AttributeAddUsersGroups::getGroups() - Code Metrics - Inspection of "WIP: Migrate to symfony/ldap" - simplesamlphp/simplesamlphp-module-ldap - Measure and Improve Code Quality continuously with Scrutinizer

Passed
Pull Request — master (#28)

by Tim
created 2022-01-24 17:33 UTC
AttributeAddUsersGroups::getGroups() C

↳ Parent: AttributeAddUsersGroups
Complexity

Conditions	10
Paths	17
Size

Total Lines	170
Code Lines	104
Duplication

Lines	0
Ratio	0 %
Importance

Changes	6
Bugs	0	Features	0
Metric	Value
cc	10
eloc	104
c	6
b	0
f	0
nc	17
nop	1
dl	0
loc	170
rs	6.1333
How to fix Long Method Complexity

<?php

/**
 * Does a reverse membership lookup on the logged in user,
 * looking for groups it is a member of and adds them to
 * a defined attribute, in DN format.
 *
 * @package simplesamlphp/simplesamlphp-module-ldap
 */

declare(strict_types=1);

namespace SimpleSAML\Module\ldap\Auth\Process;

use SimpleSAML\Assert\Assert;
use SimpleSAML\Error;
use SimpleSAML\Logger;
use SimpleSAML\Module\ldap\Utils\Ldap as LdapUtils;
use SimpleSAML\Utils;
use Symfony\Component\Ldap\Adapter\ExtLdap\Query;

class AttributeAddUsersGroups extends BaseFilter
{
    /** @var string */
    protected string $searchUsername;

    /** @var string */
    protected string $searchPassword;

    /** @var string */
    protected string $product;


    /**
     * Initialize this filter.
     *
     * @param array $config Configuration information about this filter.
     * @param mixed $reserved For future use.
     */
    public function __construct(array $config, $reserved)
    {
        parent::__construct($config, $reserved);

        // Get filter specific config options
        $this->searchUsername = $this->config->getString('search.username');
        $this->searchPassword = $this->config->getString('search.password', null);
        $this->product = $this->config->getString('product', 'ActiveDirectory');
    }


    /**
     * LDAP search filters to be added to the base filters for this authproc-filter.
     * It's an array of key => value pairs that will be translated to (key=value) in the ldap query.
     *
     * @var array
     */
    protected array $additional_filters;


    /**
     * This is run when the filter is processed by SimpleSAML.
     * It will attempt to find the current users groups using
     * the best method possible for the LDAP product. The groups
     * are then added to the request attributes.
     *
     * @throws \SimpleSAML\Error\Exception
     * @param array &$state
     */
    public function process(array &$state): void
    {
        Assert::keyExists($state, 'Attributes');

        // Log the process
        Logger::debug(sprintf(
            '%s : Attempting to get the users groups...',
            $this->title
        ));

        $this->additional_filters = $this->config->getArray('additional_filters', []);

        // Reference the attributes, just to make the names shorter
        $attributes = &$state['Attributes'];
        $map = &$this->attribute_map;

        // Get the users groups from LDAP
        $groups = $this->getGroups($attributes);

        // If there are none, do not proceed
        if (empty($groups)) {
            return;
        }

        // Make the array if it is not set already
        if (!isset($attributes[$map['groups']])) {
            $attributes[$map['groups']] = [];
        }

        // Must be an array, else cannot merge groups
        if (!is_array($attributes[$map['groups']])) {
            throw new Error\Exception(sprintf(
                '%s : The group attribute [%s] is not an array of group DNs. %s',
                $this->title,
                $map['groups'],
                $this->varExport($attributes[$map['groups']])
            ));
        }

        // Add the users group(s)
        $group_attribute = &$attributes[$map['groups']];
        $group_attribute = array_merge($group_attribute, $groups);
        $group_attribute = array_unique($group_attribute);

        // All done
        Logger::debug(sprintf(
            '%s : Added users groups to the group attribute[%s]: %s',
            $this->title,
            $map['groups'],
            implode('; ', $groups)
        ));
    }


    /**
     * Will perform a search using the required attribute values from the user to
     * get their group membership, recursively.
     *
     * @throws \SimpleSAML\Error\Exception
     * @param array $attributes
     * @return array
     */
    protected function getGroups(array $attributes): array
    {
        // Log the request
        Logger::debug(sprintf(
            '%s : Checking for groups based on the best method for the LDAP product.',
            $this->title
        ));

        $ldapUtils = new LdapUtils();
        $ldap = $ldapUtils->bind($this->ldapServers, $this->searchUsername, $this->searchPassword);

        $options = [
            'scope' => $this->config->getString('search.scope', Query::SCOPE_SUB),
            'timeout' => $this->config->getInteger('timeout', 3),
        ];

        // Reference the map, just to make the name shorter
        $map = &$this->attribute_map;


        // All map-properties are guaranteed to exist and have a default value
        $dn_attribute = $map['dn'];
        $return_attribute = $map['return'];

        // Based on the directory service, search LDAP for groups
        // If any attributes are needed, prepare them before calling search method
        switch ($this->product) {
            case 'ActiveDirectory':
                $arrayUtils = new Utils\Arrays();

                // Log the AD specific search
                Logger::debug(sprintf(
                    '%s : Searching LDAP using ActiveDirectory specific method.',
                    $this->title
                ));

                // Make sure the defined DN attribute exists
                if (!isset($attributes[$dn_attribute])) {
                    Logger::warning(sprintf(
                        "%s : The DN attribute [%s] is not defined in the user's Attributes: %s",
                        $this->title,
                        $dn_attribute,
                        implode(', ', array_keys($attributes)),
                    ));

                    return [];
                }

                // Make sure the defined DN attribute has a value
                if (!isset($attributes[$dn_attribute][0]) || !$attributes[$dn_attribute][0]) {
                    Logger::warning(sprintf(
                        '%s : The DN attribute [%s] does not have a [0] value defined. %s',
                        $this->title,
                        $dn_attribute,
                        $this->varExport($attributes[$dn_attribute])
                    ));

                    return [];
                }

                // Log the search
                Logger::debug(sprintf(
                    '%s : Searching ActiveDirectory group membership.'
                        . ' DN: %s DN Attribute: %s Member Attribute: %s Type Attribute: %s Type Value: %s Base: %s',
                    $this->title,
                    $attributes[$dn_attribute][0],
                    $dn_attribute,
                    $map['member'],
                    $map['type'],
                    $this->type_map['group'],
                    implode('; ', $arrayUtils->arrayize($this->searchBase))
                ));

                $filter = sprintf(
                    "(&(%s=%s)(%s=%s))",
                    $map['type'],
                    $this->type_map['group'],
                    $map['member'] . ':1.2.840.113556.1.4.1941:',
                    $attributes[$dn_attribute][0],
                );

                break;
            case 'OpenLDAP':
                // Log the OpenLDAP specific search
                Logger::debug(sprintf(
                    '%s : Searching LDAP using OpenLDAP specific method.',
                    $this->title
                ));

                Logger::debug(sprintf(
                    '%s : Searching for groups in base [%s] with filter (%s=%s) and attributes %s',
                    $this->title,
                    implode(', ', $this->searchBase),
                    $map['memberof'],
                    $attributes[$map['username']][0],
                    $map['member']
                ));

                $filter = sprintf(
                    '(&(%s=%s))',
                    $map['memberof'],
                    $attributes[$map['username']][0]
                );
                break;
            default:
                // Log the generic search
                Logger::debug(
                    $this->title . 'Searching LDAP using the generic search method.'
                );

                Logger::debug(sprintf(
                    '%s : Checking DNs for groups. DNs: %s Attributes: %s, %s Group Type: %s',
                    $this->title,
                    implode('; ', $attributes[$map['memberof']]),
                    $map['memberof'],
                    $map['type'],
                    $this->type_map['group']
                ));

/**
 * @ TODO: finish generic search  method
 *
 *               // Search for the users group membership, recursively
 *               $groups = $this->search($attributes[$map['memberof']]);
 */
        }

        $entries = $ldapUtils->searchForMultiple(
            $ldap,
            $this->searchBase,
            $filter,

            $options,
            true
        );

        $groups = [];
        foreach ($entries as $entry) {
            if ($entry->hasAttribute($return_attribute)) {
                $values = $entry->getAttribute($return_attribute);
                $groups[] = array_pop($values);
                continue;
            } elseif ($entry->hasAttribute(strtolower($return_attribute))) {
                // Some backends return lowercase attributes
                $values = $entry->getAttribute(strtolower($return_attribute));
                $groups[] = array_pop($values);
                continue;
            } elseif ($entry->hasAttribute('dn')) {
                // AD queries also seem to return the objects dn by default
                $values = $entry->getAttribute('dn');
                $groups[] = array_pop($values);
                continue;
            }

            // Could not find DN, log and continue
            Logger::notice(sprintf(
                '%s : The return attribute [%s] could not be found in the entry. %s',
                $this->title,
                implode(', ', [$map['return'], strtolower($map['return']), 'dn']),
                $this->varExport($entry),
            ));
        }

        // All done
        Logger::debug(sprintf(
            '%s : User found to be a member of the groups: %s',
            $this->title,
            implode('; ', $groups),
        ));

        return $groups;
    }


    /**
     * Looks for groups from the list of DN's passed. Also
     * recursively searches groups for further membership.
     * Avoids loops by only searching a DN once. Returns
     * the list of groups found.
     *
     * @param array $memberof
     * @return array
     */
    protected function search(array $memberof): array
    {
        // Used to determine what DN's have already been searched
        static $searched = [];

        // Init the groups variable
        $groups = [];

        // Shorten the variable name
        //$map = &$this->attribute_map;

        // Work out what attributes to get for a group
        $use_group_name = false;
        $get_attributes = [$map['memberof'], $map['type']];

        if (isset($map['name']) && $map['name']) {

            $get_attributes[] = $map['name'];
            $use_group_name = true;
        }

        // Check each DN of the passed memberOf
        foreach ($memberof as $dn) {
            // Avoid infinite loops, only need to check a DN once
            if (isset($searched[$dn])) {
                continue;
            }

            // Track all DN's that are searched
            // Use DN for key as well, isset() is faster than in_array()
            $searched[$dn] = $dn;

            // Query LDAP for the attribute values for the DN
            try {
                $attributes = $this->getLdap()->getAttributes($dn, $get_attributes);
                $attributes = $this->/** @scrutinizer ignore-call */ getLdap()->getAttributes($dn, $get_attributes);
            } catch (Error\AuthSource $e) {
                continue; // DN must not exist, just continue. Logged by the LDAP object
            }

            // Only look for groups
            if (!in_array($this->type_map['group'], $attributes[$map['type']], true)) {
                continue;
            }

            // Add to found groups array
            if ($use_group_name && isset($attributes[$map['name']]) && is_array($attributes[$map['name']])) {
                $groups[] = $attributes[$map['name']][0];
            } else {
                $groups[] = $dn;
            }

            // Recursively search "sub" groups
            if (!empty($attributes[$map['memberof']])) {
                $groups = array_merge($groups, $this->search($attributes[$map['memberof']]));
            }
        }

        return $groups;
    }
}

simplesamlphp / simplesamlphp-module-ldap

Pull Request — master (#28)

AttributeAddUsersGroups::getGroups() C

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like
