WsSecurityFilterRequest - Code Metrics - Inspection of "[WIP] Ws security" - goetas-webservices/soap-client - Measure and Improve Code Quality continuously with Scrutinizer

Completed
Pull Request — master (#9)

by Asmir
created 2016-12-21 14:38 UTC
WsSecurityFilterRequest B

↳ Parent: Project
Complexity

Total Complexity
Size/Duplication

Total Lines	450
Duplicated Lines	0 %
Coupling/Cohesion

Components	1
Dependencies	5
Importance

Changes
Metric	Value
wmc	50
lcom	1
cbo	5
dl	0
loc	450
c	0
b	0
f	0
rs	8.6206
13 Methods

Rating	Name	Size	Complexity
A	setTimestampOptions()	5	1
A	__construct()	4	1
A	setSecurityOptionsEncryption()	5	1
A	setSecurityOptionsSignature()	5	1
C	createKeyInfo()	35	7
A	createNodeListForEncryption()	13	2
C	createNodeListForSigning()	23	8
D	filterDom()	44	10
A	generateUUID()	19	1
A	handleTimestamp()	15	2
C	handleUsername()	36	7
B	handleSignature()	44	5
B	handleEncryption()	22	4
How to fix Complexity

<?php

namespace GoetasWebservices\SoapServices\SoapClient\WssWsSecurity\Serializer;

use ass\XmlSecurity\DSig as XmlSecurityDSig;
use ass\XmlSecurity\Enc as XmlSecurityEnc;
use ass\XmlSecurity\Key as XmlSecurityKey;
use GoetasWebservices\SoapServices\SoapClient\WssWsSecurity\Security;

class WsSecurityFilterRequest extends AbstractWsSecurityFilter
{
    /**
     * Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)
     */
    const NAME_WSS_SMS = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0';

    /**
     * Web Services Security UsernameToken Profile 1.0
     */
    const NAME_WSS_UTP = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0';

    /**
     * Web Services Security: SOAP Message Security 1.1 (WS-Security 2004)
     */
    const NAME_WSS_SMS_1_1 = 'http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1';

    /**
     * Web Services Security X.509 Certificate Token Profile
     */
    const NAME_WSS_X509 = 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0';

    /**
     * The date format to be used with {@link \DateTime}
     */
    const DATETIME_FORMAT = 'Y-m-d\TH:i:s.000\Z';

    /**
     * (X509 3.2.1) Reference to a Subject Key Identifier
     */
    const TOKEN_REFERENCE_SUBJECT_KEY_IDENTIFIER = 0;

    /**
     * (X509 3.2.1) Reference to a Security Token
     */
    const TOKEN_REFERENCE_SECURITY_TOKEN = 1;

    /**
     * (SMS_1.1 7.3) Key Identifiers
     */
    const TOKEN_REFERENCE_THUMBPRINT_SHA1 = 2;

    /**
     * (SMS 10) Add security timestamp.
     *
     * @var boolean
     */
    private $addTimestamp = true;

    /**
     * Encrypt the signature?
     *
     * @var boolean
     */
    private $encryptSignature = false;

    /**
     * (SMS 10) Security timestamp expires time in seconds.
     *
     * @var int
     */
    private $expires = 300;

    /**
     * Sign all headers.
     *
     * @var boolean
     */
    private $signAllHeaders = false;

    /**
     * @var \DateTime
     */
    private $initialTimestamp;

    /**
     * (X509 3.2) Token reference type for encryption.
     *
     * @var int
     */
    private $tokenReferenceEncryption = null;

    /**
     * (X509 3.2) Token reference type for signature.
     *
     * @var int
     */
    private $tokenReferenceSignature = null;


    public function setTimestampOptions($addTimestamp = true, $expires = 300)
    {
        $this->addTimestamp = $addTimestamp;
        $this->expires = $expires;
    }

    /**
     * @param \DateTime $initialTimestamp
     */
    public function __construct(\DateTime $initialTimestamp = null)
    {
        $this->initialTimestamp = $initialTimestamp;
    }

    /**
     * Set security options.
     *
     * @param int $tokenReference self::TOKEN_REFERENCE_SUBJECT_KEY_IDENTIFIER | self::TOKEN_REFERENCE_SECURITY_TOKEN | self::TOKEN_REFERENCE_THUMBPRINT_SHA1
     * @param boolean $encryptSignature Encrypt signature
     *
     * @return void
     */
    public function setSecurityOptionsEncryption($tokenReference, $encryptSignature = false)
    {
        $this->tokenReferenceEncryption = $tokenReference;
        $this->encryptSignature = $encryptSignature;
    }

    /**
     * Set security options.
     *
     * @param int $tokenReference self::TOKEN_REFERENCE_SUBJECT_KEY_IDENTIFIER | self::TOKEN_REFERENCE_SECURITY_TOKEN | self::TOKEN_REFERENCE_THUMBPRINT_SHA1
     * @param boolean $signAllHeaders Sign all headers?
     *
     * @return void
     */
    public function setSecurityOptionsSignature($tokenReference, $signAllHeaders = false)
    {
        $this->tokenReferenceSignature = $tokenReference;
        $this->signAllHeaders = $signAllHeaders;
    }

    /**
     * Adds the configured KeyInfo to the parentNode.
     *
     * @param \DOMDocument $dom
     * @param int $tokenReference Token reference type
     * @param string $guid Unique ID
     * @param XmlSecurityKey $xmlSecurityKey XML security key
     *
     * @return \DOMElement
     */
    private function createKeyInfo(\DOMDocument $dom, $tokenReference, $guid, XmlSecurityKey $xmlSecurityKey = null)
    {
        $keyInfo = $dom->createElementNS(XmlSecurityDSig::NS_XMLDSIG, 'KeyInfo');
        $securityTokenReference = $dom->createElementNS(self::NS_WSS, 'SecurityTokenReference');
        $keyInfo->appendChild($securityTokenReference);
        // security token
        if (self::TOKEN_REFERENCE_SECURITY_TOKEN === $tokenReference) {
            $reference = $dom->createElementNS(self::NS_WSS, 'Reference');
            $reference->setAttribute('URI', '#' . $guid);
            if (null !== $xmlSecurityKey) {
                $reference->setAttribute('ValueType', self::NAME_WSS_X509 . '#X509v3');
            }
            $securityTokenReference->appendChild($reference);
            // subject key identifier
        } elseif (self::TOKEN_REFERENCE_SUBJECT_KEY_IDENTIFIER === $tokenReference && null !== $xmlSecurityKey) {
            $keyIdentifier = $dom->createElementNS(self::NS_WSS, 'KeyIdentifier');
            $keyIdentifier->setAttribute('EncodingType', self::NAME_WSS_SMS . '#Base64Binary');
            $keyIdentifier->setAttribute('ValueType', self::NAME_WSS_X509 . '#509SubjectKeyIdentifier');
            $securityTokenReference->appendChild($keyIdentifier);
            $certificate = $xmlSecurityKey->getX509SubjectKeyIdentifier();
abstract class User
{
    /** @return string */
    abstract public function getPassword();
}

class MyUser extends User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}
            $dataNode = new \DOMText($certificate);
            $keyIdentifier->appendChild($dataNode);
            // thumbprint sha1
        } elseif (self::TOKEN_REFERENCE_THUMBPRINT_SHA1 === $tokenReference && null !== $xmlSecurityKey) {
            $keyIdentifier = $dom->createElementNS(self::NS_WSS, 'KeyIdentifier');
            $keyIdentifier->setAttribute('EncodingType', self::NAME_WSS_SMS . '#Base64Binary');
            $keyIdentifier->setAttribute('ValueType', self::NAME_WSS_SMS_1_1 . '#ThumbprintSHA1');
            $securityTokenReference->appendChild($keyIdentifier);
            $thumbprintSha1 = base64_encode(sha1(base64_decode($xmlSecurityKey->getX509Certificate(true)), true));
abstract class User
{
    /** @return string */
    abstract public function getPassword();
}

class MyUser extends User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}
            $dataNode = new \DOMText($thumbprintSha1);
            $keyIdentifier->appendChild($dataNode);
        }

        return $keyInfo;
    }

    /**
     * Create a list of \DOMNodes that should be encrypted.
     *
     * @param \DOMDocument $dom DOMDocument to query
     *
     * @return \DOMNodeList
     */
    private function createNodeListForEncryption(\DOMDocument $dom)
    {
        $xpath = new \DOMXPath($dom);
        $xpath->registerNamespace('SOAP-ENV', $dom->documentElement->namespaceURI);
        $xpath->registerNamespace('ds', XmlSecurityDSig::NS_XMLDSIG);
        if ($this->encryptSignature === true) {
            $query = '//ds:Signature | //SOAP-ENV:Body';
        } else {
            $query = '//SOAP-ENV:Body';
        }

        return $xpath->query($query);
    }

    /**
     * Create a list of \DOMNodes that should be signed.
     *
     * @param \DOMDocument $dom DOMDocument to query
     * @param \DOMElement $security Security element
     *
     * @return array(\DOMNode)

     */
    private function createNodeListForSigning(\DOMDocument $dom, \DOMElement $security)
    {
        $nodes = array();
        $body = $dom->getElementsByTagNameNS($dom->documentElement->namespaceURI, 'Body')->item(0);
        if (null !== $body) {
            $nodes[] = $body;
        }
        foreach ($security->childNodes as $node) {
            if (XML_ELEMENT_NODE === $node->nodeType) {
                $nodes[] = $node;
            }
        }
        if ($this->signAllHeaders) {
            foreach ($security->parentNode->childNodes as $node) {
                if (XML_ELEMENT_NODE === $node->nodeType &&
                    self::NS_WSS !== $node->namespaceURI
                ) {
                    $nodes[] = $node;
                }
            }
        }
        return $nodes;
    }


    /**
     * Modify the given request XML.
     *
     * @param \DOMElement $currentNode,
/**
 * @param array $germany
 * @param array $ireland
 */
function finale($germany, $island) {
    return "2:1";
}
     * @param Security $securityData
     *
     * @return \DOMElement
     */
    public function filterDom(\DOMElement $currentNode, Security $securityData)
    {
        $dom = $currentNode->ownerDocument;
        $root = $dom->documentElement;

        $namespaces = array(
            'ws' => self::NS_WSS,
            'wsu' => self::NS_WSU,
            XmlSecurityDSig::PFX_XMLDSIG => XmlSecurityDSig::NS_XMLDSIG,
            XmlSecurityEnc::PFX_XMLENC => XmlSecurityEnc::NS_XMLENC,
        );

        foreach ($namespaces as $prefix => $ns) {
            $root->setAttributeNS(
                'http://www.w3.org/2000/xmlns/', // xmlns namespace URI
                'xmlns:'.$prefix,
                $ns
            );
        }

        $security = $dom->createElementNS(self::NS_WSS, $root->lookupPrefix(self::NS_WSS).':Security');
        $currentNode->parentNode->replaceChild($security, $currentNode);

        // init timestamp
        $dt = $this->initialTimestamp ?: new \DateTime('now', new \DateTimeZone('UTC'));

        if (true === $this->addTimestamp || null !== $this->expires) {
            $this->handleTimestamp($security, $dt);
        }

        if (null !== $securityData->getUsername()) {
            $this->handleUsername($security, $dt, $securityData);
        }

        if (null !== $this->userSecurityKey && $this->userSecurityKey->hasKeys()) {
            $signature = $this->handleSignature($security);

            // encrypt soap document
            if (null !== $this->serviceSecurityKey && $this->serviceSecurityKey->hasKeys()) {
                $this->handleEncryption($security, $signature);
            }
        }
        return $security;
    }

    /**
     * Generate a pseudo-random version 4 UUID.
     *
     * @see http://de.php.net/manual/en/function.uniqid.php#94959
     *
     * @return string
     */
    private static function generateUUID()
    {
        return sprintf(
            '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
            // 32 bits for "time_low"

            mt_rand(0, 0xffff), mt_rand(0, 0xffff),
            // 16 bits for "time_mid"

            mt_rand(0, 0xffff),
            // 16 bits for "time_hi_and_version",

            // four most significant bits holds version number 4
            mt_rand(0, 0x0fff) | 0x4000,
            // 16 bits, 8 bits for "clk_seq_hi_res",

            // 8 bits for "clk_seq_low",

            // two most significant bits holds zero and one for variant DCE1.1
            mt_rand(0, 0x3fff) | 0x8000,
            // 48 bits for "node"

            mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff)
        );
    }

    /**
     * @param \DOMElement $security
     * @param \DateTime $dt
     */
    private function handleTimestamp(\DOMElement $security, \DateTime $dt)
    {
        $dom = $security->ownerDocument;
        $timestamp = $dom->createElementNS(self::NS_WSU, 'Timestamp');
        $created = $dom->createElementNS(self::NS_WSU, 'Created', $dt->format(self::DATETIME_FORMAT));
        $timestamp->appendChild($created);
        if (null !== $this->expires) {
            $dt = clone $dt;
            $dt->modify('+' . $this->expires . ' seconds');
            $expiresTimestamp = $dt->format(self::DATETIME_FORMAT);
            $expires = $dom->createElementNS(self::NS_WSU, 'Expires', $expiresTimestamp);
            $timestamp->appendChild($expires);
        }
        $security->appendChild($timestamp);
    }

    /**
     * @param \DOMElement $security
     * @param $dt
     * @param Security $securityData
     */
    private function handleUsername(\DOMElement $security, $dt, Security $securityData)
    {
        $dom = $security->ownerDocument;

        $usernameToken = $dom->createElementNS(self::NS_WSS, 'UsernameToken');
        $security->appendChild($usernameToken);

        $username = $dom->createElementNS(self::NS_WSS, 'Username', $securityData->getUsername());
        $usernameToken->appendChild($username);

        if (null !== $securityData->getPassword()
            && (null === $this->userSecurityKey
                || (null !== $this->userSecurityKey && !$this->userSecurityKey->hasPrivateKey()))
        ) {

            if ($securityData->isPasswordDigest()) {
                $nonce = mt_rand();
                $password = base64_encode(sha1($nonce . $dt->format(self::DATETIME_FORMAT) . $securityData->getPassword(), true));
                $passwordType = self::NAME_WSS_UTP . '#PasswordDigest';
            } else {
                $password = $securityData->getPassword();
                $passwordType = self::NAME_WSS_UTP . '#PasswordText';
            }

            $password = $dom->createElementNS(self::NS_WSS, 'Password', $password);
            $password->setAttribute('Type', $passwordType);
            $usernameToken->appendChild($password);
            if ($securityData->isPasswordDigest()) {
                $nonce = $dom->createElementNS(self::NS_WSS, 'Nonce', base64_encode($nonce));
function myFunction($a) {
    switch ($a) {
        case 'foo':
            $x = 1;
            break;

        case 'bar':
            $x = 2;
            break;
    }

    // $x is potentially undefined here.
    echo $x;
}
                $usernameToken->appendChild($nonce);

                $created = $dom->createElementNS(self::NS_WSU, 'Created', $dt->format(self::DATETIME_FORMAT));
                $usernameToken->appendChild($created);
            }
        }
    }

    /**
     * @param \DOMElement $security
     * @return \DOMElement
     */
    private function handleSignature(\DOMElement $security)
    {
        $dom = $security->ownerDocument;

        // this is fundamental for the signature
        // formatting the dom adds nodes that are not signed
        $dom->formatOutput = false;
        $dom->preserveWhiteSpace = true;

        $guid = 'CertId-' . self::generateUUID();
        // add token references
        $keyInfo = null;
        if (null !== $this->tokenReferenceSignature) {
            $keyInfo = $this->createKeyInfo($dom, $this->tokenReferenceSignature, $guid, $this->userSecurityKey->getPublicKey());
        }
        $nodes = $this->createNodeListForSigning($dom, $security);


        $signature = XmlSecurityDSig::createSignature($this->userSecurityKey->getPrivateKey(), XmlSecurityDSig::EXC_C14N, $security, null, $keyInfo);

        if ((!$prefix = $security->lookupPrefix(self::NS_WSU)) && (!$prefix = $security->ownerDocument->lookupPrefix(self::NS_WSU))) {
            $prefix = 'ns-'.  substr(sha1(self::NS_WSU), 0, 8);
        }

        $options = array(
            'id_ns_prefix' => $prefix,
            'id_prefix_ns' => self::NS_WSU,
        );
        foreach ($nodes as $node) {
            XmlSecurityDSig::addNodeToSignature($signature, $node, XmlSecurityDSig::SHA1, XmlSecurityDSig::EXC_C14N, $options);
        }
        XmlSecurityDSig::signDocument($signature, $this->userSecurityKey->getPrivateKey(), XmlSecurityDSig::EXC_C14N);

        $publicCertificate = $this->userSecurityKey->getPublicKey()->getX509Certificate(true);
abstract class User
{
    /** @return string */
    abstract public function getPassword();
}

class MyUser extends User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}
        $binarySecurityToken = $dom->createElementNS(self::NS_WSS, 'BinarySecurityToken', $publicCertificate);
        $binarySecurityToken->setAttribute('EncodingType', self::NAME_WSS_SMS . '#Base64Binary');
        $binarySecurityToken->setAttribute('ValueType', self::NAME_WSS_X509 . '#X509v3');

        $security->insertBefore($binarySecurityToken, $signature);

        $binarySecurityToken->setAttributeNs(self::NS_WSU, $prefix.':Id', $guid);

        return $signature;
    }

    /**
     * @param \DOMElement $security
     * @param \DOMElement $signature
     */
    private function handleEncryption(\DOMElement $security, \DOMElement $signature)
    {
        $dom = $security->ownerDocument;
        $guid = 'EncKey-' . self::generateUUID();
        // add token references
        $keyInfo = null;
        if (null !== $this->tokenReferenceEncryption) {
            $keyInfo = $this->createKeyInfo($dom, $this->tokenReferenceEncryption, $guid, $this->serviceSecurityKey->getPublicKey());
        }
        $encryptedKey = XmlSecurityEnc::createEncryptedKey($guid, $this->serviceSecurityKey->getPrivateKey(), $this->serviceSecurityKey->getPublicKey(), $security, $signature, $keyInfo);
        $referenceList = XmlSecurityEnc::createReferenceList($encryptedKey);
        // token reference to encrypted key
        $keyInfo = $this->createKeyInfo($dom, self::TOKEN_REFERENCE_SECURITY_TOKEN, $guid);
        $nodes = $this->createNodeListForEncryption($dom);
        foreach ($nodes as $node) {
            $type = XmlSecurityEnc::ELEMENT;
            if ($node->localName == 'Body') {
                $type = XmlSecurityEnc::CONTENT;
            }
            XmlSecurityEnc::encryptNode($node, $type, $this->serviceSecurityKey->getPrivateKey(), $referenceList, $keyInfo);
        }
    }
}

Pull Request — master (#9)

WsSecurityFilterRequest B

Complexity

Size/Duplication

Coupling/Cohesion

Importance

13 Methods

How to fix Complexity

Complex Class

Available Fixes

Available Fixes

Available Fixes

Available Fixes

goetas-webservices / soap-client

Pull Request — master (#9)

WsSecurityFilterRequest B

Complexity

Size/Duplication

Coupling/Cohesion

Importance

13 Methods

How to fix Complexity

Complex Class

Available Fixes

Available Fixes

Available Fixes

Available Fixes

Duplication Side-by-Side

Filter issues like
