WopiProofValidator::verify() - Code Metrics - Inspection of "feat: Add `WopiProofValidator` service." - Champs-Libres/wopi-lib - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 52d862...8362e5 )

by Pol

created 2021-09-06 05:48 UTC

WopiProofValidator::verify() A

↳ Parent: WopiProofValidator

Complexity

Conditions	2
Paths	2

Size

Total Lines	13
Code Lines	9

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	5
CRAP Score	2.0932

Importance

Changes	1
Bugs	0	Features	0

Metric	Value
cc	2
eloc	9
c	1
b	0
f	0
nc	2
nop	3
dl	0
loc	13
ccs	5
cts	7
cp	0.7143
crap	2.0932
rs	9.9666

<?php

/**
 * For the full copyright and license information, please view
 * the LICENSE file that was distributed with this source code.
 */

declare(strict_types=1);

namespace ChampsLibres\WopiLib\Service;

use ChampsLibres\WopiLib\Discovery\WopiDiscoveryInterface;
use ChampsLibres\WopiLib\Service\Contract\WopiProofValidatorInterface;
use phpseclib3\Crypt\PublicKeyLoader;
use Psr\Http\Message\RequestInterface;
use Throwable;

use function strlen;
use const OPENSSL_ALGO_SHA256;

final class WopiProofValidator implements WopiProofValidatorInterface
{
    private WopiDiscoveryInterface $wopiDiscovery;

    public function __construct(WopiDiscoveryInterface $wopiDiscovery)
    {
        $this->wopiDiscovery = $wopiDiscovery;
    }

    public function __constructX(string $accessToken, string $url, string $timestamp)
    {
        $this->expected = sprintf(

            '%s%s%s%s%s%s',
            pack('N', strlen($accessToken)),
            $accessToken,
            pack('N', strlen($url)),
            strtoupper($url),
            pack('N', 8),
            pack('J', $timestamp)
        );
    }

    public function isValid(RequestInterface $request): bool
    {
        $xWopiProof = $request->getHeaderLine('X-WOPI-Proof');
        $xWopiProofOld = $request->getHeaderLine('X-WOPI-ProofOld');
        $timestamp = $request->getHeaderLine('X-WOPI-Timestamp');

        $key = $this->wopiDiscovery->getPublicKey();
        $keyOld = $this->wopiDiscovery->getPublicKeyOld();

        $url = (string) $request->getUri();
        $params = [];
        parse_str($request->getUri()->getQuery(), $params);

        $expected = sprintf(
            '%s%s%s%s%s%s',
            pack('N', strlen($params['access_token'])),
            $params['access_token'],
            pack('N', strlen($url)),
            strtoupper($url),
            pack('N', 8),
            pack('J', $timestamp)
        );

        return $this->verify($expected, $xWopiProof, $key) || $this->verify($expected, $xWopiProofOld, $key) || $this->verify($expected, $xWopiProof, $keyOld);
    }

    /**
     * @param string $key The key in MSBLOB format
     */
    private function verify(string $expected, string $proof, string $key): bool
    {
        try {
            $key = PublicKeyLoader::loadPublicKey($key);
        } catch (Throwable $e) {
            return false;
        }

        return 1 === openssl_verify(
            $expected,
            base64_decode($proof, true),
            $key,
            OPENSSL_ALGO_SHA256
        );
    }
}


1		<?php
2
3		/**
4		* For the full copyright and license information, please view
5		* the LICENSE file that was distributed with this source code.
6		*/
7
8		declare(strict_types=1);
9
10		namespace ChampsLibres\WopiLib\Service;
11
12		use ChampsLibres\WopiLib\Discovery\WopiDiscoveryInterface;
13		use ChampsLibres\WopiLib\Service\Contract\WopiProofValidatorInterface;
14		use phpseclib3\Crypt\PublicKeyLoader;
15		use Psr\Http\Message\RequestInterface;
16		use Throwable;
17
18		use function strlen;
19		use const OPENSSL_ALGO_SHA256;
20
21		final class WopiProofValidator implements WopiProofValidatorInterface
22		{
23		private WopiDiscoveryInterface $wopiDiscovery;
24
25	2	public function __construct(WopiDiscoveryInterface $wopiDiscovery)
26		{
27	2	$this->wopiDiscovery = $wopiDiscovery;
28	2	}
29
30		public function __constructX(string $accessToken, string $url, string $timestamp)
31		{
32		$this->expected = sprintf(
		0 ignored issues – show Bug Best Practice introduced 2021-09-06 05:50 UTC by Report Bug Copy Issue Report The property `expected` does not exist. Although not strictly required by PHP, it is generally a best practice to declare properties explicitly. Loading history...
33		'%s%s%s%s%s%s',
34		pack('N', strlen($accessToken)),
35		$accessToken,
36		pack('N', strlen($url)),
37		strtoupper($url),
38		pack('N', 8),
39		pack('J', $timestamp)
40		);
41		}
42
43	1	public function isValid(RequestInterface $request): bool
44		{
45	1	$xWopiProof = $request->getHeaderLine('X-WOPI-Proof');
46	1	$xWopiProofOld = $request->getHeaderLine('X-WOPI-ProofOld');
47	1	$timestamp = $request->getHeaderLine('X-WOPI-Timestamp');
48
49	1	$key = $this->wopiDiscovery->getPublicKey();
50	1	$keyOld = $this->wopiDiscovery->getPublicKeyOld();
51
52	1	$url = (string) $request->getUri();
53	1	$params = [];
54	1	parse_str($request->getUri()->getQuery(), $params);
55
56	1	$expected = sprintf(
57	1	'%s%s%s%s%s%s',
58	1	pack('N', strlen($params['access_token'])),
59	1	$params['access_token'],
60	1	pack('N', strlen($url)),
61	1	strtoupper($url),
62	1	pack('N', 8),
63	1	pack('J', $timestamp)
64		);
65
66	1	return $this->verify($expected, $xWopiProof, $key) \|\| $this->verify($expected, $xWopiProofOld, $key) \|\| $this->verify($expected, $xWopiProof, $keyOld);
67		}
68
69		/**
70		* @param string $key The key in MSBLOB format
71		*/
72	1	private function verify(string $expected, string $proof, string $key): bool
73		{
74		try {
75	1	$key = PublicKeyLoader::loadPublicKey($key);
76		} catch (Throwable $e) {
77		return false;
78		}
79
80	1	return 1 === openssl_verify(
81		$expected,
82	1	base64_decode($proof, true),
83		$key,
84	1	OPENSSL_ALGO_SHA256
85		);
86		}
87		}
88

Champs-Libres / wopi-lib

Push — master ( 52d862...8362e5 )

WopiProofValidator::verify() A

Complexity

Size

Duplication

Code Coverage

Importance

Duplication Side-by-Side

Filter issues like