Commit Graph

45 Commits

Author SHA1 Message Date
Lukas Reschke 4971015544 Add code integrity check
This PR implements the base foundation of the code signing and integrity check. Implemented in this PR are the signing and verification logic, as well as commands to sign single apps or the core repository.

Furthermore, there is a basic implementation to display problems with the code integrity on the update screen.

Code signing basically happens the following way:

- There is an ownCloud Root Certificate Authority stored in `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release 😉). This certificate is not intended to be used for signing directly and is only used to sign new certificates.
- Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`; apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID.
- The command generates a signature.json file of the following format:
```json
{
    "hashes": {
        "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d",
        "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9"
    },
    "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----",
    "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl"
}
```
`hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and its CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`.

Steps to do in other PRs, this is already a quite huge one:
- Add nag screen in case the code check fails to ensure that administrators are aware of this.
- Add code verification also to OCC upgrade and unify display code more.
- Add enforced code verification to apps shipped from the appstore with a level of "official"
- Add enforced code verification to apps shipped from the appstore that were already signed in a previous release
- Add some developer documentation on how devs can request their own certificate
- Check when installing ownCloud
- Add support for CRLs to allow revoking certificates

**Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature:

```
➜  master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt
Successfully signed "core"
```

Then increase the version and you should see something like the following:

![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png)

As you can see, a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen.

For packaging stable releases this requires the following additional steps as a last action before zipping:
1. Run `./occ integrity:sign-core` once
2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-12-01 11:55:20 +01:00
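
The hash part of the check described in commit 4971015544 above, as an added example that is not part of the commit or of ownCloud's code: it rebuilds the `hashes` map for a directory, compares it with a manifest, and applies the CN rule. The function names, the sample files and the choice to skip a top-level `signature.json` are assumptions; verifying `signature` against the certificate and the root CA is not reproduced here, and the comparison only means something once that verification has passed.

```python
import hashlib, json, os, tempfile

def hash_tree(root, skip=("signature.json",)):
    """Map '/relative/path' -> SHA-512 hex digest for every file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if rel[1:] in skip:  # assumption: the manifest does not list itself
                continue
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha512(fh.read()).hexdigest()
    return out

def cn_permitted(cn, target):
    """CN rule from the commit message: core needs CN 'core'; an app accepts 'core' or its AppID."""
    return cn == "core" or (target != "core" and cn == target)

def compare(expected, root):
    """Report files that differ from, are absent from, or are not listed in the manifest."""
    actual = hash_tree(root)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "extra": sorted(p for p in actual if p not in expected),
    }

def demo():
    """Constructed sample tree: build a manifest, then tamper with the tree and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "lib"))
        for rel, body in (("filename.php", b"<?php // a\n"), ("lib/base.php", b"<?php // b\n")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        manifest = {"hashes": hash_tree(root)}  # certificate and signature omitted
        with open(os.path.join(root, "signature.json"), "w") as fh:
            json.dump(manifest, fh)
        clean = compare(manifest["hashes"], root)
        with open(os.path.join(root, "lib/base.php"), "ab") as fh:
            fh.write(b"// injected\n")  # changed file
        with open(os.path.join(root, "extra.php"), "wb") as fh:
            fh.write(b"<?php\n")  # file the manifest never listed
        os.remove(os.path.join(root, "filename.php"))  # listed file removed
        return clean, compare(manifest["hashes"], root)

if __name__ == "__main__":
    print(demo())
```

Reporting unlisted files as well as changed ones matters here: a hash list that is only checked entry by entry would not notice a file dropped next to the signed ones.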
Lukas Reschke f3e9106864 Don't trust update server
In case the update server may deliver malicious content this would allow an adversary to inject arbitrary HTML into the response. So very bad stuff.

While signing the response would be better and something we can also do in the future (considering the code signing work), this is already a good first start.
2015-11-28 12:21:53 +01:00
Thomas Müller 4cb5970947 Always pass in ILogger 2015-10-09 14:08:22 +02:00
Thomas Müller 766b69a0c8 Use upstream class SeparatorFilter 2015-09-28 22:52:45 +02:00
Thomas Müller d40867d855 Use JSqueezeFilter instead of JSMinFilter 2015-09-28 22:51:43 +02:00
Thomas Müller 2ea2ec0004 Show 'Apps' in the browser title when app management is open 2015-09-23 15:00:58 +02:00
Morris Jobke f63915d0c8 update license headers and authors 2015-06-25 14:13:49 +02:00
Clark Tomlinson 62286f00a1 fixing setting page titles 2015-06-11 11:39:34 -04:00
Morris Jobke cd516eedcd Use OC.Notification for update notifications
* instead of a static rendering inside PHP use the
  JS OC.Notification.showTemporary to hide the
  notification after 7 seconds automatically
* fixes #14811
2015-05-03 17:26:03 +02:00
Lukas Reschke 0816cf9142 Add experimental applications switch
Allows administrators to disable or enable experimental applications as well as show the trust level.
2015-04-03 13:21:24 +02:00
Jenkins for ownCloud b585d87d9d Update license headers 2015-03-26 11:44:36 +01:00
Adam Williamson fa1be7d296 fall back to absolute path for pipelined assets (#14940)
If the asset is, for example, in an apps directory that is
outside the $SERVERROOT, we won't be able to get a relative
path. We shouldn't just fail hard in this case. Fall back to
using the absolute path instead (as we used to).
2015-03-16 19:08:11 -07:00
Joas Schilling 716ba49a82 Log errors and create 404 in network list when a css or js is missing 2015-03-04 17:56:33 +01:00
Morris Jobke 06aef4e8b1 Revert "Updating license headers"
This reverts commit 6a1a4880f0.
2015-02-26 11:37:37 +01:00
Thomas Müller bbf7f56f94 3rd-party apps are disabled on upgrade - refs #14026 2015-02-24 12:02:36 +01:00
Jenkins for ownCloud 6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
Lukas Reschke 886bda5f81 Refactor OC_Request into TrustedDomainHelper and IRequest
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server->getRequest()` or into a separate `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests were possible they have been added though.

Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-16 22:13:00 +01:00
Thomas Müller 24daee836a include core version into js/css version tag - fixes #13702 2015-02-02 13:02:11 +01:00
Thomas Müller 4628e98cfc Merge pull request #13063 from AdamWill/assets-relocate
allow css/js asset directory to be relocated ('assetdirectory')
2015-01-07 09:36:26 +01:00
Adam Williamson bb79aac78a allow css/js asset directory to be relocated (#13053)
This allows the directory where CSS/JS asset collections are
written to be changed, in case SERVERROOT is not writeable. Note
it does *not* allow the expected URL to be changed: whatever
directory is used, the server must be configured to serve it
at WEBROOT/assets. It may be possible to add another config
parameter to allow the admin to specify a custom asset URL,
but I thought I'd keep the first implementation simple.
2015-01-05 15:24:23 -08:00
Robin McCorkell 2c44bc1768 Fix JS asset generation
At some point SeparatorFilter should be included upstream
(kriswallsmith/assetic), then lib/private/assetic/separatorfilter.php can be
removed and the `use` in lib/private/templatelayout.php rewritten.

SeparatorFilter inserts a separator between assets, preventing issues when
files are incorrectly terminated. For JS this is a semicolon.
2015-01-05 15:48:04 +00:00
Victor Dubiniuk c9fd3c9d29 Inject config 2014-12-10 01:13:38 +03:00
Victor Dubiniuk 303fce44f4 Use httphelper and cache response even when it is empty 2014-12-06 20:17:47 +03:00
Morris Jobke 952abdc51a Drop form_factor that is appended to JS, CSS and template filenames 2014-11-12 13:07:23 +01:00
Vincent Petry aee1edf6b5 Merge pull request #11708 from owncloud/fix-momentjs
Setting moment locale based on user selection
2014-10-27 10:30:47 +01:00
kondou 729dffed5e Load avatar in header via PHP
* fix #7484
* use UID, css, and div instead of span
2014-10-23 23:17:18 +02:00
Clark Tomlinson ca5abe5744 Setting moment locale based on user selection 2014-10-23 10:32:47 -04:00
Lukas Reschke cb36666600 Merge pull request #11630 from owncloud/kill-some-legacy
remove legacy class OC_Updater
2014-10-21 14:01:49 +02:00
Lukas Reschke 7b94c7f9c1 Refer to relative path instead of absolute path
There is no need to refer to the absolute path here if we can use the relative one.

Conflicts:
	lib/private/templatelayout.php
2014-10-20 15:09:43 +02:00
Thomas Müller 6af0e76a03 remove legacy class OC_Updater 2014-10-20 14:44:42 +02:00
Thomas Müller 93b0f1a3bf adding cssmin and jssmin(minify)
adding argument deleteSelf to rmdirr() - if false the directory itself will not be deleted only its content

adding repair step to clean the asset cache after upgrade + coding style adjustments
2014-10-17 12:22:26 +02:00
Thomas Müller a04159090f include the apps' versions hash to invalidate the cached assets 2014-10-16 13:29:51 +02:00
Lukas Reschke 6ccda2ae98 Add app version to JS and CSS
This leads to the regeneration of the hash in case a single application is updated.

Fixes https://github.com/owncloud/core/issues/11374
2014-10-15 14:00:20 +02:00
Victor Dubiniuk b6087ea79b Add CssImportFilter. More elegant fix for documents#348 2014-10-06 19:39:02 +03:00
Remco Brenninkmeijer f930b356e6 Error needs to push body-id for new guest layout 2014-09-17 18:02:18 +02:00
Lukas Reschke 7d2c521b46 Step one, open guest layout for different styles.
Conflicts:
	core/templates/layout.guest.php

Step one, open guest layout for different styles.
2014-09-11 11:41:02 +02:00
Robin Appelman 3de69ff81b Don't register the call when rendering error pages 2014-08-29 15:44:39 +02:00
Vincent Petry 04f73275ba Now setting CSS class with appid in content DIV 2014-05-15 17:51:04 +02:00
Robin McCorkell 87b548ed91 Fix all PHPDoc types and variable names, in /lib 2014-05-13 19:08:14 +01:00
Lukas Reschke e88731a477 Some more PHPDoc fixes 2014-04-21 15:44:54 +02:00
Thomas Müller 02726acbc8 adding checks and log messages regarding the assets folder 2014-04-15 16:26:12 +02:00
Thomas Müller 8cf73ca42f integrate assetic for asset pipeline-ing 2014-02-20 13:28:27 +01:00
Jörn Friedrich Dreyer 2a6a9a8cef polish documentation based on scrutinizer patches 2014-02-06 17:02:21 +01:00
Joas Schilling 009e25788f correctly mark app management active 2013-12-09 15:53:31 +01:00
Thomas Müller 9c9dc276b7 move the private namespace OC into lib/private - OCP will stay in lib/public
Conflicts:
	lib/private/vcategories.php
2013-09-30 16:36:59 +02:00