RequestObjectFactory - Code Metrics - thomasvargiu/php-openid-client - Measure and Improve Code Quality continuously with Scrutinizer

RequestObjectFactory A
last analyzed 2019-07-22 14:09 UTC

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	150
Duplicated Lines	0 %

Test Coverage

Coverage

96.1%

Importance

Changes	4
Bugs	0	Features	0

Metric	Value
eloc	78
dl	0
loc	150
ccs	74
cts	77
cp	0.961
rs	10
c	4
b	0
f	0
wmc	27

5 Methods

Rating	Name	Size	Complexity
A	createPayload()	19	2
A	__construct()	16	6
A	create()	6	1
B	createEncryptedToken()	45	9
B	createSignedToken()	39	9

<?php

declare(strict_types=1);

namespace TMV\OpenIdClient\RequestObject;

use function array_filter;
use function array_merge;
use function implode;
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Encryption\Compression\CompressionMethodManager;
use Jose\Component\Encryption\Compression\Deflate;
use Jose\Component\Encryption\JWEBuilder;
use Jose\Component\Encryption\Serializer\CompactSerializer as EncryptionCompactSerializer;
use Jose\Component\Encryption\Serializer\JWESerializer;
use Jose\Component\Signature\Algorithm\None;
use Jose\Component\Signature\Algorithm\RS256;
use Jose\Component\Signature\JWSBuilder;
use Jose\Component\Signature\Serializer\CompactSerializer as SignatureCompactSerializer;
use Jose\Component\Signature\Serializer\JWSSerializer;
use function json_encode;
use function preg_match;
use function random_bytes;
use function strpos;
use function time;
use function TMV\OpenIdClient\base64url_encode;
use TMV\OpenIdClient\Client\ClientInterface;
use TMV\OpenIdClient\Exception\RuntimeException;
use function TMV\OpenIdClient\jose_secret_key;

class RequestObjectFactory
{
    /** @var AlgorithmManager */
    private $algorithmManager;

    /** @var JWSBuilder */
    private $jwsBuilder;

    /** @var JWEBuilder */
    private $jweBuilder;

    /** @var JWSSerializer */
    private $signatureSerializer;

    /** @var JWESerializer */
    private $encryptionSerializer;

    public function __construct(
        ?AlgorithmManager $algorithmManager = null,
        ?JWSBuilder $jwsBuilder = null,
        ?JWEBuilder $jweBuilder = null,
        ?JWSSerializer $signatureSerializer = null,
        ?JWESerializer $encryptionSerializer = null
    ) {
        $this->algorithmManager = $algorithmManager ?: new AlgorithmManager([new None(), new RS256()]);
        $this->jwsBuilder = $jwsBuilder ?: new JWSBuilder($this->algorithmManager);
        $this->jweBuilder = $jweBuilder ?: new JWEBuilder(
            $this->algorithmManager,
            $this->algorithmManager,
            new CompressionMethodManager([new Deflate()])
        );
        $this->signatureSerializer = $signatureSerializer ?: new SignatureCompactSerializer();
        $this->encryptionSerializer = $encryptionSerializer ?: new EncryptionCompactSerializer();
    }

    public function create(ClientInterface $client, array $params = []): string
    {
        $payload = $this->createPayload($client, $params);
        $signedToken = $this->createSignedToken($client, $payload);

        return $this->createEncryptedToken($client, $signedToken);
    }

    private function createPayload(ClientInterface $client, array $params = []): string
    {
        $metadata = $client->getMetadata();
        $issuer = $client->getIssuer();

        $payload = json_encode(array_merge($params, [
            'iss' => $metadata->getClientId(),
            'aud' => $issuer->getMetadata()->getIssuer(),
            'client_id' => $metadata->getClientId(),
            'jti' => base64url_encode(random_bytes(32)),
            'iat' => time(),
            'exp' => time() + 300,
        ]));

        if (false === $payload) {
            throw new RuntimeException('Unable to encode payload');
        }

        return $payload;
    }

    private function createSignedToken(ClientInterface $client, string $payload): string
    {
        $metadata = $client->getMetadata();

        /** @var string $alg */
        $alg = $metadata->get('request_object_signing_alg') ?: 'none';

        if ('none' === $alg) {
            return implode('.', [
                base64url_encode((string) json_encode(['alg' => $alg])),
                base64url_encode($payload),
                '',
            ]);
        }

        if (0 === strpos($alg, 'HS')) {
            $jwk = jose_secret_key($metadata->getClientSecret() ?: '');
        } else {
            $jwk = $client->getJwks()->selectKey('sig', $this->algorithmManager->get($alg));
        }

        if (null === $jwk) {
            throw new RuntimeException('No key to sign with alg ' . $alg);
        }

        $ktyIsOct = $jwk->has('kty') && $jwk->get('kty') === 'oct';

        $header = array_filter([
            'alg' => $alg,
            'typ' => 'JWT',
            'kid' => ! $ktyIsOct && $jwk->has('kid') ? $jwk->get('kid') : null,
        ]);

        $jws = $this->jwsBuilder->create()
            ->withPayload($payload)
            ->addSignature($jwk, $header)
            ->build();

        return $this->signatureSerializer->serialize($jws, 0);
    }

    private function createEncryptedToken(ClientInterface $client, string $payload): string
    {
        $metadata = $client->getMetadata();

        /** @var null|string $alg */
        $alg = $metadata->get('request_object_encryption_alg');

        if (null === $alg) {
            return $payload;
        }

        /** @var null|string $enc */
        $enc = $metadata->get('request_object_encryption_enc');

        if ((bool) preg_match('/^(RSA|ECDH)/', $alg)) {
            $jwk = $client->getIssuer()
                ->getJwks()
                ->selectKey('enc', $this->algorithmManager->get($alg));
        } else {
            $jwk = jose_secret_key(
                $metadata->getClientSecret() ?: '',
                'dir' === $alg ? $enc : $alg
            );
        }

        if (null === $jwk) {
            throw new RuntimeException('No key to sign with alg ' . $alg);
        }

        $ktyIsOct = $jwk->has('kty') && $jwk->get('kty') === 'oct';

        $header = array_filter([
            'alg' => $alg,
            'enc' => $enc,
            'cty' => 'JWT',
            'kid' => ! $ktyIsOct && $jwk->has('kid') ? $jwk->get('kid') : null,
        ]);

        $jwe = $this->jweBuilder->create()
            ->withPayload($payload)
            ->withSharedProtectedHeader($header)
            ->addRecipient($jwk)
            ->build();

        return $this->encryptionSerializer->serialize($jwe, 0);
    }
}


1		<?php
2
3		declare(strict_types=1);
4
5		namespace TMV\OpenIdClient\RequestObject;
6
7		use function array_filter;
8		use function array_merge;
9		use function implode;
10		use Jose\Component\Core\AlgorithmManager;
11		use Jose\Component\Encryption\Compression\CompressionMethodManager;
12		use Jose\Component\Encryption\Compression\Deflate;
13		use Jose\Component\Encryption\JWEBuilder;
14		use Jose\Component\Encryption\Serializer\CompactSerializer as EncryptionCompactSerializer;
15		use Jose\Component\Encryption\Serializer\JWESerializer;
16		use Jose\Component\Signature\Algorithm\None;
17		use Jose\Component\Signature\Algorithm\RS256;
18		use Jose\Component\Signature\JWSBuilder;
19		use Jose\Component\Signature\Serializer\CompactSerializer as SignatureCompactSerializer;
20		use Jose\Component\Signature\Serializer\JWSSerializer;
21		use function json_encode;
22		use function preg_match;
23		use function random_bytes;
24		use function strpos;
25		use function time;
26		use function TMV\OpenIdClient\base64url_encode;
27		use TMV\OpenIdClient\Client\ClientInterface;
28		use TMV\OpenIdClient\Exception\RuntimeException;
29		use function TMV\OpenIdClient\jose_secret_key;
30
31		class RequestObjectFactory
32		{
33		/** @var AlgorithmManager */
34		private $algorithmManager;
35
36		/** @var JWSBuilder */
37		private $jwsBuilder;
38
39		/** @var JWEBuilder */
40		private $jweBuilder;
41
42		/** @var JWSSerializer */
43		private $signatureSerializer;
44
45		/** @var JWESerializer */
46		private $encryptionSerializer;
47
48	6	public function __construct(
49		?AlgorithmManager $algorithmManager = null,
50		?JWSBuilder $jwsBuilder = null,
51		?JWEBuilder $jweBuilder = null,
52		?JWSSerializer $signatureSerializer = null,
53		?JWESerializer $encryptionSerializer = null
54		) {
55	6	$this->algorithmManager = $algorithmManager ?: new AlgorithmManager([new None(), new RS256()]);
56	6	$this->jwsBuilder = $jwsBuilder ?: new JWSBuilder($this->algorithmManager);
57	6	$this->jweBuilder = $jweBuilder ?: new JWEBuilder(
58	1	$this->algorithmManager,
59	1	$this->algorithmManager,
60	1	new CompressionMethodManager([new Deflate()])
61		);
62	6	$this->signatureSerializer = $signatureSerializer ?: new SignatureCompactSerializer();
63	6	$this->encryptionSerializer = $encryptionSerializer ?: new EncryptionCompactSerializer();
64	6	}
65
66	5	public function create(ClientInterface $client, array $params = []): string
67		{
68	5	$payload = $this->createPayload($client, $params);
69	5	$signedToken = $this->createSignedToken($client, $payload);
70
71	5	return $this->createEncryptedToken($client, $signedToken);
72		}
73
74	5	private function createPayload(ClientInterface $client, array $params = []): string
75		{
76	5	$metadata = $client->getMetadata();
77	5	$issuer = $client->getIssuer();
78
79	5	$payload = json_encode(array_merge($params, [
80	5	'iss' => $metadata->getClientId(),
81	5	'aud' => $issuer->getMetadata()->getIssuer(),
82	5	'client_id' => $metadata->getClientId(),
83	5	'jti' => base64url_encode(random_bytes(32)),
84	5	'iat' => time(),
85	5	'exp' => time() + 300,
86		]));
87
88	5	if (false === $payload) {
89		throw new RuntimeException('Unable to encode payload');
90		}
91
92	5	return $payload;
93		}
94
95	5	private function createSignedToken(ClientInterface $client, string $payload): string
96		{
97	5	$metadata = $client->getMetadata();
98
99		/** @var string $alg */
100	5	$alg = $metadata->get('request_object_signing_alg') ?: 'none';
101
102	5	if ('none' === $alg) {
103	3	return implode('.', [
104	3	base64url_encode((string) json_encode(['alg' => $alg])),
105	3	base64url_encode($payload),
106	3	'',
107		]);
108		}
109
110	2	if (0 === strpos($alg, 'HS')) {
111	1	$jwk = jose_secret_key($metadata->getClientSecret() ?: '');
112		} else {
113	1	$jwk = $client->getJwks()->selectKey('sig', $this->algorithmManager->get($alg));
114		}
115
116	2	if (null === $jwk) {
117		throw new RuntimeException('No key to sign with alg ' . $alg);
118		}
119
120	2	$ktyIsOct = $jwk->has('kty') && $jwk->get('kty') === 'oct';
121
122	2	$header = array_filter([
123	2	'alg' => $alg,
124	2	'typ' => 'JWT',
125	2	'kid' => ! $ktyIsOct && $jwk->has('kid') ? $jwk->get('kid') : null,
126		]);
127
128	2	$jws = $this->jwsBuilder->create()
129	2	->withPayload($payload)
130	2	->addSignature($jwk, $header)
131	2	->build();
132
133	2	return $this->signatureSerializer->serialize($jws, 0);
134		}
135
136	5	private function createEncryptedToken(ClientInterface $client, string $payload): string
137		{
138	5	$metadata = $client->getMetadata();
139
140		/** @var null\|string $alg */
141	5	$alg = $metadata->get('request_object_encryption_alg');
142
143	5	if (null === $alg) {
144	3	return $payload;
145		}
146
147		/** @var null\|string $enc */
148	2	$enc = $metadata->get('request_object_encryption_enc');
149
150	2	if ((bool) preg_match('/^(RSA\|ECDH)/', $alg)) {
151	1	$jwk = $client->getIssuer()
152	1	->getJwks()
153	1	->selectKey('enc', $this->algorithmManager->get($alg));
154		} else {
155	1	$jwk = jose_secret_key(
156	1	$metadata->getClientSecret() ?: '',
157	1	'dir' === $alg ? $enc : $alg
158		);
159		}
160
161	2	if (null === $jwk) {
162		throw new RuntimeException('No key to sign with alg ' . $alg);
163		}
164
165	2	$ktyIsOct = $jwk->has('kty') && $jwk->get('kty') === 'oct';
166
167	2	$header = array_filter([
168	2	'alg' => $alg,
169	2	'enc' => $enc,
170	2	'cty' => 'JWT',
171	2	'kid' => ! $ktyIsOct && $jwk->has('kid') ? $jwk->get('kid') : null,
172		]);
173
174	2	$jwe = $this->jweBuilder->create()
175	2	->withPayload($payload)
176	2	->withSharedProtectedHeader($header)
177	2	->addRecipient($jwk)
178	2	->build();
179
180	2	return $this->encryptionSerializer->serialize($jwe, 0);
181		}
182		}
183

thomasvargiu / php-openid-client

RequestObjectFactory A last analyzed 2019-07-22 14:09 UTC

Complexity

Size/Duplication

Test Coverage

Importance

5 Methods

Duplication Side-by-Side

Filter issues like

RequestObjectFactory A
last analyzed 2019-07-22 14:09 UTC