PasswordVerify::login() - Code Metrics - Inspection of "A new PasswordVerify.php that does hashing in php..." - simplesamlphp/simplesamlphp-module-sqlauth - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Pull Request — master (#6)

by Tim

created 2023-11-02 20:28 UTC

PasswordVerify::login() C

↳ Parent: PasswordVerify

Complexity

Conditions	13
Paths	21

Size

Total Lines	115
Code Lines	66

Duplication

Lines	0
Ratio	0 %

Importance

Changes	3
Bugs	0	Features	0

Metric	Value
cc	13
eloc	66
c	3
b	0
f	0
nc	21
nop	2
dl	0
loc	115
rs	6.0351

How to fix Long Method Complexity

<?php

declare(strict_types=1);

namespace SimpleSAML\Module\sqlauth\Auth\Source;

use Exception;
use PDO;
use PDOException;
use SimpleSAML\Assert\Assert;
use SimpleSAML\Error;
use SimpleSAML\Logger;
use SimpleSAML\Module\sqlauth\Auth\Source\SQL;

use function array_key_exists;
use function array_keys;
use function count;
use function implode;
use function in_array;
use function is_null;
use function password_verify;
use function sprintf;
use function strval;

/**
 * Simple SQL authentication source
 *
 * This class is very much like the SQL class. The major difference is that
 * instead of using SHA2 and other functions in the database we use the PHP
 * password_verify() function to allow for example PASSWORD_ARGON2ID to be used
 * for verification.
 *
 * While this class has a query parameter as the SQL class does the meaning
 * is different. The query for this class should return at least a column
 * called passwordhash containing the hashed password which was generated
 * for example using
 *    password_hash('hello', PASSWORD_ARGON2ID );
 *
 * Auth only passes if the PHP code below returns true.
 *   password_verify($password, row['passwordhash'] );
 *
 * Unlike the SQL class the username is the only parameter passed to the SQL query,
 * the query can not perform password checks, they are performed by the PHP code 
 * in this class using password_verify().
 *
 * If there are other columns in the returned data they are assumed to be attributes
 * you would like to be returned through SAML.
 *
 * @package SimpleSAMLphp
 */

class PasswordVerify extends SQL
{
    /**
     * The column in the result set containing the passwordhash.
     */
    protected ?string $passwordhashcolumn = null;

    /**
     * Constructor for this authentication source.
     *
     * @param array $info  Information about this authentication source.
     * @param array $config  Configuration.
     */
    public function __construct(array $info, array $config)
    {
        // Call the parent constructor first, as required by the interface
        parent::__construct($info, $config);

        if (array_key_exists('passwordhashcolumn', $config)) {
            $this->passwordhashcolumn = $config['passwordhashcolumn'];
        }

        if ($this->passwordhashcolumn === null) {
            $this->passwordhashcolumn = 'passwordhash';
        }
    }


    /**
     * Extract SQL columns into SAML attribute array
     *
     * @param array  $data  Associative array from database in the format of PDO fetchAll
     * @param array  $forbiddenAttributes An array of attributes to never return
     * @return array  Associative array with the users attributes.
     */
    protected function extractAttributes(array $data, array $forbiddenAttributes = []): array
    {
        $attributes = [];
        foreach ($data as $row) {
            foreach ($row as $name => $value) {
                if ($value === null) {
                    continue;
                }
                if (in_array($name, $forbiddenAttributes)) {
                    continue;
                }

                $value = strval($value);

                if (!array_key_exists($name, $attributes)) {
                    $attributes[$name] = [];
                }

                if (in_array($value, $attributes[$name], true)) {
                    // Value already exists in attribute
                    continue;
                }

                $attributes[$name][] = $value;
            }
        }

        return $attributes;
    }


    /**
     * Attempt to log in using the given username and password.
     *
     * On a successful login, this function should return the users attributes. On failure,
     * it should throw an exception. If the error was caused by the user entering the wrong
     * username or password, a \SimpleSAML\Error\Error('WRONGUSERPASS') should be thrown.
     *
     * Note that both the username and the password are UTF-8 encoded.
     *
     * @param string $username  The username the user wrote.
     * @param string $password  The password the user wrote.
     * @return array  Associative array with the users attributes.
     */
    protected function login(string $username, string $password): array
    {
        $db = $this->connect();

        try {
            $sth = $db->prepare($this->query);
        } catch (PDOException $e) {
            throw new Exception(sprintf(
                'sqlauth:%s: - Failed to prepare query: %s',
                $this->authId,
                $e->getMessage(),
            ));
        }


        try {
            $sth->execute(['username' => $username]);
        } catch (PDOException $e) {
            throw new Exception(sprintf(
                'sqlauth:%s: - Failed to execute sql: %s query: %s',
                $this->authId,
                $this->query,
                $e->getMessage(),
            ));
        }

        try {
            $data = $sth->fetchAll(PDO::FETCH_ASSOC);
        } catch (PDOException $e) {
            throw new Exception(sprintf(
                'sqlauth:%s: - Failed to fetch result set: %s',
                $this->authId,
                $e->getMessage(),
            ));
        }

        Logger::info(sprintf(
            'sqlauth:%s : Got %d rows from database',
            $this->authId,
            count($data),
        ));

        if (count($data) === 0) {
            // No rows returned - invalid username/password
            Logger::error(sprintf(
                'sqlauth:%s: No rows in result set. Probably wrong username/password.',
                $this->authId,
            ));
            throw new Error\Error('WRONGUSERPASS');
        }

        /**
         * Sanity check, passwordhash must be in each resulting tuple and must have
         * the same value in every tuple.
         *
         * Note that $pwhash will contain the passwordhash value after this loop.
         */
        $pwhash = null;
        foreach ($data as $row) {
            if (
                !array_key_exists($this->passwordhashcolumn, $row)
                || is_null($row[$this->passwordhashcolumn])
            ) {
                Logger::error(sprintf(
                    'sqlauth:%s: column %s must be in every result tuple.',
                    $this->authId,
                    $this->passwordhashcolumn,
                ));
                throw new Error\Error('WRONGUSERPASS');
            }
            if ($pwhash) {
                if ($pwhash !== $row[$this->passwordhashcolumn]) {
                    Logger::error(sprintf(
                        'sqlauth:%s: column %s must be THE SAME in every result tuple.',
                        $this->authId,
                        $this->passwordhashcolumn,
                    ));
                    throw new Error\Error('WRONGUSERPASS');
                }
            }
            $pwhash = $row[$this->passwordhashcolumn];
        }
        /**
         * This should never happen as the count(data) test above would have already thrown.
         * But checking twice doesn't hurt.
         */
        if (is_null($pwhash)) {
            if ($pwhash !== $row[$this->passwordhashcolumn]) {

                Logger::error(sprintf(
                    'sqlauth:%s: column %s does not contain a password hash.',
                    $this->authId,
                    $this->passwordhashcolumn,
                ));
                throw new Error\Error('WRONGUSERPASS');
            }
        }

        /**
         * VERIFICATION!
         * Now to check if the password the user supplied is actually valid
         */
        if (!password_verify($password, $pwhash)) {
            Logger::error(sprintf('sqlauth:%s: password is incorrect.', $this->authId));
            throw new Error\Error('WRONGUSERPASS');
        }

        $attributes = $this->extractAttributes($data, [$this->passwordhashcolumn]);

        Logger::info(sprintf(
            'sqlauth:%s: Attributes: %s',
            $this->authId,
            implode(',', array_keys($attributes)),
        ));

        return $attributes;
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			namespace SimpleSAML\Module\sqlauth\Auth\Source;
6
7			use Exception;
8			use PDO;
9			use PDOException;
10			use SimpleSAML\Assert\Assert;
11			use SimpleSAML\Error;
12			use SimpleSAML\Logger;
13			use SimpleSAML\Module\sqlauth\Auth\Source\SQL;
14
15			use function array_key_exists;
16			use function array_keys;
17			use function count;
18			use function implode;
19			use function in_array;
20			use function is_null;
21			use function password_verify;
22			use function sprintf;
23			use function strval;
24
25			/**
26			* Simple SQL authentication source
27			*
28			* This class is very much like the SQL class. The major difference is that
29			* instead of using SHA2 and other functions in the database we use the PHP
30			* password_verify() function to allow for example PASSWORD_ARGON2ID to be used
31			* for verification.
32			*
33			* While this class has a query parameter as the SQL class does the meaning
34			* is different. The query for this class should return at least a column
35			* called passwordhash containing the hashed password which was generated
36			* for example using
37			* password_hash('hello', PASSWORD_ARGON2ID );
38			*
39			* Auth only passes if the PHP code below returns true.
40			* password_verify($password, row['passwordhash'] );
41			*
42			* Unlike the SQL class the username is the only parameter passed to the SQL query,
43			* the query can not perform password checks, they are performed by the PHP code
44			* in this class using password_verify().
45			*
46			* If there are other columns in the returned data they are assumed to be attributes
47			* you would like to be returned through SAML.
48			*
49			* @package SimpleSAMLphp
50			*/
51
52			class PasswordVerify extends SQL
53			{
54			/**
55			* The column in the result set containing the passwordhash.
56			*/
57			protected ?string $passwordhashcolumn = null;
58
59			/**
60			* Constructor for this authentication source.
61			*
62			* @param array $info Information about this authentication source.
63			* @param array $config Configuration.
64			*/
65			public function __construct(array $info, array $config)
66			{
67			// Call the parent constructor first, as required by the interface
68			parent::__construct($info, $config);
69
70			if (array_key_exists('passwordhashcolumn', $config)) {
71			$this->passwordhashcolumn = $config['passwordhashcolumn'];
72			}
73
74			if ($this->passwordhashcolumn === null) {
75			$this->passwordhashcolumn = 'passwordhash';
76			}
77			}
78
79
80			/**
81			* Extract SQL columns into SAML attribute array
82			*
83			* @param array $data Associative array from database in the format of PDO fetchAll
84			* @param array $forbiddenAttributes An array of attributes to never return
85			* @return array Associative array with the users attributes.
86			*/
87			protected function extractAttributes(array $data, array $forbiddenAttributes = []): array
88			{
89			$attributes = [];
90			foreach ($data as $row) {
91			foreach ($row as $name => $value) {
92			if ($value === null) {
93			continue;
94			}
95			if (in_array($name, $forbiddenAttributes)) {
96			continue;
97			}
98
99			$value = strval($value);
100
101			if (!array_key_exists($name, $attributes)) {
102			$attributes[$name] = [];
103			}
104
105			if (in_array($value, $attributes[$name], true)) {
106			// Value already exists in attribute
107			continue;
108			}
109
110			$attributes[$name][] = $value;
111			}
112			}
113
114			return $attributes;
115			}
116
117
118			/**
119			* Attempt to log in using the given username and password.
120			*
121			* On a successful login, this function should return the users attributes. On failure,
122			* it should throw an exception. If the error was caused by the user entering the wrong
123			* username or password, a \SimpleSAML\Error\Error('WRONGUSERPASS') should be thrown.
124			*
125			* Note that both the username and the password are UTF-8 encoded.
126			*
127			* @param string $username The username the user wrote.
128			* @param string $password The password the user wrote.
129			* @return array Associative array with the users attributes.
130			*/
131			protected function login(string $username, string $password): array
132			{
133			$db = $this->connect();
134
135			try {
136			$sth = $db->prepare($this->query);
137			} catch (PDOException $e) {
138			throw new Exception(sprintf(
139			'sqlauth:%s: - Failed to prepare query: %s',
140			$this->authId,
141			$e->getMessage(),
142			));
143			}
144
145
146			try {
147			$sth->execute(['username' => $username]);
148			} catch (PDOException $e) {
149			throw new Exception(sprintf(
150			'sqlauth:%s: - Failed to execute sql: %s query: %s',
151			$this->authId,
152			$this->query,
153			$e->getMessage(),
154			));
155			}
156
157			try {
158			$data = $sth->fetchAll(PDO::FETCH_ASSOC);
159			} catch (PDOException $e) {
160			throw new Exception(sprintf(
161			'sqlauth:%s: - Failed to fetch result set: %s',
162			$this->authId,
163			$e->getMessage(),
164			));
165			}
166
167			Logger::info(sprintf(
168			'sqlauth:%s : Got %d rows from database',
169			$this->authId,
170			count($data),
171			));
172
173			if (count($data) === 0) {
174			// No rows returned - invalid username/password
175			Logger::error(sprintf(
176			'sqlauth:%s: No rows in result set. Probably wrong username/password.',
177			$this->authId,
178			));
179			throw new Error\Error('WRONGUSERPASS');
180			}
181
182			/**
183			* Sanity check, passwordhash must be in each resulting tuple and must have
184			* the same value in every tuple.
185			*
186			* Note that $pwhash will contain the passwordhash value after this loop.
187			*/
188			$pwhash = null;
189			foreach ($data as $row) {
190			if (
191			!array_key_exists($this->passwordhashcolumn, $row)
192			\|\| is_null($row[$this->passwordhashcolumn])
193			) {
194			Logger::error(sprintf(
195			'sqlauth:%s: column %s must be in every result tuple.',
196			$this->authId,
197			$this->passwordhashcolumn,
198			));
199			throw new Error\Error('WRONGUSERPASS');
200			}
201			if ($pwhash) {
202			if ($pwhash !== $row[$this->passwordhashcolumn]) {
203			Logger::error(sprintf(
204			'sqlauth:%s: column %s must be THE SAME in every result tuple.',
205			$this->authId,
206			$this->passwordhashcolumn,
207			));
208			throw new Error\Error('WRONGUSERPASS');
209			}
210			}
211			$pwhash = $row[$this->passwordhashcolumn];
212			}
213			/**
214			* This should never happen as the count(data) test above would have already thrown.
215			* But checking twice doesn't hurt.
216			*/
217			if (is_null($pwhash)) {
218			if ($pwhash !== $row[$this->passwordhashcolumn]) {
			0 ignored issues – show Comprehensibility Best Practice introduced 2023-06-28 23:47 UTC by Report Bug Copy Issue Report The variable `$row` seems to be defined by a `foreach` iteration on line `189`. Are you sure the iterator is never empty, otherwise this variable is not defined? Loading history...
219			Logger::error(sprintf(
220			'sqlauth:%s: column %s does not contain a password hash.',
221			$this->authId,
222			$this->passwordhashcolumn,
223			));
224			throw new Error\Error('WRONGUSERPASS');
225			}
226			}
227
228			/**
229			* VERIFICATION!
230			* Now to check if the password the user supplied is actually valid
231			*/
232			if (!password_verify($password, $pwhash)) {
233			Logger::error(sprintf('sqlauth:%s: password is incorrect.', $this->authId));
234			throw new Error\Error('WRONGUSERPASS');
235			}
236
237			$attributes = $this->extractAttributes($data, [$this->passwordhashcolumn]);
238
239			Logger::info(sprintf(
240			'sqlauth:%s: Attributes: %s',
241			$this->authId,
242			implode(',', array_keys($attributes)),
243			));
244
245			return $attributes;
246			}
247			}
248

simplesamlphp / simplesamlphp-module-sqlauth

Pull Request — master (#6)

PasswordVerify::login() C

Complexity

Size

Duplication

Importance

How to fix Long Method Complexity

Long Method

Duplication Side-by-Side

Filter issues like