $values, bool $base64, array $scopedAttributes): string
{
    $isScoped = in_array($name, $scopedAttributes, true);

    $xml = '<Attribute AttributeName="' . htmlspecialchars($name)
        . '" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">';

    foreach ($values as $value) {
        $scopeAttr = '';
        if ($isScoped) {
            // Split at the first '@' only; a missing '@' leaves the value unscoped
            [$localPart, $scope] = explode('@', $value, 2) + [1 => null];
            if ($scope !== null) {
                $value = $localPart;
                $scopeAttr = ' Scope="' . htmlspecialchars($scope) . '"';
            }
        }

        $encoded = $base64 ? base64_encode($value) : $value;
        $xml .= '<AttributeValue' . $scopeAttr . '>' . htmlspecialchars($encoded) . '</AttributeValue>';
    }

    return $xml . '</Attribute>';
}
||
475 | |||
476 | /** |
||
477 | * Check if we are currently between the given date & time conditions. |
||
478 | * |
||
479 | * Note that this function allows a 10-minute leap from the initial time as marked by $start. |
||
480 | * |
||
481 | * @param string|null $start A SAML2 timestamp marking the start of the period to check. Defaults to null, in which |
||
482 | * case there's no limitations in the past. |
||
483 | * @param string|null $end A SAML2 timestamp marking the end of the period to check. Defaults to null, in which |
||
484 | * case there's no limitations in the future. |
||
485 | * |
||
486 | * @return bool True if the current time belongs to the period specified by $start and $end. False otherwise. |
||
487 | * |
||
488 | * @see \SAML2\Utils::xsDateTimeToTimestamp. |
||
489 | * |
||
490 | * @author Andreas Solberg, UNINETT AS <[email protected]> |
||
491 | * @author Olav Morken, UNINETT AS <[email protected]> |
||
492 | */ |
||
493 | protected static function checkDateConditions(string $start = null, string $end = null): bool |
||
511 | } |
||
512 | } |
||
513 |
This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces.
This is most likely a typographical error or the method has been renamed.