nextcloud/lib/private/Server.php

1981 lines
57 KiB
PHP
Raw Normal View History

2013-08-21 02:58:15 +04:00
<?php
2015-03-26 13:44:34 +03:00
/**
2016-07-21 18:07:57 +03:00
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @copyright Copyright (c) 2016, Lukas Reschke <lukas@statuscode.ch>
2016-07-21 18:07:57 +03:00
*
2016-05-26 20:56:05 +03:00
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
2015-03-26 13:44:34 +03:00
* @author Bart Visscher <bartv@thisnet.nl>
* @author Bernhard Posselt <dev@bernhard-posselt.com>
* @author Bernhard Reiter <ockham@raz.or.at>
2016-07-21 18:07:57 +03:00
* @author Bjoern Schiessle <bjoern@schiessle.org>
2016-05-26 20:56:05 +03:00
* @author Björn Schießle <bjoern@schiessle.org>
2016-07-21 18:07:57 +03:00
* @author Christoph Wurst <christoph@owncloud.com>
* @author Christopher Schäpers <kondou@ts.unde.re>
* @author Damjan Georgievski <gdamjan@gmail.com>
2016-07-21 18:07:57 +03:00
* @author Joas Schilling <coding@schilljs.com>
* @author John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
* @author Julius Haertl <jus@bitgrid.net>
* @author Julius Härtl <jus@bitgrid.net>
2015-03-26 13:44:34 +03:00
* @author Jörn Friedrich Dreyer <jfd@butonic.de>
2016-05-26 20:56:05 +03:00
* @author Lukas Reschke <lukas@statuscode.ch>
2015-03-26 13:44:34 +03:00
* @author Morris Jobke <hey@morrisjobke.de>
* @author Piotr Mrówczyński <mrow4a@yahoo.com>
2016-07-21 19:13:36 +03:00
* @author Robin Appelman <robin@icewind.nl>
2016-01-12 17:02:16 +03:00
* @author Robin McCorkell <robin@mccorkell.me.uk>
2016-07-21 18:07:57 +03:00
* @author Roeland Jago Douma <roeland@famdouma.nl>
* @author root <root@localhost.localdomain>
2015-03-26 13:44:34 +03:00
* @author Sander <brantje@gmail.com>
* @author Thomas Müller <thomas.mueller@tmit.eu>
* @author Thomas Tanghus <thomas@tanghus.net>
* @author Vincent Petry <pvince81@owncloud.com>
*
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
2017-08-24 17:21:50 +03:00
2013-08-21 02:58:15 +04:00
namespace OC;
2014-12-05 21:56:29 +03:00
use bantu\IniGetWrapper\IniGetWrapper;
use OC\Accounts\AccountManager;
use OC\App\AppManager;
use OC\App\AppStore\Bundles\BundleFetcher;
use OC\App\AppStore\Fetcher\AppFetcher;
use OC\App\AppStore\Fetcher\CategoryFetcher;
2013-09-05 01:45:11 +04:00
use OC\AppFramework\Http\Request;
use OC\AppFramework\Utility\SimpleContainer;
use OC\AppFramework\Utility\TimeFactory;
use OC\Authentication\LoginCredentials\Store;
use OC\Authentication\Token\IProvider;
use OC\Collaboration\Collaborators\GroupPlugin;
use OC\Collaboration\Collaborators\MailPlugin;
use OC\Collaboration\Collaborators\RemotePlugin;
use OC\Collaboration\Collaborators\UserPlugin;
use OC\Command\CronBus;
use OC\Comments\ManagerFactory as CommentsManagerFactory;
use OC\Contacts\ContactsMenu\ActionFactory;
use OC\Contacts\ContactsMenu\ContactsStore;
2014-10-03 22:39:09 +04:00
use OC\Diagnostics\EventLogger;
use OC\Diagnostics\QueryLogger;
use OC\Federation\CloudIdManager;
2015-11-26 19:47:53 +03:00
use OC\Files\Config\UserMountCache;
2015-12-03 16:10:05 +03:00
use OC\Files\Config\UserMountCacheListener;
use OC\Files\Mount\CacheMountProvider;
use OC\Files\Mount\LocalHomeMountProvider;
use OC\Files\Mount\ObjectHomeMountProvider;
use OC\Files\Node\HookConnector;
2016-03-11 16:00:36 +03:00
use OC\Files\Node\LazyRoot;
2015-06-11 12:29:27 +03:00
use OC\Files\Node\Root;
use OC\Files\View;
use OC\Http\Client\ClientService;
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
use OC\IntegrityCheck\Checker;
use OC\IntegrityCheck\Helpers\AppLocator;
use OC\IntegrityCheck\Helpers\EnvironmentHelper;
use OC\IntegrityCheck\Helpers\FileAccessHelper;
use OC\Lock\DBLockingProvider;
use OC\Lock\MemcacheLockingProvider;
2015-05-21 17:11:10 +03:00
use OC\Lock\NoopLockingProvider;
use OC\Lockdown\LockdownManager;
use OC\Log\LogFactory;
use OC\Mail\Mailer;
use OC\Memcache\ArrayCache;
use OC\Memcache\Factory;
2015-08-31 13:24:37 +03:00
use OC\Notification\Manager;
use OC\OCS\DiscoveryService;
use OC\Remote\Api\ApiFactory;
use OC\Remote\InstanceFactory;
use OC\RichObjectStrings\Validator;
use OC\Security\Bruteforce\Throttler;
2014-08-18 18:30:23 +04:00
use OC\Security\CertificateManager;
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
2016-01-28 16:33:02 +03:00
use OC\Security\CSP\ContentSecurityPolicyManager;
use OC\Security\Crypto;
use OC\Security\CSP\ContentSecurityPolicyNonceManager;
use OC\Security\CSRF\CsrfTokenGenerator;
use OC\Security\CSRF\CsrfTokenManager;
use OC\Security\CSRF\TokenStorage\SessionStorage;
use OC\Security\Hasher;
use OC\Security\CredentialsManager;
use OC\Security\SecureRandom;
2015-02-17 00:12:47 +03:00
use OC\Security\TrustedDomainHelper;
use OC\Session\CryptoWrapper;
use OC\Share20\ProviderFactory;
use OC\Share20\ShareHelper;
use OC\SystemTag\ManagerFactory as SystemTagManagerFactory;
use OC\Tagging\TagMapper;
use OC\Template\JSCombiner;
use OC\Template\SCSSCacher;
use OCA\Theming\ImageManager;
use OCA\Theming\ThemingDefaults;
use OCP\App\IAppManager;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\Collaboration\AutoComplete\IManager;
use OCP\Contacts\ContactsMenu\IContactsStore;
use OCP\Defaults;
use OCA\Theming\Util;
use OCP\Federation\ICloudIdManager;
use OCP\Authentication\LoginCredentials\IStore;
use OCP\Files\NotFoundException;
use OCP\ICacheFactory;
use OCP\IDBConnection;
use OCP\IL10N;
2015-06-11 12:29:27 +03:00
use OCP\IServerContainer;
use OCP\ITempManager;
use OCP\Contacts\ContactsMenu\IActionFactory;
use OCP\IUser;
use OCP\Lock\ILockingProvider;
use OCP\Log\ILogFactory;
use OCP\Remote\Api\IApiFactory;
use OCP\Remote\IInstanceFactory;
use OCP\RichObjectStrings\IValidator;
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
2016-01-28 16:33:02 +03:00
use OCP\Security\IContentSecurityPolicyManager;
use OCP\Share\IShareHelper;
use Symfony\Component\EventDispatcher\EventDispatcher;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\EventDispatcher\GenericEvent;
2013-08-21 02:58:15 +04:00
/**
* Class Server
2014-07-16 16:25:31 +04:00
*
2013-08-21 02:58:15 +04:00
* @package OC
*
* TODO: hookup all manager classes
*/
class Server extends ServerContainer implements IServerContainer {
2014-11-27 16:50:14 +03:00
/** @var string */
private $webRoot;
/**
* @param string $webRoot
2015-12-18 13:24:15 +03:00
* @param \OC\Config $config
2014-11-27 16:50:14 +03:00
*/
2015-12-18 13:24:15 +03:00
public function __construct($webRoot, \OC\Config $config) {
parent::__construct();
2014-11-27 16:50:14 +03:00
$this->webRoot = $webRoot;
// To find out if we are running from CLI or not
$this->registerParameter('isCLI', \OC::$CLI);
2017-08-24 17:21:50 +03:00
$this->registerService(\OCP\IServerContainer::class, function (IServerContainer $c) {
return $c;
});
$this->registerAlias(\OCP\Calendar\IManager::class, \OC\Calendar\Manager::class);
$this->registerAlias('CalendarManager', \OC\Calendar\Manager::class);
$this->registerAlias(\OCP\Contacts\IManager::class, \OC\ContactsManager::class);
$this->registerAlias('ContactsManager', \OCP\Contacts\IManager::class);
$this->registerAlias(IActionFactory::class, ActionFactory::class);
$this->registerService(\OCP\IPreview::class, function (Server $c) {
return new PreviewManager(
$c->getConfig(),
$c->getRootFolder(),
$c->getAppDataDir('preview'),
$c->getEventDispatcher(),
$c->getSession()->get('user_id')
);
2013-09-05 01:45:11 +04:00
});
$this->registerAlias('PreviewManager', \OCP\IPreview::class);
$this->registerService(\OC\Preview\Watcher::class, function (Server $c) {
return new \OC\Preview\Watcher(
$c->getAppDataDir('preview')
);
});
$this->registerService('EncryptionManager', function (Server $c) {
$view = new View();
$util = new Encryption\Util(
$view,
$c->getUserManager(),
$c->getGroupManager(),
$c->getConfig()
);
return new Encryption\Manager(
$c->getConfig(),
$c->getLogger(),
$c->getL10N('core'),
new View(),
$util,
new ArrayCache()
);
});
$this->registerService('EncryptionFileHelper', function (Server $c) {
$util = new Encryption\Util(
new View(),
$c->getUserManager(),
$c->getGroupManager(),
$c->getConfig()
);
return new Encryption\File(
$util,
$c->getRootFolder(),
$c->getShareManager()
);
});
$this->registerService('EncryptionKeyStorage', function (Server $c) {
$view = new View();
$util = new Encryption\Util(
$view,
$c->getUserManager(),
$c->getGroupManager(),
$c->getConfig()
);
return new Encryption\Keys\Storage($view, $util);
});
2015-12-03 16:10:05 +03:00
$this->registerService('TagMapper', function (Server $c) {
return new TagMapper($c->getDatabaseConnection());
});
$this->registerService(\OCP\ITagManager::class, function (Server $c) {
$tagMapper = $c->query('TagMapper');
2014-12-10 17:59:41 +03:00
return new TagManager($tagMapper, $c->getUserSession());
});
$this->registerAlias('TagManager', \OCP\ITagManager::class);
$this->registerService('SystemTagManagerFactory', function (Server $c) {
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('systemtags.managerFactory', SystemTagManagerFactory::class);
return new $factoryClass($this);
});
$this->registerService(\OCP\SystemTag\ISystemTagManager::class, function (Server $c) {
return $c->query('SystemTagManagerFactory')->getManager();
});
$this->registerAlias('SystemTagManager', \OCP\SystemTag\ISystemTagManager::class);
$this->registerService(\OCP\SystemTag\ISystemTagObjectMapper::class, function (Server $c) {
return $c->query('SystemTagManagerFactory')->getObjectMapper();
});
$this->registerService('RootFolder', function (Server $c) {
$manager = \OC\Files\Filesystem::getMountManager(null);
$view = new View();
$root = new Root(
$manager,
$view,
null,
$c->getUserMountCache(),
$this->getLogger(),
$this->getUserManager()
);
$connector = new HookConnector($root, $view);
$connector->viewToNode();
$previewConnector = new \OC\Preview\WatcherConnector($root, $c->getSystemConfig());
$previewConnector->connectWatcher();
return $root;
});
$this->registerAlias('SystemTagObjectMapper', \OCP\SystemTag\ISystemTagObjectMapper::class);
2017-08-24 17:21:50 +03:00
$this->registerService(\OCP\Files\IRootFolder::class, function (Server $c) {
return new LazyRoot(function () use ($c) {
2016-08-26 13:13:34 +03:00
return $c->query('RootFolder');
2016-03-11 16:00:36 +03:00
});
});
$this->registerAlias('LazyRootFolder', \OCP\Files\IRootFolder::class);
$this->registerService(\OC\User\Manager::class, function (Server $c) {
$config = $c->getConfig();
return new \OC\User\Manager($config);
2013-09-20 14:45:56 +04:00
});
$this->registerAlias('UserManager', \OC\User\Manager::class);
$this->registerAlias(\OCP\IUserManager::class, \OC\User\Manager::class);
$this->registerService(\OCP\IGroupManager::class, function (Server $c) {
$groupManager = new \OC\Group\Manager($this->getUserManager(), $this->getLogger());
$groupManager->listen('\OC\Group', 'preCreate', function ($gid) {
\OC_Hook::emit('OC_Group', 'pre_createGroup', array('run' => true, 'gid' => $gid));
});
$groupManager->listen('\OC\Group', 'postCreate', function (\OC\Group\Group $gid) {
\OC_Hook::emit('OC_User', 'post_createGroup', array('gid' => $gid->getGID()));
});
$groupManager->listen('\OC\Group', 'preDelete', function (\OC\Group\Group $group) {
\OC_Hook::emit('OC_Group', 'pre_deleteGroup', array('run' => true, 'gid' => $group->getGID()));
});
$groupManager->listen('\OC\Group', 'postDelete', function (\OC\Group\Group $group) {
\OC_Hook::emit('OC_User', 'post_deleteGroup', array('gid' => $group->getGID()));
});
$groupManager->listen('\OC\Group', 'preAddUser', function (\OC\Group\Group $group, \OC\User\User $user) {
\OC_Hook::emit('OC_Group', 'pre_addToGroup', array('run' => true, 'uid' => $user->getUID(), 'gid' => $group->getGID()));
});
$groupManager->listen('\OC\Group', 'postAddUser', function (\OC\Group\Group $group, \OC\User\User $user) {
\OC_Hook::emit('OC_Group', 'post_addToGroup', array('uid' => $user->getUID(), 'gid' => $group->getGID()));
//Minimal fix to keep it backward compatible TODO: clean up all the GroupManager hooks
\OC_Hook::emit('OC_User', 'post_addToGroup', array('uid' => $user->getUID(), 'gid' => $group->getGID()));
});
return $groupManager;
2014-07-16 16:25:31 +04:00
});
$this->registerAlias('GroupManager', \OCP\IGroupManager::class);
2017-08-24 17:21:50 +03:00
$this->registerService(Store::class, function (Server $c) {
$session = $c->getSession();
if (\OC::$server->getSystemConfig()->getValue('installed', false)) {
$tokenProvider = $c->query(IProvider::class);
} else {
$tokenProvider = null;
}
$logger = $c->getLogger();
return new Store($session, $logger, $tokenProvider);
});
$this->registerAlias(IStore::class, Store::class);
$this->registerService(Authentication\Token\DefaultTokenMapper::class, function (Server $c) {
$dbConnection = $c->getDatabaseConnection();
return new Authentication\Token\DefaultTokenMapper($dbConnection);
});
$this->registerAlias(IProvider::class, Authentication\Token\Manager::class);
$this->registerService(\OCP\IUserSession::class, function (Server $c) {
$manager = $c->getUserManager();
$session = new \OC\Session\Memory('');
2016-05-02 20:58:19 +03:00
$timeFactory = new TimeFactory();
2016-04-27 13:01:13 +03:00
// Token providers might require a working database. This code
// might however be called when ownCloud is not yet setup.
if (\OC::$server->getSystemConfig()->getValue('installed', false)) {
$defaultTokenProvider = $c->query(IProvider::class);
2016-04-27 13:01:13 +03:00
} else {
$defaultTokenProvider = null;
}
2016-06-24 18:53:37 +03:00
$dispatcher = $c->getEventDispatcher();
$userSession = new \OC\User\Session(
$manager,
$session,
$timeFactory,
$defaultTokenProvider,
$c->getConfig(),
$c->getSecureRandom(),
$c->getLockdownManager(),
$c->getLogger()
);
2013-09-20 14:45:56 +04:00
$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
\OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password));
});
$userSession->listen('\OC\User', 'postCreateUser', function ($user, $password) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_createUser', array('uid' => $user->getUID(), 'password' => $password));
});
$userSession->listen('\OC\User', 'preDelete', function ($user) use ($dispatcher) {
2013-09-20 14:45:56 +04:00
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'pre_deleteUser', array('run' => true, 'uid' => $user->getUID()));
$dispatcher->dispatch('OCP\IUser::preDelete', new GenericEvent($user));
2013-09-20 14:45:56 +04:00
});
$userSession->listen('\OC\User', 'postDelete', function ($user) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_deleteUser', array('uid' => $user->getUID()));
});
$userSession->listen('\OC\User', 'preSetPassword', function ($user, $password, $recoveryPassword) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'pre_setPassword', array('run' => true, 'uid' => $user->getUID(), 'password' => $password, 'recoveryPassword' => $recoveryPassword));
});
$userSession->listen('\OC\User', 'postSetPassword', function ($user, $password, $recoveryPassword) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_setPassword', array('run' => true, 'uid' => $user->getUID(), 'password' => $password, 'recoveryPassword' => $recoveryPassword));
});
$userSession->listen('\OC\User', 'preLogin', function ($uid, $password) {
\OC_Hook::emit('OC_User', 'pre_login', array('run' => true, 'uid' => $uid, 'password' => $password));
});
$userSession->listen('\OC\User', 'postLogin', function ($user, $password) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_login', array('run' => true, 'uid' => $user->getUID(), 'password' => $password));
});
$userSession->listen('\OC\User', 'postRememberedLogin', function ($user, $password) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'post_login', array('run' => true, 'uid' => $user->getUID(), 'password' => $password));
});
2013-09-20 14:45:56 +04:00
$userSession->listen('\OC\User', 'logout', function () {
\OC_Hook::emit('OC_User', 'logout', array());
});
$userSession->listen('\OC\User', 'changeUser', function ($user, $feature, $value, $oldValue) use ($dispatcher) {
/** @var $user \OC\User\User */
\OC_Hook::emit('OC_User', 'changeUser', array('run' => true, 'user' => $user, 'feature' => $feature, 'value' => $value, 'old_value' => $oldValue));
$dispatcher->dispatch('OCP\IUser::changeUser', new GenericEvent($user, ['feature' => $feature, 'oldValue' => $oldValue, 'value' => $value]));
});
2013-09-20 14:45:56 +04:00
return $userSession;
});
$this->registerAlias('UserSession', \OCP\IUserSession::class);
2016-05-11 12:23:25 +03:00
$this->registerService(\OC\Authentication\TwoFactorAuth\Manager::class, function (Server $c) {
return new \OC\Authentication\TwoFactorAuth\Manager(
$c->getAppManager(),
$c->getSession(),
$c->getConfig(),
$c->getActivityManager(),
$c->getLogger(),
$c->query(IProvider::class),
$c->query(ITimeFactory::class),
$c->query(EventDispatcherInterface::class)
);
2016-05-11 12:23:25 +03:00
});
$this->registerAlias(\OCP\INavigationManager::class, \OC\NavigationManager::class);
$this->registerAlias('NavigationManager', \OCP\INavigationManager::class);
$this->registerService(\OC\AllConfig::class, function (Server $c) {
return new \OC\AllConfig(
$c->getSystemConfig()
);
});
$this->registerAlias('AllConfig', \OC\AllConfig::class);
$this->registerAlias(\OCP\IConfig::class, \OC\AllConfig::class);
2015-12-18 13:24:15 +03:00
$this->registerService('SystemConfig', function ($c) use ($config) {
return new \OC\SystemConfig($config);
});
$this->registerService(\OC\AppConfig::class, function (Server $c) {
2016-01-07 12:26:00 +03:00
return new \OC\AppConfig($c->getDatabaseConnection());
});
$this->registerAlias('AppConfig', \OC\AppConfig::class);
$this->registerAlias(\OCP\IAppConfig::class, \OC\AppConfig::class);
$this->registerService(\OCP\L10N\IFactory::class, function (Server $c) {
return new \OC\L10N\Factory(
$c->getConfig(),
$c->getRequest(),
$c->getUserSession(),
\OC::$SERVERROOT
);
2013-09-25 20:34:01 +04:00
});
$this->registerAlias('L10NFactory', \OCP\L10N\IFactory::class);
$this->registerService(\OCP\IURLGenerator::class, function (Server $c) {
$config = $c->getConfig();
$cacheFactory = $c->getMemCacheFactory();
$request = $c->getRequest();
return new \OC\URLGenerator(
$config,
$cacheFactory,
$request
);
});
$this->registerAlias('URLGenerator', \OCP\IURLGenerator::class);
$this->registerAlias('AppFetcher', AppFetcher::class);
$this->registerAlias('CategoryFetcher', CategoryFetcher::class);
$this->registerService(\OCP\ICache::class, function ($c) {
return new Cache\File();
});
$this->registerAlias('UserCache', \OCP\ICache::class);
$this->registerService(Factory::class, function (Server $c) {
$arrayCacheFactory = new \OC\Memcache\Factory('', $c->getLogger(),
ArrayCache::class,
ArrayCache::class,
ArrayCache::class
);
$config = $c->getConfig();
$request = $c->getRequest();
$urlGenerator = new URLGenerator($config, $arrayCacheFactory, $request);
2015-12-03 16:10:05 +03:00
if ($config->getSystemValue('installed', false) && !(defined('PHPUNIT_RUN') && PHPUNIT_RUN)) {
$v = \OC_App::getAppVersions();
$v['core'] = implode(',', \OC_Util::getVersion());
$version = implode(',', $v);
$instanceId = \OC_Util::getInstanceId();
$path = \OC::$SERVERROOT;
$prefix = md5($instanceId . '-' . $version . '-' . $path);
return new \OC\Memcache\Factory($prefix, $c->getLogger(),
$config->getSystemValue('memcache.local', null),
$config->getSystemValue('memcache.distributed', null),
$config->getSystemValue('memcache.locking', null)
);
}
return $arrayCacheFactory;
2014-01-06 15:55:56 +04:00
});
$this->registerAlias('MemCacheFactory', Factory::class);
$this->registerAlias(ICacheFactory::class, Factory::class);
$this->registerService('RedisFactory', function (Server $c) {
$systemConfig = $c->getSystemConfig();
return new RedisFactory($systemConfig);
});
$this->registerService(\OCP\Activity\IManager::class, function (Server $c) {
2016-05-02 12:57:24 +03:00
return new \OC\Activity\Manager(
$c->getRequest(),
$c->getUserSession(),
$c->getConfig(),
$c->query(IValidator::class)
);
});
$this->registerAlias('ActivityManager', \OCP\Activity\IManager::class);
$this->registerService(\OCP\Activity\IEventMerger::class, function (Server $c) {
return new \OC\Activity\EventMerger(
$c->getL10N('lib')
);
});
$this->registerAlias(IValidator::class, Validator::class);
$this->registerService(\OCP\IAvatarManager::class, function (Server $c) {
return new AvatarManager(
$c->query(\OC\User\Manager::class),
$c->getAppDataDir('avatar'),
$c->getL10N('lib'),
$c->getLogger(),
$c->getConfig()
);
2013-09-20 13:46:11 +04:00
});
$this->registerAlias('AvatarManager', \OCP\IAvatarManager::class);
$this->registerAlias(\OCP\Support\CrashReport\IRegistry::class, \OC\Support\CrashReport\Registry::class);
$this->registerService(\OCP\ILogger::class, function (Server $c) {
$logType = $c->query('AllConfig')->getSystemValue('log_type', 'file');
$factory = new LogFactory($c, $this->getSystemConfig());
$logger = $factory->get($logType);
$registry = $c->query(\OCP\Support\CrashReport\IRegistry::class);
return new Log($logger, $this->getSystemConfig(), null, $registry);
});
$this->registerAlias('Logger', \OCP\ILogger::class);
$this->registerService(ILogFactory::class, function (Server $c) {
return new LogFactory($c, $this->getSystemConfig());
});
$this->registerService(\OCP\BackgroundJob\IJobList::class, function (Server $c) {
$config = $c->getConfig();
return new \OC\BackgroundJob\JobList(
$c->getDatabaseConnection(),
$config,
new TimeFactory()
);
});
$this->registerAlias('JobList', \OCP\BackgroundJob\IJobList::class);
$this->registerService(\OCP\Route\IRouter::class, function (Server $c) {
$cacheFactory = $c->getMemCacheFactory();
2015-11-27 15:51:20 +03:00
$logger = $c->getLogger();
if ($cacheFactory->isLocalCacheAvailable()) {
$router = new \OC\Route\CachingRouter($cacheFactory->createLocal('route'), $logger);
} else {
2015-11-27 15:51:20 +03:00
$router = new \OC\Route\Router($logger);
}
return $router;
});
$this->registerAlias('Router', \OCP\Route\IRouter::class);
$this->registerService(\OCP\ISearch::class, function ($c) {
return new Search();
});
$this->registerAlias('Search', \OCP\ISearch::class);
$this->registerService(\OC\Security\RateLimiting\Limiter::class, function (Server $c) {
return new \OC\Security\RateLimiting\Limiter(
$this->getUserSession(),
$this->getRequest(),
new \OC\AppFramework\Utility\TimeFactory(),
$c->query(\OC\Security\RateLimiting\Backend\IBackend::class)
);
});
2017-08-24 17:21:50 +03:00
$this->registerService(\OC\Security\RateLimiting\Backend\IBackend::class, function ($c) {
return new \OC\Security\RateLimiting\Backend\MemoryCache(
$this->getMemCacheFactory(),
new \OC\AppFramework\Utility\TimeFactory()
);
});
$this->registerService(\OCP\Security\ISecureRandom::class, function ($c) {
return new SecureRandom();
});
$this->registerAlias('SecureRandom', \OCP\Security\ISecureRandom::class);
$this->registerService(\OCP\Security\ICrypto::class, function (Server $c) {
return new Crypto($c->getConfig(), $c->getSecureRandom());
});
$this->registerAlias('Crypto', \OCP\Security\ICrypto::class);
$this->registerService(\OCP\Security\IHasher::class, function (Server $c) {
return new Hasher($c->getConfig());
});
$this->registerAlias('Hasher', \OCP\Security\IHasher::class);
$this->registerService(\OCP\Security\ICredentialsManager::class, function (Server $c) {
return new CredentialsManager($c->getCrypto(), $c->getDatabaseConnection());
});
$this->registerAlias('CredentialsManager', \OCP\Security\ICredentialsManager::class);
$this->registerService(IDBConnection::class, function (Server $c) {
$systemConfig = $c->getSystemConfig();
$factory = new \OC\DB\ConnectionFactory($systemConfig);
$type = $systemConfig->getValue('dbtype', 'sqlite');
if (!$factory->isValidType($type)) {
throw new \OC\DatabaseException('Invalid database type');
}
$connectionParams = $factory->createConnectionParams();
$connection = $factory->getConnection($type, $connectionParams);
$connection->getConfiguration()->setSQLLogger($c->getQueryLogger());
return $connection;
});
$this->registerAlias('DatabaseConnection', IDBConnection::class);
$this->registerService(\OCP\Http\Client\IClientService::class, function (Server $c) {
2015-03-16 13:28:23 +03:00
$user = \OC_User::getUser();
$uid = $user ? $user : null;
return new ClientService(
$c->getConfig(),
new \OC\Security\CertificateManager(
$uid,
new View(),
$c->getConfig(),
$c->getLogger(),
$c->getSecureRandom()
)
2015-03-16 13:28:23 +03:00
);
});
$this->registerAlias('HttpClientService', \OCP\Http\Client\IClientService::class);
$this->registerService(\OCP\Diagnostics\IEventLogger::class, function (Server $c) {
$eventLogger = new EventLogger();
if ($c->getSystemConfig()->getValue('debug', false)) {
// In debug mode, module is being activated by default
$eventLogger->activate();
}
return $eventLogger;
});
$this->registerAlias('EventLogger', \OCP\Diagnostics\IEventLogger::class);
$this->registerService(\OCP\Diagnostics\IQueryLogger::class, function (Server $c) {
$queryLogger = new QueryLogger();
if ($c->getSystemConfig()->getValue('debug', false)) {
// In debug mode, module is being activated by default
$queryLogger->activate();
}
return $queryLogger;
});
$this->registerAlias('QueryLogger', \OCP\Diagnostics\IQueryLogger::class);
$this->registerService(TempManager::class, function (Server $c) {
return new TempManager(
$c->getLogger(),
$c->getConfig()
);
});
$this->registerAlias('TempManager', TempManager::class);
$this->registerAlias(ITempManager::class, TempManager::class);
$this->registerService(AppManager::class, function (Server $c) {
return new \OC\App\AppManager(
$c->getUserSession(),
$c->query(\OC\AppConfig::class),
$c->getGroupManager(),
$c->getMemCacheFactory(),
$c->getEventDispatcher()
);
});
$this->registerAlias('AppManager', AppManager::class);
$this->registerAlias(IAppManager::class, AppManager::class);
$this->registerService(\OCP\IDateTimeZone::class, function (Server $c) {
2014-12-16 17:34:55 +03:00
return new DateTimeZone(
$c->getConfig(),
$c->getSession()
);
});
$this->registerAlias('DateTimeZone', \OCP\IDateTimeZone::class);
$this->registerService(\OCP\IDateTimeFormatter::class, function (Server $c) {
$language = $c->getConfig()->getUserValue($c->getSession()->get('user_id'), 'core', 'lang', null);
2014-12-16 17:34:55 +03:00
return new DateTimeFormatter(
$c->getDateTimeZone()->getTimeZone(),
$c->getL10N('lib', $language)
);
});
$this->registerAlias('DateTimeFormatter', \OCP\IDateTimeFormatter::class);
$this->registerService(\OCP\Files\Config\IUserMountCache::class, function (Server $c) {
2015-12-03 16:10:05 +03:00
$mountCache = new UserMountCache($c->getDatabaseConnection(), $c->getUserManager(), $c->getLogger());
$listener = new UserMountCacheListener($mountCache);
$listener->listen($c->getUserManager());
return $mountCache;
});
$this->registerAlias('UserMountCache', \OCP\Files\Config\IUserMountCache::class);
$this->registerService(\OCP\Files\Config\IMountProviderCollection::class, function (Server $c) {
$loader = \OC\Files\Filesystem::getLoader();
2015-12-03 16:10:05 +03:00
$mountCache = $c->query('UserMountCache');
2017-08-24 17:21:50 +03:00
$manager = new \OC\Files\Config\MountProviderCollection($loader, $mountCache);
// builtin providers
$config = $c->getConfig();
$manager->registerProvider(new CacheMountProvider($config));
$manager->registerHomeProvider(new LocalHomeMountProvider());
$manager->registerHomeProvider(new ObjectHomeMountProvider($config));
return $manager;
});
$this->registerAlias('MountConfigManager', \OCP\Files\Config\IMountProviderCollection::class);
2014-12-05 21:56:29 +03:00
$this->registerService('IniWrapper', function ($c) {
return new IniGetWrapper();
2014-12-05 21:56:29 +03:00
});
$this->registerService('AsyncCommandBus', function (Server $c) {
2017-08-24 17:21:50 +03:00
$busClass = $c->getConfig()->getSystemValue('commandbus');
if ($busClass) {
list($app, $class) = explode('::', $busClass, 2);
if ($c->getAppManager()->isInstalled($app)) {
\OC_App::loadApp($app);
return $c->query($class);
} else {
throw new ServiceUnavailableException("The app providing the command bus ($app) is not enabled");
}
} else {
$jobList = $c->getJobList();
return new CronBus($jobList);
}
});
2015-02-17 00:12:47 +03:00
$this->registerService('TrustedDomainHelper', function ($c) {
return new TrustedDomainHelper($this->getConfig());
});
2017-08-24 17:21:50 +03:00
$this->registerService('Throttler', function (Server $c) {
return new Throttler(
$c->getDatabaseConnection(),
new TimeFactory(),
$c->getLogger(),
$c->getConfig()
);
});
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
$this->registerService('IntegrityCodeChecker', function (Server $c) {
// IConfig and IAppManager requires a working database. This code
// might however be called when ownCloud is not yet setup.
2017-08-24 17:21:50 +03:00
if (\OC::$server->getSystemConfig()->getValue('installed', false)) {
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
$config = $c->getConfig();
$appManager = $c->getAppManager();
} else {
$config = null;
$appManager = null;
}
return new Checker(
2017-08-24 17:21:50 +03:00
new EnvironmentHelper(),
new FileAccessHelper(),
new AppLocator(),
$config,
$c->getMemCacheFactory(),
$appManager,
$c->getTempManager()
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
);
});
$this->registerService(\OCP\IRequest::class, function ($c) {
if (isset($this['urlParams'])) {
$urlParams = $this['urlParams'];
} else {
$urlParams = [];
}
if (defined('PHPUNIT_RUN') && PHPUNIT_RUN
&& in_array('fakeinput', stream_get_wrappers())
) {
$stream = 'fakeinput://data';
} else {
$stream = 'php://input';
}
return new Request(
[
'get' => $_GET,
'post' => $_POST,
'files' => $_FILES,
'server' => $_SERVER,
'env' => $_ENV,
'cookies' => $_COOKIE,
'method' => (isset($_SERVER) && isset($_SERVER['REQUEST_METHOD']))
? $_SERVER['REQUEST_METHOD']
: '',
'urlParams' => $urlParams,
],
$this->getSecureRandom(),
$this->getConfig(),
$this->getCsrfTokenManager(),
$stream
);
});
$this->registerAlias('Request', \OCP\IRequest::class);
$this->registerService(\OCP\Mail\IMailer::class, function (Server $c) {
2015-03-16 15:01:17 +03:00
return new Mailer(
$c->getConfig(),
$c->getLogger(),
$c->query(Defaults::class),
$c->getURLGenerator(),
$c->getL10N('lib')
2015-03-16 15:01:17 +03:00
);
});
$this->registerAlias('Mailer', \OCP\Mail\IMailer::class);
2017-08-24 17:21:50 +03:00
$this->registerService('LDAPProvider', function (Server $c) {
2016-07-22 11:46:29 +03:00
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('ldapProviderFactory', null);
2017-08-24 17:21:50 +03:00
if (is_null($factoryClass)) {
2016-07-22 11:46:29 +03:00
throw new \Exception('ldapProviderFactory not set');
}
/** @var \OCP\LDAP\ILDAPProviderFactory $factory */
$factory = new $factoryClass($this);
return $factory->getLDAPProvider();
});
$this->registerService(ILockingProvider::class, function (Server $c) {
2016-03-24 16:07:43 +03:00
$ini = $c->getIniWrapper();
$config = $c->getConfig();
$ttl = $config->getSystemValue('filelocking.ttl', max(3600, $ini->getNumeric('max_execution_time')));
if ($config->getSystemValue('filelocking.enabled', true) or (defined('PHPUNIT_RUN') && PHPUNIT_RUN)) {
2015-05-21 17:11:10 +03:00
/** @var \OC\Memcache\Factory $memcacheFactory */
$memcacheFactory = $c->getMemCacheFactory();
$memcache = $memcacheFactory->createLocking('lock');
2015-09-02 17:55:37 +03:00
if (!($memcache instanceof \OC\Memcache\NullCache)) {
2016-03-24 16:07:43 +03:00
return new MemcacheLockingProvider($memcache, $ttl);
2015-09-02 17:55:37 +03:00
}
return new DBLockingProvider(
$c->getDatabaseConnection(),
$c->getLogger(),
new TimeFactory(),
$ttl,
!\OC::$CLI
);
2015-05-21 17:11:10 +03:00
}
return new NoopLockingProvider();
});
$this->registerAlias('LockingProvider', ILockingProvider::class);
$this->registerService(\OCP\Files\Mount\IMountManager::class, function () {
return new \OC\Files\Mount\Manager();
});
$this->registerAlias('MountManager', \OCP\Files\Mount\IMountManager::class);
$this->registerService(\OCP\Files\IMimeTypeDetector::class, function (Server $c) {
return new \OC\Files\Type\Detection(
$c->getURLGenerator(),
\OC::$configDir,
\OC::$SERVERROOT . '/resources/config/'
2015-12-03 16:10:05 +03:00
);
});
$this->registerAlias('MimeTypeDetector', \OCP\Files\IMimeTypeDetector::class);
$this->registerService(\OCP\Files\IMimeTypeLoader::class, function (Server $c) {
2015-09-03 21:48:42 +03:00
return new \OC\Files\Type\Loader(
$c->getDatabaseConnection()
);
});
$this->registerAlias('MimeTypeLoader', \OCP\Files\IMimeTypeLoader::class);
$this->registerService(BundleFetcher::class, function () {
return new BundleFetcher($this->getL10N('lib'));
});
$this->registerService(\OCP\Notification\IManager::class, function (Server $c) {
return new Manager(
$c->query(IValidator::class)
);
2015-08-31 13:24:37 +03:00
});
$this->registerAlias('NotificationManager', \OCP\Notification\IManager::class);
$this->registerService(\OC\CapabilitiesManager::class, function (Server $c) {
$manager = new \OC\CapabilitiesManager($c->getLogger());
2015-12-03 16:10:05 +03:00
$manager->registerCapability(function () use ($c) {
return new \OC\OCS\CoreCapabilities($c->getConfig());
2015-07-21 22:44:59 +03:00
});
$manager->registerCapability(function () use ($c) {
return $c->query(\OC\Security\Bruteforce\Capabilities::class);
});
2015-07-21 22:44:59 +03:00
return $manager;
});
$this->registerAlias('CapabilitiesManager', \OC\CapabilitiesManager::class);
2017-08-24 17:21:50 +03:00
$this->registerService(\OCP\Comments\ICommentsManager::class, function (Server $c) {
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('comments.managerFactory', CommentsManagerFactory::class);
/** @var \OCP\Comments\ICommentsManagerFactory $factory */
$factory = new $factoryClass($this);
$manager = $factory->getManager();
$manager->registerDisplayNameResolver('user', function($id) use ($c) {
$manager = $c->getUserManager();
$user = $manager->get($id);
if(is_null($user)) {
$l = $c->getL10N('core');
$displayName = $l->t('Unknown user');
} else {
$displayName = $user->getDisplayName();
}
return $displayName;
});
return $manager;
});
$this->registerAlias('CommentsManager', \OCP\Comments\ICommentsManager::class);
2017-08-24 17:21:50 +03:00
$this->registerService('ThemingDefaults', function (Server $c) {
/*
* Dark magic for autoloader.
* If we do a class_exists it will try to load the class which will
* make composer cache the result. Resulting in errors when enabling
* the theming app.
*/
$prefixes = \OC::$composerAutoloader->getPrefixesPsr4();
if (isset($prefixes['OCA\\Theming\\'])) {
$classExists = true;
} else {
2016-07-22 17:49:33 +03:00
$classExists = false;
}
if ($classExists && $c->getConfig()->getSystemValue('installed', false) && $c->getAppManager()->isInstalled('theming') && $c->getTrustedDomainHelper()->isTrustedDomain($c->getRequest()->getInsecureServerHost())) {
return new ThemingDefaults(
$c->getConfig(),
$c->getL10N('theming'),
$c->getURLGenerator(),
$c->getMemCacheFactory(),
new Util($c->getConfig(), $this->getAppManager(), $c->getAppDataDir('theming')),
new ImageManager($c->getConfig(), $c->getAppDataDir('theming'), $c->getURLGenerator(), $this->getMemCacheFactory(), $this->getLogger()),
$c->getAppManager()
);
}
return new \OC_Defaults();
});
2017-08-24 17:21:50 +03:00
$this->registerService(SCSSCacher::class, function (Server $c) {
/** @var Factory $cacheFactory */
$cacheFactory = $c->query(Factory::class);
return new SCSSCacher(
$c->getLogger(),
$c->query(\OC\Files\AppData\Factory::class),
$c->getURLGenerator(),
$c->getConfig(),
$c->getThemingDefaults(),
\OC::$SERVERROOT,
$this->getMemCacheFactory()
);
});
$this->registerService(JSCombiner::class, function (Server $c) {
/** @var Factory $cacheFactory */
$cacheFactory = $c->query(Factory::class);
return new JSCombiner(
$c->getAppDataDir('js'),
$c->getURLGenerator(),
$this->getMemCacheFactory(),
$c->getSystemConfig(),
$c->getLogger()
);
});
$this->registerService(EventDispatcher::class, function () {
return new EventDispatcher();
});
$this->registerAlias('EventDispatcher', EventDispatcher::class);
$this->registerAlias(EventDispatcherInterface::class, EventDispatcher::class);
$this->registerService('CryptoWrapper', function (Server $c) {
// FIXME: Instantiiated here due to cyclic dependency
$request = new Request(
[
'get' => $_GET,
'post' => $_POST,
'files' => $_FILES,
'server' => $_SERVER,
'env' => $_ENV,
'cookies' => $_COOKIE,
'method' => (isset($_SERVER) && isset($_SERVER['REQUEST_METHOD']))
? $_SERVER['REQUEST_METHOD']
: null,
],
$c->getSecureRandom(),
$c->getConfig()
);
return new CryptoWrapper(
$c->getConfig(),
$c->getCrypto(),
$c->getSecureRandom(),
$request
);
});
$this->registerService('CsrfTokenManager', function (Server $c) {
$tokenGenerator = new CsrfTokenGenerator($c->getSecureRandom());
return new CsrfTokenManager(
$tokenGenerator,
$c->query(SessionStorage::class)
);
});
$this->registerService(SessionStorage::class, function (Server $c) {
return new SessionStorage($c->getSession());
});
$this->registerService(\OCP\Security\IContentSecurityPolicyManager::class, function (Server $c) {
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
2016-01-28 16:33:02 +03:00
return new ContentSecurityPolicyManager();
});
$this->registerAlias('ContentSecurityPolicyManager', \OCP\Security\IContentSecurityPolicyManager::class);
2017-08-24 17:21:50 +03:00
$this->registerService('ContentSecurityPolicyNonceManager', function (Server $c) {
return new ContentSecurityPolicyNonceManager(
$c->getCsrfTokenManager(),
$c->getRequest()
);
});
2017-08-24 17:21:50 +03:00
$this->registerService(\OCP\Share\IManager::class, function (Server $c) {
$config = $c->getConfig();
$factoryClass = $config->getSystemValue('sharing.managerFactory', ProviderFactory::class);
2016-05-02 12:59:54 +03:00
/** @var \OCP\Share\IProviderFactory $factory */
2016-01-20 10:30:37 +03:00
$factory = new $factoryClass($this);
$manager = new \OC\Share20\Manager(
$c->getLogger(),
$c->getConfig(),
$c->getSecureRandom(),
$c->getHasher(),
$c->getMountManager(),
$c->getGroupManager(),
$c->getL10N('lib'),
$c->getL10NFactory(),
2016-02-02 23:02:09 +03:00
$factory,
$c->getUserManager(),
2016-06-24 18:53:37 +03:00
$c->getLazyRootFolder(),
$c->getEventDispatcher(),
$c->getMailer(),
$c->getURLGenerator(),
$c->getThemingDefaults()
);
return $manager;
});
$this->registerAlias('ShareManager', \OCP\Share\IManager::class);
$this->registerService(\OCP\Collaboration\Collaborators\ISearch::class, function(Server $c) {
$instance = new Collaboration\Collaborators\Search($c);
// register default plugins
$instance->registerPlugin(['shareType' => 'SHARE_TYPE_USER', 'class' => UserPlugin::class]);
$instance->registerPlugin(['shareType' => 'SHARE_TYPE_GROUP', 'class' => GroupPlugin::class]);
$instance->registerPlugin(['shareType' => 'SHARE_TYPE_EMAIL', 'class' => MailPlugin::class]);
$instance->registerPlugin(['shareType' => 'SHARE_TYPE_REMOTE', 'class' => RemotePlugin::class]);
return $instance;
});
$this->registerAlias('CollaboratorSearch', \OCP\Collaboration\Collaborators\ISearch::class);
$this->registerAlias(\OCP\Collaboration\AutoComplete\IManager::class, \OC\Collaboration\AutoComplete\Manager::class);
2017-08-24 17:21:50 +03:00
$this->registerService('SettingsManager', function (Server $c) {
$manager = new \OC\Settings\Manager(
$c->getLogger(),
$c->getDatabaseConnection(),
$c->getL10N('lib'),
$c->getConfig(),
$c->getEncryptionManager(),
2016-08-12 17:52:20 +03:00
$c->getUserManager(),
$c->getLockingProvider(),
$c->getRequest(),
$c->getURLGenerator(),
$c->query(AccountManager::class),
$c->getGroupManager(),
$c->getL10NFactory(),
$c->getAppManager()
);
return $manager;
});
$this->registerService(\OC\Files\AppData\Factory::class, function (Server $c) {
return new \OC\Files\AppData\Factory(
$c->getRootFolder(),
$c->getSystemConfig()
);
});
$this->registerService('LockdownManager', function (Server $c) {
2017-08-24 17:21:50 +03:00
return new LockdownManager(function () use ($c) {
return $c->getSession();
});
});
$this->registerService(\OCP\OCS\IDiscoveryService::class, function (Server $c) {
return new DiscoveryService($c->getMemCacheFactory(), $c->getHTTPClientService());
});
$this->registerService(ICloudIdManager::class, function (Server $c) {
return new CloudIdManager();
});
$this->registerAlias(\OCP\AppFramework\Utility\IControllerMethodReflector::class, \OC\AppFramework\Utility\ControllerMethodReflector::class);
$this->registerAlias('ControllerMethodReflector', \OCP\AppFramework\Utility\IControllerMethodReflector::class);
$this->registerAlias(\OCP\AppFramework\Utility\ITimeFactory::class, \OC\AppFramework\Utility\TimeFactory::class);
$this->registerAlias('TimeFactory', \OCP\AppFramework\Utility\ITimeFactory::class);
$this->registerService(Defaults::class, function (Server $c) {
return new Defaults(
$c->getThemingDefaults()
);
});
$this->registerAlias('Defaults', \OCP\Defaults::class);
2017-08-24 17:21:50 +03:00
$this->registerService(\OCP\ISession::class, function (SimpleContainer $c) {
return $c->query(\OCP\IUserSession::class)->getSession();
});
2017-08-24 17:21:50 +03:00
$this->registerService(IShareHelper::class, function (Server $c) {
return new ShareHelper(
$c->query(\OCP\Share\IManager::class)
);
});
$this->registerService(Installer::class, function(Server $c) {
return new Installer(
$c->getAppFetcher(),
$c->getHTTPClientService(),
$c->getTempManager(),
$c->getLogger(),
$c->getConfig()
);
});
$this->registerService(IApiFactory::class, function(Server $c) {
return new ApiFactory($c->getHTTPClientService());
});
$this->registerService(IInstanceFactory::class, function(Server $c) {
$memcacheFactory = $c->getMemCacheFactory();
return new InstanceFactory($memcacheFactory->createLocal('remoteinstance.'), $c->getHTTPClientService());
});
$this->registerService(IContactsStore::class, function(Server $c) {
return new ContactsStore(
$c->getContactsManager(),
$c->getConfig(),
$c->getUserManager(),
$c->getGroupManager()
);
});
$this->registerAlias(IContactsStore::class, ContactsStore::class);
$this->connectDispatcher();
}
/**
* @return \OCP\Calendar\IManager
*/
public function getCalendarManager() {
return $this->query('CalendarManager');
}
private function connectDispatcher() {
$dispatcher = $this->getEventDispatcher();
// Delete avatar on user deletion
$dispatcher->addListener('OCP\IUser::preDelete', function(GenericEvent $e) {
$logger = $this->getLogger();
$manager = $this->getAvatarManager();
/** @var IUser $user */
$user = $e->getSubject();
try {
$avatar = $manager->getAvatar($user->getUID());
$avatar->remove();
} catch (NotFoundException $e) {
// no avatar to remove
} catch (\Exception $e) {
// Ignore exceptions
$logger->info('Could not cleanup avatar of ' . $user->getUID());
}
});
$dispatcher->addListener('OCP\IUser::changeUser', function (GenericEvent $e) {
$manager = $this->getAvatarManager();
/** @var IUser $user */
$user = $e->getSubject();
$feature = $e->getArgument('feature');
$oldValue = $e->getArgument('oldValue');
$value = $e->getArgument('value');
try {
$avatar = $manager->getAvatar($user->getUID());
$avatar->userChanged($feature, $oldValue, $value);
} catch (NotFoundException $e) {
// no avatar to remove
}
});
}
/**
* @return \OCP\Contacts\IManager
*/
public function getContactsManager() {
return $this->query('ContactsManager');
}
/**
* @return \OC\Encryption\Manager
*/
public function getEncryptionManager() {
return $this->query('EncryptionManager');
}
/**
* @return \OC\Encryption\File
*/
public function getEncryptionFilesHelper() {
return $this->query('EncryptionFileHelper');
}
/**
* @return \OCP\Encryption\Keys\IStorage
*/
public function getEncryptionKeyStorage() {
return $this->query('EncryptionKeyStorage');
}
/**
* The current request object holding all information about the request
* currently being processed is returned from this method.
* In case the current execution was not initiated by a web request null is returned
*
2015-04-01 13:13:49 +03:00
* @return \OCP\IRequest
*/
public function getRequest() {
return $this->query('Request');
}
2013-09-05 01:45:11 +04:00
/**
* Returns the preview manager which can create preview images for a given file
*
* @return \OCP\IPreview
*/
public function getPreviewManager() {
2013-09-05 01:45:11 +04:00
return $this->query('PreviewManager');
}
/**
* Returns the tag manager which can get and set tags for different object types
*
* @see \OCP\ITagManager::load()
* @return \OCP\ITagManager
*/
public function getTagManager() {
return $this->query('TagManager');
}
/**
* Returns the system-tag manager
*
* @return \OCP\SystemTag\ISystemTagManager
*
* @since 9.0.0
*/
public function getSystemTagManager() {
return $this->query('SystemTagManager');
}
/**
* Returns the system-tag object mapper
*
* @return \OCP\SystemTag\ISystemTagObjectMapper
*
* @since 9.0.0
*/
public function getSystemTagObjectMapper() {
return $this->query('SystemTagObjectMapper');
}
2013-09-20 13:46:11 +04:00
/**
* Returns the avatar manager, used for avatar functionality
*
2013-11-22 15:34:37 +04:00
* @return \OCP\IAvatarManager
2013-09-20 13:46:11 +04:00
*/
public function getAvatarManager() {
2013-09-20 13:46:11 +04:00
return $this->query('AvatarManager');
}
/**
* Returns the root folder of ownCloud's data directory
*
* @return \OCP\Files\IRootFolder
*/
public function getRootFolder() {
2016-08-26 13:13:34 +03:00
return $this->query('LazyRootFolder');
}
2016-03-11 16:00:36 +03:00
/**
* Returns the root folder of ownCloud's data directory
* This is the lazy variant so this gets only initialized once it
* is actually used.
*
* @return \OCP\Files\IRootFolder
*/
public function getLazyRootFolder() {
return $this->query('LazyRootFolder');
}
2013-09-18 16:25:12 +04:00
/**
* Returns a view to ownCloud's files folder
*
* @param string $userId user ID
* @return \OCP\Files\Folder|null
2013-09-18 16:25:12 +04:00
*/
public function getUserFolder($userId = null) {
if ($userId === null) {
$user = $this->getUserSession()->getUser();
if (!$user) {
return null;
}
$userId = $user->getUID();
}
2013-09-18 16:25:12 +04:00
$root = $this->getRootFolder();
return $root->getUserFolder($userId);
2013-09-18 16:25:12 +04:00
}
/**
* Returns an app-specific view in ownClouds data directory
*
* @return \OCP\Files\Folder
* @deprecated since 9.2.0 use IAppData
2013-09-18 16:25:12 +04:00
*/
public function getAppFolder() {
2014-07-22 21:45:01 +04:00
$dir = '/' . \OC_App::getCurrentApp();
2013-09-18 16:25:12 +04:00
$root = $this->getRootFolder();
2014-07-16 16:25:31 +04:00
if (!$root->nodeExists($dir)) {
2013-09-18 16:25:12 +04:00
$folder = $root->newFolder($dir);
} else {
$folder = $root->get($dir);
}
return $folder;
}
2013-09-20 14:45:56 +04:00
/**
* @return \OC\User\Manager
*/
public function getUserManager() {
2013-09-20 14:45:56 +04:00
return $this->query('UserManager');
}
2014-07-16 16:25:31 +04:00
/**
* @return \OC\Group\Manager
*/
public function getGroupManager() {
2014-07-16 16:25:31 +04:00
return $this->query('GroupManager');
}
2013-09-20 14:45:56 +04:00
/**
* @return \OC\User\Session
*/
public function getUserSession() {
2013-09-20 14:45:56 +04:00
return $this->query('UserSession');
}
/**
* @return \OCP\ISession
*/
public function getSession() {
return $this->query('UserSession')->getSession();
}
/**
* @param \OCP\ISession $session
*/
public function setSession(\OCP\ISession $session) {
$this->query(SessionStorage::class)->setSession($session);
$this->query('UserSession')->setSession($session);
$this->query(Store::class)->setSession($session);
}
2016-05-11 12:23:25 +03:00
/**
* @return \OC\Authentication\TwoFactorAuth\Manager
*/
public function getTwoFactorAuthManager() {
return $this->query('\OC\Authentication\TwoFactorAuth\Manager');
}
/**
* @return \OC\NavigationManager
*/
public function getNavigationManager() {
return $this->query('NavigationManager');
}
/**
* @return \OCP\IConfig
*/
public function getConfig() {
return $this->query('AllConfig');
}
/**
* @return \OC\SystemConfig
*/
public function getSystemConfig() {
return $this->query('SystemConfig');
}
/**
* Returns the app config manager
*
* @return \OCP\IAppConfig
*/
public function getAppConfig() {
return $this->query('AppConfig');
}
/**
* @return \OCP\L10N\IFactory
*/
public function getL10NFactory() {
return $this->query('L10NFactory');
}
2013-09-25 20:34:01 +04:00
/**
* get an L10N instance
2014-07-16 16:25:31 +04:00
*
2014-03-01 00:03:43 +04:00
* @param string $app appid
2014-08-31 12:05:59 +04:00
* @param string $lang
* @return IL10N
2013-09-25 20:34:01 +04:00
*/
public function getL10N($app, $lang = null) {
return $this->getL10NFactory()->get($app, $lang);
2013-09-25 20:34:01 +04:00
}
/**
* @return \OCP\IURLGenerator
*/
public function getURLGenerator() {
return $this->query('URLGenerator');
}
/**
* @return AppFetcher
*/
public function getAppFetcher() {
return $this->query(AppFetcher::class);
}
/**
* Returns an ICache instance. Since 8.1.0 it returns a fake cache. Use
* getMemCacheFactory() instead.
*
* @return \OCP\ICache
* @deprecated 8.1.0 use getMemCacheFactory to obtain a proper cache
*/
public function getCache() {
return $this->query('UserCache');
}
2014-01-06 15:55:56 +04:00
/**
2014-01-08 18:51:40 +04:00
* Returns an \OCP\CacheFactory instance
2014-01-06 15:55:56 +04:00
*
* @return \OCP\ICacheFactory
2014-01-06 15:55:56 +04:00
*/
public function getMemCacheFactory() {
return $this->query('MemCacheFactory');
2014-01-06 15:55:56 +04:00
}
/**
* Returns an \OC\RedisFactory instance
*
* @return \OC\RedisFactory
*/
public function getGetRedisFactory() {
return $this->query('RedisFactory');
}
/**
* Returns the current session
2013-09-20 16:33:45 +04:00
*
* @return \OCP\IDBConnection
*/
public function getDatabaseConnection() {
return $this->query('DatabaseConnection');
2013-09-20 16:33:45 +04:00
}
/**
* Returns the activity manager
*
* @return \OCP\Activity\IManager
*/
public function getActivityManager() {
return $this->query('ActivityManager');
2013-09-20 16:33:45 +04:00
}
/**
* Returns an job list for controlling background jobs
*
* @return \OCP\BackgroundJob\IJobList
*/
public function getJobList() {
return $this->query('JobList');
}
/**
* Returns a logger instance
*
* @return \OCP\ILogger
*/
public function getLogger() {
return $this->query('Logger');
}
/**
* @return ILogFactory
* @throws \OCP\AppFramework\QueryException
*/
public function getLogFactory() {
return $this->query(ILogFactory::class);
}
/**
* Returns a router for generating and matching urls
*
* @return \OCP\Route\IRouter
*/
public function getRouter() {
return $this->query('Router');
}
2014-04-19 21:30:12 +04:00
/**
* Returns a search instance
2014-07-16 16:25:31 +04:00
*
* @return \OCP\ISearch
*/
public function getSearch() {
return $this->query('Search');
}
2014-04-19 21:30:12 +04:00
/**
* Returns a SecureRandom instance
*
* @return \OCP\Security\ISecureRandom
*/
public function getSecureRandom() {
return $this->query('SecureRandom');
}
/**
* Returns a Crypto instance
*
* @return \OCP\Security\ICrypto
*/
public function getCrypto() {
return $this->query('Crypto');
}
/**
* Returns a Hasher instance
*
* @return \OCP\Security\IHasher
*/
public function getHasher() {
return $this->query('Hasher');
}
/**
* Returns a CredentialsManager instance
*
* @return \OCP\Security\ICredentialsManager
*/
public function getCredentialsManager() {
return $this->query('CredentialsManager');
}
/**
* Get the certificate manager for the user
*
* @param string $userId (optional) if not specified the current loggedin user is used, use null to get the system certificate manager
2015-06-17 16:47:45 +03:00
* @return \OCP\ICertificateManager | null if $uid is null and no user is logged in
*/
public function getCertificateManager($userId = '') {
if ($userId === '') {
$userSession = $this->getUserSession();
$user = $userSession->getUser();
if (is_null($user)) {
return null;
}
$userId = $user->getUID();
}
return new CertificateManager(
$userId,
new View(),
$this->getConfig(),
$this->getLogger(),
$this->getSecureRandom()
);
}
2014-08-29 19:19:38 +04:00
2015-03-16 13:28:23 +03:00
/**
* Returns an instance of the HTTP client service
*
* @return \OCP\Http\Client\IClientService
*/
public function getHTTPClientService() {
2015-03-16 13:28:23 +03:00
return $this->query('HttpClientService');
}
2014-08-29 19:19:38 +04:00
/**
2014-09-04 03:10:02 +04:00
* Create a new event source
2014-08-29 19:19:38 +04:00
*
* @return \OCP\IEventSource
*/
public function createEventSource() {
2014-08-29 19:19:38 +04:00
return new \OC_EventSource();
}
/**
* Get the active event logger
*
* The returned logger only logs data when debug mode is enabled
*
2014-10-03 22:39:09 +04:00
* @return \OCP\Diagnostics\IEventLogger
*/
public function getEventLogger() {
return $this->query('EventLogger');
}
/**
* Get the active query logger
*
* The returned logger only logs data when debug mode is enabled
*
2014-10-03 22:39:09 +04:00
* @return \OCP\Diagnostics\IQueryLogger
*/
public function getQueryLogger() {
2014-10-03 22:39:09 +04:00
return $this->query('QueryLogger');
}
/**
* Get the manager for temporary files and folders
*
* @return \OCP\ITempManager
*/
public function getTempManager() {
return $this->query('TempManager');
}
/**
* Get the app manager
*
* @return \OCP\App\IAppManager
*/
public function getAppManager() {
return $this->query('AppManager');
}
2014-11-27 16:36:11 +03:00
/**
* Creates a new mailer
*
* @return \OCP\Mail\IMailer
*/
public function getMailer() {
return $this->query('Mailer');
}
2014-11-27 16:36:11 +03:00
/**
* Get the webroot
*
* @return string
*/
public function getWebRoot() {
2014-11-27 16:50:14 +03:00
return $this->webRoot;
2014-11-27 16:36:11 +03:00
}
/**
* @return \OC\OCSClient
*/
public function getOcsClient() {
return $this->query('OcsClient');
}
/**
2014-12-16 17:34:55 +03:00
* @return \OCP\IDateTimeZone
*/
2014-12-16 17:34:55 +03:00
public function getDateTimeZone() {
return $this->query('DateTimeZone');
}
/**
* @return \OCP\IDateTimeFormatter
*/
public function getDateTimeFormatter() {
return $this->query('DateTimeFormatter');
}
/**
* @return \OCP\Files\Config\IMountProviderCollection
*/
2015-12-03 16:10:05 +03:00
public function getMountProviderCollection() {
return $this->query('MountConfigManager');
}
2014-12-05 21:56:29 +03:00
/**
* Get the IniWrapper
*
* @return IniGetWrapper
2014-12-05 21:56:29 +03:00
*/
public function getIniWrapper() {
return $this->query('IniWrapper');
2014-12-05 21:56:29 +03:00
}
2015-02-17 00:12:47 +03:00
/**
* @return \OCP\Command\IBus
*/
2015-12-03 16:10:05 +03:00
public function getCommandBus() {
return $this->query('AsyncCommandBus');
}
2015-02-17 00:12:47 +03:00
/**
* Get the trusted domain helper
*
* @return TrustedDomainHelper
*/
public function getTrustedDomainHelper() {
return $this->query('TrustedDomainHelper');
}
/**
* Get the locking provider
*
* @return \OCP\Lock\ILockingProvider
* @since 8.1.0
*/
public function getLockingProvider() {
return $this->query('LockingProvider');
}
/**
* @return \OCP\Files\Mount\IMountManager
**/
function getMountManager() {
return $this->query('MountManager');
}
/** @return \OCP\Files\Config\IUserMountCache */
function getUserMountCache() {
return $this->query('UserMountCache');
}
2016-05-03 11:30:07 +03:00
/**
* Get the MimeTypeDetector
*
* @return \OCP\Files\IMimeTypeDetector
*/
public function getMimeTypeDetector() {
return $this->query('MimeTypeDetector');
}
2015-09-03 21:48:42 +03:00
/**
* Get the MimeTypeLoader
*
* @return \OCP\Files\IMimeTypeLoader
*/
public function getMimeTypeLoader() {
return $this->query('MimeTypeLoader');
}
/**
* Get the manager of all the capabilities
*
* @return \OC\CapabilitiesManager
*/
public function getCapabilitiesManager() {
return $this->query('CapabilitiesManager');
}
/**
* Get the EventDispatcher
*
* @return EventDispatcherInterface
* @since 8.2.0
*/
public function getEventDispatcher() {
return $this->query('EventDispatcher');
}
2015-08-31 13:24:37 +03:00
/**
* Get the Notification Manager
*
* @return \OCP\Notification\IManager
2015-08-31 13:24:37 +03:00
* @since 8.2.0
*/
public function getNotificationManager() {
return $this->query('NotificationManager');
}
/**
* @return \OCP\Comments\ICommentsManager
*/
public function getCommentsManager() {
return $this->query('CommentsManager');
}
/**
* @return \OCA\Theming\ThemingDefaults
*/
public function getThemingDefaults() {
return $this->query('ThemingDefaults');
}
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-11-03 22:26:06 +03:00
/**
* @return \OC\IntegrityCheck\Checker
*/
public function getIntegrityCodeChecker() {
return $this->query('IntegrityCodeChecker');
}
/**
* @return \OC\Session\CryptoWrapper
*/
public function getSessionCryptoWrapper() {
return $this->query('CryptoWrapper');
}
/**
* @return CsrfTokenManager
*/
public function getCsrfTokenManager() {
return $this->query('CsrfTokenManager');
}
/**
* @return Throttler
*/
public function getBruteForceThrottler() {
return $this->query('Throttler');
}
Add public API to give developers the possibility to adjust the global CSP defaults Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers. To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`. To test this add something like the following into an `app.php` of any enabled app: ``` $manager = \OC::$server->getContentSecurityPolicyManager(); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('asdf'); $policy->addAllowedScriptDomain('yolo.com'); $policy->allowInlineScript(false); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFontDomain('yolo.com'); $manager->addDefaultPolicy($policy); $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false); $policy->addAllowedFrameDomain('banana.com'); $manager->addDefaultPolicy($policy); ``` If you now open the files app the policy should be: ``` Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self' ```
2016-01-28 16:33:02 +03:00
/**
* @return IContentSecurityPolicyManager
*/
public function getContentSecurityPolicyManager() {
return $this->query('ContentSecurityPolicyManager');
}
/**
* @return ContentSecurityPolicyNonceManager
*/
public function getContentSecurityPolicyNonceManager() {
return $this->query('ContentSecurityPolicyNonceManager');
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\BackendService
*/
public function getStoragesBackendService() {
return $this->query('OCA\\Files_External\\Service\\BackendService');
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\GlobalStoragesService
*/
public function getGlobalStoragesService() {
return $this->query('OCA\\Files_External\\Service\\GlobalStoragesService');
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\UserGlobalStoragesService
*/
public function getUserGlobalStoragesService() {
return $this->query('OCA\\Files_External\\Service\\UserGlobalStoragesService');
}
/**
* Not a public API as of 8.2, wait for 9.0
2015-12-03 16:10:05 +03:00
*
* @return \OCA\Files_External\Service\UserStoragesService
*/
public function getUserStoragesService() {
return $this->query('OCA\\Files_External\\Service\\UserStoragesService');
}
/**
* @return \OCP\Share\IManager
*/
public function getShareManager() {
return $this->query('ShareManager');
}
2015-12-03 16:10:05 +03:00
/**
* @return \OCP\Collaboration\Collaborators\ISearch
*/
public function getCollaboratorSearch() {
return $this->query('CollaboratorSearch');
}
/**
* @return \OCP\Collaboration\AutoComplete\IManager
*/
public function getAutoCompleteManager(){
return $this->query(IManager::class);
}
2016-07-22 11:46:29 +03:00
/**
* Returns the LDAP Provider
*
* @return \OCP\LDAP\ILDAPProvider
*/
public function getLDAPProvider() {
return $this->query('LDAPProvider');
}
/**
* @return \OCP\Settings\IManager
*/
public function getSettingsManager() {
return $this->query('SettingsManager');
}
/**
* @return \OCP\Files\IAppData
*/
public function getAppDataDir($app) {
/** @var \OC\Files\AppData\Factory $factory */
$factory = $this->query(\OC\Files\AppData\Factory::class);
return $factory->get($app);
}
/**
* @return \OCP\Lockdown\ILockdownManager
*/
public function getLockdownManager() {
return $this->query('LockdownManager');
}
/**
* @return \OCP\Federation\ICloudIdManager
*/
public function getCloudIdManager() {
return $this->query(ICloudIdManager::class);
}
/**
* @return \OCP\Remote\Api\IApiFactory
*/
public function getRemoteApiFactory() {
return $this->query(IApiFactory::class);
}
/**
* @return \OCP\Remote\IInstanceFactory
*/
public function getRemoteInstanceFactory() {
return $this->query(IInstanceFactory::class);
}
2013-08-21 02:58:15 +04:00
}