Merge pull request #4805 from alcohol/capath
Add capath configuration capability and refactor cafile resolvingpull/4124/head
commit
7d7b3ccb2a
|
@ -55,9 +55,15 @@ php_openssl extension in php.ini.
|
||||||
|
|
||||||
## cafile
|
## cafile
|
||||||
|
|
||||||
A way to set the path to the openssl CA file. In PHP 5.6+ you should rather
|
Location of Certificate Authority file on local filesystem. In PHP 5.6+ you
|
||||||
set this via openssl.cafile in php.ini, although PHP 5.6+ should be able to
|
should rather set this via openssl.cafile in php.ini, although PHP 5.6+ should
|
||||||
detect your system CA file automatically.
|
be able to detect your system CA file automatically.
|
||||||
|
|
||||||
|
## capath
|
||||||
|
|
||||||
|
If cafile is not specified or if the certificate is not found there, the
|
||||||
|
directory pointed to by capath is searched for a suitable certificate.
|
||||||
|
capath must be a correctly hashed certificate directory.
|
||||||
|
|
||||||
## http-basic
|
## http-basic
|
||||||
|
|
||||||
|
|
|
@ -149,6 +149,10 @@
|
||||||
"type": "string",
|
"type": "string",
|
||||||
"description": "A way to set the path to the openssl CA file. In PHP 5.6+ you should rather set this via openssl.cafile in php.ini, although PHP 5.6+ should be able to detect your system CA file automatically."
|
"description": "A way to set the path to the openssl CA file. In PHP 5.6+ you should rather set this via openssl.cafile in php.ini, although PHP 5.6+ should be able to detect your system CA file automatically."
|
||||||
},
|
},
|
||||||
|
"capath": {
|
||||||
|
"type": "string",
|
||||||
|
"description": "If cafile is not specified or if the certificate is not found there, the directory pointed to by capath is searched for a suitable certificate. capath must be a correctly hashed certificate directory."
|
||||||
|
},
|
||||||
"http-basic": {
|
"http-basic": {
|
||||||
"type": "object",
|
"type": "object",
|
||||||
"description": "A hash of domain name => {\"username\": \"...\", \"password\": \"...\"}.",
|
"description": "A hash of domain name => {\"username\": \"...\", \"password\": \"...\"}.",
|
||||||
|
|
|
@ -333,6 +333,10 @@ EOT
|
||||||
function ($val) { return file_exists($val) && is_readable($val); },
|
function ($val) { return file_exists($val) && is_readable($val); },
|
||||||
function ($val) { return $val === 'null' ? null : $val; }
|
function ($val) { return $val === 'null' ? null : $val; }
|
||||||
),
|
),
|
||||||
|
'capath' => array(
|
||||||
|
function ($val) { return is_dir($val) && is_readable($val); },
|
||||||
|
function ($val) { return $val === 'null' ? null : $val; }
|
||||||
|
),
|
||||||
'github-expose-hostname' => array($booleanValidator, $booleanNormalizer),
|
'github-expose-hostname' => array($booleanValidator, $booleanNormalizer),
|
||||||
);
|
);
|
||||||
$multiConfigValues = array(
|
$multiConfigValues = array(
|
||||||
|
|
|
@ -47,6 +47,7 @@ class Config
|
||||||
'github-domains' => array('github.com'),
|
'github-domains' => array('github.com'),
|
||||||
'disable-tls' => false,
|
'disable-tls' => false,
|
||||||
'cafile' => null,
|
'cafile' => null,
|
||||||
|
'capath' => null,
|
||||||
'github-expose-hostname' => true,
|
'github-expose-hostname' => true,
|
||||||
'gitlab-domains' => array('gitlab.com'),
|
'gitlab-domains' => array('gitlab.com'),
|
||||||
'store-auths' => 'prompt',
|
'store-auths' => 'prompt',
|
||||||
|
@ -179,6 +180,7 @@ class Config
|
||||||
case 'cache-repo-dir':
|
case 'cache-repo-dir':
|
||||||
case 'cache-vcs-dir':
|
case 'cache-vcs-dir':
|
||||||
case 'cafile':
|
case 'cafile':
|
||||||
|
case 'capath':
|
||||||
// convert foo-bar to COMPOSER_FOO_BAR and check if it exists since it overrides the local config
|
// convert foo-bar to COMPOSER_FOO_BAR and check if it exists since it overrides the local config
|
||||||
$env = 'COMPOSER_' . strtoupper(strtr($key, '-', '_'));
|
$env = 'COMPOSER_' . strtoupper(strtr($key, '-', '_'));
|
||||||
|
|
||||||
|
|
|
@ -590,9 +590,12 @@ class Factory
|
||||||
$remoteFilesystemOptions = array();
|
$remoteFilesystemOptions = array();
|
||||||
if ($disableTls === false) {
|
if ($disableTls === false) {
|
||||||
if ($config && $config->get('cafile')) {
|
if ($config && $config->get('cafile')) {
|
||||||
$remoteFilesystemOptions = array('ssl' => array('cafile' => $config->get('cafile')));
|
$remoteFilesystemOptions['ssl']['cafile'] = $config->get('cafile');
|
||||||
}
|
}
|
||||||
$remoteFilesystemOptions = array_merge_recursive($remoteFilesystemOptions, $options);
|
if ($config && $config->get('capath')) {
|
||||||
|
$remoteFilesystemOptions['ssl']['capath'] = $config->get('capath');
|
||||||
|
}
|
||||||
|
$remoteFilesystemOptions = array_replace_recursive($remoteFilesystemOptions, $options);
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
$remoteFilesystem = new RemoteFilesystem($io, $config, $remoteFilesystemOptions, $disableTls);
|
$remoteFilesystem = new RemoteFilesystem($io, $config, $remoteFilesystemOptions, $disableTls);
|
||||||
|
|
|
@ -54,15 +54,7 @@ class RemoteFilesystem
|
||||||
// Setup TLS options
|
// Setup TLS options
|
||||||
// The cafile option can be set via config.json
|
// The cafile option can be set via config.json
|
||||||
if ($disableTls === false) {
|
if ($disableTls === false) {
|
||||||
$this->options = $this->getTlsDefaults();
|
$this->options = $this->getTlsDefaults($options);
|
||||||
if (isset($options['ssl']['cafile'])
|
|
||||||
&& (
|
|
||||||
!is_readable($options['ssl']['cafile'])
|
|
||||||
|| !$this->validateCaFile($options['ssl']['cafile'])
|
|
||||||
)
|
|
||||||
) {
|
|
||||||
throw new TransportException('The configured cafile was not valid or could not be read.');
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
$this->disableTls = true;
|
$this->disableTls = true;
|
||||||
}
|
}
|
||||||
|
@ -575,7 +567,12 @@ class RemoteFilesystem
|
||||||
return $options;
|
return $options;
|
||||||
}
|
}
|
||||||
|
|
||||||
private function getTlsDefaults()
|
/**
|
||||||
|
* @param array $options
|
||||||
|
*
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
private function getTlsDefaults(array $options)
|
||||||
{
|
{
|
||||||
$ciphers = implode(':', array(
|
$ciphers = implode(':', array(
|
||||||
'ECDHE-RSA-AES128-GCM-SHA256',
|
'ECDHE-RSA-AES128-GCM-SHA256',
|
||||||
|
@ -622,7 +619,7 @@ class RemoteFilesystem
|
||||||
*
|
*
|
||||||
* cafile or capath can be overridden by passing in those options to constructor.
|
* cafile or capath can be overridden by passing in those options to constructor.
|
||||||
*/
|
*/
|
||||||
$options = array(
|
$defaults = array(
|
||||||
'ssl' => array(
|
'ssl' => array(
|
||||||
'ciphers' => $ciphers,
|
'ciphers' => $ciphers,
|
||||||
'verify_peer' => true,
|
'verify_peer' => true,
|
||||||
|
@ -631,46 +628,50 @@ class RemoteFilesystem
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
if (isset($options['ssl'])) {
|
||||||
|
$defaults['ssl'] = array_replace_recursive($defaults['ssl'], $options['ssl']);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Attempt to find a local cafile or throw an exception if none pre-set
|
* Attempt to find a local cafile or throw an exception if none pre-set
|
||||||
* The user may go download one if this occurs.
|
* The user may go download one if this occurs.
|
||||||
*/
|
*/
|
||||||
if (!isset($this->options['ssl']['cafile'])) {
|
if (!isset($defaults['ssl']['cafile']) && !isset($defaults['ssl']['capath'])) {
|
||||||
$result = $this->getSystemCaRootBundlePath();
|
$result = $this->getSystemCaRootBundlePath();
|
||||||
if ($result) {
|
|
||||||
if (preg_match('{^phar://}', $result)) {
|
if (preg_match('{^phar://}', $result)) {
|
||||||
$targetPath = rtrim(sys_get_temp_dir(), '\\/') . '/composer-cacert.pem';
|
$hash = hash_file('sha256', $result);
|
||||||
|
$targetPath = rtrim(sys_get_temp_dir(), '\\/') . '/composer-cacert-' . $hash . '.pem';
|
||||||
|
|
||||||
// use stream_copy_to_stream instead of copy
|
if (!file_exists($targetPath) || $hash !== hash_file('sha256', $targetPath)) {
|
||||||
// to work around https://bugs.php.net/bug.php?id=64634
|
$this->streamCopy($result, $targetPath);
|
||||||
$source = fopen($result, 'r');
|
chmod($targetPath, 0666);
|
||||||
$target = fopen($targetPath, 'w+');
|
}
|
||||||
stream_copy_to_stream($source, $target);
|
|
||||||
fclose($source);
|
|
||||||
fclose($target);
|
|
||||||
unset($source, $target);
|
|
||||||
|
|
||||||
$options['ssl']['cafile'] = $targetPath;
|
$defaults['ssl']['cafile'] = $targetPath;
|
||||||
|
} elseif (is_dir($result)) {
|
||||||
|
$defaults['ssl']['capath'] = $result;
|
||||||
} else {
|
} else {
|
||||||
if (is_dir($result)) {
|
$defaults['ssl']['cafile'] = $result;
|
||||||
$options['ssl']['capath'] = $result;
|
|
||||||
} elseif ($result) {
|
|
||||||
$options['ssl']['cafile'] = $result;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
throw new TransportException('A valid cafile could not be located automatically.');
|
if (isset($defaults['ssl']['cafile']) && (!is_readable($defaults['ssl']['cafile']) || !$this->validateCaFile($defaults['ssl']['cafile']))) {
|
||||||
|
throw new TransportException('The configured cafile was not valid or could not be read.');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (isset($defaults['ssl']['capath']) && (!is_dir($defaults['ssl']['capath']) || !is_readable($defaults['ssl']['capath']))) {
|
||||||
|
throw new TransportException('The configured capath was not valid or could not be read.');
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Disable TLS compression to prevent CRIME attacks where supported.
|
* Disable TLS compression to prevent CRIME attacks where supported.
|
||||||
*/
|
*/
|
||||||
if (PHP_VERSION_ID >= 50413) {
|
if (PHP_VERSION_ID >= 50413) {
|
||||||
$options['ssl']['disable_compression'] = true;
|
$defaults['ssl']['disable_compression'] = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
return $options;
|
return $defaults;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -704,6 +705,8 @@ class RemoteFilesystem
|
||||||
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
*/
|
*/
|
||||||
private function getSystemCaRootBundlePath()
|
private function getSystemCaRootBundlePath()
|
||||||
{
|
{
|
||||||
|
@ -721,6 +724,11 @@ class RemoteFilesystem
|
||||||
return $caPath = $envCertFile;
|
return $caPath = $envCertFile;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$configured = ini_get('openssl.cafile');
|
||||||
|
if ($configured && strlen($configured) > 0 && is_readable($configured) && $this->validateCaFile($configured)) {
|
||||||
|
return $caPath = $configured;
|
||||||
|
}
|
||||||
|
|
||||||
$caBundlePaths = array(
|
$caBundlePaths = array(
|
||||||
'/etc/pki/tls/certs/ca-bundle.crt', // Fedora, RHEL, CentOS (ca-certificates package)
|
'/etc/pki/tls/certs/ca-bundle.crt', // Fedora, RHEL, CentOS (ca-certificates package)
|
||||||
'/etc/ssl/certs/ca-certificates.crt', // Debian, Ubuntu, Gentoo, Arch Linux (ca-certificates package)
|
'/etc/ssl/certs/ca-certificates.crt', // Debian, Ubuntu, Gentoo, Arch Linux (ca-certificates package)
|
||||||
|
@ -732,14 +740,8 @@ class RemoteFilesystem
|
||||||
'/usr/share/ssl/certs/ca-bundle.crt', // Really old RedHat?
|
'/usr/share/ssl/certs/ca-bundle.crt', // Really old RedHat?
|
||||||
'/etc/ssl/cert.pem', // OpenBSD
|
'/etc/ssl/cert.pem', // OpenBSD
|
||||||
'/usr/local/etc/ssl/cert.pem', // FreeBSD 10.x
|
'/usr/local/etc/ssl/cert.pem', // FreeBSD 10.x
|
||||||
__DIR__.'/../../../res/cacert.pem', // Bundled with Composer
|
|
||||||
);
|
);
|
||||||
|
|
||||||
$configured = ini_get('openssl.cafile');
|
|
||||||
if ($configured && strlen($configured) > 0 && is_readable($configured) && $this->validateCaFile($configured)) {
|
|
||||||
return $caPath = $configured;
|
|
||||||
}
|
|
||||||
|
|
||||||
foreach ($caBundlePaths as $caBundle) {
|
foreach ($caBundlePaths as $caBundle) {
|
||||||
if (@is_readable($caBundle) && $this->validateCaFile($caBundle)) {
|
if (@is_readable($caBundle) && $this->validateCaFile($caBundle)) {
|
||||||
return $caPath = $caBundle;
|
return $caPath = $caBundle;
|
||||||
|
@ -753,9 +755,14 @@ class RemoteFilesystem
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return $caPath = false;
|
return $caPath = __DIR__.'/../../../res/cacert.pem'; // Bundled with Composer, last resort
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string $filename
|
||||||
|
*
|
||||||
|
* @return bool
|
||||||
|
*/
|
||||||
private function validateCaFile($filename)
|
private function validateCaFile($filename)
|
||||||
{
|
{
|
||||||
if ($this->io->isDebug()) {
|
if ($this->io->isDebug()) {
|
||||||
|
@ -775,4 +782,22 @@ class RemoteFilesystem
|
||||||
|
|
||||||
return (bool) openssl_x509_parse($contents);
|
return (bool) openssl_x509_parse($contents);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Uses stream_copy_to_stream instead of copy to work around https://bugs.php.net/bug.php?id=64634
|
||||||
|
*
|
||||||
|
* @param string $source
|
||||||
|
* @param string $target
|
||||||
|
*/
|
||||||
|
private function streamCopy($source, $target)
|
||||||
|
{
|
||||||
|
$source = fopen($source, 'r');
|
||||||
|
$target = fopen($target, 'w+');
|
||||||
|
|
||||||
|
stream_copy_to_stream($source, $target);
|
||||||
|
fclose($source);
|
||||||
|
fclose($target);
|
||||||
|
|
||||||
|
unset($source, $target);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -64,6 +64,10 @@ class ZipDownloaderTest extends \PHPUnit_Framework_TestCase
|
||||||
->with('cafile')
|
->with('cafile')
|
||||||
->will($this->returnValue(null));
|
->will($this->returnValue(null));
|
||||||
$config->expects($this->at(2))
|
$config->expects($this->at(2))
|
||||||
|
->method('get')
|
||||||
|
->with('capath')
|
||||||
|
->will($this->returnValue(null));
|
||||||
|
$config->expects($this->at(3))
|
||||||
->method('get')
|
->method('get')
|
||||||
->with('vendor-dir')
|
->with('vendor-dir')
|
||||||
->will($this->returnValue($this->testDir));
|
->will($this->returnValue($this->testDir));
|
||||||
|
|
Loading…
Reference in New Issue