Domů Procházet Nápověda
Registrovat se Přihlásit se
moonsflyer
/
yunjing_master
1
0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Větev: master
Větve Značky
yunjing_master
/
sdk
/
aws
/
Aws
/
Sns
/
MessageValidator.php

MessageValidator.php 6.0 KB
Trvalý odkaz Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192 
  1. <?php
    2. 

  2. namespace Aws\Sns;
    3. 

  3. 

  4. use Aws\Sns\Exception\InvalidSnsMessageException;
    5. 

  5. 

  6. /**
    7. 

  7.  * Uses openssl to verify SNS messages to ensure that they were sent by AWS.
    8. 

  8.  */
    9. 

  9. class MessageValidator
    10. 

  10. {
    11. 

  11.     const SIGNATURE_VERSION_1 = '1';
    12. 

  12. 

  13.     /**
    14. 

  14.      * @var callable Callable used to download the certificate content.
    15. 

  15.      */
    16. 

  16.     private $certClient;
    17. 

  17. 

  18.     /** @var string */
    19. 

  19.     private $hostPattern;
    20. 

  20. 

  21.     /**
    22. 

  22.      * @var string  A pattern that will match all regional SNS endpoints, e.g.:
    23. 

  23.      *                  - sns.<region>.amazonaws.com        (AWS)
    24. 

  24.      *                  - sns.us-gov-west-1.amazonaws.com   (AWS GovCloud)
    25. 

  25.      *                  - sns.cn-north-1.amazonaws.com.cn   (AWS China)
    26. 

  26.      */
    27. 

  27.     private static $defaultHostPattern
    28. 

  28.         = '/^sns\.[a-zA-Z0-9\-]{3,}\.amazonaws\.com(\.cn)?$/';
    29. 

  29. 

  30.     private static function isLambdaStyle(Message $message)
    31. 

  31.     {
    32. 

  32.         return isset($message['SigningCertUrl']);
    33. 

  33.     }
    34. 

  34. 

  35.     private static function convertLambdaMessage(Message $lambdaMessage)
    36. 

  36.     {
    37. 

  37.         $keyReplacements = [
    38. 

  38.             'SigningCertUrl' => 'SigningCertURL',
    39. 

  39.             'SubscribeUrl' => 'SubscribeURL',
    40. 

  40.             'UnsubscribeUrl' => 'UnsubscribeURL',
    41. 

  41.         ];
    42. 

  42. 

  43.         $message = clone $lambdaMessage;
    44. 

  44.         foreach ($keyReplacements as $lambdaKey => $canonicalKey) {
    45. 

  45.             if (isset($message[$lambdaKey])) {
    46. 

  46.                 $message[$canonicalKey] = $message[$lambdaKey];
    47. 

  47.                 unset($message[$lambdaKey]);
    48. 

  48.             }
    49. 

  49.         }
    50. 

  50. 

  51.         return $message;
    52. 

  52.     }
    53. 

  53. 

  54.     /**
    55. 

  55.      * Constructs the Message Validator object and ensures that openssl is
    56. 

  56.      * installed.
    57. 

  57.      *
    58. 

  58.      * @param callable $certClient Callable used to download the certificate.
    59. 

  59.      *                             Should have the following function signature:
    60. 

  60.      *                             `function (string $certUrl) : string|false $certContent`
    61. 

  61.      * @param string $hostNamePattern
    62. 

  62.      */
    63. 

  63.     public function __construct(
    64. 

  64.         callable $certClient = null,
    65. 

  65.         $hostNamePattern = ''
    66. 

  66.     ) {
    67. 

  67.         $this->certClient = $certClient ?: function($certUrl) {
    68. 

  68.             return @ file_get_contents($certUrl);
    69. 

  69.         };
    70. 

  70.         $this->hostPattern = $hostNamePattern ?: self::$defaultHostPattern;
    71. 

  71.     }
    72. 

  72. 

  73.     /**
    74. 

  74.      * Validates a message from SNS to ensure that it was delivered by AWS.
    75. 

  75.      *
    76. 

  76.      * @param Message $message Message to validate.
    77. 

  77.      *
    78. 

  78.      * @throws InvalidSnsMessageException If the cert cannot be retrieved or its
    79. 

  79.      *                                    source verified, or the message
    80. 

  80.      *                                    signature is invalid.
    81. 

  81.      */
    82. 

  82.     public function validate(Message $message)
    83. 

  83.     {
    84. 

  84.         if (self::isLambdaStyle($message)) {
    85. 

  85.             $message = self::convertLambdaMessage($message);
    86. 

  86.         }
    87. 

  87. 

  88.         // Get the certificate.
    89. 

  89.         $this->validateUrl($message['SigningCertURL']);
    90. 

  90.         $certificate = call_user_func($this->certClient, $message['SigningCertURL']);
    91. 

  91.         if ($certificate === false) {
    92. 

  92.             throw new InvalidSnsMessageException(
    93. 

  93.                 "Cannot get the certificate from \"{$message['SigningCertURL']}\"."
    94. 

  94.             );
    95. 

  95.         }
    96. 

  96. 

  97.         // Extract the public key.
    98. 

  98.         $key = openssl_get_publickey($certificate);
    99. 

  99.         if (!$key) {
    100. 

  100.             throw new InvalidSnsMessageException(
    101. 

  101.                 'Cannot get the public key from the certificate.'
    102. 

  102.             );
    103. 

  103.         }
    104. 

  104. 

  105.         // Verify the signature of the message.
    106. 

  106.         $content = $this->getStringToSign($message);
    107. 

  107.         $signature = base64_decode($message['Signature']);
    108. 

  108.         if (openssl_verify($content, $signature, $key, OPENSSL_ALGO_SHA1) != 1) {
    109. 

  109.             throw new InvalidSnsMessageException(
    110. 

  110.                 'The message signature is invalid.'
    111. 

  111.             );
    112. 

  112.         }
    113. 

  113.     }
    114. 

  114. 

  115.     /**
    116. 

  116.      * Determines if a message is valid and that is was delivered by AWS. This
    117. 

  117.      * method does not throw exceptions and returns a simple boolean value.
    118. 

  118.      *
    119. 

  119.      * @param Message $message The message to validate
    120. 

  120.      *
    121. 

  121.      * @return bool
    122. 

  122.      */
    123. 

  123.     public function isValid(Message $message)
    124. 

  124.     {
    125. 

  125.         try {
    126. 

  126.             $this->validate($message);
    127. 

  127.             return true;
    128. 

  128.         } catch (InvalidSnsMessageException $e) {
    129. 

  129.             return false;
    130. 

  130.         }
    131. 

  131.     }
    132. 

  132. 

  133.     /**
    134. 

  134.      * Builds string-to-sign according to the SNS message spec.
    135. 

  135.      *
    136. 

  136.      * @param Message $message Message for which to build the string-to-sign.
    137. 

  137.      *
    138. 

  138.      * @return string
    139. 

  139.      * @link http://docs.aws.amazon.com/sns/latest/gsg/SendMessageToHttp.verify.signature.html
    140. 

  140.      */
    141. 

  141.     public function getStringToSign(Message $message)
    142. 

  142.     {
    143. 

  143.         static $signableKeys = [
    144. 

  144.             'Message',
    145. 

  145.             'MessageId',
    146. 

  146.             'Subject',
    147. 

  147.             'SubscribeURL',
    148. 

  148.             'Timestamp',
    149. 

  149.             'Token',
    150. 

  150.             'TopicArn',
    151. 

  151.             'Type',
    152. 

  152.         ];
    153. 

  153. 

  154.         if ($message['SignatureVersion'] !== self::SIGNATURE_VERSION_1) {
    155. 

  155.             throw new InvalidSnsMessageException(
    156. 

  156.                 "The SignatureVersion \"{$message['SignatureVersion']}\" is not supported."
    157. 

  157.             );
    158. 

  158.         }
    159. 

  159. 

  160.         $stringToSign = '';
    161. 

  161.         foreach ($signableKeys as $key) {
    162. 

  162.             if (isset($message[$key])) {
    163. 

  163.                 $stringToSign .= "{$key}\n{$message[$key]}\n";
    164. 

  164.             }
    165. 

  165.         }
    166. 

  166. 

  167.         return $stringToSign;
    168. 

  168.     }
    169. 

  169. 

  170.     /**
    171. 

  171.      * Ensures that the URL of the certificate is one belonging to AWS, and not
    172. 

  172.      * just something from the amazonaws domain, which could include S3 buckets.
    173. 

  173.      *
    174. 

  174.      * @param string $url Certificate URL
    175. 

  175.      *
    176. 

  176.      * @throws InvalidSnsMessageException if the cert url is invalid.
    177. 

  177.      */
    178. 

  178.     private function validateUrl($url)
    179. 

  179.     {
    180. 

  180.         $parsed = parse_url($url);
    181. 

  181.         if (empty($parsed['scheme'])
    182. 

  182.             || empty($parsed['host'])
    183. 

  183.             || $parsed['scheme'] !== 'https'
    184. 

  184.             || substr($url, -4) !== '.pem'
    185. 

  185.             || !preg_match($this->hostPattern, $parsed['host'])
    186. 

  186.         ) {
    187. 

  187.             throw new InvalidSnsMessageException(
    188. 

  188.                 'The certificate is located on an invalid domain.'
    189. 

  189.             );
    190. 

  190.         }
    191. 

  191.     }
    192. 

  192. }
    193.