CoreSecurity
in package
$this->core->security Class to manage the security access and dynamic getenv variables
Table of Contents
Properties
- $cache : mixed
- $cache_iv : mixed
- $cache_key : mixed
- $dsToken : mixed
- $error : mixed
- $errorMsg : mixed
- $last_key_cache : mixed
- $secret_vars : mixed
- $core : mixed
Methods
- __construct() : mixed
- addError() : mixed
- Add an error Message
- checkAllowedIPs() : bool
- Check if $myip is allowed by the pattern described in $allowed_ips. Example: $allowed_ips="127.0.0.1,234.45.23.123,10.0.0.0/24"
- checkAPIKey() : array<string|int, bool>|array<string|int, false>|mixed|array<string|int, string>|void
- Call https://api.clouframework.io/core/api-keys to verify an APIKey More info in: https://www.notion.so/cloudframework/CloudFrameworkSecurity-APIKeys-CFS-APIKeys-13b47034a6f14f23b836c1f4238da548
- checkBasicAuth() : mixed
- Verify user,password with Basic Authorization Header from $this->getBasicAuth()
- checkBasicAuthWithConfig() : mixed
- checkCloudFrameWorkSecurity() : mixed
- checkCrypt() : bool
- Verify a string with its encrypted value to verify the match
- checkServerKey() : mixed
- checkWebKey() : array<string|int, mixed>|false|mixed
- compress() : mixed
- crypt() : string|null
- One-way string encryption (hashing)
- deactivateDSToken() : array<string|int, mixed>|bool|void
- Change the status = 0
- decrypt() : mixed
- deleteDSToken() : array<string|int, mixed>|bool|void
- Delete the entity with KeyName=$token
- encrypt() : string
- Method to encrypt a plain text string. The initialization vector (IV) has to be the same when encrypting and decrypting. Based on: https://gist.github.com/joashp/a1ae9cb30fa533f4ad94
- existBasicAuth() : bool
- Check if a Basic Authorization header exists
- existBasicAuthConfig() : mixed
- existServerKey() : mixed
- existWebKey() : mixed
- generateCloudFrameWorkSecurityString() : mixed
- generateRandomString() : string
- It generates a random unique string.
- getBasicAuth() : mixed
- Return an array with [user,password] from PHP_AUTH_USER, PHP_AUTH_PW or if they don't exist HTTP_AUTHORIZATION header
- getCache() : mixed|null
- Get var Cache of the module
- getCloudFrameWorkSecurityInfo() : mixed
- getDSToken() : array<string|int, mixed>|mixed
- Verify a Token with different rules and return the content of the field JSONZIP, unzipping it.
- getDSTokenInfo() : array<string|int, mixed>|mixed
- Just Read a Token from Database
- getERPSecretVar() : mixed
- Return a specific secret var from ERP
- getGoogleAccessToken() : array<string|int, mixed>|void
- Prompt the user to generate a token
- getGoogleAccessTokenInfo() : mixed|string
- Retrieve info about a Google Access Token. For example you can generate a localhost token using: gcloud auth print-access-token --account={{personal_email_user}} or you can get an instance token with: $metadata = new Google\Cloud\Core\Compute\Metadata(); $ret = json_decode($metadata->get('instance/service-accounts/default/token'),true)['access_token'];
- getGoogleEmailAccount() : mixed
- Get the Google user email that the terminal or the instance (appengine, computeengine, or user localhost..) is using.
- getGoogleIdentityToken() : string|void
- Get an Identity token for the $user https://cloud.google.com/compute/docs/instances/verifying-instance-identity#curl https://cloud.google.com/compute/docs/instances/verifying-instance-identity#token_format
- getGoogleIdentityTokenInfo() : array<string|int, mixed>|bool|null
- Retrieve info about a Google Identity Token https://developers.google.com/identity/gsi/web/guides/verify-google-id-token https://cloud.google.com/compute/docs/instances/verifying-instance-identity#token_format
- getGoogleTokenInfo() : array<string|int, mixed>|void
- Return info about an Access Token or Identity Tokens This function call getGoogleAccessTokenInfo($token) or getGoogleIdentityTokenInfo($token) depending on $token format
- getHeader() : mixed
- getSecretVar() : mixed|null
- Return the secret value of $secret_key
- getSecretVars() : mixed|null
- Return $this->secret_vars
- getServerKey() : mixed
- getWebKey() : mixed|string
- Read $_GET['web-key'] or HEADER X-WEB-KEY
- isCron() : bool
- It says if the call is being made by the App Engine Cron service.
- jwt_decode() : string
- It decodes a JSON Web Token using a public key, based on https://github.com/firebase/php-jwt. To generate the public key use ../scripts/jwtRS256.sh
- jwt_encode() : string|null
- It generates a JSON Web Token using a private key, based on https://github.com/firebase/php-jwt. To generate the private key use ../scripts/jwtRS256.sh
- prompt() : false|string|null
- Execute a user Prompt
- readCache() : mixed
- Reset Cache of the module
- readERPDeveloperEncryptedSubKeys() : bool|void
- Read the development subkeys used to encrypt locally the cache where the secrets will be stored. In production these subkeys are cached to increase performance and because the risk that someone has access to the cache server is low. They rotate every day.
- readERPSecretVars() : mixed|null
- Return a secret var stored in CloudFramework Secret Manager through the ERP/BPA $this->get('core.gcp.secrets.env_vars') in the $this->get('core.gcp.secrets.project_id')
- readMyERPSecretsVars() : mixed
- GET from CloudFramework ERP the secrets of the user who is running the script or of the GCP App Engine, Cloud Function or Compute Engine instance. If the user is running on localhost they will be prompted. If running on a GCP engine it will use the token of the instance.
- replaceAccentedCharacters() : string|array<string|int, mixed>
- Replace Accented characters to avoid Key troubles source: https://stackoverflow.com/questions/3371697/replacing-accented-characters-php
- resetCache() : mixed
- Reset Cache of the module
- resetCacheForERPSecretVars() : mixed
- Reset Cache of the module
- resetERPCache() : mixed
- Reset the cache for the ERP Secrets
- setDSToken() : mixed
- setSecretVar() : mixed
- Assign a $secret_value to the secret $secret_key
- uncompress() : mixed
- updateCache() : mixed
- Update Cache of the module
- updateDSToken() : array<string|int, mixed>|bool|void
- Update the token data.
- urlsafeB64Decode() : mixed
- urlsafeB64Encode() : mixed
- checkIPs() : bool
- createDSToken() : mixed
Properties
$cache
public
mixed
$cache
= \null
$cache_iv
public
mixed
$cache_iv
= \null
$cache_key
public
mixed
$cache_key
= \null
$dsToken
public
mixed
$dsToken
= \null
$error
public
mixed
$error
= \false
$errorMsg
public
mixed
$errorMsg
= []
$last_key_cache
public
mixed
$last_key_cache
= \null
$secret_vars
public
mixed
$secret_vars
= \null
$core
private
mixed
$core
Methods
__construct()
public
__construct(Core7 &$core) : mixed
Parameters
- $core : Core7
addError()
Add an error Message
public
addError( $value) : mixed
Parameters
checkAllowedIPs()
Check if $myip is allowed by the pattern described in $allowed_ips. Example: $allowed_ips="127.0.0.1,234.45.23.123,10.0.0.0/24"
public
checkAllowedIPs(string $allowed_ips[, null $myip = null ]) : bool
Parameters
- $allowed_ips : string
-
Here You describe the IPs or subnets separated by ','. '*' value means any IP
- $myip : null = null
-
Optional. By default it is $this->core->system->ip
Return values
bool
checkAPIKey()
Call https://api.clouframework.io/core/api-keys to verify an APIKey More info in: https://www.notion.so/cloudframework/CloudFrameworkSecurity-APIKeys-CFS-APIKeys-13b47034a6f14f23b836c1f4238da548
public
checkAPIKey(string $token, string $key[, string $namespace = 'cloudframework' ][, string $org = 'common' ]) : array<string|int, bool>|array<string|int, false>|mixed|array<string|int, string>|void
Parameters
- $token : string
-
token of the entity of CloudFrameWorkAPIKeys
- $key : string
-
key of the APIKey to evaluate if it exists
- $namespace : string = 'cloudframework'
-
spacename of the data. Default cloudframework.
- $org : string = 'common'
-
organization of the entity inside of the spacename. Default common
Return values
array<string|int, bool>|array<string|int, false>|mixed|array<string|int, string>|void
checkBasicAuth()
Verify user,password with Basic Authorization Header from $this->getBasicAuth()
public
checkBasicAuth(mixed $user, mixed $passw) : mixed
Parameters
- $user : mixed
- $passw : mixed
checkBasicAuthWithConfig()
public
checkBasicAuthWithConfig() : mixed
checkCloudFrameWorkSecurity()
public
checkCloudFrameWorkSecurity([mixed $maxSeconds = 0 ][, mixed $id = '' ][, mixed $secret = '' ]) : mixed
Parameters
- $maxSeconds : mixed = 0
- $id : mixed = ''
- $secret : mixed = ''
checkCrypt()
Verify a string with its encrypted value to verify the match
public
checkCrypt(string|array<string|int, mixed> $input[, string|null $input_encrypted = null ]) : bool
Parameters
- $input : string|array<string|int, mixed>
-
original input encrypted
- $input_encrypted : string|null = null
-
Encrypted string to compare. If null or empty is provided it will try to get the value from $this->core->config->get("core.security.password")
Return values
bool
checkServerKey()
public
checkServerKey([mixed $keys = null ]) : mixed
Parameters
- $keys : mixed = null
checkWebKey()
public
checkWebKey([null $keys = null ]) : array<string|int, mixed>|false|mixed
Parameters
- $keys : null = null
Return values
array<string|int, mixed>|false|mixed
compress()
public
compress(mixed $data) : mixed
Parameters
- $data : mixed
crypt()
One-way string encryption (hashing)
public
crypt(string|array<string|int, mixed> $input[, int $rounds = 7 ]) : string|null
Parameters
- $input : string|array<string|int, mixed>
-
The string or array to encrypt. If an array is provided it will be converted to a string with json_encode. If the length of $input > 72 then it returns null
- $rounds : int = 7
Return values
string|null
deactivateDSToken()
Change the status = 0
public
deactivateDSToken( $token) : array<string|int, mixed>|bool|void
Parameters
Return values
array<string|int, mixed>|bool|void —If the operation succeeds it returns the array with the affected record
decrypt()
public
decrypt(mixed $encrypted_text[, mixed $secret_key = '' ][, mixed $secret_iv = '' ]) : mixed
Parameters
- $encrypted_text : mixed
- $secret_key : mixed = ''
- $secret_iv : mixed = ''
deleteDSToken()
Delete the entity with KeyName=$token
public
deleteDSToken( $token) : array<string|int, mixed>|bool|void
Parameters
Return values
array<string|int, mixed>|bool|void —If the deletion succeeds it returns the array with the deleted record
encrypt()
Method to encrypt a plain text string. The initialization vector (IV) has to be the same when encrypting and decrypting. Based on: https://gist.github.com/joashp/a1ae9cb30fa533f4ad94
public
encrypt(mixed $text[, string $secret_key = '' ][, string $secret_iv = '' ]) : string
Parameters
- $text : mixed
- $secret_key : string = ''
-
optional secret key. If empty it will take it from config-vars: core.security.encrypt_key
- $secret_iv : string = ''
-
optional secret IV. If empty it will take it from config-vars: core.security.encrypt_secret
Return values
string —in base64
existBasicAuth()
Check if a Basic Authorization header exists
public
existBasicAuth() : bool
Return values
bool —telling
existBasicAuthConfig()
public
existBasicAuthConfig() : mixed
existServerKey()
public
existServerKey() : mixed
existWebKey()
public
existWebKey() : mixed
generateCloudFrameWorkSecurityString()
public
generateCloudFrameWorkSecurityString([mixed $id = '' ][, mixed $time = '' ][, mixed $secret = '' ]) : mixed
Parameters
- $id : mixed = ''
- $time : mixed = ''
- $secret : mixed = ''
generateRandomString()
It generates a random unique string.
public
generateRandomString([mixed $pref = '' ]) : string
Parameters
- $pref : mixed = ''
Return values
string —with a length of 32 chars
getBasicAuth()
Return an array with [user,password] from PHP_AUTH_USER, PHP_AUTH_PW or if they don't exist HTTP_AUTHORIZATION header
public
getBasicAuth() : mixed
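An added example (not CloudFramework's code) of the behaviour described for getBasicAuth() and checkBasicAuth(): credentials are taken from PHP_AUTH_USER/PHP_AUTH_PW first and otherwise parsed from the HTTP_AUTHORIZATION header, then compared in constant time. The function names, the explicit $server argument (so a constructed array can stand in for $_SERVER) and the REDIRECT_HTTP_AUTHORIZATION fallback are assumptions.

```php
<?php
// Added example, not part of the CoreSecurity class.
// $server is passed explicitly so the functions can be exercised with a
// constructed array instead of the real $_SERVER.

/**
 * Return [user, password] or null when no Basic credentials are present.
 */
function basicAuthFrom(array $server): ?array
{
    // Case 1: PHP already parsed the header (mod_php, or CGI with auth enabled).
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    // Case 2: raw header (FastCGI/nginx setups usually expose it this way;
    // REDIRECT_HTTP_AUTHORIZATION is the Apache rewrite variant).
    $header = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^\s*Basic\s+([A-Za-z0-9+\/=]+)\s*$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict mode: reject malformed input
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // RFC 7617: the user-id cannot contain ':', the password can.
    [$user, $password] = explode(':', $decoded, 2);
    return [$user, $password];
}

/**
 * Verify the presented credentials against the expected ones.
 * hash_equals() keeps the comparison time independent of where the
 * first differing byte is, so it leaks nothing about the secret.
 */
function checkBasicAuthAgainst(array $server, string $user, string $password): bool
{
    $auth = basicAuthFrom($server);
    if ($auth === null) {
        return false;
    }
    return hash_equals($user, $auth[0]) && hash_equals($password, $auth[1]);
}

// Constructed request: header for "admin:s3cr:et" (the password contains ':').
$request = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('admin:s3cr:et')];
var_dump(basicAuthFrom($request));
var_dump(checkBasicAuthAgainst($request, 'admin', 's3cr:et'));
var_dump(checkBasicAuthAgainst($request, 'admin', 'wrong'));
var_dump(basicAuthFrom(['HTTP_AUTHORIZATION' => 'Bearer abc']));
```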
getCache()
Get var Cache of the module
public
getCache([string $var = '' ][, string $security_group = 'default' ]) : mixed|null
Parameters
- $var : string = ''
-
If empty it returns all the variables of the security group
- $security_group : string = 'default'
Return values
mixed|null
getCloudFrameWorkSecurityInfo()
public
getCloudFrameWorkSecurityInfo([mixed $maxSeconds = 0 ][, mixed $id = '' ][, mixed $secret = '' ]) : mixed
Parameters
- $maxSeconds : mixed = 0
- $id : mixed = ''
- $secret : mixed = ''
getDSToken()
Verify a Token with different rules and return the content of the field JSONZIP, unzipping it.
public
getDSToken( $token[, string $prefixStarts = '' ][, int $time = 0 ][, string $fingerprint_hash = '' ][, bool $use_fingerprint_security = true ]) : array<string|int, mixed>|mixed
Parameters
- $token :
-
Id generated with setDSToken
- $prefixStarts : string = ''
- $time : int = 0
-
MAX TIME to expire the token
- $fingerprint_hash : string = ''
-
fingerprint hash to use. If '' we will generate it using: $this->core->system->getRequestFingerPrint()['hash']
- $use_fingerprint_security : bool = true
-
Says if we are going to apply fingerprint security
Return values
array<string|int, mixed>|mixed —The content contained in DS.JSONZIP
getDSTokenInfo()
Just Read a Token from Database
public
getDSTokenInfo( $token) : array<string|int, mixed>|mixed
Parameters
Return values
array<string|int, mixed>|mixed —The content contained in DS.JSONZIP
getERPSecretVar()
Return a specific secret var from ERP
public
getERPSecretVar( $var[, string $erp_secret_id = '' ][, string $erp_platform_id = '' ][, string $erp_user = '' ]) : mixed
Parameters
getGoogleAccessToken()
Prompt the user to generate a token
public
getGoogleAccessToken([string $user = '' ]) : array<string|int, mixed>|void
Parameters
- $user : string = ''
-
this should be passed when you are working in a script or development environment
Return values
array<string|int, mixed>|void —{ "access_token": "ya29.****", "expires_in": 1799, "token_type": "Bearer" }
getGoogleAccessTokenInfo()
Retrieve info about a Google Access Token.
For example you can generate a localhost token using: gcloud auth print-access-token --account={{personal_email_user}}
Or you can get an instance token with: $metadata = new Google\Cloud\Core\Compute\Metadata(); $ret = json_decode($metadata->get('instance/service-accounts/default/token'),true)['access_token'];
public
getGoogleAccessTokenInfo( $token) : mixed|string
Parameters
Return values
mixed|string —
appengine output:
{ "issued_to": "anonymous", "audience": "anonymous", "scope": "https://www.googleapis.com/auth/trace.append https://www.googleapis.com/auth/monitoring.write https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/cloud_debugger https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/appengine.apis", "expires_in": 1408, "email": "cloudframework-io@appspot.gserviceaccount.com", "verified_email": true, "access_type": "online" }
compute engine script:
{ "aud": "32555940559.apps.googleusercontent.com", "azp": "107073846750350635781", "email": "173191905033-compute@developer.gserviceaccount.com", "email_verified": true, "exp": 1638615700, "google": { "compute_engine": { "instance_creation_timestamp": 1608593543, "instance_id": "5265569244953019153", "instance_name": "bnext-spain-etl-machine", "license_id": [ "5926592092274602096" ], "project_id": "bnext-cloud", "project_number": 173191905033, "zone": "europe-west1-b" } }, "iat": 1638612100, "iss": "https://accounts.google.com", "sub": "107073846750350635781" }
getGoogleEmailAccount()
Get the Google user email that the terminal or the instance (appengine, computeengine, or user localhost..) is using.
public
getGoogleEmailAccount() : mixed
getGoogleIdentityToken()
Get an Identity token for the $user https://cloud.google.com/compute/docs/instances/verifying-instance-identity#curl https://cloud.google.com/compute/docs/instances/verifying-instance-identity#token_format
public
getGoogleIdentityToken([string $user = '' ][, string $audience = 'https//api.cloudframework.io' ]) : string|void
Parameters
- $user : string = ''
-
this should be passed when you are working in a script or development environment
- $audience : string = 'https//api.cloudframework.io'
-
this is the audience added to the token for more security. Only valid for GAE service account
Return values
string|void —example: eyJhbGciOiJSUzI1NiIsImtpZCI6I....
getGoogleIdentityTokenInfo()
Retrieve info about a Google Identity Token https://developers.google.com/identity/gsi/web/guides/verify-google-id-token https://cloud.google.com/compute/docs/instances/verifying-instance-identity#token_format
public
getGoogleIdentityTokenInfo( $token) : array<string|int, mixed>|bool|null
Parameters
Return values
array<string|int, mixed>|bool|null —if the token is valid returns an array, otherwise false. If there is a service error it returns null and calls addError in the class.
appengine output example:
{ "aud": "https://api7.cloudframework.io", "azp": "105263613482625024225", "email": "cloudframework-io@appspot.gserviceaccount.com", "email_verified": true, "exp": 1638601791, "iat": 1638598191, "iss": "https://accounts.google.com", "sub": "105263613482625024225" }
computeengine script example:
{ "aud": "32555940559.apps.googleusercontent.com", "azp": "107073846750350635781", "exp": 1638609030, "iat": 1638605430, "iss": "https://accounts.google.com", "sub": "107073846750350635781" }
user localhost example:
{ "iss": "https://accounts.google.com", "azp": "32555940559.apps.googleusercontent.com", "aud": "32555940559.apps.googleusercontent.com", "sub": "116008531197812823243", "hd": "adrianmm.com", "email": "info@adrianmm.com", "email_verified": true, "at_hash": "LgKsYP8U6NcmstQR1LgO7w", "iat": 1638611898, "exp": 1638615498 }
getGoogleTokenInfo()
Return info about an Access Token or an Identity Token. This function calls getGoogleAccessTokenInfo($token) or getGoogleIdentityTokenInfo($token) depending on the $token format
public
getGoogleTokenInfo( $token) : array<string|int, mixed>|void
Parameters
Return values
array<string|int, mixed>|void
getHeader()
public
getHeader(mixed $str) : mixed
Parameters
- $str : mixed
getSecretVar()
Return the secret value of $secret_key
public
getSecretVar( $secret_key) : mixed|null
Parameters
Return values
mixed|null
getSecretVars()
Return $this->secret_vars
public
getSecretVars() : mixed|null
Return values
mixed|null
getServerKey()
public
getServerKey() : mixed
getWebKey()
Read $_GET['web-key'] or HEADER X-WEB-KEY
public
getWebKey() : mixed|string
Return values
mixed|string
isCron()
It says if the call is being made by the App Engine Cron service.
public
isCron() : bool
Return values
bool
jwt_decode()
It decodes a JSON Web Token using a public key, based on https://github.com/firebase/php-jwt. To generate the public key use ../scripts/jwtRS256.sh
public
jwt_decode( $jwt[, null $publicKey = null ][, null $keyId = null ][, string $algorithm = null ]) : string
Parameters
- $jwt :
- $publicKey : null = null
-
optionally you can verify the signature of the token
- $keyId : null = null
-
optionally you can verify header.kid of the token
- $algorithm : string = null
-
optionally you can verify the header.alg of the token: SHA256,RS256..
Return values
string —with a length of 32 chars
jwt_encode()
It generates a JSON Web Token using a private key, based on https://github.com/firebase/php-jwt. To generate the private key use ../scripts/jwtRS256.sh
public
jwt_encode(mixed $payload, mixed $privateKey[, mixed $keyId = null ][, mixed $head = null ][, mixed $algorithm = 'SHA256' ]) : string|null
Parameters
- $payload : mixed
- $privateKey : mixed
- $keyId : mixed = null
- $head : mixed = null
- $algorithm : mixed = 'SHA256'
Return values
string|null —with a length of 32 chars or null. If null check $this->error, $this->errorMsg
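An added example (not CloudFramework's code) of what jwt_encode() and jwt_decode() describe: signing a token with an RSA private key and verifying it with the public key while applying the three optional checks jwt_decode() lists (signature, header.kid, header.alg). It uses only PHP's openssl extension instead of firebase/php-jwt; the in-process key pair, the kid value 'key-2024' and the helper names are assumptions.

```php
<?php
// Added example, not part of the CoreSecurity class.
// Minimal RS256 signer/verifier. The verifier pins the algorithm instead of
// trusting header.alg, so tokens re-labelled as "none" or as an HMAC
// algorithm are rejected before any cryptographic call is made.

function urlsafeB64Encode(string $input): string
{
    return rtrim(strtr(base64_encode($input), '+/', '-_'), '=');
}

function urlsafeB64Decode(string $input): string
{
    $padded = $input . str_repeat('=', (4 - strlen($input) % 4) % 4);
    return (string) base64_decode(strtr($padded, '-_', '+/'), true);
}

function jwtEncodeRS256(array $payload, string $privateKeyPem, string $kid): string
{
    $header = ['typ' => 'JWT', 'alg' => 'RS256', 'kid' => $kid];
    $signingInput = urlsafeB64Encode(json_encode($header)) . '.'
                  . urlsafeB64Encode(json_encode($payload));
    openssl_sign($signingInput, $sig, $privateKeyPem, OPENSSL_ALGO_SHA256);
    return $signingInput . '.' . urlsafeB64Encode($sig);
}

/** Returns the payload array, or null when any check fails. */
function jwtDecodeRS256(string $jwt, string $publicKeyPem, string $expectedKid): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h64, $p64, $s64] = $parts;
    $header = json_decode(urlsafeB64Decode($h64), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        return null;                                   // header.alg check
    }
    if (!hash_equals($expectedKid, (string) ($header['kid'] ?? ''))) {
        return null;                                   // header.kid check
    }
    $ok = openssl_verify($h64 . '.' . $p64, urlsafeB64Decode($s64),
                         $publicKeyPem, OPENSSL_ALGO_SHA256);
    if ($ok !== 1) {
        return null;                                   // signature check
    }
    $payload = json_decode(urlsafeB64Decode($p64), true);
    if (!is_array($payload) || (isset($payload['exp']) && $payload['exp'] < time())) {
        return null;                                   // malformed or expired
    }
    return $payload;
}

// Demo key pair generated here; in practice use the output of ../scripts/jwtRS256.sh.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($key, $privatePem);
$publicPem = openssl_pkey_get_details($key)['key'];

$token = jwtEncodeRS256(['sub' => 'user-1', 'exp' => time() + 300], $privatePem, 'key-2024');
var_dump(jwtDecodeRS256($token, $publicPem, 'key-2024'));   // payload array
var_dump(jwtDecodeRS256($token, $publicPem, 'other-kid'));  // rejected: kid mismatch
// Same header and signature over a modified payload: signature no longer matches.
[$h, , $s] = explode('.', $token);
$tampered = $h . '.' . urlsafeB64Encode(json_encode(['sub' => 'user-2'])) . '.' . $s;
var_dump(jwtDecodeRS256($tampered, $publicPem, 'key-2024'));
```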
prompt()
Execute a user Prompt
public
prompt( $title[, null $default = null ]) : false|string|null
Parameters
Return values
false|string|null
readCache()
Reset Cache of the module
public
readCache([mixed $security_group = 'default' ]) : mixed
Parameters
- $security_group : mixed = 'default'
readERPDeveloperEncryptedSubKeys()
Read the development subkeys used to encrypt locally the cache where the secrets will be stored. In production these subkeys are cached to increase performance and because the risk that someone has access to the cache server is low. They rotate every day.
public
readERPDeveloperEncryptedSubKeys([string $erp_platform_id = '' ][, string $erp_user = '' ]) : bool|void
Parameters
- $erp_platform_id : string = ''
-
if empty it will try to get it from $this->core->config->get('core.erp.platform_id')
- $erp_user : string = ''
-
if empty it will try to get it from $this->core->config->get('core.erp.user_id.'.$erp_platform_id)
Return values
bool|void
readERPSecretVars()
Return a secret var stored in CloudFramework Secret Manager through the ERP/BPA $this->get('core.gcp.secrets.env_vars') in the $this->get('core.gcp.secrets.project_id')
public
readERPSecretVars([string $erp_secret_id = '' ][, string $erp_platform_id = '' ][, string $erp_user = '' ]) : mixed|null
Parameters
- $erp_secret_id : string = ''
-
ID of the secret in the ERP. If this ID matches with
- $erp_platform_id : string = ''
-
ID of the platform to look for the secret
- $erp_user : string = ''
-
ID of the user who reads the secret
Return values
mixed|null —if the env var $var exist it returns the content and it can be any type
readMyERPSecretsVars()
GET from CloudFramework ERP the secrets of the user who is running the script or of the GCP App Engine, Cloud Function or Compute Engine instance. If the user is running on localhost they will be prompted. If running on a GCP engine it will use the token of the instance.
public
readMyERPSecretsVars([string $erp_platform_id = '' ][, string $erp_user = '' ]) : mixed
Parameters
- $erp_platform_id : string = ''
- $erp_user : string = ''
-
User to use in the authentication. If empty it will prompt in the terminal if you are in a script
replaceAccentedCharacters()
Replace Accented characters to avoid Key troubles source: https://stackoverflow.com/questions/3371697/replacing-accented-characters-php
public
replaceAccentedCharacters(string|array<string|int, mixed> $input) : string|array<string|int, mixed>
Parameters
- $input : string|array<string|int, mixed>
-
original input encrypted
Return values
string|array<string|int, mixed>
resetCache()
Reset Cache of the module
public
resetCache([mixed $security_group = 'default' ]) : mixed
Parameters
- $security_group : mixed = 'default'
resetCacheForERPSecretVars()
Reset Cache of the module
public
resetCacheForERPSecretVars() : mixed
resetERPCache()
Reset the cache for the ERP Secrets
public
resetERPCache() : mixed
setDSToken()
public
setDSToken(mixed $data[, mixed $prefix = '' ][, mixed $fingerprint_hash = '' ][, mixed $time_expiration = 0 ]) : mixed
Parameters
- $data : mixed
- $prefix : mixed = ''
- $fingerprint_hash : mixed = ''
- $time_expiration : mixed = 0
setSecretVar()
Assign a $secret_value to the secret $secret_key
public
setSecretVar( $secret_key, $secret_value) : mixed
Parameters
uncompress()
public
uncompress(mixed $data) : mixed
Parameters
- $data : mixed
updateCache()
Update Cache of the module
public
updateCache(mixed $var, mixed $data[, mixed $security_group = 'default' ]) : mixed
Parameters
- $var : mixed
- $data : mixed
- $security_group : mixed = 'default'
updateDSToken()
Update the token data.
public
updateDSToken( $token, mixed $data) : array<string|int, mixed>|bool|void
Parameters
Return values
array<string|int, mixed>|bool|void —If the operation succeeds it returns the array with the affected record
urlsafeB64Decode()
public
urlsafeB64Decode(mixed $input) : mixed
Parameters
- $input : mixed
urlsafeB64Encode()
public
urlsafeB64Encode(mixed $input) : mixed
Parameters
- $input : mixed
checkIPs()
private
checkIPs(array<string|int, mixed>|string $allows) : bool
Parameters
- $allows : array<string|int, mixed>|string
-
string to compare with the current IP
Return values
bool
createDSToken()
private
createDSToken() : mixed
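An added example (not CloudFramework's code) of the allow-list pattern that checkAllowedIPs() and checkIPs() describe: entries separated by ',', each a single IP or a CIDR subnet, with '*' meaning any IP. It goes slightly beyond the page in that the same binary comparison also works for IPv6 entries; the function names are assumptions.

```php
<?php
// Added example, not part of the CoreSecurity class.
// Matching is done on packed binary addresses (inet_pton), so "127.0.0.1",
// "10.0.0.0/24" and an IPv6 prefix are all handled by one routine.

/** True when $ip lies inside $cidr ("a.b.c.d" or "a.b.c.d/bits"). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                      // malformed, or IPv4 vs IPv6 mismatch
    }
    $maxBits = strlen($ipBin) * 8;         // 32 for IPv4, 128 for IPv6
    $bits = ($bits === null) ? $maxBits : (int) $bits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;                      // invalid prefix length: fail closed
    }
    // Compare the first $bits bits: whole bytes first, then the partial byte.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return ((ord($ipBin[$fullBytes]) ^ ord($netBin[$fullBytes])) & $mask) === 0;
}

/**
 * True when $myip matches at least one entry of $allowed_ips.
 * An empty list allows nothing (fail closed); a '*' entry allows everything.
 */
function isIpAllowed(string $allowed_ips, string $myip): bool
{
    foreach (explode(',', $allowed_ips) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        if ($entry === '*' || ipInCidr($myip, $entry)) {
            return true;
        }
    }
    return false;
}

// Constructed allow list, using the pattern documented for checkAllowedIPs().
$allowed = '127.0.0.1,234.45.23.123,10.0.0.0/24';
var_dump(isIpAllowed($allowed, '10.0.0.77'));      // inside 10.0.0.0/24
var_dump(isIpAllowed($allowed, '10.0.1.1'));       // outside the /24
var_dump(isIpAllowed($allowed, '234.45.23.123'));  // exact match
var_dump(isIpAllowed($allowed, 'not-an-ip'));      // malformed: rejected
var_dump(isIpAllowed('*', '2001:db8::1'));         // wildcard
```

Feed it the address of the connecting socket, or the client address a trusted proxy reports; an unverified X-Forwarded-For value would let the caller choose which entry they match.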