nextcloud/lib/private/security/certificatemanager.php

<?php
/**
 * Copyright (c) 2014 Robin Appelman <icewind@owncloud.com>
 * This file is licensed under the Affero General Public License version 3 or
 * later.
 * See the COPYING-README file.
 */

namespace OC\Security;

use OC\Files\Filesystem;
use OCP\ICertificateManager;

/**
 * Manage trusted certificates for users
 */
class CertificateManager implements ICertificateManager {
	/**
	 * @var string
	 */
	protected $uid;

	/**
	 * @var \OC\Files\View
	 */
	protected $view;

	/**
	 * @param string $uid
	 * @param \OC\Files\View $view relative zu data/
	 */
	public function __construct($uid, \OC\Files\View $view) {
		$this->uid = $uid;
		$this->view = $view;
	}

	/**
	 * Returns all certificates trusted by the user
	 *
	 * @return \OCP\ICertificate[]
	 */
	public function listCertificates() {
		$path = $this->getPathToCertificates() . 'uploads/';
		if (!$this->view->is_dir($path)) {
			return array();
		}
		$result = array();
		$handle = $this->view->opendir($path);
		if (!is_resource($handle)) {
			return array();
		}
		while (false !== ($file = readdir($handle))) {
			if ($file != '.' && $file != '..') {
				try {
					$result[] = new Certificate($this->view->file_get_contents($path . $file), $file);
				} catch(\Exception $e) {}
			}
		}
		closedir($handle);
		return $result;
	}

	/**
	 * create the certificate bundle of all trusted certificated
	 */
	public function createCertificateBundle() {
		$path = $this->getPathToCertificates();
		$certs = $this->listCertificates();

		$fh_certs = $this->view->fopen($path . '/rootcerts.crt', 'w');

		// Write user certificates
		foreach ($certs as $cert) {
			$file = $path . '/uploads/' . $cert->getName();
			$data = $this->view->file_get_contents($file);
			if (strpos($data, 'BEGIN CERTIFICATE')) {
				fwrite($fh_certs, $data);
				fwrite($fh_certs, "\r\n");
			}
		}

		// Append the default certificates
		$defaultCertificates = file_get_contents(\OC::$SERVERROOT . '/config/ca-bundle.crt');
		fwrite($fh_certs, $defaultCertificates);
		fclose($fh_certs);
	}

	/**
	 * Save the certificate and re-generate the certificate bundle
	 *
	 * @param string $certificate the certificate data
	 * @param string $name the filename for the certificate
	 * @return \OCP\ICertificate|void|bool
	 * @throws \Exception If the certificate could not get added
	 */
	public function addCertificate($certificate, $name) {
		if (!Filesystem::isValidPath($name) or Filesystem::isFileBlacklisted($name)) {
			return false;
		}

		$dir = $this->getPathToCertificates() . 'uploads/';
		if (!$this->view->file_exists($dir)) {
			$this->view->mkdir($dir);
		}

		try {
			$file = $dir . $name;
			$certificateObject = new Certificate($certificate, $name);
			$this->view->file_put_contents($file, $certificate);
			$this->createCertificateBundle();
			return $certificateObject;
		} catch (\Exception $e) {
			throw $e;
		}

	}

	/**
	 * Remove the certificate and re-generate the certificate bundle
	 *
	 * @param string $name
	 * @return bool
	 */
	public function removeCertificate($name) {
		if (!Filesystem::isValidPath($name)) {
			return false;
		}
		$path = $this->getPathToCertificates() . 'uploads/';
		if ($this->view->file_exists($path . $name)) {
			$this->view->unlink($path . $name);
			$this->createCertificateBundle();
		}
		return true;
	}

	/**
	 * Get the path to the certificate bundle for this user
	 *
	 * @return string
	 */
	public function getCertificateBundle() {
		return $this->getPathToCertificates() . 'rootcerts.crt';
	}

	/**
	 * @return string
	 */
	private function getPathToCertificates() {
		$path = is_null($this->uid) ? '/files_external/' : '/' . $this->uid . '/files_external/';

		return $path;
	}
}
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`<?php`
			`/**`
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36. 2015-02-26 13:37:37 +03:00			`* Copyright (c) 2014 Robin Appelman <icewind@owncloud.com>`
			`* This file is licensed under the Affero General Public License version 3 or`
			`* later.`
			`* See the COPYING-README file.`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`*/`
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36. 2015-02-26 13:37:37 +03:00
Rename namespace 2014-08-18 18:30:23 +04:00			`namespace OC\Security;`
Move certificate management code to core 2014-08-14 16:24:10 +04:00
Cleanup certificate code 2014-08-18 15:57:38 +04:00			`use OC\Files\Filesystem;`
Verify names of certificates 2014-08-14 17:47:23 +04:00			`use OCP\ICertificateManager;`

Move certificate management code to core 2014-08-14 16:24:10 +04:00			`/**`
			`* Manage trusted certificates for users`
			`*/`
Verify names of certificates 2014-08-14 17:47:23 +04:00			`class CertificateManager implements ICertificateManager {`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`/**`
certificate manager only needs the user-id, no need to pass on the complete user object 2015-01-20 19:00:29 +03:00			`* @var string`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`*/`
certificate manager only needs the user-id, no need to pass on the complete user object 2015-01-20 19:00:29 +03:00			`protected $uid;`
Move certificate management code to core 2014-08-14 16:24:10 +04:00
certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`/**`
			`* @var \OC\Files\View`
			`*/`
			`protected $view;`

Move certificate management code to core 2014-08-14 16:24:10 +04:00			`/**`
certificate manager only needs the user-id, no need to pass on the complete user object 2015-01-20 19:00:29 +03:00			`* @param string $uid`
certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`* @param \OC\Files\View $view relative zu data/`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`*/`
certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`public function __construct($uid, \OC\Files\View $view) {`
certificate manager only needs the user-id, no need to pass on the complete user object 2015-01-20 19:00:29 +03:00			`$this->uid = $uid;`
certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`$this->view = $view;`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`}`

			`/**`
			`* Returns all certificates trusted by the user`
			`*`
Move certificate management interface from files_external to core 2014-08-15 19:18:46 +04:00			`* @return \OCP\ICertificate[]`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`*/`
			`public function listCertificates() {`
Next step in server-to-server sharing next generation, see #12285 Beside some small improvements and bug fixes this will probably the final state for OC8. To test this you need to set up two ownCloud instances. Let's say: URL: myPC/firstOwnCloud user: user1 URL: myPC/secondOwnCloud user: user2 Now user1 can share a file with user2 by entering the username and the URL to the second ownCloud to the share-drop-down, in this case "user2@myPC/secondOwnCloud". The next time user2 login he will get a notification that he received a server-to-server share with the option to accept/decline it. If he accept it the share will be mounted. In both cases a event will be send back to user1 and add a notification to the activity stream that the share was accepted/declined. If user1 decides to unshare the file again from user2 the share will automatically be removed from the second ownCloud server and user2 will see a notification in his activity stream that user1@myPC/firstOwnCloud has unshared the file/folder from him. 2014-12-04 21:51:04 +03:00			`$path = $this->getPathToCertificates() . 'uploads/';`
certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`if (!$this->view->is_dir($path)) {`
Cleanup certificate code 2014-08-18 15:57:38 +04:00			`return array();`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`}`
			`$result = array();`
certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`$handle = $this->view->opendir($path);`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`if (!is_resource($handle)) {`
			`return array();`
			`}`
			`while (false !== ($file = readdir($handle))) {`
Move certificate management interface from files_external to core 2014-08-15 19:18:46 +04:00			`if ($file != '.' && $file != '..') {`
Add unit tests and fix rootcerts creation bug 2014-08-27 18:28:51 +04:00			`try {`
certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`$result[] = new Certificate($this->view->file_get_contents($path . $file), $file);`
Add unit tests and fix rootcerts creation bug 2014-08-27 18:28:51 +04:00			`} catch(\Exception $e) {}`
Move certificate management interface from files_external to core 2014-08-15 19:18:46 +04:00			`}`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`}`
Correctly close handle of directory when listing certificates 2014-11-07 11:46:37 +03:00			`closedir($handle);`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`return $result;`
			`}`

			`/**`
			`* create the certificate bundle of all trusted certificated`
			`*/`
Add wrapper for Guzzle 2015-03-16 13:28:23 +03:00			`public function createCertificateBundle() {`
Next step in server-to-server sharing next generation, see #12285 Beside some small improvements and bug fixes this will probably the final state for OC8. To test this you need to set up two ownCloud instances. Let's say: URL: myPC/firstOwnCloud user: user1 URL: myPC/secondOwnCloud user: user2 Now user1 can share a file with user2 by entering the username and the URL to the second ownCloud to the share-drop-down, in this case "user2@myPC/secondOwnCloud". The next time user2 login he will get a notification that he received a server-to-server share with the option to accept/decline it. If he accept it the share will be mounted. In both cases a event will be send back to user1 and add a notification to the activity stream that the share was accepted/declined. If user1 decides to unshare the file again from user2 the share will automatically be removed from the second ownCloud server and user2 will see a notification in his activity stream that user1@myPC/firstOwnCloud has unshared the file/folder from him. 2014-12-04 21:51:04 +03:00			`$path = $this->getPathToCertificates();`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`$certs = $this->listCertificates();`

certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`$fh_certs = $this->view->fopen($path . '/rootcerts.crt', 'w');`
Add wrapper for Guzzle 2015-03-16 13:28:23 +03:00
			`// Write user certificates`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`foreach ($certs as $cert) {`
Add unit tests and fix rootcerts creation bug 2014-08-27 18:28:51 +04:00			`$file = $path . '/uploads/' . $cert->getName();`
certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`$data = $this->view->file_get_contents($file);`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`if (strpos($data, 'BEGIN CERTIFICATE')) {`
			`fwrite($fh_certs, $data);`
			`fwrite($fh_certs, "\r\n");`
			`}`
			`}`

Add wrapper for Guzzle 2015-03-16 13:28:23 +03:00			`// Append the default certificates`
			`$defaultCertificates = file_get_contents(\OC::$SERVERROOT . '/config/ca-bundle.crt');`
			`fwrite($fh_certs, $defaultCertificates);`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`fclose($fh_certs);`
			`}`

			`/**`
Cleanup certificate code 2014-08-18 15:57:38 +04:00			`* Save the certificate and re-generate the certificate bundle`
			`*`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`* @param string $certificate the certificate data`
			`* @param string $name the filename for the certificate`
Add unit tests and fix rootcerts creation bug 2014-08-27 18:28:51 +04:00			`* @return \OCP\ICertificate\|void\|bool`
			`* @throws \Exception If the certificate could not get added`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`*/`
			`public function addCertificate($certificate, $name) {`
check for blacklisted file certificate filenames 2014-08-21 16:09:40 +04:00			`if (!Filesystem::isValidPath($name) or Filesystem::isFileBlacklisted($name)) {`
Verify names of certificates 2014-08-14 17:47:23 +04:00			`return false;`
			`}`
Move certificate management code to core 2014-08-14 16:24:10 +04:00
Next step in server-to-server sharing next generation, see #12285 Beside some small improvements and bug fixes this will probably the final state for OC8. To test this you need to set up two ownCloud instances. Let's say: URL: myPC/firstOwnCloud user: user1 URL: myPC/secondOwnCloud user: user2 Now user1 can share a file with user2 by entering the username and the URL to the second ownCloud to the share-drop-down, in this case "user2@myPC/secondOwnCloud". The next time user2 login he will get a notification that he received a server-to-server share with the option to accept/decline it. If he accept it the share will be mounted. In both cases a event will be send back to user1 and add a notification to the activity stream that the share was accepted/declined. If user1 decides to unshare the file again from user2 the share will automatically be removed from the second ownCloud server and user2 will see a notification in his activity stream that user1@myPC/firstOwnCloud has unshared the file/folder from him. 2014-12-04 21:51:04 +03:00			`$dir = $this->getPathToCertificates() . 'uploads/';`
certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`if (!$this->view->file_exists($dir)) {`
			`$this->view->mkdir($dir);`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`}`

Add unit tests and fix rootcerts creation bug 2014-08-27 18:28:51 +04:00			`try {`
Cleanup certificate code 2014-08-18 15:57:38 +04:00			`$file = $dir . $name;`
Add unit tests and fix rootcerts creation bug 2014-08-27 18:28:51 +04:00			`$certificateObject = new Certificate($certificate, $name);`
certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`$this->view->file_put_contents($file, $certificate);`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`$this->createCertificateBundle();`
Add unit tests and fix rootcerts creation bug 2014-08-27 18:28:51 +04:00			`return $certificateObject;`
			`} catch (\Exception $e) {`
			`throw $e;`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`}`
Add unit tests and fix rootcerts creation bug 2014-08-27 18:28:51 +04:00
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`}`

			`/**`
Cleanup certificate code 2014-08-18 15:57:38 +04:00			`* Remove the certificate and re-generate the certificate bundle`
			`*`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`* @param string $name`
Verify names of certificates 2014-08-14 17:47:23 +04:00			`* @return bool`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`*/`
			`public function removeCertificate($name) {`
Cleanup certificate code 2014-08-18 15:57:38 +04:00			`if (!Filesystem::isValidPath($name)) {`
Verify names of certificates 2014-08-14 17:47:23 +04:00			`return false;`
			`}`
Next step in server-to-server sharing next generation, see #12285 Beside some small improvements and bug fixes this will probably the final state for OC8. To test this you need to set up two ownCloud instances. Let's say: URL: myPC/firstOwnCloud user: user1 URL: myPC/secondOwnCloud user: user2 Now user1 can share a file with user2 by entering the username and the URL to the second ownCloud to the share-drop-down, in this case "user2@myPC/secondOwnCloud". The next time user2 login he will get a notification that he received a server-to-server share with the option to accept/decline it. If he accept it the share will be mounted. In both cases a event will be send back to user1 and add a notification to the activity stream that the share was accepted/declined. If user1 decides to unshare the file again from user2 the share will automatically be removed from the second ownCloud server and user2 will see a notification in his activity stream that user1@myPC/firstOwnCloud has unshared the file/folder from him. 2014-12-04 21:51:04 +03:00			`$path = $this->getPathToCertificates() . 'uploads/';`
certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-20 22:34:34 +03:00			`if ($this->view->file_exists($path . $name)) {`
			`$this->view->unlink($path . $name);`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`$this->createCertificateBundle();`
			`}`
Cleanup certificate code 2014-08-18 15:57:38 +04:00			`return true;`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`}`

			`/**`
			`* Get the path to the certificate bundle for this user`
			`*`
			`* @return string`
			`*/`
			`public function getCertificateBundle() {`
Next step in server-to-server sharing next generation, see #12285 Beside some small improvements and bug fixes this will probably the final state for OC8. To test this you need to set up two ownCloud instances. Let's say: URL: myPC/firstOwnCloud user: user1 URL: myPC/secondOwnCloud user: user2 Now user1 can share a file with user2 by entering the username and the URL to the second ownCloud to the share-drop-down, in this case "user2@myPC/secondOwnCloud". The next time user2 login he will get a notification that he received a server-to-server share with the option to accept/decline it. If he accept it the share will be mounted. In both cases a event will be send back to user1 and add a notification to the activity stream that the share was accepted/declined. If user1 decides to unshare the file again from user2 the share will automatically be removed from the second ownCloud server and user2 will see a notification in his activity stream that user1@myPC/firstOwnCloud has unshared the file/folder from him. 2014-12-04 21:51:04 +03:00			`return $this->getPathToCertificates() . 'rootcerts.crt';`
			`}`

Add wrapper for Guzzle 2015-03-16 13:28:23 +03:00			`/**`
			`* @return string`
			`*/`
Next step in server-to-server sharing next generation, see #12285 Beside some small improvements and bug fixes this will probably the final state for OC8. To test this you need to set up two ownCloud instances. Let's say: URL: myPC/firstOwnCloud user: user1 URL: myPC/secondOwnCloud user: user2 Now user1 can share a file with user2 by entering the username and the URL to the second ownCloud to the share-drop-down, in this case "user2@myPC/secondOwnCloud". The next time user2 login he will get a notification that he received a server-to-server share with the option to accept/decline it. If he accept it the share will be mounted. In both cases a event will be send back to user1 and add a notification to the activity stream that the share was accepted/declined. If user1 decides to unshare the file again from user2 the share will automatically be removed from the second ownCloud server and user2 will see a notification in his activity stream that user1@myPC/firstOwnCloud has unshared the file/folder from him. 2014-12-04 21:51:04 +03:00			`private function getPathToCertificates() {`
certificate manager only needs the user-id, no need to pass on the complete user object 2015-01-20 19:00:29 +03:00			`$path = is_null($this->uid) ? '/files_external/' : '/' . $this->uid . '/files_external/';`
Next step in server-to-server sharing next generation, see #12285 Beside some small improvements and bug fixes this will probably the final state for OC8. To test this you need to set up two ownCloud instances. Let's say: URL: myPC/firstOwnCloud user: user1 URL: myPC/secondOwnCloud user: user2 Now user1 can share a file with user2 by entering the username and the URL to the second ownCloud to the share-drop-down, in this case "user2@myPC/secondOwnCloud". The next time user2 login he will get a notification that he received a server-to-server share with the option to accept/decline it. If he accept it the share will be mounted. In both cases a event will be send back to user1 and add a notification to the activity stream that the share was accepted/declined. If user1 decides to unshare the file again from user2 the share will automatically be removed from the second ownCloud server and user2 will see a notification in his activity stream that user1@myPC/firstOwnCloud has unshared the file/folder from him. 2014-12-04 21:51:04 +03:00
			`return $path;`
Move certificate management code to core 2014-08-14 16:24:10 +04:00			`}`
			`}`