ClientAssertionJwt - Code Metrics - Inspection of "OIDC Support WIP" - OAuth2-Framework/oauth2-framework - Measure and Improve Code Quality continuously with Scrutinizer

Failed Conditions

Push — master ( 1325ac...02feb2 )

by Florent

created 2018-05-28 11:08 UTC

ClientAssertionJwt F

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	374
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	22

Importance

Changes

Metric	Value
wmc	62
lcom	1
cbo	22
dl	0
loc	374
rs	1.7098
c	0
b	0
f	0

18 Methods

Rating	Name	Size	Complexity
B	tryToDecryptClientAssertion()	21	5
A	isClientAuthenticated()	15	3
A	getSupportedMethods()	4	1
A	__construct()	11	2
A	enableTrustedIssuerSupport()	4	1
A	enableJkuSupport()	4	1
A	enableEncryptedAssertions()	6	1
A	getSupportedSignatureAlgorithms()	4	1
A	getSupportedContentEncryptionAlgorithms()	4	2
A	getSupportedKeyEncryptionAlgorithms()	4	2
A	getSchemesParameters()	4	1
C	findClientIdAndCredentials()	39	7
A	checkClientConfiguration()	11	3
A	processClientSecretJwtConfiguration()	8	2
C	processPrivateKeyJwtConfiguration()	41	15
A	createClientSecret()	4	1
B	retrieveIssuerKeySet()	21	6
B	getClientKeySet()	19	8

How to fix Complexity

<?php

declare(strict_types=1);

/*
 * The MIT License (MIT)
 *
 * Copyright (c) 2014-2018 Spomky-Labs
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */

namespace OAuth2Framework\Component\ClientAuthentication;

use Base64Url\Base64Url;
use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\HeaderCheckerManager;
use Jose\Component\Core\Converter\JsonConverter;
use Jose\Component\Core\JWK;
use Jose\Component\Core\JWKSet;
use Jose\Component\Encryption\JWELoader;
use Jose\Component\KeyManagement\JKUFactory;
use Jose\Component\Signature\JWS;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\CompactSerializer;
use OAuth2Framework\Component\Core\Client\Client;
use OAuth2Framework\Component\Core\Client\ClientId;
use OAuth2Framework\Component\Core\DataBag\DataBag;
use OAuth2Framework\Component\Core\Message\OAuth2Message;
use OAuth2Framework\Component\Core\TrustedIssuer\TrustedIssuerRepository;
use OAuth2Framework\Component\Core\Util\RequestBodyParser;
use Psr\Http\Message\ServerRequestInterface;

class ClientAssertionJwt implements AuthenticationMethod
{
    private const CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';

    /**
     * @var JWSVerifier
     */
    private $jwsVerifier;

    /**
     * @var null|TrustedIssuerRepository
     */
    private $trustedIssuerRepository = null;

    /**
     * @var null|JKUFactory
     */
    private $jkuFactory = null;

    /**
     * @var null|JWELoader
     */
    private $jweLoader = null;

    /**
     * @var null|JWKSet
     */
    private $keyEncryptionKeySet = null;

    /**
     * @var bool
     */
    private $encryptionRequired = false;

    /**
     * @var int
     */
    private $secretLifetime;

    /**
     * @var HeaderCheckerManager
     */
    private $headerCheckerManager;

    /**
     * @var ClaimCheckerManager
     */
    private $claimCheckerManager;

    /**
     * @var JsonConverter
     */
    private $jsonConverter;

    /**
     * ClientAssertionJwt constructor.
     *
     * @param JsonConverter        $jsonConverter
     * @param JWSVerifier          $jwsVerifier
     * @param HeaderCheckerManager $headerCheckerManager
     * @param ClaimCheckerManager  $claimCheckerManager
     * @param int                  $secretLifetime
     */
    public function __construct(JsonConverter $jsonConverter, JWSVerifier $jwsVerifier, HeaderCheckerManager $headerCheckerManager, ClaimCheckerManager $claimCheckerManager, int $secretLifetime = 0)
    {
        if ($secretLifetime < 0) {
            throw new \InvalidArgumentException('The secret lifetime must be at least 0 (= unlimited).');
        }
        $this->jsonConverter = $jsonConverter;
        $this->jwsVerifier = $jwsVerifier;
        $this->headerCheckerManager = $headerCheckerManager;
        $this->claimCheckerManager = $claimCheckerManager;
        $this->secretLifetime = $secretLifetime;
    }

    /**
     * @param TrustedIssuerRepository $trustedIssuerRepository
     */
    public function enableTrustedIssuerSupport(TrustedIssuerRepository $trustedIssuerRepository)
    {
        $this->trustedIssuerRepository = $trustedIssuerRepository;
    }

    /**
     * @param JKUFactory $jkuFactory
     */
    public function enableJkuSupport(JKUFactory $jkuFactory)
    {
        $this->jkuFactory = $jkuFactory;
    }

    /**
     * @param JWELoader $jweLoader
     * @param JWKSet    $keyEncryptionKeySet
     * @param bool      $encryptionRequired
     */
    public function enableEncryptedAssertions(JWELoader $jweLoader, JWKSet $keyEncryptionKeySet, bool $encryptionRequired)
    {
        $this->jweLoader = $jweLoader;
        $this->encryptionRequired = $encryptionRequired;
        $this->keyEncryptionKeySet = $keyEncryptionKeySet;
    }

    /**
     * @return string[]
     */
    public function getSupportedSignatureAlgorithms(): array
    {
        return $this->jwsVerifier->getSignatureAlgorithmManager()->list();
    }

    /**
     * @return string[]
     */
    public function getSupportedContentEncryptionAlgorithms(): array
    {
        return null === $this->jweLoader ? [] : $this->jweLoader->getJweDecrypter()->getContentEncryptionAlgorithmManager()->list();
    }

    /**
     * @return string[]
     */
    public function getSupportedKeyEncryptionAlgorithms(): array
    {
        return null === $this->jweLoader ? [] : $this->jweLoader->getJweDecrypter()->getKeyEncryptionAlgorithmManager()->list();
    }

    /**
     * {@inheritdoc}
     */
    public function getSchemesParameters(): array
    {
        return [];
    }

    /**
     * {@inheritdoc}
     */
    public function findClientIdAndCredentials(ServerRequestInterface $request, &$clientCredentials = null): ? ClientId
    {
        $parameters = RequestBodyParser::parseFormUrlEncoded($request);
        if (!array_key_exists('client_assertion_type', $parameters)) {
            return null;
        }
        $clientAssertionType = $parameters['client_assertion_type'];

        if (self::CLIENT_ASSERTION_TYPE !== $clientAssertionType) {
            return null;
        }
        if (!array_key_exists('client_assertion', $parameters)) {
            throw new OAuth2Message(400, OAuth2Message::ERROR_INVALID_REQUEST, 'Parameter "client_assertion" is missing.');
        }

        try {
            $client_assertion = $parameters['client_assertion'];
            $client_assertion = $this->tryToDecryptClientAssertion($client_assertion);
            $serializer = new CompactSerializer($this->jsonConverter);
            $jws = $serializer->unserialize($client_assertion);
            $this->headerCheckerManager->check($jws, 0);
            $claims = $this->jsonConverter->decode($jws->getPayload());
            $this->claimCheckerManager->check($claims);
        } catch (OAuth2Message $e) {
            throw $e;
        } catch (\Exception $e) {
            throw new OAuth2Message(400, OAuth2Message::ERROR_INVALID_REQUEST, 'Unable to load, decrypt or verify the client assertion.', [], $e);
        }

        // FIXME: Other claims can be considered as mandatory by the server
        $diff = array_diff(['iss', 'sub', 'aud', 'exp'], array_keys($claims));
        if (!empty($diff)) {
            throw new OAuth2Message(400, OAuth2Message::ERROR_INVALID_REQUEST, sprintf('The following claim(s) is/are mandatory: "%s".', implode(', ', array_values($diff))));
        }

        $clientCredentials = $jws;

        return ClientId::create($claims['sub']);
    }

    /**
     * @param string $assertion
     *
     * @return string
     *
     * @throws OAuth2Message
     */
    private function tryToDecryptClientAssertion(string $assertion): string
    {
        if (null === $this->jweLoader) {
            return $assertion;
        }

        try {
            $jwe = $this->jweLoader->loadAndDecryptWithKeySet($assertion, $this->keyEncryptionKeySet, $recipient);
/** @return stdClass|null */
function mayReturnNull() { }

function doesNotAcceptNull(stdClass $x) { }

// With potential error.
function withoutCheck() {
    $x = mayReturnNull();
    doesNotAcceptNull($x); // Potential error here.
}

// Safe - Alternative 1
function withCheck1() {
    $x = mayReturnNull();
    if ( ! $x instanceof stdClass) {
        throw new \LogicException('$x must be defined.');
    }
    doesNotAcceptNull($x);
}

// Safe - Alternative 2
function withCheck2() {
    $x = mayReturnNull();
    if ($x instanceof stdClass) {
        doesNotAcceptNull($x);
    }
}
            if (1 !== $jwe->countRecipients()) {
                throw new \InvalidArgumentException('The client assertion must have only one recipient.');
            }

            return $jwe->getPayload();
        } catch (\Exception $e) {
            if (true === $this->encryptionRequired) {
                throw new OAuth2Message(400, OAuth2Message::ERROR_INVALID_REQUEST, 'The encryption of the assertion is mandatory but the decryption of the assertion failed.', [], $e);
            }

            return $assertion;
        }
    }

    /**
     * {@inheritdoc}
     */
    public function isClientAuthenticated(Client $client, $clientCredentials, ServerRequestInterface $request): bool
    {
        try {
            if (!$clientCredentials instanceof JWS) {
                return false;
            }

            $claims = $this->jsonConverter->decode($clientCredentials->getPayload());
            $jwkset = $this->retrieveIssuerKeySet($client, $clientCredentials, $claims);

            return $this->jwsVerifier->verifyWithKeySet($clientCredentials, $jwkset, 0);
        } catch (\Exception $e) {
            return false;
        }
    }

    /**
     * {@inheritdoc}
     */
    public function getSupportedMethods(): array
    {
        return ['client_secret_jwt', 'private_key_jwt'];
    }

    /**
     * {@inheritdoc}
     */
    public function checkClientConfiguration(DataBag $commandParameters, DataBag $validatedParameters): DataBag
    {
        switch ($commandParameters->get('token_endpoint_auth_method')) {
            case 'client_secret_jwt':
                return $this->processClientSecretJwtConfiguration($commandParameters, $validatedParameters);
            case 'private_key_jwt':
                return $this->processPrivateKeyJwtConfiguration($commandParameters, $validatedParameters);
            default:
                return $validatedParameters;
        }
    }

    /**
     * @param DataBag $commandParameters
     * @param DataBag $validatedParameters
     *
     * @return DataBag
     */
    private function processClientSecretJwtConfiguration(DataBag $commandParameters, DataBag $validatedParameters): DataBag
    {
        $validatedParameters = $validatedParameters->with('token_endpoint_auth_method', $commandParameters->get('token_endpoint_auth_method'));
        $validatedParameters = $validatedParameters->with('client_secret', $this->createClientSecret());
        $validatedParameters = $validatedParameters->with('client_secret_expires_at', (0 === $this->secretLifetime ? 0 : time() + $this->secretLifetime));

        return $validatedParameters;
    }

    /**
     * @param DataBag $commandParameters
     * @param DataBag $validatedParameters
     *
     * @return DataBag
     */
    private function processPrivateKeyJwtConfiguration(DataBag $commandParameters, DataBag $validatedParameters): DataBag
    {
        switch (true) {
            case $commandParameters->has('jwks') && $commandParameters->has('jwks_uri'):
            case !$commandParameters->has('jwks') && !$commandParameters->has('jwks_uri') && null === $this->trustedIssuerRepository:
                throw new \InvalidArgumentException('Either the parameter "jwks" or "jwks_uri" must be set.');
            case !$commandParameters->has('jwks') && !$commandParameters->has('jwks_uri') && null !== $this->trustedIssuerRepository: //Allowed when trusted issuer support is set
                $validatedParameters = $validatedParameters->with('token_endpoint_auth_method', $commandParameters->get('token_endpoint_auth_method'));

                break;
            case $commandParameters->has('jwks'):
                try {
                    JWKSet::createFromKeyData($commandParameters->get('jwks'));
                } catch (\Throwable $e) {
                    throw new \InvalidArgumentException('The parameter "jwks" must be a valid JWKSet object.', 0, $e);
                }
                $validatedParameters = $validatedParameters->with('token_endpoint_auth_method', $commandParameters->get('token_endpoint_auth_method'));
                $validatedParameters = $validatedParameters->with('jwks', $commandParameters->get('jwks'));

                break;
            case $commandParameters->has('jwks_uri'):
                if (null === $this->jkuFactory) {
                    throw new \InvalidArgumentException('Distant key sets cannot be used. Please use "jwks" instead of "jwks_uri".');
                }

                try {
                    $jwks = $this->jkuFactory->loadFromUrl($commandParameters->get('jwks_uri'));
                } catch (\Exception $e) {
                    throw new \InvalidArgumentException('The parameter "jwks_uri" must be a valid uri to a JWKSet.', 0, $e);
                }
                if (0 === $jwks->count()) {
                    throw new \InvalidArgumentException('The distant key set is empty.');
                }
                $validatedParameters = $validatedParameters->with('token_endpoint_auth_method', $commandParameters->get('token_endpoint_auth_method'));
                $validatedParameters = $validatedParameters->with('jwks_uri', $commandParameters->get('jwks_uri'));

                break;
        }

        return $validatedParameters;
    }

    /**
     * @return string
     */
    private function createClientSecret(): string
    {
        return bin2hex(random_bytes(32));
    }

    /**
     * @param Client $client
     * @param JWS    $jws
     * @param array  $claims
     *
     * @return JWKSet
     */
    private function retrieveIssuerKeySet(Client $client, JWS $jws, array $claims): JWKSet
    {
        if ($claims['sub'] === $claims['iss']) { // The client is the issuer
            return $this->getClientKeySet($client);
        }

        if (null === $this->trustedIssuerRepository || null === $trustedIssuer = $this->trustedIssuerRepository->find($claims['iss'])) {
            throw new \InvalidArgumentException('Unable to retrieve the key set of the issuer.');
        }

        if (!in_array(self::CLIENT_ASSERTION_TYPE, $trustedIssuer->getAllowedAssertionTypes())) {
            throw new \InvalidArgumentException(sprintf('The assertion type "%s" is not allowed for that issuer.', self::CLIENT_ASSERTION_TYPE));
        }

        $signatureAlgorithm = $jws->getSignature(0)->getProtectedHeaderParameter('alg');
        if (!in_array($signatureAlgorithm, $trustedIssuer->getAllowedSignatureAlgorithms())) {
            throw new \InvalidArgumentException(sprintf('The signature algorithm "%s" is not allowed for that issuer.', $signatureAlgorithm));
        }

        return $trustedIssuer->getJWKSet();
    }

    /**
     * @param Client $client
     *
     * @return JWKSet
     */
    private function getClientKeySet(Client $client): JWKSet
    {
        switch (true) {
            case $client->has('jwks') && 'private_key_jwt' === $client->getTokenEndpointAuthenticationMethod():
                return JWKSet::createFromKeyData($client->get('jwks'));
            case $client->has('client_secret') && 'client_secret_jwt' === $client->getTokenEndpointAuthenticationMethod():
                $jwk = JWK::create([
                    'kty' => 'oct',
                    'use' => 'sig',
                    'k' => Base64Url::encode($client->get('client_secret')),
                ]);

                return JWKSet::createFromKeys([$jwk]);
            case $client->has('jwks_uri') && 'private_key_jwt' === $client->getTokenEndpointAuthenticationMethod() && null !== $this->jkuFactory:
                return $this->jkuFactory->loadFromUrl($client->get('jwks_uri'));
            default:
                throw new \InvalidArgumentException('The client has no key or key set.');
        }
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* The MIT License (MIT)
7			*
8			* Copyright (c) 2014-2018 Spomky-Labs
9			*
10			* This software may be modified and distributed under the terms
11			* of the MIT license. See the LICENSE file for details.
12			*/
13
14			namespace OAuth2Framework\Component\ClientAuthentication;
15
16			use Base64Url\Base64Url;
17			use Jose\Component\Checker\ClaimCheckerManager;
18			use Jose\Component\Checker\HeaderCheckerManager;
19			use Jose\Component\Core\Converter\JsonConverter;
20			use Jose\Component\Core\JWK;
21			use Jose\Component\Core\JWKSet;
22			use Jose\Component\Encryption\JWELoader;
23			use Jose\Component\KeyManagement\JKUFactory;
24			use Jose\Component\Signature\JWS;
25			use Jose\Component\Signature\JWSVerifier;
26			use Jose\Component\Signature\Serializer\CompactSerializer;
27			use OAuth2Framework\Component\Core\Client\Client;
28			use OAuth2Framework\Component\Core\Client\ClientId;
29			use OAuth2Framework\Component\Core\DataBag\DataBag;
30			use OAuth2Framework\Component\Core\Message\OAuth2Message;
31			use OAuth2Framework\Component\Core\TrustedIssuer\TrustedIssuerRepository;
32			use OAuth2Framework\Component\Core\Util\RequestBodyParser;
33			use Psr\Http\Message\ServerRequestInterface;
34
35			class ClientAssertionJwt implements AuthenticationMethod
36			{
37			private const CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
38
39			/**
40			* @var JWSVerifier
41			*/
42			private $jwsVerifier;
43
44			/**
45			* @var null\|TrustedIssuerRepository
46			*/
47			private $trustedIssuerRepository = null;
48
49			/**
50			* @var null\|JKUFactory
51			*/
52			private $jkuFactory = null;
53
54			/**
55			* @var null\|JWELoader
56			*/
57			private $jweLoader = null;
58
59			/**
60			* @var null\|JWKSet
61			*/
62			private $keyEncryptionKeySet = null;
63
64			/**
65			* @var bool
66			*/
67			private $encryptionRequired = false;
68
69			/**
70			* @var int
71			*/
72			private $secretLifetime;
73
74			/**
75			* @var HeaderCheckerManager
76			*/
77			private $headerCheckerManager;
78
79			/**
80			* @var ClaimCheckerManager
81			*/
82			private $claimCheckerManager;
83
84			/**
85			* @var JsonConverter
86			*/
87			private $jsonConverter;
88
89			/**
90			* ClientAssertionJwt constructor.
91			*
92			* @param JsonConverter $jsonConverter
93			* @param JWSVerifier $jwsVerifier
94			* @param HeaderCheckerManager $headerCheckerManager
95			* @param ClaimCheckerManager $claimCheckerManager
96			* @param int $secretLifetime
97			*/
98			public function __construct(JsonConverter $jsonConverter, JWSVerifier $jwsVerifier, HeaderCheckerManager $headerCheckerManager, ClaimCheckerManager $claimCheckerManager, int $secretLifetime = 0)
99			{
100			if ($secretLifetime < 0) {
101			throw new \InvalidArgumentException('The secret lifetime must be at least 0 (= unlimited).');
102			}
103			$this->jsonConverter = $jsonConverter;
104			$this->jwsVerifier = $jwsVerifier;
105			$this->headerCheckerManager = $headerCheckerManager;
106			$this->claimCheckerManager = $claimCheckerManager;
107			$this->secretLifetime = $secretLifetime;
108			}
109
110			/**
111			* @param TrustedIssuerRepository $trustedIssuerRepository
112			*/
113			public function enableTrustedIssuerSupport(TrustedIssuerRepository $trustedIssuerRepository)
114			{
115			$this->trustedIssuerRepository = $trustedIssuerRepository;
116			}
117
118			/**
119			* @param JKUFactory $jkuFactory
120			*/
121			public function enableJkuSupport(JKUFactory $jkuFactory)
122			{
123			$this->jkuFactory = $jkuFactory;
124			}
125
126			/**
127			* @param JWELoader $jweLoader
128			* @param JWKSet $keyEncryptionKeySet
129			* @param bool $encryptionRequired
130			*/
131			public function enableEncryptedAssertions(JWELoader $jweLoader, JWKSet $keyEncryptionKeySet, bool $encryptionRequired)
132			{
133			$this->jweLoader = $jweLoader;
134			$this->encryptionRequired = $encryptionRequired;
135			$this->keyEncryptionKeySet = $keyEncryptionKeySet;
136			}
137
138			/**
139			* @return string[]
140			*/
141			public function getSupportedSignatureAlgorithms(): array
142			{
143			return $this->jwsVerifier->getSignatureAlgorithmManager()->list();
144			}
145
146			/**
147			* @return string[]
148			*/
149			public function getSupportedContentEncryptionAlgorithms(): array
150			{
151			return null === $this->jweLoader ? [] : $this->jweLoader->getJweDecrypter()->getContentEncryptionAlgorithmManager()->list();
152			}
153
154			/**
155			* @return string[]
156			*/
157			public function getSupportedKeyEncryptionAlgorithms(): array
158			{
159			return null === $this->jweLoader ? [] : $this->jweLoader->getJweDecrypter()->getKeyEncryptionAlgorithmManager()->list();
160			}
161
162			/**
163			* {@inheritdoc}
164			*/
165			public function getSchemesParameters(): array
166			{
167			return [];
168			}
169
170			/**
171			* {@inheritdoc}
172			*/
173			public function findClientIdAndCredentials(ServerRequestInterface $request, &$clientCredentials = null): ? ClientId
174			{
175			$parameters = RequestBodyParser::parseFormUrlEncoded($request);
176			if (!array_key_exists('client_assertion_type', $parameters)) {
177			return null;
178			}
179			$clientAssertionType = $parameters['client_assertion_type'];
180
181			if (self::CLIENT_ASSERTION_TYPE !== $clientAssertionType) {
182			return null;
183			}
184			if (!array_key_exists('client_assertion', $parameters)) {
185			throw new OAuth2Message(400, OAuth2Message::ERROR_INVALID_REQUEST, 'Parameter "client_assertion" is missing.');
186			}
187
188			try {
189			$client_assertion = $parameters['client_assertion'];
190			$client_assertion = $this->tryToDecryptClientAssertion($client_assertion);
191			$serializer = new CompactSerializer($this->jsonConverter);
192			$jws = $serializer->unserialize($client_assertion);
193			$this->headerCheckerManager->check($jws, 0);
194			$claims = $this->jsonConverter->decode($jws->getPayload());
195			$this->claimCheckerManager->check($claims);
196			} catch (OAuth2Message $e) {
197			throw $e;
198			} catch (\Exception $e) {
199			throw new OAuth2Message(400, OAuth2Message::ERROR_INVALID_REQUEST, 'Unable to load, decrypt or verify the client assertion.', [], $e);
200			}
201
202			// FIXME: Other claims can be considered as mandatory by the server
203			$diff = array_diff(['iss', 'sub', 'aud', 'exp'], array_keys($claims));
204			if (!empty($diff)) {
205			throw new OAuth2Message(400, OAuth2Message::ERROR_INVALID_REQUEST, sprintf('The following claim(s) is/are mandatory: "%s".', implode(', ', array_values($diff))));
206			}
207
208			$clientCredentials = $jws;
209
210			return ClientId::create($claims['sub']);
211			}
212
213			/**
214			* @param string $assertion
215			*
216			* @return string
217			*
218			* @throws OAuth2Message
219			*/
220			private function tryToDecryptClientAssertion(string $assertion): string
221			{
222			if (null === $this->jweLoader) {
223			return $assertion;
224			}
225
226			try {
227			$jwe = $this->jweLoader->loadAndDecryptWithKeySet($assertion, $this->keyEncryptionKeySet, $recipient);
			0 ignored issues – show Bug introduced 2018-01-07 23:38 UTC by Report Bug Copy Issue Report It seems like `$this->keyEncryptionKeySet` can be `null`; however, `loadAndDecryptWithKeySet()` does not accept `null`, maybe add an additional type check? Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: /** @return stdClass\|null */ function mayReturnNull() { } function doesNotAcceptNull(stdClass $x) { } // With potential error. function withoutCheck() { $x = mayReturnNull(); doesNotAcceptNull($x); // Potential error here. } // Safe - Alternative 1 function withCheck1() { $x = mayReturnNull(); if ( ! $x instanceof stdClass) { throw new \LogicException('$x must be defined.'); } doesNotAcceptNull($x); } // Safe - Alternative 2 function withCheck2() { $x = mayReturnNull(); if ($x instanceof stdClass) { doesNotAcceptNull($x); } } Loading history...
228			if (1 !== $jwe->countRecipients()) {
229			throw new \InvalidArgumentException('The client assertion must have only one recipient.');
230			}
231
232			return $jwe->getPayload();
233			} catch (\Exception $e) {
234			if (true === $this->encryptionRequired) {
235			throw new OAuth2Message(400, OAuth2Message::ERROR_INVALID_REQUEST, 'The encryption of the assertion is mandatory but the decryption of the assertion failed.', [], $e);
236			}
237
238			return $assertion;
239			}
240			}
241
242			/**
243			* {@inheritdoc}
244			*/
245			public function isClientAuthenticated(Client $client, $clientCredentials, ServerRequestInterface $request): bool
246			{
247			try {
248			if (!$clientCredentials instanceof JWS) {
249			return false;
250			}
251
252			$claims = $this->jsonConverter->decode($clientCredentials->getPayload());
253			$jwkset = $this->retrieveIssuerKeySet($client, $clientCredentials, $claims);
254
255			return $this->jwsVerifier->verifyWithKeySet($clientCredentials, $jwkset, 0);
256			} catch (\Exception $e) {
257			return false;
258			}
259			}
260
261			/**
262			* {@inheritdoc}
263			*/
264			public function getSupportedMethods(): array
265			{
266			return ['client_secret_jwt', 'private_key_jwt'];
267			}
268
269			/**
270			* {@inheritdoc}
271			*/
272			public function checkClientConfiguration(DataBag $commandParameters, DataBag $validatedParameters): DataBag
273			{
274			switch ($commandParameters->get('token_endpoint_auth_method')) {
275			case 'client_secret_jwt':
276			return $this->processClientSecretJwtConfiguration($commandParameters, $validatedParameters);
277			case 'private_key_jwt':
278			return $this->processPrivateKeyJwtConfiguration($commandParameters, $validatedParameters);
279			default:
280			return $validatedParameters;
281			}
282			}
283
284			/**
285			* @param DataBag $commandParameters
286			* @param DataBag $validatedParameters
287			*
288			* @return DataBag
289			*/
290			private function processClientSecretJwtConfiguration(DataBag $commandParameters, DataBag $validatedParameters): DataBag
291			{
292			$validatedParameters = $validatedParameters->with('token_endpoint_auth_method', $commandParameters->get('token_endpoint_auth_method'));
293			$validatedParameters = $validatedParameters->with('client_secret', $this->createClientSecret());
294			$validatedParameters = $validatedParameters->with('client_secret_expires_at', (0 === $this->secretLifetime ? 0 : time() + $this->secretLifetime));
295
296			return $validatedParameters;
297			}
298
299			/**
300			* @param DataBag $commandParameters
301			* @param DataBag $validatedParameters
302			*
303			* @return DataBag
304			*/
305			private function processPrivateKeyJwtConfiguration(DataBag $commandParameters, DataBag $validatedParameters): DataBag
306			{
307			switch (true) {
308			case $commandParameters->has('jwks') && $commandParameters->has('jwks_uri'):
309			case !$commandParameters->has('jwks') && !$commandParameters->has('jwks_uri') && null === $this->trustedIssuerRepository:
310			throw new \InvalidArgumentException('Either the parameter "jwks" or "jwks_uri" must be set.');
311			case !$commandParameters->has('jwks') && !$commandParameters->has('jwks_uri') && null !== $this->trustedIssuerRepository: //Allowed when trusted issuer support is set
312			$validatedParameters = $validatedParameters->with('token_endpoint_auth_method', $commandParameters->get('token_endpoint_auth_method'));
313
314			break;
315			case $commandParameters->has('jwks'):
316			try {
317			JWKSet::createFromKeyData($commandParameters->get('jwks'));
318			} catch (\Throwable $e) {
319			throw new \InvalidArgumentException('The parameter "jwks" must be a valid JWKSet object.', 0, $e);
320			}
321			$validatedParameters = $validatedParameters->with('token_endpoint_auth_method', $commandParameters->get('token_endpoint_auth_method'));
322			$validatedParameters = $validatedParameters->with('jwks', $commandParameters->get('jwks'));
323
324			break;
325			case $commandParameters->has('jwks_uri'):
326			if (null === $this->jkuFactory) {
327			throw new \InvalidArgumentException('Distant key sets cannot be used. Please use "jwks" instead of "jwks_uri".');
328			}
329
330			try {
331			$jwks = $this->jkuFactory->loadFromUrl($commandParameters->get('jwks_uri'));
332			} catch (\Exception $e) {
333			throw new \InvalidArgumentException('The parameter "jwks_uri" must be a valid uri to a JWKSet.', 0, $e);
334			}
335			if (0 === $jwks->count()) {
336			throw new \InvalidArgumentException('The distant key set is empty.');
337			}
338			$validatedParameters = $validatedParameters->with('token_endpoint_auth_method', $commandParameters->get('token_endpoint_auth_method'));
339			$validatedParameters = $validatedParameters->with('jwks_uri', $commandParameters->get('jwks_uri'));
340
341			break;
342			}
343
344			return $validatedParameters;
345			}
346
347			/**
348			* @return string
349			*/
350			private function createClientSecret(): string
351			{
352			return bin2hex(random_bytes(32));
353			}
354
355			/**
356			* @param Client $client
357			* @param JWS $jws
358			* @param array $claims
359			*
360			* @return JWKSet
361			*/
362			private function retrieveIssuerKeySet(Client $client, JWS $jws, array $claims): JWKSet
363			{
364			if ($claims['sub'] === $claims['iss']) { // The client is the issuer
365			return $this->getClientKeySet($client);
366			}
367
368			if (null === $this->trustedIssuerRepository \|\| null === $trustedIssuer = $this->trustedIssuerRepository->find($claims['iss'])) {
369			throw new \InvalidArgumentException('Unable to retrieve the key set of the issuer.');
370			}
371
372			if (!in_array(self::CLIENT_ASSERTION_TYPE, $trustedIssuer->getAllowedAssertionTypes())) {
373			throw new \InvalidArgumentException(sprintf('The assertion type "%s" is not allowed for that issuer.', self::CLIENT_ASSERTION_TYPE));
374			}
375
376			$signatureAlgorithm = $jws->getSignature(0)->getProtectedHeaderParameter('alg');
377			if (!in_array($signatureAlgorithm, $trustedIssuer->getAllowedSignatureAlgorithms())) {
378			throw new \InvalidArgumentException(sprintf('The signature algorithm "%s" is not allowed for that issuer.', $signatureAlgorithm));
379			}
380
381			return $trustedIssuer->getJWKSet();
382			}
383
384			/**
385			* @param Client $client
386			*
387			* @return JWKSet
388			*/
389			private function getClientKeySet(Client $client): JWKSet
390			{
391			switch (true) {
392			case $client->has('jwks') && 'private_key_jwt' === $client->getTokenEndpointAuthenticationMethod():
393			return JWKSet::createFromKeyData($client->get('jwks'));
394			case $client->has('client_secret') && 'client_secret_jwt' === $client->getTokenEndpointAuthenticationMethod():
395			$jwk = JWK::create([
396			'kty' => 'oct',
397			'use' => 'sig',
398			'k' => Base64Url::encode($client->get('client_secret')),
399			]);
400
401			return JWKSet::createFromKeys([$jwk]);
402			case $client->has('jwks_uri') && 'private_key_jwt' === $client->getTokenEndpointAuthenticationMethod() && null !== $this->jkuFactory:
403			return $this->jkuFactory->loadFromUrl($client->get('jwks_uri'));
404			default:
405			throw new \InvalidArgumentException('The client has no key or key set.');
406			}
407			}
408			}
409

OAuth2-Framework / oauth2-framework

Push — master ( 1325ac...02feb2 )

ClientAssertionJwt F

Complexity

Size/Duplication

Coupling/Cohesion

Importance

18 Methods

How to fix Complexity

Complex Class

Duplication Side-by-Side

Filter issues like