1:   2:   3:   4:   5:   6:   7:   8:   9:  10:  11:  12:  13:  14:  15:  16:  17:  18:  19:  20:  21:  22:  23:  24:  25:  26:  27:  28:  29:  30:  31:  32:  33:  34:  35:  36:  37:  38:  39:  40:  41:  42:  43:  44:  45:  46:  47:  48:  49:  50:  51:  52:  53:  54:  55:  56:  57:  58:  59:  60:  61:  62:  63:  64:  65:  66:  67:  68:  69:  70:  71:  72:  73:  74:  75:  76:  77:  78:  79:  80:  81:  82:  83:  84:  85:  86:  87:  88:  89:  90:  91:  92:  93:  94:  95:  96:  97:  98:  99: 100: 101: 102: 103: 104: 105: 106: 107: 108: 109: 110: 111: 112: 113: 114: 115: 116: 117: 118: 119: 120: 121: 122: 123: 124: 125: 126: 127: 128: 129: 130: 131: 132: 133: 134: 135: 136: 137: 138: 139: 140: 141: 142: 143: 144: 145: 

<?php
namespace Dropbox;

/**
 * See: {@link useExternalPaths()}
 */
class RootCertificates
{
    /* @var boolean */
    private static $useExternalFile = false;

    /* @var string[]|null */
    private static $paths = null;  // A tuple of (rootCertsFilePath, rootCertsFolderPath)

    /**
     * If you're running within a PHAR, call this method before you use the SDK
     * to make any network requests.
     *
     * Normally, the SDK tells cURL to look in the "certs" folder for root certificate
     * information.  But this won't work if this SDK is running from within a PHAR because
     * cURL won't read files that are packaged in a PHAR.
     */
    static function useExternalPaths()
    {
        if (!self::$useExternalFile and self::$paths !== null) {
            throw new \Exception("You called \"useExternalFile\" too late.  The SDK already used the root ".
                                 "certificate file (probably to make an API call).");
        }

        self::$useExternalFile = true;
    }

    private static $originalPath = '/certs/trusted-certs.crt';

    /**
     * @internal
     *
     * @return string[]
     *    A tuple of (rootCertsFilePath, rootCertsFolderPath).  To be used with cURL options CAINFO and CAPATH.
     */
    static function getPaths()
    {
        if (self::$paths === null) {
            if (self::$useExternalFile) {
                try {
                    $baseFolder = sys_get_temp_dir();
                    $file = self::createExternalCaFile($baseFolder);
                    $folder = self::createExternalCaFolder($baseFolder);
                }
                catch (\Exception $ex) {
                    throw new \Exception("Unable to create external root certificate file and folder: ".$ex->getMessage());
                }
            }
            else {
                if (substr(__DIR__, 0, 7) === 'phar://') {
                    throw new \Exception("The code appears to be running in a PHAR.  You need to call \\Dropbox\\RootCertificates\\useExternalPaths() before making any API calls.");
                }
                $file = __DIR__.self::$originalPath;
                $folder = \dirname($file);
            }
            self::$paths = array($file, $folder);
        }

        return self::$paths;
    }

    /**
     * @param string $baseFolder
     *
     * @return string
     */
    private static function createExternalCaFolder($baseFolder)
    {
        // This is hacky, but I can't find a simple way to do this.

        // This process isn't atomic, so give it three tries.
        for ($i = 0; $i < 3; $i++) {
            $path = \tempnam($baseFolder, "dropbox-php-sdk-trusted-certs-empty-dir");
            if ($path === false) {
                throw new \Exception("Couldn't create temp file in folder ".Util::q($baseFolder).".");
            }
            if (!\unlink($path)) {
                throw new \Exception("Couldn't remove temp file to make way for temp dir: ".Util::q($path));
            }
            // TODO: Figure out how to make the folder private on Windows.  The '700' only works on Unix.
            if (!\mkdir($path, 700)) {
                // Someone snuck in between the unlink() and the mkdir() and stole our path.
                throw new \Exception("Couldn't create temp dir: ".Util::q($path));
            }
            \register_shutdown_function(function() use ($path) {
                \rmdir($path);
            });
            return $path;
        }

        throw new \Exception("Unable to create temp dir in ".Util::q($baseFolder).", there's always something in the way.");
    }

    /**
     * @param string $baseFolder
     *
     * @return string
     */
    private static function createExternalCaFile($baseFolder)
    {
        $path = \tempnam($baseFolder, "dropbox-php-sdk-trusted-certs");
        if ($path === false) {
            throw new \Exception("Couldn't create temp file in folder ".Util::q($baseFolder).".");
        }
        \register_shutdown_function(function() use ($path) {
            \unlink($path);
        });

        // NOTE: Can't use the standard PHP copy().  That would clobber the locked-down
        // permissions set by tempnam().
        self::copyInto(__DIR__.self::$originalPath, $path);

        return $path;
    }

    /**
     * @param string $src
     * @param string $dest
     */
    private static function copyInto($src, $dest)
    {
        $srcFd = \fopen($src, "r");
        if ($srcFd === false) {
            throw new \Exception("Couldn't open " . Util::q($src) . " for reading.");
        }
        $destFd = \fopen($dest, "w");
        if ($destFd === false) {
            \fclose($srcFd);
            throw new \Exception("Couldn't open " . Util::q($dest) . " for writing.");
        }

        \stream_copy_to_stream($srcFd, $destFd);

        fclose($srcFd);
        if (!\fclose($destFd)) {
            throw new \Exception("Error closing file ".Util::q($dest).".");
        }
    }
}