JwtKey - Code Metrics - Inspection of "Cleanup" - kleijnweb/jwt-bundle - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( ff92f6...3ef1d3 )

by John

created 2017-04-06 08:07 UTC

JwtKey B

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	198
Duplicated Lines	4.55 %

Coupling/Cohesion

Components	1
Dependencies	7

Importance

Changes

Metric	Value
wmc	44
lcom	1
cbo	7
dl	9
loc	198
rs	8.3396
c	0
b	0
f	0

7 Methods

Rating	Name	Duplication	Size	Complexity
C	__construct()	0	29	7
A	getId()	0	4	1
A	validateToken()	0	12	2
A	validateHeader()	0	12	4
D	validateClaims()	9	44	27
A	getSignatureValidator()	0	8	2
A	__sleep()	0	4	1

How to fix Duplicated Code Complexity

Duplicated Code

Duplicate code is one of the most pungent code smells. A rule that is often used is to re-structure code once it is duplicated in three or more places.

Common duplication problems, and corresponding solutions are:

If you have the same expression in different places: Extract expression to a method
If you have the same method in different sub-classes: Extract method, and pull up field to the parent class
If you have the same code in unrelated classes: Consider extracting the code to a new class, and injecting that class

Complex Class

Tip: Before tackling complexity, make sure that you eliminate any duplication first. This often can reduce the size of classes significantly.

Complex classes like JwtKey often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes. You can also have a look at the cohesion graph to spot any un-connected, or weakly-connected components.

Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.

While breaking up the class, it is a good idea to analyze how other classes use JwtKey, and based on these observations, apply Extract Interface, too.

<?php declare(strict_types = 1);
/*
 * This file is part of the KleijnWeb\JwtBundle package.
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace KleijnWeb\JwtBundle\Jwt;

use KleijnWeb\JwtBundle\Jwt\Exception\InvalidTimeException;
use KleijnWeb\JwtBundle\Jwt\Exception\KeyTokenMismatchException;
use KleijnWeb\JwtBundle\Jwt\Exception\MissingClaimsException;
use KleijnWeb\JwtBundle\Jwt\SignatureValidator\HmacValidator;
use KleijnWeb\JwtBundle\Jwt\SignatureValidator\RsaValidator;
use KleijnWeb\JwtBundle\Jwt\SignatureValidator\SignatureValidator;

/**
 * @author John Kleijn <[email protected]>
 */
class JwtKey
{
    const TYPE_HMAC = 'HS256';
    const TYPE_RSA  = 'RS256';

    /**
     * @var string
     */
    private $id;

    /**
     * @var string
     */
    private $issuer;

    /**
     * @var string
     */
    private $type = self::TYPE_HMAC;

    /**
     * @var array
     */
    private $audience = [];

    /**
     * @var int
     */
    private $minIssueTime;

    /**
     * @var array
     */
    private $requiredClaims = [];

    /**
     * @var int
     */
    private $issuerTimeLeeway;

    /**
     * @var string
     */
    private $secret;

    /**
     * @var SecretLoader
     */
    private $secretLoader;

    /**
     * @param array $options
     */
    public function __construct(array $options)
    {
        if (!isset($options['secret']) && !isset($options['loader'])) {
            throw new \InvalidArgumentException("Need a secret or a loader to verify tokens");
        }
        if (isset($options['secret']) && isset($options['loader'])) {
            throw new \InvalidArgumentException("Cannot configure both secret and loader");
        }
        $defaults = [
            'kid'          => null,
            'issuer'       => null,
            'audience'     => [],
            'minIssueTime' => null,
            'leeway'       => 0,
            'type'         => $this->type,
            'require'      => $this->requiredClaims,
        ];

        $options                = array_merge($defaults, $options);
        $this->issuer           = $options['issuer'];
        $this->audience         = $options['audience'];
        $this->type             = $options['type'];
        $this->minIssueTime     = $options['minIssueTime'];
        $this->requiredClaims   = $options['require'];
        $this->issuerTimeLeeway = $options['leeway'];
        $this->id               = $options['kid'];
        $this->secret           = isset($options['secret']) ? $options['secret'] : null;
        $this->secretLoader     = isset($options['loader']) ? $options['loader'] : null;
    }

    /**
     * @return string
     */
    public function getId(): string
    {
        return $this->id;
    }

    /**
     * @param JwtToken $token
     *
     * @throws \InvalidArgumentException
     */
    public function validateToken(JwtToken $token)
    {
        $this->validateHeader($token->getHeader());
        $this->validateClaims($token->getClaims());

        if (!$this->secretLoader) {
            $token->validateSignature($this->secret, $this->getSignatureValidator());

            return;
        }
        $token->validateSignature($this->secretLoader->load($token), $this->getSignatureValidator());
    }

    /**
     * @param array $header
     *
     * @throws \InvalidArgumentException
     */
    public function validateHeader(array $header)
    {
        if (!isset($header['alg'])) {
            throw new \InvalidArgumentException("Missing 'alg' in header");
        }
        if (!isset($header['typ'])) {
            throw new \InvalidArgumentException("Missing 'typ' in header");
        }
        if ($this->type !== $header['alg']) {
            throw new \InvalidArgumentException("Algorithm mismatch");
        }
    }

    /**
     * @param array $claims
     *
     * @throws \InvalidArgumentException
     */
    public function validateClaims(array $claims)
    {
        if ($this->requiredClaims) {

            $missing = array_diff_key(array_flip($this->requiredClaims), $claims);
            if (count($missing)) {
                throw new MissingClaimsException("Missing claims: " . implode(', ', $missing));
            }
        }
        if ($this->issuer && !isset($claims['iss'])) {
            throw new MissingClaimsException("Claim 'iss' is required");
        }
        if ($this->minIssueTime && !isset($claims['iat'])) {
            throw new MissingClaimsException("Claim 'iat' is required");
        }
        if (!empty($this->audience) && !isset($claims['aud'])) {
            throw new MissingClaimsException("Claim 'aud' is required");
        }
        if ((!isset($claims['sub']) || empty($claims['sub'])) && (!isset($claims['prn']) || empty($claims['prn']))) {
            throw new MissingClaimsException("Missing principle subject claim");
        }
        if (isset($claims['exp']) && $claims['exp'] + $this->issuerTimeLeeway < time()) {

            throw new InvalidTimeException("Token is expired by 'exp'");
        }
        if (isset($claims['iat']) && $claims['iat'] < ($this->minIssueTime + $this->issuerTimeLeeway)) {

            throw new InvalidTimeException("Server deemed your token too old");
        }
        if (isset($claims['nbf']) && ($claims['nbf'] - $this->issuerTimeLeeway) > time()) {

            throw new InvalidTimeException("Token not valid yet");
        }
        if (isset($claims['iss']) && $claims['iss'] !== $this->issuer) {
            throw new KeyTokenMismatchException("Issuer mismatch");
        }

        if (count($this->audience)) {
            if (isset($claims['aud']) &&
                (
                    (is_array($this->audience) && !in_array($claims['aud'], $this->audience))
                    || (!is_array($this->audience) && $claims['aud'] !== $this->audience)
                )
            ) {
                throw new KeyTokenMismatchException("Audience mismatch");
            }
        }
    }


    /**
     * @return SignatureValidator
     */
    public function getSignatureValidator(): SignatureValidator
    {
        if ($this->type == self::TYPE_RSA) {
            return new RsaValidator();
        }

        return new HmacValidator();
    }

    /**
     * Prevent accidental persistence of secret
     */
    final public function __sleep()
    {
        return [];
    }
}


1		<?php declare(strict_types = 1);
2		/*
3		* This file is part of the KleijnWeb\JwtBundle package.
4		*
5		* For the full copyright and license information, please view the LICENSE
6		* file that was distributed with this source code.
7		*/
8
9		namespace KleijnWeb\JwtBundle\Jwt;
10
11		use KleijnWeb\JwtBundle\Jwt\Exception\InvalidTimeException;
12		use KleijnWeb\JwtBundle\Jwt\Exception\KeyTokenMismatchException;
13		use KleijnWeb\JwtBundle\Jwt\Exception\MissingClaimsException;
14		use KleijnWeb\JwtBundle\Jwt\SignatureValidator\HmacValidator;
15		use KleijnWeb\JwtBundle\Jwt\SignatureValidator\RsaValidator;
16		use KleijnWeb\JwtBundle\Jwt\SignatureValidator\SignatureValidator;
17
18		/**
19		* @author John Kleijn <[email protected]>
20		*/
21		class JwtKey
22		{
23		const TYPE_HMAC = 'HS256';
24		const TYPE_RSA = 'RS256';
25
26		/**
27		* @var string
28		*/
29		private $id;
30
31		/**
32		* @var string
33		*/
34		private $issuer;
35
36		/**
37		* @var string
38		*/
39		private $type = self::TYPE_HMAC;
40
41		/**
42		* @var array
43		*/
44		private $audience = [];
45
46		/**
47		* @var int
48		*/
49		private $minIssueTime;
50
51		/**
52		* @var array
53		*/
54		private $requiredClaims = [];
55
56		/**
57		* @var int
58		*/
59		private $issuerTimeLeeway;
60
61		/**
62		* @var string
63		*/
64		private $secret;
65
66		/**
67		* @var SecretLoader
68		*/
69		private $secretLoader;
70
71		/**
72		* @param array $options
73		*/
74		public function __construct(array $options)
75		{
76		if (!isset($options['secret']) && !isset($options['loader'])) {
77		throw new \InvalidArgumentException("Need a secret or a loader to verify tokens");
78		}
79		if (isset($options['secret']) && isset($options['loader'])) {
80		throw new \InvalidArgumentException("Cannot configure both secret and loader");
81		}
82		$defaults = [
83		'kid' => null,
84		'issuer' => null,
85		'audience' => [],
86		'minIssueTime' => null,
87		'leeway' => 0,
88		'type' => $this->type,
89		'require' => $this->requiredClaims,
90		];
91
92		$options = array_merge($defaults, $options);
93		$this->issuer = $options['issuer'];
94		$this->audience = $options['audience'];
95		$this->type = $options['type'];
96		$this->minIssueTime = $options['minIssueTime'];
97		$this->requiredClaims = $options['require'];
98		$this->issuerTimeLeeway = $options['leeway'];
99		$this->id = $options['kid'];
100		$this->secret = isset($options['secret']) ? $options['secret'] : null;
101		$this->secretLoader = isset($options['loader']) ? $options['loader'] : null;
102		}
103
104		/**
105		* @return string
106		*/
107		public function getId(): string
108		{
109		return $this->id;
110		}
111
112		/**
113		* @param JwtToken $token
114		*
115		* @throws \InvalidArgumentException
116		*/
117		public function validateToken(JwtToken $token)
118		{
119		$this->validateHeader($token->getHeader());
120		$this->validateClaims($token->getClaims());
121
122		if (!$this->secretLoader) {
123		$token->validateSignature($this->secret, $this->getSignatureValidator());
124
125		return;
126		}
127		$token->validateSignature($this->secretLoader->load($token), $this->getSignatureValidator());
128		}
129
130		/**
131		* @param array $header
132		*
133		* @throws \InvalidArgumentException
134		*/
135		public function validateHeader(array $header)
136		{
137		if (!isset($header['alg'])) {
138		throw new \InvalidArgumentException("Missing 'alg' in header");
139		}
140		if (!isset($header['typ'])) {
141		throw new \InvalidArgumentException("Missing 'typ' in header");
142		}
143		if ($this->type !== $header['alg']) {
144		throw new \InvalidArgumentException("Algorithm mismatch");
145		}
146		}
147
148		/**
149		* @param array $claims
150		*
151		* @throws \InvalidArgumentException
152		*/
153		public function validateClaims(array $claims)
154		{
155		if ($this->requiredClaims) {
		0 ignored issues – show Bug Best Practice introduced 2016-02-05 06:47 UTC by Report Bug Copy Issue Report The expression `$this->requiredClaims` of type `array` is implicitly converted to a boolean; are you sure this is intended? If so, consider using `! empty($expr)` instead to make it clear that you intend to check for an array without elements. This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using `empty(..)` or `! empty(...)` instead. Loading history...
156		$missing = array_diff_key(array_flip($this->requiredClaims), $claims);
157		if (count($missing)) {
158		throw new MissingClaimsException("Missing claims: " . implode(', ', $missing));
159		}
160		}
161		if ($this->issuer && !isset($claims['iss'])) {
162		throw new MissingClaimsException("Claim 'iss' is required");
163		}
164		if ($this->minIssueTime && !isset($claims['iat'])) {
165		throw new MissingClaimsException("Claim 'iat' is required");
166		}
167		if (!empty($this->audience) && !isset($claims['aud'])) {
168		throw new MissingClaimsException("Claim 'aud' is required");
169		}
170		if ((!isset($claims['sub']) \|\| empty($claims['sub'])) && (!isset($claims['prn']) \|\| empty($claims['prn']))) {
171		throw new MissingClaimsException("Missing principle subject claim");
172		}
173	View Code Duplication	if (isset($claims['exp']) && $claims['exp'] + $this->issuerTimeLeeway < time()) {
		0 ignored issues – show Duplication introduced 2017-03-31 17:15 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
174		throw new InvalidTimeException("Token is expired by 'exp'");
175		}
176	View Code Duplication	if (isset($claims['iat']) && $claims['iat'] < ($this->minIssueTime + $this->issuerTimeLeeway)) {
		0 ignored issues – show Duplication introduced 2016-02-05 06:47 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
177		throw new InvalidTimeException("Server deemed your token too old");
178		}
179	View Code Duplication	if (isset($claims['nbf']) && ($claims['nbf'] - $this->issuerTimeLeeway) > time()) {
		0 ignored issues – show Duplication introduced 2016-02-05 06:47 UTC by Report Bug Copy Issue Report This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
180		throw new InvalidTimeException("Token not valid yet");
181		}
182		if (isset($claims['iss']) && $claims['iss'] !== $this->issuer) {
183		throw new KeyTokenMismatchException("Issuer mismatch");
184		}
185
186		if (count($this->audience)) {
187		if (isset($claims['aud']) &&
188		(
189		(is_array($this->audience) && !in_array($claims['aud'], $this->audience))
190		\|\| (!is_array($this->audience) && $claims['aud'] !== $this->audience)
191		)
192		) {
193		throw new KeyTokenMismatchException("Audience mismatch");
194		}
195		}
196		}
197
198
199		/**
200		* @return SignatureValidator
201		*/
202		public function getSignatureValidator(): SignatureValidator
203		{
204		if ($this->type == self::TYPE_RSA) {
205		return new RsaValidator();
206		}
207
208		return new HmacValidator();
209		}
210
211		/**
212		* Prevent accidental persistence of secret
213		*/
214		final public function __sleep()
215		{
216		return [];
217		}
218		}
219

kleijnweb / jwt-bundle