JWT - Code Metrics - Inspection of "[OpenIDConnect] JWT - up code quality (write about..." - SocialConnect/auth - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 200e3f...a25d19 )

by Дмитрий

created 2017-02-14 14:58 UTC

JWT A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	173
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	3

Test Coverage

Coverage

Importance

Changes

Metric	Value
wmc	19
c	0
b	0
f	0
lcom	1
cbo	3
dl	0
loc	173
ccs	0
cts	82
cp	0
rs	10

5 Methods

Rating	Name	Size	Complexity
A	urlsafeB64Decode()	11	2
A	__construct()	19	2
A	validate()	15	4
A	findKeyByKind()	10	3
C	verifySignature()	50	8

<?php
/**
 * @author Patsura Dmitry https://github.com/ovr <[email protected]>
 */

namespace SocialConnect\OpenIDConnect;

use SocialConnect\OpenIDConnect\Exception\InvalidJWT;
use SocialConnect\OpenIDConnect\Exception\UnsupportedSignatureAlgoritm;

class JWT
{
    /**
     * Map of supported algorithms
     *
     * @var array
     */
    public static $algorithms = array(
        // HS
        'HS256' => ['hash_hmac', MHASH_SHA256],
        'HS384' => ['hash_hmac', MHASH_SHA384],
        'HS512' => ['hash_hmac', MHASH_SHA512],
        // RS
        'RS256' => ['openssl', OPENSSL_ALGO_SHA256],
        'RS384' => ['openssl', OPENSSL_ALGO_SHA384],
        'RS512' => ['openssl', OPENSSL_ALGO_SHA512],
    );

    /**
     * @var array
     */
    protected $parts;

    /**
     * @var array
     */
    protected $header;

    /**
     * @var array
     */
    protected $payload;

    /**
     * @var string
     */
    protected $signature;

    /**
     * @param string $input
     * @return string
     */
    public static function urlsafeB64Decode($input)
    {
        $remainder = strlen($input) % 4;

        if ($remainder) {
            $padlen = 4 - $remainder;
            $input .= str_repeat('=', $padlen);
        }

        return base64_decode(strtr($input, '-_', '+/'));
    }

    /**
     * @param string $token
     * @param array $keys
     * @throws InvalidJWT
     */
    public function __construct($token, array $keys)
    {
        $parts = explode('.', $token);
        if (count($parts) !== 3) {
            throw new InvalidJWT('Wrong number of segments');
        }

        list ($header64, $payload64, $token64) = $parts;

        $headerPayload = base64_decode($header64, true);
        $this->header = json_decode($headerPayload);


        $decodedPayload = base64_decode($payload64, true);
        $this->payload = json_decode($decodedPayload);


        $this->signature = self::urlsafeB64Decode($token64);

        $this->validate("{$header64}.{$payload64}", $keys);
    }

    /**
     * @param string $data
     * @param array $keys
     * @throws InvalidJWT
     */
    protected function validate($data, array $keys)
    {
        if (!isset($this->header->alg)) {
            throw new InvalidJWT('No alg inside header');
        }

        if (!isset($this->header->kid)) {
            throw new InvalidJWT('No kid inside header');
        }

        $result = $this->verifySignature($data, $keys);
        if (!$result) {
            throw new InvalidJWT('Unexpected signature');
        }
    }

    /**
     * @param array $keys
     * @param string $kid
     * @return JWK
     * @throws \RuntimeException
     */
    protected function findKeyByKind(array $keys, $kid)
    {
        foreach ($keys as $key) {
            if ($key['kid'] === $kid) {
                return new JWK($key);
            }
        }

        throw new \RuntimeException('Unknown key');
    }

    /**
     * @return bool
     * @throws \RuntimeException
     * @throws \SocialConnect\OpenIDConnect\Exception\UnsupportedSignatureAlgoritm
     */
    protected function verifySignature($data, array $keys)
    {
        $supported = isset(self::$algorithms[$this->header->alg]);
        if (!$supported) {
            throw new UnsupportedSignatureAlgoritm($this->header->alg);
        }

        $jwk = $this->findKeyByKind($keys, $this->header->kid);

        list ($function, $signatureAlg) = self::$algorithms[$this->header->alg];
        switch ($function) {
            case 'openssl':
                if (!function_exists('openssl_verify')) {
                    throw new \RuntimeException('Openssl-ext is required to use RSA encryption.');
                }

                $result = openssl_verify(
                    $data,
                    $this->signature,
                    $jwk->getPublicKey(),
                    $signatureAlg
                );
                
                return $result == 1;
            case 'hash_hmac':
                $hash = hash_hmac($signatureAlg, $data, $jwk->getPublicKey(), true);

                /**
                 * @todo In SocialConnect/Auth 2.0 drop PHP 5.5 support and support for hash_equals emulation
                 */
                if (function_exists('hash_equals')) {
                    return hash_equals($this->signature, $hash);
                }

                if (strlen($this->signature) != strlen($hash)) {
                    return false;
                }

                $ret = 0;
                $res = $this->signature ^ $hash;

                for($i = strlen($res) - 1; $i >= 0; $i--) {

                    $ret |= ord($res[$i]);
                }

                return !$ret;
        }

        throw new UnsupportedSignatureAlgoritm($this->header->alg);
    }
}


1			<?php
2			/**
3			* @author Patsura Dmitry https://github.com/ovr <[email protected]>
4			*/
5
6			namespace SocialConnect\OpenIDConnect;
7
8			use SocialConnect\OpenIDConnect\Exception\InvalidJWT;
9			use SocialConnect\OpenIDConnect\Exception\UnsupportedSignatureAlgoritm;
10
11			class JWT
12			{
13			/**
14			* Map of supported algorithms
15			*
16			* @var array
17			*/
18			public static $algorithms = array(
19			// HS
20			'HS256' => ['hash_hmac', MHASH_SHA256],
21			'HS384' => ['hash_hmac', MHASH_SHA384],
22			'HS512' => ['hash_hmac', MHASH_SHA512],
23			// RS
24			'RS256' => ['openssl', OPENSSL_ALGO_SHA256],
25			'RS384' => ['openssl', OPENSSL_ALGO_SHA384],
26			'RS512' => ['openssl', OPENSSL_ALGO_SHA512],
27			);
28
29			/**
30			* @var array
31			*/
32			protected $parts;
33
34			/**
35			* @var array
36			*/
37			protected $header;
38
39			/**
40			* @var array
41			*/
42			protected $payload;
43
44			/**
45			* @var string
46			*/
47			protected $signature;
48
49			/**
50			* @param string $input
51			* @return string
52			*/
53			public static function urlsafeB64Decode($input)
54			{
55			$remainder = strlen($input) % 4;
56
57			if ($remainder) {
58			$padlen = 4 - $remainder;
59			$input .= str_repeat('=', $padlen);
60			}
61
62			return base64_decode(strtr($input, '-_', '+/'));
63			}
64
65			/**
66			* @param string $token
67			* @param array $keys
68			* @throws InvalidJWT
69			*/
70			public function __construct($token, array $keys)
71			{
72			$parts = explode('.', $token);
73			if (count($parts) !== 3) {
74			throw new InvalidJWT('Wrong number of segments');
75			}
76
77			list ($header64, $payload64, $token64) = $parts;
78
79			$headerPayload = base64_decode($header64, true);
80			$this->header = json_decode($headerPayload);
			0 ignored issues – show Documentation Bug introduced 2017-02-12 14:20 UTC by Report Bug Copy Issue Report It seems like `json_decode($headerPayload)` of type `*` is incompatible with the declared type `array` of property `$header`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
81
82			$decodedPayload = base64_decode($payload64, true);
83			$this->payload = json_decode($decodedPayload);
			0 ignored issues – show Documentation Bug introduced 2017-02-12 14:20 UTC by Report Bug Copy Issue Report It seems like `json_decode($decodedPayload)` of type `*` is incompatible with the declared type `array` of property `$payload`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
84
85			$this->signature = self::urlsafeB64Decode($token64);
86
87			$this->validate("{$header64}.{$payload64}", $keys);
88			}
89
90			/**
91			* @param string $data
92			* @param array $keys
93			* @throws InvalidJWT
94			*/
95			protected function validate($data, array $keys)
96			{
97			if (!isset($this->header->alg)) {
98			throw new InvalidJWT('No alg inside header');
99			}
100
101			if (!isset($this->header->kid)) {
102			throw new InvalidJWT('No kid inside header');
103			}
104
105			$result = $this->verifySignature($data, $keys);
106			if (!$result) {
107			throw new InvalidJWT('Unexpected signature');
108			}
109			}
110
111			/**
112			* @param array $keys
113			* @param string $kid
114			* @return JWK
115			* @throws \RuntimeException
116			*/
117			protected function findKeyByKind(array $keys, $kid)
118			{
119			foreach ($keys as $key) {
120			if ($key['kid'] === $kid) {
121			return new JWK($key);
122			}
123			}
124
125			throw new \RuntimeException('Unknown key');
126			}
127
128			/**
129			* @return bool
130			* @throws \RuntimeException
131			* @throws \SocialConnect\OpenIDConnect\Exception\UnsupportedSignatureAlgoritm
132			*/
133			protected function verifySignature($data, array $keys)
134			{
135			$supported = isset(self::$algorithms[$this->header->alg]);
136			if (!$supported) {
137			throw new UnsupportedSignatureAlgoritm($this->header->alg);
138			}
139
140			$jwk = $this->findKeyByKind($keys, $this->header->kid);
141
142			list ($function, $signatureAlg) = self::$algorithms[$this->header->alg];
143			switch ($function) {
144			case 'openssl':
145			if (!function_exists('openssl_verify')) {
146			throw new \RuntimeException('Openssl-ext is required to use RSA encryption.');
147			}
148
149			$result = openssl_verify(
150			$data,
151			$this->signature,
152			$jwk->getPublicKey(),
153			$signatureAlg
154			);
155
156			return $result == 1;
157			case 'hash_hmac':
158			$hash = hash_hmac($signatureAlg, $data, $jwk->getPublicKey(), true);
159
160			/**
161			* @todo In SocialConnect/Auth 2.0 drop PHP 5.5 support and support for hash_equals emulation
162			*/
163			if (function_exists('hash_equals')) {
164			return hash_equals($this->signature, $hash);
165			}
166
167			if (strlen($this->signature) != strlen($hash)) {
168			return false;
169			}
170
171			$ret = 0;
172			$res = $this->signature ^ $hash;
173
174			for($i = strlen($res) - 1; $i >= 0; $i--) {
			0 ignored issues – show Coding Style introduced 2017-02-14 15:02 UTC by Report Bug Copy Issue Report Expected 1 space after FOR keyword; 0 found Loading history...
175			$ret \|= ord($res[$i]);
176			}
177
178			return !$ret;
179			}
180
181			throw new UnsupportedSignatureAlgoritm($this->header->alg);
182			}
183			}
184

SocialConnect / auth

Push — master ( 200e3f...a25d19 )

JWT A

Complexity

Size/Duplication

Coupling/Cohesion

Test Coverage

Importance

5 Methods

Duplication Side-by-Side

Filter issues like