authorLukas Reschke <lukas@owncloud.com>2014-08-31 15:50:30 +0200
committerLukas Reschke <lukas@owncloud.com>2014-08-31 15:50:30 +0200
commit8009df0b60c71bac41e4ead9ec8e4e92812e0d75 (patch)
treea937e0948af28bffff46eb08f24c93712032d26a /apps
parent73685892ed6f255a916512863cd5549914d071e1 (diff)
parent3a85767182e04ac013f59d82cc3a8c4d08bab151 (diff)
Merge pull request #10420 from owncloud/external-share-self-signed
Make external shares work with imported self signed certificates
Diffstat (limited to 'apps')
-rw-r--r--apps/files_external/ajax/addRootCertificate.php45
-rw-r--r--apps/files_external/ajax/removeRootCertificate.php13
-rwxr-xr-xapps/files_external/lib/config.php47
-rwxr-xr-xapps/files_external/personal.php1
-rw-r--r--apps/files_external/templates/settings.php27
-rw-r--r--apps/files_sharing/lib/external/manager.php4
-rw-r--r--apps/files_sharing/lib/external/storage.php10
-rw-r--r--apps/files_sharing/tests/externalstorage.php4
8 files changed, 16 insertions, 135 deletions
diff --git a/apps/files_external/ajax/addRootCertificate.php b/apps/files_external/ajax/addRootCertificate.php
deleted file mode 100644
index fcd3a617ada..00000000000
--- a/apps/files_external/ajax/addRootCertificate.php
+++ /dev/null
@@ -1,45 +0,0 @@
-<?php
-
-OCP\JSON::checkAppEnabled('files_external');
-OCP\JSON::callCheck();
-
-if ( ! ($filename = $_FILES['rootcert_import']['name']) ) {
- header('Location:' . OCP\Util::linkToRoute( "settings_personal" ));
- exit;
-}
-
-$fh = fopen($_FILES['rootcert_import']['tmp_name'], 'r');
-$data = fread($fh, filesize($_FILES['rootcert_import']['tmp_name']));
-fclose($fh);
-$filename = $_FILES['rootcert_import']['name'];
-
-$view = new \OC\Files\View('/'.\OCP\User::getUser().'/files_external/uploads');
-if (!$view->file_exists('')) {
- $view->mkdir('');
-}
-
-$isValid = openssl_pkey_get_public($data);
-
-//maybe it was just the wrong file format, try to convert it...
-if ($isValid == false) {
- $data = chunk_split(base64_encode($data), 64, "\n");
- $data = "-----BEGIN CERTIFICATE-----\n".$data."-----END CERTIFICATE-----\n";
- $isValid = openssl_pkey_get_public($data);
-}
-
-// add the certificate if it could be verified
-if ( $isValid ) {
- // disable proxy to prevent multiple fopen calls
- $proxyStatus = \OC_FileProxy::$enabled;
- \OC_FileProxy::$enabled = false;
- $view->file_put_contents($filename, $data);
- OC_Mount_Config::createCertificateBundle();
- \OC_FileProxy::$enabled = $proxyStatus;
-} else {
- OCP\Util::writeLog('files_external',
- 'Couldn\'t import SSL root certificate ('.$filename.'), allowed formats: PEM and DER',
- OCP\Util::WARN);
-}
-
-header('Location:' . OCP\Util::linkToRoute( "settings_personal" ));
-exit;
diff --git a/apps/files_external/ajax/removeRootCertificate.php b/apps/files_external/ajax/removeRootCertificate.php
deleted file mode 100644
index 664b3937e97..00000000000
--- a/apps/files_external/ajax/removeRootCertificate.php
+++ /dev/null
@@ -1,13 +0,0 @@
-<?php
-
-OCP\JSON::checkAppEnabled('files_external');
-OCP\JSON::checkLoggedIn();
-OCP\JSON::callCheck();
-
-$view = \OCP\Files::getStorage("files_external");
-$file = 'uploads/'.ltrim($_POST['cert'], "/\\.");
-
-if ( $view->file_exists($file) ) {
- $view->unlink($file);
- OC_Mount_Config::createCertificateBundle();
-}
diff --git a/apps/files_external/lib/config.php b/apps/files_external/lib/config.php
index 85e36fd9043..952463b8015 100755
--- a/apps/files_external/lib/config.php
+++ b/apps/files_external/lib/config.php
@@ -620,53 +620,6 @@ class OC_Mount_Config {
}
/**
- * Returns all user uploaded ssl root certificates
- * @return array
- */
- public static function getCertificates() {
- $path=OC_User::getHome(OC_User::getUser()) . '/files_external/uploads/';
- \OCP\Util::writeLog('files_external', 'checking path '.$path, \OCP\Util::INFO);
- if ( ! is_dir($path)) {
- //path might not exist (e.g. non-standard OC_User::getHome() value)
- //in this case create full path using 3rd (recursive=true) parameter.
- mkdir($path, 0777, true);
- }
- $result = array();
- $handle = opendir($path);
- if(!is_resource($handle)) {
- return array();
- }
- while (false !== ($file = readdir($handle))) {
- if ($file != '.' && $file != '..') $result[] = $file;
- }
- return $result;
- }
-
- /**
- * creates certificate bundle
- */
- public static function createCertificateBundle() {
- $path=OC_User::getHome(OC_User::getUser()) . '/files_external';
-
- $certs = OC_Mount_Config::getCertificates();
- $fh_certs = fopen($path."/rootcerts.crt", 'w');
- foreach ($certs as $cert) {
- $file=$path.'/uploads/'.$cert;
- $fh = fopen($file, "r");
- $data = fread($fh, filesize($file));
- fclose($fh);
- if (strpos($data, 'BEGIN CERTIFICATE')) {
- fwrite($fh_certs, $data);
- fwrite($fh_certs, "\r\n");
- }
- }
-
- fclose($fh_certs);
-
- return true;
- }
-
- /**
* check dependencies
*/
public static function checkDependencies() {
diff --git a/apps/files_external/personal.php b/apps/files_external/personal.php
index 90d7afed28b..a279163ff70 100755
--- a/apps/files_external/personal.php
+++ b/apps/files_external/personal.php
@@ -27,7 +27,6 @@ $backends = OC_Mount_Config::getPersonalBackends();
$tmpl = new OCP\Template('files_external', 'settings');
$tmpl->assign('isAdminPage', false);
$tmpl->assign('mounts', OC_Mount_Config::getPersonalMountPoints());
-$tmpl->assign('certs', OC_Mount_Config::getCertificates());
$tmpl->assign('dependencies', OC_Mount_Config::checkDependencies());
$tmpl->assign('backends', $backends);
return $tmpl->fetchPage();
diff --git a/apps/files_external/templates/settings.php b/apps/files_external/templates/settings.php
index dd283f9ff55..072f856dfbd 100644
--- a/apps/files_external/templates/settings.php
+++ b/apps/files_external/templates/settings.php
@@ -119,30 +119,3 @@
</p>
<?php endif; ?>
</form>
-
-<?php if ( ! $_['isAdminPage']): ?>
-<form id="files_external" class="section"
- method="post"
- enctype="multipart/form-data"
- action="<?php p(OCP\Util::linkTo('files_external', 'ajax/addRootCertificate.php')); ?>">
- <h2><?php p($l->t('SSL root certificates'));?></h2>
- <table id="sslCertificate" data-admin='<?php print_unescaped(json_encode($_['isAdminPage'])); ?>'>
- <tbody>
- <?php foreach ($_['certs'] as $rootCert): ?>
- <tr id="<?php p($rootCert) ?>">
- <td class="rootCert"><?php p($rootCert) ?></td>
- <td <?php if ($rootCert != ''): ?>class="remove"
- <?php else: ?>style="visibility:hidden;"
- <?php endif; ?>><img alt="<?php p($l->t('Delete')); ?>"
- title="<?php p($l->t('Delete')); ?>"
- class="svg action"
- src="<?php print_unescaped(image_path('core', 'actions/delete.svg')); ?>" /></td>
- </tr>
- <?php endforeach; ?>
- </tbody>
- </table>
- <input type="hidden" name="requesttoken" value="<?php p($_['requesttoken']); ?>">
- <input type="file" id="rootcert_import" name="rootcert_import">
- <input type="submit" name="cert_import" value="<?php p($l->t('Import Root Certificate')); ?>" />
-</form>
-<?php endif; ?>
diff --git a/apps/files_sharing/lib/external/manager.php b/apps/files_sharing/lib/external/manager.php
index dda283f4952..8176302a86a 100644
--- a/apps/files_sharing/lib/external/manager.php
+++ b/apps/files_sharing/lib/external/manager.php
@@ -113,9 +113,11 @@ class Manager {
* @return Mount
*/
protected function mountShare($data) {
+ $user = $this->userSession->getUser();
$data['manager'] = $this;
- $mountPoint = '/' . $this->userSession->getUser()->getUID() . '/files' . $data['mountpoint'];
+ $mountPoint = '/' . $user->getUID() . '/files' . $data['mountpoint'];
$data['mountpoint'] = $mountPoint;
+ $data['certificateManager'] = \OC::$server->getCertificateManager($user);
$mount = new Mount(self::STORAGE, $mountPoint, $data, $this, $this->storageLoader);
$this->mountManager->addMount($mount);
return $mount;
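Review bot: In `mountShare()` the certificate manager is pulled from the static `\OC::$server` locator, while every other collaborator used here (`$this->userSession`, `$this->mountManager`, `$this->storageLoader`) is injected, so the TLS trust source for a share cannot be substituted in a unit test. `$user` is also dereferenced and passed on without a null check; if `getUser()` can return null when there is no active session (not visible in this hunk), `$user->getUID()` fails before the mount is built. Consider injecting the manager or a factory through the constructor, which lies outside this hunk, and adding a guard such as `if ($user === null) { throw new \RuntimeException('No user session for external share mount'); }`. The docblock above should also say that `$data` gains a `certificateManager` key bound to the current user.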
diff --git a/apps/files_sharing/lib/external/storage.php b/apps/files_sharing/lib/external/storage.php
index 855be2872b5..92d8f92b380 100644
--- a/apps/files_sharing/lib/external/storage.php
+++ b/apps/files_sharing/lib/external/storage.php
@@ -37,6 +37,11 @@ class Storage extends DAV implements ISharedStorage {
*/
private $token;
+ /**
+ * @var \OCP\ICertificateManager
+ */
+ private $certificateManager;
+
private $updateChecked = false;
/**
@@ -46,6 +51,7 @@ class Storage extends DAV implements ISharedStorage {
public function __construct($options) {
$this->manager = $options['manager'];
+ $this->certificateManager = $options['certificateManager'];
$this->remote = $options['remote'];
$this->remoteUser = $options['owner'];
list($protocol, $remote) = explode('://', $this->remote);
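Review bot: `$options['certificateManager']` is read in the constructor without checking that the key exists, so any caller that still builds a `Storage` from the old option set gets a null property. That only surfaces later as a fatal error on `$this->certificateManager->getCertificateBundle()` in the curl hunk further down this file. Either fail early or fall back explicitly, for example `$this->certificateManager = isset($options['certificateManager']) ? $options['certificateManager'] : \OC::$server->getCertificateManager();`. The constructor docblock, which starts above this hunk, should list `certificateManager` as a required option of type `\OCP\ICertificateManager`.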
@@ -190,6 +196,10 @@ class Storage extends DAV implements ISharedStorage {
http_build_query(array('password' => $password)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
+ curl_setopt($ch, CURLOPT_CAINFO, $this->certificateManager->getCertificateBundle());
+
$result = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
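Review bot: `CURLOPT_CAINFO` replaces curl's default CA file rather than adding to it, so the contents of `getCertificateBundle()` decide every trust decision for this request. This hunk does not show whether that bundle contains the system roots as well as the user's imported certificates; if it holds only the imports, remotes with publicly signed certificates will fail verification, and a missing or empty bundle file will make every request fail. A comment would record the requirement, e.g. `// CAINFO overrides the default CA store: bundle must contain system roots + user-imported certs`. The code should also check `curl_exec()` for `false` and log `curl_error($ch)`, so a TLS verification failure is distinguishable from an HTTP error when `$status` is read. The enclosing method continues outside the hunk, so existing handling of `$result` may already cover part of this.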
diff --git a/apps/files_sharing/tests/externalstorage.php b/apps/files_sharing/tests/externalstorage.php
index 1258148af53..2e93afa1987 100644
--- a/apps/files_sharing/tests/externalstorage.php
+++ b/apps/files_sharing/tests/externalstorage.php
@@ -65,6 +65,7 @@ class Test_Files_Sharing_External_Storage extends \PHPUnit_Framework_TestCase {
* @dataProvider optionsProvider
*/
public function testStorageMountOptions($inputUri, $baseUri) {
+ $certificateManager = \OC::$server->getCertificateManager();
$storage = new TestSharingExternalStorage(
array(
'remote' => $inputUri,
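Review bot: The test takes its certificate manager from the global `\OC::$server` with no user argument, whereas `Manager::mountShare()` passes the session user, so the test exercises a different configuration from production and depends on server state. Since `testStorageMountOptions` only asserts on `getBaseUri()`, a stub implementing `\OCP\ICertificateManager` would keep the test isolated. Nothing in this file covers the new TLS options or the case where the `certificateManager` option is absent; a test constructing the storage without that key would pin the intended behaviour.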
@@ -72,7 +73,8 @@ class Test_Files_Sharing_External_Storage extends \PHPUnit_Framework_TestCase {
'mountpoint' => 'remoteshare',
'token' => 'abcdef',
'password' => '',
- 'manager' => null
+ 'manager' => null,
+ 'certificateManager' => $certificateManager
)
);
$this->assertEquals($baseUri, $storage->getBaseUri());