more comprehensive checks for #1

codemasher · codemasher · commit 71b08270e537 · 2018-11-24T00:19:27.000+01:00
diff --git a/src/HTTPOptions.php b/src/HTTPOptions.php
@@ -18,6 +18,7 @@
  * @property string $user_agent
  * @property array  $curl_options
  * @property string $ca_info
+ * @property bool   $ssl_verifypeer
  */
 class HTTPOptions extends SettingsContainerAbstract{
 	use HTTPOptionsTrait;
diff --git a/src/HTTPOptionsTrait.php b/src/HTTPOptionsTrait.php
@@ -30,35 +30,151 @@ trait HTTPOptionsTrait{
 	protected $curl_options = [];
 
 	/**
-	 * CA Root Certificates for use with CURL/SSL (if not configured in php.ini)
+	 * CA Root Certificates for use with CURL/SSL (if not configured in php.ini or available in a default path)
 	 *
 	 * @var string
+	 *
+	 * @link https://curl.haxx.se/docs/caextract.html
 	 * @link https://curl.haxx.se/ca/cacert.pem
 	 * @link https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
 	 */
 	protected $ca_info = null;
 
+	/**
+	 * see CURLOPT_SSL_VERIFYPEER
+	 * requires either HTTPOptions::$ca_info or a properly working system CA file
+	 *
+	 * @var bool
+	 * @link http://php.net/manual/en/function.curl-setopt.php
+	 */
+	protected $ssl_verifypeer = true;
+
 	/**
 	 * HTTPOptionsTrait constructor
 	 *
-	 * @throws \chillerlan\HTTP\ClientException
+	 * @throws \Psr\Http\Client\ClientExceptionInterface
 	 */
 	protected function HTTPOptionsTrait():void{
 
 		if(!is_array($this->curl_options)){
 			$this->curl_options = [];
 		}
 
-		// we cannot verify a peer against a non-existent ca file, so turn it off in that case
-/*		if(!$this->ca_info || !is_file($this->ca_info)
-		   || (isset($this->curl_options[CURLOPT_CAINFO]) && !is_file($this->curl_options[CURLOPT_CAINFO]))){
+		if(!is_string($this->user_agent) || empty(trim($this->user_agent))){
+			throw new ClientException('invalid user agent');
+		}
+
+		$this->setCA();
+	}
+
+	/**
+	 * @return void
+	 * @throws \Psr\Http\Client\ClientExceptionInterface
+	 */
+	protected function setCA():void{
+
+		// disable verification if wanted so
+		if($this->ssl_verifypeer !== true || (isset($this->curl_options[CURLOPT_SSL_VERIFYPEER]) && !$this->curl_options[CURLOPT_SSL_VERIFYPEER])){
+			unset($this->curl_options[CURLOPT_CAINFO], $this->curl_options[CURLOPT_CAPATH]);
+
+			$this->curl_options[CURLOPT_SSL_VERIFYHOST] = 0;
+			$this->curl_options[CURLOPT_SSL_VERIFYPEER] = false;
+
+			return;
+		}
+
+		$this->curl_options[CURLOPT_SSL_VERIFYHOST] = 2;
+		$this->curl_options[CURLOPT_SSL_VERIFYPEER] = true;
+
+		// a path/dir/link to a CA bundle is given, let's check that
+		if(is_string($this->ca_info)){
+
+			// if you - for whatever obscure reason - need to check Windows .lnk links,
+			// see http://php.net/manual/en/function.is-link.php#91249
+			switch(true){
+				case is_dir($this->ca_info):
+				case is_link($this->ca_info) && is_dir(readlink($this->ca_info)): // @codeCoverageIgnore
+					$this->curl_options[CURLOPT_CAPATH] = $this->ca_info;
+					unset($this->curl_options[CURLOPT_CAINFO]);
+					return;
+
+				case is_file($this->ca_info):
+				case is_link($this->ca_info) && is_file(readlink($this->ca_info)): // @codeCoverageIgnore
+					$this->curl_options[CURLOPT_CAINFO] = $this->ca_info;
+					unset($this->curl_options[CURLOPT_CAPATH]);
+					return;
+			}
+
+			throw new ClientException('invalid path to SSL CA bundle (HTTPOptions::$ca_info): '.$this->ca_info);
+		}
+
+		// we somehow landed here, so let's check if there's a CA bundle given via the cURL options
+		$ca = $this->curl_options[CURLOPT_CAPATH] ?? $this->curl_options[CURLOPT_CAINFO] ?? false;
+
+		if($ca){
+
+			// just check if the file/path exists
+			switch(true){
+				case is_dir($ca):
+				case is_link($ca) && is_dir(readlink($ca)): // @codeCoverageIgnore
+					unset($this->curl_options[CURLOPT_CAINFO]);
+					return;
+
+				case is_file($ca):
+				case is_link($ca) && is_file(readlink($ca)): // @codeCoverageIgnore
+					return;
+			}
+
+			throw new ClientException('invalid path to SSL CA bundle (CURLOPT_CAPATH/CURLOPT_CAINFO): '.$ca);
+		}
+
+		// check php.ini options - PHP should find the file by itself
+		if(file_exists(ini_get('curl.cainfo'))){
+			return; // @codeCoverageIgnore
+		}
+
+		// this is getting weird. as a last resort, we're going to check some default paths for a CA bundle file
+		$cafiles = [
+			// check other php.ini settings
+			ini_get('openssl.cafile'),
+			// Red Hat, CentOS, Fedora (provided by the ca-certificates package)
+			'/etc/pki/tls/certs/ca-bundle.crt',
+			// Ubuntu, Debian (provided by the ca-certificates package)
+			'/etc/ssl/certs/ca-certificates.crt',
+			// FreeBSD (provided by the ca_root_nss package)
+			'/usr/local/share/certs/ca-root-nss.crt',
+			// SLES 12 (provided by the ca-certificates package)
+			'/var/lib/ca-certificates/ca-bundle.pem',
+			// OS X provided by homebrew (using the default path)
+			'/usr/local/etc/openssl/cert.pem',
+			// Google app engine
+			'/etc/ca-certificates.crt',
+			// Windows?
+			// http://php.net/manual/en/function.curl-setopt.php#110457
+			'C:\\Windows\\system32\\curl-ca-bundle.crt',
+			'C:\\Windows\\curl-ca-bundle.crt',
+			'C:\\Windows\\system32\\cacert.pem',
+			'C:\\Windows\\cacert.pem',
+			// working path
+			__DIR__.'/cacert.pem',
+		];
+
+		foreach($cafiles as $file){
+			if(is_file($file) || (is_link($file) && is_file(readlink($file)))){
+				$this->curl_options[CURLOPT_CAINFO] = $file;
+				return;
+			}
+		}
 
-			$this->curl_options += [
-				CURLOPT_SSL_VERIFYPEER => false,
-				CURLOPT_CAINFO         => null,
-			];
-		}*/
+		$msg = 'No system CA bundle could be found in any of the the common system locations. '
+			.'In order to verify peer certificates, you will need to supply the path on disk to a certificate bundle via  '
+			.'HTTPOptions::$ca_info or HTTPOptions::$curl_options. If you do not need a specific certificate bundle, '
+			.'then you can download a CA bundle over here: https://curl.haxx.se/docs/caextract.html. '
+			.'Once you have a CA bundle available on disk, you can set the "curl.cainfo" php.ini setting to point '
+			.'to the path to the file, allowing you to omit the $ca_info or $curl_options setting. '
+			.'See http://curl.haxx.se/docs/sslcerts.html for more information.';
 
+		throw new ClientException($msg); // @codeCoverageIgnore
 	}
 
 }
diff --git a/tests/HTTPOptionsTest.php b/tests/HTTPOptionsTest.php
@@ -0,0 +1,116 @@
+<?php
+/**
+ * Class HTTPOptionsTest
+ *
+ * @filesource   HTTPOptionsTest.php
+ * @created      14.11.2018
+ * @package      chillerlan\HTTPTest
+ * @author       smiley <smiley@chillerlan.net>
+ * @copyright    2018 smiley
+ * @license      MIT
+ */
+
+namespace chillerlan\HTTPTest;
+
+use chillerlan\HTTP\HTTPOptions;
+use PHPUnit\Framework\TestCase;
+
+class HTTPOptionsTest extends TestCase{
+
+	public function testConvertInvalidCurlOptionsValueToArray(){
+		$this->assertTrue(is_array((new HTTPOptions(['curl_options' => 'foo']))->curl_options)); //coverage
+	}
+
+	/**
+	 * @expectedException \Psr\Http\Client\ClientExceptionInterface
+	 * @expectedExceptionMessage invalid user agent
+	 */
+	public function testInvalidUserAgentException(){
+		new HTTPOptions(['user_agent' => false]);
+	}
+
+	public function testCaDisable(){
+		$o = new HTTPOptions([
+			'ssl_verifypeer' => false,
+			'curl_options'   => [
+				CURLOPT_CAINFO => 'foo',
+				CURLOPT_CAPATH => 'bar',
+			],
+		]);
+
+		$this->assertSame(0, $o->curl_options[CURLOPT_SSL_VERIFYHOST]);
+		$this->assertSame(false, $o->curl_options[CURLOPT_SSL_VERIFYPEER]);
+		$this->assertArrayNotHasKey(CURLOPT_CAINFO, $o->curl_options);
+		$this->assertArrayNotHasKey(CURLOPT_CAPATH, $o->curl_options);
+	}
+
+	public function testCaInfoFile(){
+		$file = __DIR__.'/cacert.pem';
+		$o = new HTTPOptions(['ca_info' => $file]);
+
+		$this->assertSame($file, $o->curl_options[CURLOPT_CAINFO]);
+		$this->assertSame(2, $o->curl_options[CURLOPT_SSL_VERIFYHOST]);
+		$this->assertSame(true, $o->curl_options[CURLOPT_SSL_VERIFYPEER]);
+		$this->assertArrayNotHasKey(CURLOPT_CAPATH, $o->curl_options);
+	}
+
+	public function testCaInfoDir(){
+		$dir = __DIR__;
+		$o = new HTTPOptions(['ca_info' => $dir]);
+
+		$this->assertSame($dir, $o->curl_options[CURLOPT_CAPATH]);
+		$this->assertSame(2, $o->curl_options[CURLOPT_SSL_VERIFYHOST]);
+		$this->assertSame(true, $o->curl_options[CURLOPT_SSL_VERIFYPEER]);
+		$this->assertArrayNotHasKey(CURLOPT_CAINFO, $o->curl_options);
+	}
+
+	/**
+	 * @expectedException \Psr\Http\Client\ClientExceptionInterface
+	 * @expectedExceptionMessage invalid path to SSL CA bundle (HTTPOptions::$ca_info): foo
+	 */
+	public function testCaInfoInvalidException(){
+		new HTTPOptions(['ca_info' => 'foo']);
+	}
+
+	public function testCurloptCaInfoFile(){
+		$file = __DIR__.'/cacert.pem';
+		$o = new HTTPOptions(['curl_options' => [CURLOPT_CAINFO => $file]]);
+
+		$this->assertSame($file, $o->curl_options[CURLOPT_CAINFO]);
+		$this->assertSame(2, $o->curl_options[CURLOPT_SSL_VERIFYHOST]);
+		$this->assertSame(true, $o->curl_options[CURLOPT_SSL_VERIFYPEER]);
+		$this->assertArrayNotHasKey(CURLOPT_CAPATH, $o->curl_options);
+	}
+
+	public function testCurloptCaInfoDir(){
+		$dir = __DIR__;
+		$o = new HTTPOptions(['curl_options' => [CURLOPT_CAPATH => $dir]]);
+
+		$this->assertSame($dir, $o->curl_options[CURLOPT_CAPATH]);
+		$this->assertSame(2, $o->curl_options[CURLOPT_SSL_VERIFYHOST]);
+		$this->assertSame(true, $o->curl_options[CURLOPT_SSL_VERIFYPEER]);
+		$this->assertArrayNotHasKey(CURLOPT_CAINFO, $o->curl_options);
+	}
+
+	/**
+	 * @expectedException \Psr\Http\Client\ClientExceptionInterface
+	 * @expectedExceptionMessage invalid path to SSL CA bundle (CURLOPT_CAPATH/CURLOPT_CAINFO): foo
+	 */
+	public function testCurloptCaInfoInvalidException(){
+		new HTTPOptions(['curl_options' => [CURLOPT_CAINFO => 'foo']]);
+	}
+
+	public function testCaInfoFallback(){
+
+		if(file_exists(ini_get('curl.cainfo'))){
+			$this->markTestSkipped('curl.cainfo set');
+		}
+
+		$o = new HTTPOptions;
+
+		$this->assertFileExists($o->curl_options[CURLOPT_CAINFO]);
+		$this->assertSame(2, $o->curl_options[CURLOPT_SSL_VERIFYHOST]);
+		$this->assertSame(true, $o->curl_options[CURLOPT_SSL_VERIFYPEER]);
+	}
+
+}
