PageRenderTime 27ms CodeModel.GetById 20ms RepoModel.GetById 0ms app.codeStats 0ms

/src/conduit/ConduitClient.php

http://github.com/facebook/libphutil
PHP | 363 lines | 290 code | 59 blank | 14 comment | 43 complexity | 8b3162c441584d2f7cd37d6a51fe86f4 MD5 | raw file
Possible License(s): Apache-2.0 
    

  1. <?php
    2. 

  2. 

  3. final class ConduitClient extends Phobject {
    4. 

  4. 

  5.   private $uri;
    6. 

  6.   private $host;
    7. 

  7.   private $connectionID;
    8. 

  8.   private $sessionKey;
    9. 

  9.   private $timeout = 300.0;
    10. 

  10.   private $username;
    11. 

  11.   private $password;
    12. 

  12.   private $publicKey;
    13. 

  13.   private $privateKey;
    14. 

  14.   private $conduitToken;
    15. 

  15.   private $oauthToken;
    16. 

  16. 

  17.   const AUTH_ASYMMETRIC = 'asymmetric';
    18. 

  18. 

  19.   const SIGNATURE_CONSIGN_1 = 'Consign1.0/';
    20. 

  20. 

  21.   public function getConnectionID() {
    22. 

  22.     return $this->connectionID;
    23. 

  23.   }
    24. 

  24. 

  25.   public function __construct($uri) {
    26. 

  26.     $this->uri = new PhutilURI($uri);
    27. 

  27.     if (!strlen($this->uri->getDomain())) {
    28. 

  28.       throw new Exception(
    29. 

  29.         pht("Conduit URI '%s' must include a valid host.", $uri));
    30. 

  30.     }
    31. 

  31.     $this->host = $this->uri->getDomain();
    32. 

  32.   }
    33. 

  33. 

  34.   /**
    35. 

  35.    * Override the domain specified in the service URI and provide a specific
    36. 

  36.    * host identity.
    37. 

  37.    *
    38. 

  38.    * This can be used to connect to a specific node in a cluster environment.
    39. 

  39.    */
    40. 

  40.   public function setHost($host) {
    41. 

  41.     $this->host = $host;
    42. 

  42.     return $this;
    43. 

  43.   }
    44. 

  44. 

  45.   public function getHost() {
    46. 

  46.     return $this->host;
    47. 

  47.   }
    48. 

  48. 

  49.   public function setConduitToken($conduit_token) {
    50. 

  50.     $this->conduitToken = $conduit_token;
    51. 

  51.     return $this;
    52. 

  52.   }
    53. 

  53. 

  54.   public function getConduitToken() {
    55. 

  55.     return $this->conduitToken;
    56. 

  56.   }
    57. 

  57. 

  58.   public function setOAuthToken($oauth_token) {
    59. 

  59.     $this->oauthToken = $oauth_token;
    60. 

  60.     return $this;
    61. 

  61.   }
    62. 

  62. 

  63.   public function callMethodSynchronous($method, array $params) {
    64. 

  64.     return $this->callMethod($method, $params)->resolve();
    65. 

  65.   }
    66. 

  66. 

  67.   public function didReceiveResponse($method, $data) {
    68. 

  68.     if ($method == 'conduit.connect') {
    69. 

  69.       $this->sessionKey = idx($data, 'sessionKey');
    70. 

  70.       $this->connectionID = idx($data, 'connectionID');
    71. 

  71.     }
    72. 

  72.     return $data;
    73. 

  73.   }
    74. 

  74. 

  75.   public function setTimeout($timeout) {
    76. 

  76.     $this->timeout = $timeout;
    77. 

  77.     return $this;
    78. 

  78.   }
    79. 

  79. 

  80.   public function setSigningKeys(
    81. 

  81.     $public_key,
    82. 

  82.     PhutilOpaqueEnvelope $private_key) {
    83. 

  83. 

  84.     $this->publicKey = $public_key;
    85. 

  85.     $this->privateKey = $private_key;
    86. 

  86.     return $this;
    87. 

  87.   }
    88. 

  88. 

  89.   public function callMethod($method, array $params) {
    90. 

  90. 

  91.     $meta = array();
    92. 

  92. 

  93.     if ($this->sessionKey) {
    94. 

  94.       $meta['sessionKey'] = $this->sessionKey;
    95. 

  95.     }
    96. 

  96. 

  97.     if ($this->connectionID) {
    98. 

  98.       $meta['connectionID'] = $this->connectionID;
    99. 

  99.     }
    100. 

  100. 

  101.     if ($method == 'conduit.connect') {
    102. 

  102.       $certificate = idx($params, 'certificate');
    103. 

  103.       if ($certificate) {
    104. 

  104.         $token = time();
    105. 

  105.         $params['authToken'] = $token;
    106. 

  106.         $params['authSignature'] = sha1($token.$certificate);
    107. 

  107.       }
    108. 

  108.       unset($params['certificate']);
    109. 

  109.     }
    110. 

  110. 

  111.     if ($this->privateKey && $this->publicKey) {
    112. 

  112.       $meta['auth.type'] = self::AUTH_ASYMMETRIC;
    113. 

  113.       $meta['auth.key'] = $this->publicKey;
    114. 

  114.       $meta['auth.host'] = $this->getHostString();
    115. 

  115. 

  116.       $signature = $this->signRequest($method, $params, $meta);
    117. 

  117.       $meta['auth.signature'] = $signature;
    118. 

  118.     }
    119. 

  119. 

  120.     if ($this->conduitToken) {
    121. 

  121.       $meta['token'] = $this->conduitToken;
    122. 

  122.     }
    123. 

  123. 

  124.     if ($this->oauthToken) {
    125. 

  125.       $meta['access_token'] = $this->oauthToken;
    126. 

  126.     }
    127. 

  127. 

  128.     if ($meta) {
    129. 

  129.       $params['__conduit__'] = $meta;
    130. 

  130.     }
    131. 

  131. 

  132.     $uri = id(clone $this->uri)->setPath('/api/'.$method);
    133. 

  133. 

  134.     $data = array(
    135. 

  135.       'params'      => json_encode($params),
    136. 

  136.       'output'      => 'json',
    137. 

  137. 

  138.       // This is a hint to Phabricator that the client expects a Conduit
    139. 

  139.       // response. It is not necessary, but provides better error messages in
    140. 

  140.       // some cases.
    141. 

  141.       '__conduit__' => true,
    142. 

  142.     );
    143. 

  143. 

  144.     // Always use the cURL-based HTTPSFuture, for proxy support and other
    145. 

  145.     // protocol edge cases that HTTPFuture does not support.
    146. 

  146.     $core_future = new HTTPSFuture($uri, $data);
    147. 

  147.     $core_future->addHeader('Host', $this->getHost());
    148. 

  148. 

  149.     $core_future->setMethod('POST');
    150. 

  150.     $core_future->setTimeout($this->timeout);
    151. 

  151. 

  152.     if ($this->username !== null) {
    153. 

  153.       $core_future->setHTTPBasicAuthCredentials(
    154. 

  154.         $this->username,
    155. 

  155.         $this->password);
    156. 

  156.     }
    157. 

  157. 

  158.     $conduit_future = new ConduitFuture($core_future);
    159. 

  159.     $conduit_future->setClient($this, $method);
    160. 

  160.     $conduit_future->beginProfile($data);
    161. 

  161.     $conduit_future->isReady();
    162. 

  162. 

  163.     return $conduit_future;
    164. 

  164.   }
    165. 

  165. 

  166.   public function setBasicAuthCredentials($username, $password) {
    167. 

  167.     $this->username = $username;
    168. 

  168.     $this->password = new PhutilOpaqueEnvelope($password);
    169. 

  169.     return $this;
    170. 

  170.   }
    171. 

  171. 

  172.   private function getHostString() {
    173. 

  173.     $host = $this->getHost();
    174. 

  174. 

  175.     $uri = new PhutilURI($this->uri);
    176. 

  176.     $port = $uri->getPort();
    177. 

  177.     if (!$port) {
    178. 

  178.       switch ($uri->getProtocol()) {
    179. 

  179.         case 'https':
    180. 

  180.           $port = 443;
    181. 

  181.           break;
    182. 

  182.         default:
    183. 

  183.           $port = 80;
    184. 

  184.           break;
    185. 

  185.       }
    186. 

  186.     }
    187. 

  187. 

  188.     return $host.':'.$port;
    189. 

  189.   }
    190. 

  190. 

  191.   private function signRequest(
    192. 

  192.     $method,
    193. 

  193.     array $params,
    194. 

  194.     array $meta) {
    195. 

  195. 

  196.     $input = self::encodeRequestDataForSignature(
    197. 

  197.       $method,
    198. 

  198.       $params,
    199. 

  199.       $meta);
    200. 

  200. 

  201.     $signature = null;
    202. 

  202.     $result = openssl_sign(
    203. 

  203.       $input,
    204. 

  204.       $signature,
    205. 

  205.       $this->privateKey->openEnvelope());
    206. 

  206.     if (!$result) {
    207. 

  207.       throw new Exception(
    208. 

  208.         pht('Unable to sign Conduit request with signing key.'));
    209. 

  209.     }
    210. 

  210. 

  211.     return self::SIGNATURE_CONSIGN_1.base64_encode($signature);
    212. 

  212.   }
    213. 

  213. 

  214.   public static function verifySignature(
    215. 

  215.     $method,
    216. 

  216.     array $params,
    217. 

  217.     array $meta,
    218. 

  218.     $openssl_public_key) {
    219. 

  219. 

  220.     $auth_type = idx($meta, 'auth.type');
    221. 

  221.     switch ($auth_type) {
    222. 

  222.       case self::AUTH_ASYMMETRIC:
    223. 

  223.         break;
    224. 

  224.       default:
    225. 

  225.         throw new Exception(
    226. 

  226.           pht(
    227. 

  227.             'Unable to verify request signature, specified "%s" '.
    228. 

  228.             '("%s") is unknown.',
    229. 

  229.             'auth.type',
    230. 

  230.             $auth_type));
    231. 

  231.     }
    232. 

  232. 

  233.     $public_key = idx($meta, 'auth.key');
    234. 

  234.     if (!strlen($public_key)) {
    235. 

  235.       throw new Exception(
    236. 

  236.         pht(
    237. 

  237.           'Unable to verify request signature, no "%s" present in '.
    238. 

  238.           'request protocol information.',
    239. 

  239.           'auth.key'));
    240. 

  240.     }
    241. 

  241. 

  242.     $signature = idx($meta, 'auth.signature');
    243. 

  243.     if (!strlen($signature)) {
    244. 

  244.       throw new Exception(
    245. 

  245.         pht(
    246. 

  246.           'Unable to verify request signature, no "%s" present '.
    247. 

  247.           'in request protocol information.',
    248. 

  248.           'auth.signature'));
    249. 

  249.     }
    250. 

  250. 

  251.     $prefix = self::SIGNATURE_CONSIGN_1;
    252. 

  252.     if (strncmp($signature, $prefix, strlen($prefix)) !== 0) {
    253. 

  253.       throw new Exception(
    254. 

  254.         pht(
    255. 

  255.           'Unable to verify request signature, signature format is not '.
    256. 

  256.           'known.'));
    257. 

  257.     }
    258. 

  258.     $signature = substr($signature, strlen($prefix));
    259. 

  259. 

  260.     $input = self::encodeRequestDataForSignature(
    261. 

  261.       $method,
    262. 

  262.       $params,
    263. 

  263.       $meta);
    264. 

  264. 

  265.     $signature = base64_decode($signature);
    266. 

  266. 

  267.     $trap = new PhutilErrorTrap();
    268. 

  268.       $result = @openssl_verify(
    269. 

  269.         $input,
    270. 

  270.         $signature,
    271. 

  271.         $openssl_public_key);
    272. 

  272.       $err = $trap->getErrorsAsString();
    273. 

  273.     $trap->destroy();
    274. 

  274. 

  275.     if ($result === 1) {
    276. 

  276.       // Signature is good.
    277. 

  277.       return true;
    278. 

  278.     } else if ($result === 0) {
    279. 

  279.       // Signature is bad.
    280. 

  280.       throw new Exception(
    281. 

  281.         pht(
    282. 

  282.           'Request signature verification failed: signature is not correct.'));
    283. 

  283.     } else {
    284. 

  284.       // Some kind of error.
    285. 

  285.       if (strlen($err)) {
    286. 

  286.         throw new Exception(
    287. 

  287.           pht(
    288. 

  288.             'OpenSSL encountered an error verifying the request signature: %s',
    289. 

  289.             $err));
    290. 

  290.       } else {
    291. 

  291.         throw new Exception(
    292. 

  292.           pht(
    293. 

  293.             'OpenSSL encountered an unknown error verifying the request: %s',
    294. 

  294.             $err));
    295. 

  295.       }
    296. 

  296.     }
    297. 

  297.   }
    298. 

  298. 

  299.   private static function encodeRequestDataForSignature(
    300. 

  300.     $method,
    301. 

  301.     array $params,
    302. 

  302.     array $meta) {
    303. 

  303. 

  304.     unset($meta['auth.signature']);
    305. 

  305. 

  306.     $structure = array(
    307. 

  307.       'method' => $method,
    308. 

  308.       'protocol' => $meta,
    309. 

  309.       'parameters' => $params,
    310. 

  310.     );
    311. 

  311. 

  312.     return self::encodeRawDataForSignature($structure);
    313. 

  313.   }
    314. 

  314. 

  315.   public static function encodeRawDataForSignature($data) {
    316. 

  316.     $out = array();
    317. 

  317. 

  318.     if (is_array($data)) {
    319. 

  319.       if (!$data || (array_keys($data) == range(0, count($data) - 1))) {
    320. 

  320.         $out[] = 'A';
    321. 

  321.         $out[] = count($data);
    322. 

  322.         $out[] = ':';
    323. 

  323.         foreach ($data as $value) {
    324. 

  324.           $out[] = self::encodeRawDataForSignature($value);
    325. 

  325.         }
    326. 

  326.       } else {
    327. 

  327.         ksort($data);
    328. 

  328.         $out[] = 'O';
    329. 

  329.         $out[] = count($data);
    330. 

  330.         $out[] = ':';
    331. 

  331.         foreach ($data as $key => $value) {
    332. 

  332.           $out[] = self::encodeRawDataForSignature($key);
    333. 

  333.           $out[] = self::encodeRawDataForSignature($value);
    334. 

  334.         }
    335. 

  335.       }
    336. 

  336.     } else if (is_string($data)) {
    337. 

  337.       $out[] = 'S';
    338. 

  338.       $out[] = strlen($data);
    339. 

  339.       $out[] = ':';
    340. 

  340.       $out[] = $data;
    341. 

  341.     } else if (is_int($data)) {
    342. 

  342.       $out[] = 'I';
    343. 

  343.       $out[] = strlen((string)$data);
    344. 

  344.       $out[] = ':';
    345. 

  345.       $out[] = (string)$data;
    346. 

  346.     } else if (is_null($data)) {
    347. 

  347.       $out[] = 'N';
    348. 

  348.       $out[] = ':';
    349. 

  349.     } else if ($data === true) {
    350. 

  350.       $out[] = 'B1:';
    351. 

  351.     } else if ($data === false) {
    352. 

  352.       $out[] = 'B0:';
    353. 

  353.     } else {
    354. 

  354.       throw new Exception(
    355. 

  355.         pht(
    356. 

  356.           'Unexpected data type in request data: %s.',
    357. 

  357.           gettype($data)));
    358. 

  358.     }
    359. 

  359. 

  360.     return implode('', $out);
    361. 

  361.   }
    362. 

  362. 

  363. }
    364. 

  364.