PasswordVerify::login() - Code Metrics - Inspection of "A new PasswordVerify.php that does hashing in php..." - simplesamlphp/simplesamlphp-module-sqlauth - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Pull Request — master (#6)

by Tim

created 2024-04-22 06:57 UTC

PasswordVerify::login() C

↳ Parent: PasswordVerify

Complexity

Conditions	12
Paths	36

Size

Total Lines	83
Code Lines	40

Duplication

Lines	0
Ratio	0 %

Importance

Changes	5
Bugs	0	Features	0

Metric	Value
cc	12
eloc	40
c	5
b	0
f	0
nc	36
nop	2
dl	0
loc	83
rs	6.9666

How to fix Long Method Complexity

<?php

declare(strict_types=1);

namespace SimpleSAML\Module\sqlauth\Auth\Source;

use Exception;
use PDO;
use PDOException;
use SimpleSAML\Assert\Assert;
use SimpleSAML\Error;
use SimpleSAML\Logger;
use SimpleSAML\Module\sqlauth\Auth\Source\SQL;

use function array_key_exists;
use function array_keys;
use function count;
use function implode;
use function in_array;
use function is_null;
use function password_verify;
use function sprintf;
use function strval;

/**
 * Simple SQL authentication source
 *
 * This class is very much like the SQL class. The major difference is that
 * instead of using SHA2 and other functions in the database we use the PHP
 * password_verify() function to allow for example PASSWORD_ARGON2ID to be used
 * for verification.
 *
 * While this class has a query parameter as the SQL class does the meaning
 * is different. The query for this class should return at least a column
 * called passwordhash containing the hashed password which was generated
 * for example using
 *    password_hash('hello', PASSWORD_ARGON2ID );
 *
 * Auth only passes if the PHP code below returns true.
 *   password_verify($password, row['passwordhash'] );
 *
 * Unlike the SQL class the username is the only parameter passed to the SQL query,
 * the query can not perform password checks, they are performed by the PHP code
 * in this class using password_verify().
 *
 * If there are other columns in the returned data they are assumed to be attributes
 * you would like to be returned through SAML.
 *
 * @package SimpleSAMLphp
 */

class PasswordVerify extends SQL
{
    /**
     * The column in the result set containing the passwordhash.
     */
    protected string $passwordhashcolumn = 'passwordhash';

    /**
     * Constructor for this authentication source.
     *
     * @param array $info  Information about this authentication source.
     * @param array $config  Configuration.
     */
    public function __construct(array $info, array $config)
    {
        // Call the parent constructor first, as required by the interface
        parent::__construct($info, $config);

        if (array_key_exists('passwordhashcolumn', $config)) {
            $this->passwordhashcolumn = $config['passwordhashcolumn'];
        }
    }



    /**
     * Attempt to log in using the given username and password.
     *
     * On a successful login, this function should return the users attributes. On failure,
     * it should throw an exception. If the error was caused by the user entering the wrong
     * username or password, a \SimpleSAML\Error\Error('WRONGUSERPASS') should be thrown.
     *
     * Note that both the username and the password are UTF-8 encoded.
     *
     * @param string $username  The username the user wrote.
     * @param string $password  The password the user wrote.
     * @return array  Associative array with the users attributes.
     */
    protected function login(string $username, string $password): array
    {
        $this->verifyUserNameWithRegex( $username );
        
        $db = $this->connect();

        $params = ['username' => $username, 'password' => $password];
        $attributes = [];

        $numQueries = count($this->query);
        for ($x = 0; $x < $numQueries; $x++) {

            $data = $this->executeQuery($this->query[$x], $params);
            
            Logger::info('sqlauth:' . $this->authId . ': Got ' . count($data) .
                         ' rows from database');

            if ($x === 0) {
                if (count($data) === 0) {
                    // No rows returned - invalid username/password
                    Logger::error('sqlauth:'.$this->authId.
                                  ': No rows in result set. Probably wrong username/password.');
                    throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
                }
                /* Only the first query should be passed the password, as that is the only
                 * one used for authentication. Subsequent queries are only used for
                 * getting attribute lists, so only need the username. */
                unset($params['password']);
            }
                

            /**
             * Sanity check, passwordhash must be in each resulting tuple and must have
             * the same value in every tuple.
             * 
             * Note that $pwhash will contain the passwordhash value after this loop.
             */
            $pwhash = null;
            foreach ($data as $row) {
                if (!array_key_exists($this->passwordhashcolumn, $row)
                    || is_null($row[$this->passwordhashcolumn]))
                {
                    Logger::error('sqlauth:'.$this->authId.
                                  ': column ' . $this->passwordhashcolumn . ' must be in every result tuple.');
                    throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
                }
                if( $pwhash ) {
                    if( $pwhash != $row[$this->passwordhashcolumn] ) {
                        Logger::error('sqlauth:'.$this->authId.
                                      ': column ' . $this->passwordhashcolumn . ' must be THE SAME in every result tuple.');
                        throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
                    }
                }
                $pwhash = $row[$this->passwordhashcolumn];
            }
            /**
             * This should never happen as the count(data) test above would have already thrown.
             * But checking twice doesn't hurt.
             */
            if( is_null($pwhash)) {
                if( $pwhash != $row[$this->passwordhashcolumn] ) {

                    Logger::error('sqlauth:'.$this->authId.
                                  ': column ' . $this->passwordhashcolumn . ' does not contain a password hash.');
                    throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
                }
            }

            /**
             * VERIFICATION!
             * Now to check if the password the user supplied is actually valid
             */
            if( !password_verify( $password, $pwhash )) {
                Logger::error('sqlauth:'.$this->authId. ': password is incorrect.');
                throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
            }


            $this->extractAttributes( $attributes, $data, array($this->passwordhashcolumn) );
        }
        
        Logger::info('sqlauth:'.$this->authId.': Attributes: '.
                     implode(',', array_keys($attributes)));

        return $attributes;
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			namespace SimpleSAML\Module\sqlauth\Auth\Source;
6
7			use Exception;
8			use PDO;
9			use PDOException;
10			use SimpleSAML\Assert\Assert;
11			use SimpleSAML\Error;
12			use SimpleSAML\Logger;
13			use SimpleSAML\Module\sqlauth\Auth\Source\SQL;
14
15			use function array_key_exists;
16			use function array_keys;
17			use function count;
18			use function implode;
19			use function in_array;
20			use function is_null;
21			use function password_verify;
22			use function sprintf;
23			use function strval;
24
25			/**
26			* Simple SQL authentication source
27			*
28			* This class is very much like the SQL class. The major difference is that
29			* instead of using SHA2 and other functions in the database we use the PHP
30			* password_verify() function to allow for example PASSWORD_ARGON2ID to be used
31			* for verification.
32			*
33			* While this class has a query parameter as the SQL class does the meaning
34			* is different. The query for this class should return at least a column
35			* called passwordhash containing the hashed password which was generated
36			* for example using
37			* password_hash('hello', PASSWORD_ARGON2ID );
38			*
39			* Auth only passes if the PHP code below returns true.
40			* password_verify($password, row['passwordhash'] );
41			*
42			* Unlike the SQL class the username is the only parameter passed to the SQL query,
43			* the query can not perform password checks, they are performed by the PHP code
44			* in this class using password_verify().
45			*
46			* If there are other columns in the returned data they are assumed to be attributes
47			* you would like to be returned through SAML.
48			*
49			* @package SimpleSAMLphp
50			*/
51
52			class PasswordVerify extends SQL
53			{
54			/**
55			* The column in the result set containing the passwordhash.
56			*/
57			protected string $passwordhashcolumn = 'passwordhash';
58
59			/**
60			* Constructor for this authentication source.
61			*
62			* @param array $info Information about this authentication source.
63			* @param array $config Configuration.
64			*/
65			public function __construct(array $info, array $config)
66			{
67			// Call the parent constructor first, as required by the interface
68			parent::__construct($info, $config);
69
70			if (array_key_exists('passwordhashcolumn', $config)) {
71			$this->passwordhashcolumn = $config['passwordhashcolumn'];
72			}
73			}
74
75
76
77			/**
78			* Attempt to log in using the given username and password.
79			*
80			* On a successful login, this function should return the users attributes. On failure,
81			* it should throw an exception. If the error was caused by the user entering the wrong
82			* username or password, a \SimpleSAML\Error\Error('WRONGUSERPASS') should be thrown.
83			*
84			* Note that both the username and the password are UTF-8 encoded.
85			*
86			* @param string $username The username the user wrote.
87			* @param string $password The password the user wrote.
88			* @return array Associative array with the users attributes.
89			*/
90			protected function login(string $username, string $password): array
91			{
92			$this->verifyUserNameWithRegex( $username );
93
94			$db = $this->connect();
			0 ignored issues – show Unused Code introduced 2024-04-22 06:51 UTC by Report Bug Copy Issue Report The assignment to `$db` is dead and can be removed. Loading history...
95			$params = ['username' => $username, 'password' => $password];
96			$attributes = [];
97
98			$numQueries = count($this->query);
99			for ($x = 0; $x < $numQueries; $x++) {
100
101			$data = $this->executeQuery($this->query[$x], $params);
102
103			Logger::info('sqlauth:' . $this->authId . ': Got ' . count($data) .
104			' rows from database');
105
106			if ($x === 0) {
107			if (count($data) === 0) {
108			// No rows returned - invalid username/password
109			Logger::error('sqlauth:'.$this->authId.
110			': No rows in result set. Probably wrong username/password.');
111			throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
112			}
113			/* Only the first query should be passed the password, as that is the only
114			* one used for authentication. Subsequent queries are only used for
115			* getting attribute lists, so only need the username. */
116			unset($params['password']);
117			}
118
119
120			/**
121			* Sanity check, passwordhash must be in each resulting tuple and must have
122			* the same value in every tuple.
123			*
124			* Note that $pwhash will contain the passwordhash value after this loop.
125			*/
126			$pwhash = null;
127			foreach ($data as $row) {
128			if (!array_key_exists($this->passwordhashcolumn, $row)
129			\|\| is_null($row[$this->passwordhashcolumn]))
130			{
131			Logger::error('sqlauth:'.$this->authId.
132			': column ' . $this->passwordhashcolumn . ' must be in every result tuple.');
133			throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
134			}
135			if( $pwhash ) {
136			if( $pwhash != $row[$this->passwordhashcolumn] ) {
137			Logger::error('sqlauth:'.$this->authId.
138			': column ' . $this->passwordhashcolumn . ' must be THE SAME in every result tuple.');
139			throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
140			}
141			}
142			$pwhash = $row[$this->passwordhashcolumn];
143			}
144			/**
145			* This should never happen as the count(data) test above would have already thrown.
146			* But checking twice doesn't hurt.
147			*/
148			if( is_null($pwhash)) {
149			if( $pwhash != $row[$this->passwordhashcolumn] ) {
			0 ignored issues – show Comprehensibility Best Practice introduced 2024-04-22 07:00 UTC by Report Bug Copy Issue Report The variable `$row` does not seem to be defined for all execution paths leading up to this point. Loading history...
150			Logger::error('sqlauth:'.$this->authId.
151			': column ' . $this->passwordhashcolumn . ' does not contain a password hash.');
152			throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
153			}
154			}
155
156			/**
157			* VERIFICATION!
158			* Now to check if the password the user supplied is actually valid
159			*/
160			if( !password_verify( $password, $pwhash )) {
161			Logger::error('sqlauth:'.$this->authId. ': password is incorrect.');
162			throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
163			}
164
165
166			$this->extractAttributes( $attributes, $data, array($this->passwordhashcolumn) );
167			}
168
169			Logger::info('sqlauth:'.$this->authId.': Attributes: '.
170			implode(',', array_keys($attributes)));
171
172			return $attributes;
173			}
174			}
175

simplesamlphp / simplesamlphp-module-sqlauth

Pull Request — master (#6)

PasswordVerify::login() C

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like