PHP SDK: Use VaaS HTTP API

.github/workflows/ci-php.yaml

@@ -29,7 +29,7 @@ on:
 env:
   CLIENT_ID: ${{ secrets.CLIENT_ID }}
   CLIENT_SECRET: ${{secrets.CLIENT_SECRET}}
-  VAAS_URL: "wss://gateway.production.vaas.gdatasecurity.de"
+  VAAS_URL: "https://gateway.production.vaas.gdatasecurity.de"
   TOKEN_URL: "https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token"
   VAAS_CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
   VAAS_USER_NAME: ${{ secrets.VAAS_USER_NAME }}
@@ -57,7 +57,7 @@ jobs:
         run: |
           echo "CLIENT_ID=${{ secrets.STAGING_CLIENT_ID }}" >> $GITHUB_ENV
           echo "CLIENT_SECRET=${{ secrets.STAGING_CLIENT_SECRET }}" >> $GITHUB_ENV
-          echo "VAAS_URL=wss://gateway.staging.vaas.gdatasecurity.de" >> $GITHUB_ENV
+          echo "VAAS_URL=https://gateway.staging.vaas.gdatasecurity.de" >> $GITHUB_ENV
           echo "TOKEN_URL=https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token" >> $GITHUB_ENV
           echo "VAAS_CLIENT_ID=${{ secrets.STAGING_VAAS_CLIENT_ID }}" >> $GITHUB_ENV
           echo "VAAS_USER_NAME=${{ secrets.STAGING_VAAS_USER_NAME }}" >> $GITHUB_ENV
@@ -68,7 +68,7 @@ jobs:
         run: |
           echo "CLIENT_ID=${{ secrets.DEVELOP_CLIENT_ID }}" >> $GITHUB_ENV
           echo "CLIENT_SECRET=${{ secrets.DEVELOP_CLIENT_SECRET }}" >> $GITHUB_ENV
-          echo "VAAS_URL=wss://gateway.develop.vaas.gdatasecurity.de" >> $GITHUB_ENV
+          echo "VAAS_URL=https://gateway.develop.vaas.gdatasecurity.de" >> $GITHUB_ENV
           echo "TOKEN_URL=https://account-staging.gdata.de/realms/vaas-develop/protocol/openid-connect/token" >> $GITHUB_ENV
           echo "VAAS_CLIENT_ID=${{ secrets.DEVELOP_VAAS_CLIENT_ID }}" >> $GITHUB_ENV
           echo "VAAS_USER_NAME=${{ secrets.DEVELOP_VAAS_USER_NAME }}" >> $GITHUB_ENV
@@ -86,7 +86,7 @@ jobs:
           php_version: ${{ matrix.version }}
 
       - name: run tests
-        run: ./vendor/bin/phpunit --colors --testdox
+        run: ./vendor/bin/phpunit --colors --testdox --exclude-group exclude
         working-directory: php/tests/vaas
 
       - name: install example requirements

php/examples/VaasExample/AuthenticationExamples.php

@@ -2,55 +2,34 @@
 
 namespace VaasExamples;
 
-use VaasSdk\Authentication\ClientCredentialsGrantAuthenticator;
-use VaasSdk\Exceptions\InvalidSha256Exception;
-use VaasSdk\Exceptions\TimeoutException;
-use VaasSdk\Exceptions\VaasAuthenticationException;
-use VaasSdk\ResourceOwnerPasswordGrantAuthenticator;
+use VaasSdk\Authentication\Authenticator;
+use VaasSdk\Authentication\GrantType;
+use VaasSdk\Options\AuthenticationOptions;
 use VaasSdk\Vaas;
 
-$USE_RESOURCE_OWNER_PASSWORD_GRANT_AUTHENTICATOR = false;
-
 // If you got a username and password from us, you can use the ResourceOwnerPasswordAuthenticator like this
-if ($USE_RESOURCE_OWNER_PASSWORD_GRANT_AUTHENTICATOR){
-    $authenticator = new ResourceOwnerPasswordGrantAuthenticator(
-        "vaas-customer",
-        getenv("VAAS_USER_NAME"),
-        getenv("VAAS_PASSWORD"),
-        getenv("TOKEN_URL")
-    );
-}
+
+// $credentials = new AuthenticationOptions(
+//     grantType: GrantType::PASSWORD,
+//     clientId: getenv("VAAS_CLIENT_ID"),
+//     username: getenv("VAAS_USER_NAME"),
+//     password: getenv("VAAS_PASSWORD")
+// );
+    
 // You may use self registration and create a new username and password for the
-// ResourceOwnerPasswordAuthenticator by yourself like the example above on https://vaas.gdata.de/login
-
-// If you got a client id and client secret from us, you can use the ClientCredentialsGrantAuthenticator like this
-else{
-    $authenticator = new ClientCredentialsGrantAuthenticator(
-        getenv("CLIENT_ID"),
-        getenv("CLIENT_SECRET"),
-        getenv("TOKEN_URL")
-    );
-}
-
-$vaas = new Vaas(
-    getenv("VAAS_URL")
+// `Password` authentication method by yourself like the example above on https://vaas.gdata.de/login
+
+// If you got a client id and client secret from us, you can use the `Client Credentials` authentication method like this
+
+$credentials = new AuthenticationOptions(
+    grantType: GrantType::CLIENT_CREDENTIALS,
+    clientId: getenv("CLIENT_ID"),
+    clientSecret: getenv("CLIENT_SECRET")
 );
 
-try {
-    $vaas->Connect($authenticator->getToken());
-} catch (VaasAuthenticationException $e) {
-    fwrite(STDERR, "Authentication failed: " . $e->getMessage() . "\n");
-    exit(1);
-}
+$authenticator = new Authenticator($credentials);
+$vaas = new Vaas($authenticator);
 
 // Get verdict for an eicar hash
-try {
-    $vaasVerdict = $vaas->ForSha256("000005c43196142f01d615a67b7da8a53cb0172f8e9317a2ec9a0a39a1da6fe8");
-} catch (InvalidSha256Exception $e) {
-    fwrite(STDERR, "Invalid sha256: " . $e->getMessage() . "\n");
-    exit(1);
-} catch (TimeoutException $e) {
-    fwrite(STDERR, "Timeout: " . $e->getMessage() . "\n");
-    exit(1);
-}
-fwrite(STDOUT, "Verdict for $vaasVerdict->Sha256 is $vaasVerdict->Verdict \n");
+$vaasVerdict = $vaas->forSha256Async("000005c43196142f01d615a67b7da8a53cb0172f8e9317a2ec9a0a39a1da6fe8")->await();
+fwrite(STDOUT, "Verdict for $vaasVerdict->sha256 is $vaasVerdict->verdict->value \n");

php/examples/VaasExample/GetVerdictByFile.php

@@ -2,23 +2,24 @@
 
 namespace VaasExamples;
 
-use VaasSdk\Authentication\ClientCredentialsGrantAuthenticator;
+use VaasSdk\Authentication\Authenticator;
+use VaasSdk\Authentication\GrantType;
+use VaasSdk\Options\AuthenticationOptions;
 use VaasSdk\Vaas;
 
 include_once("./vendor/autoload.php");
 
-$authenticator = new ClientCredentialsGrantAuthenticator(
-    getenv("CLIENT_ID"),
-    getenv("CLIENT_SECRET"),
-    getenv("TOKEN_URL") ?: "https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token"
+$credentials = new AuthenticationOptions(
+    grantType: GrantType::CLIENT_CREDENTIALS,
+    clientId: getenv("CLIENT_ID"),
+    clientSecret: getenv("CLIENT_SECRET")
 );
 
-$vaas = (new Vaas())
-    ->withAuthenticator($authenticator)
-    ->withUrl(getenv("VAAS_URL") ?? "wss://gateway.production.vaas.gdatasecurity.de")
-    ->build();
+$authenticator = new Authenticator($credentials);
+
+$vaas = new Vaas($authenticator);
 
 $scanPath = getenv("SCAN_PATH");
-$vaasVerdict = $vaas->ForFile($scanPath);
+$vaasVerdict = $vaas->forFileAsync($scanPath)->await();
 
-fwrite(STDOUT, "Verdict for $vaasVerdict->Sha256 is " . $vaasVerdict->Verdict->value . " \n");
+fwrite(STDOUT, "Verdict for $vaasVerdict->sha256 is " . $vaasVerdict->verdict->value . " \n");

php/examples/VaasExample/GetVerdictByHash.php

@@ -2,24 +2,26 @@
 
 namespace VaasExamples;
 
-use VaasSdk\Authentication\ClientCredentialsGrantAuthenticator;
+use VaasSdk\Authentication\Authenticator;
+use VaasSdk\Authentication\GrantType;
+use VaasSdk\Options\AuthenticationOptions;
 use VaasSdk\Vaas;
 
 include_once("./vendor/autoload.php");
 
-$authenticator = new ClientCredentialsGrantAuthenticator(
-    getenv("CLIENT_ID"),
-    getenv("CLIENT_SECRET"),
-    getenv("TOKEN_URL") ?: "https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token"
+$credentials = new AuthenticationOptions(
+    grantType: GrantType::CLIENT_CREDENTIALS,
+    clientId: getenv("CLIENT_ID"),
+    clientSecret: getenv("CLIENT_SECRET")
 );
-$vaas = (new Vaas())
-    ->withAuthenticator($authenticator)
-    ->withUrl(getenv("VAAS_URL") ?? "wss://gateway.production.vaas.gdatasecurity.de")
-    ->build();
+
+$authenticator = new Authenticator($credentials);
+
+$vaas = new Vaas($authenticator);
 
 // EICAR
-$vaasVerdict = $vaas->ForSha256("000005c43196142f01d615a67b7da8a53cb0172f8e9317a2ec9a0a39a1da6fe8");
-fwrite(STDOUT, "Verdict for $vaasVerdict->Sha256 is " . $vaasVerdict->Verdict->value . " \n");
+$vaasVerdict = $vaas->forSha256Async("000005c43196142f01d615a67b7da8a53cb0172f8e9317a2ec9a0a39a1da6fe8")->await();
+fwrite(STDOUT, "Verdict for $vaasVerdict->sha256 is " . $vaasVerdict->verdict->value . " \n");
 // SOMEFILE
-$vaasVerdict = $vaas->ForSha256("70caea443deb0d0a890468f9ac0a9b1187676ba3e66eb60a722b187107eb1ea8");
-fwrite(STDOUT, "Verdict for $vaasVerdict->Sha256 is " . $vaasVerdict->Verdict->value . " \n");
+$vaasVerdict = $vaas->forSha256Async("70caea443deb0d0a890468f9ac0a9b1187676ba3e66eb60a722b187107eb1ea8")->await();
+fwrite(STDOUT, "Verdict for $vaasVerdict->sha256 is " . $vaasVerdict->verdict->value . " \n");

php/examples/VaasExample/GetVerdictByUrl.php

@@ -2,24 +2,26 @@
 
 namespace VaasExamples;
 
-use VaasSdk\Authentication\ClientCredentialsGrantAuthenticator;
+use VaasSdk\Authentication\Authenticator;
+use VaasSdk\Authentication\GrantType;
+use VaasSdk\Options\AuthenticationOptions;
 use VaasSdk\Vaas;
 
 include_once("./vendor/autoload.php");
 
-$authenticator = new ClientCredentialsGrantAuthenticator(
-    getenv("CLIENT_ID"),
-    getenv("CLIENT_SECRET"),
-    getenv("TOKEN_URL") ?: "https://account.gdata.de/realms/vaas-production/protocol/openid-connect/token"
+$credentials = new AuthenticationOptions(
+    grantType: GrantType::CLIENT_CREDENTIALS,
+    clientId: getenv("CLIENT_ID"),
+    clientSecret: getenv("CLIENT_SECRET")
 );
-$vaas = (new Vaas())
-    ->withAuthenticator($authenticator)
-    ->withUrl(getenv("VAAS_URL") ?? "wss://gateway.production.vaas.gdatasecurity.de")
-    ->build();
+
+$authenticator = new Authenticator($credentials);
+
+$vaas = new Vaas($authenticator);
 
 // EICAR
-$vaasVerdict = $vaas->ForUrl("https://secure.eicar.org/eicar.com");
-fwrite(STDOUT, "Verdict for $vaasVerdict->Sha256 is " . $vaasVerdict->Verdict->value . " \n");
+$vaasVerdict = $vaas->forUrlAsync("https://secure.eicar.org/eicar.com")->await();
+fwrite(STDOUT, "Verdict for $vaasVerdict->sha256 is " . $vaasVerdict->verdict->value . " \n");
 // SOMEFILE
-$vaasVerdict = $vaas->ForUrl("https://www.gdatasoftware.com/oem/verdict-as-a-service");
-fwrite(STDOUT, "Verdict for $vaasVerdict->Sha256 is " . $vaasVerdict->Verdict->value . " \n");
+$vaasVerdict = $vaas->forUrlAsync("https://www.gdatasoftware.com/oem/verdict-as-a-service")->await();
+fwrite(STDOUT, "Verdict for $vaasVerdict->sha256 is " . $vaasVerdict->verdict->value . " \n");

php/examples/wordpress/src/gd-scan/Vaas/Client.php

@@ -2,8 +2,8 @@
 
 namespace WpGdScan\Vaas;
 
-use VaasSdk\Vaas;
 use VaasSdk\Authentication\ClientCredentialsGrantAuthenticator;
+use VaasSdk\Vaas;
 
 class Client
 {

php/phpunit.xml

@@ -1,11 +1,8 @@
 <phpunit>
   <testsuites>
     <testsuite name="VaasTesting">
-      <file>tests/vaas/StreamsInLoopTest.php</file>
-      <file>tests/vaas/Sha256Test.php</file>
       <file>tests/vaas/VaasTest.php</file>
-      <file>tests/vaas/ProtocolTest.php</file>
-      <file>tests/vaas/ClientCredentialsGrantAuthenticatorTest.php</file>
+      <file>tests/vaas/AuthenticatorTest.php</file>
     </testsuite>
   </testsuites>
 </phpunit>

php/src/vaas/Authentication/Authenticator.php

@@ -0,0 +1,139 @@
+<?php
+
+namespace VaasSdk\Authentication;
+
+use Amp\Cancellation;
+use Amp\Future;
+use Amp\Http\Client\HttpClient;
+use Amp\Http\Client\HttpClientBuilder;
+use Amp\Http\Client\Request;
+use Amp\Sync\LocalMutex;
+use Amp\Sync\Mutex;
+use Exception;
+use InvalidArgumentException;
+use VaasSdk\Exceptions\VaasAuthenticationException;
+use VaasSdk\Options\AuthenticationOptions;
+use VaasSdk\Options\VaasOptions;
+use function Amp\async;
+use function Amp\delay;
+
+class Authenticator
+{
+    private HttpClient $httpClient;
+    private VaasOptions $options;
+    private AuthenticationOptions $credentials;
+    private Mutex $mutex;
+    private ?TokenResponse $lastTokenResponse = null;
+    private int $validTo = 0;
+    private ?int $lastRequestTime = null;
+
+    public function __construct(AuthenticationOptions $credentials, ?VaasOptions $options = null, ?HttpClient $httpClient = null)
+    {
+        $this->credentials = $credentials;
+        $this->options = $options ?? new VaasOptions();
+        $this->httpClient = $httpClient ?? HttpClientBuilder::buildDefault();
+        $this->mutex = new LocalMutex();
+    }
+
+    /**
+     * Gets the access token asynchronously.
+     * If the token is still valid, it will be returned immediately.
+     * If the token is expired, a new token will be requested.
+     * @param Cancellation|null $cancellation Cancellation token
+     * @return Future Future that resolves to the access token string
+     */
+    public function getTokenAsync(?Cancellation $cancellation = null): Future
+    {
+        return async(function () use ($cancellation) {
+            $lock = $this->mutex->acquire();
+            try {
+                $now = time();
+                if ($this->lastTokenResponse !== null && $this->validTo > $now) {
+                    return $this->lastTokenResponse->accessToken;
+                }
+
+                if ($this->lastRequestTime !== null) {
+                    $timeToWait = $this->lastRequestTime + 1 - $now;
+                    if ($timeToWait > 0) {
+                        delay($timeToWait);
+                    }
+                }
+
+                $this->lastRequestTime = time();
+                $this->lastTokenResponse = $this->requestTokenAsync($cancellation)->await();
+                $expiresInSeconds = $this->lastTokenResponse->expiresInSeconds ?? throw new VaasAuthenticationException("Identity provider did not return expires_in");
+
+                $this->validTo = time() + $expiresInSeconds;
+                return $this->lastTokenResponse->accessToken;
+            }
+            catch (Exception $ex) {
+                throw new VaasAuthenticationException("Failed to get token", $ex->getCode(), $ex);
+            }
+            finally {
+                $lock->release();
+            }
+        });
+    }
+
+    /**
+     * Requests a new token asynchronously.
+     * @param Cancellation|null $cancellation Cancellation token
+     * @return Future Future that resolves to a TokenResponse
+     */
+    private function requestTokenAsync(?Cancellation $cancellation = null): Future
+    {
+        return async(function () use ($cancellation) {
+            $form = $this->tokenRequestToForm();
+            $request = new Request($this->options->tokenUrl, 'POST');
+            $request->setBody($form);
+            $request->setHeader('Content-Type', 'application/x-www-form-urlencoded');
+
+            try {
+                $response = $this->httpClient->request($request, $cancellation);
+            } catch (Exception $ex) {
+                throw new VaasAuthenticationException("Failed to request token", $ex->getCode(), $ex);
+            }
+
+            $stringResponse = $response->getBody()->buffer($cancellation);
+
+            if (!$response->isSuccessful()) {
+                $statusCode = $response->getStatus();
+                $errorResponse = json_decode($stringResponse, true);
+                if ($errorResponse === null) {
+                    throw new VaasAuthenticationException("Identity provider returned status code $statusCode: Empty body");
+                }
+
+                throw new VaasAuthenticationException("Identity provider returned status code $statusCode: " . ($errorResponse['error_description'] ?? $errorResponse['error']));
+            }
+
+            $tokenResponse = json_decode($stringResponse, true);
+            if ($tokenResponse === null) { throw new VaasAuthenticationException("Identity provider returned invalid JSON"); }
+            if ($tokenResponse['access_token'] === null) { throw new VaasAuthenticationException("Access token is null"); }
+            if ($tokenResponse['expires_in'] === null) { throw new VaasAuthenticationException("expires_in is null"); }
+
+            return new TokenResponse($tokenResponse['access_token'], $tokenResponse['expires_in']);
+        });
+    }
+
+    /**
+     * Converts the token request to form data.
+     * @return string Form data for the token request
+     */
+    private function tokenRequestToForm(): string
+    {
+        if ($this->credentials->grantType === GrantType::CLIENT_CREDENTIALS) {
+            return http_build_query([
+                'client_id' => $this->credentials->clientId,
+                'client_secret' => $this->credentials->clientSecret ?? throw new InvalidArgumentException(),
+                'grant_type' => 'client_credentials',
+            ]);
+        }
+
+        return http_build_query([
+            'client_id' => $this->credentials->clientId,
+            'username' => $this->credentials->userName ?? throw new InvalidArgumentException(),
+            'password' => $this->credentials->password ?? throw new InvalidArgumentException(),
+            'grant_type' => 'password',
+        ]);
+    }
+}