author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2021-01-19 09:35:52 +0100 |
committer | GitHub <noreply@github.com> | 2021-01-19 09:35:52 +0100 |
commit | 0893bba369aba50bca7b9bba09b7e8be7a8a7f61 (patch) | |
tree | 40b3ad5a42cbf5df217f8e93a3cdef1707cd5e2c | |
parent | 91864aeb40b0ebd61ac6f57fe49f477f885c3808 (diff) | |
parent | 7ef7c3e3f2729c2518ff62fbac063f63be429160 (diff) | |
download | nextcloud-server-0893bba369aba50bca7b9bba09b7e8be7a8a7f61.tar.gz nextcloud-server-0893bba369aba50bca7b9bba09b7e8be7a8a7f61.zip |
Merge pull request #25153 from nextcloud/bugfix/noid/force-signature-verification-on-occ
Force signature verification of apps on occ
-rw-r--r-- | core/Command/Integrity/CheckApp.php | 2 | ||||
-rw-r--r-- | core/Command/Integrity/CheckCore.php | 5 | ||||
-rw-r--r-- | core/Command/Upgrade.php | 2 | ||||
-rw-r--r-- | lib/private/IntegrityCheck/Checker.php | 29 | ||||
-rw-r--r-- | lib/private/Server.php | 1 | ||||
-rw-r--r-- | tests/lib/IntegrityCheck/CheckerTest.php | 2 |
6 files changed, 20 insertions, 21 deletions
diff --git a/core/Command/Integrity/CheckApp.php b/core/Command/Integrity/CheckApp.php
index 7bf92001cc8..b95d879941e 100644
--- a/core/Command/Integrity/CheckApp.php
+++ b/core/Command/Integrity/CheckApp.php
@@ -70,7 +70,7 @@ class CheckApp extends Base {
 protected function execute(InputInterface $input, OutputInterface $output): int {
 $appid = $input->getArgument('appid');
 $path = (string)$input->getOption('path');
- $result = $this->checker->verifyAppSignature($appid, $path);
+ $result = $this->checker->verifyAppSignature($appid, $path, true);
 $this->writeArrayInOutputFormat($input, $output, $result);
 if (count($result) > 0) {
 return 1;
diff --git a/core/Command/Integrity/CheckCore.php b/core/Command/Integrity/CheckCore.php
index 6f319abdf74..cca72535f36 100644
--- a/core/Command/Integrity/CheckCore.php
+++ b/core/Command/Integrity/CheckCore.php
@@ -61,6 +61,11 @@ class CheckCore extends Base {
 * {@inheritdoc }
 */
 protected function execute(InputInterface $input, OutputInterface $output): int {
+ if (!$this->checker->isCodeCheckEnforced()) {
+ $output->writeln('<comment>integrity:check-core can not be used on git checkouts</comment>');
+ return 2;
+ }
+
 $result = $this->checker->verifyCoreSignature();
 $this->writeArrayInOutputFormat($input, $output, $result);
 if (count($result) > 0) {
diff --git a/core/Command/Upgrade.php b/core/Command/Upgrade.php
index b5361382190..7ab5fe8e5fd 100644
--- a/core/Command/Upgrade.php
+++ b/core/Command/Upgrade.php
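Review bot: The literal `true` passed as the third argument of verifyAppSignature on the new line carries the whole intent of this commit, but nothing at the call site says what it changes; a reader has to open Checker::verify to learn that it bypasses the early `return []` taken whenever isCodeCheckEnforced() is false. A comment above the call, `// force verification: Checker::verify() otherwise returns [] whenever isCodeCheckEnforced() is false`, would make that explicit, since positional booleans are otherwise opaque. execute() continues past the end of the hunk.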
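Review bot: The new guard in CheckCore::execute reports "can not be used on git checkouts" whenever isCodeCheckEnforced() is false, but nothing in the hunk shows that a git checkout is the only reason that method returns false; if it also covers a configuration switch that disables the integrity check, an operator on a release install would be told they are on a git checkout. A message stating the actual condition, `'<comment>integrity:check-core can not be used when the integrity check is not enforced (e.g. git checkouts)</comment>'`, avoids that. The new exit status 2 is also undocumented and distinct from the 1 returned for a failed check further down; a comment above the return such as `// 2: check not applicable here, 1: signature mismatch (below), 0: ok` would help scripts that branch on the status. execute() continues past the end of the hunk.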
@@ -263,7 +263,7 @@ class Upgrade extends Command {
 return self::ERROR_SUCCESS;
 } elseif ($this->config->getSystemValueBool('maintenance')) {
 //Possible scenario: Nextcloud core is updated but an app failed
- $output->writeln('<warning>Nextcloud is in maintenance mode</warning>');
+ $output->writeln('<comment>Nextcloud is in maintenance mode</comment>');
 $output->write('<comment>Maybe an upgrade is already in process. Please check the ' .
 'logfile (data/nextcloud.log). If you want to re-run the ' .
 'upgrade procedure, remove the "maintenance mode" from '
diff --git a/lib/private/IntegrityCheck/Checker.php b/lib/private/IntegrityCheck/Checker.php
index 504cd391c42..fc28d0e7393 100644
--- a/lib/private/IntegrityCheck/Checker.php
+++ b/lib/private/IntegrityCheck/Checker.php
@@ -44,7 +44,6 @@ use OCP\Files\IMimeTypeDetector;
 use OCP\ICache;
 use OCP\ICacheFactory;
 use OCP\IConfig;
-use OCP\ITempManager;
 use phpseclib\Crypt\RSA;
 use phpseclib\File\X509;
 
@@ -66,14 +65,12 @@ class Checker {
 private $appLocator;
 /** @var FileAccessHelper */
 private $fileAccessHelper;
- /** @var IConfig */
+ /** @var IConfig|null */
 private $config;
 /** @var ICache */
 private $cache;
- /** @var IAppManager */
+ /** @var IAppManager|null */
 private $appManager;
- /** @var ITempManager */
- private $tempManager;
 /** @var IMimeTypeDetector */
 private $mimeTypeDetector;
 
@@ -81,19 +78,17 @@ class Checker {
 * @param EnvironmentHelper $environmentHelper
 * @param FileAccessHelper $fileAccessHelper
 * @param AppLocator $appLocator
- * @param IConfig $config
+ * @param IConfig|null $config
 * @param ICacheFactory $cacheFactory
- * @param IAppManager $appManager
- * @param ITempManager $tempManager
+ * @param IAppManager|null $appManager
 * @param IMimeTypeDetector $mimeTypeDetector
 */
 public function __construct(EnvironmentHelper $environmentHelper,
 FileAccessHelper $fileAccessHelper,
 AppLocator $appLocator,
- IConfig $config = null,
+ ?IConfig $config,
 ICacheFactory $cacheFactory,
- IAppManager $appManager = null,
- ITempManager $tempManager,
+ ?IAppManager $appManager,
 IMimeTypeDetector $mimeTypeDetector) {
 $this->environmentHelper = $environmentHelper;
 $this->fileAccessHelper = $fileAccessHelper;
@@ -101,7 +96,6 @@ class Checker {
 $this->config = $config;
 $this->cache = $cacheFactory->createDistributed(self::CACHE_KEY);
 $this->appManager = $appManager;
- $this->tempManager = $tempManager;
 $this->mimeTypeDetector = $mimeTypeDetector;
 }
 
@@ -311,12 +305,13 @@ class Checker {
 * @param string $signaturePath
 * @param string $basePath
 * @param string $certificateCN
+ * @param bool $forceVerify
 * @return array
 * @throws InvalidSignatureException
 * @throws \Exception
 */
- private function verify(string $signaturePath, string $basePath, string $certificateCN): array {
- if (!$this->isCodeCheckEnforced()) {
+ private function verify(string $signaturePath, string $basePath, string $certificateCN, bool $forceVerify = false): array {
+ if (!$forceVerify && !$this->isCodeCheckEnforced()) {
 return [];
 }
 
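Review bot: The new `@param bool $forceVerify` line in the verify() docblock (and the matching line added to verifyAppSignature in the next hunk) gives only the type, while the neighbouring `$path` parameter is described; the meaning is non-obvious because the flag turns a check that otherwise silently returns `[]` into one that actually runs. Suggest `@param bool $forceVerify Run the verification even when isCodeCheckEnforced() is false; without it an empty result is returned without checking anything`, so that callers do not mistake the empty result for a passed check. verify() continues past the end of the hunk, so whether a missing signature file under forced verification surfaces as an exception or as an empty result cannot be confirmed from here.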
@@ -495,9 +490,10 @@ class Checker {
 *
 * @param string $appId
 * @param string $path Optional path. If none is given it will be guessed.
+ * @param bool $forceVerify
 * @return array
 */
- public function verifyAppSignature(string $appId, string $path = ''): array {
+ public function verifyAppSignature(string $appId, string $path = '', bool $forceVerify = false): array {
 try {
 if ($path === '') {
 $path = $this->appLocator->getAppPath($appId);
@@ -505,7 +501,8 @@ class Checker {
 $result = $this->verify(
 $path . '/appinfo/signature.json',
 $path,
- $appId
+ $appId,
+ $forceVerify
 );
 } catch (\Exception $e) {
 $result = [
diff --git a/lib/private/Server.php b/lib/private/Server.php
index 680eea3beca..1114e60f475 100644
--- a/lib/private/Server.php
+++ b/lib/private/Server.php
@@ -942,7 +942,6 @@ class Server extends ServerContainer implements IServerContainer {
 $config,
 $c->get(ICacheFactory::class),
 $appManager,
- $c->get(ITempManager::class),
 $c->get(IMimeTypeDetector::class)
 );
 });
diff --git a/tests/lib/IntegrityCheck/CheckerTest.php b/tests/lib/IntegrityCheck/CheckerTest.php
index 995b0c68e30..bc1987bedab 100644
--- a/tests/lib/IntegrityCheck/CheckerTest.php
+++ b/tests/lib/IntegrityCheck/CheckerTest.php
@@ -77,7 +77,6 @@ class CheckerTest extends TestCase {
 $this->config,
 $this->cacheFactory,
 $this->appManager,
- \OC::$server->getTempManager(),
 $this->mimeTypeDetector
 );
 }
@@ -1279,7 +1278,6 @@ class CheckerTest extends TestCase {
 $this->config,
 $this->cacheFactory,
 $this->appManager,
- \OC::$server->getTempManager(),
 $this->mimeTypeDetector,
 ])
 ->setMethods([ |