Settings::setCheckHost() - Code Metrics - Inspection of "Close #15" - neomerx/cors-psr7 - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 6e86f3...1e378a )

by Neomerx

created 2016-03-17 14:58 UTC

Settings::setCheckHost() A

↳ Parent: Settings

Complexity

Conditions	1
Paths	1

Size

Total Lines	6
Code Lines	3

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	3
CRAP Score	1

Importance

Changes	1
Bugs	0	Features	0

Metric	Value
c	1
b	0
f	0
dl	0
loc	6
ccs	3
cts	3
cp	1
rs	9.4285
cc	1
eloc	3
nc	1
nop	1
crap	1

<?php namespace Neomerx\Cors\Strategies;

/**
 * Copyright 2015 [email protected] (www.neomerx.com)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

use \Psr\Http\Message\RequestInterface;
use \Neomerx\Cors\Log\LoggerAwareTrait;
use \Neomerx\Cors\Contracts\Http\ParsedUrlInterface;
use \Neomerx\Cors\Contracts\Constants\CorsResponseHeaders;
use \Neomerx\Cors\Contracts\Strategies\SettingsStrategyInterface;

/**
 * Implements strategy as a simple set of setting identical for all resources and requests.
 *
 * @package Neomerx\Cors
 */
class Settings implements SettingsStrategyInterface
{
    use LoggerAwareTrait;

    /**
     * 'All' value for allowed origins.
     */
    const VALUE_ALLOW_ORIGIN_ALL = CorsResponseHeaders::VALUE_ALLOW_ORIGIN_ALL;

    /**
     * 'All' values for allowed headers.
     */
    const VALUE_ALLOW_ALL_HEADERS = '*';

    /**
     * @var string|array If specified as array (recommended for better performance) it should
     * be in parse_url() result format.
     *
     * @see http://php.net/manual/function.parse-url.php
     */
    private $serverOrigin = [
        'scheme' => '',
        'host'   => ParsedUrlInterface::DEFAULT_PORT,
        'port'   => '',
    ];

    /**
     * A list of allowed request origins (lower-cased, no trail slashes).
     * Value `true` enables and value `null` disables origin.
     * If all origins '*' are enabled all settings for other origins are ignored.
     *
     * For example,
     *
     * $allowedOrigins = [
     *     'http://example.com:123'     => true,
     *     'http://evil.com'            => null,
     *     self::VALUE_ALLOW_ORIGIN_ALL => null,
     * ];
     *
     * @var array
     */
    private $allowedOrigins = [];

    /**
     * A list of allowed request methods (case sensitive). Value `true` enables and value `null` disables method.
     *
     * For example,
     *
     * $allowedMethods = [
     *     'GET'    => true,
     *     'PATCH'  => true,
     *     'POST'   => true,
     *     'PUT'    => null,
     *     'DELETE' => true,
     * ];
     *
     * Security Note: you have to remember CORS is not access control system and you should not expect all cross-origin
     * requests will have pre-flights. For so-called 'simple' methods with so-called 'simple' headers request
     * will be made without pre-flight. Thus you can not restrict such requests with CORS and should use other means.
     * For example method 'GET' without any headers or with only 'simple' headers will not have pre-flight request so
     * disabling it will not restrict access to resource(s).
     *
     * You can read more on 'simple' methods at http://www.w3.org/TR/cors/#simple-method
     *
     * @var array
     */
    private $allowedMethods = [];

    /**
     * A list of allowed request headers (lower-cased). Value `true` enables and value `null` disables header.
     *
     * For example,
     *
     * $allowedHeaders = [
     *     'content-type'                => true,
     *     'x-custom-request-header'     => null,
     *     self::VALUE_ALLOW_ALL_HEADERS => null,
     * ];
     *
     * Security Note: you have to remember CORS is not access control system and you should not expect all cross-origin
     * requests will have pre-flights. For so-called 'simple' methods with so-called 'simple' headers request
     * will be made without pre-flight. Thus you can not restrict such requests with CORS and should use other means.
     * For example method 'GET' without any headers or with only 'simple' headers will not have pre-flight request so
     * disabling it will not restrict access to resource(s).
     *
     * You can read more on 'simple' headers at http://www.w3.org/TR/cors/#simple-header
     *
     * @var array
     */
    private $allowedHeaders = [];

    /**
     * A list of headers (case insensitive) which will be made accessible to user agent (browser) in response.
     * Value `true` enables and value `null` disables header.
     *
     * For example,
     *
     * $exposedHeaders = [
     *     'Content-Type'             => true,
     *     'X-Custom-Response-Header' => true,
     *     'X-Disabled-Header'        => null,
     * ];
     *
     * @var string[]
     */
    private $exposedHeaders = [];

    /**
     * If access with credentials is supported by the resource.
     *
     * @var bool
     */
    private $isUsingCredentials = false;

    /**
     * Pre-flight response cache max period in seconds.
     *
     * @var int
     */
    private $preFlightCacheMaxAge = 0;

    /**
     * If allowed methods should be added to pre-flight response when 'simple' method is requested (see #6.2.9 CORS).
     *
     * @see http://www.w3.org/TR/cors/#resource-preflight-requests
     *
     * @var bool
     */
    private $isForceAddMethods = false;

    /**
     * If allowed headers should be added when request headers are 'simple' and
     * non of them is 'Content-Type' (see #6.2.10 CORS).
     *
     * @see http://www.w3.org/TR/cors/#resource-preflight-requests
     *
     * @var bool
     */
    private $isForceAddHeaders = false;

    /**
     * If request 'Host' header should be checked against server's origin.
     *
     * @var bool
     */
    private $isCheckHost = false;

    /**
     * @inheritdoc
     */
    public function getServerOrigin()
    {
        return $this->serverOrigin;
    }

    /**
     * @inheritdoc
     */
    public function setServerOrigin($origin)
    {
        $this->serverOrigin = $origin;

        return $this;
    }

    /**
     * @inheritdoc
     */
    public function isPreFlightCanBeCached(RequestInterface $request)
    {
        return $this->getPreFlightCacheMaxAge($request) > 0;
    }

    /**
     * @inheritdoc
     */
    public function getPreFlightCacheMaxAge(RequestInterface $request)
    {
        return $this->preFlightCacheMaxAge;
    }

    /**
     * @inheritdoc
     */
    public function setPreFlightCacheMaxAge($cacheMaxAge)
    {
        $this->preFlightCacheMaxAge = $cacheMaxAge;

        return $this;
    }

    /**
     * @inheritdoc
     */
    public function isForceAddAllowedMethodsToPreFlightResponse()
    {
        return $this->isForceAddMethods;
    }

    /**
     * @inheritdoc
     */
    public function setForceAddAllowedMethodsToPreFlightResponse($forceFlag)
    {
        $this->isForceAddMethods = $forceFlag;

        return $this;
    }

    /**
     * @inheritdoc
     */
    public function isForceAddAllowedHeadersToPreFlightResponse()
    {
        return $this->isForceAddHeaders;
    }

    /**
     * @inheritdoc
     */
    public function setForceAddAllowedHeadersToPreFlightResponse($forceFlag)
    {
        $this->isForceAddHeaders = $forceFlag;

        return $this;
    }

    /**
     * @inheritdoc
     */
    public function isRequestCredentialsSupported(RequestInterface $request)
    {
        return $this->isUsingCredentials;
    }

    /**
     * @inheritdoc
     */
    public function setRequestCredentialsSupported($isSupported)
    {
        $this->isUsingCredentials = $isSupported;

        return $this;
    }

    /**
     * @inheritdoc
     */
    public function isRequestOriginAllowed(ParsedUrlInterface $requestOrigin)
    {
        // check if all origins are allowed with '*'
        $isAllowed = isset($this->allowedOrigins[CorsResponseHeaders::VALUE_ALLOW_ORIGIN_ALL]);

        if ($isAllowed === false) {
            $requestOriginStr = strtolower($requestOrigin->getOrigin());
            $isAllowed        = isset($this->allowedOrigins[$requestOriginStr]);
        }

        return $isAllowed;
    }

    /**
     * @inheritdoc
     */
    public function setRequestAllowedOrigins(array $origins)
    {
        $this->allowedOrigins = $origins;

        return $this;
    }

    /**
     * @inheritdoc
     */
    public function isRequestMethodSupported($method)
    {
        $isAllowed = isset($this->allowedMethods[$method]);

        return $isAllowed;
    }

    /**
     * @inheritdoc
     */
    public function isRequestAllHeadersSupported($headers)
    {
        $allSupported = true;

        if (isset($this->allowedHeaders[self::VALUE_ALLOW_ALL_HEADERS]) === true) {
            return $allSupported;
        }

        foreach ($headers as $header) {
            $header = strtolower($header);
            if (isset($this->allowedHeaders[$header]) === false) {
                $allSupported = false;
                $this->logInfo(
                    'Request header is not allowed. Check config settings for Allowed Headers.',
                    ['header' => $header]
                );
                break;
            }
        }

        return $allSupported;
    }

    /**
     * @inheritdoc
     */
    public function getRequestAllowedMethods(RequestInterface $request, $requestMethod)
    {
        return implode(', ', $this->getEnabledItems($this->allowedMethods));
    }

    /**
     * @inheritdoc
     */
    public function setRequestAllowedMethods(array $methods)
    {
        $this->allowedMethods = $methods;

        return $this;
    }

    /**
     * @inheritdoc
     */
    public function getRequestAllowedHeaders(RequestInterface $request, array $requestHeaders)
    {
        return implode(', ', $this->getEnabledItems($this->allowedHeaders));
    }

    /**
     * @inheritdoc
     */
    public function setRequestAllowedHeaders(array $headers)
    {
        $this->allowedHeaders = $headers;

        return $this;
    }

    /**
     * @inheritdoc
     */
    public function getResponseExposedHeaders(RequestInterface $request)
    {
        return $this->getEnabledItems($this->exposedHeaders);
    }

    /**
     * @inheritdoc
     */
    public function setResponseExposedHeaders(array $headers)
    {
        $this->exposedHeaders = $headers;

        return $this;
    }

    /**
     * @inheritdoc
     */
    public function isCheckHost()
    {
        return $this->isCheckHost;
    }

    /**
     * @inheritdoc
     */
    public function setCheckHost($checkFlag)
    {
        $this->isCheckHost = $checkFlag;

        return $this;
    }

    /**
     * Select only enabled items from $list.
     *
     * @param array $list
     *
     * @return array
     */
    protected function getEnabledItems(array $list)
    {
        $items = [];

        foreach ($list as $item => $enabled) {
            if ($enabled === true) {
                $items[] = $item;
            }
        }

        return $items;
    }
}


1		<?php namespace Neomerx\Cors\Strategies;
2
3		/**
4		* Copyright 2015 [email protected] (www.neomerx.com)
5		*
6		* Licensed under the Apache License, Version 2.0 (the "License");
7		* you may not use this file except in compliance with the License.
8		* You may obtain a copy of the License at
9		*
10		* http://www.apache.org/licenses/LICENSE-2.0
11		*
12		* Unless required by applicable law or agreed to in writing, software
13		* distributed under the License is distributed on an "AS IS" BASIS,
14		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15		* See the License for the specific language governing permissions and
16		* limitations under the License.
17		*/
18
19		use \Psr\Http\Message\RequestInterface;
20		use \Neomerx\Cors\Log\LoggerAwareTrait;
21		use \Neomerx\Cors\Contracts\Http\ParsedUrlInterface;
22		use \Neomerx\Cors\Contracts\Constants\CorsResponseHeaders;
23		use \Neomerx\Cors\Contracts\Strategies\SettingsStrategyInterface;
24
25		/**
26		* Implements strategy as a simple set of setting identical for all resources and requests.
27		*
28		* @package Neomerx\Cors
29		*/
30		class Settings implements SettingsStrategyInterface
31		{
32		use LoggerAwareTrait;
33
34		/**
35		* 'All' value for allowed origins.
36		*/
37		const VALUE_ALLOW_ORIGIN_ALL = CorsResponseHeaders::VALUE_ALLOW_ORIGIN_ALL;
38
39		/**
40		* 'All' values for allowed headers.
41		*/
42		const VALUE_ALLOW_ALL_HEADERS = '*';
43
44		/**
45		* @var string\|array If specified as array (recommended for better performance) it should
46		* be in parse_url() result format.
47		*
48		* @see http://php.net/manual/function.parse-url.php
49		*/
50		private $serverOrigin = [
51		'scheme' => '',
52		'host' => ParsedUrlInterface::DEFAULT_PORT,
53		'port' => '',
54		];
55
56		/**
57		* A list of allowed request origins (lower-cased, no trail slashes).
58		* Value `true` enables and value `null` disables origin.
59		* If all origins '*' are enabled all settings for other origins are ignored.
60		*
61		* For example,
62		*
63		* $allowedOrigins = [
64		* 'http://example.com:123' => true,
65		* 'http://evil.com' => null,
66		* self::VALUE_ALLOW_ORIGIN_ALL => null,
67		* ];
68		*
69		* @var array
70		*/
71		private $allowedOrigins = [];
72
73		/**
74		* A list of allowed request methods (case sensitive). Value `true` enables and value `null` disables method.
75		*
76		* For example,
77		*
78		* $allowedMethods = [
79		* 'GET' => true,
80		* 'PATCH' => true,
81		* 'POST' => true,
82		* 'PUT' => null,
83		* 'DELETE' => true,
84		* ];
85		*
86		* Security Note: you have to remember CORS is not access control system and you should not expect all cross-origin
87		* requests will have pre-flights. For so-called 'simple' methods with so-called 'simple' headers request
88		* will be made without pre-flight. Thus you can not restrict such requests with CORS and should use other means.
89		* For example method 'GET' without any headers or with only 'simple' headers will not have pre-flight request so
90		* disabling it will not restrict access to resource(s).
91		*
92		* You can read more on 'simple' methods at http://www.w3.org/TR/cors/#simple-method
93		*
94		* @var array
95		*/
96		private $allowedMethods = [];
97
98		/**
99		* A list of allowed request headers (lower-cased). Value `true` enables and value `null` disables header.
100		*
101		* For example,
102		*
103		* $allowedHeaders = [
104		* 'content-type' => true,
105		* 'x-custom-request-header' => null,
106		* self::VALUE_ALLOW_ALL_HEADERS => null,
107		* ];
108		*
109		* Security Note: you have to remember CORS is not access control system and you should not expect all cross-origin
110		* requests will have pre-flights. For so-called 'simple' methods with so-called 'simple' headers request
111		* will be made without pre-flight. Thus you can not restrict such requests with CORS and should use other means.
112		* For example method 'GET' without any headers or with only 'simple' headers will not have pre-flight request so
113		* disabling it will not restrict access to resource(s).
114		*
115		* You can read more on 'simple' headers at http://www.w3.org/TR/cors/#simple-header
116		*
117		* @var array
118		*/
119		private $allowedHeaders = [];
120
121		/**
122		* A list of headers (case insensitive) which will be made accessible to user agent (browser) in response.
123		* Value `true` enables and value `null` disables header.
124		*
125		* For example,
126		*
127		* $exposedHeaders = [
128		* 'Content-Type' => true,
129		* 'X-Custom-Response-Header' => true,
130		* 'X-Disabled-Header' => null,
131		* ];
132		*
133		* @var string[]
134		*/
135		private $exposedHeaders = [];
136
137		/**
138		* If access with credentials is supported by the resource.
139		*
140		* @var bool
141		*/
142		private $isUsingCredentials = false;
143
144		/**
145		* Pre-flight response cache max period in seconds.
146		*
147		* @var int
148		*/
149		private $preFlightCacheMaxAge = 0;
150
151		/**
152		* If allowed methods should be added to pre-flight response when 'simple' method is requested (see #6.2.9 CORS).
153		*
154		* @see http://www.w3.org/TR/cors/#resource-preflight-requests
155		*
156		* @var bool
157		*/
158		private $isForceAddMethods = false;
159
160		/**
161		* If allowed headers should be added when request headers are 'simple' and
162		* non of them is 'Content-Type' (see #6.2.10 CORS).
163		*
164		* @see http://www.w3.org/TR/cors/#resource-preflight-requests
165		*
166		* @var bool
167		*/
168		private $isForceAddHeaders = false;
169
170		/**
171		* If request 'Host' header should be checked against server's origin.
172		*
173		* @var bool
174		*/
175		private $isCheckHost = false;
176
177		/**
178		* @inheritdoc
179		*/
180	10	public function getServerOrigin()
181		{
182	10	return $this->serverOrigin;
183		}
184
185		/**
186		* @inheritdoc
187		*/
188	17	public function setServerOrigin($origin)
189		{
190	17	$this->serverOrigin = $origin;
191
192	17	return $this;
193		}
194
195		/**
196		* @inheritdoc
197		*/
198	3	public function isPreFlightCanBeCached(RequestInterface $request)
199		{
200	3	return $this->getPreFlightCacheMaxAge($request) > 0;
201		}
202
203		/**
204		* @inheritdoc
205		*/
206	3	public function getPreFlightCacheMaxAge(RequestInterface $request)
207		{
208	3	return $this->preFlightCacheMaxAge;
209		}
210
211		/**
212		* @inheritdoc
213		*/
214	9	public function setPreFlightCacheMaxAge($cacheMaxAge)
215		{
216	9	$this->preFlightCacheMaxAge = $cacheMaxAge;
217
218	9	return $this;
219		}
220
221		/**
222		* @inheritdoc
223		*/
224	2	public function isForceAddAllowedMethodsToPreFlightResponse()
225		{
226	2	return $this->isForceAddMethods;
227		}
228
229		/**
230		* @inheritdoc
231		*/
232	9	public function setForceAddAllowedMethodsToPreFlightResponse($forceFlag)
233		{
234	9	$this->isForceAddMethods = $forceFlag;
235
236	9	return $this;
237		}
238
239		/**
240		* @inheritdoc
241		*/
242	1	public function isForceAddAllowedHeadersToPreFlightResponse()
243		{
244	1	return $this->isForceAddHeaders;
245		}
246
247		/**
248		* @inheritdoc
249		*/
250	9	public function setForceAddAllowedHeadersToPreFlightResponse($forceFlag)
251		{
252	9	$this->isForceAddHeaders = $forceFlag;
253
254	9	return $this;
255		}
256
257		/**
258		* @inheritdoc
259		*/
260	4	public function isRequestCredentialsSupported(RequestInterface $request)
261		{
262	4	return $this->isUsingCredentials;
263		}
264
265		/**
266		* @inheritdoc
267		*/
268	17	public function setRequestCredentialsSupported($isSupported)
269		{
270	17	$this->isUsingCredentials = $isSupported;
271
272	17	return $this;
273		}
274
275		/**
276		* @inheritdoc
277		*/
278	8	public function isRequestOriginAllowed(ParsedUrlInterface $requestOrigin)
279		{
280		// check if all origins are allowed with '*'
281	8	$isAllowed = isset($this->allowedOrigins[CorsResponseHeaders::VALUE_ALLOW_ORIGIN_ALL]);
282
283	8	if ($isAllowed === false) {
284	8	$requestOriginStr = strtolower($requestOrigin->getOrigin());
285	8	$isAllowed = isset($this->allowedOrigins[$requestOriginStr]);
286	8	}
287
288	8	return $isAllowed;
289		}
290
291		/**
292		* @inheritdoc
293		*/
294	17	public function setRequestAllowedOrigins(array $origins)
295		{
296	17	$this->allowedOrigins = $origins;
297
298	17	return $this;
299		}
300
301		/**
302		* @inheritdoc
303		*/
304	5	public function isRequestMethodSupported($method)
305		{
306	5	$isAllowed = isset($this->allowedMethods[$method]);
307
308	5	return $isAllowed;
309		}
310
311		/**
312		* @inheritdoc
313		*/
314	5	public function isRequestAllHeadersSupported($headers)
315		{
316	5	$allSupported = true;
317
318	5	if (isset($this->allowedHeaders[self::VALUE_ALLOW_ALL_HEADERS]) === true) {
319	1	return $allSupported;
320		}
321
322	4	foreach ($headers as $header) {
323	4	$header = strtolower($header);
324	4	if (isset($this->allowedHeaders[$header]) === false) {
325	2	$allSupported = false;
326	2	$this->logInfo(
327	2	'Request header is not allowed. Check config settings for Allowed Headers.',
328	2	['header' => $header]
329	2	);
330	2	break;
331		}
332	4	}
333
334	4	return $allSupported;
335		}
336
337		/**
338		* @inheritdoc
339		*/
340	3	public function getRequestAllowedMethods(RequestInterface $request, $requestMethod)
341		{
342	3	return implode(', ', $this->getEnabledItems($this->allowedMethods));
343		}
344
345		/**
346		* @inheritdoc
347		*/
348	17	public function setRequestAllowedMethods(array $methods)
349		{
350	17	$this->allowedMethods = $methods;
351
352	17	return $this;
353		}
354
355		/**
356		* @inheritdoc
357		*/
358	3	public function getRequestAllowedHeaders(RequestInterface $request, array $requestHeaders)
359		{
360	3	return implode(', ', $this->getEnabledItems($this->allowedHeaders));
361		}
362
363		/**
364		* @inheritdoc
365		*/
366	17	public function setRequestAllowedHeaders(array $headers)
367		{
368	17	$this->allowedHeaders = $headers;
369
370	17	return $this;
371		}
372
373		/**
374		* @inheritdoc
375		*/
376	2	public function getResponseExposedHeaders(RequestInterface $request)
377		{
378	2	return $this->getEnabledItems($this->exposedHeaders);
379		}
380
381		/**
382		* @inheritdoc
383		*/
384	17	public function setResponseExposedHeaders(array $headers)
385		{
386	17	$this->exposedHeaders = $headers;
387
388	17	return $this;
389		}
390
391		/**
392		* @inheritdoc
393		*/
394	10	public function isCheckHost()
395		{
396	10	return $this->isCheckHost;
397		}
398
399		/**
400		* @inheritdoc
401		*/
402	17	public function setCheckHost($checkFlag)
403		{
404	17	$this->isCheckHost = $checkFlag;
405
406	17	return $this;
407		}
408
409		/**
410		* Select only enabled items from $list.
411		*
412		* @param array $list
413		*
414		* @return array
415		*/
416	6	protected function getEnabledItems(array $list)
417		{
418	6	$items = [];
419
420	6	foreach ($list as $item => $enabled) {
421	6	if ($enabled === true) {
422	6	$items[] = $item;
423	6	}
424	6	}
425
426	6	return $items;
427		}
428		}
429

neomerx / cors-psr7

Push — master ( 6e86f3...1e378a )

Settings::setCheckHost() A

Complexity

Size

Duplication

Code Coverage

Importance

Duplication Side-by-Side

Filter issues like