ClientAssertionJwt - Code Metrics - Inspection of "Grant Types fixed" - OAuth2-Framework/oauth2-framework - Measure and Improve Code Quality continuously with Scrutinizer

Failed Conditions

Push — ng ( 0fdecc...ff414d )

by Florent

created 2018-02-01 22:51 UTC

ClientAssertionJwt A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	255
Duplicated Lines	0 %

Coupling/Cohesion

Components	3
Dependencies	4

Importance

Changes

Metric	Value
wmc	34
lcom	3
cbo	4
dl	0
loc	255
rs	9.2
c	0
b	0
f	0

12 Methods

Rating	Name	Size	Complexity
A	__construct()	11	2
A	enableEncryptedAssertions()	6	1
A	getSupportedSignatureAlgorithms()	4	1
A	getSupportedContentEncryptionAlgorithms()	4	2
A	getSupportedKeyEncryptionAlgorithms()	4	2
A	getSchemesParameters()	4	1
C	findClientIdAndCredentials()	38	7
B	tryToDecryptClientAssertion()	21	5
B	isClientAuthenticated()	25	3
A	getSupportedMethods()	4	1
C	checkClientConfiguration()	28	8
A	createClientSecret()	4	1

<?php

declare(strict_types=1);

/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014-2018 Spomky-Labs
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */

namespace OAuth2Framework\Component\TokenEndpoint\AuthenticationMethod;

use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Core\Converter\StandardConverter;
use Jose\Component\Core\JWKSet;
use Jose\Component\Encryption\JWELoader;
use Jose\Component\KeyManagement\JKUFactory;
use Jose\Component\Signature\JWS;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\CompactSerializer;
use OAuth2Framework\Component\Core\Client\Client;
use OAuth2Framework\Component\Core\Client\ClientId;
use OAuth2Framework\Component\Core\DataBag\DataBag;
use OAuth2Framework\Component\Core\Exception\OAuth2Exception;
use Psr\Http\Message\ServerRequestInterface;

final class ClientAssertionJwt implements AuthenticationMethod
{
    /**
     * @var TrustedIssuerManager
     */
    private $trustedIssuerManager;

    /**
     * @var JWSVerifier
     */
    private $jwsVerifier;

    /**
     * @var JKUFactory
     */
    private $jkuFactory;

    /**
     * @var null|JWELoader
     */
    private $jweLoader = null;

    /**
     * @var null|JWKSet
     */
    private $keyEncryptionKeySet = null;

    /**
     * @var bool
     */
    private $encryptionRequired = false;

    /**
     * @var int
     */
    private $secretLifetime;

    /**
     * @var ClaimCheckerManager
     */
    private $claimCheckerManager;

    /**
     * ClientAssertionJwt constructor.
     *
     * @param TrustedIssuerManager $trustedIssuerManager
     * @param JKUFactory           $jkuFactory
     * @param JWSVerifier          $jwsVerifier
     * @param ClaimCheckerManager  $claimCheckerManager
     * @param int                  $secretLifetime
     */
    public function __construct(TrustedIssuerManager $trustedIssuerManager, JKUFactory $jkuFactory, JWSVerifier $jwsVerifier, ClaimCheckerManager $claimCheckerManager, int $secretLifetime = 0)
    {
        if ($secretLifetime < 0) {
            throw new \InvalidArgumentException('The secret lifetime must be at least 0 (= unlimited).');
        }
        $this->trustedIssuerManager = $trustedIssuerManager;
        $this->jkuFactory = $jkuFactory;
        $this->jwsVerifier = $jwsVerifier;
        $this->claimCheckerManager = $claimCheckerManager;
        $this->secretLifetime = $secretLifetime;
    }

    /**
     * @param JWELoader $jweLoader
     * @param JWKSet    $keyEncryptionKeySet
     * @param bool      $encryptionRequired
     */
    public function enableEncryptedAssertions(JWELoader $jweLoader, JWKSet $keyEncryptionKeySet, bool $encryptionRequired)
    {
        $this->jweLoader = $jweLoader;
        $this->encryptionRequired = $encryptionRequired;
        $this->keyEncryptionKeySet = $keyEncryptionKeySet;
    }

    /**
     * @return string[]
     */
    public function getSupportedSignatureAlgorithms(): array
    {
        return $this->jwsVerifier->getSignatureAlgorithmManager()->list();
    }

    /**
     * @return string[]
     */
    public function getSupportedContentEncryptionAlgorithms(): array
    {
        return null === $this->jweLoader ? [] : $this->jweLoader->getContentEncryptionAlgorithmManager()->list();
    }

    /**
     * @return string[]
     */
    public function getSupportedKeyEncryptionAlgorithms(): array
    {
        return null === $this->jweLoader ? [] : $this->jweLoader->getKeyEncryptionAlgorithmManager()->list();
    }

    /**
     * {@inheritdoc}
     */
    public function getSchemesParameters(): array
    {
        return [];
    }

    /**
     * {@inheritdoc}
     */
    public function findClientIdAndCredentials(ServerRequestInterface $request, &$clientCredentials = null): ? ClientId
    {
        $parameters = $request->getParsedBody() ?? [];
        if (!array_key_exists('client_assertion_type', $parameters)) {
            return null;
        }
        $clientAssertionType = $parameters['client_assertion_type'];

        if ('urn:ietf:params:oauth:client-assertion-type:jwt-bearer' !== $clientAssertionType) {
            return null;
        }

        try {
            if (!array_key_exists('client_assertion', $parameters)) {
                throw new \InvalidArgumentException('Parameter "client_assertion" is missing.');
            }
            $client_assertion = $parameters['client_assertion'];
            $client_assertion = $this->tryToDecryptClientAssertion($client_assertion);
            $serializer = new CompactSerializer(new StandardConverter());
            $jws = $serializer->unserialize($client_assertion);
            if (1 !== $jws->countSignatures()) {
                throw new \InvalidArgumentException('The assertion must have only one signature.');
            }
            $claims = json_decode($jws->getPayload(), true);

            // Other claims can be considered as mandatory
            $diff = array_diff(['iss', 'sub', 'aud', 'exp'], array_keys($claims));
            if (!empty($diff)) {
                throw new \InvalidArgumentException(sprintf('The following claim(s) is/are mandatory: "%s".', implode(', ', array_values($diff))));
            }

            $clientCredentials = $jws;

            return ClientId::create($claims['sub']);
        } catch (\Exception $e) {
            throw new OAuth2Exception(400, OAuth2Exception::ERROR_INVALID_REQUEST, $e->getMessage(), $e);
        }
    }

    /**
     * @param string $assertion
     *
     * @return string
     *
     * @throws OAuth2Exception
     */
    private function tryToDecryptClientAssertion(string $assertion): string
    {
        if (null === $this->jweLoader) {
            return $assertion;
        }

        try {
            $jwe = $this->jweLoader->loadAndDecryptWithKeySet($assertion, $this->keyEncryptionKeySet, $recipient);

            if (1 !== $jwe->countRecipients()) {
                throw new \InvalidArgumentException('The client assertion must have only one recipient.');
            }

            return $jwe->getPayload();
        } catch (\Exception $e) {
            if (true === $this->encryptionRequired) {
                throw new OAuth2Exception(400, OAuth2Exception::ERROR_INVALID_REQUEST, $e->getMessage(), $e);
            }

            return $assertion;
        }
    }

    /**
     * {@inheritdoc}
     */
    public function isClientAuthenticated(Client $client, $clientCredentials, ServerRequestInterface $request): bool
    {
        try {
            /** @var JWS $jws */
            $jws = $clientCredentials;

            //Retrieve the JWKSet from the client configuration or the trusted issuer (see iss claim)
            $this->jwsVerifier->verifyWithKeySet($jws);
            // The claim checker manager should return only checked claims
            $claims = $this->claimCheckerManager->check($claims);
function someFunction() {
    $x = 5;
    echo $x;
}

            //Trusted issuers should be supported
            if ($claims['sub'] !== $claims['iss']) {
                throw new \InvalidArgumentException('The claims "sub" and "iss" must contain the client public ID.');
            }
            //Get the JWKSet depending on the client configuration and parameters
            $jwkSet = $client->getPublicKeySet();
            //Assertion::isInstanceOf($jwkSet, JWKSet::class);

            $this->jwsVerifier->verifyWithKeySet($clientCredentials, $jwkSet, $signature);

        } catch (\Exception $e) {
            return false;
        }

        return true;
    }

    /**
     * {@inheritdoc}
     */
    public function getSupportedMethods(): array
    {
        return ['client_secret_jwt', 'private_key_jwt'];
    }

    /**
     * {@inheritdoc}
     */
    public function checkClientConfiguration(DataBag $commandParameters, DataBag $validatedParameters): DataBag
    {
        if ('client_secret_jwt' === $commandParameters->get('token_endpoint_auth_method')) {
            $validatedParameters = $validatedParameters->with('client_secret', $this->createClientSecret());
            $validatedParameters = $validatedParameters->with('client_secret_expires_at', (0 === $this->secretLifetime ? 0 : time() + $this->secretLifetime));
        } elseif ('private_key_jwt' === $commandParameters->get('token_endpoint_auth_method')) {
            if (!($commandParameters->has('jwks') xor $commandParameters->has('jwks_uri'))) {
                throw new \InvalidArgumentException('The parameter "jwks" or "jwks_uri" must be set.');
            }
            if ($commandParameters->has('jwks')) {
                $jwks = JWKSet::createFromKeyData($commandParameters->get('jwks'));
                if (!$jwks instanceof JWKSet) {
if ($x instanceof DoesNotExist) {
    // Do something.
}
                    throw new \InvalidArgumentException('The parameter "jwks" must be a valid JWKSet object.');
                }
                $validatedParameters = $validatedParameters->with('jwks', $commandParameters->get('jwks'));
            } else {
                $jwks = $this->jkuFactory->loadFromUrl($commandParameters->get('jwks_uri'));
                if (empty($jwks)) {
                    throw new \InvalidArgumentException('The parameter "jwks_uri" must be a valid uri to a JWK Set and at least one key.');
                }
                $validatedParameters = $validatedParameters->with('jwks_uri', $commandParameters->get('jwks_uri'));
            }
        } else {
            throw new \InvalidArgumentException('Unsupported token endpoint authentication method.');
        }

        return $validatedParameters;
    }

    /**
     * @return string
     */
    private function createClientSecret(): string
    {
        return bin2hex(random_bytes(128));
    }
}


Push — ng ( 0fdecc...ff414d )

ClientAssertionJwt A

Complexity

Size/Duplication

Coupling/Cohesion

Importance

12 Methods

1. Missing dependencies

2. Missing use statement

1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* The MIT License (MIT)
7			*
8			* Copyright (c) 2014-2018 Spomky-Labs
9			*
10			* This software may be modified and distributed under the terms
11			* of the MIT license. See the LICENSE file for details.
12			*/
13
14			namespace OAuth2Framework\Component\TokenEndpoint\AuthenticationMethod;
15
16			use Jose\Component\Checker\ClaimCheckerManager;
17			use Jose\Component\Core\Converter\StandardConverter;
18			use Jose\Component\Core\JWKSet;
19			use Jose\Component\Encryption\JWELoader;
20			use Jose\Component\KeyManagement\JKUFactory;
21			use Jose\Component\Signature\JWS;
22			use Jose\Component\Signature\JWSVerifier;
23			use Jose\Component\Signature\Serializer\CompactSerializer;
24			use OAuth2Framework\Component\Core\Client\Client;
25			use OAuth2Framework\Component\Core\Client\ClientId;
26			use OAuth2Framework\Component\Core\DataBag\DataBag;
27			use OAuth2Framework\Component\Core\Exception\OAuth2Exception;
28			use Psr\Http\Message\ServerRequestInterface;
29
30			final class ClientAssertionJwt implements AuthenticationMethod
31			{
32			/**
33			* @var TrustedIssuerManager
34			*/
35			private $trustedIssuerManager;
36
37			/**
38			* @var JWSVerifier
39			*/
40			private $jwsVerifier;
41
42			/**
43			* @var JKUFactory
44			*/
45			private $jkuFactory;
46
47			/**
48			* @var null\|JWELoader
49			*/
50			private $jweLoader = null;
51
52			/**
53			* @var null\|JWKSet
54			*/
55			private $keyEncryptionKeySet = null;
56
57			/**
58			* @var bool
59			*/
60			private $encryptionRequired = false;
61
62			/**
63			* @var int
64			*/
65			private $secretLifetime;
66
67			/**
68			* @var ClaimCheckerManager
69			*/
70			private $claimCheckerManager;
71
72			/**
73			* ClientAssertionJwt constructor.
74			*
75			* @param TrustedIssuerManager $trustedIssuerManager
76			* @param JKUFactory $jkuFactory
77			* @param JWSVerifier $jwsVerifier
78			* @param ClaimCheckerManager $claimCheckerManager
79			* @param int $secretLifetime
80			*/
81			public function __construct(TrustedIssuerManager $trustedIssuerManager, JKUFactory $jkuFactory, JWSVerifier $jwsVerifier, ClaimCheckerManager $claimCheckerManager, int $secretLifetime = 0)
82			{
83			if ($secretLifetime < 0) {
84			throw new \InvalidArgumentException('The secret lifetime must be at least 0 (= unlimited).');
85			}
86			$this->trustedIssuerManager = $trustedIssuerManager;
87			$this->jkuFactory = $jkuFactory;
88			$this->jwsVerifier = $jwsVerifier;
89			$this->claimCheckerManager = $claimCheckerManager;
90			$this->secretLifetime = $secretLifetime;
91			}
92
93			/**
94			* @param JWELoader $jweLoader
95			* @param JWKSet $keyEncryptionKeySet
96			* @param bool $encryptionRequired
97			*/
98			public function enableEncryptedAssertions(JWELoader $jweLoader, JWKSet $keyEncryptionKeySet, bool $encryptionRequired)
99			{
100			$this->jweLoader = $jweLoader;
101			$this->encryptionRequired = $encryptionRequired;
102			$this->keyEncryptionKeySet = $keyEncryptionKeySet;
103			}
104
105			/**
106			* @return string[]
107			*/
108			public function getSupportedSignatureAlgorithms(): array
109			{
110			return $this->jwsVerifier->getSignatureAlgorithmManager()->list();
111			}
112
113			/**
114			* @return string[]
115			*/
116			public function getSupportedContentEncryptionAlgorithms(): array
117			{
118			return null === $this->jweLoader ? [] : $this->jweLoader->getContentEncryptionAlgorithmManager()->list();
119			}
120
121			/**
122			* @return string[]
123			*/
124			public function getSupportedKeyEncryptionAlgorithms(): array
125			{
126			return null === $this->jweLoader ? [] : $this->jweLoader->getKeyEncryptionAlgorithmManager()->list();
127			}
128
129			/**
130			* {@inheritdoc}
131			*/
132			public function getSchemesParameters(): array
133			{
134			return [];
135			}
136
137			/**
138			* {@inheritdoc}
139			*/
140			public function findClientIdAndCredentials(ServerRequestInterface $request, &$clientCredentials = null): ? ClientId
141			{
142			$parameters = $request->getParsedBody() ?? [];
143			if (!array_key_exists('client_assertion_type', $parameters)) {
144			return null;
145			}
146			$clientAssertionType = $parameters['client_assertion_type'];
147
148			if ('urn:ietf:params:oauth:client-assertion-type:jwt-bearer' !== $clientAssertionType) {
149			return null;
150			}
151
152			try {
153			if (!array_key_exists('client_assertion', $parameters)) {
154			throw new \InvalidArgumentException('Parameter "client_assertion" is missing.');
155			}
156			$client_assertion = $parameters['client_assertion'];
157			$client_assertion = $this->tryToDecryptClientAssertion($client_assertion);
158			$serializer = new CompactSerializer(new StandardConverter());
159			$jws = $serializer->unserialize($client_assertion);
160			if (1 !== $jws->countSignatures()) {
161			throw new \InvalidArgumentException('The assertion must have only one signature.');
162			}
163			$claims = json_decode($jws->getPayload(), true);
164
165			// Other claims can be considered as mandatory
166			$diff = array_diff(['iss', 'sub', 'aud', 'exp'], array_keys($claims));
167			if (!empty($diff)) {
168			throw new \InvalidArgumentException(sprintf('The following claim(s) is/are mandatory: "%s".', implode(', ', array_values($diff))));
169			}
170
171			$clientCredentials = $jws;
172
173			return ClientId::create($claims['sub']);
174			} catch (\Exception $e) {
175			throw new OAuth2Exception(400, OAuth2Exception::ERROR_INVALID_REQUEST, $e->getMessage(), $e);
176			}
177			}
178
179			/**
180			* @param string $assertion
181			*
182			* @return string
183			*
184			* @throws OAuth2Exception
185			*/
186			private function tryToDecryptClientAssertion(string $assertion): string
187			{
188			if (null === $this->jweLoader) {
189			return $assertion;
190			}
191
192			try {
193			$jwe = $this->jweLoader->loadAndDecryptWithKeySet($assertion, $this->keyEncryptionKeySet, $recipient);
			0 ignored issues – show Bug introduced 2018-01-16 21:32 UTC by Report Bug Copy Issue Report The variable `$recipient` does not exist. Did you forget to declare it? This check marks access to variables or properties that have not been declared yet. While PHP has no explicit notion of declaring a variable, accessing it before a value is assigned to it is most likely a bug. Loading history...
194			if (1 !== $jwe->countRecipients()) {
195			throw new \InvalidArgumentException('The client assertion must have only one recipient.');
196			}
197
198			return $jwe->getPayload();
199			} catch (\Exception $e) {
200			if (true === $this->encryptionRequired) {
201			throw new OAuth2Exception(400, OAuth2Exception::ERROR_INVALID_REQUEST, $e->getMessage(), $e);
202			}
203
204			return $assertion;
205			}
206			}
207
208			/**
209			* {@inheritdoc}
210			*/
211			public function isClientAuthenticated(Client $client, $clientCredentials, ServerRequestInterface $request): bool
212			{
213			try {
214			/** @var JWS $jws */
215			$jws = $clientCredentials;
216
217			//Retrieve the JWKSet from the client configuration or the trusted issuer (see iss claim)
218			$this->jwsVerifier->verifyWithKeySet($jws);
219			// The claim checker manager should return only checked claims
220			$claims = $this->claimCheckerManager->check($claims);
			0 ignored issues – show Bug introduced 2018-01-20 13:12 UTC by Report Bug Copy Issue Report The variable `$claims` seems only to be defined at a later point. Did you maybe move this code here without moving the variable definition? This error can happen if you refactor code and forget to move the variable initialization. Let’s take a look at a simple example: function someFunction() { $x = 5; echo $x; } The above code is perfectly fine. Now imagine that we re-order the statements: function someFunction() { echo $x; $x = 5; } In that case, `$x` would be read before it is initialized. This was a very basic example, however the principle is the same for the found issue. Loading history...
221
222			//Trusted issuers should be supported
223			if ($claims['sub'] !== $claims['iss']) {
224			throw new \InvalidArgumentException('The claims "sub" and "iss" must contain the client public ID.');
225			}
226			//Get the JWKSet depending on the client configuration and parameters
227			$jwkSet = $client->getPublicKeySet();
228			//Assertion::isInstanceOf($jwkSet, JWKSet::class);
			0 ignored issues – show Unused Code Comprehensibility introduced 2018-01-30 12:08 UTC by Report Bug Copy Issue Report `59%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
229			$this->jwsVerifier->verifyWithKeySet($clientCredentials, $jwkSet, $signature);
			0 ignored issues – show Bug introduced 2018-01-30 12:08 UTC by Report Bug Copy Issue Report The variable `$signature` does not exist. Did you forget to declare it? This check marks access to variables or properties that have not been declared yet. While PHP has no explicit notion of declaring a variable, accessing it before a value is assigned to it is most likely a bug. Loading history...
230			} catch (\Exception $e) {
231			return false;
232			}
233
234			return true;
235			}
236
237			/**
238			* {@inheritdoc}
239			*/
240			public function getSupportedMethods(): array
241			{
242			return ['client_secret_jwt', 'private_key_jwt'];
243			}
244
245			/**
246			* {@inheritdoc}
247			*/
248			public function checkClientConfiguration(DataBag $commandParameters, DataBag $validatedParameters): DataBag
249			{
250			if ('client_secret_jwt' === $commandParameters->get('token_endpoint_auth_method')) {
251			$validatedParameters = $validatedParameters->with('client_secret', $this->createClientSecret());
252			$validatedParameters = $validatedParameters->with('client_secret_expires_at', (0 === $this->secretLifetime ? 0 : time() + $this->secretLifetime));
253			} elseif ('private_key_jwt' === $commandParameters->get('token_endpoint_auth_method')) {
254			if (!($commandParameters->has('jwks') xor $commandParameters->has('jwks_uri'))) {
255			throw new \InvalidArgumentException('The parameter "jwks" or "jwks_uri" must be set.');
256			}
257			if ($commandParameters->has('jwks')) {
258			$jwks = JWKSet::createFromKeyData($commandParameters->get('jwks'));
259			if (!$jwks instanceof JWKSet) {
			0 ignored issues – show Bug introduced 2018-01-30 12:13 UTC by Report Bug Copy Issue Report The class `Jose\Component\Core\JWKSet` does not exist. Did you forget a USE statement, or did you not list all dependencies? This error could be the result of: 1. Missing dependencies PHP Analyzer uses your `composer.json` file (if available) to determine the dependencies of your project and to determine all the available classes and functions. It expects the `composer.json` to be in the root folder of your repository. Are you sure this class is defined by one of your dependencies, or did you maybe not list a dependency in either the `require` or `require-dev` section? 2. Missing use statement PHP does not complain about undefined classes in `ìnstanceof` checks. For example, the following PHP code will work perfectly fine: if ($x instanceof DoesNotExist) { // Do something. } If you have not tested against this specific condition, such errors might go unnoticed. Loading history...
260			throw new \InvalidArgumentException('The parameter "jwks" must be a valid JWKSet object.');
261			}
262			$validatedParameters = $validatedParameters->with('jwks', $commandParameters->get('jwks'));
263			} else {
264			$jwks = $this->jkuFactory->loadFromUrl($commandParameters->get('jwks_uri'));
265			if (empty($jwks)) {
266			throw new \InvalidArgumentException('The parameter "jwks_uri" must be a valid uri to a JWK Set and at least one key.');
267			}
268			$validatedParameters = $validatedParameters->with('jwks_uri', $commandParameters->get('jwks_uri'));
269			}
270			} else {
271			throw new \InvalidArgumentException('Unsupported token endpoint authentication method.');
272			}
273
274			return $validatedParameters;
275			}
276
277			/**
278			* @return string
279			*/
280			private function createClientSecret(): string
281			{
282			return bin2hex(random_bytes(128));
283			}
284			}
285

OAuth2-Framework / oauth2-framework

Push — ng ( 0fdecc...ff414d )

ClientAssertionJwt A

Complexity

Size/Duplication

Coupling/Cohesion

Importance

12 Methods

1. Missing dependencies

2. Missing use statement

Duplication Side-by-Side

Filter issues like