Renamed and improved helper

rimi-itk · rimi-itk · commit 48c31cda7d1c · 2024-05-07T23:38:40.000+02:00
diff --git a/README.md b/README.md
@@ -27,29 +27,32 @@ $form['key'] => [
 ];
 ```
 
-The [`CertificateHelper`](https://github.com/OS2web/os2web_key/blob/main/src/CertificateHelper.php) can be used to get
+The [`KeyHelper`](https://github.com/OS2web/os2web_key/blob/main/src/KeyHelper.php) can be used to get
 the actual certificates (parts):
 
 ``` php
 <?php
 
-use Drupal\os2web_key\CertificateHelper;
+use Drupal\os2web_key\KeyHelper;
 use Drupal\key\KeyRepositoryInterface;
 
 // Use dependency injection for this.
 /** @var KeyRepositoryInterface $repository */
 $repository = \Drupal::service('key.repository');
-/** @var CertificateHelper $helper */
-$helper = \Drupal::service(CertificateHelper::class);
+/** @var KeyHelper $helper */
+$helper = \Drupal::service(KeyHelper::class);
 
 // Use `drush key:list` to list your keys.
 $key = $repository->getKey('my_key');
+[
+  // Passwordless certificate.
+  CertificateKeyType::CERT => $certificate,
+  CertificateKeyType::PKEY => $privateKey,
+] = $helper->getCertificates($key);
 
-// Get the actual passwordless certificates.
-$certificates = $helper->getCertificates($key);
 ```
 
-**Note**: The parsed certificates have no password.
+**Note**: The parsed certificate has no password.
 
 ### OpenID Connect (OIDC)
 
@@ -77,10 +80,11 @@ use Drupal\os2web_key\Plugin\KeyType\OidcKeyType;
 $repository = \Drupal::service('key.repository');
 
 $key = $repository->getKey('openid_connect_ad');
-$values = json_decode($key->getKeyValue(), TRUE, 512, JSON_THROW_ON_ERROR);
-$discoveryUrl = $values[OidcKeyType::DISCOVERY_URL];
-$clientId = $values[OidcKeyType::CLIENT_ID];
-$clientSecret = $values[OidcKeyType::CLIENT_SECRET];
+[
+  OidcKeyType::DISCOVERY_URL => $discoveryUrl,
+  OidcKeyType::CLIENT_ID => $clientId,
+  OidcKeyType::CLIENT_SECRET => $clientSecret,
+] = $helper->getOidcValues($key);
 ```
 
 See [the Key Developer Guide](https://www.drupal.org/docs/contributed-modules/key/developer-guide) for details and more
diff --git a/os2web_key.services.yml b/os2web_key.services.yml
@@ -3,6 +3,6 @@ services:
     parent: logger.channel_base
     arguments: [ 'os2web_key' ]
 
-  Drupal\os2web_key\CertificateHelper:
+  Drupal\os2web_key\KeyHelper:
     arguments:
       - '@logger.channel.os2web_key'
diff --git a/src/KeyHelper.php b/src/KeyHelper.php
@@ -2,23 +2,21 @@
 
 namespace Drupal\os2web_key;
 
+use Drupal\Core\DependencyInjection\DependencySerializationTrait;
 use Drupal\Core\Logger\LoggerChannelInterface;
 use Drupal\key\KeyInterface;
 use Drupal\os2web_key\Exception\RuntimeException;
 use Drupal\os2web_key\Plugin\KeyType\CertificateKeyType;
+use Drupal\os2web_key\Plugin\KeyType\OidcKeyType;
 use Psr\Log\LoggerAwareTrait;
 
 /**
- * Certificate helper.
+ * Key helper.
  */
-class CertificateHelper {
+class KeyHelper {
+  use DependencySerializationTrait;
   use LoggerAwareTrait;
 
-  protected const FORMAT_PEM = 'pem';
-  protected const FORMAT_PFX = 'pfx';
-  protected const CERT = 'cert';
-  protected const PKEY = 'pkey';
-
   public function __construct(
     LoggerChannelInterface $logger,
   ) {
@@ -31,15 +29,15 @@ public function __construct(
    * @param \Drupal\key\KeyInterface $key
    *   The key.
    *
-   * @return array<string, string>
+   * @return array{cert: string, pkey: string}
    *   The certificates.
    */
   public function getCertificates(KeyInterface $key): array {
-    $contents = $key->getKeyValue();
     $type = $key->getKeyType();
     if (!($type instanceof CertificateKeyType)) {
-      throw new RuntimeException(sprintf('Invalid key type: %s', $type::class));
+      throw $this->createSslRuntimeException(sprintf('Invalid key type: %s', $type::class), $key);
     }
+    $contents = $key->getKeyValue();
 
     return $this->parseCertificates(
       $contents,
@@ -50,9 +48,43 @@ public function getCertificates(KeyInterface $key): array {
   }
 
   /**
-   * Read a certificate.
+   * Get OIDC values from a key.
+   *
+   * @param \Drupal\key\KeyInterface $key
+   *   The key.
    *
-   * @return array<string, string>
+   * @return array{discovery_url: string, client_id: string, client_secret: string}
+   *   The OIDC values.
+   */
+  public function getOidcValues(KeyInterface $key): array {
+    $type = $key->getKeyType();
+    if (!($type instanceof OidcKeyType)) {
+      throw $this->createSslRuntimeException(sprintf('Invalid key type: %s', $type::class), $key);
+    }
+    $contents = $key->getKeyValue();
+
+    try {
+      $values = json_decode($contents, TRUE, 512, JSON_THROW_ON_ERROR);
+      foreach ([
+        OidcKeyType::DISCOVERY_URL,
+        OidcKeyType::CLIENT_ID,
+        OidcKeyType::CLIENT_SECRET,
+      ] as $name) {
+        if (!isset($values[$name])) {
+          throw $this->createRuntimeException(sprintf("Missing OIDC value: %s", $name), $key);
+        }
+      }
+      return $values;
+    }
+    catch (\JsonException $e) {
+      throw $this->createRuntimeException(sprintf("Cannot get OIDC values: %s", $e->getMessage()), $key);
+    }
+  }
+
+  /**
+   * Parse certificates.
+   *
+   * @return array{cert: string, pkey: string}
    *   The certificates.
    */
   public function parseCertificates(
@@ -62,17 +94,17 @@ public function parseCertificates(
     ?KeyInterface $key,
   ): array {
     $certificates = [
-      self::CERT => NULL,
-      self::PKEY => NULL,
+      CertificateKeyType::CERT => NULL,
+      CertificateKeyType::PKEY => NULL,
     ];
     switch ($format) {
-      case self::FORMAT_PFX:
+      case CertificateKeyType::FORMAT_PFX:
         if (!openssl_pkcs12_read($contents, $certificates, $passphrase)) {
           throw $this->createSslRuntimeException('Error reading certificate', $key);
         }
         break;
 
-      case self::FORMAT_PEM:
+      case CertificateKeyType::FORMAT_PEM:
         $certificate = @openssl_x509_read($contents);
         if (FALSE === $certificate) {
           throw $this->createSslRuntimeException('Error reading certificate', $key);
@@ -90,7 +122,7 @@ public function parseCertificates(
         break;
     }
 
-    if (!isset($certificates[self::CERT], $certificates[self::PKEY])) {
+    if (!isset($certificates[CertificateKeyType::CERT], $certificates[CertificateKeyType::PKEY])) {
       throw $this->createRuntimeException("Cannot read certificate parts 'cert' and 'pkey'", $key);
     }
 
@@ -101,40 +133,30 @@ public function parseCertificates(
    * Create a passwordless certificate.
    */
   public function createPasswordlessCertificate(array $certificates, string $format, ?KeyInterface $key): string {
-    $cert = $certificates[self::CERT] ?? NULL;
+    $cert = $certificates[CertificateKeyType::CERT] ?? NULL;
     if (!isset($cert)) {
       throw $this->createRuntimeException('Certificate part "cert" not found', $key);
     }
 
-    $pkey = $certificates[self::PKEY] ?? NULL;
+    $pkey = $certificates[CertificateKeyType::PKEY] ?? NULL;
     if (!isset($pkey)) {
       throw $this->createRuntimeException('Certificate part "pkey" not found', $key);
     }
 
     $output = '';
     switch ($format) {
-      case self::FORMAT_PEM:
+      case CertificateKeyType::FORMAT_PEM:
         $parts = ['', ''];
         if (!@openssl_x509_export($cert, $parts[0])) {
           throw $this->createSslRuntimeException('Cannot export certificate', $key);
         }
         if (!@openssl_pkey_export($pkey, $parts[1])) {
           throw $this->createSslRuntimeException('Cannot export private key', $key);
         }
-        $extracerts = $certificates['extracerts'] ?? NULL;
-        if (is_array($extracerts)) {
-          foreach ($extracerts as $extracert) {
-            $part = '';
-            if (!@openssl_x509_export($extracert, $part)) {
-              throw $this->createSslRuntimeException('Cannot export certificate', $key);
-            }
-            // $parts[] = $part;
-          }
-        }
         $output = implode('', $parts);
         break;
 
-      case self::FORMAT_PFX:
+      case CertificateKeyType::FORMAT_PFX:
         if (!@openssl_pkcs12_export($cert, $output, $pkey, '')) {
           throw $this->createSslRuntimeException('Cannot export certificate', $key);
         }
diff --git a/src/Plugin/KeyType/CertificateKeyType.php b/src/Plugin/KeyType/CertificateKeyType.php
@@ -7,8 +7,8 @@
 use Drupal\Core\Form\FormStateInterface;
 use Drupal\key\Plugin\KeyPluginFormInterface;
 use Drupal\key\Plugin\KeyTypeBase;
-use Drupal\os2web_key\CertificateHelper;
 use Drupal\os2web_key\Exception\RuntimeException;
+use Drupal\os2web_key\KeyHelper;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 
 /**
@@ -27,21 +27,23 @@
 class CertificateKeyType extends KeyTypeBase implements KeyPluginFormInterface {
   use DependencySerializationTrait;
 
+  public const FORMAT_PEM = 'pem';
+  public const FORMAT_PFX = 'pfx';
+  public const CERT = 'cert';
+  public const PKEY = 'pkey';
+
   private const PASSPHRASE = 'passphrase';
   private const INPUT_FORMAT = 'input_format';
   private const OUTPUT_FORMAT = 'output_format';
 
-  private const FORMAT_PEM = 'pem';
-  private const FORMAT_PFX = 'pfx';
-
   /**
    * Constructor.
    */
   public function __construct(
     array $configuration,
     $plugin_id,
     $plugin_definition,
-    private readonly CertificateHelper $certificateHelper,
+    private readonly KeyHelper $certificateHelper,
   ) {
     parent::__construct($configuration, $plugin_id, $plugin_definition);
   }
@@ -54,7 +56,7 @@ public static function create(ContainerInterface $container, array $configuratio
       $configuration,
       $plugin_id,
       $plugin_definition,
-      $container->get(CertificateHelper::class)
+      $container->get(KeyHelper::class)
     );
   }
 
