simplesamlphp / simplesamlphp-module-webauthn

src/Store.php

<?php

declare(strict_types=1);

namespace SimpleSAML\Module\webauthn;

use Exception;
use SimpleSAML\Assert\Assert;
use SimpleSAML\Module;
use SimpleSAML\Utils;

/**
 * Base class for consent storage handlers.
 *
 * @package SimpleSAMLphp
 * @author Olav Morken <olav.morken@uninett.no>
 * @author JAcob Christiansen <jach@wayf.dk>
 */

abstract class Store
{
    /**
     * Constructor for the base class.
     *
     * This constructor should always be called first in any class which implements this class.
     *
     * @param array &$config The configuration for this storage handler.
     * @phpstan-ignore constructor.unusedParameter
     */
    protected function __construct(array &$config)
    {
    }

    /**
     * is the user subject to 2nd factor at all?
     *
     * This function checks whether a given user has been enabled for WebAuthn.
     *
     * @param string $userId The hash identifying the user at an IdP.
     * @param bool $defaultIfNx if not found in the DB, should the user be considered enabled (true)
     *                              or disabled(false)
     * @param bool $useDatabase a bool that determines whether to use local database or not
     * @param bool $toggle variable which is associated with $force because it determines its meaning, it either
     *                     simply means whether to trigger webauthn authentication or switch the default settings,
     * @param bool $force switch that determines how $toggle will be used, if true then value of $toggle
     *                    will mean whether to trigger (true) or not (false) the webauthn authentication,
     *                    if false then $toggle means whether to switch the value of $defaultEnabled and then use that
     *
     * @return bool True if the user is enabled for 2FA, false if not
     */
    abstract public function is2FAEnabled(
        string $userId,
        bool $defaultIfNx,
        bool $useDatabase = true,
        bool $toggle = false,
        bool $force = true,
    ): bool;

    /**
     * does a given credentialID already exist?
     *
     * This function checks whether a given credential ID already exists in the database
     *
     * @param string $credIdHex The hex representation of the credentialID to look for.
     *
     * @return bool True if the credential exists, false if not
     */
    abstract public function doesCredentialExist(string $credIdHex): bool;

    /**
     * store newly enrolled token data
     *
     * @param string $userId        The user.
     * @param string $credentialId  The id identifying the credential.
     * @param string $credential    The credential.
     * @param int    $algo          The algorithm used.
     * @param int    $presenceLevel UV or UP?
     * @param int    $signCounter   The signature counter for this credential.
     * @param string $friendlyName  A user-supplied name for this token.
     * @param string $hashedId      hashed ID of the user
     *
     * @return bool
     */
    abstract public function storeTokenData(
        string $userId,
        string $credentialId,
        string $credential,
        int $algo,
        int $presenceLevel,
        int $isResidentKey,
        int $signCounter,
        string $friendlyName,
        string $hashedId,
        string $aaguid,
        string $attLevel,
    ): bool;

    /**
     * remove an existing credential from the database
     *
     * @param string $credentialId the credential
     * @return true
     */
    abstract public function deleteTokenData(string $credentialId): bool;

    /**
     * increment the signature counter after a successful authentication
     *
     * @param string $credentialId the credential
     * @param int    $signCounter  the new counter value
     * @return true
     */
    abstract public function updateSignCount(string $credentialId, int $signCounter): bool;

    /**
     * Retrieve existing token data
     *
     * @param string $userId the username
     * @return array Array of all crypto data we have on file.
     */
    abstract public function getTokenData(string $userId): array;

    /**
     * Retrieve username, given a credential ID
     *
     * @param string $hashedId the credential ID
     * @return string the username, if found (otherwise, empty string)
     */
    abstract public function getUsernameByHashedId(string $hashedId): string;

    /**
     * Get statistics for all consent given in the consent store
     *
     * @return mixed Statistics from the consent store
     *
     * @throws \Exception
     */
    public function getStatistics()
    {
        throw new Exception('Not implemented: getStatistics()');
    }


    /**
     * Parse consent storage configuration.
     *
     * This function parses the configuration for a consent storage method. An exception will be thrown if
     * configuration parsing fails.
     *
     * @param string|array $config The configuration.
     *
     * @return \SimpleSAML\Module\webauthn\Store An object which implements the \SimpleSAML\Module\webauthn\Store class.
     *
     * @throws \Exception if the configuration is invalid.
     */
    public static function parseStoreConfig(string|array $config): Store
    {
        if (is_string($config)) {

The condition is_string($config) is always false.

            $arrayUtils = new Utils\Arrays();
            $config = $arrayUtils->arrayize($config);
        }

        Assert::isArray($config, 'Invalid configuration for consent store option: ' . var_export($config, true));
        Assert::keyExists($config, 0, 'Consent store without name given.');

        $className = Module::resolveClass(
            $config[0],
            'WebAuthn\Store',
            '\SimpleSAML\Module\webauthn\Store',
        );

        /** @var \SimpleSAML\Module\webauthn\Store */
        return new $className($config);
    }
}