Merge pull request #5 from veewee/soapui-style

Make it possible to configure WSSE like you do in SoapUI

Author: veewee

.github/workflows/analyzers.yaml

@@ -7,7 +7,7 @@ jobs:
         strategy:
             matrix:
                 operating-system: [ubuntu-latest]
-                php-versions: ['8.0', '8.1']
+                php-versions: ['8.1']
             fail-fast: false
         name: PHP ${{ matrix.php-versions }} @ ${{ matrix.operating-system }}
         steps:

.github/workflows/code-style.yaml

@@ -7,7 +7,7 @@ jobs:
         strategy:
             matrix:
                 operating-system: [ubuntu-latest]
-                php-versions: ['8.0', '8.1']
+                php-versions: ['8.1']
             fail-fast: false
         name: PHP ${{ matrix.php-versions }} @ ${{ matrix.operating-system }}
         steps:

.github/workflows/tests.yaml

@@ -7,7 +7,7 @@ jobs:
         strategy:
             matrix:
                 operating-system: [ubuntu-latest]
-                php-versions: ['8.0', '8.1']
+                php-versions: ['8.1']
             fail-fast: false
         name: PHP ${{ matrix.php-versions }} @ ${{ matrix.operating-system }}
         steps:

.phive/phars.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <phive xmlns="https://phar.io/phive">
-  <phar name="psalm" version="^4.13.1" installed="4.13.1" location="./tools/psalm.phar" copy="true"/>
+  <phar name="psalm" version="^4.13.1" installed="4.22.0" location="./tools/psalm.phar" copy="true"/>
   <phar name="php-cs-fixer" version="^3.3.2" installed="3.3.2" location="./tools/php-cs-fixer.phar" copy="true"/>
 </phive>

README.md

@@ -38,43 +38,209 @@ $transport = Psr18Transport::createForClient(
 
 ### WsseMiddleware
 
-If you ever had to implement Web Service Security (WSS / WSSE) manually, you know that it is a lot of work to get this one working.
-Luckily for you we created an opinionated WSSE middleware that can be used to sign your SOAP requests.
+Oh boy ... WS-Security ... can be a real pain !
+This package aims for being as flexible as possible and provides you the tools you need to correctly configure Web Service Security.
+The components are shaped based on the [WS-Security UI inside SoapUI](https://www.soapui.org/docs/soapui-projects/ws-security/).
+This enables you to configure everything the way your SOAP server wants you to!
+If you have a working config on SoapUI, you can transform it to PHP code by following the entries and their configurations. 
+
+*Usage:*
 
-**Usage**
 ```php
 use Http\Client\Common\PluginClient;
 use Soap\Psr18Transport\Psr18Transport;
 use Soap\Psr18WsseMiddleware\WsseMiddleware;
 
-// Simple:
-$wsse = new WsseMiddleware('privatekey.pem', 'publickey.pyb');
+$transport = Psr18Transport::createForClient(
+    new PluginClient($yourPsr18Client, [
+        new WsseMiddleware([$entries])
+    ])
+);
+```
 
-// With signed headers. E.g: in combination with WSA:
-$wsse = (new WsseMiddleware('privatekey.pem', 'publickey.pyb'))
-    ->withAllHeadersSigned();
+The WSSE middleware can be built out of multiple configurable entries:
 
-// With configurable timestamp expiration:
-$wsse = (new WsseMiddleware('privatekey.pem', 'publickey.pyb'))
-    ->withTimestamp(3600);
+* BinarySecurityToken
+* Decryption
+* Encryption
+* SamlAssertion
+* Signature
+* Timestamp
+* Username
 
-// With plain user token:
-$wsse = (new WsseMiddleware('privatekey.pem', 'publickey.pyb'))
-    ->withUserToken('username', 'password', false);
+Underneath, there are some common examples on how to configure the `$wsseMiddleware`.
 
-// With digest user token:
-$wsse = (new WsseMiddleware('privatekey.pem', 'publickey.pyb'))
-    ->withUserToken('username', 'password', true);
+#### Adding a username and password
 
-// With end-to-end encryption enabled:
-$wsse = (new WsseMiddleware('privatekey.pem', 'publickey.pyb'))
-    ->withEncryption('client-x509.pem')
-    ->withServerCertificateHasSubjectKeyIdentifier(true);
+Some services require you to add a username and optionally a password.
+This can be done with following middleware.
 
-// Configure your PSR18 client:
-$transport = Psr18Transport::createForClient(
-    new PluginClient($yourPsr18Client, [
-        $wsse
-    ])
+```php
+use Soap\Psr18WsseMiddleware\WsseMiddleware;
+use Soap\Psr18WsseMiddleware\WSSecurity\Entry;
+
+$wsseMiddleware = new WsseMiddleware(
+    outgoing: [
+        (new Entry\Username($user))
+            ->withPassword('xxx')
+            ->withDigest(false),
+    ]
 );
 ```
+
+#### Signing a SOAP request with PKCS12 or X509 certificate.
+
+This is one of the most common implementation of WSS out there.
+You are granted a certificate by the soap service with which you need to fetch data.
+
+In case of a p12 certificate: convert it to a private key and public X509 certificate first:
+
+```bash
+openssl pkcs12 -in your.p12 -out security_token.pub -clcerts -nokeys
+openssl pkcs12 -in your.p12 -out security_token.priv -nocerts -nodes
+```
+
+Next, you can configure the middleware like this:
+
+```php
+use Soap\Psr18WsseMiddleware\WSSecurity\KeyStore\Certificate;
+use Soap\Psr18WsseMiddleware\WSSecurity\KeyStore\Key;
+use Soap\Psr18WsseMiddleware\WSSecurity\SignatureMethod;
+use Soap\Psr18WsseMiddleware\WSSecurity\DigestMethod;
+use Soap\Psr18WsseMiddleware\WSSecurity\KeyIdentifier;
+use Soap\Psr18WsseMiddleware\WsseMiddleware;
+use Soap\Psr18WsseMiddleware\WSSecurity\Entry;
+
+$privKey = Key::fromFile('security_token.priv')->withPassphrase('xxx'); // Regular private key (not wrapped in X509)
+$pubKey = Certificate::fromFile('security_token.pub'); // Public X509 cert
+
+$wsseMiddleware = new WsseMiddleware(
+    outgoing: [
+        new Entry\Timestamp(60),
+        new Entry\BinarySecurityToken($pubKey),
+        (new Entry\Signature(
+            $privKey,
+            new KeyIdentifier\BinarySecurityTokenIdentifier()
+        ))
+            ->withSignatureMethod(SignatureMethod::RSA_SHA256)
+            ->withDigestMethod(DigestMethod::SHA256)
+            ->withSignAllHeaders(true)
+            ->withSignBody(true)
+    ]
+);
+```
+
+This example can also be used in combination with signing and username authentication.
+
+#### Authorize a SOAP request with a SAML assertion
+
+Another common implementation is authentication through a WS-Trust compliant STS instance.
+In this case, you first have to fetch a SAML assertion from the STS service.
+Most of them require you to sign the request with a X509 certificate.
+This can be done with the middleware above.
+
+Once you received back your SAML assertion, you have to pass it to the webservice you want to contact.
+A common configuration for passing the SAML assertion might look like this:
+
+```php
+use Soap\Psr18WsseMiddleware\WSSecurity\KeyStore\Certificate;
+use Soap\Psr18WsseMiddleware\WSSecurity\KeyStore\Key;
+use Soap\Psr18WsseMiddleware\WSSecurity\SignatureMethod;
+use Soap\Psr18WsseMiddleware\WSSecurity\DigestMethod;
+use Soap\Psr18WsseMiddleware\WSSecurity\KeyIdentifier;
+use Soap\Psr18WsseMiddleware\WsseMiddleware;
+use Soap\Psr18WsseMiddleware\WSSecurity\Entry;
+use VeeWee\Xml\Dom\Document;
+use function VeeWee\Xml\Dom\Locator\document_element;
+
+$privKey = Key::fromFile('security_token.priv')->withPassphrase('xxx'); // Regular private key (not wrapped in X509)
+
+// These are provided through the STS service.
+$samlAssertion = Document::fromXmlString(<<<EOXML
+<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="xxxx" />
+EOXML
+);
+$samlAssertionId = $samlAssertion->locate(document_element())->getAttribute('AssertionID');
+
+$wsseMiddleware = new WsseMiddleware(
+    outgoing: [
+        new Entry\Timestamp(60),
+        (new Entry\Signature(
+            $privKey,
+            new KeyIdentifier\SamlKeyIdentifier($samlAssertionId)
+        ))
+            ->withSignatureMethod(SignatureMethod::RSA_SHA256)
+            ->withDigestMethod(DigestMethod::SHA256)
+            ->withSignAllHeaders(true)
+            ->withSignBody(true)
+            ->withInsertBefore(false),
+        new Entry\SamlAssertion($samlAssertion),
+    ]
+);
+```
+
+#### Encrypt sensitive data
+
+Some services require you to encrypt sensitive parts of the request and decrypt sensitive parts of the response.
+In this case, you can add your public key to the request, encrypt the payload and send it over the wire.
+Incoming responses will be encrypted with your public key and kan be decrypted by using your private key.
+
+
+Encryption contains a [known bug](https://github.com/robrichards/wse-php/pull/67) in the underlying [robrichards/wse-php](https://github.com/robrichards/wse-php) library.
+Since a fix has not been merged yet, you can apply a patch like this:
+
+```bash
+composer require --dev cweagans/composer-patches
+```
+
+```json
+{
+  "extra": {
+    "patches": {
+      "robrichards/wse-php": {
+        "Fix encryption bug": "https://patch-diff.githubusercontent.com/raw/robrichards/wse-php/pull/67.diff"
+      }
+    }
+  }
+}
+```
+
+The configuration for encryption looks like this:
+
+```php
+use Soap\Psr18WsseMiddleware\WSSecurity\DataEncryptionMethod;
+use Soap\Psr18WsseMiddleware\WSSecurity\KeyEncryptionMethod;
+use Soap\Psr18WsseMiddleware\WSSecurity\KeyStore\Certificate;
+use Soap\Psr18WsseMiddleware\WSSecurity\KeyStore\Key;
+use Soap\Psr18WsseMiddleware\WSSecurity\SignatureMethod;
+use Soap\Psr18WsseMiddleware\WSSecurity\DigestMethod;
+use Soap\Psr18WsseMiddleware\WSSecurity\KeyIdentifier;
+use Soap\Psr18WsseMiddleware\WsseMiddleware;
+use Soap\Psr18WsseMiddleware\WSSecurity\Entry;
+
+$privKey = Key::fromFile('security_token.priv')->withPassphrase('xxx'); // Regular private key (not wrapped in X509)
+$pubKey = Certificate::fromFile('security_token.pub'); // Public X509 cert
+$signKey = Certificate::fromFile('sign-key.pem'); // X509 cert for signing. Could be the same as $pubKey.
+
+$wsseMiddleware = new WsseMiddleware(
+    outgoing: [
+        new Entry\Timestamp(60),
+        new Entry\BinarySecurityToken($pubKey),
+        (new Entry\Signature(
+            $privKey,
+            new KeyIdentifier\BinarySecurityTokenIdentifier()
+        ))
+        (new Entry\Encryption(
+            $signKey,
+            new KeyIdentifier\X509SubjectKeyIdentifier($signKey)
+        ))
+            ->withKeyEncryptionMethod(KeyEncryptionMethod::RSA_OAEP_MGF1P)
+            ->withDataEncryptionMethod(DataEncryptionMethod::AES256_CBC)
+    ],
+    incoming: [
+        new Entry\Decryption($privKey)
+    ]
+);
+```
+
+Note: Encryption only can also be done without adding a signature.

composer.json

@@ -19,18 +19,35 @@
         }
     ],
     "require": {
-        "php": "^8.0",
-        "php-soap/psr18-transport": "^1.0",
+        "php": "^8.1",
+        "ext-dom": "*",
+        "ext-openssl": "*",
+        "azjezz/psl": "^1.9",
+        "paragonie/hidden-string": "^2.0",
+        "php-soap/psr18-transport": "^1.2.1",
         "php-soap/engine": "^1.0",
-        "php-soap/xml": "^1.0",
+        "php-soap/xml": "^1.3.1",
         "php-http/client-common": "^2.3",
         "robrichards/wse-php": "^2.0",
-        "veewee/xml": "^1.0"
+        "veewee/xml": "^1.5"
     },
     "require-dev": {
         "nyholm/psr7": "^1.3",
         "php-http/mock-client": "^1.4",
         "symfony/http-client": "^5.3",
-        "phpunit/phpunit": "^9.5"
+        "phpunit/phpunit": "^9.5",
+        "cweagans/composer-patches": "^1.7"
+    },
+    "extra": {
+        "patches": {
+            "robrichards/wse-php": {
+                "Fix encryption bug": "https://patch-diff.githubusercontent.com/raw/robrichards/wse-php/pull/67.diff"
+            }
+        }
+    },
+    "config": {
+        "allow-plugins": {
+            "cweagans/composer-patches": true
+        }
     }
 }

psalm.xml

@@ -1,10 +1,9 @@
 <?xml version="1.0"?>
 <psalm
-    errorLevel="2"
+    errorLevel="1"
     resolveFromConfigFile="true"
-    forbidEcho="true"
     strictBinaryOperands="true"
-    phpVersion="8.0"
+    phpVersion="8.1"
     allowStringToStandInForClass="true"
     rememberPropertyAssignmentsAfterCall="false"
     skipChecksOnUnresolvableIncludes="false"