Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
44439 Commits
737 Branches
1186 Tags
4.1 GiB
Tree: 9bd48e7c0d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9bd48e7c0d'
${ noResults }
nextcloud-server/settings/Controller/CheckSetupController.php

563 lines
16 KiB
Raw Normal View History

Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Fix others
10 years ago
Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Fix others
10 years ago
Update license headers Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Update license headers
10 years ago
update license headers and authors
11 years ago
Happy new year!
10 years ago
Fix others
10 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Show info in admin settings about PHP opcache if disabled Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add a hint that some indexes are not added yet * gives the admin a chance to discover the missing indexes and improve the performance of the instance without digging through the manual * nicely integrated in the setup checks where this kind of hints belong to * also adds an option to integrate this from an app based on events * fix style of setting warnings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add a hint that some indexes are not added yet * gives the admin a chance to discover the missing indexes and improve the performance of the instance without digging through the manual * nicely integrated in the setup checks where this kind of hints belong to * also adds an option to integrate this from an app based on events * fix style of setting warnings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Log exception that is thrown by internet connection check
10 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Remove hardcoded link to performance docs
11 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add a hint that some indexes are not added yet * gives the admin a chance to discover the missing indexes and improve the performance of the instance without digging through the manual * nicely integrated in the setup checks where this kind of hints belong to * also adds an option to integrate this from an app based on events * fix style of setting warnings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Remove hardcoded link to performance docs
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Log exception that is thrown by internet connection check
10 years ago
Add a hint that some indexes are not added yet * gives the admin a chance to discover the missing indexes and improve the performance of the instance without digging through the manual * nicely integrated in the setup checks where this kind of hints belong to * also adds an option to integrate this from an app based on events * fix style of setting warnings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Remove hardcoded link to performance docs
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Log exception that is thrown by internet connection check
10 years ago
Add a hint that some indexes are not added yet * gives the admin a chance to discover the missing indexes and improve the performance of the instance without digging through the manual * nicely integrated in the setup checks where this kind of hints belong to * also adds an option to integrate this from an app based on events * fix style of setting warnings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Remove hardcoded link to performance docs
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Log exception that is thrown by internet connection check
10 years ago
Add a hint that some indexes are not added yet * gives the admin a chance to discover the missing indexes and improve the performance of the instance without digging through the manual * nicely integrated in the setup checks where this kind of hints belong to * also adds an option to integrate this from an app based on events * fix style of setting warnings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Fix typo in PHPDoc Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Alters 'No Internet Connection' error message. #181
10 years ago
Ping more privacy respecting organizations Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Alters 'No Internet Connection' error message. #181
10 years ago
Ping more privacy respecting organizations Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Alters 'No Internet Connection' error message. #181
10 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Alters 'No Internet Connection' error message. #181
10 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Log exception that is thrown by internet connection check
10 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Alters 'No Internet Connection' error message. #181
10 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Add check for availability of /dev/urandom Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system: 1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop 2. MTRand: chr((mt_rand() ^ mt_rand()) % 256) 3. Rand: chr((rand() ^ rand()) % 256) 4. UniqId: Plain uniqid() An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour. One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface. Thanks to David Black from d1b.org for bringing this again to our attention.
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Don't perform checks for outdated TLS libs when no internet connection This change makes the check return a positive result when: - The instance has been configured to not use the internet AND/OR - S2S AND the appstore is disabled
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Add setup check for reverse proxy header configuration
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Don't perform checks for outdated TLS libs when no internet connection This change makes the check return a positive result when: - The instance has been configured to not use the internet AND/OR - S2S AND the appstore is disabled
11 years ago
Deprecate getEditionString()
10 years ago
Don't perform checks for outdated TLS libs when no internet connection This change makes the check return a positive result when: - The instance has been configured to not use the internet AND/OR - S2S AND the appstore is disabled
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Deprecate getEditionString()
10 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
fix url Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
9 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
fix url Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>
9 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Fix memcached/memcache module check
11 years ago
Fix CheckSetupController tests
10 years ago
Show hint that PHP 5.6 will not be supported in Nextcloud 14 anymore Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Fix CheckSetupController tests
10 years ago
Fix comment syntax
11 years ago
Display warning in security & setup warnings if php version is EOL
11 years ago
Fix CheckSetupController tests
10 years ago
Display warning in security & setup warnings if php version is EOL
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Fix comment syntax
11 years ago
Add setup check for reverse proxy header configuration
11 years ago
[admin] check for correct PHP memcached module
11 years ago
Fix memcached/memcache module check
11 years ago
[admin] check for correct PHP memcached module
11 years ago
Add warning on admin screen when set_time_limit is unavailable
9 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Initial work on Apps page split: * interfaces for the Admin settings (IAdmin) and section (ISection) * SettingsManager service * example setup with LDAP app
10 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Add note if integrity check is disabled Our issue template states that users should post the output of `/index.php/settings/integrity/failed`, at the moment it displays that all passes have been passed if the integrity checker has been disabled. This is however a wrong approach considering that some distributions are gonna package Frankenstein releases and makes it harder for us to detect such issues. Thus if the integrity code checker is disabled (using the config switch) it displays now: `Appcode checker has been disabled. Integrity cannot be verified.` This is not displayed anywhere else in the UI except these URL used for us for debugging purposes.
10 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Show info in admin settings about PHP opcache if disabled Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Don't assume the admin didn't configure Opcache correctly... Signed-off-by: Joas Schilling <coding@schilljs.com>
9 years ago
Show info in admin settings about PHP opcache if disabled Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Add warning regarding freetype support Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Fix wrong hint about missing indexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add a hint that some indexes are not added yet * gives the admin a chance to discover the missing indexes and improve the performance of the instance without digging through the manual * nicely integrated in the setup checks where this kind of hints belong to * also adds an option to integrate this from an app based on events * fix style of setting warnings Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Merge tips & tricks section into setup checks Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
If cronErros is empty json_decode will return NULL Fixes #9867 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
If cronErros is empty json_decode will return NULL Fixes #9867 Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
Remove hardcoded link to performance docs
11 years ago
Add check for availability of /dev/urandom Without /dev/urandom being available to read the medium RNG will rely only on the following components on a Linux system: 1. MicroTime: microtime() . memory_get_usage() as seed and then a garbage collected microtime for loop 2. MTRand: chr((mt_rand() ^ mt_rand()) % 256) 3. Rand: chr((rand() ^ rand()) % 256) 4. UniqId: Plain uniqid() An adversary with the possibility to predict the seed used by the PHP process may thus be able to predict future tokens which is an unwanted behaviour. One should note that this behaviour is documented in our documentation to ensure that users get aware of this even without reading our documentation this will add a post setup check to the administrative interface. Thanks to David Black from d1b.org for bringing this again to our attention.
11 years ago
Detect old NSS and OpenSSL versions This will detect old NSS and OpenSSL versions and show appropriate errors in the admin interface. Fixes https://github.com/owncloud/core/issues/17901
11 years ago
Display warning in security & setup warnings if php version is EOL
11 years ago
Add setup check for reverse proxy header configuration
11 years ago
Add code integrity check This PR implements the base foundation of the code signing and integrity check. In this PR implemented is the signing and verification logic, as well as commands to sign single apps or the core repository. Furthermore, there is a basic implementation to display problems with the code integrity on the update screen. Code signing basically happens the following way: - There is a ownCloud Root Certificate authority stored `resources/codesigning/root.crt` (in this PR I also ship the private key which we obviously need to change before a release :wink:). This certificate is not intended to be used for signing directly and only is used to sign new certificates. - Using the `integrity:sign-core` and `integrity:sign-app` commands developers can sign either the core release or a single app. The core release needs to be signed with a certificate that has a CN of `core`, apps need to be signed with a certificate that either has a CN of `core` (shipped apps!) or the AppID. - The command generates a signature.json file of the following format: ```json { "hashes": { "/filename.php": "2401fed2eea6f2c1027c482a633e8e25cd46701f811e2d2c10dc213fd95fa60e350bccbbebdccc73a042b1a2799f673fbabadc783284cc288e4f1a1eacb74e3d", "/lib/base.php": "55548cc16b457cd74241990cc9d3b72b6335f2e5f45eee95171da024087d114fcbc2effc3d5818a6d5d55f2ae960ab39fd0414d0c542b72a3b9e08eb21206dd9" }, "certificate": "-----BEGIN CERTIFICATE-----MIIBvTCCASagAwIBAgIUPvawyqJwCwYazcv7iz16TWxfeUMwDQYJKoZIhvcNAQEF\nBQAwIzEhMB8GA1UECgwYb3duQ2xvdWQgQ29kZSBTaWduaW5nIENBMB4XDTE1MTAx\nNDEzMTcxMFoXDTE2MTAxNDEzMTcxMFowEzERMA8GA1UEAwwIY29udGFjdHMwgZ8w\nDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANoQesGdCW0L2L+a2xITYipixkScrIpB\nkX5Snu3fs45MscDb61xByjBSlFgR4QI6McoCipPw4SUr28EaExVvgPSvqUjYLGps\nfiv0Cvgquzbx/X3mUcdk9LcFo1uWGtrTfkuXSKX41PnJGTr6RQWGIBd1V52q1qbC\nJKkfzyeMeuQfAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAvF/KIhRMQ3tYTmgHWsiM\nwDMgIDb7iaHF0fS+/Nvo4PzoTO/trev6tMyjLbJ7hgdCpz/1sNzE11Cibf6V6dsz\njCE9invP368Xv0bTRObRqeSNsGogGl5ceAvR0c9BG+NRIKHcly3At3gLkS2791bC\niG+UxI/MNcWV0uJg9S63LF8=\n-----END CERTIFICATE-----", "signature": "U29tZVNpZ25lZERhdGFFeGFtcGxl" } ``` `hashes` is an array of all files in the folder with their corresponding SHA512 hashes (this is actually quite cheap to calculate), the `certificate` is the certificate used for signing. It has to be issued by the ownCloud Root Authority and it's CN needs to be permitted to perform the required action. The `signature` is then a signature of the `hashes` which can be verified using the `certificate`. Steps to do in other PRs, this is already a quite huge one: - Add nag screen in case the code check fails to ensure that administrators are aware of this. - Add code verification also to OCC upgrade and unify display code more. - Add enforced code verification to apps shipped from the appstore with a level of "official" - Add enfocrced code verification to apps shipped from the appstore that were already signed in a previous release - Add some developer documentation on how devs can request their own certificate - Check when installing ownCloud - Add support for CRLs to allow revoking certificates **Note:** The upgrade checks are only run when the instance has a defined release channel of `stable` (defined in `version.php`). If you want to test this, you need to change the channel thus and then generate the core signature: ``` ➜ master git:(add-integrity-checker) ✗ ./occ integrity:sign-core --privateKey=resources/codesigning/core.key --certificate=resources/codesigning/core.crt Successfully signed "core" ``` Then increase the version and you should see something like the following: ![2015-11-04_12-02-57](https://cloud.githubusercontent.com/assets/878997/10936336/6adb1d14-82ec-11e5-8f06-9a74801c9abf.png) As you can see a failed code check will not prevent the further update. It will instead just be a notice to the admin. In a next step we will add some nag screen. For packaging stable releases this requires the following additional steps as a last action before zipping: 1. Run `./occ integrity:sign-core` once 2. Run `./occ integrity:sign-app` _for each_ app. However, this can be simply automated using a simple foreach on the apps folder.
10 years ago
Show info in admin settings about PHP opcache if disabled Signed-off-by: Morris Jobke <hey@morrisjobke.de>
9 years ago
Add warning on admin screen when set_time_limit is unavailable
9 years ago
Add warning regarding freetype support Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
8 years ago
Merge all setup checks into one controller * renamed hasMissingIndexes to missingIndexes Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Merge tips & tricks section into setup checks Signed-off-by: Morris Jobke <hey@morrisjobke.de>
8 years ago
Add check for activated local memcache Also used the opportunity to refactor it into an AppFramework controller so that we can unit test it. Fixes https://github.com/owncloud/core/issues/14956
11 years ago
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Arthur Schiwon <blizzz@arthur-schiwon.de>
  6. * @author Bjoern Schiessle <bjoern@schiessle.org>
  7. * @author Derek <derek.kelly27@gmail.com>
  8. * @author Joas Schilling <coding@schilljs.com>
  9. * @author Ko- <k.stoffelen@cs.ru.nl>
  10. * @author Lukas Reschke <lukas@statuscode.ch>
  11. * @author Morris Jobke <hey@morrisjobke.de>
  12. * @author Robin McCorkell <robin@mccorkell.me.uk>
  13. * @author Roeland Jago Douma <roeland@famdouma.nl>
  14. *
  15. * @license AGPL-3.0
  16. *
  17. * This code is free software: you can redistribute it and/or modify
  18. * it under the terms of the GNU Affero General Public License, version 3,
  19. * as published by the Free Software Foundation.
  20. *
  21. * This program is distributed in the hope that it will be useful,
  22. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  23. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  24. * GNU Affero General Public License for more details.
  25. *
  26. * You should have received a copy of the GNU Affero General Public License, version 3,
  27. * along with this program. If not, see <http://www.gnu.org/licenses/>
  28. *
  29. */
  31. namespace OC\Settings\Controller;
  33. use bantu\IniGetWrapper\IniGetWrapper;
  34. use Doctrine\DBAL\DBALException;
  35. use Doctrine\DBAL\Platforms\SqlitePlatform;
  36. use GuzzleHttp\Exception\ClientException;
  37. use OC\AppFramework\Http;
  38. use OC\DB\Connection;
  39. use OC\DB\MissingIndexInformation;
  40. use OC\IntegrityCheck\Checker;
  41. use OC\Lock\NoopLockingProvider;
  42. use OCP\AppFramework\Controller;
  43. use OCP\AppFramework\Http\DataDisplayResponse;
  44. use OCP\AppFramework\Http\DataResponse;
  45. use OCP\AppFramework\Http\RedirectResponse;
  46. use OCP\Http\Client\IClientService;
  47. use OCP\IConfig;
  48. use OCP\IDateTimeFormatter;
  49. use OCP\IDBConnection;
  50. use OCP\IL10N;
  51. use OCP\ILogger;
  52. use OCP\IRequest;
  53. use OCP\IURLGenerator;
  54. use OCP\Lock\ILockingProvider;
  55. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  56. use Symfony\Component\EventDispatcher\GenericEvent;
  58. /**
  59. * @package OC\Settings\Controller
  60. */
  61. class CheckSetupController extends Controller {
  62. /** @var IConfig */
  63. private $config;
  64. /** @var IClientService */
  65. private $clientService;
  66. /** @var \OC_Util */
  67. private $util;
  68. /** @var IURLGenerator */
  69. private $urlGenerator;
  70. /** @var IL10N */
  71. private $l10n;
  72. /** @var Checker */
  73. private $checker;
  74. /** @var ILogger */
  75. private $logger;
  76. /** @var EventDispatcherInterface */
  77. private $dispatcher;
  78. /** @var IDBConnection|Connection */
  79. private $db;
  80. /** @var ILockingProvider */
  81. private $lockingProvider;
  82. /** @var IDateTimeFormatter */
  83. private $dateTimeFormatter;
  85. public function __construct($AppName,
  86. IRequest $request,
  87. IConfig $config,
  88. IClientService $clientService,
  89. IURLGenerator $urlGenerator,
  90. \OC_Util $util,
  91. IL10N $l10n,
  92. Checker $checker,
  93. ILogger $logger,
  94. EventDispatcherInterface $dispatcher,
  95. IDBConnection $db,
  96. ILockingProvider $lockingProvider,
  97. IDateTimeFormatter $dateTimeFormatter) {
  98. parent::__construct($AppName, $request);
  99. $this->config = $config;
  100. $this->clientService = $clientService;
  101. $this->util = $util;
  102. $this->urlGenerator = $urlGenerator;
  103. $this->l10n = $l10n;
  104. $this->checker = $checker;
  105. $this->logger = $logger;
  106. $this->dispatcher = $dispatcher;
  107. $this->db = $db;
  108. $this->lockingProvider = $lockingProvider;
  109. $this->dateTimeFormatter = $dateTimeFormatter;
  110. }
  112. /**
  113. * Checks if the server can connect to the internet using HTTPS and HTTP
  114. * @return bool
  115. */
  116. private function isInternetConnectionWorking() {
  117. if ($this->config->getSystemValue('has_internet_connection', true) === false) {
  118. return false;
  119. }
  121. $siteArray = ['www.nextcloud.com',
  122. 'www.startpage.com',
  123. 'www.eff.org',
  124. 'www.edri.org',
  125. ];
  127. foreach($siteArray as $site) {
  128. if ($this->isSiteReachable($site)) {
  129. return true;
  130. }
  131. }
  132. return false;
  133. }
  135. /**
  136. * Checks if the Nextcloud server can connect to a specific URL using both HTTPS and HTTP
  137. * @return bool
  138. */
  139. private function isSiteReachable($sitename) {
  140. $httpSiteName = 'http://' . $sitename . '/';
  141. $httpsSiteName = 'https://' . $sitename . '/';
  143. try {
  144. $client = $this->clientService->newClient();
  145. $client->get($httpSiteName);
  146. $client->get($httpsSiteName);
  147. } catch (\Exception $e) {
  148. $this->logger->logException($e, ['app' => 'internet_connection_check']);
  149. return false;
  150. }
  151. return true;
  152. }
  154. /**
  155. * Checks whether a local memcache is installed or not
  156. * @return bool
  157. */
  158. private function isMemcacheConfigured() {
  159. return $this->config->getSystemValue('memcache.local', null) !== null;
  160. }
  162. /**
  163. * Whether /dev/urandom is available to the PHP controller
  164. *
  165. * @return bool
  166. */
  167. private function isUrandomAvailable() {
  168. if(@file_exists('/dev/urandom')) {
  169. $file = fopen('/dev/urandom', 'rb');
  170. if($file) {
  171. fclose($file);
  172. return true;
  173. }
  174. }
  176. return false;
  177. }
  179. /**
  180. * Public for the sake of unit-testing
  181. *
  182. * @return array
  183. */
  184. protected function getCurlVersion() {
  185. return curl_version();
  186. }
  188. /**
  189. * Check if the used SSL lib is outdated. Older OpenSSL and NSS versions do
  190. * have multiple bugs which likely lead to problems in combination with
  191. * functionality required by ownCloud such as SNI.
  192. *
  193. * @link https://github.com/owncloud/core/issues/17446#issuecomment-122877546
  194. * @link https://bugzilla.redhat.com/show_bug.cgi?id=1241172
  195. * @return string
  196. */
  197. private function isUsedTlsLibOutdated() {
  198. // Don't run check when:
  199. // 1. Server has `has_internet_connection` set to false
  200. // 2. AppStore AND S2S is disabled
  201. if(!$this->config->getSystemValue('has_internet_connection', true)) {
  202. return '';
  203. }
  204. if(!$this->config->getSystemValue('appstoreenabled', true)
  205. && $this->config->getAppValue('files_sharing', 'outgoing_server2server_share_enabled', 'yes') === 'no'
  206. && $this->config->getAppValue('files_sharing', 'incoming_server2server_share_enabled', 'yes') === 'no') {
  207. return '';
  208. }
  210. $versionString = $this->getCurlVersion();
  211. if(isset($versionString['ssl_version'])) {
  212. $versionString = $versionString['ssl_version'];
  213. } else {
  214. return '';
  215. }
  217. $features = (string)$this->l10n->t('installing and updating apps via the app store or Federated Cloud Sharing');
  218. if(!$this->config->getSystemValue('appstoreenabled', true)) {
  219. $features = (string)$this->l10n->t('Federated Cloud Sharing');
  220. }
  222. // Check if at least OpenSSL after 1.01d or 1.0.2b
  223. if(strpos($versionString, 'OpenSSL/') === 0) {
  224. $majorVersion = substr($versionString, 8, 5);
  225. $patchRelease = substr($versionString, 13, 6);
  227. if(($majorVersion === '1.0.1' && ord($patchRelease) < ord('d')) ||
  228. ($majorVersion === '1.0.2' && ord($patchRelease) < ord('b'))) {
  229. return (string) $this->l10n->t('cURL is using an outdated %s version (%s). Please update your operating system or features such as %s will not work reliably.', ['OpenSSL', $versionString, $features]);
  230. }
  231. }
  233. // Check if NSS and perform heuristic check
  234. if(strpos($versionString, 'NSS/') === 0) {
  235. try {
  236. $firstClient = $this->clientService->newClient();
  237. $firstClient->get('https://nextcloud.com/');
  239. $secondClient = $this->clientService->newClient();
  240. $secondClient->get('https://nextcloud.com/');
  241. } catch (ClientException $e) {
  242. if($e->getResponse()->getStatusCode() === 400) {
  243. return (string) $this->l10n->t('cURL is using an outdated %s version (%s). Please update your operating system or features such as %s will not work reliably.', ['NSS', $versionString, $features]);
  244. }
  245. }
  246. }
  248. return '';
  249. }
  251. /**
  252. * Whether the version is outdated
  253. *
  254. * @return bool
  255. */
  256. protected function isPhpOutdated() {
  257. if (version_compare(PHP_VERSION, '7.0.0', '<')) {
  258. return true;
  259. }
  261. return false;
  262. }
  264. /**
  265. * Whether the php version is still supported (at time of release)
  266. * according to: https://secure.php.net/supported-versions.php
  267. *
  268. * @return array
  269. */
  270. private function isPhpSupported() {
  271. return ['eol' => $this->isPhpOutdated(), 'version' => PHP_VERSION];
  272. }
  274. /**
  275. * Check if the reverse proxy configuration is working as expected
  276. *
  277. * @return bool
  278. */
  279. private function forwardedForHeadersWorking() {
  280. $trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
  281. $remoteAddress = $this->request->getRemoteAddress();
  283. if (is_array($trustedProxies) && in_array($remoteAddress, $trustedProxies)) {
  284. return false;
  285. }
  287. // either not enabled or working correctly
  288. return true;
  289. }
  291. /**
  292. * Checks if the correct memcache module for PHP is installed. Only
  293. * fails if memcached is configured and the working module is not installed.
  294. *
  295. * @return bool
  296. */
  297. private function isCorrectMemcachedPHPModuleInstalled() {
  298. if ($this->config->getSystemValue('memcache.distributed', null) !== '\OC\Memcache\Memcached') {
  299. return true;
  300. }
  302. // there are two different memcached modules for PHP
  303. // we only support memcached and not memcache
  304. // https://code.google.com/p/memcached/wiki/PHPClientComparison
  305. return !(!extension_loaded('memcached') && extension_loaded('memcache'));
  306. }
  308. /**
  309. * Checks if set_time_limit is not disabled.
  310. *
  311. * @return bool
  312. */
  313. private function isSettimelimitAvailable() {
  314. if (function_exists('set_time_limit')
  315. && strpos(@ini_get('disable_functions'), 'set_time_limit') === false) {
  316. return true;
  317. }
  319. return false;
  320. }
  322. /**
  323. * @return RedirectResponse
  324. */
  325. public function rescanFailedIntegrityCheck() {
  326. $this->checker->runInstanceVerification();
  327. return new RedirectResponse(
  328. $this->urlGenerator->linkToRoute('settings.AdminSettings.index')
  329. );
  330. }
  332. /**
  333. * @NoCSRFRequired
  334. * @return DataResponse
  335. */
  336. public function getFailedIntegrityCheckFiles() {
  337. if(!$this->checker->isCodeCheckEnforced()) {
  338. return new DataDisplayResponse('Integrity checker has been disabled. Integrity cannot be verified.');
  339. }
  341. $completeResults = $this->checker->getResults();
  343. if(!empty($completeResults)) {
  344. $formattedTextResponse = 'Technical information
  345. =====================
  346. The following list covers which files have failed the integrity check. Please read
  347. the previous linked documentation to learn more about the errors and how to fix
  348. them.
  350. Results
  351. =======
  352. ';
  353. foreach($completeResults as $context => $contextResult) {
  354. $formattedTextResponse .= "- $context\n";
  356. foreach($contextResult as $category => $result) {
  357. $formattedTextResponse .= "\t- $category\n";
  358. if($category !== 'EXCEPTION') {
  359. foreach ($result as $key => $results) {
  360. $formattedTextResponse .= "\t\t- $key\n";
  361. }
  362. } else {
  363. foreach ($result as $key => $results) {
  364. $formattedTextResponse .= "\t\t- $results\n";
  365. }
  366. }
  368. }
  369. }
  371. $formattedTextResponse .= '
  372. Raw output
  373. ==========
  374. ';
  375. $formattedTextResponse .= print_r($completeResults, true);
  376. } else {
  377. $formattedTextResponse = 'No errors have been found.';
  378. }
  381. $response = new DataDisplayResponse(
  382. $formattedTextResponse,
  383. Http::STATUS_OK,
  384. [
  385. 'Content-Type' => 'text/plain',
  386. ]
  387. );
  389. return $response;
  390. }
  392. /**
  393. * Checks whether a PHP opcache is properly set up
  394. * @return bool
  395. */
  396. protected function isOpcacheProperlySetup() {
  397. $iniWrapper = new IniGetWrapper();
  399. $isOpcacheProperlySetUp = true;
  401. if(!$iniWrapper->getBool('opcache.enable')) {
  402. $isOpcacheProperlySetUp = false;
  403. }
  405. if(!$iniWrapper->getBool('opcache.save_comments')) {
  406. $isOpcacheProperlySetUp = false;
  407. }
  409. if(!$iniWrapper->getBool('opcache.enable_cli')) {
  410. $isOpcacheProperlySetUp = false;
  411. }
  413. if($iniWrapper->getNumeric('opcache.max_accelerated_files') < 10000) {
  414. $isOpcacheProperlySetUp = false;
  415. }
  417. if($iniWrapper->getNumeric('opcache.memory_consumption') < 128) {
  418. $isOpcacheProperlySetUp = false;
  419. }
  421. if($iniWrapper->getNumeric('opcache.interned_strings_buffer') < 8) {
  422. $isOpcacheProperlySetUp = false;
  423. }
  425. return $isOpcacheProperlySetUp;
  426. }
  428. /**
  429. * Check if the required FreeType functions are present
  430. * @return bool
  431. */
  432. protected function hasFreeTypeSupport() {
  433. return function_exists('imagettfbbox') && function_exists('imagettftext');
  434. }
  436. protected function hasMissingIndexes(): array {
  437. $indexInfo = new MissingIndexInformation();
  438. // Dispatch event so apps can also hint for pending index updates if needed
  439. $event = new GenericEvent($indexInfo);
  440. $this->dispatcher->dispatch(IDBConnection::CHECK_MISSING_INDEXES_EVENT, $event);
  442. return $indexInfo->getListOfMissingIndexes();
  443. }
  445. /**
  446. * warn if outdated version of a memcache module is used
  447. */
  448. protected function getOutdatedCaches(): array {
  449. $caches = [
  450. 'apcu' => ['name' => 'APCu', 'version' => '4.0.6'],
  451. 'redis' => ['name' => 'Redis', 'version' => '2.2.5'],
  452. ];
  453. $outdatedCaches = [];
  454. foreach ($caches as $php_module => $data) {
  455. $isOutdated = extension_loaded($php_module) && version_compare(phpversion($php_module), $data['version'], '<');
  456. if ($isOutdated) {
  457. $outdatedCaches[] = $data;
  458. }
  459. }
  461. return $outdatedCaches;
  462. }
  464. protected function isSqliteUsed() {
  465. return strpos($this->config->getSystemValue('dbtype'), 'sqlite') !== false;
  466. }
  468. protected function isReadOnlyConfig(): bool {
  469. return \OC_Helper::isReadOnlyConfigEnabled();
  470. }
  472. protected function hasValidTransactionIsolationLevel(): bool {
  473. try {
  474. if ($this->db->getDatabasePlatform() instanceof SqlitePlatform) {
  475. return true;
  476. }
  478. return $this->db->getTransactionIsolation() === Connection::TRANSACTION_READ_COMMITTED;
  479. } catch (DBALException $e) {
  480. // ignore
  481. }
  483. return true;
  484. }
  486. protected function hasFileinfoInstalled(): bool {
  487. return \OC_Util::fileInfoLoaded();
  488. }
  490. protected function hasWorkingFileLocking(): bool {
  491. return !($this->lockingProvider instanceof NoopLockingProvider);
  492. }
  494. protected function getSuggestedOverwriteCliURL(): string {
  495. $suggestedOverwriteCliUrl = '';
  496. if ($this->config->getSystemValue('overwrite.cli.url', '') === '') {
  497. $suggestedOverwriteCliUrl = $this->request->getServerProtocol() . '://' . $this->request->getInsecureServerHost() . \OC::$WEBROOT;
  498. if (!$this->config->getSystemValue('config_is_read_only', false)) {
  499. // Set the overwrite URL when it was not set yet.
  500. $this->config->setSystemValue('overwrite.cli.url', $suggestedOverwriteCliUrl);
  501. $suggestedOverwriteCliUrl = '';
  502. }
  503. }
  504. return $suggestedOverwriteCliUrl;
  505. }
  507. protected function getLastCronInfo(): array {
  508. $lastCronRun = $this->config->getAppValue('core', 'lastcron', 0);
  509. return [
  510. 'diffInSeconds' => time() - $lastCronRun,
  511. 'relativeTime' => $this->dateTimeFormatter->formatTimeSpan($lastCronRun),
  512. 'backgroundJobsUrl' => $this->urlGenerator->linkToRoute('settings.AdminSettings.index', ['section' => 'server']) . '#backgroundjobs',
  513. ];
  514. }
  516. protected function getCronErrors() {
  517. $errors = json_decode($this->config->getAppValue('core', 'cronErrors', ''), true);
  519. if (is_array($errors)) {
  520. return $errors;
  521. }
  523. return [];
  524. }
  526. /**
  527. * @return DataResponse
  528. */
  529. public function check() {
  530. return new DataResponse(
  531. [
  532. 'isGetenvServerWorking' => !empty(getenv('PATH')),
  533. 'isReadOnlyConfig' => $this->isReadOnlyConfig(),
  534. 'hasValidTransactionIsolationLevel' => $this->hasValidTransactionIsolationLevel(),
  535. 'outdatedCaches' => $this->getOutdatedCaches(),
  536. 'hasFileinfoInstalled' => $this->hasFileinfoInstalled(),
  537. 'hasWorkingFileLocking' => $this->hasWorkingFileLocking(),
  538. 'suggestedOverwriteCliURL' => $this->getSuggestedOverwriteCliURL(),
  539. 'cronInfo' => $this->getLastCronInfo(),
  540. 'cronErrors' => $this->getCronErrors(),
  541. 'serverHasInternetConnection' => $this->isInternetConnectionWorking(),
  542. 'isMemcacheConfigured' => $this->isMemcacheConfigured(),
  543. 'memcacheDocs' => $this->urlGenerator->linkToDocs('admin-performance'),
  544. 'isUrandomAvailable' => $this->isUrandomAvailable(),
  545. 'securityDocs' => $this->urlGenerator->linkToDocs('admin-security'),
  546. 'isUsedTlsLibOutdated' => $this->isUsedTlsLibOutdated(),
  547. 'phpSupported' => $this->isPhpSupported(),
  548. 'forwardedForHeadersWorking' => $this->forwardedForHeadersWorking(),
  549. 'reverseProxyDocs' => $this->urlGenerator->linkToDocs('admin-reverse-proxy'),
  550. 'isCorrectMemcachedPHPModuleInstalled' => $this->isCorrectMemcachedPHPModuleInstalled(),
  551. 'hasPassedCodeIntegrityCheck' => $this->checker->hasPassedCheck(),
  552. 'codeIntegrityCheckerDocumentation' => $this->urlGenerator->linkToDocs('admin-code-integrity'),
  553. 'isOpcacheProperlySetup' => $this->isOpcacheProperlySetup(),
  554. 'phpOpcacheDocumentation' => $this->urlGenerator->linkToDocs('admin-php-opcache'),
  555. 'isSettimelimitAvailable' => $this->isSettimelimitAvailable(),
  556. 'hasFreeTypeSupport' => $this->hasFreeTypeSupport(),
  557. 'missingIndexes' => $this->hasMissingIndexes(),
  558. 'isSqliteUsed' => $this->isSqliteUsed(),
  559. 'databaseConversionDocumentation' => $this->urlGenerator->linkToDocs('admin-db-conversion'),
  560. ]
  561. );
  562. }
  563. }