Guzzle vendor library looks like deprecated #9531

Closed
tassoman opened this issue Jan 15, 2016 · 5 comments

@tassoman
Contributor

Ciao!
I'm trying to write a plugin that manages HTTP queries to Piwik Reporting APIs. It should verify our staging installation meets production environment.

I've started using Piwik\HTTP::fetchRemoteFile($urlToFile) method and I was stuck in the problem exposed somehow in #7580. My problem is our certificate is self-signed instead of root public.

So I've decided to build myself an HTTPS call without certificate verification 😭 and I discovered Guzzle\HTTP\Client using PHPStorm IDE

Having no clue of what I am doing 😲 I've tried to readthedocs discovering that $client = new GuzzleHttp\Client();

Then I've ended up there should be «something». A rapid grep of composer.lock showed Piwik's Guzzle is still v3 that's now deprecated by v5. Finally, the stable documentation writes about v6.

Now I'm confused 😕

@tsteur
Member

tsteur commented Jan 17, 2016

Are you writing a Piwik plugin? In this case you can directly access the API without going over HTTP by using the Request::processRequest method http://developer.piwik.org/api-reference/Piwik/API/Request#processrequest like this https://github.com/piwik/piwik/blob/2.16.0-b2/plugins/SegmentEditor/SegmentList.php#L21-L23

We don't really use Guzzle. It is required by another dependency (I think by AWS-SDK-PHP). It probably requires Guzzle 3 because it's compatible with PHP 5.3+ whereas Guzzle 4 requires PHP 5.4+ and latest version requires PHP 5.5+. So we couldn't really use a newer version for now but we're not using it anyway. Please use Piwik\Http instead.

Maybe this solves the problem with your certificate and allows you to actually use Http class http://forum.piwik.org/t/certificate-error-on-update-to-2-12-1-solved-tu/15124/4?u=thomas_piwik . Otherwise we'd need to maybe reopen #7580

@tsteur tsteur closed this as completed Jan 17, 2016
@tsteur tsteur self-assigned this Jan 17, 2016
@tsteur tsteur added this to the 2.16.0 milestone Jan 17, 2016
@tsteur tsteur added the answered For when a question was asked and we referred to forum or answered it. label Jan 17, 2016
@tassoman
Contributor Author

Hi @tsteur thank you for your fast reply.
Now I understand using Guzzle\Http\Client is not the right choice.
I've already tried using Request::processRequest but it's useful when you're querying the local Piwik installation. My will is to query staging and production installations from the Dev machine; today all three of them are different Piwik versions.
I've also tried setting [curl.cacert] inside Dev's php.ini configuration but it didn't work, looks like I was missing something.
Doing a raw curl from the shell ended up the certificate chain is missing one cert.
Finally, if sysops can't bring me the full chain certificates I think I sadly need to get rid of verification.
Using Piwik\Http directly I can't get rid of verification (-k) because of security risk. Do you think I can extend it by writing Piwik\Plugins\MyPlugin\Http inside my Dev environment?

@tsteur
Member

tsteur commented Jan 18, 2016

You can maybe extend it inside your dev environment. I'm not quite sure about your setup. So you are working on a plugin for Piwik, and within this plugin you request data from different environments (QA, Test, Prod, ...)?

You could otherwise download maybe another simple library and ship it with your plugin. E.g. you can put a library inside your libs folder of the plugin but you'd need to load it manually.

> Doing a raw curl from the shell ended up the certificate chain is missing one cert.

So it seems like there's a problem with certs in general?

@tassoman
Contributor Author

Yes, the problem is with my certificate chain. So I've managed the thing insecurely, avoiding the certificate verification (-k --insecure curl way); it's enough for a Development installation because it works entirely inside the intranet.

I got the things done extending the Piwik\Http class by Piwik\Plugins\MyPlugin\Https. Then Piwik\Plugins\MyPlugin\Commands\MyCommand creates the Https object.

This Https object just overrides configCurlCertificate() by:

public static function configCurlCertificate(&$ch)
{
  if (file_exists(PIWIK_INCLUDE_PATH . '/core/DataFiles/cacert.pem')) {
    @curl_setopt($ch, CURLOPT_CAINFO, PIWIK_INCLUDE_PATH . '/core/DataFiles/cacert.pem');
  }
  // This is the insecure way: -k --insecure
  @curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
  @curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
}
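
For comparison with the override above, an added example (not part of the original comment and not Piwik code) that keeps verification on by pointing cURL at a bundle holding the internal root plus the intermediate the thread says is missing. The function names, the constructed throwaway certificate and the `staging.example.invalid` URL are assumptions for illustration.

```php
<?php
// Added example, not Piwik code. loadCaBundle() and configureVerifiedCurl() are hypothetical names.

/**
 * Return the subjects of the PEM certificates in $path that parse and are not expired.
 * Throws if the bundle is unusable, so a bad file never degrades to "no verification".
 */
function loadCaBundle(string $path): array
{
    $pem = @file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("CA bundle not readable: $path");
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/s', $pem, $m);
    $subjects = [];
    foreach ($m[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false || $info['validTo_time_t'] < time()) {
            continue; // unparsable or expired: cannot anchor a chain
        }
        $subjects[] = $info['name'];
    }
    if ($subjects === []) {
        throw new RuntimeException("No valid certificate in $path");
    }
    return $subjects;
}

/** Point cURL at the bundle and keep both the peer and the hostname checks on. */
function configureVerifiedCurl($ch, string $caBundlePath): void
{
    loadCaBundle($caBundlePath); // fail early on an empty or expired bundle
    curl_setopt($ch, CURLOPT_CAINFO, $caBundlePath);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
}

// Constructed sample: a throwaway self-signed certificate stands in for the internal CA.
$key = openssl_pkey_new(['private_key_bits' => 2048]);
$csr = openssl_csr_new(['commonName' => 'Example Internal CA'], $key);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 30), $pemOut);
$bundle = tempnam(sys_get_temp_dir(), 'ca');
file_put_contents($bundle, $pemOut);

print_r(loadCaBundle($bundle)); // subjects cURL will trust for this handle
$ch = curl_init('https://staging.example.invalid/index.php');
configureVerifiedCurl($ch, $bundle);
unlink($bundle);
```

With this configuration a server that still sends an incomplete chain fails the request with a cURL certificate error instead of being silently accepted.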

@tsteur
Member

tsteur commented Jan 19, 2016

Glad to hear 👍
