Commit Graph

68 Commits

Author SHA1 Message Date
Lukas Reschke 933f60e314 Update author information
Probably nice for the people that contributed to 9.0 to see themselves in the AUTHORS file :)
2016-03-01 17:25:15 +01:00
Thomas Müller c5a200c419 Merge pull request #21653 from owncloud/update-license-headers-2016
Update license headers 2016
2016-01-13 08:29:42 +01:00
Thomas Müller 682821c71e Happy new year! 2016-01-12 15:02:18 +01:00
Robin Appelman c15cab7ed6 Allow admins to add system wide root certificates 2016-01-12 12:50:59 +01:00
Lukas Reschke 4971015544 Add code integrity check
This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository.

Furthermore, there is a basic implementation to display problems with the code integrity on the update screen.

Code signing basically happens the following way:

- There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release 😉). This certificate is not intended to be used for signing directly and only is used to sign new certificates.
- Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`,  apps need to be signed with a certificate that either has a CN of `core` (shipped apps!)  or the AppID.
- The command generates a signature.json file of the following format:
```json
{
    "hashes": {
        "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d",
        "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9"
    },
    "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----",
    "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl"
}
```
`hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the  certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`.

Steps to do in other PRs, this is already a quite huge one:
- Add nag screen in case the code check fails to ensure that administrators are aware of this.
- Add code verification also to OCC upgrade and unify display code more.
- Add enforced code verification to apps shipped from the appstore with a level of "official"
- Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release
- Add some developer documentation on how devs can request their own certificate
- Check when installing ownCloud
- Add support for CRLs to allow revoking certificates

**Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature:

```
➜  master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt
Successfully signed "core"
```

Then increase the version and you should see something like the following:

![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png)

As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen.

For packaging stable releases this requires the following additional steps as a last action before zipping:
1. Run `./occ integrity:sign-core` once
2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
2015-12-01 11:55:20 +01:00
Roeland Jago Douma 0265bcfdae Moved changedisplayname to usercontroller
Killed the old static route to change a users display name and moved it
to a properly testable controller.
2015-11-20 16:05:43 +01:00
Vincent Petry 781bca2437 Fix everyone count for subadmins
Also moved the logic to the UsersController
2015-10-29 17:41:49 +01:00
Morris Jobke f63915d0c8 update license headers and authors 2015-06-25 14:13:49 +02:00
Lukas Reschke 20a6073a9f Migrate personal certificate handling into AppFramework controllers
Also added unit-tests and better error-handling
2015-04-20 12:58:58 +02:00
Bjoern Schiessle d2ef73367c allow user to start migration in admin settings if no external user back-ends are enabled 2015-04-16 14:15:04 +02:00
Lukas Reschke ba52f6f8fc Merge pull request #15314 from owncloud/app-categories-15274
Add different trust levels to AppStore interface
2015-04-09 10:07:32 +02:00
Thomas Müller bf809ac85a Removing left overs from old encryption app 2015-04-07 13:30:29 +02:00
Lukas Reschke 0816cf9142 Add experimental applications switch
Allows administrators to disable or enabled experimental applications as well as show the trust level.
2015-04-03 13:21:24 +02:00
Lukas Reschke 65202d2a18 Add check for activated local memcache
Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it.

Fixes https://github.com/owncloud/core/issues/14956
2015-03-28 13:59:22 +01:00
Jenkins for ownCloud b585d87d9d Update license headers 2015-03-26 11:44:36 +01:00
Lukas Reschke bbd5f28415 Let users configure security headers in their Webserver
Doing this in the PHP code is not the right approach for multiple reasons:

1. A bug in the PHP code prevents them from being added to the response.
2. They are only added when something is served via PHP and not in other cases (that makes for example the newest IE UXSS which is not yet patched by Microsoft exploitable on ownCloud)
3. Some headers such as the Strict-Transport-Security might require custom modifications by administrators. This was not possible before and lead to buggy situations.

This pull request moves those headers out of the PHP code and adds a security check to the admin settings performed via JS.
2015-03-02 19:07:46 +01:00
Morris Jobke 06aef4e8b1 Revert "Updating license headers"
This reverts commit 6a1a4880f0.
2015-02-26 11:37:37 +01:00
Jenkins for ownCloud 6a1a4880f0 Updating license headers 2015-02-23 12:13:59 +01:00
Lukas Reschke 7e45f5d27b Remove unused function and correct PHPDoc 2015-02-16 13:46:45 +01:00
Georg Ehrke f579f2bd94 add Download logfile button to admin settings
add logSettingsController

add download logfile button

move getEntries to LogSettingsController

move set log level to logsettingscontroller.php

add warning if logfile is bigger than 100MB

add unit test for set log level

fix typecasting, add new line at EoF

show log and logfile download only if log_type is set to owncloud

add unit test for getFilenameForDownload
2015-01-07 14:55:53 +01:00
Morris Jobke 5913af8a72 Mail address of users is now changable in the user management
* introduced new route settings/users/{id}/mailAddress
* kept old responses
* better error messages
* dropped lostpassword.php from settings/ajax
* cleaned up the UserList.add() and hand in user object instead of
  each attribute as another parameter
* check for change permission of mail address
* proper response messages
2014-12-18 22:43:09 +01:00
Lukas Reschke fe7d9a7ca0 Add REST route for user & group management
First step of a somewhat testable user management. - I know, the JSON returns are in an ugly format but the JS expects it that way. So let's keep it that way until we have time to fix the JS in the future.
2014-12-08 12:11:01 +01:00
Lukas Reschke e73ccbd4ca Migrate "setsecurity.php" to the AppFramework
Add switch to enforce SSL for subdomains

Add unit tests

Add test for boolean values

Camel-case

Fix ugly JS
2014-11-03 16:53:03 +01:00
Lukas Reschke e4227658d9 Migrate new app settings to AppFramework
Let's migrate those two new files.
2014-10-15 22:01:56 +02:00
Lukas Reschke f48c973876 Merge pull request #11570 from owncloud/backport-11408-master
Backport 11408 master
2014-10-15 21:21:45 +02:00
Thomas Müller b091394a90 introduce new app page layout
filter installed and not-installed apps properly

kill unneeded file

load category 'Installed' on page load

adding documentation links

new apps mgmt: first style adjustment

apps mgmt: only show license and preview if they exist

adding buttons

new apps mgmt: fix for mobile

use app icon if available

new apps mgmt: position enable/disable toggle to the right

new apps mgmt: proper display of icons or previews

new apps mgmt: fix loading spinner

reenable group selection for apps

new apps mgmt: position enable button normally again

new apps mgmt: clarify wording from 'Installed' to 'Enabled'

reintroduce enable/disable

Move rating image path generation to client-side

Move expression outside of l10n

fix group handling

add buttons for 'More apps' and 'Add your app' again

disable changed date of app for now

adding recommended label

style 'Recommended' app tag

fixing php warning

sort by rating

adding meta-category 'Recommended'

 Only show existing documentation links

lacy loading of screenshots

making group based app activation work again

adding support to get the app icon not only by the app name but also simply by the fixed name 'app.svg'

adding app.svg for all core apps

query string '?installed' is not longer needed

update and uninstall is back + error feedback

remove unneeded parameter

fix alignment of 'recommended' label
2014-10-15 15:21:40 +02:00
Lukas Reschke 13b1b45ee4 Refactor MailSettings controller
- Do not store the password (fixes https://github.com/owncloud/core/issues/11385)
- Refactor to AppFramework
- Add unit tests

Conflicts:
	settings/admin/controller.php
2014-10-14 15:38:34 +02:00
Vincent Petry e65ceb08fc Moved WebDAV and internet checks to client side JS
- Added setup checks in JavaScript
- Moved isWebDAVWorking to JS using SetupChecks
- Moved internet connection checks to an ajax call that goes through the
  server
2014-09-23 11:16:14 +02:00
Lukas Reschke ffee4da397 Merge pull request #10740 from owncloud/fix-everyone-group-count
Using countUsers method to return true count of users
2014-09-08 18:29:11 +02:00
Clark Tomlinson 6a56e03d48 Using countUsers method to return true count of users 2014-09-05 11:23:59 -04:00
Robin Appelman 1361bbb1e6 Cleanup routes 2014-08-31 10:47:50 +02:00
Robin Appelman c1b11571ea Move certificate management interface from files_external to core 2014-08-31 10:47:50 +02:00
Georg Ehrke 0fe8f77c17 Merge branch 'master' into update_shipped_apps_from_appstore
Conflicts:
	lib/private/app.php
	settings/templates/apps.php
2014-06-05 22:54:27 +02:00
Arthur Schiwon 249e42c4cd enable group filtering 2014-06-02 12:53:55 +02:00
raghunayyar 970f899726 Initial Commit : Changes Storage to Quota, Implements GroupName editing. 2014-06-02 12:52:53 +02:00
raghunayyar b506388b75 Reverts last commit, implements user in group count. 2014-06-02 12:52:52 +02:00
raghunayyar b2ca595509 Add GroupList Ajax to Users. 2014-06-02 12:52:52 +02:00
Georg Ehrke 020255b4e5 add button for properly uninstalling apps 2014-05-31 17:50:39 +02:00
Bjoern Schiessle 12338e0ef0 allow admin to disable sharing for specific groups of users 2014-05-22 10:43:44 +02:00
Bjoern Schiessle a9ac11718e backup the encryption key after the encryption was disabled so that the user
can restore them if needed
2014-05-13 12:35:25 +02:00
Thomas Müller 4900ad9119 update type hint in PHPDoc 2014-03-25 22:59:42 +01:00
Thomas Müller 32b29c9d73 Merge branch 'master' into fix-7307
Conflicts:
	core/js/router.js
	settings/js/admin.js
2014-03-06 00:15:08 +01:00
Joas Schilling 5b8cde48dc Add button to send a test mail after changing the email settings
Fix #7175
2014-03-05 10:01:34 +01:00
Thomas Müller 1291303c5a Replace OC.Router.generate() with OC.generateUrl() 2014-03-02 22:30:24 +01:00
Jan-Christoph Borchardt d9a153dbe9 Merge pull request #7174 from owncloud/issue/7166
Add option to change email settings in admin section
2014-02-26 14:41:07 +01:00
Lukas Reschke 16262e3fd2 Move isadmin to template and rename it to oc_isadmin 2014-02-19 17:56:12 +01:00
Joas Schilling 8387cd8ae3 Add option to change email settings in admin section
Fix issue #7166
2014-02-18 14:26:03 +01:00
kondou 18da2f9cf7 Improve changepassword route naming 2013-09-13 17:07:23 +02:00
kondou 306a8681c5 Move ajax/changepassword to changepassword/controller to use autoloading 2013-09-13 17:03:13 +02:00
kondou f6faec0e0b Use a controller instead of two files for changepassword.php 2013-09-11 16:35:13 +02:00