Home Verkennen Help
Inloggen
urbanu619
/
yunbaolive
1
0
Vork 0
Bestanden Issues 0 Pull-aanvragen 0 Wiki
Aftakking: master
Aftakkingen Labels
yunbaolive
/
web
/
sdk
/
aws
/
Aws
/
Sns
/
MessageValidator.php

MessageValidator.php 6.2 KB
Permalink Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195 
  1. <?php
    2. 

  2. namespace Aws\Sns;
    3. 

  3. 

  4. use Aws\Sns\Exception\InvalidSnsMessageException;
    5. 

  5. 

  6. /**
    7. 

  7.  * Uses openssl to verify SNS messages to ensure that they were sent by AWS.
    8. 

  8.  */
    9. 

  9. class MessageValidator
    10. 

  10. {
    11. 

  11.     const SIGNATURE_VERSION_1 = '1';
    12. 

  12.     const SIGNATURE_VERSION_2 = '2';
    13. 

  13. 

  14.     /**
    15. 

  15.      * @var callable Callable used to download the certificate content.
    16. 

  16.      */
    17. 

  17.     private $certClient;
    18. 

  18. 

  19.     /** @var string */
    20. 

  20.     private $hostPattern;
    21. 

  21. 

  22.     /**
    23. 

  23.      * @var string  A pattern that will match all regional SNS endpoints, e.g.:
    24. 

  24.      *                  - sns.<region>.amazonaws.com        (AWS)
    25. 

  25.      *                  - sns.us-gov-west-1.amazonaws.com   (AWS GovCloud)
    26. 

  26.      *                  - sns.cn-north-1.amazonaws.com.cn   (AWS China)
    27. 

  27.      */
    28. 

  28.     private static $defaultHostPattern
    29. 

  29.         = '/^sns\.[a-zA-Z0-9\-]{3,}\.amazonaws\.com(\.cn)?$/';
    30. 

  30. 

  31.     private static function isLambdaStyle(Message $message)
    32. 

  32.     {
    33. 

  33.         return isset($message['SigningCertUrl']);
    34. 

  34.     }
    35. 

  35. 

  36.     private static function convertLambdaMessage(Message $lambdaMessage)
    37. 

  37.     {
    38. 

  38.         $keyReplacements = [
    39. 

  39.             'SigningCertUrl' => 'SigningCertURL',
    40. 

  40.             'SubscribeUrl' => 'SubscribeURL',
    41. 

  41.             'UnsubscribeUrl' => 'UnsubscribeURL',
    42. 

  42.         ];
    43. 

  43. 

  44.         $message = clone $lambdaMessage;
    45. 

  45.         foreach ($keyReplacements as $lambdaKey => $canonicalKey) {
    46. 

  46.             if (isset($message[$lambdaKey])) {
    47. 

  47.                 $message[$canonicalKey] = $message[$lambdaKey];
    48. 

  48.                 unset($message[$lambdaKey]);
    49. 

  49.             }
    50. 

  50.         }
    51. 

  51. 

  52.         return $message;
    53. 

  53.     }
    54. 

  54. 

  55.     /**
    56. 

  56.      * Constructs the Message Validator object and ensures that openssl is
    57. 

  57.      * installed.
    58. 

  58.      *
    59. 

  59.      * @param callable $certClient Callable used to download the certificate.
    60. 

  60.      *                             Should have the following function signature:
    61. 

  61.      *                             `function (string $certUrl) : string|false $certContent`
    62. 

  62.      * @param string $hostNamePattern
    63. 

  63.      */
    64. 

  64.     public function __construct(
    65. 

  65.         callable $certClient = null,
    66. 

  66.         $hostNamePattern = ''
    67. 

  67.     ) {
    68. 

  68.         $this->certClient = $certClient ?: function($certUrl) {
    69. 

  69.             return @ file_get_contents($certUrl);
    70. 

  70.         };
    71. 

  71.         $this->hostPattern = $hostNamePattern ?: self::$defaultHostPattern;
    72. 

  72.     }
    73. 

  73. 

  74.     /**
    75. 

  75.      * Validates a message from SNS to ensure that it was delivered by AWS.
    76. 

  76.      *
    77. 

  77.      * @param Message $message Message to validate.
    78. 

  78.      *
    79. 

  79.      * @throws InvalidSnsMessageException If the cert cannot be retrieved or its
    80. 

  80.      *                                    source verified, or the message
    81. 

  81.      *                                    signature is invalid.
    82. 

  82.      */
    83. 

  83.     public function validate(Message $message)
    84. 

  84.     {
    85. 

  85.         if (self::isLambdaStyle($message)) {
    86. 

  86.             $message = self::convertLambdaMessage($message);
    87. 

  87.         }
    88. 

  88. 

  89.         // Get the certificate.
    90. 

  90.         $this->validateUrl($message['SigningCertURL']);
    91. 

  91.         $certificate = call_user_func($this->certClient, $message['SigningCertURL']);
    92. 

  92.         if ($certificate === false) {
    93. 

  93.             throw new InvalidSnsMessageException(
    94. 

  94.                 "Cannot get the certificate from \"{$message['SigningCertURL']}\"."
    95. 

  95.             );
    96. 

  96.         }
    97. 

  97. 

  98.         // Extract the public key.
    99. 

  99.         $key = openssl_get_publickey($certificate);
    100. 

  100.         if (!$key) {
    101. 

  101.             throw new InvalidSnsMessageException(
    102. 

  102.                 'Cannot get the public key from the certificate.'
    103. 

  103.             );
    104. 

  104.         }
    105. 

  105. 

  106.         // Verify the signature of the message.
    107. 

  107.         $content = $this->getStringToSign($message);
    108. 

  108.         $signature = base64_decode($message['Signature']);
    109. 

  109.         $algo = ($message['SignatureVersion'] === self::SIGNATURE_VERSION_1 ? OPENSSL_ALGO_SHA1 : OPENSSL_ALGO_SHA256);
    110. 

  110.         if (openssl_verify($content, $signature, $key, $algo) !== 1) {
    111. 

  111.             throw new InvalidSnsMessageException(
    112. 

  112.                 'The message signature is invalid.'
    113. 

  113.             );
    114. 

  114.         }
    115. 

  115.     }
    116. 

  116. 

  117.     /**
    118. 

  118.      * Determines if a message is valid and that is was delivered by AWS. This
    119. 

  119.      * method does not throw exceptions and returns a simple boolean value.
    120. 

  120.      *
    121. 

  121.      * @param Message $message The message to validate
    122. 

  122.      *
    123. 

  123.      * @return bool
    124. 

  124.      */
    125. 

  125.     public function isValid(Message $message)
    126. 

  126.     {
    127. 

  127.         try {
    128. 

  128.             $this->validate($message);
    129. 

  129.             return true;
    130. 

  130.         } catch (InvalidSnsMessageException $e) {
    131. 

  131.             return false;
    132. 

  132.         }
    133. 

  133.     }
    134. 

  134. 

  135.     /**
    136. 

  136.      * Builds string-to-sign according to the SNS message spec.
    137. 

  137.      *
    138. 

  138.      * @param Message $message Message for which to build the string-to-sign.
    139. 

  139.      *
    140. 

  140.      * @return string
    141. 

  141.      * @link http://docs.aws.amazon.com/sns/latest/gsg/SendMessageToHttp.verify.signature.html
    142. 

  142.      */
    143. 

  143.     public function getStringToSign(Message $message)
    144. 

  144.     {
    145. 

  145.         static $signableKeys = [
    146. 

  146.             'Message',
    147. 

  147.             'MessageId',
    148. 

  148.             'Subject',
    149. 

  149.             'SubscribeURL',
    150. 

  150.             'Timestamp',
    151. 

  151.             'Token',
    152. 

  152.             'TopicArn',
    153. 

  153.             'Type',
    154. 

  154.         ];
    155. 

  155. 

  156.         if ($message['SignatureVersion'] !== self::SIGNATURE_VERSION_1
    157. 

  157.             && $message['SignatureVersion'] !== self::SIGNATURE_VERSION_2) {
    158. 

  158.             throw new InvalidSnsMessageException(
    159. 

  159.                 "The SignatureVersion \"{$message['SignatureVersion']}\" is not supported."
    160. 

  160.             );
    161. 

  161.         }
    162. 

  162. 

  163.         $stringToSign = '';
    164. 

  164.         foreach ($signableKeys as $key) {
    165. 

  165.             if (isset($message[$key])) {
    166. 

  166.                 $stringToSign .= "{$key}\n{$message[$key]}\n";
    167. 

  167.             }
    168. 

  168.         }
    169. 

  169. 

  170.         return $stringToSign;
    171. 

  171.     }
    172. 

  172. 

  173.     /**
    174. 

  174.      * Ensures that the URL of the certificate is one belonging to AWS, and not
    175. 

  175.      * just something from the amazonaws domain, which could include S3 buckets.
    176. 

  176.      *
    177. 

  177.      * @param string $url Certificate URL
    178. 

  178.      *
    179. 

  179.      * @throws InvalidSnsMessageException if the cert url is invalid.
    180. 

  180.      */
    181. 

  181.     private function validateUrl($url)
    182. 

  182.     {
    183. 

  183.         $parsed = parse_url($url);
    184. 

  184.         if (empty($parsed['scheme'])
    185. 

  185.             || empty($parsed['host'])
    186. 

  186.             || $parsed['scheme'] !== 'https'
    187. 

  187.             || substr($url, -4) !== '.pem'
    188. 

  188.             || !preg_match($this->hostPattern, $parsed['host'])
    189. 

  189.         ) {
    190. 

  190.             throw new InvalidSnsMessageException(
    191. 

  191.                 'The certificate is located on an invalid domain.'
    192. 

  192.             );
    193. 

  193.         }
    194. 

  194.     }
    195. 

  195. }
    196.