HmacValidator - Code Metrics - jkphl/antibot - Measure and Improve Code Quality continuously with Scrutinizer

HmacValidator B
last analyzed 2020-11-14 18:51 UTC

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	437
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	9

Test Coverage

Coverage

90.32%

Importance

Changes

Metric	Value
wmc	47
lcom	1
cbo	9
dl	0
loc	437
ccs	112
cts	124
cp	0.9032
rs	8.64
c	0
b	0
f	0

13 Methods

Rating	Name	Size	Complexity
A	setMethodVector()	11	2
A	validateRequestMethod()	12	3
A	setSubmissionTimes()	15	3
A	validate()	24	4
A	armor()	29	3
A	validateHmac()	24	3
A	validateRequestMethodVector()	16	4
B	validateRequestTiming()	37	9
A	probeTimedHmacAsInitialAndFollowup()	19	4
A	probeTimedHmac()	17	3
A	calculateHmac()	19	2
A	calculateRequestMethodVectorHmac()	10	4
A	calculateRequestTimingHmac()	10	3

How to fix Complexity

<?php

/**
 * antibot
 *
 * @category   Jkphl
 * @package    Jkphl\Antibot
 * @subpackage Jkphl\Antibot\Ports\Validators
 * @author     Joschi Kuphal <[email protected]> / @jkphl
 * @copyright  Copyright © 2020 Joschi Kuphal <[email protected]> / @jkphl
 * @license    http://opensource.org/licenses/MIT The MIT License (MIT)
 */

/***********************************************************************************
 *  The MIT License (MIT)
 *
 *  Copyright © 2020 Joschi Kuphal <[email protected]>
 *
 *  Permission is hereby granted, free of charge, to any person obtaining a copy of
 *  this software and associated documentation files (the "Software"), to deal in
 *  the Software without restriction, including without limitation the rights to
 *  use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 *  the Software, and to permit persons to whom the Software is furnished to do so,
 *  subject to the following conditions:
 *
 *  The above copyright notice and this permission notice shall be included in all
 *  copies or substantial portions of the Software.
 *
 *  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 *  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
 *  FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
 *  COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 *  IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 *  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 ***********************************************************************************/

namespace Jkphl\Antibot\Ports\Validators;

use Jkphl\Antibot\Domain\Antibot;
use Jkphl\Antibot\Domain\Exceptions\InvalidRequestMethodOrderException;
use Jkphl\Antibot\Domain\Exceptions\SkippedValidationException;
use Jkphl\Antibot\Infrastructure\Exceptions\HmacValidationException;
use Jkphl\Antibot\Infrastructure\Factory\HmacFactory;
use Jkphl\Antibot\Infrastructure\Model\AbstractValidator;
use Jkphl\Antibot\Infrastructure\Model\InputElement;
use Jkphl\Antibot\Ports\Exceptions\InvalidArgumentException;
use Psr\Http\Message\ServerRequestInterface;

/**
 * HMAC Validator
 *
 * @package    Jkphl\Antibot
 * @subpackage Jkphl\Antibot\Ports\Validators
 */
class HmacValidator extends AbstractValidator
{
    /**
     * Request method vector
     *
     * @var null|array
     */
    protected $methodVector = null;
    /**
     * Request submission times
     *
     * @var null|array
     */
    protected $submissionTimes = null;
    /**
     * Previous request method extracted from valid HMAC
     *
     * @var string|null
     */
    protected $previousMethod = null;
    /**
     * Previous validation result
     *
     * @var null|bool
     */
    protected $validated = null;
    /**
     * Validation order position
     *
     * @var int
     */
    const POSITION = 100;
    /**
     * GET request
     *
     * @var string
     */
    const METHOD_GET = 'GET';
    /**
     * POST request
     *
     * @var string
     */
    const METHOD_POST = 'POST';
    /**
     * Minimum submission time
     *
     * @var float
     */
    const MINIMUM_SUBMISSION = 3;
    /**
     * Minimum submission time for follow-up submissions
     *
     * @var float
     */
    const MINIMUM_FOLLOWUP_SUBMISSION = 1;
    /**
     * Maximum submission time
     *
     * @var float
     */
    const MAXIMUM_SUBMISSION = 3600;
    /**
     * Block access
     *
     * @var string
     */
    const BLOCK = 'BLOCK';

    /**
     * Set the request method vector
     *
     * @param string $previous Previous request
     * @param string $current  Current request
     */
    public function setMethodVector(string $previous = null, string $current = null): void
    {
        // If the request method vector should be unset
        if ($previous === null) {
            $this->methodVector = null;

            return;
        }

        $this->methodVector = [$this->validateRequestMethod($previous), $this->validateRequestMethod($current)];
    }

    /**
     * Sanitize and validate a request method
     *
     * @param string $method Request method
     *
     * @return string Validated request method
     * @throws InvalidArgumentException If the request method is invalid
     */
    protected function validateRequestMethod(string $method): string
    {
        $method = strtoupper($method);
        if ($method !== static::METHOD_GET && $method !== static::METHOD_POST) {
            throw new InvalidArgumentException(
                sprintf(InvalidArgumentException::INVALID_REQUEST_METHOD_STR, $method),
                InvalidArgumentException::INVALID_REQUEST_METHOD
            );
        }

        return $method;
    }

    /**
     * Sanitize and set the submission times
     *
     * @param float $max              Maximum submission time
     * @param float $min              Minimum submission time
     * @param float|null $minFollowUp Minimum submission time for follow-up submissions
     */
    public function setSubmissionTimes(float $max = null, float $min = null, float $minFollowUp = null): void
    {
        // If the submission times should be unset
        if ($max === null) {
            $this->submissionTimes = null;

            return;
        }

        $max                   = min(floatval($max), static::MAXIMUM_SUBMISSION);
        $min                   = max(floatval($min), static::MINIMUM_SUBMISSION);
        $minFollowUp           = ($minFollowUp === null)
            ? $min : max(floatval($minFollowUp), static::MINIMUM_FOLLOWUP_SUBMISSION);
        $this->submissionTimes = [$min, $minFollowUp, $max];
    }

    /**
     * Validate a request
     *
     * @param ServerRequestInterface $request Request
     * @param Antibot $antibot                Antibot instance
     *
     * @return bool
     * @throws HmacValidationException
     * @throws SkippedValidationException If no Antibot data has been submitted
     */
    public function validate(ServerRequestInterface $request, Antibot $antibot): bool
    {
        $data = $antibot->getData();

        // If no Antibot data has been submitted
        if ($data === null) {
            throw new SkippedValidationException(static::class);
        }

        // If no HMAC has been submitted: Fail
        if (empty($data['hmac'])) {
            return false;
        }

        // Validate the submitted HMAC
        $success = $this->validateHmac($data['hmac'], $request, $antibot);

        // If the request method vector was valid: Store the initial request method for further use
        if (!empty($this->methodVector)) {
            $this->previousMethod = $this->methodVector[0];
        }

        return $success;
    }

    /**
     * Create protective form HTML
     *
     * @param ServerRequestInterface $request Request
     * @param Antibot $antibot                Antibot instance
     *
     * @return InputElement[] HMTL input elements
     */
    public function armor(ServerRequestInterface $request, Antibot $antibot): array
    {
        // Ensure validation has run before
        try {
            $this->validate($request, $antibot);
        } catch (\Exception $e) {
            // Continue
        }

        $now   = null;
        $hmac  = $this->calculateHmac($request, $antibot, $now);
        $armor = [
            new InputElement([
                'type'  => 'hidden',
                'name'  => $antibot->getParameterPrefix().'[hmac]',
                'value' => $hmac
            ])
        ];
        // Add the timestamp field
        if ($now !== null) {
            $armor[] = new InputElement([
                'type'  => 'hidden',
                'name'  => $antibot->getParameterPrefix().'[ts]',
                'value' => intval($now)
            ]);
        }

        return $armor;
    }

    /**
     * Decrypt and validate an HMAC
     *
     * @param string $hmac                    HMAC
     * @param ServerRequestInterface $request Request
     * @param Antibot $antibot                Antibot instance
     *
     * @return bool HMAC is valid
     * @throws HmacValidationException If the request timing is invalid
     */
    protected function validateHmac(string $hmac, ServerRequestInterface $request, Antibot $antibot): bool
    {
        $hmacParams = [$antibot->getUnique()];

        // Short-circuit blocked HMAC
        $hmacBlock   = $hmacParams;
        $hmacBlock[] = self::BLOCK;
        if (HmacFactory::createFromString(serialize($hmacBlock), $antibot->getUnique()) === $hmac) {
            return false;
        }

        // Validate the request method vector
        $this->validateRequestMethodVector($request, $hmacParams);

        // If the request timings validate
        if ($this->validateRequestTiming($hmac, $antibot, $hmacParams)) {
            return true;
        }

        // Else: Do a simple validation without request timings
        $currentHMAC = HmacFactory::createFromString(serialize($hmacParams), $antibot->getUnique());

        return $hmac === $currentHMAC;
    }

    /**
     * Validate the request method vector
     *
     * @param ServerRequestInterface $request Request
     * @param array $hmacParams               HMAC parameters
     *
     * @throws HmacValidationException If the request method order is invalid
     */
    protected function validateRequestMethodVector(ServerRequestInterface $request, array &$hmacParams): void
    {
        // If the request method vector should be used
        if (!empty($this->methodVector)) {
            $serverParams  = $request->getServerParams();
            $requestMethod = empty($serverParams['REQUEST_METHOD']) ? 'EMPTY' : $serverParams['REQUEST_METHOD'];
            if ($requestMethod !== $this->methodVector[1]) {
                throw new HmacValidationException(
                    HmacValidationException::INVALID_REQUEST_METHOD_ORDER_STR,
                    HmacValidationException::INVALID_REQUEST_METHOD_ORDER
                );
            }

            $hmacParams[] = $this->methodVector[0];
        }
    }

    /**
     * Validate the request timing
     *
     * @param string $hmac      HMAC
     * @param Antibot $antibot  Antibot instance
     * @param array $hmacParams HMAC parameters
     *
     * @return bool Request timings were enabled and validated successfully
     *
     * @throws HmacValidationException If the request timing is invalid
     */
    protected function validateRequestTiming(string $hmac, Antibot $antibot, array $hmacParams): bool
    {
        // If submission time checks are enabled
        if (!empty($this->submissionTimes)) {
            list($first, $min, $max) = $this->submissionTimes;
            $now       = time();
            $initial   = $now - $first;
            $data      = $antibot->getData();
            $timestamp = empty($data['ts']) ? null : $data['ts'];

            // If a timestamp has been submitted
            if ($timestamp
                && (($timestamp + $min) <= $now)
                && (($timestamp + $max) >= $now)
                && $this->probeTimedHmacAsInitialAndFollowup($hmac, $antibot, $hmacParams, $timestamp, $initial)
            ) {
                $antibot->getLogger()->debug("[HMAC] Validated using submitted timestamp $timestamp");

                return true;
            } else {
                // Run through the valid seconds range
                for ($time = $now - $min; $time >= $now - $max; --$time) {
                    // If the HMAC validates as initial or follow-up request
                    if ($this->probeTimedHmacAsInitialAndFollowup($hmac, $antibot, $hmacParams, $time, $initial)) {
                        return true;
                    }
                }
            }

            throw new HmacValidationException(
                HmacValidationException::INVALID_REQUEST_TIMING_STR,
                HmacValidationException::INVALID_REQUEST_TIMING
            );
        }

        return false;
    }

    /**
     * Probe a timed HMAC both as initial and follow-up request
     *
     * @param string $hmac      HMAC
     * @param Antibot $antibot  Antibot instance
     * @param array $hmacParams HMAC params
     * @param int $timestamp    Timestamp
     * @param int $initial      Initial request threshold
     *
     * @return bool HMAC is valid
     */
    protected function probeTimedHmacAsInitialAndFollowup(
        string $hmac,
        Antibot $antibot,
        array $hmacParams,
        int $timestamp,
        int $initial
    ): bool {
        // If the HMAC validates with auto-guessed mode: Succeed
        if ($this->probeTimedHmac($hmac, $antibot, $hmacParams, $timestamp, $timestamp > $initial)) {
            return true;
        }

        // Also test as late follow-up request
        if (($timestamp <= $initial) && $this->probeTimedHMAC($hmac, $antibot, $hmacParams, $timestamp, true)) {
            return true;
        }

        return false;
    }

    /**
     * Probe a timed HMAC
     *
     * @param string $hmac      HMAC
     * @param Antibot $antibot  Antibot instance
     * @param array $hmacParams HMAC params
     * @param int $timestamp    Timestamp
     * @param bool $followUp    Is a follow-up request
     *
     * @return bool HMAC is valid
     */
    protected function probeTimedHmac(
        string $hmac,
        Antibot $antibot,
        array $hmacParams,
        int $timestamp,
        bool $followUp = false
    ): bool {
        if ($followUp) {
            $hmacParams[] = true;
        }
        $hmacParams[] = $timestamp;
        $currentHMAC  = HmacFactory::createFromString(serialize($hmacParams), $antibot->getUnique());

        $antibot->getLogger()->debug("[HMAC] Probing $timestamp (".($followUp ? 'FLLW' : 'INIT')."): $currentHMAC");

        return $currentHMAC == $hmac;
    }

    /**
     * Calculate the HMAC
     *
     * @param ServerRequestInterface $request Request
     * @param Antibot $antibot                Antibot instance
     * @param int|null $now                   Current timestamp
     *
     * @return string HMAC
     */
    protected function calculateHmac(ServerRequestInterface $request, Antibot $antibot, int &$now = null): string
    {
        $hmacParams = [$antibot->getUnique()];
        $now        = null;

        // Invalidate the HMAC if there's a current, invalid one
        if (false) {
            $hmacParams[] = self::BLOCK;
        } else {
            $this->calculateRequestMethodVectorHmac($request, $hmacParams);
            $this->calculateRequestTimingHmac($antibot, $hmacParams, $now);
        }

        $hmac = HmacFactory::createFromString(serialize($hmacParams), $antibot->getUnique());

        $antibot->getLogger()->debug("[HMAC] Created HMAC $hmac", $hmacParams);

        return $hmac;
    }

    /**
     * Add request method vector data to the HMAC configuration
     *
     * @param ServerRequestInterface $request Request
     * @param array $hmacParams               HMAC parameters
     */
    protected function calculateRequestMethodVectorHmac(ServerRequestInterface $request, array &$hmacParams): void
    {
        // If the request method vector should be used
        if (!empty($this->methodVector)) {
            $serverParams  = $request->getServerParams();
            $requestMethod = $this->previousMethod ?: (empty($serverParams['REQUEST_METHOD']) ? '' : $serverParams['REQUEST_METHOD']);
//            $requestMethod = empty($serverParams['REQUEST_METHOD']) ? '' : $serverParams['REQUEST_METHOD'];
            $hmacParams[] = $this->validateRequestMethod($requestMethod);
        }
    }

    /**
     * Add request timing data to the HMAC configuration
     *
     * @param Antibot $antibot  Antibot instance
     * @param array $hmacParams HMAC parameters
     * @param int|null $now     Current timestamp
     */
    protected function calculateRequestTimingHmac(Antibot $antibot, array &$hmacParams, int &$now = null): void
    {
        // If submission time checks are enabled
        if (!empty($this->submissionTimes)) {
            if (!empty($antibot->getData())) {
                $hmacParams[] = true;
            }
            $hmacParams[] = $now = time();
        }
    }
}


1		<?php
2
3		/**
4		* antibot
5		*
6		* @category Jkphl
7		* @package Jkphl\Antibot
8		* @subpackage Jkphl\Antibot\Ports\Validators
9		* @author Joschi Kuphal <[email protected]> / @jkphl
10		* @copyright Copyright © 2020 Joschi Kuphal <[email protected]> / @jkphl
11		* @license http://opensource.org/licenses/MIT The MIT License (MIT)
12		*/
13
14		/***********************************************************************************
15		* The MIT License (MIT)
16		*
17		* Copyright © 2020 Joschi Kuphal <[email protected]>
18		*
19		* Permission is hereby granted, free of charge, to any person obtaining a copy of
20		* this software and associated documentation files (the "Software"), to deal in
21		* the Software without restriction, including without limitation the rights to
22		* use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
23		* the Software, and to permit persons to whom the Software is furnished to do so,
24		* subject to the following conditions:
25		*
26		* The above copyright notice and this permission notice shall be included in all
27		* copies or substantial portions of the Software.
28		*
29		* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
30		* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
31		* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
32		* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
33		* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
34		* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
35		***********************************************************************************/
36
37		namespace Jkphl\Antibot\Ports\Validators;
38
39		use Jkphl\Antibot\Domain\Antibot;
40		use Jkphl\Antibot\Domain\Exceptions\InvalidRequestMethodOrderException;
41		use Jkphl\Antibot\Domain\Exceptions\SkippedValidationException;
42		use Jkphl\Antibot\Infrastructure\Exceptions\HmacValidationException;
43		use Jkphl\Antibot\Infrastructure\Factory\HmacFactory;
44		use Jkphl\Antibot\Infrastructure\Model\AbstractValidator;
45		use Jkphl\Antibot\Infrastructure\Model\InputElement;
46		use Jkphl\Antibot\Ports\Exceptions\InvalidArgumentException;
47		use Psr\Http\Message\ServerRequestInterface;
48
49		/**
50		* HMAC Validator
51		*
52		* @package Jkphl\Antibot
53		* @subpackage Jkphl\Antibot\Ports\Validators
54		*/
55		class HmacValidator extends AbstractValidator
56		{
57		/**
58		* Request method vector
59		*
60		* @var null\|array
61		*/
62		protected $methodVector = null;
63		/**
64		* Request submission times
65		*
66		* @var null\|array
67		*/
68		protected $submissionTimes = null;
69		/**
70		* Previous request method extracted from valid HMAC
71		*
72		* @var string\|null
73		*/
74		protected $previousMethod = null;
75		/**
76		* Previous validation result
77		*
78		* @var null\|bool
79		*/
80		protected $validated = null;
81		/**
82		* Validation order position
83		*
84		* @var int
85		*/
86		const POSITION = 100;
87		/**
88		* GET request
89		*
90		* @var string
91		*/
92		const METHOD_GET = 'GET';
93		/**
94		* POST request
95		*
96		* @var string
97		*/
98		const METHOD_POST = 'POST';
99		/**
100		* Minimum submission time
101		*
102		* @var float
103		*/
104		const MINIMUM_SUBMISSION = 3;
105		/**
106		* Minimum submission time for follow-up submissions
107		*
108		* @var float
109		*/
110		const MINIMUM_FOLLOWUP_SUBMISSION = 1;
111		/**
112		* Maximum submission time
113		*
114		* @var float
115		*/
116		const MAXIMUM_SUBMISSION = 3600;
117		/**
118		* Block access
119		*
120		* @var string
121		*/
122		const BLOCK = 'BLOCK';
123
124		/**
125		* Set the request method vector
126		*
127		* @param string $previous Previous request
128		* @param string $current Current request
129		*/
130	2	public function setMethodVector(string $previous = null, string $current = null): void
131		{
132		// If the request method vector should be unset
133	2	if ($previous === null) {
134		$this->methodVector = null;
135
136		return;
137		}
138
139	2	$this->methodVector = [$this->validateRequestMethod($previous), $this->validateRequestMethod($current)];
140	2	}
141
142		/**
143		* Sanitize and validate a request method
144		*
145		* @param string $method Request method
146		*
147		* @return string Validated request method
148		* @throws InvalidArgumentException If the request method is invalid
149		*/
150	2	protected function validateRequestMethod(string $method): string
151		{
152	2	$method = strtoupper($method);
153	2	if ($method !== static::METHOD_GET && $method !== static::METHOD_POST) {
154		throw new InvalidArgumentException(
155		sprintf(InvalidArgumentException::INVALID_REQUEST_METHOD_STR, $method),
156		InvalidArgumentException::INVALID_REQUEST_METHOD
157		);
158		}
159
160	2	return $method;
161		}
162
163		/**
164		* Sanitize and set the submission times
165		*
166		* @param float $max Maximum submission time
167		* @param float $min Minimum submission time
168		* @param float\|null $minFollowUp Minimum submission time for follow-up submissions
169		*/
170	2	public function setSubmissionTimes(float $max = null, float $min = null, float $minFollowUp = null): void
171		{
172		// If the submission times should be unset
173	2	if ($max === null) {
174		$this->submissionTimes = null;
175
176		return;
177		}
178
179	2	$max = min(floatval($max), static::MAXIMUM_SUBMISSION);
180	2	$min = max(floatval($min), static::MINIMUM_SUBMISSION);
181	2	$minFollowUp = ($minFollowUp === null)
182	2	? $min : max(floatval($minFollowUp), static::MINIMUM_FOLLOWUP_SUBMISSION);
183	2	$this->submissionTimes = [$min, $minFollowUp, $max];
184	2	}
185
186		/**
187		* Validate a request
188		*
189		* @param ServerRequestInterface $request Request
190		* @param Antibot $antibot Antibot instance
191		*
192		* @return bool
193		* @throws HmacValidationException
194		* @throws SkippedValidationException If no Antibot data has been submitted
195		*/
196	4	public function validate(ServerRequestInterface $request, Antibot $antibot): bool
197		{
198	4	$data = $antibot->getData();
199
200		// If no Antibot data has been submitted
201	4	if ($data === null) {
202	4	throw new SkippedValidationException(static::class);
203		}
204
205		// If no HMAC has been submitted: Fail
206	3	if (empty($data['hmac'])) {
207		return false;
208		}
209
210		// Validate the submitted HMAC
211	3	$success = $this->validateHmac($data['hmac'], $request, $antibot);
212
213		// If the request method vector was valid: Store the initial request method for further use
214	3	if (!empty($this->methodVector)) {
215	1	$this->previousMethod = $this->methodVector[0];
216		}
217
218	3	return $success;
219		}
220
221		/**
222		* Create protective form HTML
223		*
224		* @param ServerRequestInterface $request Request
225		* @param Antibot $antibot Antibot instance
226		*
227		* @return InputElement[] HMTL input elements
228		*/
229	4	public function armor(ServerRequestInterface $request, Antibot $antibot): array
230		{
231		// Ensure validation has run before
232		try {
233	4	$this->validate($request, $antibot);
234	4	} catch (\Exception $e) {
235		// Continue
236		}
237
238	4	$now = null;
239	4	$hmac = $this->calculateHmac($request, $antibot, $now);
240		$armor = [
241	4	new InputElement([
242	4	'type' => 'hidden',
243	4	'name' => $antibot->getParameterPrefix().'[hmac]',
244	4	'value' => $hmac
245		])
246		];
247		// Add the timestamp field
248	4	if ($now !== null) {
249	2	$armor[] = new InputElement([
250	2	'type' => 'hidden',
251	2	'name' => $antibot->getParameterPrefix().'[ts]',
252	2	'value' => intval($now)
253		]);
254		}
255
256	4	return $armor;
257		}
258
259		/**
260		* Decrypt and validate an HMAC
261		*
262		* @param string $hmac HMAC
263		* @param ServerRequestInterface $request Request
264		* @param Antibot $antibot Antibot instance
265		*
266		* @return bool HMAC is valid
267		* @throws HmacValidationException If the request timing is invalid
268		*/
269	3	protected function validateHmac(string $hmac, ServerRequestInterface $request, Antibot $antibot): bool
270		{
271	3	$hmacParams = [$antibot->getUnique()];
272
273		// Short-circuit blocked HMAC
274	3	$hmacBlock = $hmacParams;
275	3	$hmacBlock[] = self::BLOCK;
276	3	if (HmacFactory::createFromString(serialize($hmacBlock), $antibot->getUnique()) === $hmac) {
277		return false;
278		}
279
280		// Validate the request method vector
281	3	$this->validateRequestMethodVector($request, $hmacParams);
282
283		// If the request timings validate
284	3	if ($this->validateRequestTiming($hmac, $antibot, $hmacParams)) {
285	1	return true;
286		}
287
288		// Else: Do a simple validation without request timings
289	2	$currentHMAC = HmacFactory::createFromString(serialize($hmacParams), $antibot->getUnique());
290
291	2	return $hmac === $currentHMAC;
292		}
293
294		/**
295		* Validate the request method vector
296		*
297		* @param ServerRequestInterface $request Request
298		* @param array $hmacParams HMAC parameters
299		*
300		* @throws HmacValidationException If the request method order is invalid
301		*/
302	3	protected function validateRequestMethodVector(ServerRequestInterface $request, array &$hmacParams): void
303		{
304		// If the request method vector should be used
305	3	if (!empty($this->methodVector)) {
306	1	$serverParams = $request->getServerParams();
307	1	$requestMethod = empty($serverParams['REQUEST_METHOD']) ? 'EMPTY' : $serverParams['REQUEST_METHOD'];
308	1	if ($requestMethod !== $this->methodVector[1]) {
309	1	throw new HmacValidationException(
310	1	HmacValidationException::INVALID_REQUEST_METHOD_ORDER_STR,
311	1	HmacValidationException::INVALID_REQUEST_METHOD_ORDER
312		);
313		}
314
315	1	$hmacParams[] = $this->methodVector[0];
316		}
317	3	}
318
319		/**
320		* Validate the request timing
321		*
322		* @param string $hmac HMAC
323		* @param Antibot $antibot Antibot instance
324		* @param array $hmacParams HMAC parameters
325		*
326		* @return bool Request timings were enabled and validated successfully
327		*
328		* @throws HmacValidationException If the request timing is invalid
329		*/
330	3	protected function validateRequestTiming(string $hmac, Antibot $antibot, array $hmacParams): bool
331		{
332		// If submission time checks are enabled
333	3	if (!empty($this->submissionTimes)) {
334	1	list($first, $min, $max) = $this->submissionTimes;
335	1	$now = time();
336	1	$initial = $now - $first;
337	1	$data = $antibot->getData();
338	1	$timestamp = empty($data['ts']) ? null : $data['ts'];
339
340		// If a timestamp has been submitted
341	1	if ($timestamp
342	1	&& (($timestamp + $min) <= $now)
343	1	&& (($timestamp + $max) >= $now)
344	1	&& $this->probeTimedHmacAsInitialAndFollowup($hmac, $antibot, $hmacParams, $timestamp, $initial)
345		) {
346	1	$antibot->getLogger()->debug("[HMAC] Validated using submitted timestamp $timestamp");
347
348	1	return true;
349		} else {
350		// Run through the valid seconds range
351	1	for ($time = $now - $min; $time >= $now - $max; --$time) {
352		// If the HMAC validates as initial or follow-up request
353	1	if ($this->probeTimedHmacAsInitialAndFollowup($hmac, $antibot, $hmacParams, $time, $initial)) {
354		return true;
355		}
356		}
357		}
358
359	1	throw new HmacValidationException(
360	1	HmacValidationException::INVALID_REQUEST_TIMING_STR,
361	1	HmacValidationException::INVALID_REQUEST_TIMING
362		);
363		}
364
365	2	return false;
366		}
367
368		/**
369		* Probe a timed HMAC both as initial and follow-up request
370		*
371		* @param string $hmac HMAC
372		* @param Antibot $antibot Antibot instance
373		* @param array $hmacParams HMAC params
374		* @param int $timestamp Timestamp
375		* @param int $initial Initial request threshold
376		*
377		* @return bool HMAC is valid
378		*/
379	1	protected function probeTimedHmacAsInitialAndFollowup(
380		string $hmac,
381		Antibot $antibot,
382		array $hmacParams,
383		int $timestamp,
384		int $initial
385		): bool {
386		// If the HMAC validates with auto-guessed mode: Succeed
387	1	if ($this->probeTimedHmac($hmac, $antibot, $hmacParams, $timestamp, $timestamp > $initial)) {
388	1	return true;
389		}
390
391		// Also test as late follow-up request
392	1	if (($timestamp <= $initial) && $this->probeTimedHMAC($hmac, $antibot, $hmacParams, $timestamp, true)) {
393		return true;
394		}
395
396	1	return false;
397		}
398
399		/**
400		* Probe a timed HMAC
401		*
402		* @param string $hmac HMAC
403		* @param Antibot $antibot Antibot instance
404		* @param array $hmacParams HMAC params
405		* @param int $timestamp Timestamp
406		* @param bool $followUp Is a follow-up request
407		*
408		* @return bool HMAC is valid
409		*/
410	1	protected function probeTimedHmac(
411		string $hmac,
412		Antibot $antibot,
413		array $hmacParams,
414		int $timestamp,
415		bool $followUp = false
416		): bool {
417	1	if ($followUp) {
418	1	$hmacParams[] = true;
419		}
420	1	$hmacParams[] = $timestamp;
421	1	$currentHMAC = HmacFactory::createFromString(serialize($hmacParams), $antibot->getUnique());
422
423	1	$antibot->getLogger()->debug("[HMAC] Probing $timestamp (".($followUp ? 'FLLW' : 'INIT')."): $currentHMAC");
424
425	1	return $currentHMAC == $hmac;
426		}
427
428		/**
429		* Calculate the HMAC
430		*
431		* @param ServerRequestInterface $request Request
432		* @param Antibot $antibot Antibot instance
433		* @param int\|null $now Current timestamp
434		*
435		* @return string HMAC
436		*/
437	4	protected function calculateHmac(ServerRequestInterface $request, Antibot $antibot, int &$now = null): string
438		{
439	4	$hmacParams = [$antibot->getUnique()];
440	4	$now = null;
441
442		// Invalidate the HMAC if there's a current, invalid one
443	4	if (false) {
444		$hmacParams[] = self::BLOCK;
445		} else {
446	4	$this->calculateRequestMethodVectorHmac($request, $hmacParams);
447	4	$this->calculateRequestTimingHmac($antibot, $hmacParams, $now);
448		}
449
450	4	$hmac = HmacFactory::createFromString(serialize($hmacParams), $antibot->getUnique());
451
452	4	$antibot->getLogger()->debug("[HMAC] Created HMAC $hmac", $hmacParams);
453
454	4	return $hmac;
455		}
456
457		/**
458		* Add request method vector data to the HMAC configuration
459		*
460		* @param ServerRequestInterface $request Request
461		* @param array $hmacParams HMAC parameters
462		*/
463	4	protected function calculateRequestMethodVectorHmac(ServerRequestInterface $request, array &$hmacParams): void
464		{
465		// If the request method vector should be used
466	4	if (!empty($this->methodVector)) {
467	2	$serverParams = $request->getServerParams();
468	2	$requestMethod = $this->previousMethod ?: (empty($serverParams['REQUEST_METHOD']) ? '' : $serverParams['REQUEST_METHOD']);
469		// $requestMethod = empty($serverParams['REQUEST_METHOD']) ? '' : $serverParams['REQUEST_METHOD'];
470	2	$hmacParams[] = $this->validateRequestMethod($requestMethod);
471		}
472	4	}
473
474		/**
475		* Add request timing data to the HMAC configuration
476		*
477		* @param Antibot $antibot Antibot instance
478		* @param array $hmacParams HMAC parameters
479		* @param int\|null $now Current timestamp
480		*/
481	4	protected function calculateRequestTimingHmac(Antibot $antibot, array &$hmacParams, int &$now = null): void
482		{
483		// If submission time checks are enabled
484	4	if (!empty($this->submissionTimes)) {
485	2	if (!empty($antibot->getData())) {
486	1	$hmacParams[] = true;
487		}
488	2	$hmacParams[] = $now = time();
489		}
490	4	}
491		}
492

jkphl / antibot

HmacValidator B last analyzed 2020-11-14 18:51 UTC

Complexity

Size/Duplication

Coupling/Cohesion

Test Coverage

Importance

13 Methods

How to fix Complexity

Complex Class

Duplication Side-by-Side

Filter issues like

HmacValidator B
last analyzed 2020-11-14 18:51 UTC