Completed: Push — master (ef9738...5a1952), created by François at 02:32

ServerConfig::get()   rating C

Complexity:    Conditions 8, Paths 17
Size:          Total Lines 157, Code Lines 77
Duplication:   Lines 0, Ratio 0 %
Importance:    Changes 3, Bugs 0, Features 1

Metric   Value
c        3
b        0
f        1
dl       0
loc      157
rs       5.2676
cc       8
eloc     77
nc       17
nop      1

How to fix: Long Method

Small methods make your code easier to understand, in particular if combined with a good name. Besides, if your method is small, finding a good name is usually much easier.

For example, if you find yourself adding comments to a method's body, this is usually a good sign to extract the commented part to a new method, and use the comment as a starting point when coming up with a good name for this new method.

Commonly applied refactorings include:

<?php
/**
 * Copyright 2015 François Kooman <[email protected]>.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

namespace fkooman\VPN\Server;

use RuntimeException;

class ServerConfig
{
    public function get(array $serverConfig)
    {
        $requiredParameters = [
            'cn',
            'valid_from',
            'valid_to',
            'dev',          // tun-udp, tun-tcp, tun0, tun1, ...
            'proto',        // udp6, tcp-server
            'port',         // 1194, 443, ...
            'v4_prefix',    // 10.42.42.0/24, ...
            'v6_prefix',
            'dns',
            'management_port',  // 7505, 7506, ...
            'ca',
            'cert',
            'key',
            'dh',
            'ta',
            'listen',
            'otp',
        ];

        // XXX verify the parameters and types

        foreach ($requiredParameters as $p) {
            if (!array_key_exists($p, $serverConfig)) {
                throw new RuntimeException(sprintf('missing parameter "%s"', $p));
            }
        }

        $v4 = new IPv4($serverConfig['v4_prefix']);

        $dnsEntries = [];
        foreach ($serverConfig['dns'] as $dnsAddress) {
            $dnsEntries[] = sprintf('push "dhcp-option DNS %s"', $dnsAddress);
        }

        $otpEntries = [];
        if ($serverConfig['otp']) {
            $otpEntries[] = 'auth-user-pass-verify /usr/bin/vpn-server-api-verify-otp via-env';

            # increase the renegotiation time to 8h from the default of 1h when
            # using OTP, otherwise the user will be asked for the OTP key every
            # hour
            $otpEntries[] = 'reneg-sec 28800';
        }

        $tcpOptions = [];
        // compare the 'proto' value, not the whole config array, otherwise the
        // tcp6 case never matches and TCP_NODELAY is silently never set
        if ('tcp' === $serverConfig['proto'] || 'tcp6' === $serverConfig['proto']) {
            $tcpOptions[] = 'socket-flags TCP_NODELAY';
            $tcpOptions[] = 'push "socket-flags TCP_NODELAY"';
        }

        return [
            sprintf('# OpenVPN Server Configuration for %s', $serverConfig['cn']),

            sprintf('# Valid From: %s', date('c', $serverConfig['valid_from'])),
            sprintf('# Valid To: %s', date('c', $serverConfig['valid_to'])),

            sprintf('dev %s', $serverConfig['dev']),

            sprintf('local %s', $serverConfig['listen']),

            # UDP6 (works also for UDP)
            sprintf('proto %s', $serverConfig['proto']),
            sprintf('port %d', $serverConfig['port']),

            # IPv4
            sprintf('server %s %s', $v4->getNetwork(), $v4->getNetmask()),

            # IPv6
            sprintf('server-ipv6 %s', $serverConfig['v6_prefix']),

            'push "redirect-gateway def1 bypass-dhcp"',

            # for Windows clients we need this extra route to mark the TAP adapter as
            # trusted and as having "Internet" access to allow the user to set it to
            # "Home" or "Work" to allow accessing file shares and printers
            #'push "route 0.0.0.0 0.0.0.0"',

            # for iOS we need this OpenVPN 2.4 "ipv6" flag to redirect-gateway
            # See https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-ios-faq.html
            'push "redirect-gateway ipv6"',

            # we use 2000::/3 instead of ::/0 because it seems to break on native IPv6
            # networks where the ::/0 default route already exists
            'push "route-ipv6 2000::/3"',

            'topology subnet',
            # disable compression
            'comp-lzo no',
            'push "comp-lzo no"',
            'persist-key',
            'persist-tun',
            'verb 3',
            sprintf('max-clients %d', $v4->getNumberOfHosts() - 1),
            'keepalive 10 60',
            'user openvpn',
            'group openvpn',
            'remote-cert-tls client',

            # when using TCP, we want to reduce the latency of the TCP tunnel
            implode(PHP_EOL, $tcpOptions),

            # CRYPTO (DATA CHANNEL)
            'auth SHA256',
            'cipher AES-256-CBC',

            # CRYPTO (CONTROL CHANNEL)
            # @see RFC 7525
            # @see https://bettercrypto.org
            # @see https://community.openvpn.net/openvpn/wiki/Hardening
            'tls-version-min 1.2',

            # To work with default configuration in iOS OpenVPN with
            # "Force AES-CBC ciphersuites" enabled, we need to accept an
            # additional cipher "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
            'tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA',

            sprintf('script-security %d', $serverConfig['otp'] ? 3 : 2),
            'client-connect /usr/bin/vpn-server-api-client-connect',
            'client-disconnect /usr/bin/vpn-server-api-client-disconnect',

            # OTP
            implode(PHP_EOL, $otpEntries),

            # Certificate Revocation List
            'crl-verify /var/lib/vpn-server-api/ca.crl',

            # ask client to tell us on disconnect
            'push "explicit-exit-notify 3"',

            # DNS
            implode(PHP_EOL, $dnsEntries),

            # disable "netbios", i.e. Windows file sharing over TCP/IP
            #push "dhcp-option DISABLE-NBT"

            # also send a NTP server
            #push "dhcp-option NTP time.example.org"

            # allow client-to-client communication, see openvpn(8)
            #client-to-client

            # need to allow 7505 also with SELinux
            sprintf('management localhost %d', $serverConfig['management_port']),

            sprintf('<ca>%s</ca>', PHP_EOL.$serverConfig['ca'].PHP_EOL),
            sprintf('<cert>%s</cert>', PHP_EOL.$serverConfig['cert'].PHP_EOL),
            sprintf('<key>%s</key>', PHP_EOL.$serverConfig['key'].PHP_EOL),
            sprintf('<dh>%s</dh>', PHP_EOL.$serverConfig['dh'].PHP_EOL),

            'key-direction 0',

            sprintf('<tls-auth>%s</tls-auth>', PHP_EOL.$serverConfig['ta'].PHP_EOL),
        ];
    }
}