Commit Graph

39 Commits

Author SHA1 Message Date
Joas Schilling 68481c10e6
Fix namespaces in security/ 2016-05-19 09:02:58 +02:00
Lukas Reschke 06a4da43ec
[master] Ignore certificate file if it starts with file:// 2016-04-21 19:02:31 +02:00
Lukas Reschke dc6789fd5b Explicitly check for port
The setup uses `\OCP\IRequest::getInsecureServerHost` which in some cases can also include a port. This makes the trusted domain check fail thus.

I've decided to add this here that way because adjusting the setup would require parsing the host properly. This is not something that can be done very good in PHP. Check the following example for why `parse_url` is not our friend: https://3v4l.org/k501Z
2016-03-10 22:32:29 +01:00
Lukas Reschke 809ff5ac95 Add public API to give developers the possibility to adjust the global CSP defaults
Allows to inject something into the default content policy. This is for
example useful when you're injecting Javascript code into a view belonging
to another controller and cannot modify its Content-Security-Policy itself.
Note that the adjustment is only applied to applications that use AppFramework
controllers.

To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`,
$policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.

To test this add something like the following into an `app.php` of any enabled app:
```
$manager = \OC::$server->getContentSecurityPolicyManager();
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('asdf');
$policy->addAllowedScriptDomain('yolo.com');

$policy->allowInlineScript(false);
$manager->addDefaultPolicy($policy);
$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFontDomain('yolo.com');
$manager->addDefaultPolicy($policy);

$policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
$policy->addAllowedFrameDomain('banana.com');
$manager->addDefaultPolicy($policy);
```

If you now open the files app the policy should be:

```
Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
```
2016-01-28 18:36:46 +01:00
Lukas Reschke a977465af5 Add new CSRF manager for unit testing purposes
This adds a new CSRF manager for unit testing purposes, it's interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.
2016-01-25 20:03:40 +01:00
Robin Appelman 7ba715d144 fix test 2016-01-18 12:08:58 +01:00
Robin McCorkell da4127d23b Introduce CredentialsManager for storage of credentials in DB
CredentialsManager performs a simple role, of storing and retrieving
encrypted credentials from the database. Credentials are stored by user
ID (which may be null) and credentials identifier. Credentials
themselves may be of any type that can be JSON encoded.

The rationale behind this is to avoid further (mis)use of
oc_preferences, which was being used for all manner of data not related
to user preferences.
2016-01-18 11:10:41 +01:00
Robin Appelman c15cab7ed6 Allow admins to add system wide root certificates 2016-01-12 12:50:59 +01:00
Roeland Jago Douma 876fb83ddc getMediumStrengthGenerator is deprecated and does not do anything anymore 2016-01-11 20:06:30 +01:00
Roeland Jago Douma 98c4951f45 getLowStrengthGenerator does not do anything anymore 2016-01-11 19:59:15 +01:00
Roeland Jago Douma 1f715289bf Removed deprecated function OC_User::deleteUser
Replaced with proper OCP calls
2015-12-17 16:18:40 +01:00
Roeland Jago Douma 835911bce5 Removed deprecated private OC_User::createUser
All function calls are replaced with the recommended (which was already
the body of the function).
2015-12-17 16:18:40 +01:00
Lukas Reschke f3360d51c6 Use PHP polyfills 2015-12-11 08:47:36 +01:00
Lukas Reschke 8289943a0f Do not trust casting 2015-12-08 08:50:00 +01:00
Thomas Müller 3bb6dcea64 Apply DB group annotation ... 2015-11-30 10:55:05 +01:00
Bjoern Schiessle 37513f9411 don't read certificates if ownCloud is not installed 2015-08-30 19:00:03 +02:00
Lukas Reschke ab87274930 Use certificates that expire in 10 years
🙊 🙊 🙊
2015-08-27 22:23:08 +02:00
Joas Schilling d3e3a84cae Move the helpful method to the TestCase class 2015-06-03 12:33:29 +02:00
Lukas Reschke 9bc48451b9 Adjust tests and statuscode 2015-04-20 13:00:02 +02:00
Lukas Reschke 21f0476d31 Fix files 2015-04-20 13:00:02 +02:00
Lukas Reschke 9f61cf60d4 Verify if returned object is an array
The error has to be thrown at this point as otherwise errors and notices are thrown since the time cannot be parsed in L60 and L61
2015-04-20 12:58:57 +02:00
Lukas Reschke 886bda5f81 Refactor OC_Request into TrustedDomainHelper and IRequest
This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server::->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests where possible they ahve been added though.

Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
2015-02-16 22:13:00 +01:00
Bjoern Schiessle 5ba19ba7fc certificate manager should always use a \OC\Files\View otherwise we will get problems for different primary storages 2015-01-26 16:58:52 +01:00
Bjoern Schiessle 67da1f7e5a certificate manager only needs the user-id, no need to pass on the complete user object 2015-01-26 16:58:52 +01:00
Joas Schilling 6202ca33ba Make remaining files extend the test base 2014-11-19 14:53:59 +01:00
Morris Jobke 146cb920c9 Merge pull request #12218 from owncloud/issue/10991-fixes
Issue/10991 Make unit tests pass on windows
2014-11-17 16:44:45 +01:00
Joas Schilling 39ae569c5c Correctly close handle of directory when listing certificates 2014-11-17 10:48:14 +01:00
Lukas Reschke 24ca2d858f Add OCP\Security\IHasher
Public interface for hashing which also works with legacy ownCloud hashes and supports updating the legacy hash via a passed reference.

Follow-up of https://github.com/owncloud/core/pull/10219#issuecomment-61624662
Requires https://github.com/owncloud/3rdparty/pull/136
2014-11-06 15:16:14 +01:00
Lukas Reschke d07d5915c9 Remove unused and overflowing function
Resolves https://github.com/owncloud/core/issues/10991 failure 4
2014-09-18 10:21:28 +02:00
Lukas Reschke 373d1c5e9f Merge pull request #10642 from owncloud/securityutils
Add some security utilities
2014-09-03 15:28:42 +02:00
Lukas Reschke a54af89d8a Add test for the second argument 2014-09-03 14:13:12 +02:00
Lukas Reschke 1ccbaae846 Refactor tests a little bit 2014-09-03 13:51:44 +02:00
Lukas Reschke 50b430ee7c Add char consts, hash the specified password for the HMAC 2014-09-03 11:03:27 +02:00
Robin Appelman 3a85767182 5.3 syntax... 2014-08-31 13:16:28 +02:00
Robin Appelman bfa0c4b78a Explicitly set the timezones 2014-08-31 11:06:18 +02:00
Lukas Reschke 4bc9980f4b Add test for expired certificate
Will only work after tomorrow
2014-08-31 10:47:50 +02:00
Lukas Reschke 4efe6f6240 Add unit tests and fix rootcerts creation bug 2014-08-31 10:47:50 +02:00
Lukas Reschke 3329e0f2b2 Use DI 2014-08-27 00:49:53 +02:00
Lukas Reschke d26a9c3c58 Add some security utilities
This adds some security utilities to core including:
- A library for basic crypto operations (e.g. to encrypt passwords)
- A better library for cryptographic actions which allows you to specify the charset
- A library for secure string comparisions

Remove .htaccess

Remove .htaccess

Fix typo

Add public API

Use timing constant comparision

Remove CBC constant

Adjust code

Remove confusing $this
2014-08-27 00:18:04 +02:00