JWT - Code Metrics - Inspection of "[OpenIDConnect] JWT - check hash-ext install" - SocialConnect/auth - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( aca7c3...f7f22d )

by Дмитрий

created 2017-02-25 03:25 UTC

JWT A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	250
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	3

Test Coverage

Coverage

17.71%

Importance

Changes

Metric	Value
wmc	33
lcom	1
cbo	3
dl	0
loc	250
ccs	17
cts	96
cp	0.1771
rs	9.3999
c	0
b	0
f	0

8 Methods

Rating	Name	Size	Complexity
A	urlsafeB64Decode()	11	2
B	decode()	34	6
A	validateHeader()	10	3
A	validate()	10	2
A	findKeyByKind()	10	3
A	__construct()	6	1
C	validateClaims()	34	7
B	verifySignature()	54	9

<?php
/**
 * @author Patsura Dmitry https://github.com/ovr <[email protected]>
 */

namespace SocialConnect\OpenIDConnect;

use DateTime;
use SocialConnect\OpenIDConnect\Exception\InvalidJWT;
use SocialConnect\OpenIDConnect\Exception\UnsupportedSignatureAlgoritm;

class JWT
{
    /**
     * When checking nbf, iat or exp
     * we provide additional time screw/leeway
     *
     * @link https://github.com/SocialConnect/auth/issues/26
     */
    public static $screw = 0;

    /**
     * Map of supported algorithms
     *
     * @var array
     */
    public static $algorithms = array(
        // HS
        'HS256' => ['hash_hmac', 'SHA256'],
        'HS384' => ['hash_hmac', 'SHA384'],
        'HS512' => ['hash_hmac', 'SHA512'],
        // RS
        'RS256' => ['openssl', 'SHA256'],
        'RS384' => ['openssl', 'SHA384'],
        'RS512' => ['openssl', 'SHA512'],
    );

    /**
     * @var array
     */
    protected $header;

    /**
     * @var array
     */
    protected $payload;

    /**
     * @var string|null
     */
    protected $signature;

    /**
     * @param string $input
     * @return string
     */
    public static function urlsafeB64Decode($input)
    {
        $remainder = strlen($input) % 4;

        if ($remainder) {
            $padlen = 4 - $remainder;
            $input .= str_repeat('=', $padlen);
        }

        return base64_decode(strtr($input, '-_', '+/'));
    }

    /**
     * @param array $payload
     * @param array $header
     * @param string|null $signature
     */
    public function __construct(array $payload, array $header, $signature = null)
    {
        $this->payload = $payload;
        $this->header = $header;
        $this->signature = $signature;
    }

    /**
     * @param string $token
     * @param array $keys
     * @return JWT
     * @throws InvalidJWT
     */
    public static function decode($token, array $keys)
    {
        $parts = explode('.', $token);
        if (count($parts) !== 3) {
            throw new InvalidJWT('Wrong number of segments');
        }

        list ($header64, $payload64, $signature64) = $parts;

        $headerPayload = base64_decode($header64);
        if (!$headerPayload) {
            throw new InvalidJWT('Cannot decode base64 from header');
        }

        $header = json_decode($headerPayload, true);
        if ($header === null) {
            throw new InvalidJWT('Cannot decode JSON from header');
        }

        $decodedPayload = base64_decode($payload64);
        if (!$decodedPayload) {
            throw new InvalidJWT('Cannot decode base64 from payload');
        }

        $payload = json_decode($decodedPayload, true);
        if ($payload === null) {
            throw new InvalidJWT('Cannot decode JSON from payload');
        }

        $token = new self($payload, $header, self::urlsafeB64Decode($signature64));
        $token->validate("{$header64}.{$payload64}", $keys);

        return $token;
    }

    protected function validateHeader()
    {
        if (!isset($this->header['alg'])) {
            throw new InvalidJWT('No alg inside header');
        }

        if (!isset($this->header['kid'])) {
            throw new InvalidJWT('No kid inside header');
        }
    }

    protected function validateClaims()
    {
        $now = time();

        /**
         * @link https://tools.ietf.org/html/rfc7519#section-4.1.5
         * "nbf" (Not Before) Claim check
         */
        if (isset($this->payload['nbf']) && $this->payload['nbf'] > ($now + self::$screw)) {
            throw new InvalidJWT(
                'nbf (Not Fefore) claim is not valid ' . date(DateTime::RFC3339, $this->payload['nbf'])
            );
        }

        /**
         * @link https://tools.ietf.org/html/rfc7519#section-4.1.6
         * "iat" (Issued At) Claim
         */
        if (isset($this->payload['iat']) && $this->payload['iat'] > ($now + self::$screw)) {
            throw new InvalidJWT(
                'iat (Issued At) claim is not valid ' . date(DateTime::RFC3339, $this->payload['iat'])
            );
        }

        /**
         * @link https://tools.ietf.org/html/rfc7519#section-4.1.4
         * "exp" (Expiration Time) Claim
         */
        if (isset($this->payload['exp']) && ($now - self::$screw) >= $this->payload['exp']) {
            throw new InvalidJWT(
                'exp (Expiration Time) claim is not valid ' . date(DateTime::RFC3339, $this->payload['exp'])
            );
        }
    }

    /**
     * @param string $data
     * @param array $keys
     * @throws InvalidJWT
     */
    protected function validate($data, array $keys)
    {
        $this->validateHeader();
        $this->validateClaims();

        $result = $this->verifySignature($data, $keys);
        if (!$result) {
            throw new InvalidJWT('Unexpected signature');
        }
    }

    /**
     * @param array $keys
     * @param string $kid
     * @return JWK
     * @throws \RuntimeException
     */
    protected function findKeyByKind(array $keys, $kid)
    {
        foreach ($keys as $key) {
            if ($key['kid'] === $kid) {
                return new JWK($key);
            }
        }

        throw new \RuntimeException('Unknown key');
    }

    /**
     * @param string $data
     * @param array $keys
     * @return bool
     * @throws UnsupportedSignatureAlgoritm
     */
    protected function verifySignature($data, array $keys)
    {
        $supported = isset(self::$algorithms[$this->header['alg']]);
        if (!$supported) {
            throw new UnsupportedSignatureAlgoritm($this->header['alg']);
        }

        $jwk = $this->findKeyByKind($keys, $this->header['kid']);

        list ($function, $signatureAlg) = self::$algorithms[$this->header['alg']];
        switch ($function) {
            case 'openssl':
                if (!function_exists('openssl_verify')) {
                    throw new \RuntimeException('Openssl-ext is required to use RS encryption.');
                }

                $result = openssl_verify(
                    $data,
                    $this->signature,
                    $jwk->getPublicKey(),
                    $signatureAlg
                );
                
                return $result == 1;
            case 'hash_hmac':
                if (!function_exists('hash_hmac')) {
                    throw new \RuntimeException('hash-ext is required to use HS encryption.');
                }

                $hash = hash_hmac($signatureAlg, $data, $jwk->getPublicKey(), true);

                /**
                 * @todo In SocialConnect/Auth 2.0 drop PHP 5.5 support and support for hash_equals emulation
                 */
                if (function_exists('hash_equals')) {
                    return hash_equals($this->signature, $hash);
                }

                if (strlen($this->signature) != strlen($hash)) {
                    return false;
                }

                $ret = 0;
                $res = $this->signature ^ $hash;

                for ($i = strlen($res) - 1; $i >= 0; $i--) {
                    $ret |= ord($res[$i]);
                }

                return !$ret;
        }

        throw new UnsupportedSignatureAlgoritm($this->header['alg']);
    }
}


1		<?php
2		/**
3		* @author Patsura Dmitry https://github.com/ovr <[email protected]>
4		*/
5
6		namespace SocialConnect\OpenIDConnect;
7
8		use DateTime;
9		use SocialConnect\OpenIDConnect\Exception\InvalidJWT;
10		use SocialConnect\OpenIDConnect\Exception\UnsupportedSignatureAlgoritm;
11
12		class JWT
13		{
14		/**
15		* When checking nbf, iat or exp
16		* we provide additional time screw/leeway
17		*
18		* @link https://github.com/SocialConnect/auth/issues/26
19		*/
20		public static $screw = 0;
21
22		/**
23		* Map of supported algorithms
24		*
25		* @var array
26		*/
27		public static $algorithms = array(
28		// HS
29		'HS256' => ['hash_hmac', 'SHA256'],
30		'HS384' => ['hash_hmac', 'SHA384'],
31		'HS512' => ['hash_hmac', 'SHA512'],
32		// RS
33		'RS256' => ['openssl', 'SHA256'],
34		'RS384' => ['openssl', 'SHA384'],
35		'RS512' => ['openssl', 'SHA512'],
36		);
37
38		/**
39		* @var array
40		*/
41		protected $header;
42
43		/**
44		* @var array
45		*/
46		protected $payload;
47
48		/**
49		* @var string\|null
50		*/
51		protected $signature;
52
53		/**
54		* @param string $input
55		* @return string
56		*/
57		public static function urlsafeB64Decode($input)
58		{
59		$remainder = strlen($input) % 4;
60
61		if ($remainder) {
62		$padlen = 4 - $remainder;
63		$input .= str_repeat('=', $padlen);
64		}
65
66		return base64_decode(strtr($input, '-_', '+/'));
67		}
68
69		/**
70		* @param array $payload
71		* @param array $header
72		* @param string\|null $signature
73		*/
74	4	public function __construct(array $payload, array $header, $signature = null)
75		{
76	4	$this->payload = $payload;
77	4	$this->header = $header;
78	4	$this->signature = $signature;
79	4	}
80
81		/**
82		* @param string $token
83		* @param array $keys
84		* @return JWT
85		* @throws InvalidJWT
86		*/
87		public static function decode($token, array $keys)
88		{
89		$parts = explode('.', $token);
90		if (count($parts) !== 3) {
91		throw new InvalidJWT('Wrong number of segments');
92		}
93
94		list ($header64, $payload64, $signature64) = $parts;
95
96		$headerPayload = base64_decode($header64);
97		if (!$headerPayload) {
98		throw new InvalidJWT('Cannot decode base64 from header');
99		}
100
101		$header = json_decode($headerPayload, true);
102		if ($header === null) {
103		throw new InvalidJWT('Cannot decode JSON from header');
104		}
105
106		$decodedPayload = base64_decode($payload64);
107		if (!$decodedPayload) {
108		throw new InvalidJWT('Cannot decode base64 from payload');
109		}
110
111		$payload = json_decode($decodedPayload, true);
112		if ($payload === null) {
113		throw new InvalidJWT('Cannot decode JSON from payload');
114		}
115
116		$token = new self($payload, $header, self::urlsafeB64Decode($signature64));
117		$token->validate("{$header64}.{$payload64}", $keys);
118
119		return $token;
120		}
121
122		protected function validateHeader()
123		{
124		if (!isset($this->header['alg'])) {
125		throw new InvalidJWT('No alg inside header');
126		}
127
128		if (!isset($this->header['kid'])) {
129		throw new InvalidJWT('No kid inside header');
130		}
131		}
132
133	4	protected function validateClaims()
134		{
135	4	$now = time();
136
137		/**
138		* @link https://tools.ietf.org/html/rfc7519#section-4.1.5
139		* "nbf" (Not Before) Claim check
140		*/
141	4	if (isset($this->payload['nbf']) && $this->payload['nbf'] > ($now + self::$screw)) {
142	1	throw new InvalidJWT(
143	1	'nbf (Not Fefore) claim is not valid ' . date(DateTime::RFC3339, $this->payload['nbf'])
144	1	);
145		}
146
147		/**
148		* @link https://tools.ietf.org/html/rfc7519#section-4.1.6
149		* "iat" (Issued At) Claim
150		*/
151	3	if (isset($this->payload['iat']) && $this->payload['iat'] > ($now + self::$screw)) {
152		throw new InvalidJWT(
153		'iat (Issued At) claim is not valid ' . date(DateTime::RFC3339, $this->payload['iat'])
154		);
155		}
156
157		/**
158		* @link https://tools.ietf.org/html/rfc7519#section-4.1.4
159		* "exp" (Expiration Time) Claim
160		*/
161	3	if (isset($this->payload['exp']) && ($now - self::$screw) >= $this->payload['exp']) {
162	1	throw new InvalidJWT(
163	1	'exp (Expiration Time) claim is not valid ' . date(DateTime::RFC3339, $this->payload['exp'])
164	1	);
165		}
166	2	}
167
168		/**
169		* @param string $data
170		* @param array $keys
171		* @throws InvalidJWT
172		*/
173		protected function validate($data, array $keys)
174		{
175		$this->validateHeader();
176		$this->validateClaims();
177
178		$result = $this->verifySignature($data, $keys);
179		if (!$result) {
180		throw new InvalidJWT('Unexpected signature');
181		}
182		}
183
184		/**
185		* @param array $keys
186		* @param string $kid
187		* @return JWK
188		* @throws \RuntimeException
189		*/
190		protected function findKeyByKind(array $keys, $kid)
191		{
192		foreach ($keys as $key) {
193		if ($key['kid'] === $kid) {
194		return new JWK($key);
195		}
196		}
197
198		throw new \RuntimeException('Unknown key');
199		}
200
201		/**
202		* @param string $data
203		* @param array $keys
204		* @return bool
205		* @throws UnsupportedSignatureAlgoritm
206		*/
207		protected function verifySignature($data, array $keys)
208		{
209		$supported = isset(self::$algorithms[$this->header['alg']]);
210		if (!$supported) {
211		throw new UnsupportedSignatureAlgoritm($this->header['alg']);
212		}
213
214		$jwk = $this->findKeyByKind($keys, $this->header['kid']);
215
216		list ($function, $signatureAlg) = self::$algorithms[$this->header['alg']];
217		switch ($function) {
218		case 'openssl':
219		if (!function_exists('openssl_verify')) {
220		throw new \RuntimeException('Openssl-ext is required to use RS encryption.');
221		}
222
223		$result = openssl_verify(
224		$data,
225		$this->signature,
226		$jwk->getPublicKey(),
227		$signatureAlg
228		);
229
230		return $result == 1;
231		case 'hash_hmac':
232		if (!function_exists('hash_hmac')) {
233		throw new \RuntimeException('hash-ext is required to use HS encryption.');
234		}
235
236		$hash = hash_hmac($signatureAlg, $data, $jwk->getPublicKey(), true);
237
238		/**
239		* @todo In SocialConnect/Auth 2.0 drop PHP 5.5 support and support for hash_equals emulation
240		*/
241		if (function_exists('hash_equals')) {
242		return hash_equals($this->signature, $hash);
243		}
244
245		if (strlen($this->signature) != strlen($hash)) {
246		return false;
247		}
248
249		$ret = 0;
250		$res = $this->signature ^ $hash;
251
252		for ($i = strlen($res) - 1; $i >= 0; $i--) {
253		$ret \|= ord($res[$i]);
254		}
255
256		return !$ret;
257		}
258
259		throw new UnsupportedSignatureAlgoritm($this->header['alg']);
260		}
261		}
262

SocialConnect / auth

Push — master ( aca7c3...f7f22d )

JWT A

Complexity

Size/Duplication

Coupling/Cohesion

Test Coverage

Importance

8 Methods

Duplication Side-by-Side

Filter issues like