Verifier::withoutUnsignedHeaders() - Code Metrics - Inspection of "Nonce header enforcement at Verifier::verify" - 1ma/Psr7Hmac - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 580f1a...33f9ba )

by Marcel

created 2016-06-14 15:42 UTC

Verifier::withoutUnsignedHeaders() A

↳ Parent: Verifier

Complexity

Conditions	3
Paths	3

Size

Total Lines	12
Code Lines	6

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	8
CRAP Score	3

Importance

Changes	3
Bugs	1	Features	0

Metric	Value
c	3
b	1
f	0
dl	0
loc	12
ccs	8
cts	8
cp	1
rs	9.4285
cc	3
eloc	6
nc	3
nop	1
crap	3

<?php

namespace UMA\Psr\Http\Message\HMAC;

use Psr\Http\Message\MessageInterface;
use UMA\Psr\Http\Message\Internal\HashCalculator;
use UMA\Psr\Http\Message\Internal\HeaderValidator;
use UMA\Psr\Http\Message\Monitor\BlindMonitor;
use UMA\Psr\Http\Message\Monitor\MonitorInterface;
use UMA\Psr\Http\Message\Serializer\MessageSerializer;

class Verifier
{
    /**
     * @var HashCalculator
     */
    private $calculator;

    /**
     * @var MonitorInterface
     */
    private $monitor;

    /**
     * @var HeaderValidator
     */
    private $validator;

    public function __construct()
    {
        $this->calculator = new HashCalculator();
        $this->monitor = new BlindMonitor();
        $this->validator = (new HeaderValidator())
            ->addRule(Specification::AUTH_HEADER, Specification::AUTH_REGEXP)
            ->addRule(Specification::NONCE_HEADER, Specification::NONCE_REGEXP)
            ->addRule(Specification::SIGN_HEADER, Specification::SIGN_REGEXP);
    }

    /**
     * @param MonitorInterface $monitor
     *
     * @return Verifier
     */
    public function setMonitor(MonitorInterface $monitor)
    {
        $this->monitor = $monitor;

        return $this;
    }

    /**
     * @param MessageInterface $message
     * @param string           $secret
     *
     * @return bool Signature verification outcome.
     *
     * @throws \InvalidArgumentException When $message is an implementation of
     *                                   MessageInterface that cannot be
     *                                   serialized and thus neither verified.
     */
    public function verify(MessageInterface $message, $secret)
    {
        if (false === $matches = $this->validator->conforms($message)) {
            return false;
        }

        $clientSideSignature = $matches[Specification::AUTH_HEADER][1];

        $serverSideSignature = $this->calculator
            ->hmac(MessageSerializer::serialize($this->withoutUnsignedHeaders($message)), $secret);

        return hash_equals($serverSideSignature, $clientSideSignature) && !$this->monitor->seen($message);
    }

    /**
     * @param MessageInterface $message
     *
     * @return MessageInterface
     */
    private function withoutUnsignedHeaders(MessageInterface $message)
    {
        $signedHeaders = array_filter(explode(',', $message->getHeaderLine(Specification::SIGN_HEADER)));

        foreach (array_keys($message->getHeaders()) as $headerName) {
            if (!in_array(mb_strtolower($headerName), $signedHeaders)) {
                $message = $message->withoutHeader($headerName);
            }
        }

        return $message;
    }
}


1		<?php
2
3		namespace UMA\Psr\Http\Message\HMAC;
4
5		use Psr\Http\Message\MessageInterface;
6		use UMA\Psr\Http\Message\Internal\HashCalculator;
7		use UMA\Psr\Http\Message\Internal\HeaderValidator;
8		use UMA\Psr\Http\Message\Monitor\BlindMonitor;
9		use UMA\Psr\Http\Message\Monitor\MonitorInterface;
10		use UMA\Psr\Http\Message\Serializer\MessageSerializer;
11
12		class Verifier
13		{
14		/**
15		* @var HashCalculator
16		*/
17		private $calculator;
18
19		/**
20		* @var MonitorInterface
21		*/
22		private $monitor;
23
24		/**
25		* @var HeaderValidator
26		*/
27		private $validator;
28
29	98	public function __construct()
30		{
31	98	$this->calculator = new HashCalculator();
32	98	$this->monitor = new BlindMonitor();
33	98	$this->validator = (new HeaderValidator())
34	98	->addRule(Specification::AUTH_HEADER, Specification::AUTH_REGEXP)
35	98	->addRule(Specification::NONCE_HEADER, Specification::NONCE_REGEXP)
36	98	->addRule(Specification::SIGN_HEADER, Specification::SIGN_REGEXP);
37	98	}
38
39		/**
40		* @param MonitorInterface $monitor
41		*
42		* @return Verifier
43		*/
44	7	public function setMonitor(MonitorInterface $monitor)
45		{
46	7	$this->monitor = $monitor;
47
48	7	return $this;
49		}
50
51		/**
52		* @param MessageInterface $message
53		* @param string $secret
54		*
55		* @return bool Signature verification outcome.
56		*
57		* @throws \InvalidArgumentException When $message is an implementation of
58		* MessageInterface that cannot be
59		* serialized and thus neither verified.
60		*/
61	98	public function verify(MessageInterface $message, $secret)
62		{
63	98	if (false === $matches = $this->validator->conforms($message)) {
64	91	return false;
65		}
66
67	77	$clientSideSignature = $matches[Specification::AUTH_HEADER][1];
68
69	77	$serverSideSignature = $this->calculator
70	77	->hmac(MessageSerializer::serialize($this->withoutUnsignedHeaders($message)), $secret);
71
72	77	return hash_equals($serverSideSignature, $clientSideSignature) && !$this->monitor->seen($message);
73		}
74
75		/**
76		* @param MessageInterface $message
77		*
78		* @return MessageInterface
79		*/
80	77	private function withoutUnsignedHeaders(MessageInterface $message)
81		{
82	77	$signedHeaders = array_filter(explode(',', $message->getHeaderLine(Specification::SIGN_HEADER)));
83
84	77	foreach (array_keys($message->getHeaders()) as $headerName) {
85	77	if (!in_array(mb_strtolower($headerName), $signedHeaders)) {
86	77	$message = $message->withoutHeader($headerName);
87	77	}
88	77	}
89
90	77	return $message;
91		}
92		}
93

1ma / Psr7Hmac

Push — master ( 580f1a...33f9ba )

Verifier::withoutUnsignedHeaders() A

Complexity

Size

Duplication

Code Coverage

Importance

Duplication Side-by-Side

Filter issues like