Issues in Verify.php (master) - Issues in master - TheRakeshPurohit/rtCamp - Measure and Improve Code Quality continuously with Scrutinizer

Issues (96)

lib/Google/AccessToken/Verify.php (12 issues)

Labels

Severity

<?php

/*
 * Copyright 2008 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

use Firebase\JWT\ExpiredException as ExpiredExceptionV3;
use Firebase\JWT\SignatureInvalidException;
use GuzzleHttp\Client;
use GuzzleHttp\ClientInterface;
use Psr\Cache\CacheItemPoolInterface;
use Google\Auth\Cache\MemoryCacheItemPool;
use Stash\Driver\FileSystem;
filter:
    dependency_paths: ["lib/*"]
use Stash\Pool;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php

/**
 * Wrapper around Google Access Tokens which provides convenience functions
 *
 */
class Google_AccessToken_Verify
{
  const FEDERATED_SIGNON_CERT_URL = 'https://www.googleapis.com/oauth2/v3/certs';
  const OAUTH2_ISSUER = 'accounts.google.com';
  const OAUTH2_ISSUER_HTTPS = 'https://accounts.google.com';

  /**
   * @var GuzzleHttp\ClientInterface The http client
   */
  private $http;

  /**
   * @var Psr\Cache\CacheItemPoolInterface cache class
   */
  private $cache;

  /**
   * Instantiates the class, but does not initiate the login flow, leaving it
   * to the discretion of the caller.
   */
  public function __construct(
      ClientInterface $http = null,
      CacheItemPoolInterface $cache = null,
      $jwt = null
  ) {
    if (null === $http) {
      $http = new Client();
    }

    if (null === $cache) {
      $cache = new MemoryCacheItemPool;
    }

    $this->http = $http;
    $this->cache = $cache;
    $this->jwt = $jwt ?: $this->getJwtService();

  }

  /**
   * Verifies an id token and returns the authenticated apiLoginTicket.
   * Throws an exception if the id token is not valid.
   * The audience parameter can be used to control which id tokens are
   * accepted.  By default, the id token must have been issued to this OAuth2 client.
   *
   * @param $audience
   * @return array the token payload, if successful
   */
  public function verifyIdToken($idToken, $audience = null)
  {
    if (empty($idToken)) {
      throw new LogicException('id_token cannot be null');
    }

    // set phpseclib constants if applicable
    $this->setPhpsecConstants();

    // Check signature
    $certs = $this->getFederatedSignOnCerts();
    foreach ($certs as $cert) {
      $bigIntClass = $this->getBigIntClass();
      $rsaClass = $this->getRsaClass();
      $modulus = new $bigIntClass($this->jwt->urlsafeB64Decode($cert['n']), 256);
      $exponent = new $bigIntClass($this->jwt->urlsafeB64Decode($cert['e']), 256);

      $rsa = new $rsaClass();
      $rsa->loadKey(array('n' => $modulus, 'e' => $exponent));

      try {
        $payload = $this->jwt->decode(
            $idToken,
            $rsa->getPublicKey(),
            array('RS256')
        );

        if (property_exists($payload, 'aud')) {
          if ($audience && $payload->aud != $audience) {
            return false;

          }
        }

        // support HTTP and HTTPS issuers
        // @see https://developers.google.com/identity/sign-in/web/backend-auth
        $issuers = array(self::OAUTH2_ISSUER, self::OAUTH2_ISSUER_HTTPS);
        if (!isset($payload->iss) || !in_array($payload->iss, $issuers)) {
          return false;

        }

        return (array) $payload;
      } catch (ExpiredException $e) {
filter:
    dependency_paths: ["lib/*"]
        return false;

      } catch (ExpiredExceptionV3 $e) {
        return false;

      } catch (SignatureInvalidException $e) {
        // continue
      } catch (DomainException $e) {
        // continue
      }
    }

    return false;

  }

  private function getCache()
  {
    return $this->cache;
  }

  /**
   * Retrieve and cache a certificates file.
   *
   * @param $url string location
   * @throws Google_Exception
   * @return array certificates
   */
  private function retrieveCertsFromLocation($url)
  {
    // If we're retrieving a local file, just grab it.
    if (0 !== strpos($url, 'http')) {
      if (!$file = file_get_contents($url)) {
        throw new Google_Exception(
            "Failed to retrieve verification certificates: '" .
            $url . "'."
        );
      }

      return json_decode($file, true);
    }

    $response = $this->http->get($url);

    if ($response->getStatusCode() == 200) {
      return json_decode((string) $response->getBody(), true);
    }
    throw new Google_Exception(
        sprintf(
            'Failed to retrieve verification certificates: "%s".',
            $response->getBody()->getContents()
        ),
        $response->getStatusCode()
    );
  }

  // Gets federated sign-on certificates to use for verifying identity tokens.
  // Returns certs as array structure, where keys are key ids, and values
  // are PEM encoded certificates.
  private function getFederatedSignOnCerts()
  {
    $certs = null;
    if ($cache = $this->getCache()) {
      $cacheItem = $cache->getItem('federated_signon_certs_v3');
      $certs = $cacheItem->get();
    }


    if (!$certs) {
      $certs = $this->retrieveCertsFromLocation(
          self::FEDERATED_SIGNON_CERT_URL
      );

      if ($cache) {

        $cacheItem->expiresAt(new DateTime('+1 hour'));

        $cacheItem->set($certs);
        $cache->save($cacheItem);
      }
    }

    if (!isset($certs['keys'])) {
      throw new InvalidArgumentException(
          'federated sign-on certs expects "keys" to be set'
      );
    }

    return $certs['keys'];
  }

  private function getJwtService()
  {
    $jwtClass = 'JWT';
    if (class_exists('\Firebase\JWT\JWT')) {
      $jwtClass = 'Firebase\JWT\JWT';
    }

    if (property_exists($jwtClass, 'leeway') && $jwtClass::$leeway < 1) {
      // Ensures JWT leeway is at least 1
      // @see https://github.com/google/google-api-php-client/issues/827
      $jwtClass::$leeway = 1;
    }

    return new $jwtClass;
  }

  private function getRsaClass()
  {
    if (class_exists('phpseclib\Crypt\RSA')) {
      return 'phpseclib\Crypt\RSA';
    }

    return 'Crypt_RSA';
  }

  private function getBigIntClass()
  {
    if (class_exists('phpseclib\Math\BigInteger')) {
      return 'phpseclib\Math\BigInteger';
    }

    return 'Math_BigInteger';
  }

  private function getOpenSslConstant()
  {
    if (class_exists('phpseclib\Crypt\RSA')) {
      return 'phpseclib\Crypt\RSA::MODE_OPENSSL';
    }

    if (class_exists('Crypt_RSA')) {
      return 'CRYPT_RSA_MODE_OPENSSL';
    }

    throw new \Exception('Cannot find RSA class');
  }

  /**
   * phpseclib calls "phpinfo" by default, which requires special
   * whitelisting in the AppEngine VM environment. This function
   * sets constants to bypass the need for phpseclib to check phpinfo
   *
   * @see phpseclib/Math/BigInteger
   * @see https://github.com/GoogleCloudPlatform/getting-started-php/issues/85
   */
  private function setPhpsecConstants()
  {
    if (filter_var(getenv('GAE_VM'), FILTER_VALIDATE_BOOLEAN)) {
      if (!defined('MATH_BIGINTEGER_OPENSSL_ENABLED')) {
        define('MATH_BIGINTEGER_OPENSSL_ENABLED', true);
      }
      if (!defined('CRYPT_RSA_MODE')) {
        define('CRYPT_RSA_MODE', constant($this->getOpenSslConstant()));
      }
    }
  }
}


1			<?php
2
3			/*
4			* Copyright 2008 Google Inc.
5			*
6			* Licensed under the Apache License, Version 2.0 (the "License");
7			* you may not use this file except in compliance with the License.
8			* You may obtain a copy of the License at
9			*
10			* http://www.apache.org/licenses/LICENSE-2.0
11			*
12			* Unless required by applicable law or agreed to in writing, software
13			* distributed under the License is distributed on an "AS IS" BASIS,
14			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15			* See the License for the specific language governing permissions and
16			* limitations under the License.
17			*/
18
19			use Firebase\JWT\ExpiredException as ExpiredExceptionV3;
20			use Firebase\JWT\SignatureInvalidException;
21			use GuzzleHttp\Client;
22			use GuzzleHttp\ClientInterface;
23			use Psr\Cache\CacheItemPoolInterface;
24			use Google\Auth\Cache\MemoryCacheItemPool;
25			use Stash\Driver\FileSystem;
			0 ignored issues – show Bug introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `Stash\Driver\FileSystem` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
26			use Stash\Pool;
			0 ignored issues – show Bug introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `Pool`. Consider defining an alias. Let?s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let?s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history... Bug introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `Stash\Pool` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
27
28			/**
29			* Wrapper around Google Access Tokens which provides convenience functions
30			*
31			*/
32			class Google_AccessToken_Verify
33			{
34			const FEDERATED_SIGNON_CERT_URL = 'https://www.googleapis.com/oauth2/v3/certs';
35			const OAUTH2_ISSUER = 'accounts.google.com';
36			const OAUTH2_ISSUER_HTTPS = 'https://accounts.google.com';
37
38			/**
39			* @var GuzzleHttp\ClientInterface The http client
40			*/
41			private $http;
42
43			/**
44			* @var Psr\Cache\CacheItemPoolInterface cache class
45			*/
46			private $cache;
47
48			/**
49			* Instantiates the class, but does not initiate the login flow, leaving it
50			* to the discretion of the caller.
51			*/
52			public function __construct(
53			ClientInterface $http = null,
54			CacheItemPoolInterface $cache = null,
55			$jwt = null
56			) {
57			if (null === $http) {
58			$http = new Client();
59			}
60
61			if (null === $cache) {
62			$cache = new MemoryCacheItemPool;
63			}
64
65			$this->http = $http;
66			$this->cache = $cache;
67			$this->jwt = $jwt ?: $this->getJwtService();
			0 ignored issues – show Bug Best Practice introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `jwt` does not exist. Although not strictly required by PHP, it is generally a best practice to declare properties explicitly. Loading history...
68			}
69
70			/**
71			* Verifies an id token and returns the authenticated apiLoginTicket.
72			* Throws an exception if the id token is not valid.
73			* The audience parameter can be used to control which id tokens are
74			* accepted. By default, the id token must have been issued to this OAuth2 client.
75			*
76			* @param $audience
77			* @return array the token payload, if successful
78			*/
79			public function verifyIdToken($idToken, $audience = null)
80			{
81			if (empty($idToken)) {
82			throw new LogicException('id_token cannot be null');
83			}
84
85			// set phpseclib constants if applicable
86			$this->setPhpsecConstants();
87
88			// Check signature
89			$certs = $this->getFederatedSignOnCerts();
90			foreach ($certs as $cert) {
91			$bigIntClass = $this->getBigIntClass();
92			$rsaClass = $this->getRsaClass();
93			$modulus = new $bigIntClass($this->jwt->urlsafeB64Decode($cert['n']), 256);
94			$exponent = new $bigIntClass($this->jwt->urlsafeB64Decode($cert['e']), 256);
95
96			$rsa = new $rsaClass();
97			$rsa->loadKey(array('n' => $modulus, 'e' => $exponent));
98
99			try {
100			$payload = $this->jwt->decode(
101			$idToken,
102			$rsa->getPublicKey(),
103			array('RS256')
104			);
105
106			if (property_exists($payload, 'aud')) {
107			if ($audience && $payload->aud != $audience) {
108			return false;
			0 ignored issues – show Bug Best Practice introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return false` returns the type `false` which is incompatible with the documented return type `array`. Loading history...
109			}
110			}
111
112			// support HTTP and HTTPS issuers
113			// @see https://developers.google.com/identity/sign-in/web/backend-auth
114			$issuers = array(self::OAUTH2_ISSUER, self::OAUTH2_ISSUER_HTTPS);
115			if (!isset($payload->iss) \|\| !in_array($payload->iss, $issuers)) {
116			return false;
			0 ignored issues – show Bug Best Practice introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return false` returns the type `false` which is incompatible with the documented return type `array`. Loading history...
117			}
118
119			return (array) $payload;
120			} catch (ExpiredException $e) {
			0 ignored issues – show Bug introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `ExpiredException` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
121			return false;
			0 ignored issues – show Bug Best Practice introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return false` returns the type `false` which is incompatible with the documented return type `array`. Loading history...
122			} catch (ExpiredExceptionV3 $e) {
123			return false;
			0 ignored issues – show Bug Best Practice introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return false` returns the type `false` which is incompatible with the documented return type `array`. Loading history...
124			} catch (SignatureInvalidException $e) {
125			// continue
126			} catch (DomainException $e) {
127			// continue
128			}
129			}
130
131			return false;
			0 ignored issues – show Bug Best Practice introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return false` returns the type `false` which is incompatible with the documented return type `array`. Loading history...
132			}
133
134			private function getCache()
135			{
136			return $this->cache;
137			}
138
139			/**
140			* Retrieve and cache a certificates file.
141			*
142			* @param $url string location
143			* @throws Google_Exception
144			* @return array certificates
145			*/
146			private function retrieveCertsFromLocation($url)
147			{
148			// If we're retrieving a local file, just grab it.
149			if (0 !== strpos($url, 'http')) {
150			if (!$file = file_get_contents($url)) {
151			throw new Google_Exception(
152			"Failed to retrieve verification certificates: '" .
153			$url . "'."
154			);
155			}
156
157			return json_decode($file, true);
158			}
159
160			$response = $this->http->get($url);
161
162			if ($response->getStatusCode() == 200) {
163			return json_decode((string) $response->getBody(), true);
164			}
165			throw new Google_Exception(
166			sprintf(
167			'Failed to retrieve verification certificates: "%s".',
168			$response->getBody()->getContents()
169			),
170			$response->getStatusCode()
171			);
172			}
173
174			// Gets federated sign-on certificates to use for verifying identity tokens.
175			// Returns certs as array structure, where keys are key ids, and values
176			// are PEM encoded certificates.
177			private function getFederatedSignOnCerts()
178			{
179			$certs = null;
180			if ($cache = $this->getCache()) {
181			$cacheItem = $cache->getItem('federated_signon_certs_v3');
182			$certs = $cacheItem->get();
183			}
184
185
186			if (!$certs) {
187			$certs = $this->retrieveCertsFromLocation(
188			self::FEDERATED_SIGNON_CERT_URL
189			);
190
191			if ($cache) {
			0 ignored issues – show introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$cache` is of type `Psr\Cache\CacheItemPoolInterface`, thus it always evaluated to `true`. Loading history...
192			$cacheItem->expiresAt(new DateTime('+1 hour'));
			0 ignored issues – show Comprehensibility Best Practice introduced 2020-07-09 08:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$cacheItem` does not seem to be defined for all execution paths leading up to this point. Loading history...
193			$cacheItem->set($certs);
194			$cache->save($cacheItem);
195			}
196			}
197
198			if (!isset($certs['keys'])) {
199			throw new InvalidArgumentException(
200			'federated sign-on certs expects "keys" to be set'
201			);
202			}
203
204			return $certs['keys'];
205			}
206
207			private function getJwtService()
208			{
209			$jwtClass = 'JWT';
210			if (class_exists('\Firebase\JWT\JWT')) {
211			$jwtClass = 'Firebase\JWT\JWT';
212			}
213
214			if (property_exists($jwtClass, 'leeway') && $jwtClass::$leeway < 1) {
215			// Ensures JWT leeway is at least 1
216			// @see https://github.com/google/google-api-php-client/issues/827
217			$jwtClass::$leeway = 1;
218			}
219
220			return new $jwtClass;
221			}
222
223			private function getRsaClass()
224			{
225			if (class_exists('phpseclib\Crypt\RSA')) {
226			return 'phpseclib\Crypt\RSA';
227			}
228
229			return 'Crypt_RSA';
230			}
231
232			private function getBigIntClass()
233			{
234			if (class_exists('phpseclib\Math\BigInteger')) {
235			return 'phpseclib\Math\BigInteger';
236			}
237
238			return 'Math_BigInteger';
239			}
240
241			private function getOpenSslConstant()
242			{
243			if (class_exists('phpseclib\Crypt\RSA')) {
244			return 'phpseclib\Crypt\RSA::MODE_OPENSSL';
245			}
246
247			if (class_exists('Crypt_RSA')) {
248			return 'CRYPT_RSA_MODE_OPENSSL';
249			}
250
251			throw new \Exception('Cannot find RSA class');
252			}
253
254			/**
255			* phpseclib calls "phpinfo" by default, which requires special
256			* whitelisting in the AppEngine VM environment. This function
257			* sets constants to bypass the need for phpseclib to check phpinfo
258			*
259			* @see phpseclib/Math/BigInteger
260			* @see https://github.com/GoogleCloudPlatform/getting-started-php/issues/85
261			*/
262			private function setPhpsecConstants()
263			{
264			if (filter_var(getenv('GAE_VM'), FILTER_VALIDATE_BOOLEAN)) {
265			if (!defined('MATH_BIGINTEGER_OPENSSL_ENABLED')) {
266			define('MATH_BIGINTEGER_OPENSSL_ENABLED', true);
267			}
268			if (!defined('CRYPT_RSA_MODE')) {
269			define('CRYPT_RSA_MODE', constant($this->getOpenSslConstant()));
270			}
271			}
272			}
273			}
274

TheRakeshPurohit / rtCamp

Issues (96)

lib/Google/AccessToken/Verify.php (12 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like