author | provokateurin <kate@provokateurin.de> | 2025-05-11 16:40:26 +0200 |
---|---|---|
committer | provokateurin <kate@provokateurin.de> | 2025-05-11 16:40:26 +0200 |
commit | cacc724d601721f1aae9c71c9097c85601507ef3 (patch) | |
tree | 986d9dcd5ab2ae0954e32155cce764a3e533f146 | |
parent | 195dbad119c0567ae5b486efc1a4d0102844d3df (diff) | |
feat(CertificateManager): Add option to specify the default certificates bundle path (branch: feat/certificatemanager/default-bundle-path-option)
Signed-off-by: provokateurin <kate@provokateurin.de>
-rw-r--r-- | config/config.sample.php | 9 | ||||
-rw-r--r-- | lib/private/Files/ObjectStore/S3ConnectionTrait.php | 6 | ||||
-rw-r--r-- | lib/private/Http/Client/Client.php | 2 | ||||
-rw-r--r-- | lib/private/Security/CertificateManager.php | 12 | ||||
-rw-r--r-- | lib/public/ICertificateManager.php | 7 | ||||
-rw-r--r-- | tests/lib/Http/Client/ClientTest.php | 4 | ||||
-rw-r--r-- | tests/lib/Security/CertificateManagerTest.php | 5 |
7 files changed, 37 insertions, 8 deletions
diff --git a/config/config.sample.php b/config/config.sample.php
index ac15d9f5aeb..27ff31fa451 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -2743,4 +2743,13 @@ $CONFIG = [
  * Defaults to true.
  */
 'files.trash.delete' => true,
+
+/**
+ * Change the default certificates bundle used for trusting certificates.
+ *
+ * Nextcloud ships its own up-to-date certificates bundle, but in certain cases admins may wish to specify a different bundle, for example the one shipped by their distro.
+ *
+ * Defaults to `\OC::$SERVERROOT . '/resources/config/ca-bundle.crt'`.
+ */
+'default_certificates_bundle_path' => \OC::$SERVERROOT . '/resources/config/ca-bundle.crt',
 ];
diff --git a/lib/private/Files/ObjectStore/S3ConnectionTrait.php b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
index b7017583dc2..c4ca703c43c 100644
--- a/lib/private/Files/ObjectStore/S3ConnectionTrait.php
+++ b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
@@ -205,13 +205,13 @@ trait S3ConnectionTrait {
 
 	protected function getCertificateBundlePath(): ?string {
 		if ((int)($this->params['use_nextcloud_bundle'] ?? '0')) {
+			/** @var ICertificateManager $certManager */
+			$certManager = Server::get(ICertificateManager::class);
 			// since we store the certificate bundles on the primary storage, we can't get the bundle while setting up the primary storage
 			if (!isset($this->params['primary_storage'])) {
-				/** @var ICertificateManager $certManager */
-				$certManager = Server::get(ICertificateManager::class);
 				return $certManager->getAbsoluteBundlePath();
 			} else {
-				return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+				return $certManager->getDefaultCertificatesBundlePath();
 			}
 		} else {
 			return null;
diff --git a/lib/private/Http/Client/Client.php b/lib/private/Http/Client/Client.php
index c3f8f589827..f6895e5f2b6 100644
--- a/lib/private/Http/Client/Client.php
+++ b/lib/private/Http/Client/Client.php
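Review bot: The doc comment for the new `default_certificates_bundle_path` option does not tell admins what the file is used for or what it must satisfy: per the other hunks it becomes the `verify` bundle for every outbound TLS connection made through the HTTP client and S3 object stores with `use_nextcloud_bundle`, and, judging by the `file_get_contents` in CertificateManager's bundle creation, presumably the base that user-uploaded certificates are merged onto. Nothing validates the value at config time, so a wrong path only shows up as failing TLS verification at runtime. I would add to the comment: ` * The value must be an absolute path to a PEM bundle readable by the web server user. It is the trust root for every outbound TLS connection of this instance, so keep it current when you point it at a distro bundle.`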
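Review bot: `Server::get(ICertificateManager::class)` is now resolved before the `primary_storage` check, i.e. also while the primary storage is being set up, which is exactly the case the comment on the next line says the certificate manager cannot be used in. Whether that is safe depends on what constructing the manager does; it holds a view (`$this->view->mkdir` in CertificateManager.php), so if container construction touches the primary storage this can recurse. A safer shape keeps the service lookup inside the `!isset($this->params['primary_storage'])` branch and reads the option directly in the else branch, e.g. `return Server::get(IConfig::class)->getSystemValueString('default_certificates_bundle_path', \OC::$SERVERROOT . '/resources/config/ca-bundle.crt');`, unless it is verified that CertificateManager is built without filesystem access. getCertificateBundlePath's closing braces are outside the hunk.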
@@ -102,7 +102,7 @@ class Client implements IClient {
 		// $this->certificateManager->getAbsoluteBundlePath() tries to instantiate
 		// a view
 		if (!$this->config->getSystemValueBool('installed', false)) {
-			return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+			return $this->certificateManager->getDefaultCertificatesBundlePath();
 		}
 
 		return $this->certificateManager->getAbsoluteBundlePath();
diff --git a/lib/private/Security/CertificateManager.php b/lib/private/Security/CertificateManager.php
index 00babff735f..d8a988261db 100644
--- a/lib/private/Security/CertificateManager.php
+++ b/lib/private/Security/CertificateManager.php
@@ -100,7 +100,7 @@ class CertificateManager implements ICertificateManager {
 			$this->view->mkdir($path);
 		}
 
-		$defaultCertificates = file_get_contents(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
+		$defaultCertificates = file_get_contents($this->getDefaultCertificatesBundlePath());
 		if (strlen($defaultCertificates) < 1024) { // sanity check to verify that we have some content for our bundle
 			// log as exception so we have a stacktrace
 			$e = new \Exception('Shipped ca-bundle is empty, refusing to create certificate bundle');
@@ -204,7 +204,7 @@ class CertificateManager implements ICertificateManager {
 		try {
 			if ($this->bundlePath === null) {
 				if (!$this->hasCertificates()) {
-					$this->bundlePath = \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+					$this->bundlePath = $this->getDefaultCertificatesBundlePath();
 				} else {
 					if ($this->needsRebundling()) {
 						$this->createCertificateBundle();
@@ -221,7 +221,7 @@ class CertificateManager implements ICertificateManager {
 			return $this->bundlePath;
 		} catch (\Exception $e) {
 			$this->logger->error('Failed to get absolute bundle path. Fallback to default ca-bundle.crt', ['exception' => $e]);
-			return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+			return $this->getDefaultCertificatesBundlePath();
 		}
 	}
 
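Review bot: With the bundle path now admin-configurable, the `file_get_contents` result at the top of this hunk is still not checked for `false`, and the exception text still says `Shipped ca-bundle is empty`, which is wrong and unhelpful when the real cause is a bad `default_certificates_bundle_path`. A missing or unreadable configured file yields `false` plus a warning, and `strlen(false)` is a TypeError if the file declares strict types. I would keep the path in a local and check both cases: `$defaultPath = $this->getDefaultCertificatesBundlePath(); $defaultCertificates = file_get_contents($defaultPath); if ($defaultCertificates === false || strlen($defaultCertificates) < 1024) {` with the message changed to `'Default CA bundle at ' . $defaultPath . ' is missing or empty, refusing to create certificate bundle'`. The enclosing function starts and ends outside the hunk.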
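Review bot: The catch fallback in the last hunk now returns the configured path as well, so when the exception was caused by the configured bundle itself (an unreadable file, or presumably the sanity-check exception from createCertificateBundle during rebundling) the caller gets the same broken path back, and the log text `Fallback to default ca-bundle.crt` no longer describes what happens. The last resort should stay the bundle that ships with the code, `return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';`, and the log context should include the configured path so the admin can see which file failed. getAbsoluteBundlePath starts outside the hunk.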
@@ -246,6 +246,10 @@ class CertificateManager implements ICertificateManager {
 	 * get mtime of ca-bundle shipped by Nextcloud
 	 */
 	protected function getFilemtimeOfCaBundle(): int {
-		return filemtime(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
+		return filemtime($this->getDefaultCertificatesBundlePath());
+	}
+
+	public function getDefaultCertificatesBundlePath(): string {
+		return $this->config->getSystemValueString('default_certificates_bundle_path', \OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
 	}
 }
diff --git a/lib/public/ICertificateManager.php b/lib/public/ICertificateManager.php
index 2f2304b6f55..e0f67a223a9 100644
--- a/lib/public/ICertificateManager.php
+++ b/lib/public/ICertificateManager.php
@@ -52,4 +52,11 @@ interface ICertificateManager {
 	 * @since 9.0.0
 	 */
 	public function getAbsoluteBundlePath(): string;
+
+	/**
+	 * Get the path of the default certificates bundle.
+	 *
+	 * @since 32.0.0
+	 */
+	public function getDefaultCertificatesBundlePath(): string;
 }
diff --git a/tests/lib/Http/Client/ClientTest.php b/tests/lib/Http/Client/ClientTest.php
index 92e5f04d7f0..063df5acb11 100644
--- a/tests/lib/Http/Client/ClientTest.php
+++ b/tests/lib/Http/Client/ClientTest.php
@@ -465,6 +465,10 @@ class ClientTest extends \Test\TestCase {
 		$this->certificateManager
 			->expects($this->never())
 			->method('listCertificates');
+		$this->certificateManager
+			->expects($this->once())
+			->method('getDefaultCertificatesBundlePath')
+			->willReturn(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
 
 		$this->assertEquals([
 			'verify' => \OC::$SERVERROOT . '/resources/config/ca-bundle.crt',
diff --git a/tests/lib/Security/CertificateManagerTest.php b/tests/lib/Security/CertificateManagerTest.php
index 1c168228b6a..c015711d75a 100644
--- a/tests/lib/Security/CertificateManagerTest.php
+++ b/tests/lib/Security/CertificateManagerTest.php
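Review bot: `getDefaultCertificatesBundlePath()` returns the configured string unvalidated, while every caller added in this commit (`filemtime` just above it, `file_get_contents` in createCertificateBundle, the `verify` option handed to the HTTP client) assumes an existing readable file; `filemtime` on a missing path returns `false` with a warning, which does not satisfy the `int` return type, and a relative path would presumably resolve against the process cwd, which differs between web requests and `occ`. I would validate once, fall back to the shipped bundle with a logged error, and refresh the now-stale comment `get mtime of ca-bundle shipped by Nextcloud` to `get mtime of the default ca-bundle (shipped, or the one configured via default_certificates_bundle_path)`; the new public method should also carry the PHPDoc the interface declares. Rewritten method below.
```php
	public function getDefaultCertificatesBundlePath(): string {
		$shipped = \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
		$configured = $this->config->getSystemValueString('default_certificates_bundle_path', $shipped);
		if ($configured === $shipped) {
			return $shipped;
		}
		// an admin-supplied bundle that cannot be read would break every outbound TLS verification,
		// so refuse it up front and keep the shipped bundle as the trust root
		if (!is_readable($configured)) {
			$this->logger->error('Configured default_certificates_bundle_path is not readable, falling back to the shipped ca-bundle.crt', ['path' => $configured]);
			return $shipped;
		}
		return $configured;
	}
```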
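Review bot: The docblock on the new interface method only restates its name, and since the returned file is what TLS verification is based on, callers and implementors need the contract. I would expand it to say that it returns the absolute path of the CA bundle used when no user-supplied certificates are present (the file configured via `default_certificates_bundle_path` in config.php, or Nextcloud's shipped `resources/config/ca-bundle.crt` when unset), and that the implementation does not guarantee the file exists or is readable. That docblock runs past three lines, so it is described here rather than quoted.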
@@ -48,6 +48,11 @@ class CertificateManagerTest extends \Test\TestCase {
 		$config = $this->createMock(IConfig::class);
 		$config->expects($this->any())->method('getSystemValueBool')
 			->with('installed', false)->willReturn(true);
+		$config
+			->expects($this->any())
+			->method('getSystemValueString')
+			->with('default_certificates_bundle_path', \OC::$SERVERROOT . '/resources/config/ca-bundle.crt')
+			->willReturn(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
 
 		$this->random = $this->createMock(ISecureRandom::class);
 		$this->random->method('generate')
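Review bot: The mock pins `getSystemValueString` to the shipped path, so after this commit there is still no test in which `default_certificates_bundle_path` is set to anything else, and the behaviour the commit adds is untested. A case that returns a temporary PEM file from the mock and asserts that `getAbsoluteBundlePath()` yields that path when `hasCertificates()` is false, plus one with a non-existent path to pin the failure behaviour, would cover it; note also that `->with(...)` on an `any()` expectation makes the mock fail if the class ever reads another string key. The setup method this hunk sits in starts and ends outside the hunk.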