summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
Diffstat (limited to 'lib')
-rw-r--r--lib/private/http/client/client.php9
-rw-r--r--lib/private/security/certificatemanager.php89
-rw-r--r--lib/private/server.php6
-rw-r--r--lib/public/icertificatemanager.php12
-rw-r--r--lib/public/iservercontainer.php2
5 files changed, 97 insertions, 21 deletions
diff --git a/lib/private/http/client/client.php b/lib/private/http/client/client.php
index 5f298e1acd7..8cddfc3ae03 100644
--- a/lib/private/http/client/client.php
+++ b/lib/private/http/client/client.php
@@ -58,12 +58,11 @@ class Client implements IClient {
* Sets the default options to the client
*/
private function setDefaultOptions() {
- // Either use default bundle or the user bundle if nothing is specified
- if($this->certificateManager->listCertificates() !== []) {
- $dataDir = $this->config->getSystemValue('datadirectory');
- $this->client->setDefaultOption('verify', $dataDir.'/'.$this->certificateManager->getCertificateBundle());
+ // Either use user bundle or the system bundle if nothing is specified
+ if ($this->certificateManager->listCertificates() !== []) {
+ $this->client->setDefaultOption('verify', $this->certificateManager->getAbsoluteBundlePath());
} else {
- $this->client->setDefaultOption('verify', \OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
+ $this->client->setDefaultOption('verify', $this->certificateManager->getAbsoluteBundlePath(null));
}
$this->client->setDefaultOption('headers/User-Agent', 'ownCloud Server Crawler');
diff --git a/lib/private/security/certificatemanager.php b/lib/private/security/certificatemanager.php
index ded81863a73..ce0d330c4b2 100644
--- a/lib/private/security/certificatemanager.php
+++ b/lib/private/security/certificatemanager.php
@@ -50,7 +50,7 @@ class CertificateManager implements ICertificateManager {
/**
* @param string $uid
- * @param \OC\Files\View $view relative zu data/
+ * @param \OC\Files\View $view relative to data/
* @param IConfig $config
*/
public function __construct($uid, \OC\Files\View $view, IConfig $config) {
@@ -83,7 +83,8 @@ class CertificateManager implements ICertificateManager {
if ($file != '.' && $file != '..') {
try {
$result[] = new Certificate($this->view->file_get_contents($path . $file), $file);
- } catch(\Exception $e) {}
+ } catch (\Exception $e) {
+ }
}
}
closedir($handle);
@@ -97,22 +98,34 @@ class CertificateManager implements ICertificateManager {
$path = $this->getPathToCertificates();
$certs = $this->listCertificates();
- $fh_certs = $this->view->fopen($path . '/rootcerts.crt', 'w');
+ if (!$this->view->file_exists($path)) {
+ $this->view->mkdir($path);
+ }
+
+ $fhCerts = $this->view->fopen($path . '/rootcerts.crt', 'w');
// Write user certificates
foreach ($certs as $cert) {
$file = $path . '/uploads/' . $cert->getName();
$data = $this->view->file_get_contents($file);
if (strpos($data, 'BEGIN CERTIFICATE')) {
- fwrite($fh_certs, $data);
- fwrite($fh_certs, "\r\n");
+ fwrite($fhCerts, $data);
+ fwrite($fhCerts, "\r\n");
}
}
// Append the default certificates
$defaultCertificates = file_get_contents(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt');
- fwrite($fh_certs, $defaultCertificates);
- fclose($fh_certs);
+ fwrite($fhCerts, $defaultCertificates);
+
+ // Append the system certificate bundle
+ $systemBundle = $this->getCertificateBundle(null);
+ if ($this->view->file_exists($systemBundle)) {
+ $systemCertificates = $this->view->file_get_contents($systemBundle);
+ fwrite($fhCerts, $systemCertificates);
+ }
+
+ fclose($fhCerts);
}
/**
@@ -166,18 +179,72 @@ class CertificateManager implements ICertificateManager {
/**
* Get the path to the certificate bundle for this user
*
+ * @param string $uid (optional) user to get the certificate bundle for, use `null` to get the system bundle
* @return string
*/
- public function getCertificateBundle() {
- return $this->getPathToCertificates() . 'rootcerts.crt';
+ public function getCertificateBundle($uid = '') {
+ if ($uid === '') {
+ $uid = $this->uid;
+ }
+ return $this->getPathToCertificates($uid) . 'rootcerts.crt';
+ }
+
+ /**
+ * Get the full local path to the certificate bundle for this user
+ *
+ * @param string $uid (optional) user to get the certificate bundle for, use `null` to get the system bundle
+ * @return string
+ */
+ public function getAbsoluteBundlePath($uid = '') {
+ if ($uid === '') {
+ $uid = $this->uid;
+ }
+ if ($this->needsRebundling($uid)) {
+ if (is_null($uid)) {
+ $manager = new CertificateManager(null, $this->view, $this->config);
+ $manager->createCertificateBundle();
+ } else {
+ $this->createCertificateBundle();
+ }
+ }
+ return $this->view->getLocalFile($this->getCertificateBundle($uid));
}
/**
+ * @param string $uid (optional) user to get the certificate path for, use `null` to get the system path
* @return string
*/
- private function getPathToCertificates() {
- $path = is_null($this->uid) ? '/files_external/' : '/' . $this->uid . '/files_external/';
+ private function getPathToCertificates($uid = '') {
+ if ($uid === '') {
+ $uid = $this->uid;
+ }
+ $path = is_null($uid) ? '/files_external/' : '/' . $uid . '/files_external/';
return $path;
}
+
+ /**
+ * Check if we need to re-bundle the certificates because one of the sources has updated
+ *
+ * @param string $uid (optional) user to get the certificate path for, use `null` to get the system path
+ * @return bool
+ */
+ private function needsRebundling($uid = '') {
+ if ($uid === '') {
+ $uid = $this->uid;
+ }
+ $sourceMTimes = [filemtime(\OC::$SERVERROOT . '/resources/config/ca-bundle.crt')];
+ $targetBundle = $this->getCertificateBundle($uid);
+ if (!$this->view->file_exists($targetBundle)) {
+ return true;
+ }
+ if (!is_null($uid)) { // also depend on the system bundle
+ $sourceBundles[] = $this->view->filemtime($this->getCertificateBundle(null));
+ }
+
+ $sourceMTime = array_reduce($sourceMTimes, function ($max, $mtime) {
+ return max($max, $mtime);
+ }, 0);
+ return $sourceMTime > $this->view->filemtime($targetBundle);
+ }
}
diff --git a/lib/private/server.php b/lib/private/server.php
index ead9fa95db8..414f59af612 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -921,11 +921,11 @@ class Server extends ServerContainer implements IServerContainer {
/**
* Get the certificate manager for the user
*
- * @param string $userId (optional) if not specified the current loggedin user is used
+ * @param string $userId (optional) if not specified the current loggedin user is used, use null to get the system certificate manager
* @return \OCP\ICertificateManager | null if $uid is null and no user is logged in
*/
- public function getCertificateManager($userId = null) {
- if (is_null($userId)) {
+ public function getCertificateManager($userId = '') {
+ if ($userId === '') {
$userSession = $this->getUserSession();
$user = $userSession->getUser();
if (is_null($user)) {
diff --git a/lib/public/icertificatemanager.php b/lib/public/icertificatemanager.php
index b1a16d8b5ee..3872fdd765d 100644
--- a/lib/public/icertificatemanager.php
+++ b/lib/public/icertificatemanager.php
@@ -54,8 +54,18 @@ interface ICertificateManager {
/**
* Get the path to the certificate bundle for this user
*
+ * @param string $uid (optional) user to get the certificate bundle for, use `null` to get the system bundle (since 9.0.0)
* @return string
* @since 8.0.0
*/
- public function getCertificateBundle();
+ public function getCertificateBundle($uid = '');
+
+ /**
+ * Get the full local path to the certificate bundle for this user
+ *
+ * @param string $uid (optional) user to get the certificate bundle for, use `null` to get the system bundle
+ * @return string
+ * @since 9.0.0
+ */
+ public function getAbsoluteBundlePath($uid = '');
}
diff --git a/lib/public/iservercontainer.php b/lib/public/iservercontainer.php
index 267e5dc4d31..e706750bb21 100644
--- a/lib/public/iservercontainer.php
+++ b/lib/public/iservercontainer.php
@@ -326,7 +326,7 @@ interface IServerContainer {
/**
* Get the certificate manager for the user
*
- * @param string $userId (optional) if not specified the current loggedin user is used
+ * @param string $userId (optional) if not specified the current loggedin user is used, use null to get the system certificate manager
* @return \OCP\ICertificateManager | null if $userId is null and no user is logged in
* @since 8.0.0
*/
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-11 15:44:47 +0000