ParameterConfirmationToken - Code Metrics - Inspection of "API Refactor bootstrap, request handling" - silverstripe/silverstripe-framework - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 4ad6bd...3873e4 )

by Ingo

created 2017-06-22 10:53 UTC

ParameterConfirmationToken A

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	222
Duplicated Lines	0 %

Coupling/Cohesion

Components	1
Dependencies	5

Importance

Changes

Metric	Value
dl	0
loc	222
rs	10
c	0
b	0
f	0
wmc	19
lcom	1
cbo	5

13 Methods

Rating	Name	Size	Complexity
A	pathForToken()	4	1
A	genToken()	11	1
A	checkToken()	16	3
A	__construct()	15	2
A	getName()	4	1
A	parameterProvided()	4	1
A	tokenProvided()	4	1
A	reloadRequired()	4	2
A	suppress()	4	1
A	params()	7	1
A	currentURL()	8	1
A	reloadWithToken()	21	1
A	prepare_tokens()	13	3

<?php

namespace SilverStripe\Core\Startup;

use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Core\Convert;
use SilverStripe\Security\RandomGenerator;

/**
 * Class ParameterConfirmationToken
 *
 * When you need to use a dangerous GET parameter that needs to be set before core/Core.php is
 * established, this class takes care of allowing some other code of confirming the parameter,
 * by generating a one-time-use token & redirecting with that token included in the redirected URL
 *
 * WARNING: This class is experimental and designed specifically for use pre-startup in main.php
 * It will likely be heavily refactored before the release of 3.2
 */
class ParameterConfirmationToken
{

    /**
     * The name of the parameter
     *
     * @var string
     */
    protected $parameterName = null;

    /**
     * @var HTTPRequest
     */
    protected $request = null;

    /**
     * The parameter given
     *
     * @var string|null The string value, or null if not provided
     */
    protected $parameter = null;

    /**
     * The validated and checked token for this parameter
     *
     * @var string|null A string value, or null if either not provided or invalid
     */
    protected $token = null;

    protected function pathForToken($token)
    {
        return TEMP_FOLDER.'/token_'.preg_replace('/[^a-z0-9]+/', '', $token);
    }

    /**
     * Generate a new random token and store it
     *
     * @return string Token name
     */
    protected function genToken()
    {
        // Generate a new random token (as random as possible)
        $rg = new RandomGenerator();
        $token = $rg->randomToken('md5');

        // Store a file in the session save path (safer than /tmp, as open_basedir might limit that)
        file_put_contents($this->pathForToken($token), $token);

        return $token;
    }

    /**
     * Validate a token
     *
     * @param string $token
     * @return boolean True if the token is valid
     */
    protected function checkToken($token)
    {
        if (!$token) {
            return false;
        }

        $file = $this->pathForToken($token);
        $content = null;

        if (file_exists($file)) {
            $content = file_get_contents($file);
            unlink($file);
        }

        return $content == $token;
    }

    /**
     * Create a new ParameterConfirmationToken
     *
     * @param string $parameterName Name of the querystring parameter to check
     * @param HTTPRequest $request
     */
    public function __construct($parameterName, HTTPRequest $request)
    {
        // Store the parameter name
        $this->parameterName = $parameterName;
        $this->request = $request;

        // Store the parameter value
        $this->parameter = $request->getVar($parameterName);

        // If the token provided is valid, mark it as such
        $token = $request->getVar($parameterName.'token');
        if ($this->checkToken($token)) {
            $this->token = $token;
        }
    }

    /**
     * Get the name of this token
     *
     * @return string
     */
    public function getName()
    {
        return $this->parameterName;
    }

    /**
     * Is the parameter requested?
     * ?parameter and ?parameter=1 are both considered requested
     *
     * @return bool
     */
    public function parameterProvided()
    {
        return $this->parameter !== null;
    }

    /**
     * Is the necessary token provided for this parameter?
     * A value must be provided for the token
     *
     * @return bool
     */
    public function tokenProvided()
    {
        return !empty($this->token);
    }

    /**
     * Is this parameter requested without a valid token?
     *
     * @return bool True if the parameter is given without a valid token
     */
    public function reloadRequired()
    {
        return $this->parameterProvided() && !$this->tokenProvided();
    }

    /**
     * Suppress the current parameter by unsetting it from $_GET
     */
    public function suppress()
    {
        $this->request->offsetUnset($this->parameterName);
    }

    /**
     * Determine the querystring parameters to include
     *
     * @return array List of querystring parameters with name and token parameters
     */
    public function params()
    {
        return array(
            $this->parameterName => $this->parameter,
            $this->parameterName.'token' => $this->genToken()
        );
    }

    /**
     * Get redirect url, excluding querystring
     *
     * @return string
     */
    protected function currentURL()
    {
        return Controller::join_links(
            BASE_URL,
            '/',
            $this->request->getURL(false)
        );
    }

    /**
     * Forces a reload of the request with the token included
     *
     * @return HTTPResponse
     */
    public function reloadWithToken()
    {
        // Merge get params with current url
        $params = array_merge($this->request->getVars(), $this->params());
        $location = Controller::join_links(
            $this->currentURL(),
            '?'.http_build_query($params)
        );
        $locationJS = Convert::raw2js($location);
        $locationATT = Convert::raw2att($location);
        $body = <<<HTML
<script>location.href='$locationJS';</script>
<noscript><meta http-equiv="refresh" content="0; url=$locationATT"></noscript>
You are being redirected. If you are not redirected soon, <a href="$locationATT">click here to continue the flush</a>
HTML;

        // Build response
        $result = new HTTPResponse($body);
        $result->redirect($location);
        return $result;
    }

    /**
     * Given a list of token names, suppress all tokens that have not been validated, and
     * return the non-validated token with the highest priority
     *
     * @param array $keys List of token keys in ascending priority (low to high)
     * @param HTTPRequest $request
     * @return ParameterConfirmationToken The token container for the unvalidated $key given with the highest priority
     */
    public static function prepare_tokens($keys, HTTPRequest $request)
    {
        $target = null;
        foreach ($keys as $key) {
            $token = new ParameterConfirmationToken($key, $request);
            // Validate this token
            if ($token->reloadRequired()) {
                $token->suppress();
                $target = $token;
            }
        }
        return $target;
    }
}


1			<?php
2
3			namespace SilverStripe\Core\Startup;
4
5			use SilverStripe\Control\Controller;
6			use SilverStripe\Control\HTTPRequest;
7			use SilverStripe\Control\HTTPResponse;
8			use SilverStripe\Core\Convert;
9			use SilverStripe\Security\RandomGenerator;
10
11			/**
12			* Class ParameterConfirmationToken
13			*
14			* When you need to use a dangerous GET parameter that needs to be set before core/Core.php is
15			* established, this class takes care of allowing some other code of confirming the parameter,
16			* by generating a one-time-use token & redirecting with that token included in the redirected URL
17			*
18			* WARNING: This class is experimental and designed specifically for use pre-startup in main.php
19			* It will likely be heavily refactored before the release of 3.2
20			*/
21			class ParameterConfirmationToken
22			{
23
24			/**
25			* The name of the parameter
26			*
27			* @var string
28			*/
29			protected $parameterName = null;
30
31			/**
32			* @var HTTPRequest
33			*/
34			protected $request = null;
35
36			/**
37			* The parameter given
38			*
39			* @var string\|null The string value, or null if not provided
40			*/
41			protected $parameter = null;
42
43			/**
44			* The validated and checked token for this parameter
45			*
46			* @var string\|null A string value, or null if either not provided or invalid
47			*/
48			protected $token = null;
49
50			protected function pathForToken($token)
51			{
52			return TEMP_FOLDER.'/token_'.preg_replace('/[^a-z0-9]+/', '', $token);
53			}
54
55			/**
56			* Generate a new random token and store it
57			*
58			* @return string Token name
59			*/
60			protected function genToken()
61			{
62			// Generate a new random token (as random as possible)
63			$rg = new RandomGenerator();
64			$token = $rg->randomToken('md5');
65
66			// Store a file in the session save path (safer than /tmp, as open_basedir might limit that)
67			file_put_contents($this->pathForToken($token), $token);
68
69			return $token;
70			}
71
72			/**
73			* Validate a token
74			*
75			* @param string $token
76			* @return boolean True if the token is valid
77			*/
78			protected function checkToken($token)
79			{
80			if (!$token) {
81			return false;
82			}
83
84			$file = $this->pathForToken($token);
85			$content = null;
86
87			if (file_exists($file)) {
88			$content = file_get_contents($file);
89			unlink($file);
90			}
91
92			return $content == $token;
93			}
94
95			/**
96			* Create a new ParameterConfirmationToken
97			*
98			* @param string $parameterName Name of the querystring parameter to check
99			* @param HTTPRequest $request
100			*/
101			public function __construct($parameterName, HTTPRequest $request)
102			{
103			// Store the parameter name
104			$this->parameterName = $parameterName;
105			$this->request = $request;
106
107			// Store the parameter value
108			$this->parameter = $request->getVar($parameterName);
109
110			// If the token provided is valid, mark it as such
111			$token = $request->getVar($parameterName.'token');
112			if ($this->checkToken($token)) {
113			$this->token = $token;
114			}
115			}
116
117			/**
118			* Get the name of this token
119			*
120			* @return string
121			*/
122			public function getName()
123			{
124			return $this->parameterName;
125			}
126
127			/**
128			* Is the parameter requested?
129			* ?parameter and ?parameter=1 are both considered requested
130			*
131			* @return bool
132			*/
133			public function parameterProvided()
134			{
135			return $this->parameter !== null;
136			}
137
138			/**
139			* Is the necessary token provided for this parameter?
140			* A value must be provided for the token
141			*
142			* @return bool
143			*/
144			public function tokenProvided()
145			{
146			return !empty($this->token);
147			}
148
149			/**
150			* Is this parameter requested without a valid token?
151			*
152			* @return bool True if the parameter is given without a valid token
153			*/
154			public function reloadRequired()
155			{
156			return $this->parameterProvided() && !$this->tokenProvided();
157			}
158
159			/**
160			* Suppress the current parameter by unsetting it from $_GET
161			*/
162			public function suppress()
163			{
164			$this->request->offsetUnset($this->parameterName);
165			}
166
167			/**
168			* Determine the querystring parameters to include
169			*
170			* @return array List of querystring parameters with name and token parameters
171			*/
172			public function params()
173			{
174			return array(
175			$this->parameterName => $this->parameter,
176			$this->parameterName.'token' => $this->genToken()
177			);
178			}
179
180			/**
181			* Get redirect url, excluding querystring
182			*
183			* @return string
184			*/
185			protected function currentURL()
186			{
187			return Controller::join_links(
188			BASE_URL,
189			'/',
190			$this->request->getURL(false)
191			);
192			}
193
194			/**
195			* Forces a reload of the request with the token included
196			*
197			* @return HTTPResponse
198			*/
199			public function reloadWithToken()
200			{
201			// Merge get params with current url
202			$params = array_merge($this->request->getVars(), $this->params());
203			$location = Controller::join_links(
204			$this->currentURL(),
205			'?'.http_build_query($params)
206			);
207			$locationJS = Convert::raw2js($location);
208			$locationATT = Convert::raw2att($location);
209			$body = <<<HTML
210			<script>location.href='$locationJS';</script>
211			<noscript><meta http-equiv="refresh" content="0; url=$locationATT"></noscript>
212			You are being redirected. If you are not redirected soon, <a href="$locationATT">click here to continue the flush</a>
213			HTML;
214
215			// Build response
216			$result = new HTTPResponse($body);
217			$result->redirect($location);
218			return $result;
219			}
220
221			/**
222			* Given a list of token names, suppress all tokens that have not been validated, and
223			* return the non-validated token with the highest priority
224			*
225			* @param array $keys List of token keys in ascending priority (low to high)
226			* @param HTTPRequest $request
227			* @return ParameterConfirmationToken The token container for the unvalidated $key given with the highest priority
228			*/
229			public static function prepare_tokens($keys, HTTPRequest $request)
230			{
231			$target = null;
232			foreach ($keys as $key) {
233			$token = new ParameterConfirmationToken($key, $request);
234			// Validate this token
235			if ($token->reloadRequired()) {
236			$token->suppress();
237			$target = $token;
238			}
239			}
240			return $target;
241			}
242			}
243

silverstripe / silverstripe-framework

Push — master ( 4ad6bd...3873e4 )

ParameterConfirmationToken A

Complexity

Size/Duplication

Coupling/Cohesion

Importance

13 Methods

Duplication Side-by-Side

Filter issues like