nextcloud/lib/private/Server.php

2253 lines
68 KiB
PHP
Raw Normal View History

2013-08-21 02:58:15 +04:00
<?php
2015-03-26 13:44:34 +03:00
/**
2016-07-21 18:07:57 +03:00
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @copyright Copyright (c) 2016, Lukas Reschke <lukas@statuscode.ch>
2016-07-21 18:07:57 +03:00
*
* @author Arne Hamann <kontakt+github@arne.email>
2016-05-26 20:56:05 +03:00
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
2015-03-26 13:44:34 +03:00
* @author Bart Visscher <bartv@thisnet.nl>
* @author Bernhard Posselt <dev@bernhard-posselt.com>
* @author Bernhard Reiter <ockham@raz.or.at>
2016-07-21 18:07:57 +03:00
* @author Bjoern Schiessle <bjoern@schiessle.org>
2016-05-26 20:56:05 +03:00
* @author Björn Schießle <bjoern@schiessle.org>
* @author Christopher Schäpers <kondou@ts.unde.re>
* @author Christoph Wurst <christoph@winzerhof-wurst.at>
* @author Damjan Georgievski <gdamjan@gmail.com>
* @author Daniel Kesselberg <mail@danielkesselberg.de>
* @author Georg Ehrke <oc.list@georgehrke.com>
2016-07-21 18:07:57 +03:00
* @author Joas Schilling <coding@schilljs.com>
* @author John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
* @author Jörn Friedrich Dreyer <jfd@butonic.de>
* @author Julius Haertl <jus@bitgrid.net>
* @author Julius Härtl <jus@bitgrid.net>
2016-05-26 20:56:05 +03:00
* @author Lukas Reschke <lukas@statuscode.ch>
* @author Maxence Lange <maxence@artificial-owl.com>
* @author Michael Weimann <mail@michael-weimann.eu>
2015-03-26 13:44:34 +03:00
* @author Morris Jobke <hey@morrisjobke.de>
* @author Piotr Mrówczyński <mrow4a@yahoo.com>
2016-07-21 19:13:36 +03:00
* @author Robin Appelman <robin@icewind.nl>
2016-01-12 17:02:16 +03:00
* @author Robin McCorkell <robin@mccorkell.me.uk>
2016-07-21 18:07:57 +03:00
* @author Roeland Jago Douma <roeland@famdouma.nl>
* @author root <root@localhost.localdomain>
2015-03-26 13:44:34 +03:00
* @author Sander <brantje@gmail.com>
* @author Thomas Müller <thomas.mueller@tmit.eu>
* @author Thomas Tanghus <thomas@tanghus.net>
* @author Tobia De Koninck <tobia@ledfan.be>
2015-03-26 13:44:34 +03:00
* @author Vincent Petry <pvince81@owncloud.com>
* @author Xheni Myrtaj <myrtajxheni@gmail.com>
2015-03-26 13:44:34 +03:00
*
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
2015-03-26 13:44:34 +03:00
*
*/
2017-08-24 17:21:50 +03:00
2013-08-21 02:58:15 +04:00
namespace OC;
2014-12-05 21:56:29 +03:00
use bantu\IniGetWrapper\IniGetWrapper;
use OC\Accounts\AccountManager;
use OC\App\AppManager;
use OC\App\AppStore\Bundles\BundleFetcher;
use OC\App\AppStore\Fetcher\AppFetcher;
use OC\App\AppStore\Fetcher\CategoryFetcher;
2013-09-05 01:45:11 +04:00
use OC\AppFramework\Http\Request;
use OC\AppFramework\Utility\SimpleContainer;
use OC\AppFramework\Utility\TimeFactory;
use OC\Authentication\Events\LoginFailed;
use OC\Authentication\Listeners\LoginFailedListener;
use OC\Authentication\LoginCredentials\Store;
use OC\Authentication\Token\IProvider;
use OC\Avatar\AvatarManager;
use OC\Collaboration\Collaborators\GroupPlugin;
use OC\Collaboration\Collaborators\MailPlugin;
use OC\Collaboration\Collaborators\RemoteGroupPlugin;
use OC\Collaboration\Collaborators\RemotePlugin;
use OC\Collaboration\Collaborators\UserPlugin;
use OC\Command\CronBus;
use OC\Comments\ManagerFactory as CommentsManagerFactory;
use OC\Contacts\ContactsMenu\ActionFactory;
use OC\Contacts\ContactsMenu\ContactsStore;
use OC\Dashboard\DashboardManager;
2014-10-03 22:39:09 +04:00
use OC\Diagnostics\EventLogger;
use OC\Diagnostics\QueryLogger;
use OC\Federation\CloudFederationFactory;
use OC\Federation\CloudFederationProviderManager;
use OC\Federation\CloudIdManager;
2015-11-26 19:47:53 +03:00
use OC\Files\Config\UserMountCache;
2015-12-03 16:10:05 +03:00
use OC\Files\Config\UserMountCacheListener;
use OC\Files\Mount\CacheMountProvider;
use OC\Files\Mount\LocalHomeMountProvider;
use OC\Files\Mount\ObjectHomeMountProvider;
use OC\Files\Node\HookConnector;
2016-03-11 16:00:36 +03:00
use OC\Files\Node\LazyRoot;
2015-06-11 12:29:27 +03:00
use OC\Files\Node\Root;
use OC\Files\Storage\StorageFactory;
2015-06-11 12:29:27 +03:00
use OC\Files\View;
use OC\FullTextSearch\FullTextSearchManager;
2015-06-11 12:29:27 +03:00
use OC\Http\Client\ClientService;
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
use OC\IntegrityCheck\Checker;
use OC\IntegrityCheck\Helpers\AppLocator;
use OC\IntegrityCheck\Helpers\EnvironmentHelper;
use OC\IntegrityCheck\Helpers\FileAccessHelper;
use OC\Lock\DBLockingProvider;
use OC\Lock\MemcacheLockingProvider;
2015-05-21 17:11:10 +03:00
use OC\Lock\NoopLockingProvider;
use OC\Lockdown\LockdownManager;
use OC\Log\LogFactory;
use OC\Log\PsrLoggerAdapter;
use OC\Mail\Mailer;
use OC\Memcache\ArrayCache;
use OC\Memcache\Factory;
2015-08-31 13:24:37 +03:00
use OC\Notification\Manager;
use OC\OCS\DiscoveryService;
use OC\Preview\GeneratorHelper;
use OC\Remote\Api\ApiFactory;
use OC\Remote\InstanceFactory;
use OC\RichObjectStrings\Validator;
use OC\Security\Bruteforce\Throttler;
2014-08-18 18:30:23 +04:00
use OC\Security\CertificateManager;
use OC\Security\CredentialsManager;
use OC\Security\Crypto;
use OC\Security\CSP\ContentSecurityPolicyManager;
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
use OC\Security\CSRF\CsrfTokenGenerator;
use OC\Security\CSRF\CsrfTokenManager;
use OC\Security\CSRF\TokenStorage\SessionStorage;
use OC\Security\Hasher;
use OC\Security\SecureRandom;
2015-02-17 00:12:47 +03:00
use OC\Security\TrustedDomainHelper;
use OC\Session\CryptoWrapper;
use OC\Share20\ProviderFactory;
use OC\Share20\ShareHelper;
use OC\SystemTag\ManagerFactory as SystemTagManagerFactory;
use OC\Tagging\TagMapper;
use OC\Template\IconsCacher;
use OC\Template\JSCombiner;
use OC\Template\SCSSCacher;
use OCA\Theming\ImageManager;
use OCA\Theming\ThemingDefaults;
use OCA\Theming\Util;
use OCP\Accounts\IAccountManager;
use OCP\App\IAppManager;
use OCP\AppFramework\QueryException;
use OCP\Authentication\LoginCredentials\IStore;
use OCP\BackgroundJob\IJobList;
use OCP\Collaboration\AutoComplete\IManager;
use OCP\Comments\ICommentsManager;
use OCP\Contacts\ContactsMenu\IActionFactory;
use OCP\Contacts\ContactsMenu\IContactsStore;
use OCP\Dashboard\IDashboardManager;
use OCP\Defaults;
use OCP\Diagnostics\IEventLogger;
use OCP\Diagnostics\IQueryLogger;
use OCP\EventDispatcher\IEventDispatcher;
use OCP\Federation\ICloudFederationFactory;
use OCP\Federation\ICloudFederationProviderManager;
use OCP\Federation\ICloudIdManager;
use OCP\Files\Config\IMountProviderCollection;
use OCP\Files\Config\IUserMountCache;
use OCP\Files\IMimeTypeDetector;
use OCP\Files\IMimeTypeLoader;
use OCP\Files\IRootFolder;
use OCP\Files\Mount\IMountManager;
use OCP\Files\NotFoundException;
use OCP\Files\Storage\IStorageFactory;
use OCP\FullTextSearch\IFullTextSearchManager;
use OCP\GlobalScale\IConfig;
use OCP\Group\Events\BeforeGroupCreatedEvent;
use OCP\Group\Events\BeforeGroupDeletedEvent;
use OCP\Group\Events\BeforeUserAddedEvent;
use OCP\Group\Events\BeforeUserRemovedEvent;
use OCP\Group\Events\GroupCreatedEvent;
use OCP\Group\Events\GroupDeletedEvent;
use OCP\Group\Events\UserAddedEvent;
use OCP\Group\Events\UserRemovedEvent;
use OCP\Group\ISubAdmin;
use OCP\Http\Client\IClientService;
use OCP\IAppConfig;
use OCP\IAvatarManager;
use OCP\ICache;
use OCP\ICacheFactory;
use OCP\IContainer;
use OCP\IDateTimeFormatter;
use OCP\IDateTimeZone;
use OCP\IDBConnection;
use OCP\IGroupManager;
use OCP\IInitialStateService;
use OCP\IL10N;
use OCP\ILogger;
use OCP\INavigationManager;
use OCP\IPreview;
use OCP\IRequest;
use OCP\ISearch;
2015-06-11 12:29:27 +03:00
use OCP\IServerContainer;
use OCP\ITagManager;
use OCP\ITempManager;
use OCP\IURLGenerator;
use OCP\IUser;
use OCP\IUserManager;
use OCP\IUserSession;
use OCP\L10N\IFactory;
use OCP\Lock\ILockingProvider;
use OCP\Log\ILogFactory;
use OCP\Mail\IMailer;
use OCP\Remote\Api\IApiFactory;
use OCP\Remote\IInstanceFactory;
use OCP\RichObjectStrings\IValidator;
use OCP\Route\IRouter;
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
2016-01-28 16:33:02 +03:00
use OCP\Security\IContentSecurityPolicyManager;
use OCP\Security\ICredentialsManager;
use OCP\Security\ICrypto;
use OCP\Security\IHasher;
use OCP\Security\ISecureRandom;
use OCP\Share\IShareHelper;
use OCP\SystemTag\ISystemTagManager;
use OCP\SystemTag\ISystemTagObjectMapper;
use OCP\User\Events\BeforePasswordUpdatedEvent;
use OCP\User\Events\BeforeUserCreatedEvent;
use OCP\User\Events\BeforeUserDeletedEvent;
use OCP\User\Events\BeforeUserLoggedInEvent;
use OCP\User\Events\BeforeUserLoggedInWithCookieEvent;
use OCP\User\Events\BeforeUserLoggedOutEvent;
use OCP\User\Events\PasswordUpdatedEvent;
use OCP\User\Events\UserChangedEvent;
use OCP\User\Events\UserCreatedEvent;
use OCP\User\Events\UserDeletedEvent;
use OCP\User\Events\UserLoggedInEvent;
use OCP\User\Events\UserLoggedInWithCookieEvent;
use OCP\User\Events\UserLoggedOutEvent;
use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\EventDispatcher\GenericEvent;
use OCA\Files_External\Service\UserStoragesService;
use OCA\Files_External\Service\UserGlobalStoragesService;
use OCA\Files_External\Service\GlobalStoragesService;
use OCA\Files_External\Service\BackendService;
2013-08-21 02:58:15 +04:00
/**
* Class Server
2014-07-16 16:25:31 +04:00
*
2013-08-21 02:58:15 +04:00
* @package OC
*
* TODO: hookup all manager classes
*/
class Server extends ServerContainer implements IServerContainer {
2014-11-27 16:50:14 +03:00
/** @var string */
private $webRoot;
/**
* @param string $webRoot
2015-12-18 13:24:15 +03:00
* @param \OC\Config $config
2014-11-27 16:50:14 +03:00
*/
2015-12-18 13:24:15 +03:00
public function __construct($webRoot, \OC\Config $config) {
parent::__construct();
2014-11-27 16:50:14 +03:00
$this->webRoot = $webRoot;
// To find out if we are running from CLI or not
$this->registerParameter('isCLI', \OC::$CLI);
2017-08-24 17:21:50 +03:00
$this->registerService(\OCP\IServerContainer::class, function (IServerContainer $c) {
return $c;
});
$this->registerAlias(\OCP\Calendar\IManager::class, \OC\Calendar\Manager::class);
$this->registerDeprecatedAlias('CalendarManager', \OC\Calendar\Manager::class);
$this->registerAlias(\OCP\Calendar\Resource\IManager::class, \OC\Calendar\Resource\Manager::class);
$this->registerDeprecatedAlias('CalendarResourceBackendManager', \OC\Calendar\Resource\Manager::class);
$this->registerAlias(\OCP\Calendar\Room\IManager::class, \OC\Calendar\Room\Manager::class);
$this->registerDeprecatedAlias('CalendarRoomBackendManager', \OC\Calendar\Room\Manager::class);
$this->registerAlias(\OCP\Contacts\IManager::class, \OC\ContactsManager::class);
$this->registerDeprecatedAlias('ContactsManager', \OCP\Contacts\IManager::class);
$this->registerAlias(\OCP\DirectEditing\IManager::class, \OC\DirectEditing\Manager::class);
$this->registerAlias(IActionFactory::class, ActionFactory::class);
$this->registerService(IPreview::class, function (Server $c) {
return new PreviewManager(
$c->getConfig(),
$c->getRootFolder(),
$c->getAppDataDir('preview'),
$c->getEventDispatcher(),
$c->getGeneratorHelper(),
$c->getSession()->get('user_id')
);
2013-09-05 01:45:11 +04:00
});
$this->registerDeprecatedAlias('PreviewManager', IPreview::class);
$this->registerService(\OC\Preview\Watcher::class, function (Server $c) {
return new \OC\Preview\Watcher(
$c->getAppDataDir('preview')
);
});
$this->registerService(\OCP\Encryption\IManager::class, function (Server $c) {
$view = new View();
$util = new Encryption\Util(
$view,
$c->getUserManager(),
$c->getGroupManager(),
$c->getConfig()
);
return new Encryption\Manager(
$c->getConfig(),
$c->getLogger(),
$c->getL10N('core'),
new View(),
$util,
new ArrayCache()
);
});
$this->registerDeprecatedAlias('EncryptionManager', \OCP\Encryption\IManager::class);
$this->registerService('EncryptionFileHelper', function (Server $c) {
$util = new Encryption\Util(
new View(),
$c->getUserManager(),
$c->getGroupManager(),
$c->getConfig()
);
return new Encryption\File(
$util,
$c->getRootFolder(),
$c->getShareManager()
);
});
$this->registerService('EncryptionKeyStorage', function (Server $c) {
$view = new View();
$util = new Encryption\Util(
$view,
$c->getUserManager(),
$c->getGroupManager(),
$c->getConfig()
);
return new Encryption\Keys\Storage($view, $util);
});
2015-12-03 16:10:05 +03:00
$this->registerService('TagMapper', function (Server $c) {
return new TagMapper($c->getDatabaseConnection());
});
$this->registerService(\OCP\ITagManager::class, function (Server $c) {
$tagMapper = $c->query('TagMapper');
2014-12-10 17:59:41 +03:00
return new TagManager($tagMapper, $c->getUserSession());
});
$this->registerDeprecatedAlias('TagManager', \OCP\ITagManager::class);
$this->registerService('SystemTagManagerFactory', function (Server $c) {
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('systemtags.managerFactory', SystemTagManagerFactory::class);
return new $factoryClass($this);
});
$this->registerService(ISystemTagManager::class, function (Server $c) {
return $c->query('SystemTagManagerFactory')->getManager();
});
$this->registerDeprecatedAlias('SystemTagManager', ISystemTagManager::class);
$this->registerService(ISystemTagObjectMapper::class, function (Server $c) {
return $c->query('SystemTagManagerFactory')->getObjectMapper();
});
$this->registerService('RootFolder', function (Server $c) {
$manager = \OC\Files\Filesystem::getMountManager(null);
$view = new View();
$root = new Root(
$manager,
$view,
null,
$c->getUserMountCache(),
$this->getLogger(),
$this->getUserManager()
);
$connector = new HookConnector($root, $view, $c->getEventDispatcher());
$connector->viewToNode();
$previewConnector = new \OC\Preview\WatcherConnector($root, $c->getSystemConfig());
$previewConnector->connectWatcher();
return $root;
});
$this->registerDeprecatedAlias('SystemTagObjectMapper', ISystemTagObjectMapper::class);
$this->registerService(IRootFolder::class, function (Server $c) {
2017-08-24 17:21:50 +03:00
return new LazyRoot(function () use ($c) {
2016-08-26 13:13:34 +03:00
return $c->query('RootFolder');
2016-03-11 16:00:36 +03:00
});
});
$this->registerDeprecatedAlias('LazyRootFolder', IRootFolder::class);
$this->registerDeprecatedAlias('UserManager', \OC\User\Manager::class);
$this->registerAlias(\OCP\IUserManager::class, \OC\User\Manager::class);
$this->registerService(\OCP\IGroupManager::class, function (Server $c) {
$groupManager = new \OC\Group\Manager($this->getUserManager(), $c->getEventDispatcher(), $this->getLogger());
$groupManager->listen('\OC\Group', 'preCreate', function ($gid) {
\OC_Hook::emit('OC_Group', 'pre_createGroup', ['run' => true, 'gid' => $gid]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new BeforeGroupCreatedEvent($gid));
});
$groupManager->listen('\OC\Group', 'postCreate', function (\OC\Group\Group $group) {
\OC_Hook::emit('OC_User', 'post_createGroup', ['gid' => $group->getGID()]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new GroupCreatedEvent($group));
});
$groupManager->listen('\OC\Group', 'preDelete', function (\OC\Group\Group $group) {
\OC_Hook::emit('OC_Group', 'pre_deleteGroup', ['run' => true, 'gid' => $group->getGID()]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new BeforeGroupDeletedEvent($group));
});
$groupManager->listen('\OC\Group', 'postDelete', function (\OC\Group\Group $group) {
\OC_Hook::emit('OC_User', 'post_deleteGroup', ['gid' => $group->getGID()]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new GroupDeletedEvent($group));
});
$groupManager->listen('\OC\Group', 'preAddUser', function (\OC\Group\Group $group, \OC\User\User $user) {
\OC_Hook::emit('OC_Group', 'pre_addToGroup', ['run' => true, 'uid' => $user->getUID(), 'gid' => $group->getGID()]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new BeforeUserAddedEvent($group, $user));
});
$groupManager->listen('\OC\Group', 'postAddUser', function (\OC\Group\Group $group, \OC\User\User $user) {
\OC_Hook::emit('OC_Group', 'post_addToGroup', ['uid' => $user->getUID(), 'gid' => $group->getGID()]);
//Minimal fix to keep it backward compatible TODO: clean up all the GroupManager hooks
\OC_Hook::emit('OC_User', 'post_addToGroup', ['uid' => $user->getUID(), 'gid' => $group->getGID()]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new UserAddedEvent($group, $user));
});
$groupManager->listen('\OC\Group', 'preRemoveUser', function (\OC\Group\Group $group, \OC\User\User $user) {
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new BeforeUserRemovedEvent($group, $user));
});
$groupManager->listen('\OC\Group', 'postRemoveUser', function (\OC\Group\Group $group, \OC\User\User $user) {
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new UserRemovedEvent($group, $user));
});
return $groupManager;
2014-07-16 16:25:31 +04:00
});
$this->registerDeprecatedAlias('GroupManager', \OCP\IGroupManager::class);
2017-08-24 17:21:50 +03:00
$this->registerService(Store::class, function (Server $c) {
$session = $c->getSession();
if (\OC::$server->getSystemConfig()->getValue('installed', false)) {
$tokenProvider = $c->query(IProvider::class);
} else {
$tokenProvider = null;
}
$logger = $c->getLogger();
return new Store($session, $logger, $tokenProvider);
});
$this->registerAlias(IStore::class, Store::class);
$this->registerService(Authentication\Token\DefaultTokenMapper::class, function (Server $c) {
$dbConnection = $c->getDatabaseConnection();
return new Authentication\Token\DefaultTokenMapper($dbConnection);
});
$this->registerAlias(IProvider::class, Authentication\Token\Manager::class);
$this->registerService(\OC\User\Session::class, function (Server $c) {
$manager = $c->getUserManager();
$session = new \OC\Session\Memory('');
2016-05-02 20:58:19 +03:00
$timeFactory = new TimeFactory();
2016-04-27 13:01:13 +03:00
// Token providers might require a working database. This code
// might however be called when ownCloud is not yet setup.
if (\OC::$server->getSystemConfig()->getValue('installed', false)) {
$defaultTokenProvider = $c->query(IProvider::class);
2016-04-27 13:01:13 +03:00
} else {
$defaultTokenProvider = null;
}
2016-06-24 18:53:37 +03:00
$legacyDispatcher = $c->getEventDispatcher();
$userSession = new \OC\User\Session(
$manager,
$session,
$timeFactory,
$defaultTokenProvider,
$c->getConfig(),
$c->getSecureRandom(),
$c->getLockdownManager(),
$c->getLogger(),
$c->query(IEventDispatcher::class)
);
2013-09-20 14:45:56 +04:00
$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
\OC_Hook::emit('OC_User', 'pre_createUser', ['run' => true, 'uid' => $uid, 'password' => $password]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new BeforeUserCreatedEvent($uid, $password));
2013-09-20 14:45:56 +04:00
});
$userSession->listen('\OC\User', 'postCreateUser', function ($user, $password) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_createUser', ['uid' => $user->getUID(), 'password' => $password]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new UserCreatedEvent($user, $password));
2013-09-20 14:45:56 +04:00
});
$userSession->listen('\OC\User', 'preDelete', function ($user) use ($legacyDispatcher) {
2013-09-20 14:45:56 +04:00
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'pre_deleteUser', ['run' => true, 'uid' => $user->getUID()]);
$legacyDispatcher->dispatch('OCP\IUser::preDelete', new GenericEvent($user));
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new BeforeUserDeletedEvent($user));
2013-09-20 14:45:56 +04:00
});
$userSession->listen('\OC\User', 'postDelete', function ($user) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_deleteUser', ['uid' => $user->getUID()]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new UserDeletedEvent($user));
2013-09-20 14:45:56 +04:00
});
$userSession->listen('\OC\User', 'preSetPassword', function ($user, $password, $recoveryPassword) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'pre_setPassword', ['run' => true, 'uid' => $user->getUID(), 'password' => $password, 'recoveryPassword' => $recoveryPassword]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new BeforePasswordUpdatedEvent($user, $password, $recoveryPassword));
2013-09-20 14:45:56 +04:00
});
$userSession->listen('\OC\User', 'postSetPassword', function ($user, $password, $recoveryPassword) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_setPassword', ['run' => true, 'uid' => $user->getUID(), 'password' => $password, 'recoveryPassword' => $recoveryPassword]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new PasswordUpdatedEvent($user, $password, $recoveryPassword));
2013-09-20 14:45:56 +04:00
});
$userSession->listen('\OC\User', 'preLogin', function ($uid, $password) {
\OC_Hook::emit('OC_User', 'pre_login', ['run' => true, 'uid' => $uid, 'password' => $password]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new BeforeUserLoggedInEvent($uid, $password));
2013-09-20 14:45:56 +04:00
});
$userSession->listen('\OC\User', 'postLogin', function ($user, $password, $isTokenLogin) {
2013-09-20 14:45:56 +04:00
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_login', ['run' => true, 'uid' => $user->getUID(), 'password' => $password, 'isTokenLogin' => $isTokenLogin]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new UserLoggedInEvent($user, $password, $isTokenLogin));
});
$userSession->listen('\OC\User', 'preRememberedLogin', function ($uid) {
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new BeforeUserLoggedInWithCookieEvent($uid));
2013-09-20 14:45:56 +04:00
});
$userSession->listen('\OC\User', 'postRememberedLogin', function ($user, $password) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_login', ['run' => true, 'uid' => $user->getUID(), 'password' => $password]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new UserLoggedInWithCookieEvent($user, $password));
});
$userSession->listen('\OC\User', 'logout', function ($user) {
\OC_Hook::emit('OC_User', 'logout', []);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new BeforeUserLoggedOutEvent($user));
});
$userSession->listen('\OC\User', 'postLogout', function ($user) {
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new UserLoggedOutEvent($user));
2013-09-20 14:45:56 +04:00
});
$userSession->listen('\OC\User', 'changeUser', function ($user, $feature, $value, $oldValue) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'changeUser', ['run' => true, 'user' => $user, 'feature' => $feature, 'value' => $value, 'old_value' => $oldValue]);
/** @var IEventDispatcher $dispatcher */
$dispatcher = $this->query(IEventDispatcher::class);
$dispatcher->dispatchTyped(new UserChangedEvent($user, $feature, $value, $oldValue));
});
2013-09-20 14:45:56 +04:00
return $userSession;
});
$this->registerAlias(\OCP\IUserSession::class, \OC\User\Session::class);
$this->registerDeprecatedAlias('UserSession', \OC\User\Session::class);
2016-05-11 12:23:25 +03:00
$this->registerAlias(\OCP\Authentication\TwoFactorAuth\IRegistry::class, \OC\Authentication\TwoFactorAuth\Registry::class);
2016-05-11 12:23:25 +03:00
$this->registerAlias(INavigationManager::class, \OC\NavigationManager::class);
$this->registerDeprecatedAlias('NavigationManager', INavigationManager::class);
$this->registerService(\OC\AllConfig::class, function (Server $c) {
return new \OC\AllConfig(
$c->getSystemConfig()
);
});
$this->registerDeprecatedAlias('AllConfig', \OC\AllConfig::class);
$this->registerAlias(\OCP\IConfig::class, \OC\AllConfig::class);
$this->registerService(\OC\SystemConfig::class, function ($c) use ($config) {
2015-12-18 13:24:15 +03:00
return new \OC\SystemConfig($config);
});
$this->registerDeprecatedAlias('SystemConfig', \OC\SystemConfig::class);
$this->registerService(\OC\AppConfig::class, function (Server $c) {
2016-01-07 12:26:00 +03:00
return new \OC\AppConfig($c->getDatabaseConnection());
});
$this->registerDeprecatedAlias('AppConfig', \OC\AppConfig::class);
$this->registerAlias(IAppConfig::class, \OC\AppConfig::class);
$this->registerService(IFactory::class, function (Server $c) {
return new \OC\L10N\Factory(
$c->getConfig(),
$c->getRequest(),
$c->getUserSession(),
\OC::$SERVERROOT
);
2013-09-25 20:34:01 +04:00
});
$this->registerDeprecatedAlias('L10NFactory', IFactory::class);
$this->registerService(IURLGenerator::class, function (Server $c) {
$config = $c->getConfig();
$cacheFactory = $c->getMemCacheFactory();
$request = $c->getRequest();
return new \OC\URLGenerator(
$config,
$cacheFactory,
$request
);
});
$this->registerDeprecatedAlias('URLGenerator', IURLGenerator::class);
$this->registerDeprecatedAlias('AppFetcher', AppFetcher::class);
$this->registerDeprecatedAlias('CategoryFetcher', CategoryFetcher::class);
$this->registerService(ICache::class, function ($c) {
return new Cache\File();
});
$this->registerDeprecatedAlias('UserCache', ICache::class);
$this->registerService(Factory::class, function (Server $c) {
$arrayCacheFactory = new \OC\Memcache\Factory('', $c->getLogger(),
ArrayCache::class,
ArrayCache::class,
ArrayCache::class
);
$config = $c->getConfig();
2015-12-03 16:10:05 +03:00
if ($config->getSystemValue('installed', false) && !(defined('PHPUNIT_RUN') && PHPUNIT_RUN)) {
$v = \OC_App::getAppVersions();
$v['core'] = implode(',', \OC_Util::getVersion());
$version = implode(',', $v);
$instanceId = \OC_Util::getInstanceId();
$path = \OC::$SERVERROOT;
$prefix = md5($instanceId . '-' . $version . '-' . $path);
return new \OC\Memcache\Factory($prefix, $c->getLogger(),
$config->getSystemValue('memcache.local', null),
$config->getSystemValue('memcache.distributed', null),
$config->getSystemValue('memcache.locking', null)
);
}
return $arrayCacheFactory;
2014-01-06 15:55:56 +04:00
});
$this->registerDeprecatedAlias('MemCacheFactory', Factory::class);
$this->registerAlias(ICacheFactory::class, Factory::class);
$this->registerService('RedisFactory', function (Server $c) {
$systemConfig = $c->getSystemConfig();
return new RedisFactory($systemConfig);
});
$this->registerService(\OCP\Activity\IManager::class, function (Server $c) {
2016-05-02 12:57:24 +03:00
return new \OC\Activity\Manager(
$c->getRequest(),
$c->getUserSession(),
$c->getConfig(),
$c->query(IValidator::class)
);
});
$this->registerDeprecatedAlias('ActivityManager', \OCP\Activity\IManager::class);
$this->registerService(\OCP\Activity\IEventMerger::class, function (Server $c) {
return new \OC\Activity\EventMerger(
$c->getL10N('lib')
);
});
$this->registerAlias(IValidator::class, Validator::class);
$this->registerService(AvatarManager::class, function (Server $c) {
return new AvatarManager(
$c->query(\OC\User\Manager::class),
$c->getAppDataDir('avatar'),
$c->getL10N('lib'),
$c->getLogger(),
$c->getConfig()
);
2013-09-20 13:46:11 +04:00
});
$this->registerAlias(IAvatarManager::class, AvatarManager::class);
$this->registerDeprecatedAlias('AvatarManager', AvatarManager::class);
$this->registerAlias(\OCP\Support\CrashReport\IRegistry::class, \OC\Support\CrashReport\Registry::class);
$this->registerAlias(\OCP\Support\Subscription\IRegistry::class, \OC\Support\Subscription\Registry::class);
$this->registerService(\OC\Log::class, function (Server $c) {
$logType = $c->query(AllConfig::class)->getSystemValue('log_type', 'file');
$factory = new LogFactory($c, $this->getSystemConfig());
$logger = $factory->get($logType);
$registry = $c->query(\OCP\Support\CrashReport\IRegistry::class);
return new Log($logger, $this->getSystemConfig(), null, $registry);
});
$this->registerAlias(ILogger::class, \OC\Log::class);
$this->registerDeprecatedAlias('Logger', \OC\Log::class);
// PSR-3 logger
$this->registerAlias(LoggerInterface::class, PsrLoggerAdapter::class);
$this->registerService(ILogFactory::class, function (Server $c) {
return new LogFactory($c, $this->getSystemConfig());
});
$this->registerService(IJobList::class, function (Server $c) {
$config = $c->getConfig();
return new \OC\BackgroundJob\JobList(
$c->getDatabaseConnection(),
$config,
new TimeFactory()
);
});
$this->registerDeprecatedAlias('JobList', IJobList::class);
$this->registerService(IRouter::class, function (Server $c) {
$cacheFactory = $c->getMemCacheFactory();
2015-11-27 15:51:20 +03:00
$logger = $c->getLogger();
if ($cacheFactory->isLocalCacheAvailable()) {
$router = new \OC\Route\CachingRouter($cacheFactory->createLocal('route'), $logger);
} else {
2015-11-27 15:51:20 +03:00
$router = new \OC\Route\Router($logger);
}
return $router;
});
$this->registerDeprecatedAlias('Router', IRouter::class);
$this->registerService(ISearch::class, function ($c) {
return new Search();
});
$this->registerDeprecatedAlias('Search', ISearch::class);
2017-08-24 17:21:50 +03:00
$this->registerService(\OC\Security\RateLimiting\Backend\IBackend::class, function ($c) {
return new \OC\Security\RateLimiting\Backend\MemoryCache(
$this->getMemCacheFactory(),
new \OC\AppFramework\Utility\TimeFactory()
);
});
$this->registerService(\OCP\Security\ISecureRandom::class, function ($c) {
return new SecureRandom();
});
$this->registerDeprecatedAlias('SecureRandom', \OCP\Security\ISecureRandom::class);
$this->registerService(ICrypto::class, function (Server $c) {
return new Crypto($c->getConfig(), $c->getSecureRandom());
});
$this->registerDeprecatedAlias('Crypto', ICrypto::class);
$this->registerService(IHasher::class, function (Server $c) {
return new Hasher($c->getConfig());
});
$this->registerDeprecatedAlias('Hasher', IHasher::class);
$this->registerService(ICredentialsManager::class, function (Server $c) {
return new CredentialsManager($c->getCrypto(), $c->getDatabaseConnection());
});
$this->registerDeprecatedAlias('CredentialsManager', ICredentialsManager::class);
$this->registerService(IDBConnection::class, function (Server $c) {
$systemConfig = $c->getSystemConfig();
$factory = new \OC\DB\ConnectionFactory($systemConfig);
$type = $systemConfig->getValue('dbtype', 'sqlite');
if (!$factory->isValidType($type)) {
throw new \OC\DatabaseException('Invalid database type');
}
$connectionParams = $factory->createConnectionParams();
$connection = $factory->getConnection($type, $connectionParams);
$connection->getConfiguration()->setSQLLogger($c->getQueryLogger());
return $connection;
});
$this->registerDeprecatedAlias('DatabaseConnection', IDBConnection::class);
$this->registerService(IClientService::class, function (Server $c) {
2015-03-16 13:28:23 +03:00
$user = \OC_User::getUser();
$uid = $user ? $user : null;
return new ClientService(
$c->getConfig(),
$c->getLogger(),
new \OC\Security\CertificateManager(
$uid,
new View(),
$c->getConfig(),
$c->getLogger(),
$c->getSecureRandom()
)
2015-03-16 13:28:23 +03:00
);
});
$this->registerDeprecatedAlias('HttpClientService', IClientService::class);
$this->registerService(IEventLogger::class, function (Server $c) {
$eventLogger = new EventLogger();
if ($c->getSystemConfig()->getValue('debug', false)) {
// In debug mode, module is being activated by default
$eventLogger->activate();
}
return $eventLogger;
});
$this->registerDeprecatedAlias('EventLogger', IEventLogger::class);
$this->registerService(IQueryLogger::class, function (Server $c) {
$queryLogger = new QueryLogger();
if ($c->getSystemConfig()->getValue('debug', false)) {
// In debug mode, module is being activated by default
$queryLogger->activate();
}
return $queryLogger;
});
$this->registerDeprecatedAlias('QueryLogger', IQueryLogger::class);
$this->registerService(TempManager::class, function (Server $c) {
return new TempManager(
$c->getLogger(),
$c->getConfig()
);
});
$this->registerDeprecatedAlias('TempManager', TempManager::class);
$this->registerAlias(ITempManager::class, TempManager::class);
$this->registerService(AppManager::class, function (Server $c) {
return new \OC\App\AppManager(
$c->getUserSession(),
$c->getConfig(),
$c->query(\OC\AppConfig::class),
$c->getGroupManager(),
$c->getMemCacheFactory(),
$c->getEventDispatcher(),
$c->getLogger()
);
});
$this->registerDeprecatedAlias('AppManager', AppManager::class);
$this->registerAlias(IAppManager::class, AppManager::class);
$this->registerService(IDateTimeZone::class, function (Server $c) {
2014-12-16 17:34:55 +03:00
return new DateTimeZone(
$c->getConfig(),
$c->getSession()
);
});
$this->registerDeprecatedAlias('DateTimeZone', IDateTimeZone::class);
$this->registerService(IDateTimeFormatter::class, function (Server $c) {
$language = $c->getConfig()->getUserValue($c->getSession()->get('user_id'), 'core', 'lang', null);
2014-12-16 17:34:55 +03:00
return new DateTimeFormatter(
$c->getDateTimeZone()->getTimeZone(),
$c->getL10N('lib', $language)
);
});
$this->registerDeprecatedAlias('DateTimeFormatter', IDateTimeFormatter::class);
$this->registerService(IUserMountCache::class, function (Server $c) {
2015-12-03 16:10:05 +03:00
$mountCache = new UserMountCache($c->getDatabaseConnection(), $c->getUserManager(), $c->getLogger());
$listener = new UserMountCacheListener($mountCache);
$listener->listen($c->getUserManager());
return $mountCache;
});
$this->registerDeprecatedAlias('UserMountCache', IUserMountCache::class);
$this->registerService(IMountProviderCollection::class, function (Server $c) {
$loader = \OC\Files\Filesystem::getLoader();
$mountCache = $c->query(IUserMountCache::class);
2017-08-24 17:21:50 +03:00
$manager = new \OC\Files\Config\MountProviderCollection($loader, $mountCache);
// builtin providers
$config = $c->getConfig();
$manager->registerProvider(new CacheMountProvider($config));
$manager->registerHomeProvider(new LocalHomeMountProvider());
$manager->registerHomeProvider(new ObjectHomeMountProvider($config));
return $manager;
});
$this->registerDeprecatedAlias('MountConfigManager', IMountProviderCollection::class);
2014-12-05 21:56:29 +03:00
$this->registerService('IniWrapper', function ($c) {
return new IniGetWrapper();
2014-12-05 21:56:29 +03:00
});
$this->registerService('AsyncCommandBus', function (Server $c) {
2017-08-24 17:21:50 +03:00
$busClass = $c->getConfig()->getSystemValue('commandbus');
if ($busClass) {
list($app, $class) = explode('::', $busClass, 2);
if ($c->getAppManager()->isInstalled($app)) {
\OC_App::loadApp($app);
return $c->query($class);
} else {
throw new ServiceUnavailableException("The app providing the command bus ($app) is not enabled");
}
} else {
$jobList = $c->getJobList();
return new CronBus($jobList);
}
});
2015-02-17 00:12:47 +03:00
$this->registerService('TrustedDomainHelper', function ($c) {
return new TrustedDomainHelper($this->getConfig());
});
$this->registerService(Throttler::class, function (Server $c) {
return new Throttler(
$c->getDatabaseConnection(),
new TimeFactory(),
$c->getLogger(),
$c->getConfig()
);
});
$this->registerDeprecatedAlias('Throttler', Throttler::class);
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
$this->registerService('IntegrityCodeChecker', function (Server $c) {
// IConfig and IAppManager requires a working database. This code
// might however be called when ownCloud is not yet setup.
2017-08-24 17:21:50 +03:00
if (\OC::$server->getSystemConfig()->getValue('installed', false)) {
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
$config = $c->getConfig();
$appManager = $c->getAppManager();
} else {
$config = null;
$appManager = null;
}
return new Checker(
2017-08-24 17:21:50 +03:00
new EnvironmentHelper(),
new FileAccessHelper(),
new AppLocator(),
$config,
$c->getMemCacheFactory(),
$appManager,
$c->getTempManager(),
$c->getMimeTypeDetector()
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
);
});
$this->registerService(\OCP\IRequest::class, function ($c) {
if (isset($this['urlParams'])) {
$urlParams = $this['urlParams'];
} else {
$urlParams = [];
}
if (defined('PHPUNIT_RUN') && PHPUNIT_RUN
&& in_array('fakeinput', stream_get_wrappers())
) {
$stream = 'fakeinput://data';
} else {
$stream = 'php://input';
}
return new Request(
[
'get' => $_GET,
'post' => $_POST,
'files' => $_FILES,
'server' => $_SERVER,
'env' => $_ENV,
'cookies' => $_COOKIE,
'method' => (isset($_SERVER) && isset($_SERVER['REQUEST_METHOD']))
? $_SERVER['REQUEST_METHOD']
: '',
'urlParams' => $urlParams,
],
$this->getSecureRandom(),
$this->getConfig(),
$this->getCsrfTokenManager(),
$stream
);
});
$this->registerDeprecatedAlias('Request', \OCP\IRequest::class);
$this->registerService(IMailer::class, function (Server $c) {
2015-03-16 15:01:17 +03:00
return new Mailer(
$c->getConfig(),
$c->getLogger(),
$c->query(Defaults::class),
$c->getURLGenerator(),
$c->getL10N('lib'),
$c->query(IEventDispatcher::class),
$c->getL10NFactory()
2015-03-16 15:01:17 +03:00
);
});
$this->registerDeprecatedAlias('Mailer', IMailer::class);
2017-08-24 17:21:50 +03:00
$this->registerService('LDAPProvider', function (Server $c) {
2016-07-22 11:46:29 +03:00
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('ldapProviderFactory', null);
2017-08-24 17:21:50 +03:00
if (is_null($factoryClass)) {
2016-07-22 11:46:29 +03:00
throw new \Exception('ldapProviderFactory not set');
}
/** @var \OCP\LDAP\ILDAPProviderFactory $factory */
$factory = new $factoryClass($this);
return $factory->getLDAPProvider();
});
$this->registerService(ILockingProvider::class, function (Server $c) {
2016-03-24 16:07:43 +03:00
$ini = $c->getIniWrapper();
$config = $c->getConfig();
$ttl = $config->getSystemValue('filelocking.ttl', max(3600, $ini->getNumeric('max_execution_time')));
if ($config->getSystemValue('filelocking.enabled', true) or (defined('PHPUNIT_RUN') && PHPUNIT_RUN)) {
2015-05-21 17:11:10 +03:00
/** @var \OC\Memcache\Factory $memcacheFactory */
$memcacheFactory = $c->getMemCacheFactory();
$memcache = $memcacheFactory->createLocking('lock');
2015-09-02 17:55:37 +03:00
if (!($memcache instanceof \OC\Memcache\NullCache)) {
2016-03-24 16:07:43 +03:00
return new MemcacheLockingProvider($memcache, $ttl);
2015-09-02 17:55:37 +03:00
}
return new DBLockingProvider(
$c->getDatabaseConnection(),
$c->getLogger(),
new TimeFactory(),
$ttl,
!\OC::$CLI
);
2015-05-21 17:11:10 +03:00
}
return new NoopLockingProvider();
});
$this->registerDeprecatedAlias('LockingProvider', ILockingProvider::class);
$this->registerService(IMountManager::class, function () {
return new \OC\Files\Mount\Manager();
});
$this->registerDeprecatedAlias('MountManager', IMountManager::class);
$this->registerService(IMimeTypeDetector::class, function (Server $c) {
return new \OC\Files\Type\Detection(
$c->getURLGenerator(),
$c->getLogger(),
\OC::$configDir,
\OC::$SERVERROOT . '/resources/config/'
2015-12-03 16:10:05 +03:00
);
});
$this->registerDeprecatedAlias('MimeTypeDetector', IMimeTypeDetector::class);
$this->registerService(IMimeTypeLoader::class, function (Server $c) {
2015-09-03 21:48:42 +03:00
return new \OC\Files\Type\Loader(
$c->getDatabaseConnection()
);
});
$this->registerDeprecatedAlias('MimeTypeLoader', IMimeTypeLoader::class);
$this->registerService(BundleFetcher::class, function () {
return new BundleFetcher($this->getL10N('lib'));
});
$this->registerService(\OCP\Notification\IManager::class, function (Server $c) {
return new Manager(
$c->query(IValidator::class),
$c->getLogger()
);
2015-08-31 13:24:37 +03:00
});
$this->registerDeprecatedAlias('NotificationManager', \OCP\Notification\IManager::class);
$this->registerService(CapabilitiesManager::class, function (Server $c) {
$manager = new CapabilitiesManager($c->getLogger());
2015-12-03 16:10:05 +03:00
$manager->registerCapability(function () use ($c) {
return new \OC\OCS\CoreCapabilities($c->getConfig());
2015-07-21 22:44:59 +03:00
});
$manager->registerCapability(function () use ($c) {
return $c->query(\OC\Security\Bruteforce\Capabilities::class);
});
2015-07-21 22:44:59 +03:00
return $manager;
});
$this->registerDeprecatedAlias('CapabilitiesManager', CapabilitiesManager::class);
$this->registerService(ICommentsManager::class, function (Server $c) {
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('comments.managerFactory', CommentsManagerFactory::class);
/** @var \OCP\Comments\ICommentsManagerFactory $factory */
$factory = new $factoryClass($this);
$manager = $factory->getManager();
$manager->registerDisplayNameResolver('user', function ($id) use ($c) {
$manager = $c->getUserManager();
$user = $manager->get($id);
if (is_null($user)) {
$l = $c->getL10N('core');
$displayName = $l->t('Unknown user');
} else {
$displayName = $user->getDisplayName();
}
return $displayName;
});
return $manager;
});
$this->registerDeprecatedAlias('CommentsManager', ICommentsManager::class);
2017-08-24 17:21:50 +03:00
$this->registerService('ThemingDefaults', function (Server $c) {
/*
* Dark magic for autoloader.
* If we do a class_exists it will try to load the class which will
* make composer cache the result. Resulting in errors when enabling
* the theming app.
*/
$prefixes = \OC::$composerAutoloader->getPrefixesPsr4();
if (isset($prefixes['OCA\\Theming\\'])) {
$classExists = true;
} else {
2016-07-22 17:49:33 +03:00
$classExists = false;
}
if ($classExists && $c->getConfig()->getSystemValue('installed', false) && $c->getAppManager()->isInstalled('theming') && $c->getTrustedDomainHelper()->isTrustedDomain($c->getRequest()->getInsecureServerHost())) {
return new ThemingDefaults(
$c->getConfig(),
$c->getL10N('theming'),
$c->getURLGenerator(),
$c->getMemCacheFactory(),
new Util($c->getConfig(), $this->getAppManager(), $c->getAppDataDir('theming')),
new ImageManager($c->getConfig(), $c->getAppDataDir('theming'), $c->getURLGenerator(), $this->getMemCacheFactory(), $this->getLogger()),
$c->getAppManager(),
$c->getNavigationManager()
);
}
return new \OC_Defaults();
});
2017-08-24 17:21:50 +03:00
$this->registerService(SCSSCacher::class, function (Server $c) {
return new SCSSCacher(
$c->getLogger(),
$c->query(\OC\Files\AppData\Factory::class),
$c->getURLGenerator(),
$c->getConfig(),
$c->getThemingDefaults(),
\OC::$SERVERROOT,
$this->getMemCacheFactory(),
$c->query(IconsCacher::class),
new TimeFactory()
);
});
$this->registerService(JSCombiner::class, function (Server $c) {
return new JSCombiner(
$c->getAppDataDir('js'),
$c->getURLGenerator(),
$this->getMemCacheFactory(),
$c->getSystemConfig(),
$c->getLogger()
);
});
$this->registerAlias(\OCP\EventDispatcher\IEventDispatcher::class, \OC\EventDispatcher\EventDispatcher::class);
$this->registerDeprecatedAlias('EventDispatcher', \OC\EventDispatcher\SymfonyAdapter::class);
$this->registerAlias(EventDispatcherInterface::class, \OC\EventDispatcher\SymfonyAdapter::class);
$this->registerService('CryptoWrapper', function (Server $c) {
// FIXME: Instantiiated here due to cyclic dependency
$request = new Request(
[
'get' => $_GET,
'post' => $_POST,
'files' => $_FILES,
'server' => $_SERVER,
'env' => $_ENV,
'cookies' => $_COOKIE,
'method' => (isset($_SERVER) && isset($_SERVER['REQUEST_METHOD']))
? $_SERVER['REQUEST_METHOD']
: null,
],
$c->getSecureRandom(),
$c->getConfig()
);
return new CryptoWrapper(
$c->getConfig(),
$c->getCrypto(),
$c->getSecureRandom(),
$request
);
});
$this->registerService(CsrfTokenManager::class, function (Server $c) {
$tokenGenerator = new CsrfTokenGenerator($c->getSecureRandom());
return new CsrfTokenManager(
$tokenGenerator,
$c->query(SessionStorage::class)
);
});
$this->registerDeprecatedAlias('CsrfTokenManager', CsrfTokenManager::class);
$this->registerService(SessionStorage::class, function (Server $c) {
return new SessionStorage($c->getSession());
});
$this->registerAlias(\OCP\Security\IContentSecurityPolicyManager::class, ContentSecurityPolicyManager::class);
$this->registerDeprecatedAlias('ContentSecurityPolicyManager', ContentSecurityPolicyManager::class);
2017-08-24 17:21:50 +03:00
$this->registerService('ContentSecurityPolicyNonceManager', function (Server $c) {
return new ContentSecurityPolicyNonceManager(
$c->getCsrfTokenManager(),
$c->getRequest()
);
});
2017-08-24 17:21:50 +03:00
$this->registerService(\OCP\Share\IManager::class, function (Server $c) {
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('sharing.managerFactory', ProviderFactory::class);
2016-05-02 12:59:54 +03:00
/** @var \OCP\Share\IProviderFactory $factory */
2016-01-20 10:30:37 +03:00
$factory = new $factoryClass($this);
$manager = new \OC\Share20\Manager(
$c->getLogger(),
$c->getConfig(),
$c->getSecureRandom(),
$c->getHasher(),
$c->getMountManager(),
$c->getGroupManager(),
$c->getL10N('lib'),
$c->getL10NFactory(),
2016-02-02 23:02:09 +03:00
$factory,
$c->getUserManager(),
2016-06-24 18:53:37 +03:00
$c->getLazyRootFolder(),
$c->getEventDispatcher(),
$c->getMailer(),
$c->getURLGenerator(),
$c->getThemingDefaults(),
$c->query(IEventDispatcher::class)
);
return $manager;
});
$this->registerDeprecatedAlias('ShareManager', \OCP\Share\IManager::class);
$this->registerService(\OCP\Collaboration\Collaborators\ISearch::class, function (Server $c) {
$instance = new Collaboration\Collaborators\Search($c);
// register default plugins
$instance->registerPlugin(['shareType' => 'SHARE_TYPE_USER', 'class' => UserPlugin::class]);
$instance->registerPlugin(['shareType' => 'SHARE_TYPE_GROUP', 'class' => GroupPlugin::class]);
$instance->registerPlugin(['shareType' => 'SHARE_TYPE_EMAIL', 'class' => MailPlugin::class]);
$instance->registerPlugin(['shareType' => 'SHARE_TYPE_REMOTE', 'class' => RemotePlugin::class]);
$instance->registerPlugin(['shareType' => 'SHARE_TYPE_REMOTE_GROUP', 'class' => RemoteGroupPlugin::class]);
return $instance;
});
$this->registerDeprecatedAlias('CollaboratorSearch', \OCP\Collaboration\Collaborators\ISearch::class);
$this->registerAlias(\OCP\Collaboration\Collaborators\ISearchResult::class, \OC\Collaboration\Collaborators\SearchResult::class);
$this->registerAlias(\OCP\Collaboration\AutoComplete\IManager::class, \OC\Collaboration\AutoComplete\Manager::class);
$this->registerAlias(\OCP\Collaboration\Resources\IProviderManager::class, \OC\Collaboration\Resources\ProviderManager::class);
$this->registerAlias(\OCP\Collaboration\Resources\IManager::class, \OC\Collaboration\Resources\Manager::class);
2017-08-24 17:21:50 +03:00
$this->registerService('SettingsManager', function (Server $c) {
$manager = new \OC\Settings\Manager(
$c->getLogger(),
$c->getL10NFactory(),
$c->getURLGenerator(),
$c
);
return $manager;
});
$this->registerService(\OC\Files\AppData\Factory::class, function (Server $c) {
return new \OC\Files\AppData\Factory(
$c->getRootFolder(),
$c->getSystemConfig()
);
});
$this->registerService('LockdownManager', function (Server $c) {
2017-08-24 17:21:50 +03:00
return new LockdownManager(function () use ($c) {
return $c->getSession();
});
});
$this->registerService(\OCP\OCS\IDiscoveryService::class, function (Server $c) {
return new DiscoveryService($c->getMemCacheFactory(), $c->getHTTPClientService());
});
$this->registerService(ICloudIdManager::class, function (Server $c) {
return new CloudIdManager();
});
$this->registerService(IConfig::class, function (Server $c) {
return new GlobalScale\Config($c->getConfig());
});
$this->registerService(ICloudFederationProviderManager::class, function (Server $c) {
return new CloudFederationProviderManager($c->getAppManager(), $c->getHTTPClientService(), $c->getCloudIdManager(), $c->getLogger());
});
$this->registerService(ICloudFederationFactory::class, function (Server $c) {
return new CloudFederationFactory();
});
$this->registerAlias(\OCP\AppFramework\Utility\IControllerMethodReflector::class, \OC\AppFramework\Utility\ControllerMethodReflector::class);
$this->registerDeprecatedAlias('ControllerMethodReflector', \OCP\AppFramework\Utility\IControllerMethodReflector::class);
$this->registerAlias(\OCP\AppFramework\Utility\ITimeFactory::class, \OC\AppFramework\Utility\TimeFactory::class);
$this->registerDeprecatedAlias('TimeFactory', \OCP\AppFramework\Utility\ITimeFactory::class);
$this->registerService(Defaults::class, function (Server $c) {
return new Defaults(
$c->getThemingDefaults()
);
});
$this->registerDeprecatedAlias('Defaults', \OCP\Defaults::class);
2017-08-24 17:21:50 +03:00
$this->registerService(\OCP\ISession::class, function (SimpleContainer $c) {
return $c->query(\OCP\IUserSession::class)->getSession();
});
2017-08-24 17:21:50 +03:00
$this->registerService(IShareHelper::class, function (Server $c) {
return new ShareHelper(
$c->query(\OCP\Share\IManager::class)
);
});
$this->registerService(Installer::class, function (Server $c) {
return new Installer(
$c->getAppFetcher(),
$c->getHTTPClientService(),
$c->getTempManager(),
$c->getLogger(),
$c->getConfig(),
\OC::$CLI
);
});
$this->registerService(IApiFactory::class, function (Server $c) {
return new ApiFactory($c->getHTTPClientService());
});
$this->registerService(IInstanceFactory::class, function (Server $c) {
$memcacheFactory = $c->getMemCacheFactory();
return new InstanceFactory($memcacheFactory->createLocal('remoteinstance.'), $c->getHTTPClientService());
});
$this->registerService(IContactsStore::class, function (Server $c) {
return new ContactsStore(
$c->getContactsManager(),
$c->getConfig(),
$c->getUserManager(),
$c->getGroupManager()
);
});
$this->registerAlias(IContactsStore::class, ContactsStore::class);
$this->registerAlias(IAccountManager::class, AccountManager::class);
$this->registerService(IStorageFactory::class, function () {
return new StorageFactory();
});
$this->registerAlias(IDashboardManager::class, DashboardManager::class);
$this->registerAlias(IFullTextSearchManager::class, FullTextSearchManager::class);
$this->registerAlias(ISubAdmin::class, SubAdmin::class);
$this->registerAlias(IInitialStateService::class, InitialStateService::class);
$this->connectDispatcher();
}
/**
* @return \OCP\Calendar\IManager
*/
public function getCalendarManager() {
return $this->query(\OC\Calendar\Manager::class);
}
/**
* @return \OCP\Calendar\Resource\IManager
*/
public function getCalendarResourceBackendManager() {
return $this->query(\OC\Calendar\Resource\Manager::class);
}
/**
* @return \OCP\Calendar\Room\IManager
*/
public function getCalendarRoomBackendManager() {
return $this->query(\OC\Calendar\Room\Manager::class);
}
private function connectDispatcher() {
$dispatcher = $this->getEventDispatcher();
// Delete avatar on user deletion
$dispatcher->addListener('OCP\IUser::preDelete', function (GenericEvent $e) {
$logger = $this->getLogger();
$manager = $this->getAvatarManager();
/** @var IUser $user */
$user = $e->getSubject();
try {
$avatar = $manager->getAvatar($user->getUID());
$avatar->remove();
} catch (NotFoundException $e) {
// no avatar to remove
} catch (\Exception $e) {
// Ignore exceptions
$logger->info('Could not cleanup avatar of ' . $user->getUID());
}
});
$dispatcher->addListener('OCP\IUser::changeUser', function (GenericEvent $e) {
$manager = $this->getAvatarManager();
/** @var IUser $user */
$user = $e->getSubject();
$feature = $e->getArgument('feature');
$oldValue = $e->getArgument('oldValue');
$value = $e->getArgument('value');
// We only change the avatar on display name changes
if ($feature !== 'displayName') {
return;
}
try {
$avatar = $manager->getAvatar($user->getUID());
$avatar->userChanged($feature, $oldValue, $value);
} catch (NotFoundException $e) {
// no avatar to remove
}
});
/** @var IEventDispatcher $eventDispatched */
$eventDispatched = $this->query(IEventDispatcher::class);
$eventDispatched->addServiceListener(LoginFailed::class, LoginFailedListener::class);
}
/**
* @return \OCP\Contacts\IManager
*/
public function getContactsManager() {
return $this->query(\OCP\Contacts\IManager::class);
}
/**
* @return \OC\Encryption\Manager
*/
public function getEncryptionManager() {
return $this->query(\OCP\Encryption\IManager::class);
}
/**
* @return \OC\Encryption\File
*/
public function getEncryptionFilesHelper() {
return $this->query('EncryptionFileHelper');
}
/**
* @return \OCP\Encryption\Keys\IStorage
*/
public function getEncryptionKeyStorage() {
return $this->query('EncryptionKeyStorage');
}
/**
* The current request object holding all information about the request
* currently being processed is returned from this method.
* In case the current execution was not initiated by a web request null is returned
*
2015-04-01 13:13:49 +03:00
* @return \OCP\IRequest
*/
public function getRequest() {
return $this->query(IRequest::class);
}
2013-09-05 01:45:11 +04:00
/**
* Returns the preview manager which can create preview images for a given file
*
* @return IPreview
2013-09-05 01:45:11 +04:00
*/
public function getPreviewManager() {
return $this->query(IPreview::class);
2013-09-05 01:45:11 +04:00
}
/**
* Returns the tag manager which can get and set tags for different object types
*
* @see \OCP\ITagManager::load()
* @return ITagManager
*/
public function getTagManager() {
return $this->query(ITagManager::class);
}
/**
* Returns the system-tag manager
*
* @return ISystemTagManager
*
* @since 9.0.0
*/
public function getSystemTagManager() {
return $this->query(ISystemTagManager::class);
}
/**
* Returns the system-tag object mapper
*
* @return ISystemTagObjectMapper
*
* @since 9.0.0
*/
public function getSystemTagObjectMapper() {
return $this->query(ISystemTagObjectMapper::class);
}
2013-09-20 13:46:11 +04:00
/**
* Returns the avatar manager, used for avatar functionality
*
* @return IAvatarManager
2013-09-20 13:46:11 +04:00
*/
public function getAvatarManager() {
return $this->query(IAvatarManager::class);
2013-09-20 13:46:11 +04:00
}
/**
* Returns the root folder of ownCloud's data directory
*
* @return IRootFolder
*/
public function getRootFolder() {
return $this->query(IRootFolder::class);
}
2016-03-11 16:00:36 +03:00
/**
* Returns the root folder of ownCloud's data directory
* This is the lazy variant so this gets only initialized once it
* is actually used.
*
* @return IRootFolder
2016-03-11 16:00:36 +03:00
*/
public function getLazyRootFolder() {
return $this->query(IRootFolder::class);
2016-03-11 16:00:36 +03:00
}
2013-09-18 16:25:12 +04:00
/**
* Returns a view to ownCloud's files folder
*
* @param string $userId user ID
* @return \OCP\Files\Folder|null
2013-09-18 16:25:12 +04:00
*/
public function getUserFolder($userId = null) {
if ($userId === null) {
$user = $this->getUserSession()->getUser();
if (!$user) {
return null;
}
$userId = $user->getUID();
}
2013-09-18 16:25:12 +04:00
$root = $this->getRootFolder();
return $root->getUserFolder($userId);
2013-09-18 16:25:12 +04:00
}
/**
* Returns an app-specific view in ownClouds data directory
*
* @return \OCP\Files\Folder
* @deprecated since 9.2.0 use IAppData
2013-09-18 16:25:12 +04:00
*/
public function getAppFolder() {
2014-07-22 21:45:01 +04:00
$dir = '/' . \OC_App::getCurrentApp();
2013-09-18 16:25:12 +04:00
$root = $this->getRootFolder();
2014-07-16 16:25:31 +04:00
if (!$root->nodeExists($dir)) {
2013-09-18 16:25:12 +04:00
$folder = $root->newFolder($dir);
} else {
$folder = $root->get($dir);
}
return $folder;
}
2013-09-20 14:45:56 +04:00
/**
* @return \OC\User\Manager
*/
public function getUserManager() {
return $this->query(IUserManager::class);
2013-09-20 14:45:56 +04:00
}
2014-07-16 16:25:31 +04:00
/**
* @return \OC\Group\Manager
*/
public function getGroupManager() {
return $this->query(IGroupManager::class);
2014-07-16 16:25:31 +04:00
}
2013-09-20 14:45:56 +04:00
/**
* @return \OC\User\Session
*/
public function getUserSession() {
return $this->query(IUserSession::class);
2013-09-20 14:45:56 +04:00
}
/**
* @return \OCP\ISession
*/
public function getSession() {
return $this->getUserSession()->getSession();
}
/**
* @param \OCP\ISession $session
*/
public function setSession(\OCP\ISession $session) {
$this->query(SessionStorage::class)->setSession($session);
$this->getUserSession()->setSession($session);
$this->query(Store::class)->setSession($session);
}
2016-05-11 12:23:25 +03:00
/**
* @return \OC\Authentication\TwoFactorAuth\Manager
*/
public function getTwoFactorAuthManager() {
return $this->query(\OC\Authentication\TwoFactorAuth\Manager::class);
2016-05-11 12:23:25 +03:00
}
/**
* @return \OC\NavigationManager
*/
public function getNavigationManager() {
return $this->query(INavigationManager::class);
}
/**
* @return \OCP\IConfig
*/
public function getConfig() {
return $this->query(AllConfig::class);
}
/**
* @return \OC\SystemConfig
*/
public function getSystemConfig() {
return $this->query(SystemConfig::class);
}
/**
* Returns the app config manager
*
* @return IAppConfig
*/
public function getAppConfig() {
return $this->query(IAppConfig::class);
}
/**
* @return IFactory
*/
public function getL10NFactory() {
return $this->query(IFactory::class);
}
2013-09-25 20:34:01 +04:00
/**
* get an L10N instance
2014-07-16 16:25:31 +04:00
*
2014-03-01 00:03:43 +04:00
* @param string $app appid
2014-08-31 12:05:59 +04:00
* @param string $lang
* @return IL10N
2013-09-25 20:34:01 +04:00
*/
public function getL10N($app, $lang = null) {
return $this->getL10NFactory()->get($app, $lang);
2013-09-25 20:34:01 +04:00
}
/**
* @return IURLGenerator
*/
public function getURLGenerator() {
return $this->query(IURLGenerator::class);
}
/**
* @return AppFetcher
*/
public function getAppFetcher() {
return $this->query(AppFetcher::class);
}
/**
* Returns an ICache instance. Since 8.1.0 it returns a fake cache. Use
* getMemCacheFactory() instead.
*
* @return ICache
* @deprecated 8.1.0 use getMemCacheFactory to obtain a proper cache
*/
public function getCache() {
return $this->query(ICache::class);
}
2014-01-06 15:55:56 +04:00
/**
2014-01-08 18:51:40 +04:00
* Returns an \OCP\CacheFactory instance
2014-01-06 15:55:56 +04:00
*
* @return \OCP\ICacheFactory
2014-01-06 15:55:56 +04:00
*/
public function getMemCacheFactory() {
return $this->query(Factory::class);
2014-01-06 15:55:56 +04:00
}
/**
* Returns an \OC\RedisFactory instance
*
* @return \OC\RedisFactory
*/
public function getGetRedisFactory() {
return $this->query('RedisFactory');
}
/**
* Returns the current session
2013-09-20 16:33:45 +04:00
*
* @return \OCP\IDBConnection
*/
public function getDatabaseConnection() {
return $this->query(IDBConnection::class);
2013-09-20 16:33:45 +04:00
}
/**
* Returns the activity manager
*
* @return \OCP\Activity\IManager
*/
public function getActivityManager() {
return $this->query(\OCP\Activity\IManager::class);
2013-09-20 16:33:45 +04:00
}
/**
* Returns an job list for controlling background jobs
*
* @return IJobList
*/
public function getJobList() {
return $this->query(IJobList::class);
}
/**
* Returns a logger instance
*
* @return ILogger
*/
public function getLogger() {
return $this->query(ILogger::class);
}
/**
* @return ILogFactory
* @throws \OCP\AppFramework\QueryException
*/
public function getLogFactory() {
return $this->query(ILogFactory::class);
}
/**
* Returns a router for generating and matching urls
*
* @return IRouter
*/
public function getRouter() {
return $this->query(IRouter::class);
}
2014-04-19 21:30:12 +04:00
/**
* Returns a search instance
2014-07-16 16:25:31 +04:00
*
* @return ISearch
*/
public function getSearch() {
return $this->query(ISearch::class);
}
2014-04-19 21:30:12 +04:00
/**
* Returns a SecureRandom instance
*
* @return \OCP\Security\ISecureRandom
*/
public function getSecureRandom() {
return $this->query(ISecureRandom::class);
}
/**
* Returns a Crypto instance
*
* @return ICrypto
*/
public function getCrypto() {
return $this->query(ICrypto::class);
}
/**
* Returns a Hasher instance
*
* @return IHasher
*/
public function getHasher() {
return $this->query(IHasher::class);
}
/**
* Returns a CredentialsManager instance
*
* @return ICredentialsManager
*/
public function getCredentialsManager() {
return $this->query(ICredentialsManager::class);
}
/**
* Get the certificate manager for the user
*
* @param string $userId (optional) if not specified the current loggedin user is used, use null to get the system certificate manager
2015-06-17 16:47:45 +03:00
* @return \OCP\ICertificateManager | null if $uid is null and no user is logged in
*/
public function getCertificateManager($userId = '') {
if ($userId === '') {
$userSession = $this->getUserSession();
$user = $userSession->getUser();
if (is_null($user)) {
return null;
}
$userId = $user->getUID();
}
return new CertificateManager(
$userId,
new View(),
$this->getConfig(),
$this->getLogger(),
$this->getSecureRandom()
);
}
2014-08-29 19:19:38 +04:00
2015-03-16 13:28:23 +03:00
/**
* Returns an instance of the HTTP client service
*
* @return IClientService
2015-03-16 13:28:23 +03:00
*/
public function getHTTPClientService() {
return $this->query(IClientService::class);
2015-03-16 13:28:23 +03:00
}
2014-08-29 19:19:38 +04:00
/**
2014-09-04 03:10:02 +04:00
* Create a new event source
2014-08-29 19:19:38 +04:00
*
* @return \OCP\IEventSource
*/
public function createEventSource() {
2014-08-29 19:19:38 +04:00
return new \OC_EventSource();
}
/**
* Get the active event logger
*
* The returned logger only logs data when debug mode is enabled
*
* @return IEventLogger
*/
public function getEventLogger() {
return $this->query(IEventLogger::class);
}
/**
* Get the active query logger
*
* The returned logger only logs data when debug mode is enabled
*
* @return IQueryLogger
*/
public function getQueryLogger() {
return $this->query(IQueryLogger::class);
}
/**
* Get the manager for temporary files and folders
*
* @return \OCP\ITempManager
*/
public function getTempManager() {
return $this->query(ITempManager::class);
}
/**
* Get the app manager
*
* @return \OCP\App\IAppManager
*/
public function getAppManager() {
return $this->query(IAppManager::class);
}
2014-11-27 16:36:11 +03:00
/**
* Creates a new mailer
*
* @return IMailer
*/
public function getMailer() {
return $this->query(IMailer::class);
}
2014-11-27 16:36:11 +03:00
/**
* Get the webroot
*
* @return string
*/
public function getWebRoot() {
2014-11-27 16:50:14 +03:00
return $this->webRoot;
2014-11-27 16:36:11 +03:00
}
/**
* @return \OC\OCSClient
*/
public function getOcsClient() {
return $this->query('OcsClient');
}
/**
* @return IDateTimeZone
*/
2014-12-16 17:34:55 +03:00
public function getDateTimeZone() {
return $this->query(IDateTimeZone::class);
2014-12-16 17:34:55 +03:00
}
/**
* @return IDateTimeFormatter
2014-12-16 17:34:55 +03:00
*/
public function getDateTimeFormatter() {
return $this->query(IDateTimeFormatter::class);
}
/**
* @return IMountProviderCollection
*/
2015-12-03 16:10:05 +03:00
public function getMountProviderCollection() {
return $this->query(IMountProviderCollection::class);
}
2014-12-05 21:56:29 +03:00
/**
* Get the IniWrapper
*
* @return IniGetWrapper
2014-12-05 21:56:29 +03:00
*/
public function getIniWrapper() {
return $this->query('IniWrapper');
2014-12-05 21:56:29 +03:00
}
2015-02-17 00:12:47 +03:00
/**
* @return \OCP\Command\IBus
*/
2015-12-03 16:10:05 +03:00
public function getCommandBus() {
return $this->query('AsyncCommandBus');
}
2015-02-17 00:12:47 +03:00
/**
* Get the trusted domain helper
*
* @return TrustedDomainHelper
*/
public function getTrustedDomainHelper() {
return $this->query('TrustedDomainHelper');
}
/**
* Get the locking provider
*
* @return ILockingProvider
* @since 8.1.0
*/
public function getLockingProvider() {
return $this->query(ILockingProvider::class);
}
/**
* @return IMountManager
**/
public function getMountManager() {
return $this->query(IMountManager::class);
}
/**
* @return IUserMountCache
*/
public function getUserMountCache() {
return $this->query(IUserMountCache::class);
}
2016-05-03 11:30:07 +03:00
/**
* Get the MimeTypeDetector
*
* @return IMimeTypeDetector
*/
public function getMimeTypeDetector() {
return $this->query(IMimeTypeDetector::class);
}
2015-09-03 21:48:42 +03:00
/**
* Get the MimeTypeLoader
*
* @return IMimeTypeLoader
2015-09-03 21:48:42 +03:00
*/
public function getMimeTypeLoader() {
return $this->query(IMimeTypeLoader::class);
2015-09-03 21:48:42 +03:00
}
/**
* Get the manager of all the capabilities
*
* @return CapabilitiesManager
*/
public function getCapabilitiesManager() {
return $this->query(CapabilitiesManager::class);
}
/**
* Get the EventDispatcher
*
* @return EventDispatcherInterface
* @since 8.2.0
* @deprecated 18.0.0 use \OCP\EventDispatcher\IEventDispatcher
*/
public function getEventDispatcher() {
return $this->query(\OC\EventDispatcher\SymfonyAdapter::class);
}
2015-08-31 13:24:37 +03:00
/**
* Get the Notification Manager
*
* @return \OCP\Notification\IManager
2015-08-31 13:24:37 +03:00
* @since 8.2.0
*/
public function getNotificationManager() {
return $this->query(\OCP\Notification\IManager::class);
2015-08-31 13:24:37 +03:00
}
/**
* @return ICommentsManager
*/
public function getCommentsManager() {
return $this->query(ICommentsManager::class);
}
/**
* @return \OCA\Theming\ThemingDefaults
*/
public function getThemingDefaults() {
return $this->query('ThemingDefaults');
}
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
/**
* @return \OC\IntegrityCheck\Checker
*/
public function getIntegrityCodeChecker() {
return $this->query('IntegrityCodeChecker');
}
/**
* @return \OC\Session\CryptoWrapper
*/
public function getSessionCryptoWrapper() {
return $this->query('CryptoWrapper');
}
/**
* @return CsrfTokenManager
*/
public function getCsrfTokenManager() {
return $this->query(CsrfTokenManager::class);
}
/**
* @return Throttler
*/
public function getBruteForceThrottler() {
return $this->query(Throttler::class);
}
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
2016-01-28 16:33:02 +03:00
/**
* @return IContentSecurityPolicyManager
*/
public function getContentSecurityPolicyManager() {
return $this->query(ContentSecurityPolicyManager::class);
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
2016-01-28 16:33:02 +03:00
}
/**
* @return ContentSecurityPolicyNonceManager
*/
public function getContentSecurityPolicyNonceManager() {
return $this->query('ContentSecurityPolicyNonceManager');
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\BackendService
*/
public function getStoragesBackendService() {
return $this->query(BackendService::class);
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\GlobalStoragesService
*/
public function getGlobalStoragesService() {
return $this->query(GlobalStoragesService::class);
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\UserGlobalStoragesService
*/
public function getUserGlobalStoragesService() {
return $this->query(UserGlobalStoragesService::class);
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\UserStoragesService
*/
public function getUserStoragesService() {
return $this->query(UserStoragesService::class);
}
/**
* @return \OCP\Share\IManager
*/
public function getShareManager() {
return $this->query(\OCP\Share\IManager::class);
}
2015-12-03 16:10:05 +03:00
/**
* @return \OCP\Collaboration\Collaborators\ISearch
*/
public function getCollaboratorSearch() {
return $this->query(\OCP\Collaboration\Collaborators\ISearch::class);
}
/**
* @return \OCP\Collaboration\AutoComplete\IManager
*/
public function getAutoCompleteManager() {
return $this->query(IManager::class);
}
2016-07-22 11:46:29 +03:00
/**
* Returns the LDAP Provider
*
* @return \OCP\LDAP\ILDAPProvider
*/
public function getLDAPProvider() {
return $this->query('LDAPProvider');
}
/**
* @return \OCP\Settings\IManager
*/
public function getSettingsManager() {
return $this->query('SettingsManager');
}
/**
* @return \OCP\Files\IAppData
*/
public function getAppDataDir($app) {
/** @var \OC\Files\AppData\Factory $factory */
$factory = $this->query(\OC\Files\AppData\Factory::class);
return $factory->get($app);
}
/**
* @return \OCP\Lockdown\ILockdownManager
*/
public function getLockdownManager() {
return $this->query('LockdownManager');
}
/**
* @return \OCP\Federation\ICloudIdManager
*/
public function getCloudIdManager() {
return $this->query(ICloudIdManager::class);
}
/**
* @return \OCP\GlobalScale\IConfig
*/
public function getGlobalScaleConfig() {
return $this->query(IConfig::class);
}
/**
* @return \OCP\Federation\ICloudFederationProviderManager
*/
public function getCloudFederationProviderManager() {
return $this->query(ICloudFederationProviderManager::class);
}
/**
* @return \OCP\Remote\Api\IApiFactory
*/
public function getRemoteApiFactory() {
return $this->query(IApiFactory::class);
}
/**
* @return \OCP\Federation\ICloudFederationFactory
*/
public function getCloudFederationFactory() {
return $this->query(ICloudFederationFactory::class);
}
/**
* @return \OCP\Remote\IInstanceFactory
*/
public function getRemoteInstanceFactory() {
return $this->query(IInstanceFactory::class);
}
/**
* @return IStorageFactory
*/
public function getStorageFactory() {
return $this->query(IStorageFactory::class);
}
/**
* Get the Preview GeneratorHelper
*
* @return GeneratorHelper
* @since 17.0.0
*/
public function getGeneratorHelper() {
return $this->query(\OC\Preview\GeneratorHelper::class);
}
private function registerDeprecatedAlias(string $alias, string $target) {
$this->registerService($alias, function (IContainer $container) use ($target, $alias) {
try {
/** @var ILogger $logger */
$logger = $container->query(ILogger::class);
$logger->debug('The requested alias "' . $alias . '" is depreacted. Please request "' . $target . '" directly. This alias will be removed in a future Nextcloud version.', ['app' => 'serverDI']);
} catch (QueryException $e) {
// Could not get logger. Continue
}
return $container->query($target);
}, false);
}
2013-08-21 02:58:15 +04:00
}