CheckSetupController.php 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Joas Schilling <coding@schilljs.com>
  6. * @author Lukas Reschke <lukas@statuscode.ch>
  7. * @author Morris Jobke <hey@morrisjobke.de>
  8. * @author Robin McCorkell <robin@mccorkell.me.uk>
  9. * @author Roeland Jago Douma <roeland@famdouma.nl>
  10. *
  11. * @license AGPL-3.0
  12. *
  13. * This code is free software: you can redistribute it and/or modify
  14. * it under the terms of the GNU Affero General Public License, version 3,
  15. * as published by the Free Software Foundation.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License, version 3,
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>
  24. *
  25. */
  26. namespace OC\Settings\Controller;
  27. use GuzzleHttp\Exception\ClientException;
  28. use OC\AppFramework\Http;
  29. use OC\IntegrityCheck\Checker;
  30. use OCP\AppFramework\Controller;
  31. use OCP\AppFramework\Http\DataDisplayResponse;
  32. use OCP\AppFramework\Http\DataResponse;
  33. use OCP\AppFramework\Http\RedirectResponse;
  34. use OCP\Http\Client\IClientService;
  35. use OCP\IConfig;
  36. use OCP\IL10N;
  37. use OCP\ILogger;
  38. use OCP\IRequest;
  39. use OC_Util;
  40. use OCP\IURLGenerator;
  41. /**
  42. * @package OC\Settings\Controller
  43. */
  44. class CheckSetupController extends Controller {
  45. /** @var IConfig */
  46. private $config;
  47. /** @var IClientService */
  48. private $clientService;
  49. /** @var \OC_Util */
  50. private $util;
  51. /** @var IURLGenerator */
  52. private $urlGenerator;
  53. /** @var IL10N */
  54. private $l10n;
  55. /** @var Checker */
  56. private $checker;
  57. /** @var ILogger */
  58. private $logger;
  59. /**
  60. * @param string $AppName
  61. * @param IRequest $request
  62. * @param IConfig $config
  63. * @param IClientService $clientService
  64. * @param IURLGenerator $urlGenerator
  65. * @param \OC_Util $util
  66. * @param IL10N $l10n
  67. * @param Checker $checker
  68. * @param ILogger $logger
  69. */
  70. public function __construct($AppName,
  71. IRequest $request,
  72. IConfig $config,
  73. IClientService $clientService,
  74. IURLGenerator $urlGenerator,
  75. \OC_Util $util,
  76. IL10N $l10n,
  77. Checker $checker,
  78. ILogger $logger) {
  79. parent::__construct($AppName, $request);
  80. $this->config = $config;
  81. $this->clientService = $clientService;
  82. $this->util = $util;
  83. $this->urlGenerator = $urlGenerator;
  84. $this->l10n = $l10n;
  85. $this->checker = $checker;
  86. $this->logger = $logger;
  87. }
  88. /**
  89. * Checks if the ownCloud server can connect to the internet using HTTPS and HTTP
  90. * @return bool
  91. */
  92. private function isInternetConnectionWorking() {
  93. if ($this->config->getSystemValue('has_internet_connection', true) === false) {
  94. return false;
  95. }
  96. $siteArray = ['www.nextcloud.com',
  97. 'www.google.com',
  98. 'www.github.com'];
  99. foreach($siteArray as $site) {
  100. if ($this->isSiteReachable($site)) {
  101. return true;
  102. }
  103. }
  104. return false;
  105. }
  106. /**
  107. * Chceks if the ownCloud server can connect to a specific URL using both HTTPS and HTTP
  108. * @return bool
  109. */
  110. private function isSiteReachable($sitename) {
  111. $httpSiteName = 'http://' . $sitename . '/';
  112. $httpsSiteName = 'https://' . $sitename . '/';
  113. try {
  114. $client = $this->clientService->newClient();
  115. $client->get($httpSiteName);
  116. $client->get($httpsSiteName);
  117. } catch (\Exception $e) {
  118. $this->logger->logException($e, ['app' => 'internet_connection_check']);
  119. return false;
  120. }
  121. return true;
  122. }
  123. /**
  124. * Checks whether a local memcache is installed or not
  125. * @return bool
  126. */
  127. private function isMemcacheConfigured() {
  128. return $this->config->getSystemValue('memcache.local', null) !== null;
  129. }
  130. /**
  131. * Whether /dev/urandom is available to the PHP controller
  132. *
  133. * @return bool
  134. */
  135. private function isUrandomAvailable() {
  136. if(@file_exists('/dev/urandom')) {
  137. $file = fopen('/dev/urandom', 'rb');
  138. if($file) {
  139. fclose($file);
  140. return true;
  141. }
  142. }
  143. return false;
  144. }
  145. /**
  146. * Public for the sake of unit-testing
  147. *
  148. * @return array
  149. */
  150. protected function getCurlVersion() {
  151. return curl_version();
  152. }
  153. /**
  154. * Check if the used SSL lib is outdated. Older OpenSSL and NSS versions do
  155. * have multiple bugs which likely lead to problems in combination with
  156. * functionality required by ownCloud such as SNI.
  157. *
  158. * @link https://github.com/owncloud/core/issues/17446#issuecomment-122877546
  159. * @link https://bugzilla.redhat.com/show_bug.cgi?id=1241172
  160. * @return string
  161. */
  162. private function isUsedTlsLibOutdated() {
  163. // Don't run check when:
  164. // 1. Server has `has_internet_connection` set to false
  165. // 2. AppStore AND S2S is disabled
  166. if(!$this->config->getSystemValue('has_internet_connection', true)) {
  167. return '';
  168. }
  169. if(!$this->config->getSystemValue('appstoreenabled', true)
  170. && $this->config->getAppValue('files_sharing', 'outgoing_server2server_share_enabled', 'yes') === 'no'
  171. && $this->config->getAppValue('files_sharing', 'incoming_server2server_share_enabled', 'yes') === 'no') {
  172. return '';
  173. }
  174. $versionString = $this->getCurlVersion();
  175. if(isset($versionString['ssl_version'])) {
  176. $versionString = $versionString['ssl_version'];
  177. } else {
  178. return '';
  179. }
  180. $features = (string)$this->l10n->t('installing and updating apps via the app store or Federated Cloud Sharing');
  181. if(!$this->config->getSystemValue('appstoreenabled', true)) {
  182. $features = (string)$this->l10n->t('Federated Cloud Sharing');
  183. }
  184. // Check if at least OpenSSL after 1.01d or 1.0.2b
  185. if(strpos($versionString, 'OpenSSL/') === 0) {
  186. $majorVersion = substr($versionString, 8, 5);
  187. $patchRelease = substr($versionString, 13, 6);
  188. if(($majorVersion === '1.0.1' && ord($patchRelease) < ord('d')) ||
  189. ($majorVersion === '1.0.2' && ord($patchRelease) < ord('b'))) {
  190. return (string) $this->l10n->t('cURL is using an outdated %s version (%s). Please update your operating system or features such as %s will not work reliably.', ['OpenSSL', $versionString, $features]);
  191. }
  192. }
  193. // Check if NSS and perform heuristic check
  194. if(strpos($versionString, 'NSS/') === 0) {
  195. try {
  196. $firstClient = $this->clientService->newClient();
  197. $firstClient->get('https://www.owncloud.org/');
  198. $secondClient = $this->clientService->newClient();
  199. $secondClient->get('https://owncloud.org/');
  200. } catch (ClientException $e) {
  201. if($e->getResponse()->getStatusCode() === 400) {
  202. return (string) $this->l10n->t('cURL is using an outdated %s version (%s). Please update your operating system or features such as %s will not work reliably.', ['NSS', $versionString, $features]);
  203. }
  204. }
  205. }
  206. return '';
  207. }
  208. /**
  209. * Whether the version is outdated
  210. *
  211. * @return bool
  212. */
  213. protected function isPhpOutdated() {
  214. if (version_compare(PHP_VERSION, '5.5.0') === -1) {
  215. return true;
  216. }
  217. return false;
  218. }
  219. /**
  220. * Whether the php version is still supported (at time of release)
  221. * according to: https://secure.php.net/supported-versions.php
  222. *
  223. * @return array
  224. */
  225. private function isPhpSupported() {
  226. return ['eol' => $this->isPhpOutdated(), 'version' => PHP_VERSION];
  227. }
  228. /**
  229. * Check if the reverse proxy configuration is working as expected
  230. *
  231. * @return bool
  232. */
  233. private function forwardedForHeadersWorking() {
  234. $trustedProxies = $this->config->getSystemValue('trusted_proxies', []);
  235. $remoteAddress = $this->request->getRemoteAddress();
  236. if (is_array($trustedProxies) && in_array($remoteAddress, $trustedProxies)) {
  237. return false;
  238. }
  239. // either not enabled or working correctly
  240. return true;
  241. }
  242. /**
  243. * Checks if the correct memcache module for PHP is installed. Only
  244. * fails if memcached is configured and the working module is not installed.
  245. *
  246. * @return bool
  247. */
  248. private function isCorrectMemcachedPHPModuleInstalled() {
  249. if ($this->config->getSystemValue('memcache.distributed', null) !== '\OC\Memcache\Memcached') {
  250. return true;
  251. }
  252. // there are two different memcached modules for PHP
  253. // we only support memcached and not memcache
  254. // https://code.google.com/p/memcached/wiki/PHPClientComparison
  255. return !(!extension_loaded('memcached') && extension_loaded('memcache'));
  256. }
  257. /**
  258. * @return RedirectResponse
  259. */
  260. public function rescanFailedIntegrityCheck() {
  261. $this->checker->runInstanceVerification();
  262. return new RedirectResponse(
  263. $this->urlGenerator->linkToRoute('settings.AdminSettings.index')
  264. );
  265. }
  266. /**
  267. * @NoCSRFRequired
  268. * @return DataResponse
  269. */
  270. public function getFailedIntegrityCheckFiles() {
  271. if(!$this->checker->isCodeCheckEnforced()) {
  272. return new DataDisplayResponse('Integrity checker has been disabled. Integrity cannot be verified.');
  273. }
  274. $completeResults = $this->checker->getResults();
  275. if(!empty($completeResults)) {
  276. $formattedTextResponse = 'Technical information
  277. =====================
  278. The following list covers which files have failed the integrity check. Please read
  279. the previous linked documentation to learn more about the errors and how to fix
  280. them.
  281. Results
  282. =======
  283. ';
  284. foreach($completeResults as $context => $contextResult) {
  285. $formattedTextResponse .= "- $context\n";
  286. foreach($contextResult as $category => $result) {
  287. $formattedTextResponse .= "\t- $category\n";
  288. if($category !== 'EXCEPTION') {
  289. foreach ($result as $key => $results) {
  290. $formattedTextResponse .= "\t\t- $key\n";
  291. }
  292. } else {
  293. foreach ($result as $key => $results) {
  294. $formattedTextResponse .= "\t\t- $results\n";
  295. }
  296. }
  297. }
  298. }
  299. $formattedTextResponse .= '
  300. Raw output
  301. ==========
  302. ';
  303. $formattedTextResponse .= print_r($completeResults, true);
  304. } else {
  305. $formattedTextResponse = 'No errors have been found.';
  306. }
  307. $response = new DataDisplayResponse(
  308. $formattedTextResponse,
  309. Http::STATUS_OK,
  310. [
  311. 'Content-Type' => 'text/plain',
  312. ]
  313. );
  314. return $response;
  315. }
  316. /**
  317. * @return DataResponse
  318. */
  319. public function check() {
  320. return new DataResponse(
  321. [
  322. 'serverHasInternetConnection' => $this->isInternetConnectionWorking(),
  323. 'isMemcacheConfigured' => $this->isMemcacheConfigured(),
  324. 'memcacheDocs' => $this->urlGenerator->linkToDocs('admin-performance'),
  325. 'isUrandomAvailable' => $this->isUrandomAvailable(),
  326. 'securityDocs' => $this->urlGenerator->linkToDocs('admin-security'),
  327. 'isUsedTlsLibOutdated' => $this->isUsedTlsLibOutdated(),
  328. 'phpSupported' => $this->isPhpSupported(),
  329. 'forwardedForHeadersWorking' => $this->forwardedForHeadersWorking(),
  330. 'reverseProxyDocs' => $this->urlGenerator->linkToDocs('admin-reverse-proxy'),
  331. 'isCorrectMemcachedPHPModuleInstalled' => $this->isCorrectMemcachedPHPModuleInstalled(),
  332. 'hasPassedCodeIntegrityCheck' => $this->checker->hasPassedCheck(),
  333. 'codeIntegrityCheckerDocumentation' => $this->urlGenerator->linkToDocs('admin-code-integrity'),
  334. ]
  335. );
  336. }
  337. }