nextcloud/lib/private/Server.php

1301 lines
35 KiB
PHP
Raw Normal View History

2013-08-21 02:58:15 +04:00
<?php
2015-03-26 13:44:34 +03:00
/**
2015-06-25 12:43:55 +03:00
* @author Arthur Schiwon <blizzz@owncloud.com>
2015-03-26 13:44:34 +03:00
* @author Bart Visscher <bartv@thisnet.nl>
* @author Bernhard Posselt <dev@bernhard-posselt.com>
* @author Bernhard Reiter <ockham@raz.or.at>
* @author Björn Schießle <schiessle@owncloud.com>
* @author Christopher Schäpers <kondou@ts.unde.re>
* @author Joas Schilling <nickvergessen@owncloud.com>
* @author Jörn Friedrich Dreyer <jfd@butonic.de>
* @author Lukas Reschke <lukas@owncloud.com>
* @author Morris Jobke <hey@morrisjobke.de>
* @author Robin Appelman <icewind@owncloud.com>
2016-01-12 17:02:16 +03:00
* @author Robin McCorkell <robin@mccorkell.me.uk>
2015-10-26 15:54:55 +03:00
* @author Roeland Jago Douma <rullzer@owncloud.com>
2015-03-26 13:44:34 +03:00
* @author Sander <brantje@gmail.com>
* @author Thomas Müller <thomas.mueller@tmit.eu>
* @author Thomas Tanghus <thomas@tanghus.net>
* @author Vincent Petry <pvince81@owncloud.com>
*
2016-01-12 17:02:16 +03:00
* @copyright Copyright (c) 2016, ownCloud, Inc.
2015-03-26 13:44:34 +03:00
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
2013-08-21 02:58:15 +04:00
namespace OC;
2014-12-05 21:56:29 +03:00
use bantu\IniGetWrapper\IniGetWrapper;
2013-09-05 01:45:11 +04:00
use OC\AppFramework\Http\Request;
2014-04-19 21:30:12 +04:00
use OC\AppFramework\Db\Db;
use OC\AppFramework\Utility\TimeFactory;
use OC\Command\AsyncBus;
2014-10-03 22:39:09 +04:00
use OC\Diagnostics\EventLogger;
2015-06-11 12:29:27 +03:00
use OC\Diagnostics\NullEventLogger;
use OC\Diagnostics\NullQueryLogger;
2014-10-03 22:39:09 +04:00
use OC\Diagnostics\QueryLogger;
2015-11-26 19:47:53 +03:00
use OC\Files\Config\UserMountCache;
2015-12-03 16:10:05 +03:00
use OC\Files\Config\UserMountCacheListener;
use OC\Files\Node\HookConnector;
2016-03-11 16:00:36 +03:00
use OC\Files\Node\LazyRoot;
2015-06-11 12:29:27 +03:00
use OC\Files\Node\Root;
use OC\Files\View;
use OC\Http\Client\ClientService;
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
use OC\IntegrityCheck\Checker;
use OC\IntegrityCheck\Helpers\AppLocator;
use OC\IntegrityCheck\Helpers\EnvironmentHelper;
use OC\IntegrityCheck\Helpers\FileAccessHelper;
use OC\Lock\DBLockingProvider;
use OC\Lock\MemcacheLockingProvider;
2015-05-21 17:11:10 +03:00
use OC\Lock\NoopLockingProvider;
use OC\Mail\Mailer;
use OC\Memcache\ArrayCache;
2015-08-31 13:24:37 +03:00
use OC\Notification\Manager;
2014-08-18 18:30:23 +04:00
use OC\Security\CertificateManager;
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
2016-01-28 16:33:02 +03:00
use OC\Security\CSP\ContentSecurityPolicyManager;
use OC\Security\Crypto;
use OC\Security\CSRF\CsrfTokenGenerator;
use OC\Security\CSRF\CsrfTokenManager;
use OC\Security\CSRF\TokenStorage\SessionStorage;
use OC\Security\Hasher;
use OC\Security\CredentialsManager;
use OC\Security\SecureRandom;
2015-02-17 00:12:47 +03:00
use OC\Security\TrustedDomainHelper;
use OC\Session\CryptoWrapper;
use OC\Tagging\TagMapper;
use OCP\IL10N;
2015-06-11 12:29:27 +03:00
use OCP\IServerContainer;
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
2016-01-28 16:33:02 +03:00
use OCP\Security\IContentSecurityPolicyManager;
use Symfony\Component\EventDispatcher\EventDispatcher;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
2013-08-21 02:58:15 +04:00
/**
* Class Server
2014-07-16 16:25:31 +04:00
*
2013-08-21 02:58:15 +04:00
* @package OC
*
* TODO: hookup all manager classes
*/
class Server extends ServerContainer implements IServerContainer {
2014-11-27 16:50:14 +03:00
/** @var string */
private $webRoot;
/**
* @param string $webRoot
2015-12-18 13:24:15 +03:00
* @param \OC\Config $config
2014-11-27 16:50:14 +03:00
*/
2015-12-18 13:24:15 +03:00
public function __construct($webRoot, \OC\Config $config) {
parent::__construct();
2014-11-27 16:50:14 +03:00
$this->webRoot = $webRoot;
2014-07-16 16:25:31 +04:00
$this->registerService('ContactsManager', function ($c) {
return new ContactsManager();
});
2015-03-12 14:08:31 +03:00
$this->registerService('PreviewManager', function (Server $c) {
return new PreviewManager($c->getConfig());
2013-09-05 01:45:11 +04:00
});
$this->registerService('EncryptionManager', function (Server $c) {
$view = new View();
$util = new Encryption\Util(
$view,
$c->getUserManager(),
$c->getGroupManager(),
$c->getConfig()
);
return new Encryption\Manager(
$c->getConfig(),
$c->getLogger(),
$c->getL10N('core'),
new View(),
$util,
new ArrayCache()
);
});
$this->registerService('EncryptionFileHelper', function (Server $c) {
$util = new Encryption\Util(
new View(),
$c->getUserManager(),
$c->getGroupManager(),
$c->getConfig()
);
return new Encryption\File($util);
});
$this->registerService('EncryptionKeyStorage', function (Server $c) {
$view = new View();
$util = new Encryption\Util(
$view,
$c->getUserManager(),
$c->getGroupManager(),
$c->getConfig()
);
return new Encryption\Keys\Storage($view, $util);
});
2015-12-03 16:10:05 +03:00
$this->registerService('TagMapper', function (Server $c) {
return new TagMapper($c->getDatabaseConnection());
});
$this->registerService('TagManager', function (Server $c) {
$tagMapper = $c->query('TagMapper');
2014-12-10 17:59:41 +03:00
return new TagManager($tagMapper, $c->getUserSession());
});
$this->registerService('SystemTagManagerFactory', function (Server $c) {
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('systemtags.managerFactory', '\OC\SystemTag\ManagerFactory');
/** @var \OC\SystemTag\ManagerFactory $factory */
$factory = new $factoryClass($this);
return $factory;
});
$this->registerService('SystemTagManager', function (Server $c) {
return $c->query('SystemTagManagerFactory')->getManager();
});
$this->registerService('SystemTagObjectMapper', function (Server $c) {
return $c->query('SystemTagManagerFactory')->getObjectMapper();
});
2016-02-18 15:55:28 +03:00
$this->registerService('RootFolder', function () {
$manager = \OC\Files\Filesystem::getMountManager(null);
$view = new View();
$root = new Root($manager, $view, null);
$connector = new HookConnector($root, $view);
$connector->viewToNode();
return $root;
});
2016-03-11 16:00:36 +03:00
$this->registerService('LazyRootFolder', function(Server $c) {
return new LazyRoot(function() use ($c) {
return $c->getRootFolder();
});
});
$this->registerService('UserManager', function (Server $c) {
$config = $c->getConfig();
return new \OC\User\Manager($config);
2013-09-20 14:45:56 +04:00
});
$this->registerService('GroupManager', function (Server $c) {
$groupManager = new \OC\Group\Manager($this->getUserManager());
$groupManager->listen('\OC\Group', 'preCreate', function ($gid) {
\OC_Hook::emit('OC_Group', 'pre_createGroup', array('run' => true, 'gid' => $gid));
});
$groupManager->listen('\OC\Group', 'postCreate', function (\OC\Group\Group $gid) {
\OC_Hook::emit('OC_User', 'post_createGroup', array('gid' => $gid->getGID()));
});
$groupManager->listen('\OC\Group', 'preDelete', function (\OC\Group\Group $group) {
\OC_Hook::emit('OC_Group', 'pre_deleteGroup', array('run' => true, 'gid' => $group->getGID()));
});
$groupManager->listen('\OC\Group', 'postDelete', function (\OC\Group\Group $group) {
\OC_Hook::emit('OC_User', 'post_deleteGroup', array('gid' => $group->getGID()));
});
$groupManager->listen('\OC\Group', 'preAddUser', function (\OC\Group\Group $group, \OC\User\User $user) {
\OC_Hook::emit('OC_Group', 'pre_addToGroup', array('run' => true, 'uid' => $user->getUID(), 'gid' => $group->getGID()));
});
$groupManager->listen('\OC\Group', 'postAddUser', function (\OC\Group\Group $group, \OC\User\User $user) {
\OC_Hook::emit('OC_Group', 'post_addToGroup', array('uid' => $user->getUID(), 'gid' => $group->getGID()));
//Minimal fix to keep it backward compatible TODO: clean up all the GroupManager hooks
\OC_Hook::emit('OC_User', 'post_addToGroup', array('uid' => $user->getUID(), 'gid' => $group->getGID()));
});
return $groupManager;
2014-07-16 16:25:31 +04:00
});
$this->registerService('UserSession', function (Server $c) {
$manager = $c->getUserManager();
$session = new \OC\Session\Memory('');
$userSession = new \OC\User\Session($manager, $session);
2013-09-20 14:45:56 +04:00
$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
\OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password));
});
$userSession->listen('\OC\User', 'postCreateUser', function ($user, $password) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_createUser', array('uid' => $user->getUID(), 'password' => $password));
});
$userSession->listen('\OC\User', 'preDelete', function ($user) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'pre_deleteUser', array('run' => true, 'uid' => $user->getUID()));
});
$userSession->listen('\OC\User', 'postDelete', function ($user) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_deleteUser', array('uid' => $user->getUID()));
});
$userSession->listen('\OC\User', 'preSetPassword', function ($user, $password, $recoveryPassword) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'pre_setPassword', array('run' => true, 'uid' => $user->getUID(), 'password' => $password, 'recoveryPassword' => $recoveryPassword));
});
$userSession->listen('\OC\User', 'postSetPassword', function ($user, $password, $recoveryPassword) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_setPassword', array('run' => true, 'uid' => $user->getUID(), 'password' => $password, 'recoveryPassword' => $recoveryPassword));
});
$userSession->listen('\OC\User', 'preLogin', function ($uid, $password) {
\OC_Hook::emit('OC_User', 'pre_login', array('run' => true, 'uid' => $uid, 'password' => $password));
});
$userSession->listen('\OC\User', 'postLogin', function ($user, $password) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_login', array('run' => true, 'uid' => $user->getUID(), 'password' => $password));
});
$userSession->listen('\OC\User', 'logout', function () {
\OC_Hook::emit('OC_User', 'logout', array());
});
$userSession->listen('\OC\User', 'changeUser', function ($user, $feature, $value) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'changeUser', array('run' => true, 'user' => $user, 'feature' => $feature, 'value' => $value));
});
2013-09-20 14:45:56 +04:00
return $userSession;
});
2014-07-16 16:25:31 +04:00
$this->registerService('NavigationManager', function ($c) {
return new \OC\NavigationManager();
});
$this->registerService('AllConfig', function (Server $c) {
return new \OC\AllConfig(
$c->getSystemConfig()
);
});
2015-12-18 13:24:15 +03:00
$this->registerService('SystemConfig', function ($c) use ($config) {
return new \OC\SystemConfig($config);
});
2016-01-07 12:26:00 +03:00
$this->registerService('AppConfig', function (Server $c) {
return new \OC\AppConfig($c->getDatabaseConnection());
});
$this->registerService('L10NFactory', function (Server $c) {
return new \OC\L10N\Factory(
$c->getConfig(),
$c->getRequest(),
$c->getUserSession(),
\OC::$SERVERROOT
);
2013-09-25 20:34:01 +04:00
});
$this->registerService('URLGenerator', function (Server $c) {
$config = $c->getConfig();
$cacheFactory = $c->getMemCacheFactory();
return new \OC\URLGenerator(
$config,
$cacheFactory
);
});
2014-07-16 16:25:31 +04:00
$this->registerService('AppHelper', function ($c) {
return new \OC\AppHelper();
});
$this->registerService('UserCache', function ($c) {
return new Cache\File();
});
$this->registerService('MemCacheFactory', function (Server $c) {
$config = $c->getConfig();
2015-12-03 16:10:05 +03:00
if ($config->getSystemValue('installed', false) && !(defined('PHPUNIT_RUN') && PHPUNIT_RUN)) {
$v = \OC_App::getAppVersions();
$v['core'] = md5(file_get_contents(\OC::$SERVERROOT . '/version.php'));
$version = implode(',', $v);
$instanceId = \OC_Util::getInstanceId();
$path = \OC::$SERVERROOT;
2015-12-03 16:10:05 +03:00
$prefix = md5($instanceId . '-' . $version . '-' . $path);
return new \OC\Memcache\Factory($prefix, $c->getLogger(),
$config->getSystemValue('memcache.local', null),
$config->getSystemValue('memcache.distributed', null),
$config->getSystemValue('memcache.locking', null)
);
}
return new \OC\Memcache\Factory('', $c->getLogger(),
'\\OC\\Memcache\\ArrayCache',
'\\OC\\Memcache\\ArrayCache',
'\\OC\\Memcache\\ArrayCache'
);
2014-01-06 15:55:56 +04:00
});
$this->registerService('ActivityManager', function (Server $c) {
return new ActivityManager(
$c->getRequest(),
$c->getUserSession(),
$c->getConfig()
);
});
$this->registerService('AvatarManager', function (Server $c) {
return new AvatarManager(
$c->getUserManager(),
$c->getRootFolder(),
$c->getL10N('lib'),
$c->getLogger()
);
2013-09-20 13:46:11 +04:00
});
$this->registerService('Logger', function (Server $c) {
$logClass = $c->query('AllConfig')->getSystemValue('log_type', 'owncloud');
$logger = 'OC_Log_' . ucfirst($logClass);
call_user_func(array($logger, 'init'));
return new Log($logger);
});
$this->registerService('JobList', function (Server $c) {
$config = $c->getConfig();
return new \OC\BackgroundJob\JobList($c->getDatabaseConnection(), $config);
});
$this->registerService('Router', function (Server $c) {
$cacheFactory = $c->getMemCacheFactory();
2015-11-27 15:51:20 +03:00
$logger = $c->getLogger();
if ($cacheFactory->isAvailable()) {
2015-11-27 15:51:20 +03:00
$router = new \OC\Route\CachingRouter($cacheFactory->create('route'), $logger);
} else {
2015-11-27 15:51:20 +03:00
$router = new \OC\Route\Router($logger);
}
return $router;
});
2014-07-16 16:25:31 +04:00
$this->registerService('Search', function ($c) {
return new Search();
});
$this->registerService('SecureRandom', function ($c) {
return new SecureRandom();
});
$this->registerService('Crypto', function (Server $c) {
return new Crypto($c->getConfig(), $c->getSecureRandom());
});
$this->registerService('Hasher', function (Server $c) {
return new Hasher($c->getConfig());
});
$this->registerService('CredentialsManager', function (Server $c) {
return new CredentialsManager($c->getCrypto(), $c->getDatabaseConnection());
});
$this->registerService('DatabaseConnection', function (Server $c) {
$factory = new \OC\DB\ConnectionFactory();
$systemConfig = $c->getSystemConfig();
$type = $systemConfig->getValue('dbtype', 'sqlite');
if (!$factory->isValidType($type)) {
throw new \OC\DatabaseException('Invalid database type');
}
$connectionParams = $factory->createConnectionParams($systemConfig);
$connection = $factory->getConnection($type, $connectionParams);
$connection->getConfiguration()->setSQLLogger($c->getQueryLogger());
return $connection;
});
$this->registerService('Db', function (Server $c) {
return new Db($c->getDatabaseConnection());
2014-04-19 21:30:12 +04:00
});
$this->registerService('HTTPHelper', function (Server $c) {
$config = $c->getConfig();
2015-03-16 13:28:23 +03:00
return new HTTPHelper(
$config,
$c->getHTTPClientService()
);
});
$this->registerService('HttpClientService', function (Server $c) {
$user = \OC_User::getUser();
$uid = $user ? $user : null;
return new ClientService(
$c->getConfig(),
new \OC\Security\CertificateManager($uid, new View(), $c->getConfig())
2015-03-16 13:28:23 +03:00
);
});
$this->registerService('EventLogger', function (Server $c) {
if ($c->getSystemConfig()->getValue('debug', false)) {
return new EventLogger();
} else {
2014-10-14 17:49:00 +04:00
return new NullEventLogger();
}
});
$this->registerService('QueryLogger', function (Server $c) {
if ($c->getSystemConfig()->getValue('debug', false)) {
return new QueryLogger();
} else {
2014-10-14 17:49:00 +04:00
return new NullQueryLogger();
}
});
2014-11-27 16:50:14 +03:00
$this->registerService('TempManager', function (Server $c) {
return new TempManager(
$c->getLogger(),
$c->getConfig()
);
});
2015-12-03 16:10:05 +03:00
$this->registerService('AppManager', function (Server $c) {
return new \OC\App\AppManager(
$c->getUserSession(),
$c->getAppConfig(),
$c->getGroupManager(),
$c->getMemCacheFactory(),
$c->getEventDispatcher()
);
});
2015-12-03 16:10:05 +03:00
$this->registerService('DateTimeZone', function (Server $c) {
2014-12-16 17:34:55 +03:00
return new DateTimeZone(
$c->getConfig(),
$c->getSession()
);
});
2015-12-03 16:10:05 +03:00
$this->registerService('DateTimeFormatter', function (Server $c) {
$language = $c->getConfig()->getUserValue($c->getSession()->get('user_id'), 'core', 'lang', null);
2014-12-16 17:34:55 +03:00
return new DateTimeFormatter(
$c->getDateTimeZone()->getTimeZone(),
$c->getL10N('lib', $language)
);
});
2015-12-03 16:10:05 +03:00
$this->registerService('UserMountCache', function (Server $c) {
$mountCache = new UserMountCache($c->getDatabaseConnection(), $c->getUserManager(), $c->getLogger());
$listener = new UserMountCacheListener($mountCache);
$listener->listen($c->getUserManager());
return $mountCache;
});
2015-11-26 19:47:53 +03:00
$this->registerService('MountConfigManager', function (Server $c) {
$loader = \OC\Files\Filesystem::getLoader();
2015-12-03 16:10:05 +03:00
$mountCache = $c->query('UserMountCache');
2015-11-26 19:47:53 +03:00
return new \OC\Files\Config\MountProviderCollection($loader, $mountCache);
});
2014-12-05 21:56:29 +03:00
$this->registerService('IniWrapper', function ($c) {
return new IniGetWrapper();
2014-12-05 21:56:29 +03:00
});
$this->registerService('AsyncCommandBus', function (Server $c) {
$jobList = $c->getJobList();
return new AsyncBus($jobList);
});
2015-02-17 00:12:47 +03:00
$this->registerService('TrustedDomainHelper', function ($c) {
return new TrustedDomainHelper($this->getConfig());
});
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
$this->registerService('IntegrityCodeChecker', function (Server $c) {
// IConfig and IAppManager requires a working database. This code
// might however be called when ownCloud is not yet setup.
if(\OC::$server->getSystemConfig()->getValue('installed', false)) {
$config = $c->getConfig();
$appManager = $c->getAppManager();
} else {
$config = null;
$appManager = null;
}
return new Checker(
new EnvironmentHelper(),
new FileAccessHelper(),
new AppLocator(),
$config,
$c->getMemCacheFactory(),
$appManager,
$c->getTempManager()
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
);
});
$this->registerService('Request', function ($c) {
if (isset($this['urlParams'])) {
$urlParams = $this['urlParams'];
} else {
$urlParams = [];
}
if (defined('PHPUNIT_RUN') && PHPUNIT_RUN
&& in_array('fakeinput', stream_get_wrappers())
) {
$stream = 'fakeinput://data';
} else {
$stream = 'php://input';
}
return new Request(
[
'get' => $_GET,
'post' => $_POST,
'files' => $_FILES,
'server' => $_SERVER,
'env' => $_ENV,
'cookies' => $_COOKIE,
'method' => (isset($_SERVER) && isset($_SERVER['REQUEST_METHOD']))
? $_SERVER['REQUEST_METHOD']
: null,
'urlParams' => $urlParams,
],
$this->getSecureRandom(),
$this->getConfig(),
$this->getCsrfTokenManager(),
$stream
);
});
2015-12-03 16:10:05 +03:00
$this->registerService('Mailer', function (Server $c) {
2015-03-16 15:01:17 +03:00
return new Mailer(
$c->getConfig(),
$c->getLogger(),
new \OC_Defaults()
);
});
2015-12-03 16:10:05 +03:00
$this->registerService('OcsClient', function (Server $c) {
return new OCSClient(
$this->getHTTPClientService(),
$this->getConfig(),
$this->getLogger()
);
});
$this->registerService('LockingProvider', function (Server $c) {
2016-03-24 16:07:43 +03:00
$ini = $c->getIniWrapper();
$config = $c->getConfig();
$ttl = $config->getSystemValue('filelocking.ttl', max(3600, $ini->getNumeric('max_execution_time')));
if ($config->getSystemValue('filelocking.enabled', true) or (defined('PHPUNIT_RUN') && PHPUNIT_RUN)) {
2015-05-21 17:11:10 +03:00
/** @var \OC\Memcache\Factory $memcacheFactory */
$memcacheFactory = $c->getMemCacheFactory();
$memcache = $memcacheFactory->createLocking('lock');
2015-09-02 17:55:37 +03:00
if (!($memcache instanceof \OC\Memcache\NullCache)) {
2016-03-24 16:07:43 +03:00
return new MemcacheLockingProvider($memcache, $ttl);
2015-09-02 17:55:37 +03:00
}
2016-03-24 16:07:43 +03:00
return new DBLockingProvider($c->getDatabaseConnection(), $c->getLogger(), new TimeFactory(), $ttl);
2015-05-21 17:11:10 +03:00
}
return new NoopLockingProvider();
});
$this->registerService('MountManager', function () {
return new \OC\Files\Mount\Manager();
});
2015-12-03 16:10:05 +03:00
$this->registerService('MimeTypeDetector', function (Server $c) {
return new \OC\Files\Type\Detection(
$c->getURLGenerator(),
\OC::$SERVERROOT . '/config/',
\OC::$SERVERROOT . '/resources/config/'
2015-12-03 16:10:05 +03:00
);
});
2015-12-03 16:10:05 +03:00
$this->registerService('MimeTypeLoader', function (Server $c) {
2015-09-03 21:48:42 +03:00
return new \OC\Files\Type\Loader(
$c->getDatabaseConnection()
);
});
2015-12-03 16:10:05 +03:00
$this->registerService('NotificationManager', function () {
2015-08-31 13:24:37 +03:00
return new Manager();
});
2015-07-21 22:44:59 +03:00
$this->registerService('CapabilitiesManager', function (Server $c) {
$manager = new \OC\CapabilitiesManager();
2015-12-03 16:10:05 +03:00
$manager->registerCapability(function () use ($c) {
return new \OC\OCS\CoreCapabilities($c->getConfig());
2015-07-21 22:44:59 +03:00
});
return $manager;
});
$this->registerService('CommentsManager', function(Server $c) {
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('comments.managerFactory', '\OC\Comments\ManagerFactory');
/** @var \OCP\Comments\ICommentsManagerFactory $factory */
$factory = new $factoryClass($this);
return $factory->getManager();
});
2015-12-03 16:10:05 +03:00
$this->registerService('EventDispatcher', function () {
return new EventDispatcher();
});
$this->registerService('CryptoWrapper', function (Server $c) {
// FIXME: Instantiiated here due to cyclic dependency
$request = new Request(
[
'get' => $_GET,
'post' => $_POST,
'files' => $_FILES,
'server' => $_SERVER,
'env' => $_ENV,
'cookies' => $_COOKIE,
'method' => (isset($_SERVER) && isset($_SERVER['REQUEST_METHOD']))
? $_SERVER['REQUEST_METHOD']
: null,
],
$c->getSecureRandom(),
$c->getConfig()
);
return new CryptoWrapper(
$c->getConfig(),
$c->getCrypto(),
$c->getSecureRandom(),
$request
);
});
$this->registerService('CsrfTokenManager', function (Server $c) {
$tokenGenerator = new CsrfTokenGenerator($c->getSecureRandom());
$sessionStorage = new SessionStorage($c->getSession());
return new CsrfTokenManager(
$tokenGenerator,
$sessionStorage
);
});
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
2016-01-28 16:33:02 +03:00
$this->registerService('ContentSecurityPolicyManager', function (Server $c) {
return new ContentSecurityPolicyManager();
});
$this->registerService('ShareManager', function(Server $c) {
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('sharing.managerFactory', '\OC\Share20\ProviderFactory');
/** @var \OC\Share20\IProviderFactory $factory */
2016-01-20 10:30:37 +03:00
$factory = new $factoryClass($this);
$manager = new \OC\Share20\Manager(
$c->getLogger(),
$c->getConfig(),
$c->getSecureRandom(),
$c->getHasher(),
$c->getMountManager(),
$c->getGroupManager(),
$c->getL10N('core'),
2016-02-02 23:02:09 +03:00
$factory,
$c->getUserManager(),
2016-03-11 16:00:36 +03:00
$c->getLazyRootFolder()
);
return $manager;
});
}
/**
* @return \OCP\Contacts\IManager
*/
public function getContactsManager() {
return $this->query('ContactsManager');
}
/**
* @return \OC\Encryption\Manager
*/
public function getEncryptionManager() {
return $this->query('EncryptionManager');
}
/**
* @return \OC\Encryption\File
*/
public function getEncryptionFilesHelper() {
return $this->query('EncryptionFileHelper');
}
/**
* @return \OCP\Encryption\Keys\IStorage
*/
public function getEncryptionKeyStorage() {
return $this->query('EncryptionKeyStorage');
}
/**
* The current request object holding all information about the request
* currently being processed is returned from this method.
* In case the current execution was not initiated by a web request null is returned
*
2015-04-01 13:13:49 +03:00
* @return \OCP\IRequest
*/
public function getRequest() {
return $this->query('Request');
}
2013-09-05 01:45:11 +04:00
/**
* Returns the preview manager which can create preview images for a given file
*
* @return \OCP\IPreview
*/
public function getPreviewManager() {
2013-09-05 01:45:11 +04:00
return $this->query('PreviewManager');
}
/**
* Returns the tag manager which can get and set tags for different object types
*
* @see \OCP\ITagManager::load()
* @return \OCP\ITagManager
*/
public function getTagManager() {
return $this->query('TagManager');
}
/**
* Returns the system-tag manager
*
* @return \OCP\SystemTag\ISystemTagManager
*
* @since 9.0.0
*/
public function getSystemTagManager() {
return $this->query('SystemTagManager');
}
/**
* Returns the system-tag object mapper
*
* @return \OCP\SystemTag\ISystemTagObjectMapper
*
* @since 9.0.0
*/
public function getSystemTagObjectMapper() {
return $this->query('SystemTagObjectMapper');
}
2013-09-20 13:46:11 +04:00
/**
* Returns the avatar manager, used for avatar functionality
*
2013-11-22 15:34:37 +04:00
* @return \OCP\IAvatarManager
2013-09-20 13:46:11 +04:00
*/
public function getAvatarManager() {
2013-09-20 13:46:11 +04:00
return $this->query('AvatarManager');
}
/**
* Returns the root folder of ownCloud's data directory
*
* @return \OCP\Files\IRootFolder
*/
public function getRootFolder() {
return $this->query('RootFolder');
}
2016-03-11 16:00:36 +03:00
/**
* Returns the root folder of ownCloud's data directory
* This is the lazy variant so this gets only initialized once it
* is actually used.
*
* @return \OCP\Files\IRootFolder
*/
public function getLazyRootFolder() {
return $this->query('LazyRootFolder');
}
2013-09-18 16:25:12 +04:00
/**
* Returns a view to ownCloud's files folder
*
* @param string $userId user ID
* @return \OCP\Files\Folder|null
2013-09-18 16:25:12 +04:00
*/
public function getUserFolder($userId = null) {
if ($userId === null) {
$user = $this->getUserSession()->getUser();
if (!$user) {
return null;
}
$userId = $user->getUID();
}
2013-09-18 16:25:12 +04:00
$root = $this->getRootFolder();
return $root->getUserFolder($userId);
2013-09-18 16:25:12 +04:00
}
/**
* Returns an app-specific view in ownClouds data directory
*
* @return \OCP\Files\Folder
*/
public function getAppFolder() {
2014-07-22 21:45:01 +04:00
$dir = '/' . \OC_App::getCurrentApp();
2013-09-18 16:25:12 +04:00
$root = $this->getRootFolder();
2014-07-16 16:25:31 +04:00
if (!$root->nodeExists($dir)) {
2013-09-18 16:25:12 +04:00
$folder = $root->newFolder($dir);
} else {
$folder = $root->get($dir);
}
return $folder;
}
2013-09-20 14:45:56 +04:00
/**
* @return \OC\User\Manager
*/
public function getUserManager() {
2013-09-20 14:45:56 +04:00
return $this->query('UserManager');
}
2014-07-16 16:25:31 +04:00
/**
* @return \OC\Group\Manager
*/
public function getGroupManager() {
2014-07-16 16:25:31 +04:00
return $this->query('GroupManager');
}
2013-09-20 14:45:56 +04:00
/**
* @return \OC\User\Session
*/
public function getUserSession() {
2013-09-20 14:45:56 +04:00
return $this->query('UserSession');
}
/**
* @return \OCP\ISession
*/
public function getSession() {
return $this->query('UserSession')->getSession();
}
/**
* @param \OCP\ISession $session
*/
public function setSession(\OCP\ISession $session) {
return $this->query('UserSession')->setSession($session);
}
/**
* @return \OC\NavigationManager
*/
public function getNavigationManager() {
return $this->query('NavigationManager');
}
/**
* @return \OCP\IConfig
*/
public function getConfig() {
return $this->query('AllConfig');
}
/**
* For internal use only
*
* @return \OC\SystemConfig
*/
public function getSystemConfig() {
return $this->query('SystemConfig');
}
/**
* Returns the app config manager
*
* @return \OCP\IAppConfig
*/
public function getAppConfig() {
return $this->query('AppConfig');
}
/**
* @return \OCP\L10N\IFactory
*/
public function getL10NFactory() {
return $this->query('L10NFactory');
}
2013-09-25 20:34:01 +04:00
/**
* get an L10N instance
2014-07-16 16:25:31 +04:00
*
2014-03-01 00:03:43 +04:00
* @param string $app appid
2014-08-31 12:05:59 +04:00
* @param string $lang
* @return IL10N
2013-09-25 20:34:01 +04:00
*/
public function getL10N($app, $lang = null) {
return $this->getL10NFactory()->get($app, $lang);
2013-09-25 20:34:01 +04:00
}
/**
* @return \OCP\IURLGenerator
*/
public function getURLGenerator() {
return $this->query('URLGenerator');
}
/**
* @return \OCP\IHelper
*/
public function getHelper() {
return $this->query('AppHelper');
}
/**
* Returns an ICache instance. Since 8.1.0 it returns a fake cache. Use
* getMemCacheFactory() instead.
*
* @return \OCP\ICache
* @deprecated 8.1.0 use getMemCacheFactory to obtain a proper cache
*/
public function getCache() {
return $this->query('UserCache');
}
2014-01-06 15:55:56 +04:00
/**
2014-01-08 18:51:40 +04:00
* Returns an \OCP\CacheFactory instance
2014-01-06 15:55:56 +04:00
*
* @return \OCP\ICacheFactory
2014-01-06 15:55:56 +04:00
*/
public function getMemCacheFactory() {
return $this->query('MemCacheFactory');
2014-01-06 15:55:56 +04:00
}
/**
* Returns the current session
2013-09-20 16:33:45 +04:00
*
* @return \OCP\IDBConnection
*/
public function getDatabaseConnection() {
return $this->query('DatabaseConnection');
2013-09-20 16:33:45 +04:00
}
/**
* Returns the activity manager
*
* @return \OCP\Activity\IManager
*/
public function getActivityManager() {
return $this->query('ActivityManager');
2013-09-20 16:33:45 +04:00
}
/**
* Returns an job list for controlling background jobs
*
* @return \OCP\BackgroundJob\IJobList
*/
public function getJobList() {
return $this->query('JobList');
}
/**
* Returns a logger instance
*
* @return \OCP\ILogger
*/
public function getLogger() {
return $this->query('Logger');
}
/**
* Returns a router for generating and matching urls
*
* @return \OCP\Route\IRouter
*/
public function getRouter() {
return $this->query('Router');
}
2014-04-19 21:30:12 +04:00
/**
* Returns a search instance
2014-07-16 16:25:31 +04:00
*
* @return \OCP\ISearch
*/
public function getSearch() {
return $this->query('Search');
}
2014-04-19 21:30:12 +04:00
/**
* Returns a SecureRandom instance
*
* @return \OCP\Security\ISecureRandom
*/
public function getSecureRandom() {
return $this->query('SecureRandom');
}
/**
* Returns a Crypto instance
*
* @return \OCP\Security\ICrypto
*/
public function getCrypto() {
return $this->query('Crypto');
}
/**
* Returns a Hasher instance
*
* @return \OCP\Security\IHasher
*/
public function getHasher() {
return $this->query('Hasher');
}
/**
* Returns a CredentialsManager instance
*
* @return \OCP\Security\ICredentialsManager
*/
public function getCredentialsManager() {
return $this->query('CredentialsManager');
}
2014-04-19 21:30:12 +04:00
/**
* Returns an instance of the db facade
2015-12-03 16:10:05 +03:00
*
2015-02-24 19:15:21 +03:00
* @deprecated use getDatabaseConnection, will be removed in ownCloud 10
2014-04-19 21:30:12 +04:00
* @return \OCP\IDb
*/
public function getDb() {
2014-04-19 21:30:12 +04:00
return $this->query('Db');
}
/**
* Returns an instance of the HTTP helper class
2015-12-03 16:10:05 +03:00
*
2015-03-16 13:28:23 +03:00
* @deprecated Use getHTTPClientService()
* @return \OC\HTTPHelper
*/
public function getHTTPHelper() {
return $this->query('HTTPHelper');
}
/**
* Get the certificate manager for the user
*
* @param string $userId (optional) if not specified the current loggedin user is used, use null to get the system certificate manager
2015-06-17 16:47:45 +03:00
* @return \OCP\ICertificateManager | null if $uid is null and no user is logged in
*/
public function getCertificateManager($userId = '') {
if ($userId === '') {
$userSession = $this->getUserSession();
$user = $userSession->getUser();
if (is_null($user)) {
return null;
}
$userId = $user->getUID();
}
return new CertificateManager($userId, new View(), $this->getConfig());
}
2014-08-29 19:19:38 +04:00
2015-03-16 13:28:23 +03:00
/**
* Returns an instance of the HTTP client service
*
* @return \OCP\Http\Client\IClientService
*/
public function getHTTPClientService() {
2015-03-16 13:28:23 +03:00
return $this->query('HttpClientService');
}
2014-08-29 19:19:38 +04:00
/**
2014-09-04 03:10:02 +04:00
* Create a new event source
2014-08-29 19:19:38 +04:00
*
* @return \OCP\IEventSource
*/
public function createEventSource() {
2014-08-29 19:19:38 +04:00
return new \OC_EventSource();
}
/**
* Get the active event logger
*
* The returned logger only logs data when debug mode is enabled
*
2014-10-03 22:39:09 +04:00
* @return \OCP\Diagnostics\IEventLogger
*/
public function getEventLogger() {
return $this->query('EventLogger');
}
/**
* Get the active query logger
*
* The returned logger only logs data when debug mode is enabled
*
2014-10-03 22:39:09 +04:00
* @return \OCP\Diagnostics\IQueryLogger
*/
public function getQueryLogger() {
2014-10-03 22:39:09 +04:00
return $this->query('QueryLogger');
}
/**
* Get the manager for temporary files and folders
*
* @return \OCP\ITempManager
*/
public function getTempManager() {
return $this->query('TempManager');
}
/**
* Get the app manager
*
* @return \OCP\App\IAppManager
*/
public function getAppManager() {
return $this->query('AppManager');
}
2014-11-27 16:36:11 +03:00
/**
* Creates a new mailer
*
* @return \OCP\Mail\IMailer
*/
public function getMailer() {
return $this->query('Mailer');
}
2014-11-27 16:36:11 +03:00
/**
* Get the webroot
*
* @return string
*/
public function getWebRoot() {
2014-11-27 16:50:14 +03:00
return $this->webRoot;
2014-11-27 16:36:11 +03:00
}
/**
* @return \OC\OCSClient
*/
public function getOcsClient() {
return $this->query('OcsClient');
}
/**
2014-12-16 17:34:55 +03:00
* @return \OCP\IDateTimeZone
*/
2014-12-16 17:34:55 +03:00
public function getDateTimeZone() {
return $this->query('DateTimeZone');
}
/**
* @return \OCP\IDateTimeFormatter
*/
public function getDateTimeFormatter() {
return $this->query('DateTimeFormatter');
}
/**
* @return \OCP\Files\Config\IMountProviderCollection
*/
2015-12-03 16:10:05 +03:00
public function getMountProviderCollection() {
return $this->query('MountConfigManager');
}
2014-12-05 21:56:29 +03:00
/**
* Get the IniWrapper
*
* @return IniGetWrapper
2014-12-05 21:56:29 +03:00
*/
public function getIniWrapper() {
return $this->query('IniWrapper');
2014-12-05 21:56:29 +03:00
}
2015-02-17 00:12:47 +03:00
/**
* @return \OCP\Command\IBus
*/
2015-12-03 16:10:05 +03:00
public function getCommandBus() {
return $this->query('AsyncCommandBus');
}
2015-02-17 00:12:47 +03:00
/**
* Get the trusted domain helper
*
* @return TrustedDomainHelper
*/
public function getTrustedDomainHelper() {
return $this->query('TrustedDomainHelper');
}
/**
* Get the locking provider
*
* @return \OCP\Lock\ILockingProvider
* @since 8.1.0
*/
public function getLockingProvider() {
return $this->query('LockingProvider');
}
/**
* @return \OCP\Files\Mount\IMountManager
**/
function getMountManager() {
return $this->query('MountManager');
}
/*
* Get the MimeTypeDetector
*
* @return \OCP\Files\IMimeTypeDetector
*/
public function getMimeTypeDetector() {
return $this->query('MimeTypeDetector');
}
2015-09-03 21:48:42 +03:00
/**
* Get the MimeTypeLoader
*
* @return \OCP\Files\IMimeTypeLoader
*/
public function getMimeTypeLoader() {
return $this->query('MimeTypeLoader');
}
/**
* Get the manager of all the capabilities
*
* @return \OC\CapabilitiesManager
*/
public function getCapabilitiesManager() {
return $this->query('CapabilitiesManager');
}
/**
* Get the EventDispatcher
*
* @return EventDispatcherInterface
* @since 8.2.0
*/
public function getEventDispatcher() {
return $this->query('EventDispatcher');
}
2015-08-31 13:24:37 +03:00
/**
* Get the Notification Manager
*
* @return \OCP\Notification\IManager
2015-08-31 13:24:37 +03:00
* @since 8.2.0
*/
public function getNotificationManager() {
return $this->query('NotificationManager');
}
/**
* @return \OCP\Comments\ICommentsManager
*/
public function getCommentsManager() {
return $this->query('CommentsManager');
}
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
/**
* @return \OC\IntegrityCheck\Checker
*/
public function getIntegrityCodeChecker() {
return $this->query('IntegrityCodeChecker');
}
/**
* @return \OC\Session\CryptoWrapper
*/
public function getSessionCryptoWrapper() {
return $this->query('CryptoWrapper');
}
/**
* @return CsrfTokenManager
*/
public function getCsrfTokenManager() {
return $this->query('CsrfTokenManager');
}
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
2016-01-28 16:33:02 +03:00
/**
* @return IContentSecurityPolicyManager
*/
public function getContentSecurityPolicyManager() {
return $this->query('ContentSecurityPolicyManager');
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\BackendService
*/
public function getStoragesBackendService() {
return \OC_Mount_Config::$app->getContainer()->query('OCA\\Files_External\\Service\\BackendService');
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\GlobalStoragesService
*/
public function getGlobalStoragesService() {
return \OC_Mount_Config::$app->getContainer()->query('OCA\\Files_External\\Service\\GlobalStoragesService');
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\UserGlobalStoragesService
*/
public function getUserGlobalStoragesService() {
return \OC_Mount_Config::$app->getContainer()->query('OCA\\Files_External\\Service\\UserGlobalStoragesService');
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\UserStoragesService
*/
public function getUserStoragesService() {
return \OC_Mount_Config::$app->getContainer()->query('OCA\\Files_External\\Service\\UserStoragesService');
}
/**
* @return \OCP\Share\IManager
*/
public function getShareManager() {
return $this->query('ShareManager');
}
2015-12-03 16:10:05 +03:00
2013-08-21 02:58:15 +04:00
}