ServerConfig::get() - Code Metrics - Inspection of "new API, move some classes around, improve unit te..." - eduVPN/vpn-server-api - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( a4ad96...a25367 )

by François

created 2016-04-24 16:04 UTC

ServerConfig::get() B

↳ Parent: ServerConfig

Complexity

Conditions	6
Paths	9

Size

Total Lines	143
Code Lines	71

Duplication

Lines	0
Ratio	0 %

Importance

Changes	1
Bugs	0	Features	0

Metric	Value
c	1
b	0
f	0
dl	0
loc	143
rs	8.1463
cc	6
eloc	71
nc	9
nop	1

How to fix Long Method

<?php
/**
 * Copyright 2015 François Kooman <[email protected]>.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace fkooman\VPN\Server;

use RuntimeException;

class ServerConfig
{
    public function get(array $serverConfig)
    {
        $requiredParameters = [
            'cn',
            'valid_from',
            'valid_to',
            'dev',          // tun-udp, tun-tcp, tun0, tun1, ...
            'proto',        // udp6, tcp-server
            'port',         // 1194, 443, ...

            'v4_prefix',    // 10.42.42.0/24, ...

            'v6_prefix',
            'dns',
            'management_port',  // 7505, 7506, ...

            'ca',
            'cert',
            'key',
            'dh',
            'ta',
            'listen',
            'otp',
        ];

        // XXX verify the parameters and types

        foreach ($requiredParameters as $p) {
            if (!array_key_exists($p, $serverConfig)) {
                throw new RuntimeException(sprintf('missing parameter "%s"', $p));
            }
        }

        $v4 = new IPv4($serverConfig['v4_prefix']);

        $dnsEntries = [];
        foreach ($serverConfig['dns'] as $dnsAddress) {
            $dnsEntries[] = sprintf('push "dhcp-option DNS %s"', $dnsAddress);
        }

        $otpEntries = [];
        if ($serverConfig['otp']) {
            $otpEntries[] = 'auth-user-pass-verify /usr/bin/vpn-server-api-verify-otp via-env';
        }

        return [
            sprintf('# OpenVPN Server Configuration for %s', $serverConfig['cn']),

            sprintf('# Valid From: %s', date('c', $serverConfig['valid_from'])),
            sprintf('# Valid To: %s', date('c', $serverConfig['valid_to'])),

            sprintf('dev %s', $serverConfig['dev']),

            sprintf('local %s', $serverConfig['listen']),

            # UDP6 (works also for UDP)
            sprintf('proto %s', $serverConfig['proto']),
            sprintf('port %d', $serverConfig['port']),

            # IPv4
            sprintf('server %s %s', $v4->getNetwork(), $v4->getNetmask()),

            # IPv6
            sprintf('server-ipv6 %s', $serverConfig['v6_prefix']),

            'push "redirect-gateway def1 bypass-dhcp"',

            # for Windows clients we need this extra route to mark the TAP adapter as 
            # trusted and as having "Internet" access to allow the user to set it to 
            # "Home" or "Work" to allow accessing file shares and printers  
            #'push "route 0.0.0.0 0.0.0.0"',

            # for iOS we need this OpenVPN 2.4 "ipv6" flag to redirect-gateway
            # See https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
            'push "redirect-gateway ipv6"',

            # we use 2000::/3 instead of ::/0 because it seems to break on native IPv6 
            # networks where the ::/0 default route already exists
            'push "route-ipv6 2000::/3"',

            'topology subnet',
            # disable compression
            'comp-lzo no',
            'push "comp-lzo no"',
            'persist-key',
            'persist-tun',
            'verb 3',
            sprintf('max-clients %d', $v4->getNumberOfHosts() - 1),
            'keepalive 10 60',
            'user openvpn',
            'group openvpn',
            'remote-cert-tls client',

            # CRYPTO (DATA CHANNEL)
            'auth SHA256',
            'cipher AES-256-CBC',

            # CRYPTO (CONTROL CHANNEL)
            # @see RFC 7525  
            # @see https://bettercrypto.org
            # @see https://community.openvpn.net/openvpn/wiki/Hardening
            'tls-version-min 1.2',

            # To work with default configuration in iOS OpenVPN with
            # "Force AES-CBC ciphersuites" enabled, we need to accept an 
            # additional cipher "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
            'tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA',

            sprintf('script-security %d', $serverConfig['otp'] ? 3 : 2),
            'client-connect /usr/bin/vpn-server-api-client-connect',
            'client-disconnect /usr/bin/vpn-server-api-client-disconnect',

            # OTP
            implode(PHP_EOL, $otpEntries),

            # Certificate Revocation List
            'crl-verify /var/lib/vpn-server-api/ca.crl',

            # ask client to tell us on disconnect
            'push "explicit-exit-notify 3"',

            # DNS
            implode(PHP_EOL, $dnsEntries),

            # disable "netbios", i.e. Windows file sharing over TCP/IP
            #push "dhcp-option DISABLE-NBT"

            # also send a NTP server
            #push "dhcp-option NTP time.example.org"

            # allow client-to-client communication, see openvpn(8)
            #client-to-client

            # need to allow 7505 also with SELinux
            sprintf('management localhost %d', $serverConfig['management_port']),

            sprintf('<ca>%s</ca>', PHP_EOL.$serverConfig['ca'].PHP_EOL),
            sprintf('<cert>%s</cert>', PHP_EOL.$serverConfig['cert'].PHP_EOL),
            sprintf('<key>%s</key>', PHP_EOL.$serverConfig['key'].PHP_EOL),
            sprintf('<dh>%s</dh>', PHP_EOL.$serverConfig['dh'].PHP_EOL),

            'key-direction 0',

            sprintf('<tls-auth>%s</tls-auth>', PHP_EOL.$serverConfig['ta'].PHP_EOL),
        ];
    }
}


1			<?php
2			/**
3			* Copyright 2015 François Kooman <[email protected]>.
4			*
5			* Licensed under the Apache License, Version 2.0 (the "License");
6			* you may not use this file except in compliance with the License.
7			* You may obtain a copy of the License at
8			*
9			* http://www.apache.org/licenses/LICENSE-2.0
10			*
11			* Unless required by applicable law or agreed to in writing, software
12			* distributed under the License is distributed on an "AS IS" BASIS,
13			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14			* See the License for the specific language governing permissions and
15			* limitations under the License.
16			*/
17
18			namespace fkooman\VPN\Server;
19
20			use RuntimeException;
21
22			class ServerConfig
23			{
24			public function get(array $serverConfig)
25			{
26			$requiredParameters = [
27			'cn',
28			'valid_from',
29			'valid_to',
30			'dev', // tun-udp, tun-tcp, tun0, tun1, ...
31			'proto', // udp6, tcp-server
32			'port', // 1194, 443, ...
			0 ignored issues – show Unused Code Comprehensibility introduced 2016-04-13 08:28 UTC by Report Bug Copy Issue Report `63%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
33			'v4_prefix', // 10.42.42.0/24, ...
			0 ignored issues – show Unused Code Comprehensibility introduced 2016-04-20 10:01 UTC by Report Bug Copy Issue Report `67%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
34			'v6_prefix',
35			'dns',
36			'management_port', // 7505, 7506, ...
			0 ignored issues – show Unused Code Comprehensibility introduced 2016-03-15 16:51 UTC by Report Bug Copy Issue Report `63%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
37			'ca',
38			'cert',
39			'key',
40			'dh',
41			'ta',
42			'listen',
43			'otp',
44			];
45
46			// XXX verify the parameters and types
47
48			foreach ($requiredParameters as $p) {
49			if (!array_key_exists($p, $serverConfig)) {
50			throw new RuntimeException(sprintf('missing parameter "%s"', $p));
51			}
52			}
53
54			$v4 = new IPv4($serverConfig['v4_prefix']);
55
56			$dnsEntries = [];
57			foreach ($serverConfig['dns'] as $dnsAddress) {
58			$dnsEntries[] = sprintf('push "dhcp-option DNS %s"', $dnsAddress);
59			}
60
61			$otpEntries = [];
62			if ($serverConfig['otp']) {
63			$otpEntries[] = 'auth-user-pass-verify /usr/bin/vpn-server-api-verify-otp via-env';
64			}
65
66			return [
67			sprintf('# OpenVPN Server Configuration for %s', $serverConfig['cn']),
68
69			sprintf('# Valid From: %s', date('c', $serverConfig['valid_from'])),
70			sprintf('# Valid To: %s', date('c', $serverConfig['valid_to'])),
71
72			sprintf('dev %s', $serverConfig['dev']),
73
74			sprintf('local %s', $serverConfig['listen']),
75
76			# UDP6 (works also for UDP)
77			sprintf('proto %s', $serverConfig['proto']),
78			sprintf('port %d', $serverConfig['port']),
79
80			# IPv4
81			sprintf('server %s %s', $v4->getNetwork(), $v4->getNetmask()),
82
83			# IPv6
84			sprintf('server-ipv6 %s', $serverConfig['v6_prefix']),
85
86			'push "redirect-gateway def1 bypass-dhcp"',
87
88			# for Windows clients we need this extra route to mark the TAP adapter as
89			# trusted and as having "Internet" access to allow the user to set it to
90			# "Home" or "Work" to allow accessing file shares and printers
91			#'push "route 0.0.0.0 0.0.0.0"',
92
93			# for iOS we need this OpenVPN 2.4 "ipv6" flag to redirect-gateway
94			# See https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
95			'push "redirect-gateway ipv6"',
96
97			# we use 2000::/3 instead of ::/0 because it seems to break on native IPv6
98			# networks where the ::/0 default route already exists
99			'push "route-ipv6 2000::/3"',
100
101			'topology subnet',
102			# disable compression
103			'comp-lzo no',
104			'push "comp-lzo no"',
105			'persist-key',
106			'persist-tun',
107			'verb 3',
108			sprintf('max-clients %d', $v4->getNumberOfHosts() - 1),
109			'keepalive 10 60',
110			'user openvpn',
111			'group openvpn',
112			'remote-cert-tls client',
113
114			# CRYPTO (DATA CHANNEL)
115			'auth SHA256',
116			'cipher AES-256-CBC',
117
118			# CRYPTO (CONTROL CHANNEL)
119			# @see RFC 7525
120			# @see https://bettercrypto.org
121			# @see https://community.openvpn.net/openvpn/wiki/Hardening
122			'tls-version-min 1.2',
123
124			# To work with default configuration in iOS OpenVPN with
125			# "Force AES-CBC ciphersuites" enabled, we need to accept an
126			# additional cipher "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
127			'tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA',
128
129			sprintf('script-security %d', $serverConfig['otp'] ? 3 : 2),
130			'client-connect /usr/bin/vpn-server-api-client-connect',
131			'client-disconnect /usr/bin/vpn-server-api-client-disconnect',
132
133			# OTP
134			implode(PHP_EOL, $otpEntries),
135
136			# Certificate Revocation List
137			'crl-verify /var/lib/vpn-server-api/ca.crl',
138
139			# ask client to tell us on disconnect
140			'push "explicit-exit-notify 3"',
141
142			# DNS
143			implode(PHP_EOL, $dnsEntries),
144
145			# disable "netbios", i.e. Windows file sharing over TCP/IP
146			#push "dhcp-option DISABLE-NBT"
147
148			# also send a NTP server
149			#push "dhcp-option NTP time.example.org"
150
151			# allow client-to-client communication, see openvpn(8)
152			#client-to-client
153
154			# need to allow 7505 also with SELinux
155			sprintf('management localhost %d', $serverConfig['management_port']),
156
157			sprintf('<ca>%s</ca>', PHP_EOL.$serverConfig['ca'].PHP_EOL),
158			sprintf('<cert>%s</cert>', PHP_EOL.$serverConfig['cert'].PHP_EOL),
159			sprintf('<key>%s</key>', PHP_EOL.$serverConfig['key'].PHP_EOL),
160			sprintf('<dh>%s</dh>', PHP_EOL.$serverConfig['dh'].PHP_EOL),
161
162			'key-direction 0',
163
164			sprintf('<tls-auth>%s</tls-auth>', PHP_EOL.$serverConfig['ta'].PHP_EOL),
165			];
166			}
167			}
168

eduVPN / vpn-server-api

GitHub Access Token became invalid

Push — master ( a4ad96...a25367 )

ServerConfig::get() B

Complexity

Size

Duplication

Importance

How to fix Long Method

Long Method

Duplication Side-by-Side

Filter issues like