Skip to content

[HttpClient] Add an opportunity to use curl BLOB constants certs #48775

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 5 commits into from
Closed

[HttpClient] Add an opportunity to use curl BLOB constants certs #48775

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
eaae298
[HttpClient] Add an opportunity to use curl BLOB constants for `CAINF…
voodooism Dec 23, 2022
300e70d
[HttpClient] Add an opportunity to use curl BLOB constants for `CAINF…
voodooism Dec 26, 2022
9c93ec8
[FrameworkBundle] Extend configuration to have an opportunity to set …
voodooism Dec 26, 2022
e80fe87
[HttpClient] Fix coding standards
voodooism Dec 26, 2022
1d644e2
[HttpClient] check if option is set
voodooism Dec 26, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 48 additions & 6 deletions src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1699,16 +1699,25 @@ private function addHttpClientSection(ArrayNodeDefinition $rootNode, callable $e
->info('Indicates if the host should exist as a certificate common name.')
->end()
->scalarNode('cafile')
->info('A certificate authority file.')
->info('Path to the certificate authority file.')
->end()
->scalarNode('cafile_raw')
->info('The certificate authority file contents.')
->end()
->scalarNode('capath')
->info('A directory that contains multiple certificate authority files.')
->end()
->scalarNode('local_cert')
->info('A PEM formatted certificate file.')
->info('Path to the PEM formatted certificate file.')
->end()
->scalarNode('local_cert_raw')
->info('The PEM formatted certificate file contents.')
->end()
->scalarNode('local_pk')
->info('A private key file.')
->info('Path to the private key file.')
->end()
->scalarNode('local_pk_raw')
->info('The private key file contents.')
->end()
->scalarNode('passphrase')
->info('The passphrase used to encrypt the "local_pk" file.')
Expand All @@ -1727,6 +1736,18 @@ private function addHttpClientSection(ArrayNodeDefinition $rootNode, callable $e
->end()
->append($this->addHttpClientRetrySection())
->end()
->validate()
->ifTrue(function ($v) { return isset($v['cafile'], $v['cafile_raw']); })
->thenInvalid('Either "cafile" or "cafile_raw" should be defined.')
->end()
->validate()
->ifTrue(function ($v) { return isset($v['cafile'], $v['cafile_raw']); })
->thenInvalid('Either "local_cert" or "local_cert_raw" should be defined.')
->end()
->validate()
->ifTrue(function ($v) { return isset($v['cafile'], $v['cafile_raw']); })
->thenInvalid('Either "local_pk" or "local_pk_raw" should be defined.')
->end()
->end()
->scalarNode('mock_response_factory')
->info('The id of the service that should generate mock responses. It should be either an invokable or an iterable.')
Expand Down Expand Up @@ -1842,16 +1863,25 @@ private function addHttpClientSection(ArrayNodeDefinition $rootNode, callable $e
->info('Indicates if the host should exist as a certificate common name.')
->end()
->scalarNode('cafile')
->info('A certificate authority file.')
->info('Path to a certificate authority file.')
->end()
->scalarNode('cafile_raw')
->info('Certificate authority file contents.')
->end()
->scalarNode('capath')
->info('A directory that contains multiple certificate authority files.')
->end()
->scalarNode('local_cert')
->info('A PEM formatted certificate file.')
->info('Path to the PEM formatted certificate file.')
->end()
->scalarNode('local_cert_raw')
->info('The PEM formatted certificate file contents.')
->end()
->scalarNode('local_pk')
->info('A private key file.')
->info('Path to the private key file.')
->end()
->scalarNode('local_pk_raw')
->info('The private key file contents.')
->end()
->scalarNode('passphrase')
->info('The passphrase used to encrypt the "local_pk" file.')
Expand All @@ -1870,6 +1900,18 @@ private function addHttpClientSection(ArrayNodeDefinition $rootNode, callable $e
->end()
->append($this->addHttpClientRetrySection())
->end()
->validate()
->ifTrue(function ($v) { return isset($v['cafile'], $v['cafile_raw']); })
->thenInvalid('Either "cafile" or "cafile_raw" should be defined.')
->end()
->validate()
->ifTrue(function ($v) { return isset($v['cafile'], $v['cafile_raw']); })
->thenInvalid('Either "local_cert" or "local_cert_raw" should be defined.')
->end()
->validate()
->ifTrue(function ($v) { return isset($v['cafile'], $v['cafile_raw']); })
->thenInvalid('Either "local_pk" or "local_pk_raw" should be defined.')
->end()
->end()
->end()
->end()
Expand Down
3 changes: 3 additions & 0 deletions src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -631,9 +631,12 @@
<xsd:attribute name="verify-peer" type="xsd:boolean" />
<xsd:attribute name="verify-host" type="xsd:boolean" />
<xsd:attribute name="cafile" type="xsd:string" />
<xsd:attribute name="cafile-raw" type="xsd:string" />
<xsd:attribute name="capath" type="xsd:string" />
<xsd:attribute name="local-cert" type="xsd:string" />
<xsd:attribute name="local-cert-raw" type="xsd:string" />
<xsd:attribute name="local-pk" type="xsd:string" />
<xsd:attribute name="local-pk-raw" type="xsd:string" />
<xsd:attribute name="passphrase" type="xsd:string" />
<xsd:attribute name="ciphers" type="xsd:string" />
</xsd:complexType>
Expand Down
3 changes: 3 additions & 0 deletions ...ameworkBundle/Tests/DependencyInjection/Fixtures/php/http_client_full_default_options.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,12 @@
'verify_peer' => true,
'verify_host' => true,
'cafile' => '/etc/ssl/cafile',
'cafile_raw' => null,
'capath' => '/etc/ssl',
'local_cert' => '/etc/ssl/cert.pem',
'local_cert_raw' => null,
'local_pk' => '/etc/ssl/private_key.pem',
'local_pk_raw' => null,
'passphrase' => 'password123456',
'ciphers' => 'RC4-SHA:TLS13-AES-128-GCM-SHA256',
'peer_fingerprint' => [
Expand Down
3 changes: 3 additions & 0 deletions ...ameworkBundle/Tests/DependencyInjection/Fixtures/yml/http_client_full_default_options.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,12 @@ framework:
verify_peer: true
verify_host: true
cafile: /etc/ssl/cafile
cafile_raw: null
capath: /etc/ssl
local_cert: /etc/ssl/cert.pem
local_cert_raw: null
local_pk: /etc/ssl/private_key.pem
local_pk_raw: null
passphrase: password123456
ciphers: 'RC4-SHA:TLS13-AES-128-GCM-SHA256'
peer_fingerprint:
Expand Down
4 changes: 4 additions & 0 deletions src/Symfony/Component/HttpClient/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
CHANGELOG
=========
6.3
---

* Added supporting raw data for `cafile`, `localCert` and `localPk` options

6.2
---
Expand Down
28 changes: 23 additions & 5 deletions src/Symfony/Component/HttpClient/CurlHttpClient.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,18 @@ public function request(string $method, string $url, array $options = []): Respo
\CURLOPT_CERTINFO => $options['capture_peer_cert_chain'],
];

$optionsWithRawVersion = [
'cafile_raw' => 'CURLOPT_CAINFO_BLOB',
'local_cert_raw' => 'CURLOPT_SSLCERT_BLOB',
'local_pk_raw' => 'CURLOPT_SSLKEY_BLOB',
];

foreach ($optionsWithRawVersion as $option => $curlopt) {
if (isset($options[$option]) && \defined($curlopt)) {
$curlopts[\constant($curlopt)] = $options[$option];
}
}

if (1.0 === (float) $options['http_version']) {
$curlopts[\CURLOPT_HTTP_VERSION] = \CURL_HTTP_VERSION_1_0;
} elseif (1.1 === (float) $options['http_version']) {
Expand Down Expand Up @@ -477,12 +489,18 @@ private function validateExtraCurlOptions(array $options): void
\CURLOPT_PROGRESSFUNCTION => 'on_progress',
];

if (\defined('CURLOPT_UNIX_SOCKET_PATH')) {
$curloptsToConfig[\CURLOPT_UNIX_SOCKET_PATH] = 'bindto';
}
$versionDependentCurloptsToOptionsMap = [
'CURLOPT_CAINFO_RAW' => 'cafile_raw',
'CURLOPT_PINNEDPUBLICKEY' => 'peer_fingerprint',
'CURLOPT_SSLCERT_BLOB' => 'local_cert_raw',
'CURLOPT_SSLKEY_BLOB' => 'local_pk_raw',
'CURLOPT_UNIX_SOCKET_PATH' => 'bindto',
];

if (\defined('CURLOPT_PINNEDPUBLICKEY')) {
$curloptsToConfig[\CURLOPT_PINNEDPUBLICKEY] = 'peer_fingerprint';
foreach ($versionDependentCurloptsToOptionsMap as $versionDependentCurlopt => $option) {
if (\defined($versionDependentCurlopt)) {
$curloptsToConfig[\constant($versionDependentCurlopt)] = $option;
}
}

$curloptsToCheck = [
Expand Down
9 changes: 9 additions & 0 deletions src/Symfony/Component/HttpClient/HttpClientTrait.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,6 +148,15 @@ private static function prepareRequest(?string $method, ?string $url, array $opt
throw new InvalidArgumentException('Define either the "auth_basic" or the "auth_bearer" option, setting both is not supported.');
}

$optionsWithRawVersion = ['cafile', 'local_cert', 'local_pk'];

foreach ($optionsWithRawVersion as $option) {
$rawVersion = sprintf('%s_raw', $option);
if (isset($options[$option], $options[$rawVersion])) {
throw new InvalidArgumentException(sprintf('Define either the "%s" or the "%s" option, setting both is not supported.', $option, $rawVersion));
}
}

if (null !== $url) {
// Merge auth with headers
if (($options['auth_basic'] ?? false) && !($options['normalized_headers']['authorization'] ?? false)) {
Expand Down
25 changes: 15 additions & 10 deletions src/Symfony/Component/HttpClient/Tests/HttpClientTraitTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,15 +54,15 @@ public function testPrepareRequestWithBodyIsArray()
$defaults = [
'base_uri' => 'http://example.com?c=c',
'query' => ['a' => 1, 'b' => 'b'],
'body' => []
'body' => [],
];
[, $defaults] = self::prepareRequest(null, null, $defaults);

[,$options] = self::prepareRequest(null, 'http://example.com', [
'body' => [1, 2],
'headers' => [
'Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'
]
'Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8',
],
], $defaults);

$this->assertContains('Content-Type: application/x-www-form-urlencoded; charset=utf-8', $options['headers']);
Expand Down Expand Up @@ -229,18 +229,23 @@ public function testInvalidAuthBearerValue()
self::prepareRequest('POST', 'http://example.com', ['auth_bearer' => "a\nb"], HttpClientInterface::OPTIONS_DEFAULTS);
}

public function testSetAuthBasicAndBearerOptions()
public function provideMutualExclusiveOptions(): iterable
{
$this->expectException(InvalidArgumentException::class);
$this->expectExceptionMessage('Define either the "auth_basic" or the "auth_bearer" option, setting both is not supported.');
self::prepareRequest('POST', 'http://example.com', ['auth_bearer' => 'foo', 'auth_basic' => 'foo:bar'], HttpClientInterface::OPTIONS_DEFAULTS);
yield 'Set both "cafile" and "cafile_raw"' => [['cafile' => 'foo', 'cafile_raw' => 'bar']];
yield 'Set both "local_cert" and "local_cert_raw"' => [['local_cert' => 'foo', 'local_cert_raw' => 'bar']];
yield 'Set both "local_pk" and "local_pk_raw"' => [['local_pk' => 'foo', 'local_pk_raw' => 'bar']];
yield 'Set both "json" and "body"' => [['json' => ['foo' => 'bar'], 'body' => '<html/>']];
yield 'Set both "auth_basic" and "auth_bearer"' => [['auth_basic' => 'foo:bar', 'auth_bearer' => 'foo']];
}

public function testSetJSONAndBodyOptions()
/**
* @dataProvider provideMutualExclusiveOptions
*/
public function testSetMutualExclusiveOptions(array $options)
{
$this->expectException(InvalidArgumentException::class);
$this->expectExceptionMessage('Define either the "json" or the "body" option, setting both is not supported');
self::prepareRequest('POST', 'http://example.com', ['json' => ['foo' => 'bar'], 'body' => '<html/>'], HttpClientInterface::OPTIONS_DEFAULTS);
$this->expectExceptionMessage(sprintf('Define either the "%s" or the "%s" option, setting both is not supported.', ...array_keys($options)));
self::prepareRequest('POST', 'http://example.com', $options, HttpClientInterface::OPTIONS_DEFAULTS);
}

public function providePrepareAuthBasic()
Expand Down
3 changes: 3 additions & 0 deletions src/Symfony/Contracts/HttpClient/HttpClientInterface.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,12 @@ interface HttpClientInterface
'verify_peer' => true, // see https://php.net/context.ssl for the following options
'verify_host' => true,
'cafile' => null,
'cafile_raw' => null,
'capath' => null,
'local_cert' => null,
'local_cert_raw' => null,
'local_pk' => null,
'local_pk_raw' => null,
'passphrase' => null,
'ciphers' => null,
'peer_fingerprint' => null,
Expand Down