Remove --disable-tls/--cafile flags and rely solely on config options plus some wording clarifications

doc/03-cli.md

@@ -97,8 +97,6 @@ resolution.
 * **--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to get a faster
   autoloader. This is recommended especially for production, but can take
   a bit of time to run so it is currently not done by default.
-* **--disable-tls:** Display SSL/TLS peer verification.
-* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification.
 * **--classmap-authoritative (-a):** Autoload classes from the classmap only.
   Implicitly enables `--optimize-autoloader`.
 
@@ -148,8 +146,6 @@ php composer.phar update vendor/*
   Implicitly enables `--optimize-autoloader`.
 * **--lock:** Only updates the lock file hash to suppress warning about the
   lock file being out of date.
-* **--disable-tls:** Display SSL/TLS peer verification.
-* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification.
 * **--with-dependencies:** Add also all dependencies of whitelisted packages to the whitelist.
 * **--prefer-stable:** Prefer stable versions of dependencies.
 * **--prefer-lowest:** Prefer lowest versions of dependencies. Useful for testing minimal
@@ -188,8 +184,6 @@ php composer.phar require vendor/package:2.* vendor/package2:dev-master
 * **--update-no-dev:** Run the dependency update with the `--no-dev` option.
 * **--update-with-dependencies:** Also update dependencies of the newly
   required packages.
-* **--disable-tls:** Display SSL/TLS peer verification.
-* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification.
 * **--sort-packages:** Keep packages sorted in `composer.json`.
 * **--optimize-autoloader (-o):** Convert PSR-0/4 autoloading to classmap to
   get a faster autoloader. This is recommended especially for production, but
@@ -265,8 +259,6 @@ You can also search for more than one term by passing multiple arguments.
 ### Options
 
 * **--only-name (-N):** Search only in name.
-* **--disable-tls:** Display SSL/TLS peer verification.
-* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification.
 
 ## show
 
@@ -310,8 +302,6 @@ php composer.phar show monolog/monolog 1.0.2
 * **--installed (-i):** List the packages that are installed.
 * **--platform (-p):** List only platform packages (php & extensions).
 * **--self (-s):** List the root package info.
-* **--disable-tls:** Display SSL/TLS peer verification.
-* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification.
 * **--tree (-t):** List the dependencies as a tree. Only usable when giving a single package name or combined with `-i`.
 
 ## browse / home
@@ -422,8 +412,6 @@ sudo composer self-update
 ### Options
 
 * **--rollback (-r):** Rollback to the last version you had installed.
-* **--disable-tls:** Display SSL/TLS peer verification.
-* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification.
 * **--clean-backups:** Delete old backups during an update. This makes the
   current version of Composer the only backup available after the update.
 
@@ -517,8 +505,6 @@ By default the command checks for the packages on packagist.org.
 * **--keep-vcs:** Skip the deletion of the VCS metadata for the created
   project. This is mostly useful if you run the command in non-interactive
   mode.
-* **--disable-tls:** Display SSL/TLS peer verification.
-* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification.
 * **--ignore-platform-reqs:** ignore `php`, `hhvm`, `lib-*` and `ext-*`
   requirements and force the installation even if the local machine does not
   fulfill these.
@@ -579,11 +565,6 @@ problems.
 php composer.phar diagnose
 ```
 
-### Options
-
-* **--disable-tls:** Display SSL/TLS peer verification.
-* **--cafile:** If specified, use the given certificate file for SSL/TLS peer verification.
-
 ## archive
 
 This command is used to generate a zip/tar archive for a given package in a

doc/06-config.md

@@ -40,6 +40,25 @@ of their API. [Read
 more](articles/troubleshooting.md#api-rate-limit-and-oauth-tokens) on how to get
 an OAuth token for GitHub.
 
+## gitlab-oauth
+
+A list of domain names and oauth keys. For example using `{"gitlab.com":
+"oauthtoken"}` as the value of this option will use `oauthtoken` to access
+private repositories on gitlab.
+
+## disable-tls
+
+Defaults to `false`. If set to true all HTTPS URLs will be tried with HTTP
+instead and no network level encryption is performed. Enabling this is a
+security risk and is NOT recommended. The better way is to enable the
+php_openssl extension in php.ini.
+
+## cafile
+
+A way to set the path to the openssl CA file. In PHP 5.6+ you should rather
+set this via openssl.cafile in php.ini, although PHP 5.6+ should be able to
+detect your system CA file automatically.
+
 ## http-basic
 
 A list of domain names and username/passwords to authenticate against them. For

res/composer-schema.json

@@ -141,6 +141,14 @@
                     "description": "A hash of domain name => gitlab API oauth tokens, typically {\"gitlab.com\":\"<token>\"}.",
                     "additionalProperties": true
                 },
+                "disable-tls": {
+                    "type": "boolean",
+                    "description": "Defaults to `false`. If set to true all HTTPS URLs will be tried with HTTP instead and no network level encryption is performed. Enabling this is a security risk and is NOT recommended. The better way is to enable the php_openssl extension in php.ini."
+                },
+                "cafile": {
+                    "type": "string",
+                    "description": "A way to set the path to the openssl CA file. In PHP 5.6+ you should rather set this via openssl.cafile in php.ini, although PHP 5.6+ should be able to detect your system CA file automatically."
+                },
                 "http-basic": {
                     "type": "object",
                     "description": "A hash of domain name => {\"username\": \"...\", \"password\": \"...\"}.",

src/Composer/Command/CreateProjectCommand.php

@@ -69,8 +69,6 @@ class CreateProjectCommand extends Command
                 new InputOption('no-progress', null, InputOption::VALUE_NONE, 'Do not output download progress.'),
                 new InputOption('keep-vcs', null, InputOption::VALUE_NONE, 'Whether to prevent deletion vcs folder.'),
                 new InputOption('no-install', null, InputOption::VALUE_NONE, 'Whether to skip installation of the package dependencies.'),
-                new InputOption('disable-tls', null, InputOption::VALUE_NONE, 'Disable SSL/TLS protection for HTTPS requests'),
-                new InputOption('cafile', null, InputOption::VALUE_REQUIRED, 'The path to a valid CA certificate file for SSL/TLS certificate verification'),
                 new InputOption('ignore-platform-reqs', null, InputOption::VALUE_NONE, 'Ignore platform requirements (php & ext- packages).'),
             ))
             ->setHelp(<<<EOT

src/Composer/Command/DiagnoseCommand.php

@@ -49,10 +49,7 @@ class DiagnoseCommand extends Command
 The <info>diagnose</info> command checks common errors to help debugging problems.
 
 EOT
-            )->setDefinition(array(
-                new InputOption('disable-tls', null, InputOption::VALUE_NONE, 'Disable SSL/TLS protection for HTTPS requests'),
-                new InputOption('cafile', null, InputOption::VALUE_REQUIRED, 'The path to a valid CA certificate file for SSL/TLS certificate verification'),
-            ))
+            )
         ;
     }
 

src/Composer/Command/InstallCommand.php

@@ -46,8 +46,6 @@ class InstallCommand extends Command
                 new InputOption('no-progress', null, InputOption::VALUE_NONE, 'Do not output download progress.'),
                 new InputOption('verbose', 'v|vv|vvv', InputOption::VALUE_NONE, 'Shows more details including new commits pulled in when updating packages.'),
                 new InputOption('optimize-autoloader', 'o', InputOption::VALUE_NONE, 'Optimize autoloader during autoloader dump'),
-                new InputOption('disable-tls', null, InputOption::VALUE_NONE, 'Disable SSL/TLS protection for HTTPS requests'),
-                new InputOption('cafile', null, InputOption::VALUE_REQUIRED, 'The path to a valid CA certificate file for SSL/TLS certificate verification'),
                 new InputOption('classmap-authoritative', 'a', InputOption::VALUE_NONE, 'Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.'),
                 new InputOption('ignore-platform-reqs', null, InputOption::VALUE_NONE, 'Ignore platform requirements (php & ext- packages).'),
                 new InputArgument('packages', InputArgument::IS_ARRAY | InputArgument::OPTIONAL, 'Should not be provided, use composer require instead to add a given package to composer.json.'),

src/Composer/Command/RequireCommand.php

@@ -46,8 +46,6 @@ class RequireCommand extends InitCommand
                 new InputOption('no-update', null, InputOption::VALUE_NONE, 'Disables the automatic update of the dependencies.'),
                 new InputOption('update-no-dev', null, InputOption::VALUE_NONE, 'Run the dependency update with the --no-dev option.'),
                 new InputOption('update-with-dependencies', null, InputOption::VALUE_NONE, 'Allows inherited dependencies to be updated with explicit dependencies.'),
-                new InputOption('disable-tls', null, InputOption::VALUE_NONE, 'Disable SSL/TLS protection for HTTPS requests'),
-                new InputOption('cafile', null, InputOption::VALUE_REQUIRED, 'The path to a valid CA certificate file for SSL/TLS certificate verification'),
                 new InputOption('ignore-platform-reqs', null, InputOption::VALUE_NONE, 'Ignore platform requirements (php & ext- packages).'),
                 new InputOption('sort-packages', null, InputOption::VALUE_NONE, 'Sorts packages when adding/updating a new dependency'),
                 new InputOption('optimize-autoloader', 'o', InputOption::VALUE_NONE, 'Optimize autoloader during autoloader dump'),

src/Composer/Command/SearchCommand.php

@@ -41,8 +41,6 @@ class SearchCommand extends Command
             ->setDescription('Search for packages')
             ->setDefinition(array(
                 new InputOption('only-name', 'N', InputOption::VALUE_NONE, 'Search only in name'),
-                new InputOption('disable-tls', null, InputOption::VALUE_NONE, 'Disable SSL/TLS protection for HTTPS requests'),
-                new InputOption('cafile', null, InputOption::VALUE_REQUIRED, 'The path to a valid CA certificate file for SSL/TLS certificate verification'),
                 new InputArgument('tokens', InputArgument::IS_ARRAY | InputArgument::REQUIRED, 'tokens to search for'),
             ))
             ->setHelp(<<<EOT

src/Composer/Command/SelfUpdateCommand.php

@@ -43,8 +43,6 @@ class SelfUpdateCommand extends Command
             ->setDefinition(array(
                 new InputOption('rollback', 'r', InputOption::VALUE_NONE, 'Revert to an older installation of composer'),
                 new InputOption('clean-backups', null, InputOption::VALUE_NONE, 'Delete old backups during an update. This makes the current version of composer the only backup available after the update'),
-                new InputOption('disable-tls', null, InputOption::VALUE_NONE, 'Disable SSL/TLS protection for HTTPS requests'),
-                new InputOption('cafile', null, InputOption::VALUE_REQUIRED, 'The path to a valid CA certificate file for SSL/TLS certificate verification'),
                 new InputArgument('version', InputArgument::OPTIONAL, 'The version to update to'),
                 new InputOption('no-progress', null, InputOption::VALUE_NONE, 'Do not output download progress.'),
             ))
@@ -63,17 +61,15 @@ EOT
     {
         $config = Factory::createConfig();
 
-        if($config->get('disable-tls') === true || $input->getOption('disable-tls')) {
+        if ($config->get('disable-tls') === true) {
             $baseUrl = 'http://' . self::HOMEPAGE;
         } else {
             $baseUrl = 'https://' . self::HOMEPAGE;
         }
+
         $io = $this->getIO();
         $remoteFilesystem = Factory::createRemoteFilesystem($io, $config);
 
-        // TODO: Silent switch probably should be kicking out exception
-        $baseUrl = (extension_loaded('openssl') ? 'https' : 'http') . '://' . self::HOMEPAGE;
-
         $cacheDir = $config->get('cache-dir');
         $rollbackDir = $config->get('home');
         $localFilename = realpath($_SERVER['argv'][0]) ?: $_SERVER['argv'][0];

src/Composer/Command/ShowCommand.php

@@ -56,8 +56,6 @@ class ShowCommand extends Command
                 new InputOption('available', 'a', InputOption::VALUE_NONE, 'List available packages only'),
                 new InputOption('self', 's', InputOption::VALUE_NONE, 'Show the root package information'),
                 new InputOption('name-only', 'N', InputOption::VALUE_NONE, 'List package names only'),
-                new InputOption('disable-tls', null, InputOption::VALUE_NONE, 'Disable SSL/TLS protection for HTTPS requests'),
-                new InputOption('cafile', null, InputOption::VALUE_REQUIRED, 'The path to a valid CA certificate file for SSL/TLS certificate verification'),
                 new InputOption('path', 'P', InputOption::VALUE_NONE, 'Show package paths'),
                 new InputOption('tree', 't', InputOption::VALUE_NONE, 'List the dependencies as a tree'),
             ))

src/Composer/Command/UpdateCommand.php

@@ -52,8 +52,6 @@ class UpdateCommand extends Command
                 new InputOption('with-dependencies', null, InputOption::VALUE_NONE, 'Add also all dependencies of whitelisted packages to the whitelist.'),
                 new InputOption('verbose', 'v|vv|vvv', InputOption::VALUE_NONE, 'Shows more details including new commits pulled in when updating packages.'),
                 new InputOption('optimize-autoloader', 'o', InputOption::VALUE_NONE, 'Optimize autoloader during autoloader dump.'),
-                new InputOption('disable-tls', null, InputOption::VALUE_NONE, 'Disable SSL/TLS protection for HTTPS requests'),
-                new InputOption('cafile', null, InputOption::VALUE_REQUIRED, 'The path to a valid CA certificate file for SSL/TLS certificate verification'),
                 new InputOption('classmap-authoritative', 'a', InputOption::VALUE_NONE, 'Autoload classes from the classmap only. Implicitly enables `--optimize-autoloader`.'),
                 new InputOption('ignore-platform-reqs', null, InputOption::VALUE_NONE, 'Ignore platform requirements (php & ext- packages).'),
                 new InputOption('prefer-stable', null, InputOption::VALUE_NONE, 'Prefer stable versions of dependencies.'),

src/Composer/Factory.php

@@ -521,25 +521,25 @@ class Factory
             $disableTls = true;
         } elseif (!extension_loaded('openssl')) {
             throw new \RuntimeException('The openssl extension is required for SSL/TLS protection but is not available. '
-                . 'You can disable this error, at your own risk, by passing the \'--disable-tls\' option to this command.');
+                . 'You can disable this error, at your own risk, by setting the \'disable-tls\' option to true.');
         }
         $remoteFilesystemOptions = array();
         if ($disableTls === false) {
             if (isset($config) && !empty($config->get('cafile'))) {
-                $remoteFilesystemOptions = array('ssl'=>array('cafile'=>$config->get('cafile')));
-            }
-            if (!empty($io->getInputOption('cafile'))) {
-                $remoteFilesystemOptions = array('ssl'=>array('cafile'=>$io->getInputOption('cafile')));
+                $remoteFilesystemOptions = array('ssl' => array('cafile' => $config->get('cafile')));
             }
             $remoteFilesystemOptions = array_merge_recursive($remoteFilesystemOptions, $options);
         }
         try {
-            $remoteFilesystem = new RemoteFilesystem($io, $remoteFilesystemOptions, $disableTls);
+            $remoteFilesystem = new RemoteFilesystem($io, $config, $remoteFilesystemOptions, $disableTls);
         } catch (TransportException $e) {
             if (preg_match('|cafile|', $e->getMessage())) {
                 $io->write('<error>Unable to locate a valid CA certificate file. You must set a valid \'cafile\' option.</error>');
                 $io->write('<error>A valid CA certificate file is required for SSL/TLS protection.</error>');
-                $io->write('<error>You can disable this error, at your own risk, by passing the \'--disable-tls\' option to this command.</error>');
+                if (PHP_VERSION_ID < 50600) {
+                    $io->write('<error>It is recommended you upgrade to PHP 5.6+ which can detect your system CA file automatically.</error>');
+                }
+                $io->write('<error>You can disable this error, at your own risk, by setting the \'disable-tls\' option to true.</error>');
             }
             throw $e;
         }

src/Composer/Util/ConfigValidator.php

@@ -19,6 +19,7 @@ use Composer\Json\JsonValidationException;
 use Composer\IO\IOInterface;
 use Composer\Json\JsonFile;
 use Composer\Spdx\SpdxLicenses;
+use Composer\Factory;
 
 /**
  * Validates a composer configuration.

src/Composer/Util/GitLab.php

@@ -14,6 +14,7 @@ namespace Composer\Util;
 
 use Composer\IO\IOInterface;
 use Composer\Config;
+use Composer\Factory;
 use Composer\Downloader\TransportException;
 use Composer\Json\JsonFile;
 
@@ -40,7 +41,7 @@ class GitLab
         $this->io = $io;
         $this->config = $config;
         $this->process = $process ?: new ProcessExecutor();
-        $this->remoteFilesystem = $remoteFilesystem ?: new RemoteFilesystem($io, $config);
+        $this->remoteFilesystem = $remoteFilesystem ?: Factory::createRemoteFilesystem($this->io, $config);
     }
 
     /**