RFC7585Tests - Code Metrics - Inspection of "fixed dynamic connectivity tests" - GEANT/CAT - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — release_2_1 ( 8ffb06...6b1ac5 )

by Maja

created 2024-04-05 09:00 UTC

RFC7585Tests F

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	441
Duplicated Lines	0 %

Importance

Changes	8
Bugs	3	Features	0

Metric	Value
wmc	60
eloc	185
dl	0
loc	441
rs	3.6
c	8
b	3
f	0

7 Methods

Rating	Name	Size	Complexity
F	relevantNAPTRhostnameResolution()	68	16
B	relevantNAPTRsrvResolution()	46	10
B	hostTLSprotocols()	15	9
A	__construct()	34	1
C	relevantNAPTRcompliance()	38	12
B	relevantNAPTR()	42	9
A	execSslscan()	20	3

How to fix Complexity

<?php

/*
 * *****************************************************************************
 * Contributions to this work were made on behalf of the GÉANT project, a 
 * project that has received funding from the European Union’s Framework 
 * Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
 * Horizon 2020 research and innovation programme under Grant Agreements No. 
 * 691567 (GN4-1) and No. 731122 (GN4-2).
 * On behalf of the aforementioned projects, GEANT Association is the sole owner
 * of the copyright in all material which was developed by a member of the GÉANT
 * project. GÉANT Vereniging (Association) is registered with the Chamber of 
 * Commerce in Amsterdam with registration number 40535155 and operates in the 
 * UK as a branch of GÉANT Vereniging.
 * 
 * Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands. 
 * UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
 *
 * License: see the web/copyright.inc.php file in the file structure or
 *          <base_url>/copyright.php after deploying the software
 */

namespace core\diag;

/**
 * Test suite to verify that a given NAI realm has NAPTR records according to
 * consortium-agreed criteria
 * Can only be used if \config\Diagnostics::RADIUSTESTS is configured.
 *
 * @author Stefan Winter <[email protected]>
 * @author Tomasz Wolniewicz <[email protected]>
 * @author Maja Górecka-Wolniewicz <[email protected]>
 *
 * @license see LICENSE file in root directory
 *
 * @package Developer
 */
class RFC7585Tests extends AbstractTest
{

    /**
     * maintains state for the question: has the NAPTR existence check already been executed? Holds the number of NAPTR records found if so.
     * 
     * @var integer
     */
    private $NAPTR_executed;

    /**
     * maintains state for the question: has the NAPTR compliance check already been executed?
     * 
     * @var integer
     */
    private $NAPTR_compliance_executed;

    /**
     * maintains state for the question: has the NAPTR SRV check already been executed? Holds the number of SRV records if so.
     * 
     * @var integer
     */
    private $NAPTR_SRV_executed;

    /**
     * maintains state for the question: has the existrence of hostnames been checked already? Holds the number of IP:port pairs if so.
     * 
     * @var integer
     */
    private $NAPTR_hostname_executed;

    /**
     * holds the list of NAPTR records found. Exposed because we may want to
     * double-check the replacement against NRO expectations
     * 
     * @var array
     */
    public $NAPTR_records;

    /**
     * holds the list of SRV records found
     * 
     * @var array
     */
    private $NAPTR_SRV_records;

    /**
     * stores the various errors encountered during the checks
     * 
     * @var array
     */
    private $errorlist;

    /**
     * stores the IP address / port pairs (strings) which were ultimately found
     * as candidate RADIUS/TLS servers
     * 
     * @var array
     */
    public $NAPTR_hostname_records;
    // return codes specific to NAPTR existence checks

    /**
     * test hasn't been run yet
     */
    const RETVAL_NOTRUNYET = -1;

    /**
     * no NAPTRs for domain; this is not an error, simply means that realm is not doing dynamic discovery for any service
     */
    const RETVAL_NONAPTR = -104;

    /**
     * no eduroam NAPTR for domain; this is not an error, simply means that realm is not doing dynamic discovery for eduroam
     */
    const RETVAL_ONLYUNRELATEDNAPTR = -105;

    /**
     * This private variable contains the realm to be checked. Is filled in the
     * class constructor.
     * 
     * @var string
     */
    private $realm;

    /**
     * An instance of the Net_DNS2 resolver to do lookups with
     * 
     * @var \Net_DNS2_Resolver
     */
    private $resolver;

    /**
     * maintains state whether all DNS responses were DNSSEC-secured
     * 
     * @var bool
     */
    public $allResponsesSecure;

    /**
     * the discovery tag to use for the DNS lookups
     * 
     * @var string
     */
    private $discoveryTag;
    
    /**
     * Initialises the dynamic discovery test instance for a specific realm that is to be tested
     * 
     * @param string $realm the realm to be tested
     */
    public function __construct(string $realm, $discoverytag = \config\Diagnostics::RADIUSTESTS['TLS-discoverytag'])
    {
        parent::__construct();
        \core\common\Entity::intoThePotatoes();
        // return codes specific to NAPTR existence checks
        /**
         * no NAPTRs for domain; this is not an error, simply means that realm is not doing dynamic discovery for any service
         */
        $this->returnCodes[RFC7585Tests::RETVAL_NONAPTR]["message"] = _("This realm has no NAPTR records.");
        $this->returnCodes[RFC7585Tests::RETVAL_NONAPTR]["severity"] = \core\common\Entity::L_OK;

        /**
         * no eduroam NAPTR for domain; this is not an error, simply means that realm is not doing dynamic discovery for eduroam
         */
        $this->returnCodes[RFC7585Tests::RETVAL_ONLYUNRELATEDNAPTR]["message"] = _("NAPTR records were found, but all of them refer to unrelated services.");
        $this->returnCodes[RFC7585Tests::RETVAL_ONLYUNRELATEDNAPTR]["severity"] = \core\common\Entity::L_OK;

        $this->realm = $realm;
        $this->NAPTR_executed = RFC7585Tests::RETVAL_NOTRUNYET;
        $this->NAPTR_compliance_executed = RFC7585Tests::RETVAL_NOTRUNYET;
        $this->NAPTR_SRV_executed = RFC7585Tests::RETVAL_NOTRUNYET;
        $this->NAPTR_hostname_executed = RFC7585Tests::RETVAL_NOTRUNYET;
        $this->NAPTR_records = [];
        $this->NAPTR_SRV_records = [];
        $this->NAPTR_hostname_records = [];
        $this->errorlist = [];
        \core\common\Entity::outOfThePotatoes();

        $this->discoveryTag = $discoverytag;
        
        $this->resolver = new \Net_DNS2_Resolver(
                ["dnssec_ad_flag" => true]
        );
        $this->allResponsesSecure = true;
    }

    /**
     * Tests if this realm exists in DNS and has NAPTR records matching the
     * configured consortium NAPTR target.
     * 
     * possible RETVALs:
     * - RETVAL_NOTCONFIGURED; needs \config\Diagnostics::RADIUSTESTS['TLS-discoverytag']
     * - RETVAL_ONLYUNRELATEDNAPTR
     * - RETVAL_NONAPTR
     * 
     * @return int Either a RETVAL constant or a positive number (count of relevant NAPTR records)
     */
    public function relevantNAPTR()
    {
        if ($this->discoveryTag == "") {
            $this->NAPTR_executed = RADIUSTests::RETVAL_NOTCONFIGURED;
            return RADIUSTests::RETVAL_NOTCONFIGURED;
        }
        $NAPTRs = [];
        try {
            $response = $this->resolver->query($this->realm, 'NAPTR');
            $securedAnswer = $response->header->ad ?? 0;
            if ($securedAnswer == 0) {
                $this->allResponsesSecure = FALSE;
            }
            foreach ($response->answer as $oneAnswer) {
                $NAPTRs[] = [
                    'services' => $oneAnswer->services,
                    'flags' => $oneAnswer->flags,
                    'regexp' => $oneAnswer->regexp,
                    'replacement' => $oneAnswer->replacement,
                    'ad' => $securedAnswer,
                ];
            }
        } catch (\Net_DNS2_Exception $e) {
            // NXDOMAIN is an Exception, but we don't care - no result means no result
        }
        if (count($NAPTRs) == 0) {
            $this->NAPTR_executed = RFC7585Tests::RETVAL_NONAPTR;
            return RFC7585Tests::RETVAL_NONAPTR;
        }
        $NAPTRs_consortium = [];
        foreach ($NAPTRs as $naptr) {
            if ($naptr["services"] == $this->discoveryTag) {
                $NAPTRs_consortium[] = $naptr;
            }
        }
        if (count($NAPTRs_consortium) == 0) {
            $this->NAPTR_executed = RFC7585Tests::RETVAL_ONLYUNRELATEDNAPTR;
            return RFC7585Tests::RETVAL_ONLYUNRELATEDNAPTR;
        }
        $this->NAPTR_records = $NAPTRs_consortium;
        $this->NAPTR_executed = count($NAPTRs_consortium);
        return count($NAPTRs_consortium);
    }

    /**
     * Tests if all the discovered NAPTR entries conform to the consortium's requirements
     * 
     * possible RETVALs:
     * - RETVAL_NOTCONFIGURED; needs \config\Diagnostics::RADIUSTESTS['TLS-discoverytag']
     * - RETVAL_INVALID (at least one format error)
     * - RETVAL_OK (all fine)

     * @return int one of two RETVALs above
     */
    public function relevantNAPTRcompliance()
    {
// did we query DNS for the NAPTRs yet? If not, do so now.
        if ($this->NAPTR_executed == RFC7585Tests::RETVAL_NOTRUNYET) {
            $this->relevantNAPTR();
        }
// if the NAPTR checks aren't configured, tell the caller
        if ($this->NAPTR_executed === RADIUSTests::RETVAL_NOTCONFIGURED) {
            $this->NAPTR_compliance_executed = RADIUSTests::RETVAL_NOTCONFIGURED;
            return RADIUSTests::RETVAL_NOTCONFIGURED;
        }
// if there were no relevant NAPTR records, we are compliant :-)
        if (count($this->NAPTR_records) == 0) {
            $this->NAPTR_compliance_executed = RADIUSTests::RETVAL_OK;
            return RADIUSTests::RETVAL_OK;
        }
        $formatErrors = [];
// format of NAPTRs is consortium specific. eduroam and OpenRoaming below; 
// others need their own code
        if ($this->discoveryTag == "x-eduroam:radius.tls" || $this->discoveryTag == "aaa+auth:radius.tls.tcp") {
            foreach ($this->NAPTR_records as $edupointer) {
// must be "s" type for SRV
                if ($edupointer["flags"] != "s" && $edupointer["flags"] != "S") {
                    $formatErrors[] = ["TYPE" => "NAPTR-FLAG", "TARGET" => $edupointer['flag']];
                }
// no regex
                if (isset($edupointer["regex"]) && $edupointer["regex"] != "") {
                    $formatErrors[] = ["TYPE" => "NAPTR-REGEX", "TARGET" => $edupointer['regex']];
                }
            }
        }
        if (count($formatErrors) == 0) {
            $this->NAPTR_compliance_executed = RADIUSTests::RETVAL_OK;
            return RADIUSTests::RETVAL_OK;
        }
        $this->errorlist = array_merge($this->errorlist, $formatErrors);
        $this->NAPTR_compliance_executed = RADIUSTests::RETVAL_INVALID;
        return RADIUSTests::RETVAL_INVALID;
    }

    /**
     * Tests if NAPTR records can be resolved to SRVs. Will only run if NAPTR
     * checks completed without error.
     *
     * possible RETVALs:
     * - RETVAL_INVALID
     * - RETVAL_SKIPPED
     * 
     * @return int one of the RETVALs above or the number of SRV records which were resolved
     */
    public function relevantNAPTRsrvResolution()
    {
// see if preceding checks have been run, and run them if not
// compliance check will cascade NAPTR check on its own
        if ($this->NAPTR_compliance_executed == RFC7585Tests::RETVAL_NOTRUNYET) {
            $this->relevantNAPTRcompliance();
        }
// we only run the SRV checks if all records are compliant and more than one relevant NAPTR exists
        if ($this->NAPTR_executed <= 0 || $this->NAPTR_compliance_executed == RADIUSTests::RETVAL_INVALID) {
            $this->NAPTR_SRV_executed = RADIUSTests::RETVAL_SKIPPED;
            return RADIUSTests::RETVAL_SKIPPED;
        }
        $sRVerrors = [];
        $sRVtargets = [];
        $sRVcount = 0;

        foreach ($this->NAPTR_records as $edupointer) {
            try {
                $response = $this->resolver->query($edupointer["replacement"], 'SRV');
                $securedAnswer = $response->header->ad ?? 0;
                if ($securedAnswer == 0) {
                    $this->allResponsesSecure = FALSE;
                }
                foreach ($response->answer as $oneAnswer) {
                    $sRVtargets[] = [
                        'hostname' => $oneAnswer->target,
                        'port' => $oneAnswer->port,
                        'ad' => $securedAnswer,
                    ];
                }
            } catch (\Net_DNS2_Exception $e) {
                // NXDOMAIN is an Exception, but we don't care - no result means no result
            }
            if (count($sRVtargets) == $sRVcount) { // no new target added... defunct replacement
                $sRVerrors[] = ["TYPE" => "SRV_NOT_RESOLVING", "TARGET" => $edupointer['replacement']];
            }
            $sRVcount = count($sRVtargets);
        }
        $this->NAPTR_SRV_records = $sRVtargets;
        if (count($sRVerrors) > 0) {
            $this->NAPTR_SRV_executed = RADIUSTests::RETVAL_INVALID;
            $this->errorlist = array_merge($this->errorlist, $sRVerrors);
            return RADIUSTests::RETVAL_INVALID;
        }
        $this->NAPTR_SRV_executed = count($sRVtargets);
        return count($sRVtargets);
    }

    /**
     * Checks whether the previously discovered hostnames have actual IP addresses in DNS.
     * 
     * The actual list is stored in the class property NAPTR_hostname_records.
     * 
     * @return int count of IP / port pairs for all the hostnames
     */
    public function relevantNAPTRhostnameResolution()
    {
// make sure the previous tests have been run before we go on
// preceding tests will cascade automatically if needed
        if ($this->NAPTR_SRV_executed == RFC7585Tests::RETVAL_NOTRUNYET) {
            $this->relevantNAPTRsrvResolution();
        }
// if previous are SKIPPED, skip this one, too
        if ($this->NAPTR_SRV_executed == RADIUSTests::RETVAL_SKIPPED) {
            $this->NAPTR_hostname_executed = RADIUSTests::RETVAL_SKIPPED;
            return RADIUSTests::RETVAL_SKIPPED;
        }
// the SRV check may have returned INVALID, but could have found a
// a working subset of hosts anyway. We should continue checking all 
// discovered names.

        $ipAddrs = [];
        $resolutionErrors = [];

        $responsesUpToHereWereSecure = $this->allResponsesSecure;
        foreach ($this->NAPTR_SRV_records as $server) {
            foreach (["A", "AAAA"] as $family) {
                try {
                    $response = $this->resolver->query($server["hostname"], $family);
                    $securedAnswer = $response->header->ad ?? 0;
                    if ($securedAnswer == 0) {
                        $this->allResponsesSecure = FALSE;
                    }
                    foreach ($response->answer as $oneAnswer) {
                        if (!$oneAnswer->address) {
                            continue;
                        }
                        $ipAddrs[] = [
                            'hostname' => $server['hostname'],
                            'port' => $server['port'],
                            'family' => ($family == "A" ? "IPv4" : "IPv6"),
                            'IP' => $oneAnswer->address,
                            'securepath' => $securedAnswer && $responsesUpToHereWereSecure,
                        ];
                    }
                } catch (\Net_DNS2_Exception $e) {
                    // NXDOMAIN is an Exception, but we don't care - no result means no result
                }
            }
        }
        
        $this->NAPTR_hostname_records = $ipAddrs;
        $orphanedHostnames = [];
        foreach ($this->NAPTR_SRV_records as $srvHostnames) {
            $orphanedHostnames[$srvHostnames['hostname']] = "MISSING";
            foreach ($this->NAPTR_hostname_records as $resolvedHostnames) {
                if ($resolvedHostnames['hostname'] == $srvHostnames['hostname']) {
                    unset($orphanedHostnames[$resolvedHostnames['hostname']]);
                }
            }
        }
        foreach ($orphanedHostnames as $name => $nomatter) {
                $resolutionErrors[] = ["TYPE" => "HOST_NO_ADDRESS", "TARGET" => $name];
            }
                    
        if (count($resolutionErrors) > 0) {
            $this->errorlist = array_merge($this->errorlist, $resolutionErrors);
            $this->NAPTR_hostname_executed = RADIUSTests::RETVAL_INVALID;
            return RADIUSTests::RETVAL_INVALID;
        }
        $this->NAPTR_hostname_executed = count($this->NAPTR_hostname_records);
        $this->hostTLSprotocols();
        return count($this->NAPTR_hostname_records);
    }
    
    /**
     * Checks supported TLS protocols.
     * 
     * The actual list is stored in the class property NAPTR_hostname_records.
     * 
     * @return nothing
filter:
    dependency_paths: ["lib/*"]
     */
    private function hostTLSprotocols()
    {
        if ($this->NAPTR_SRV_executed == RFC7585Tests::RETVAL_NOTRUNYET) {
            $this->relevantNAPTRsrvResolution();
        }
        if ($this->NAPTR_hostname_executed == RFC7585Tests::RETVAL_NOTRUNYET) {
            $this->relevantNAPTRhostnameResolution();
        }
        foreach ($this->NAPTR_hostname_records as $hostindex => $addr) {
            $host = ($addr['family'] == "IPv6" ? "[" : "") . $addr['IP'] . ($addr['family'] == "IPv6" ? "]" : "") . ":" . $addr['port'];
            $this->NAPTR_hostname_records[$hostindex]['protocols'] = $this->execSslscan($hostindex, $host);
            foreach ($this->NAPTR_hostname_records[$hostindex]['protocols'] as $protocol) {
                if ($protocol['type'] == 'TLS1.3' && $protocol['enabled'] == 1) {
                    $this->NAPTR_hostname_records[$hostindex]['istls13'] = 1;
                    break;
                }
            }
        } 
    }
    
    /**
     * This function executes sslscan command
     * 
     * @param int $hostindex index of host in NAPTR_hostname_records
     * @param string $hostport    IP address:port
     * @return array supported / enabled protocols
     */
    private function execSslscan($hostindex, $host)
    {
        $this->loggerInstance->debug(4, \config\Master::PATHS['sslscan'] . " --no-heartbleed --no-fallback --connect-timeout=5 --no-ciphersuites --xml=- " . $host . "\n");
        $sslscanbabble = [];
        $result = 999; // likely to become zero by openssl; don't want to initialise to zero, could cover up exec failures
        exec(\config\Master::PATHS['sslscan'] . " --no-heartbleed --no-fallback --connect-timeout=5 --no-ciphersuites --xml=- " . $host ." 2>&1", $sslscanbabble, $result);
        $this->loggerInstance->debug(4, 'sslscan result '.implode($sslscanbabble));
        $xml = simplexml_load_string(implode($sslscanbabble));  
        $resarray = json_decode(json_encode((array)$xml),true);
        $prots = [];
        if (!isset($resarray['ssltest'])) {
            $this->NAPTR_hostname_records[$hostindex]['unavailable'] = 1;
            return $prots;
        }
        foreach ($resarray['ssltest']['protocol'] as $protocol) {
            $prots[] = 
                    ['type' => strtoupper($protocol['@attributes']['type']).$protocol['@attributes']['version'],
                            'enabled' => $protocol['@attributes']['enabled']];
        }
        return $prots;
    }
}


1			<?php
2
3			/*
4			* *****************************************************************************
5			* Contributions to this work were made on behalf of the GÉANT project, a
6			* project that has received funding from the European Union’s Framework
7			* Programme 7 under Grant Agreements No. 238875 (GN3) and No. 605243 (GN3plus),
8			* Horizon 2020 research and innovation programme under Grant Agreements No.
9			* 691567 (GN4-1) and No. 731122 (GN4-2).
10			* On behalf of the aforementioned projects, GEANT Association is the sole owner
11			* of the copyright in all material which was developed by a member of the GÉANT
12			* project. GÉANT Vereniging (Association) is registered with the Chamber of
13			* Commerce in Amsterdam with registration number 40535155 and operates in the
14			* UK as a branch of GÉANT Vereniging.
15			*
16			* Registered office: Hoekenrode 3, 1102BR Amsterdam, The Netherlands.
17			* UK branch address: City House, 126-130 Hills Road, Cambridge CB2 1PQ, UK
18			*
19			* License: see the web/copyright.inc.php file in the file structure or
20			* <base_url>/copyright.php after deploying the software
21			*/
22
23			namespace core\diag;
24
25			/**
26			* Test suite to verify that a given NAI realm has NAPTR records according to
27			* consortium-agreed criteria
28			* Can only be used if \config\Diagnostics::RADIUSTESTS is configured.
29			*
30			* @author Stefan Winter <[email protected]>
31			* @author Tomasz Wolniewicz <[email protected]>
32			* @author Maja Górecka-Wolniewicz <[email protected]>
33			*
34			* @license see LICENSE file in root directory
35			*
36			* @package Developer
37			*/
38			class RFC7585Tests extends AbstractTest
39			{
40
41			/**
42			* maintains state for the question: has the NAPTR existence check already been executed? Holds the number of NAPTR records found if so.
43			*
44			* @var integer
45			*/
46			private $NAPTR_executed;
47
48			/**
49			* maintains state for the question: has the NAPTR compliance check already been executed?
50			*
51			* @var integer
52			*/
53			private $NAPTR_compliance_executed;
54
55			/**
56			* maintains state for the question: has the NAPTR SRV check already been executed? Holds the number of SRV records if so.
57			*
58			* @var integer
59			*/
60			private $NAPTR_SRV_executed;
61
62			/**
63			* maintains state for the question: has the existrence of hostnames been checked already? Holds the number of IP:port pairs if so.
64			*
65			* @var integer
66			*/
67			private $NAPTR_hostname_executed;
68
69			/**
70			* holds the list of NAPTR records found. Exposed because we may want to
71			* double-check the replacement against NRO expectations
72			*
73			* @var array
74			*/
75			public $NAPTR_records;
76
77			/**
78			* holds the list of SRV records found
79			*
80			* @var array
81			*/
82			private $NAPTR_SRV_records;
83
84			/**
85			* stores the various errors encountered during the checks
86			*
87			* @var array
88			*/
89			private $errorlist;
90
91			/**
92			* stores the IP address / port pairs (strings) which were ultimately found
93			* as candidate RADIUS/TLS servers
94			*
95			* @var array
96			*/
97			public $NAPTR_hostname_records;
98			// return codes specific to NAPTR existence checks
99
100			/**
101			* test hasn't been run yet
102			*/
103			const RETVAL_NOTRUNYET = -1;
104
105			/**
106			* no NAPTRs for domain; this is not an error, simply means that realm is not doing dynamic discovery for any service
107			*/
108			const RETVAL_NONAPTR = -104;
109
110			/**
111			* no eduroam NAPTR for domain; this is not an error, simply means that realm is not doing dynamic discovery for eduroam
112			*/
113			const RETVAL_ONLYUNRELATEDNAPTR = -105;
114
115			/**
116			* This private variable contains the realm to be checked. Is filled in the
117			* class constructor.
118			*
119			* @var string
120			*/
121			private $realm;
122
123			/**
124			* An instance of the Net_DNS2 resolver to do lookups with
125			*
126			* @var \Net_DNS2_Resolver
127			*/
128			private $resolver;
129
130			/**
131			* maintains state whether all DNS responses were DNSSEC-secured
132			*
133			* @var bool
134			*/
135			public $allResponsesSecure;
136
137			/**
138			* the discovery tag to use for the DNS lookups
139			*
140			* @var string
141			*/
142			private $discoveryTag;
143
144			/**
145			* Initialises the dynamic discovery test instance for a specific realm that is to be tested
146			*
147			* @param string $realm the realm to be tested
148			*/
149			public function __construct(string $realm, $discoverytag = \config\Diagnostics::RADIUSTESTS['TLS-discoverytag'])
150			{
151			parent::__construct();
152			\core\common\Entity::intoThePotatoes();
153			// return codes specific to NAPTR existence checks
154			/**
155			* no NAPTRs for domain; this is not an error, simply means that realm is not doing dynamic discovery for any service
156			*/
157			$this->returnCodes[RFC7585Tests::RETVAL_NONAPTR]["message"] = _("This realm has no NAPTR records.");
158			$this->returnCodes[RFC7585Tests::RETVAL_NONAPTR]["severity"] = \core\common\Entity::L_OK;
159
160			/**
161			* no eduroam NAPTR for domain; this is not an error, simply means that realm is not doing dynamic discovery for eduroam
162			*/
163			$this->returnCodes[RFC7585Tests::RETVAL_ONLYUNRELATEDNAPTR]["message"] = _("NAPTR records were found, but all of them refer to unrelated services.");
164			$this->returnCodes[RFC7585Tests::RETVAL_ONLYUNRELATEDNAPTR]["severity"] = \core\common\Entity::L_OK;
165
166			$this->realm = $realm;
167			$this->NAPTR_executed = RFC7585Tests::RETVAL_NOTRUNYET;
168			$this->NAPTR_compliance_executed = RFC7585Tests::RETVAL_NOTRUNYET;
169			$this->NAPTR_SRV_executed = RFC7585Tests::RETVAL_NOTRUNYET;
170			$this->NAPTR_hostname_executed = RFC7585Tests::RETVAL_NOTRUNYET;
171			$this->NAPTR_records = [];
172			$this->NAPTR_SRV_records = [];
173			$this->NAPTR_hostname_records = [];
174			$this->errorlist = [];
175			\core\common\Entity::outOfThePotatoes();
176
177			$this->discoveryTag = $discoverytag;
178
179			$this->resolver = new \Net_DNS2_Resolver(
180			["dnssec_ad_flag" => true]
181			);
182			$this->allResponsesSecure = true;
183			}
184
185			/**
186			* Tests if this realm exists in DNS and has NAPTR records matching the
187			* configured consortium NAPTR target.
188			*
189			* possible RETVALs:
190			* - RETVAL_NOTCONFIGURED; needs \config\Diagnostics::RADIUSTESTS['TLS-discoverytag']
191			* - RETVAL_ONLYUNRELATEDNAPTR
192			* - RETVAL_NONAPTR
193			*
194			* @return int Either a RETVAL constant or a positive number (count of relevant NAPTR records)
195			*/
196			public function relevantNAPTR()
197			{
198			if ($this->discoveryTag == "") {
199			$this->NAPTR_executed = RADIUSTests::RETVAL_NOTCONFIGURED;
200			return RADIUSTests::RETVAL_NOTCONFIGURED;
201			}
202			$NAPTRs = [];
203			try {
204			$response = $this->resolver->query($this->realm, 'NAPTR');
205			$securedAnswer = $response->header->ad ?? 0;
206			if ($securedAnswer == 0) {
207			$this->allResponsesSecure = FALSE;
208			}
209			foreach ($response->answer as $oneAnswer) {
210			$NAPTRs[] = [
211			'services' => $oneAnswer->services,
212			'flags' => $oneAnswer->flags,
213			'regexp' => $oneAnswer->regexp,
214			'replacement' => $oneAnswer->replacement,
215			'ad' => $securedAnswer,
216			];
217			}
218			} catch (\Net_DNS2_Exception $e) {
219			// NXDOMAIN is an Exception, but we don't care - no result means no result
220			}
221			if (count($NAPTRs) == 0) {
222			$this->NAPTR_executed = RFC7585Tests::RETVAL_NONAPTR;
223			return RFC7585Tests::RETVAL_NONAPTR;
224			}
225			$NAPTRs_consortium = [];
226			foreach ($NAPTRs as $naptr) {
227			if ($naptr["services"] == $this->discoveryTag) {
228			$NAPTRs_consortium[] = $naptr;
229			}
230			}
231			if (count($NAPTRs_consortium) == 0) {
232			$this->NAPTR_executed = RFC7585Tests::RETVAL_ONLYUNRELATEDNAPTR;
233			return RFC7585Tests::RETVAL_ONLYUNRELATEDNAPTR;
234			}
235			$this->NAPTR_records = $NAPTRs_consortium;
236			$this->NAPTR_executed = count($NAPTRs_consortium);
237			return count($NAPTRs_consortium);
238			}
239
240			/**
241			* Tests if all the discovered NAPTR entries conform to the consortium's requirements
242			*
243			* possible RETVALs:
244			* - RETVAL_NOTCONFIGURED; needs \config\Diagnostics::RADIUSTESTS['TLS-discoverytag']
245			* - RETVAL_INVALID (at least one format error)
246			* - RETVAL_OK (all fine)
247
248			* @return int one of two RETVALs above
249			*/
250			public function relevantNAPTRcompliance()
251			{
252			// did we query DNS for the NAPTRs yet? If not, do so now.
253			if ($this->NAPTR_executed == RFC7585Tests::RETVAL_NOTRUNYET) {
254			$this->relevantNAPTR();
255			}
256			// if the NAPTR checks aren't configured, tell the caller
257			if ($this->NAPTR_executed === RADIUSTests::RETVAL_NOTCONFIGURED) {
258			$this->NAPTR_compliance_executed = RADIUSTests::RETVAL_NOTCONFIGURED;
259			return RADIUSTests::RETVAL_NOTCONFIGURED;
260			}
261			// if there were no relevant NAPTR records, we are compliant :-)
262			if (count($this->NAPTR_records) == 0) {
263			$this->NAPTR_compliance_executed = RADIUSTests::RETVAL_OK;
264			return RADIUSTests::RETVAL_OK;
265			}
266			$formatErrors = [];
267			// format of NAPTRs is consortium specific. eduroam and OpenRoaming below;
268			// others need their own code
269			if ($this->discoveryTag == "x-eduroam:radius.tls" \|\| $this->discoveryTag == "aaa+auth:radius.tls.tcp") {
270			foreach ($this->NAPTR_records as $edupointer) {
271			// must be "s" type for SRV
272			if ($edupointer["flags"] != "s" && $edupointer["flags"] != "S") {
273			$formatErrors[] = ["TYPE" => "NAPTR-FLAG", "TARGET" => $edupointer['flag']];
274			}
275			// no regex
276			if (isset($edupointer["regex"]) && $edupointer["regex"] != "") {
277			$formatErrors[] = ["TYPE" => "NAPTR-REGEX", "TARGET" => $edupointer['regex']];
278			}
279			}
280			}
281			if (count($formatErrors) == 0) {
282			$this->NAPTR_compliance_executed = RADIUSTests::RETVAL_OK;
283			return RADIUSTests::RETVAL_OK;
284			}
285			$this->errorlist = array_merge($this->errorlist, $formatErrors);
286			$this->NAPTR_compliance_executed = RADIUSTests::RETVAL_INVALID;
287			return RADIUSTests::RETVAL_INVALID;
288			}
289
290			/**
291			* Tests if NAPTR records can be resolved to SRVs. Will only run if NAPTR
292			* checks completed without error.
293			*
294			* possible RETVALs:
295			* - RETVAL_INVALID
296			* - RETVAL_SKIPPED
297			*
298			* @return int one of the RETVALs above or the number of SRV records which were resolved
299			*/
300			public function relevantNAPTRsrvResolution()
301			{
302			// see if preceding checks have been run, and run them if not
303			// compliance check will cascade NAPTR check on its own
304			if ($this->NAPTR_compliance_executed == RFC7585Tests::RETVAL_NOTRUNYET) {
305			$this->relevantNAPTRcompliance();
306			}
307			// we only run the SRV checks if all records are compliant and more than one relevant NAPTR exists
308			if ($this->NAPTR_executed <= 0 \|\| $this->NAPTR_compliance_executed == RADIUSTests::RETVAL_INVALID) {
309			$this->NAPTR_SRV_executed = RADIUSTests::RETVAL_SKIPPED;
310			return RADIUSTests::RETVAL_SKIPPED;
311			}
312			$sRVerrors = [];
313			$sRVtargets = [];
314			$sRVcount = 0;
315
316			foreach ($this->NAPTR_records as $edupointer) {
317			try {
318			$response = $this->resolver->query($edupointer["replacement"], 'SRV');
319			$securedAnswer = $response->header->ad ?? 0;
320			if ($securedAnswer == 0) {
321			$this->allResponsesSecure = FALSE;
322			}
323			foreach ($response->answer as $oneAnswer) {
324			$sRVtargets[] = [
325			'hostname' => $oneAnswer->target,
326			'port' => $oneAnswer->port,
327			'ad' => $securedAnswer,
328			];
329			}
330			} catch (\Net_DNS2_Exception $e) {
331			// NXDOMAIN is an Exception, but we don't care - no result means no result
332			}
333			if (count($sRVtargets) == $sRVcount) { // no new target added... defunct replacement
334			$sRVerrors[] = ["TYPE" => "SRV_NOT_RESOLVING", "TARGET" => $edupointer['replacement']];
335			}
336			$sRVcount = count($sRVtargets);
337			}
338			$this->NAPTR_SRV_records = $sRVtargets;
339			if (count($sRVerrors) > 0) {
340			$this->NAPTR_SRV_executed = RADIUSTests::RETVAL_INVALID;
341			$this->errorlist = array_merge($this->errorlist, $sRVerrors);
342			return RADIUSTests::RETVAL_INVALID;
343			}
344			$this->NAPTR_SRV_executed = count($sRVtargets);
345			return count($sRVtargets);
346			}
347
348			/**
349			* Checks whether the previously discovered hostnames have actual IP addresses in DNS.
350			*
351			* The actual list is stored in the class property NAPTR_hostname_records.
352			*
353			* @return int count of IP / port pairs for all the hostnames
354			*/
355			public function relevantNAPTRhostnameResolution()
356			{
357			// make sure the previous tests have been run before we go on
358			// preceding tests will cascade automatically if needed
359			if ($this->NAPTR_SRV_executed == RFC7585Tests::RETVAL_NOTRUNYET) {
360			$this->relevantNAPTRsrvResolution();
361			}
362			// if previous are SKIPPED, skip this one, too
363			if ($this->NAPTR_SRV_executed == RADIUSTests::RETVAL_SKIPPED) {
364			$this->NAPTR_hostname_executed = RADIUSTests::RETVAL_SKIPPED;
365			return RADIUSTests::RETVAL_SKIPPED;
366			}
367			// the SRV check may have returned INVALID, but could have found a
368			// a working subset of hosts anyway. We should continue checking all
369			// discovered names.
370
371			$ipAddrs = [];
372			$resolutionErrors = [];
373
374			$responsesUpToHereWereSecure = $this->allResponsesSecure;
375			foreach ($this->NAPTR_SRV_records as $server) {
376			foreach (["A", "AAAA"] as $family) {
377			try {
378			$response = $this->resolver->query($server["hostname"], $family);
379			$securedAnswer = $response->header->ad ?? 0;
380			if ($securedAnswer == 0) {
381			$this->allResponsesSecure = FALSE;
382			}
383			foreach ($response->answer as $oneAnswer) {
384			if (!$oneAnswer->address) {
385			continue;
386			}
387			$ipAddrs[] = [
388			'hostname' => $server['hostname'],
389			'port' => $server['port'],
390			'family' => ($family == "A" ? "IPv4" : "IPv6"),
391			'IP' => $oneAnswer->address,
392			'securepath' => $securedAnswer && $responsesUpToHereWereSecure,
393			];
394			}
395			} catch (\Net_DNS2_Exception $e) {
396			// NXDOMAIN is an Exception, but we don't care - no result means no result
397			}
398			}
399			}
400
401			$this->NAPTR_hostname_records = $ipAddrs;
402			$orphanedHostnames = [];
403			foreach ($this->NAPTR_SRV_records as $srvHostnames) {
404			$orphanedHostnames[$srvHostnames['hostname']] = "MISSING";
405			foreach ($this->NAPTR_hostname_records as $resolvedHostnames) {
406			if ($resolvedHostnames['hostname'] == $srvHostnames['hostname']) {
407			unset($orphanedHostnames[$resolvedHostnames['hostname']]);
408			}
409			}
410			}
411			foreach ($orphanedHostnames as $name => $nomatter) {
412			$resolutionErrors[] = ["TYPE" => "HOST_NO_ADDRESS", "TARGET" => $name];
413			}
414
415			if (count($resolutionErrors) > 0) {
416			$this->errorlist = array_merge($this->errorlist, $resolutionErrors);
417			$this->NAPTR_hostname_executed = RADIUSTests::RETVAL_INVALID;
418			return RADIUSTests::RETVAL_INVALID;
419			}
420			$this->NAPTR_hostname_executed = count($this->NAPTR_hostname_records);
421			$this->hostTLSprotocols();
422			return count($this->NAPTR_hostname_records);
423			}
424
425			/**
426			* Checks supported TLS protocols.
427			*
428			* The actual list is stored in the class property NAPTR_hostname_records.
429			*
430			* @return nothing
			0 ignored issues – show Bug introduced 2024-04-05 09:11 UTC by Report Bug Copy Issue Report The type `core\diag\nothing` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
431			*/
432			private function hostTLSprotocols()
433			{
434			if ($this->NAPTR_SRV_executed == RFC7585Tests::RETVAL_NOTRUNYET) {
435			$this->relevantNAPTRsrvResolution();
436			}
437			if ($this->NAPTR_hostname_executed == RFC7585Tests::RETVAL_NOTRUNYET) {
438			$this->relevantNAPTRhostnameResolution();
439			}
440			foreach ($this->NAPTR_hostname_records as $hostindex => $addr) {
441			$host = ($addr['family'] == "IPv6" ? "[" : "") . $addr['IP'] . ($addr['family'] == "IPv6" ? "]" : "") . ":" . $addr['port'];
442			$this->NAPTR_hostname_records[$hostindex]['protocols'] = $this->execSslscan($hostindex, $host);
443			foreach ($this->NAPTR_hostname_records[$hostindex]['protocols'] as $protocol) {
444			if ($protocol['type'] == 'TLS1.3' && $protocol['enabled'] == 1) {
445			$this->NAPTR_hostname_records[$hostindex]['istls13'] = 1;
446			break;
447			}
448			}
449			}
450			}
451
452			/**
453			* This function executes sslscan command
454			*
455			* @param int $hostindex index of host in NAPTR_hostname_records
456			* @param string $hostport IP address:port
457			* @return array supported / enabled protocols
458			*/
459			private function execSslscan($hostindex, $host)
460			{
461			$this->loggerInstance->debug(4, \config\Master::PATHS['sslscan'] . " --no-heartbleed --no-fallback --connect-timeout=5 --no-ciphersuites --xml=- " . $host . "\n");
462			$sslscanbabble = [];
463			$result = 999; // likely to become zero by openssl; don't want to initialise to zero, could cover up exec failures
464			exec(\config\Master::PATHS['sslscan'] . " --no-heartbleed --no-fallback --connect-timeout=5 --no-ciphersuites --xml=- " . $host ." 2>&1", $sslscanbabble, $result);
465			$this->loggerInstance->debug(4, 'sslscan result '.implode($sslscanbabble));
466			$xml = simplexml_load_string(implode($sslscanbabble));
467			$resarray = json_decode(json_encode((array)$xml),true);
468			$prots = [];
469			if (!isset($resarray['ssltest'])) {
470			$this->NAPTR_hostname_records[$hostindex]['unavailable'] = 1;
471			return $prots;
472			}
473			foreach ($resarray['ssltest']['protocol'] as $protocol) {
474			$prots[] =
475			['type' => strtoupper($protocol['@attributes']['type']).$protocol['@attributes']['version'],
476			'enabled' => $protocol['@attributes']['enabled']];
477			}
478			return $prots;
479			}
480			}
481

GEANT / CAT

Push — release_2_1 ( 8ffb06...6b1ac5 )

RFC7585Tests F

Complexity

Size/Duplication

Importance

7 Methods

How to fix Complexity

Complex Class

Duplication Side-by-Side

Filter issues like