Commit Graph

85 Commits

Author SHA1 Message Date
Thomas Müller 3fd976995a Merge pull request #21668 from owncloud/add-super-evil-and-hidden-config-switch-to-disable-integrity-checks-really-just-do-not-use-this
Add hidden config switch to disable code integrity checking
2016-01-13 10:30:02 +01:00
Lukas Reschke 08e73d2c8f Add hidden config switch to disable code integrity checking
This adds a hidden config flag that allows somebody to disable the code integrity check. If `integrity.check.disabled` is set to `true` in the config file:

1. The integrity check functions will return always an empty result
2. The integrity check is not performed when installing apps
3. The integrity check is not performed when updating apps
4. The integrity check is not performed when updating the core

Furthermore this adds support for a list of channels that the code checker will run on. At the moment this is only stable because I didn't want to break any build scripts that we have. Once we have a proper CA setup and updated the build process to sign the releases we can add the RC, alpha, beta as well as daily releases. So everything except "git" basically.
2016-01-12 18:48:36 +01:00
Thomas Müller 682821c71e Happy new year! 2016-01-12 15:02:18 +01:00
Joas Schilling fd7ed93937 Allow downgrades for our brave developers, that switch between branches 2016-01-07 14:18:33 +01:00
Morris Jobke ed98cdf532 Use OCP\Util::getVersion instead of the internal private implementation 2015-12-18 15:26:54 +01:00
Thomas Müller b3c8e9ca32 Clear xml errors in updater 2015-12-17 17:46:07 +01:00
Lukas Reschke 4971015544 Add code integrity check
This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository.

Furthermore, there is a basic implementation to display problems with the code integrity on the update screen.

Code signing basically happens the following way:

- There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release 😉). This certificate is not intended to be used for signing directly and only is used to sign new certificates.
- Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`,  apps need to be signed with a certificate that either has a CN of `core` (shipped apps!)  or the AppID.
- The command generates a signature.json file of the following format:
```json
{
    "hashes": {
        "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d",
        "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9"
    },
    "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----",
    "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl"
}
```
`hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the  certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`.

Steps to do in other PRs, this is already a quite huge one:
- Add nag screen in case the code check fails to ensure that administrators are aware of this.
- Add code verification also to OCC upgrade and unify display code more.
- Add enforced code verification to apps shipped from the appstore with a level of "official"
- Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release
- Add some developer documentation on how devs can request their own certificate
- Check when installing ownCloud
- Add support for CRLs to allow revoking certificates

**Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature:

```
➜  master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt
Successfully signed "core"
```

Then increase the version and you should see something like the following:

![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png)

As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen.

For packaging stable releases this requires the following additional steps as a last action before zipping:
1. Run `./occ integrity:sign-core` once
2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-12-01 11:55:20 +01:00
Lukas Reschke 8f09d5b67c Update license headers 2015-10-26 14:04:01 +01:00
Thomas Müller f7f2a160dd Merge pull request #19918 from owncloud/send-begin-message
Update: state which step we are going to start and warn if it might b…
2015-10-21 14:52:19 +02:00
Thomas Müller d8276af301 Install new shipped apps on upgrade -fixes #19925 2015-10-21 11:14:12 +02:00
Joas Schilling 9200bbeaba Update: state which step we are going to start and warn if it might be slow 2015-10-21 09:17:38 +02:00
Thomas Müller 4cb5970947 Always pass in ILogger 2015-10-09 14:08:22 +02:00
Thomas Müller bd21e5925c Clean code 2015-10-09 13:46:59 +02:00
Thomas Müller 38143d670b Catch exceptions during app upgrade - fixes #16240 2015-10-09 13:44:30 +02:00
Morris Jobke 5acb38b5b3 [upgrade] switch to debug logging on upgrade
* resets afterwards
* adds output about the previous log level
2015-09-29 14:35:32 +02:00
Lukas Reschke a8e8a9dfb9 Move certificate bundle into resources/config/ 2015-09-22 16:43:28 +02:00
Vincent Petry 6ccbf4bce6 Improved update version detection logic 2015-08-31 18:35:35 +02:00
Vincent Petry 3b37c20319 Simplify comparison algo 2015-08-31 14:31:17 +02:00
Vincent Petry 2b08659f7d Restrict upgrades to explicit allowed version
version.php now contains the previous ownCloud version from which
upgrades are allowed. Any other upgrades will show a message that the
upgrade/downgrade is not supported.
2015-08-30 18:04:18 +02:00
Lukas Reschke 40b87b1394 Add warning for not existing CA bundle when updating
For newer releases we shall use an integrity check. But that's a good alternative for now.
2015-08-19 15:03:33 +02:00
Morris Jobke b5c9196ffc Merge pull request #17088 from owncloud/add-verbosity-to-upgrade
[upgrade] add verbosity check and show repair info & steps
2015-07-01 08:56:06 +02:00
Lukas Reschke 04fe9e05f0 Use new updater URL + add unit tests
Uses the new updater url "https://updates.owncloud.com/server/"
2015-06-28 11:25:28 +02:00
Morris Jobke f63915d0c8 update license headers and authors 2015-06-25 14:13:49 +02:00
Morris Jobke 5ff536b45a [upgrade] add verbosity check and show repair info & steps 2015-06-24 10:25:05 +02:00
Morris Jobke 02b2b60581 Merge pull request #17095 from owncloud/proper-error-handling
Proper error handling
2015-06-23 17:40:55 +02:00
Morris Jobke c86e129ce9 [updater] keep maintenance active on failure and mark failure in red 2015-06-23 14:45:53 +02:00
Morris Jobke 1ba9fd3ada [upgrade] print update message before running the update code
* otherwise you don't know during which app update something failed
2015-06-23 13:13:44 +02:00
Morris Jobke fe42553e8a [updater] propagate error case properly
* add $success to the updateEnd hook
* add new return code for a update failure
* add exception class to failure hook message
2015-06-23 10:03:27 +02:00
Thomas Müller 739c3f01aa Merge pull request #16434 from owncloud/persist-maintenance-state
Persist the state of the maintenance after an upgrade
2015-06-03 13:56:17 +02:00
Steffen Lindner 48040c46cb Skip disable3rdParty Apps 2015-05-20 17:06:00 +02:00
Morris Jobke 064f5204cc Persist the state of the maintenance after an upgrade
* if maintenance mode was enabled before an upgrade
  it will be enabled afterwards too
* fixes #16429
2015-05-19 10:56:04 +02:00
Morris Jobke fbba7a61cb Use internally \OCP\ILogger instead of \OC\Log
* this is the preparation for some upcoming logger related changes
* also fixes an issue in the public interface where we request
  an internal class as parameter
2015-04-30 11:52:30 +02:00
Jenkins for ownCloud b585d87d9d Update license headers 2015-03-26 11:44:36 +01:00
Morris Jobke 17b10ef9b4 Add spaces 2015-03-16 10:52:29 +01:00
Thomas Müller 0bd2b3cb0c [WIP] upgrade app store apps during console upgrade 2015-03-13 12:16:16 +01:00
Morris Jobke dbd2bb66e9 Merge pull request #14357 from owncloud/fix/1373
Run `updateDataDirectory` after Update
2015-03-11 18:33:51 +01:00
Lukas Reschke c3c993446e Run `updateDataDirectory` after Update
Fixes https://github.com/owncloud/core/issues/13731
2015-03-02 19:39:17 +01:00
Vincent Petry 22bc37cb82 Properly forward repair errors and warnings
This makes repair errors and warnings visible for the user when
upgrading on the command line or in the web UI.
2015-02-27 12:44:04 +01:00
Morris Jobke 06aef4e8b1 Revert "Updating license headers"
This reverts commit 6a1a4880f0.
2015-02-26 11:37:37 +01:00
Thomas Müller 80cafe29a8 3rd-party apps are only disabled in case core is upgraded 2015-02-24 12:51:55 +01:00
Thomas Müller fe7e7677e9 shipped and 3rd-party apps of type authentication and session will remain enabled during update 2015-02-24 12:02:37 +01:00
Thomas Müller bbf7f56f94 3rd-party apps are disabled on upgrade - refs #14026 2015-02-24 12:02:36 +01:00
Thomas Müller 1fd1b355e4 Fix namespace of OC_Setup -> \OC\Setup 2015-02-23 16:44:40 +01:00
Jenkins for ownCloud 6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
Arthur Schiwon 7ada41259c Port of #14041 to master
on ownCloud upgrade: upgrade all apps in order, load important ones

Fix "other" app update stack
2015-02-19 14:38:22 +01:00
Lukas Reschke 7fbb7f4dc4 Add version to .htaccess
Currently if a user does not replace the .htaccess file with the new update this can lead to serious problems in case Apache is used as webserver.

This commit adds the version to the .htaccess file and the update routine fails in case not the newest version is specified in there. This obviously means that every release has to update the version specified in .htaccess as well. But I see no better solution for it.

Conflicts:
	lib/private/updater.php
2015-01-08 12:49:02 +01:00
Victor Dubiniuk c9fd3c9d29 Inject config 2014-12-10 01:13:38 +03:00
Victor Dubiniuk 81d5712419 Fix tests. Add two more test cases 2014-12-08 22:16:47 +03:00
Victor Dubiniuk 303fce44f4 Use httphelper and cache response even when it empty 2014-12-06 20:17:47 +03:00
Lukas Reschke 5f8fb8d1ee Run preupdate before an update
The update routine tries to test the database migration before actually performing the update.

However, this will fail hard if the schema has changed (for example an unique key has been added). App developers can convert the DB in preupdate.php, however it is not called before and therefore the update fails.

This actually breaks ownCloud updates from ownCloud 6 to ownCloud 7 when the files_antivirus app is enabled.
2014-11-13 12:07:49 +01:00