Merge pull request #43908 from nextcloud/feat/migrate-data-directory-setup-check

feat(settings): Migrate data directory protection check to `SetupCheck`

7 files changed, 227 insertions, 6 deletions

diff --git a/apps/settings/composer/composer/autoload_classmap.php b/apps/settings/composer/composer/autoload_classmap.php
index 067b24592e8..09f29352510 100644
--- a/apps/settings/composer/composer/autoload_classmap.php
+++ b/apps/settings/composer/composer/autoload_classmap.php
@@ -83,6 +83,7 @@ return array(
     'OCA\\Settings\\SetupChecks\\CodeIntegrity' => $baseDir . '/../lib/SetupChecks/CodeIntegrity.php',
     'OCA\\Settings\\SetupChecks\\CronErrors' => $baseDir . '/../lib/SetupChecks/CronErrors.php',
     'OCA\\Settings\\SetupChecks\\CronInfo' => $baseDir . '/../lib/SetupChecks/CronInfo.php',
+    'OCA\\Settings\\SetupChecks\\DataDirectoryProtected' => $baseDir . '/../lib/SetupChecks/DataDirectoryProtected.php',
     'OCA\\Settings\\SetupChecks\\DatabaseHasMissingColumns' => $baseDir . '/../lib/SetupChecks/DatabaseHasMissingColumns.php',
     'OCA\\Settings\\SetupChecks\\DatabaseHasMissingIndices' => $baseDir . '/../lib/SetupChecks/DatabaseHasMissingIndices.php',
     'OCA\\Settings\\SetupChecks\\DatabaseHasMissingPrimaryKeys' => $baseDir . '/../lib/SetupChecks/DatabaseHasMissingPrimaryKeys.php',
diff --git a/apps/settings/composer/composer/autoload_static.php b/apps/settings/composer/composer/autoload_static.php
index 44afee35d93..990d502e235 100644
--- a/apps/settings/composer/composer/autoload_static.php
+++ b/apps/settings/composer/composer/autoload_static.php
@@ -98,6 +98,7 @@ class ComposerStaticInitSettings
         'OCA\\Settings\\SetupChecks\\CodeIntegrity' => __DIR__ . '/..' . '/../lib/SetupChecks/CodeIntegrity.php',
         'OCA\\Settings\\SetupChecks\\CronErrors' => __DIR__ . '/..' . '/../lib/SetupChecks/CronErrors.php',
         'OCA\\Settings\\SetupChecks\\CronInfo' => __DIR__ . '/..' . '/../lib/SetupChecks/CronInfo.php',
+        'OCA\\Settings\\SetupChecks\\DataDirectoryProtected' => __DIR__ . '/..' . '/../lib/SetupChecks/DataDirectoryProtected.php',
         'OCA\\Settings\\SetupChecks\\DatabaseHasMissingColumns' => __DIR__ . '/..' . '/../lib/SetupChecks/DatabaseHasMissingColumns.php',
         'OCA\\Settings\\SetupChecks\\DatabaseHasMissingIndices' => __DIR__ . '/..' . '/../lib/SetupChecks/DatabaseHasMissingIndices.php',
         'OCA\\Settings\\SetupChecks\\DatabaseHasMissingPrimaryKeys' => __DIR__ . '/..' . '/../lib/SetupChecks/DatabaseHasMissingPrimaryKeys.php',
diff --git a/apps/settings/lib/AppInfo/Application.php b/apps/settings/lib/AppInfo/Application.php
index cfe8a306365..e125e68f864 100644
--- a/apps/settings/lib/AppInfo/Application.php
+++ b/apps/settings/lib/AppInfo/Application.php
@@ -58,6 +58,7 @@ use OCA\Settings\SetupChecks\DatabaseHasMissingColumns;
 use OCA\Settings\SetupChecks\DatabaseHasMissingIndices;
 use OCA\Settings\SetupChecks\DatabaseHasMissingPrimaryKeys;
 use OCA\Settings\SetupChecks\DatabasePendingBigIntConversions;
+use OCA\Settings\SetupChecks\DataDirectoryProtected;
 use OCA\Settings\SetupChecks\DebugMode;
 use OCA\Settings\SetupChecks\DefaultPhoneRegionSet;
 use OCA\Settings\SetupChecks\EmailTestSuccessful;
@@ -183,6 +184,7 @@ class Application extends App implements IBootstrap {
 		$context->registerSetupCheck(DatabaseHasMissingIndices::class);
 		$context->registerSetupCheck(DatabaseHasMissingPrimaryKeys::class);
 		$context->registerSetupCheck(DatabasePendingBigIntConversions::class);
+		$context->registerSetupCheck(DataDirectoryProtected::class);
 		$context->registerSetupCheck(DebugMode::class);
 		$context->registerSetupCheck(DefaultPhoneRegionSet::class);
 		$context->registerSetupCheck(EmailTestSuccessful::class);
diff --git a/apps/settings/lib/SetupChecks/CheckServerResponseTrait.php b/apps/settings/lib/SetupChecks/CheckServerResponseTrait.php
index 30ffa9a2977..bc757d27e48 100644
--- a/apps/settings/lib/SetupChecks/CheckServerResponseTrait.php
+++ b/apps/settings/lib/SetupChecks/CheckServerResponseTrait.php
@@ -74,11 +74,12 @@ trait CheckServerResponseTrait {
 	 * Run a HEAD request to check header
 	 * @param string $url The relative URL to check
 	 * @param bool $ignoreSSL Ignore SSL certificates
+	 * @param bool $httpErrors Ignore requests with HTTP errors (will not yield if request has a 4xx or 5xx response)
 	 * @return Generator<int, IResponse>
 	 */
-	protected function runHEAD(string $url, bool $ignoreSSL = true): Generator {
+	protected function runHEAD(string $url, bool $ignoreSSL = true, bool $httpErrors = true): Generator {
 		$client = $this->clientService->newClient();
-		$requestOptions = $this->getRequestOptions($ignoreSSL);
+		$requestOptions = $this->getRequestOptions($ignoreSSL, $httpErrors);
 
 		foreach ($this->getTestUrls($url) as $testURL) {
 			try {
@@ -89,9 +90,10 @@ trait CheckServerResponseTrait {
 		}
 	}
 
-	protected function getRequestOptions(bool $ignoreSSL): array {
+	protected function getRequestOptions(bool $ignoreSSL, bool $httpErrors): array {
 		$requestOptions = [
 			'connect_timeout' => 10,
+			'http_errors' => $httpErrors,
 			'nextcloud' => [
 				'allow_local_address' => true,
 			],
diff --git a/apps/settings/lib/SetupChecks/DataDirectoryProtected.php b/apps/settings/lib/SetupChecks/DataDirectoryProtected.php
new file mode 100644
index 00000000000..5ba92c809e4
--- /dev/null
+++ b/apps/settings/lib/SetupChecks/DataDirectoryProtected.php
@@ -0,0 +1,80 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2024 Ferdinand Thiessen <opensource@fthiessen.de>
+ *
+ * @author Ferdinand Thiessen <opensource@fthiessen.de>
+ *
+ * @license AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\Settings\SetupChecks;
+
+use OCP\Http\Client\IClientService;
+use OCP\IConfig;
+use OCP\IL10N;
+use OCP\IURLGenerator;
+use OCP\SetupCheck\ISetupCheck;
+use OCP\SetupCheck\SetupResult;
+use Psr\Log\LoggerInterface;
+
+/**
+ * Checks if the data directory can not be accessed from outside
+ */
+class DataDirectoryProtected implements ISetupCheck {
+	use CheckServerResponseTrait;
+
+	public function __construct(
+		protected IL10N $l10n,
+		protected IConfig $config,
+		protected IURLGenerator $urlGenerator,
+		protected IClientService $clientService,
+		protected LoggerInterface $logger,
+	) {
+	}
+
+	public function getCategory(): string {
+		return 'network';
+	}
+
+	public function getName(): string {
+		return $this->l10n->t('Data directory protected');
+	}
+
+	public function run(): SetupResult {
+		$datadir = str_replace(\OC::$SERVERROOT . '/', '', $this->config->getSystemValue('datadirectory', ''));
+
+		$dataUrl = $this->urlGenerator->getWebroot() . '/' . $datadir . '/.ocdata';
+
+		$noResponse = true;
+		foreach ($this->runHEAD($dataUrl, httpErrors:false) as $response) {
+			$noResponse = false;
+			if ($response->getStatusCode() === 200) {
+				return SetupResult::error($this->l10n->t('Your data directory and files are probably accessible from the internet. The .htaccess file is not working. It is strongly recommended that you configure your web server so that the data directory is no longer accessible, or move the data directory outside the web server document root.'));
+			} else {
+				$this->logger->debug('[expected] Could not access data directory from outside.', ['url' => $dataUrl]);
+			}
+		}
+
+		if ($noResponse) {
+			return SetupResult::warning($this->l10n->t('Could not check that the data directory is protected. Please check manually that your server does not allow access to the data directory.') . "\n" . $this->serverConfigHelp());
+		}
+		return SetupResult::success();
+		
+	}
+}
diff --git a/apps/settings/src/admin.js b/apps/settings/src/admin.js
index a22c89f8666..b8f8e99ef80 100644
--- a/apps/settings/src/admin.js
+++ b/apps/settings/src/admin.js
@@ -108,9 +108,8 @@ window.addEventListener('DOMContentLoaded', () => {
 			OC.SetupChecks.checkWellKnownUrl('PROPFIND', '/.well-known/carddav', OC.theme.docPlaceholderUrl, $('#postsetupchecks').data('check-wellknown') === true),
 			OC.SetupChecks.checkSetup(),
 			OC.SetupChecks.checkGeneric(),
-			OC.SetupChecks.checkDataProtected(),
-		).then((check1, check2, check3, check4, check5, check6, check7, check8) => {
-			const messages = [].concat(check1, check2, check3, check4, check5, check6, check7, check8)
+		).then((check1, check2, check3, check4, check5, check6, check7) => {
+			const messages = [].concat(check1, check2, check3, check4, check5, check6, check7)
 			const $el = $('#postsetupchecks')
 			$('#security-warning-state-loading').addClass('hidden')
 
diff --git a/apps/settings/tests/SetupChecks/DataDirectoryProtectedTest.php b/apps/settings/tests/SetupChecks/DataDirectoryProtectedTest.php
new file mode 100644
index 00000000000..8eec24a51c4
--- /dev/null
+++ b/apps/settings/tests/SetupChecks/DataDirectoryProtectedTest.php
@@ -0,0 +1,136 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2024 Ferdinand Thiessen <opensource@fthiessen.de>
+ *
+ * @author Ferdinand Thiessen <opensource@fthiessen.de>
+ *
+ * @license AGPL-3.0-or-later
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\Settings\Tests;
+
+use OCA\Settings\SetupChecks\DataDirectoryProtected;
+use OCP\Http\Client\IClientService;
+use OCP\Http\Client\IResponse;
+use OCP\IConfig;
+use OCP\IL10N;
+use OCP\IURLGenerator;
+use OCP\SetupCheck\SetupResult;
+use PHPUnit\Framework\MockObject\MockObject;
+use Psr\Log\LoggerInterface;
+use Test\TestCase;
+
+class DataDirectoryProtectedTest extends TestCase {
+	private IL10N|MockObject $l10n;
+	private IConfig|MockObject $config;
+	private IURLGenerator|MockObject $urlGenerator;
+	private IClientService|MockObject $clientService;
+	private LoggerInterface|MockObject $logger;
+	private DataDirectoryProtected|MockObject $setupcheck;
+
+	protected function setUp(): void {
+		parent::setUp();
+
+		/** @var IL10N|MockObject */
+		$this->l10n = $this->getMockBuilder(IL10N::class)
+			->disableOriginalConstructor()->getMock();
+		$this->l10n->expects($this->any())
+			->method('t')
+			->willReturnCallback(function ($message, array $replace) {
+				return vsprintf($message, $replace);
+			});
+
+		$this->config = $this->createMock(IConfig::class);
+		$this->urlGenerator = $this->createMock(IURLGenerator::class);
+		$this->clientService = $this->createMock(IClientService::class);
+		$this->logger = $this->createMock(LoggerInterface::class);
+
+		$this->setupcheck = $this->getMockBuilder(DataDirectoryProtected::class)
+			->onlyMethods(['runHEAD'])
+			->setConstructorArgs([
+				$this->l10n,
+				$this->config,
+				$this->urlGenerator,
+				$this->clientService,
+				$this->logger,
+			])
+			->getMock();
+	}
+
+	/**
+	 * @dataProvider dataTestStatusCode
+	 */
+	public function testStatusCode(array $status, string $expected): void {
+		$responses = array_map(function ($state) {
+			$response = $this->createMock(IResponse::class);
+			$response->expects($this->any())->method('getStatusCode')->willReturn($state);
+			return $response;
+		}, $status);
+
+		$this->setupcheck
+			->expects($this->once())
+			->method('runHEAD')
+			->will($this->generate($responses));
+
+		$this->config
+			->expects($this->once())
+			->method('getSystemValue')
+			->willReturn('');
+
+		$result = $this->setupcheck->run();
+		$this->assertEquals($expected, $result->getSeverity());
+	}
+
+	public function dataTestStatusCode(): array {
+		return [
+			'success: forbidden access' => [[403], SetupResult::SUCCESS],
+			'error: can access' => [[200], SetupResult::ERROR],
+			'error: one forbidden one can access' => [[403, 200], SetupResult::ERROR],
+			'warning: connection issue' => [[], SetupResult::WARNING],
+		];
+	}
+
+	public function testNoResponse(): void {
+		$response = $this->createMock(IResponse::class);
+		$response->expects($this->any())->method('getStatusCode')->willReturn(200);
+
+		$this->setupcheck
+			->expects($this->once())
+			->method('runHEAD')
+			->will($this->generate([]));
+
+		$this->config
+			->expects($this->once())
+			->method('getSystemValue')
+			->willReturn('');
+
+		$result = $this->setupcheck->run();
+		$this->assertEquals(SetupResult::WARNING, $result->getSeverity());
+		$this->assertMatchesRegularExpression('/^Could not check/', $result->getDescription());
+	}
+
+	/**
+	 * Helper function creates a nicer interface for mocking Generator behavior
+	 */
+	protected function generate(array $yield_values) {
+		return $this->returnCallback(function () use ($yield_values) {
+			yield from $yield_values;
+		});
+	}
+}