OAuth2-Framework /
oauth2-framework
Complex classes like ClientAssertionJwt often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes. You can also have a look at the cohesion graph to spot any un-connected, or weakly-connected components.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use ClientAssertionJwt, and based on these observations, apply Extract Interface, too.
| 1 | <?php |
||
| 35 | class ClientAssertionJwt implements AuthenticationMethod |
||
| 36 | { |
||
| 37 | private const CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'; |
||
| 38 | |||
| 39 | private $jwsVerifier; |
||
| 40 | |||
| 41 | /** |
||
| 42 | * @var TrustedIssuerRepository|null |
||
| 43 | */ |
||
| 44 | private $trustedIssuerRepository = null; |
||
| 45 | |||
| 46 | /** |
||
| 47 | * @var JKUFactory|null |
||
| 48 | */ |
||
| 49 | private $jkuFactory = null; |
||
| 50 | |||
| 51 | /** |
||
| 52 | * @var JWELoader|null |
||
| 53 | */ |
||
| 54 | private $jweLoader = null; |
||
| 55 | |||
| 56 | /** |
||
| 57 | * @var JWKSet|null |
||
| 58 | */ |
||
| 59 | private $keyEncryptionKeySet = null; |
||
| 60 | |||
| 61 | /** |
||
| 62 | * @var bool |
||
| 63 | */ |
||
| 64 | private $encryptionRequired = false; |
||
| 65 | |||
| 66 | /** |
||
| 67 | * @var int |
||
| 68 | */ |
||
| 69 | private $secretLifetime; |
||
| 70 | |||
| 71 | /** |
||
| 72 | * @var HeaderCheckerManager |
||
| 73 | */ |
||
| 74 | private $headerCheckerManager; |
||
| 75 | |||
| 76 | /** |
||
| 77 | * @var ClaimCheckerManager |
||
| 78 | */ |
||
| 79 | private $claimCheckerManager; |
||
| 80 | |||
| 81 | /** |
||
| 82 | * @var JsonConverter |
||
| 83 | */ |
||
| 84 | private $jsonConverter; |
||
| 85 | |||
| 86 | public function __construct(JsonConverter $jsonConverter, JWSVerifier $jwsVerifier, HeaderCheckerManager $headerCheckerManager, ClaimCheckerManager $claimCheckerManager, int $secretLifetime = 0) |
||
| 87 | { |
||
| 88 | if ($secretLifetime < 0) { |
||
| 89 | throw new \InvalidArgumentException('The secret lifetime must be at least 0 (= unlimited).'); |
||
| 90 | } |
||
| 91 | $this->jsonConverter = $jsonConverter; |
||
| 92 | $this->jwsVerifier = $jwsVerifier; |
||
| 93 | $this->headerCheckerManager = $headerCheckerManager; |
||
| 94 | $this->claimCheckerManager = $claimCheckerManager; |
||
| 95 | $this->secretLifetime = $secretLifetime; |
||
| 96 | } |
||
| 97 | |||
| 98 | public function enableTrustedIssuerSupport(TrustedIssuerRepository $trustedIssuerRepository): void |
||
| 99 | { |
||
| 100 | $this->trustedIssuerRepository = $trustedIssuerRepository; |
||
| 101 | } |
||
| 102 | |||
| 103 | public function enableJkuSupport(JKUFactory $jkuFactory): void |
||
| 104 | { |
||
| 105 | $this->jkuFactory = $jkuFactory; |
||
| 106 | } |
||
| 107 | |||
| 108 | public function enableEncryptedAssertions(JWELoader $jweLoader, JWKSet $keyEncryptionKeySet, bool $encryptionRequired): void |
||
| 109 | { |
||
| 110 | $this->jweLoader = $jweLoader; |
||
| 111 | $this->encryptionRequired = $encryptionRequired; |
||
| 112 | $this->keyEncryptionKeySet = $keyEncryptionKeySet; |
||
| 113 | } |
||
| 114 | |||
| 115 | /** |
||
| 116 | * @return string[] |
||
| 117 | */ |
||
| 118 | public function getSupportedSignatureAlgorithms(): array |
||
| 119 | { |
||
| 120 | return $this->jwsVerifier->getSignatureAlgorithmManager()->list(); |
||
| 121 | } |
||
| 122 | |||
| 123 | /** |
||
| 124 | * @return string[] |
||
| 125 | */ |
||
| 126 | public function getSupportedContentEncryptionAlgorithms(): array |
||
| 127 | { |
||
| 128 | return null === $this->jweLoader ? [] : $this->jweLoader->getJweDecrypter()->getContentEncryptionAlgorithmManager()->list(); |
||
| 129 | } |
||
| 130 | |||
| 131 | /** |
||
| 132 | * @return string[] |
||
| 133 | */ |
||
| 134 | public function getSupportedKeyEncryptionAlgorithms(): array |
||
| 135 | { |
||
| 136 | return null === $this->jweLoader ? [] : $this->jweLoader->getJweDecrypter()->getKeyEncryptionAlgorithmManager()->list(); |
||
| 137 | } |
||
| 138 | |||
| 139 | public function getSchemesParameters(): array |
||
| 140 | { |
||
| 141 | return []; |
||
| 142 | } |
||
| 143 | |||
| 144 | public function findClientIdAndCredentials(ServerRequestInterface $request, &$clientCredentials = null): ?ClientId |
||
| 145 | { |
||
| 146 | $parameters = RequestBodyParser::parseFormUrlEncoded($request); |
||
| 147 | if (!\array_key_exists('client_assertion_type', $parameters)) { |
||
| 148 | return null; |
||
| 149 | } |
||
| 150 | $clientAssertionType = $parameters['client_assertion_type']; |
||
| 151 | |||
| 152 | if (self::CLIENT_ASSERTION_TYPE !== $clientAssertionType) { |
||
| 153 | return null; |
||
| 154 | } |
||
| 155 | if (!\array_key_exists('client_assertion', $parameters)) { |
||
| 156 | throw new OAuth2Error(400, OAuth2Error::ERROR_INVALID_REQUEST, 'Parameter "client_assertion" is missing.'); |
||
| 157 | } |
||
| 158 | |||
| 159 | try { |
||
| 160 | $client_assertion = $parameters['client_assertion']; |
||
| 161 | $client_assertion = $this->tryToDecryptClientAssertion($client_assertion); |
||
| 162 | $serializer = new CompactSerializer($this->jsonConverter); |
||
| 163 | $jws = $serializer->unserialize($client_assertion); |
||
| 164 | $this->headerCheckerManager->check($jws, 0); |
||
| 165 | $claims = $this->jsonConverter->decode($jws->getPayload()); |
||
| 166 | $this->claimCheckerManager->check($claims); |
||
| 167 | } catch (OAuth2Error $e) { |
||
| 168 | throw $e; |
||
| 169 | } catch (\Exception $e) { |
||
| 170 | throw new OAuth2Error(400, OAuth2Error::ERROR_INVALID_REQUEST, 'Unable to load, decrypt or verify the client assertion.', [], $e); |
||
| 171 | } |
||
| 172 | |||
| 173 | // FIXME: Other claims can be considered as mandatory by the server |
||
| 174 | $diff = \array_diff(['iss', 'sub', 'aud', 'exp'], \array_keys($claims)); |
||
| 175 | if (!empty($diff)) { |
||
| 176 | throw new OAuth2Error(400, OAuth2Error::ERROR_INVALID_REQUEST, \Safe\sprintf('The following claim(s) is/are mandatory: "%s".', \implode(', ', \array_values($diff)))); |
||
| 177 | } |
||
| 178 | |||
| 179 | $clientCredentials = $jws; |
||
| 180 | |||
| 181 | return new ClientId($claims['sub']); |
||
| 182 | } |
||
| 183 | |||
| 184 | private function tryToDecryptClientAssertion(string $assertion): string |
||
| 185 | { |
||
| 186 | if (null === $this->jweLoader) { |
||
| 187 | return $assertion; |
||
| 188 | } |
||
| 189 | |||
| 190 | try { |
||
| 191 | $jwe = $this->jweLoader->loadAndDecryptWithKeySet($assertion, $this->keyEncryptionKeySet, $recipient); |
||
|
|
|||
| 192 | if (1 !== $jwe->countRecipients()) { |
||
| 193 | throw new \InvalidArgumentException('The client assertion must have only one recipient.'); |
||
| 194 | } |
||
| 195 | |||
| 196 | return $jwe->getPayload(); |
||
| 197 | } catch (\Exception $e) { |
||
| 198 | if (true === $this->encryptionRequired) { |
||
| 199 | throw new OAuth2Error(400, OAuth2Error::ERROR_INVALID_REQUEST, 'The encryption of the assertion is mandatory but the decryption of the assertion failed.', [], $e); |
||
| 200 | } |
||
| 201 | |||
| 202 | return $assertion; |
||
| 203 | } |
||
| 204 | } |
||
| 205 | |||
| 206 | public function isClientAuthenticated(Client $client, $clientCredentials, ServerRequestInterface $request): bool |
||
| 207 | { |
||
| 208 | try { |
||
| 209 | if (!$clientCredentials instanceof JWS) { |
||
| 210 | return false; |
||
| 211 | } |
||
| 212 | |||
| 213 | $claims = $this->jsonConverter->decode($clientCredentials->getPayload()); |
||
| 214 | $jwkset = $this->retrieveIssuerKeySet($client, $clientCredentials, $claims); |
||
| 215 | |||
| 216 | return $this->jwsVerifier->verifyWithKeySet($clientCredentials, $jwkset, 0); |
||
| 217 | } catch (\Exception $e) { |
||
| 218 | return false; |
||
| 219 | } |
||
| 220 | } |
||
| 221 | |||
| 222 | public function getSupportedMethods(): array |
||
| 226 | |||
| 227 | public function checkClientConfiguration(DataBag $commandParameters, DataBag $validatedParameters): DataBag |
||
| 228 | { |
||
| 229 | switch ($commandParameters->get('token_endpoint_auth_method')) { |
||
| 230 | case 'client_secret_jwt': |
||
| 231 | return $this->checkClientSecretJwtConfiguration($commandParameters, $validatedParameters); |
||
| 232 | case 'private_key_jwt': |
||
| 233 | return $this->checkPrivateKeyJwtConfiguration($commandParameters, $validatedParameters); |
||
| 234 | default: |
||
| 235 | return $validatedParameters; |
||
| 236 | } |
||
| 237 | } |
||
| 238 | |||
| 239 | private function checkClientSecretJwtConfiguration(DataBag $commandParameters, DataBag $validatedParameters): DataBag |
||
| 247 | |||
| 248 | private function checkPrivateKeyJwtConfiguration(DataBag $commandParameters, DataBag $validatedParameters): DataBag |
||
| 269 | |||
| 270 | private function createClientSecret(): string |
||
| 274 | |||
| 275 | private function retrieveIssuerKeySet(Client $client, JWS $jws, array $claims): JWKSet |
||
| 296 | |||
| 297 | private function getClientKeySet(Client $client): JWKSet |
||
| 318 | } |
||
| 319 |
Loading history...
Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: