PHPC-223: Use explicit SSL options rather then stream context

This also adds support for PHPC-185

Author: bjori

php_phongo.c

@@ -1199,49 +1199,90 @@ void php_phongo_result_to_zval(zval *retval, php_phongo_result_t *result) /* {{{
 
 mongoc_client_t *php_phongo_make_mongo_client(const char *uri, zval *driverOptions TSRMLS_DC) /* {{{ */
 {
-	php_stream_context       *ctx = NULL;
-	mongoc_client_t *client = mongoc_client_new(uri);
+	zval                     **tmp;
+	php_stream_context        *ctx;
+	const char                *mech;
+	const mongoc_uri_t        *muri;
+	mongoc_client_t *client =  mongoc_client_new(uri);
+
 
 	if (!client) {
 		return false;
 	}
 
-	if (driverOptions) {
-		zval **tmp;
+	if (driverOptions && zend_hash_find(Z_ARRVAL_P(driverOptions), "context", strlen("context") + 1, (void**)&tmp) == SUCCESS) {
+		ctx = php_stream_context_from_zval(*tmp, 0);
+	} else {
+		ctx = FG(default_context) ? FG(default_context) : php_stream_context_alloc(TSRMLS_C);
+	}
+	muri = mongoc_client_get_uri(client);
+
+	if (driverOptions && mongoc_uri_get_ssl(muri)) {
 
-		if (zend_hash_find(Z_ARRVAL_P(driverOptions), "context", strlen("context") + 1, (void**)&tmp) == SUCCESS) {
-			ctx = php_stream_context_from_zval(*tmp, PHP_FILE_NO_DEFAULT_CONTEXT);
-		} else if (FG(default_context)) {
-			ctx = FG(default_context);
+#define SET_STRING_CTX(name) \
+		if (php_array_exists(driverOptions, name)) { \
+			zval ztmp; \
+			zend_bool ctmp_free; \
+			int ctmp_len; \
+			char *ctmp; \
+			ctmp = php_array_fetchl_string(driverOptions, name, sizeof(name)-1, &ctmp_len, &ctmp_free); \
+			ZVAL_STRING(&ztmp, ctmp, ctmp_free); \
+			php_stream_context_set_option(ctx, "ssl", name, &ztmp); \
 		}
 
-		if (ctx) {
-			const mongoc_uri_t *muri = mongoc_client_get_uri(client);
-			const char *mech = mongoc_uri_get_auth_mechanism(muri);
+#define SET_BOOL_CTX(name, defaultvalue) \
+		{ \
+			zval ztmp; \
+			if (php_array_exists(driverOptions, name)) { \
+				ZVAL_BOOL(&ztmp, php_array_fetchl_bool(driverOptions, ZEND_STRL(name))); \
+				php_stream_context_set_option(ctx, "ssl", name, &ztmp); \
+			} \
+			else if (php_stream_context_get_option(ctx, "ssl", name, &tmp) == FAILURE) { \
+				ZVAL_BOOL(&ztmp, defaultvalue); \
+				php_stream_context_set_option(ctx, "ssl", name, &ztmp); \
+			} \
+		}
 
-			/* Check if we are doing X509 auth, in which case extract the username (subject) from the cert if no username is provided */
-			if (mech && !strcasecmp(mech, "MONGODB-X509") && !mongoc_uri_get_username(muri)) {
-				zval **pem;
+		SET_BOOL_CTX("verify_peer", 1);
+		SET_BOOL_CTX("verify_peer_name", 1);
+		SET_BOOL_CTX("verify_hostname", 1);
+		SET_BOOL_CTX("verify_expiry", 1);
+		SET_BOOL_CTX("allow_self_signed", 0);
 
-				if (SUCCESS == php_stream_context_get_option(ctx, "ssl", "local_cert", &pem)) {
-					char filename[MAXPATHLEN];
+		SET_STRING_CTX("peer_name");
+		SET_STRING_CTX("local_pk");
+		SET_STRING_CTX("local_cert");
+		SET_STRING_CTX("cafile");
+		SET_STRING_CTX("capath");
+		SET_STRING_CTX("passphrase");
+		SET_STRING_CTX("ciphers");
+#undef SET_BOOL_CTX
+#undef SET_STRING_CTX
+	}
 
-					convert_to_string_ex(pem);
-					if (VCWD_REALPATH(Z_STRVAL_PP(pem), filename)) {
-						mongoc_ssl_opt_t  ssl_options;
+	mech = mongoc_uri_get_auth_mechanism(muri);
 
-						ssl_options.pem_file = filename;
-						mongoc_client_set_ssl_opts(client, &ssl_options);
-					}
-				}
+	/* Check if we are doing X509 auth, in which case extract the username (subject) from the cert if no username is provided */
+	if (mech && !strcasecmp(mech, "MONGODB-X509") && !mongoc_uri_get_username(muri)) {
+		zval **pem;
+
+		if (SUCCESS == php_stream_context_get_option(ctx, "ssl", "local_cert", &pem)) {
+			char filename[MAXPATHLEN];
+
+			convert_to_string_ex(pem);
+			if (VCWD_REALPATH(Z_STRVAL_PP(pem), filename)) {
+				mongoc_ssl_opt_t  ssl_options;
+
+				ssl_options.pem_file = filename;
+				mongoc_client_set_ssl_opts(client, &ssl_options);
 			}
 		}
+	}
 
-		if (zend_hash_find(Z_ARRVAL_P(driverOptions), "debug", strlen("debug") + 1, (void**)&tmp) == SUCCESS) {
-			convert_to_string(*tmp);
+	if (driverOptions && zend_hash_find(Z_ARRVAL_P(driverOptions), "debug", strlen("debug") + 1, (void**)&tmp) == SUCCESS) {
+		convert_to_string(*tmp);
 
-			zend_alter_ini_entry_ex((char *)PHONGO_DEBUG_INI, sizeof(PHONGO_DEBUG_INI), Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), PHP_INI_USER, PHP_INI_STAGE_RUNTIME, 0 TSRMLS_CC);
-		}
+		zend_alter_ini_entry_ex((char *)PHONGO_DEBUG_INI, sizeof(PHONGO_DEBUG_INI), Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), PHP_INI_USER, PHP_INI_STAGE_RUNTIME, 0 TSRMLS_CC);
 	}
 
 	mongoc_client_set_stream_initiator(client, phongo_stream_initiator, ctx);

tests/connect/standalone-ssl-0003.phpt

@@ -0,0 +1,47 @@
+--TEST--
+Connect to MongoDB with using SSL without verifying anything
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+$SSL_DIR = realpath(__DIR__ . "/" . "./../../scripts/ssl/");
+$opts = array(
+        "verify_peer" => false,
+        "verify_peer_name" => false,
+        "allow_self_signed" => true,
+);
+
+$dsn = sprintf("%s/?ssl=true", STANDALONE_SSL);
+
+$manager = new MongoDB\Driver\Manager($dsn, array(), $opts);
+
+$bulk = new MongoDB\Driver\BulkWrite;
+
+$bulk->insert(array("my" => "value"));
+$bulk->insert(array("my" => "value", "foo" => "bar"));
+$bulk->insert(array("my" => "value", "foo" => "bar"));
+
+$bulk->delete(array("my" => "value", "foo" => "bar"), array("limit" => 1));
+
+$bulk->update(array("foo" => "bar"), array('$set' => array("foo" => "baz")), array("limit" => 1, "upsert" => 0));
+
+$retval = $manager->executeBulkWrite(NS, $bulk);
+
+printf("Inserted: %d\n", getInsertCount($retval));
+printf("Deleted: %d\n", getDeletedCount($retval));
+printf("Updated: %d\n", getModifiedCount($retval));
+printf("Upserted: %d\n", getUpsertedCount($retval));
+foreach(getWriteErrors($retval) as $error) {
+    printf("WriteErrors: %", $error);
+}
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+Inserted: 3
+Deleted: 1
+Updated: 1
+Upserted: 0
+===DONE===

tests/connect/standalone-ssl-0004.phpt

@@ -0,0 +1,49 @@
+--TEST--
+Connect to MongoDB with using SSL and verify the stream
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+$dsn = sprintf("%s/?ssl=true", STANDALONE_SSL);
+
+$SSL_DIR = realpath(__DIR__ . "/" . "./../../scripts/ssl/");
+$opts = array(
+        "peer_name" => "WRONG PEER NAME",
+        "verify_peer" => true,
+        "verify_peer_name" => true,
+        "allow_self_signed" => false,
+        "cafile" => $SSL_DIR . "/ca.pem", /* Defaults to openssl.cafile */
+        "ciphers" => "HIGH:!EXPORT:!aNULL@STRENGTH",
+);
+
+$manager = new MongoDB\Driver\Manager($dsn, array(), $opts);
+
+
+echo throws(function() use($manager) {
+    $bulk = new MongoDB\Driver\BulkWrite;
+    $bulk->insert(array("my" => "value"));
+    $retval = $manager->executeBulkWrite(NS, $bulk);
+}, "MongoDB\\Driver\\SSLConnectionException", "executeBulkWrite"), "\n";
+
+
+echo "Changing to server\n";
+$opts["peer_name"] = "server";
+$manager = new MongoDB\Driver\Manager($dsn, array(), $opts);
+$bulk = new MongoDB\Driver\BulkWrite;
+$bulk->insert(array("my" => "value"));
+$retval = $manager->executeBulkWrite(NS, $bulk);
+printf("Inserted: %d\n", $retval->getInsertedCount());
+
+
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+OK: Got MongoDB\Driver\SSLConnectionException thrown from executeBulkWrite
+%s
+Changing to server
+Inserted: 1
+===DONE===

tests/connect/standalone-x509-0003.phpt

@@ -0,0 +1,45 @@
+--TEST--
+Connect to MongoDB with using SSL and X.509 auth
+--SKIPIF--
+<?php require __DIR__ . "/../utils/auth-x509-skipif.inc"?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+$SSL_DIR = realpath(__DIR__ . "/" . "./../../scripts/ssl/");
+
+$opts = array(
+        "peer_name" => "server",
+        "verify_peer" => true,
+        "verify_peer_name" => true,
+        "allow_self_signed" => false,
+        "cafile" => $SSL_DIR . "/ca.pem", /* Defaults to openssl.cafile */
+        "local_cert" => $SSL_DIR . "/client.pem",
+);
+
+try {
+    $dsn = sprintf("%s&ssl=true", STANDALONE_X509);
+
+    $manager = new MongoDB\Driver\Manager($dsn, array(), $opts);
+
+    $bulk = new MongoDB\Driver\BulkWrite();
+    $bulk->insert(array("very" => "important"));
+    $manager->executeBulkWrite(NS, $bulk);
+    $query = new MongoDB\Driver\Query(array("very" => "important"));
+    $cursor = $manager->executeQuery(NS, $query);
+    foreach($cursor as $document) {
+        var_dump($document["very"]);
+    }
+    $command = new MongoDB\Driver\Command(array("drop" => COLLECTION_NAME));
+    $result = $manager->executeCommand(DATABASE_NAME, $command);
+} catch(Exception $e) {
+    echo get_class($e), ": ", $e->getMessage(), "\n";
+}
+
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+string(9) "important"
+===DONE===

tests/connect/standalone-x509-0004.phpt

@@ -0,0 +1,47 @@
+--TEST--
+Connect to MongoDB with using X509 retrieving username from certificate #002
+--SKIPIF--
+<?php require __DIR__ . "/../utils/auth-x509-skipif.inc"?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+$SSL_DIR = realpath(__DIR__ . "/" . "./../../scripts/ssl/");
+
+$opts = array(
+        "peer_name" => "server",
+        "verify_peer" => true,
+        "verify_peer_name" => true,
+        "allow_self_signed" => false,
+        "cafile" => $SSL_DIR . "/ca.pem", /* Defaults to openssl.cafile */
+        "capath" => $SSL_DIR, /* Defaults to openssl.capath */
+        "local_cert" => $SSL_DIR . "/client.pem",
+);
+
+try {
+    /* mongoc will pull the username of the certificate */
+    $parsed = parse_url(STANDALONE_X509);
+    $dsn = sprintf("mongodb://%s:%d/%s?ssl=true&authMechanism=MONGODB-X509", $parsed["host"], $parsed["port"], DATABASE_NAME);
+
+    $manager = new MongoDB\Driver\Manager($dsn, array(), $opts);
+
+    $bulk = new MongoDB\Driver\BulkWrite();
+    $bulk->insert(array("very" => "important"));
+    $manager->executeBulkWrite(NS, $bulk);
+    $query = new MongoDB\Driver\Query(array("very" => "important"));
+    $cursor = $manager->executeQuery(NS, $query);
+    foreach($cursor as $document) {
+        var_dump($document["very"]);
+    }
+    $command = new MongoDB\Driver\Command(array("drop" => COLLECTION_NAME));
+    $result = $manager->executeCommand(DATABASE_NAME, $command);
+} catch(Exception $e) {
+    echo get_class($e), ": ", $e->getMessage(), "\n";
+}
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+string(9) "important"
+===DONE===