nextcloud / server

lib/private/IntegrityCheck/Checker.php

Indentation +549 added lines, -549 removed lines

@@ -58,553 +58,553 @@
  * @package OC\IntegrityCheck
  */
 class Checker {
-	public const CACHE_KEY = 'oc.integritycheck.checker';
-	/** @var EnvironmentHelper */
-	private $environmentHelper;
-	/** @var AppLocator */
-	private $appLocator;
-	/** @var FileAccessHelper */
-	private $fileAccessHelper;
-	/** @var IConfig|null */
-	private $config;
-	/** @var ICache */
-	private $cache;
-	/** @var IAppManager|null */
-	private $appManager;
-	/** @var IMimeTypeDetector */
-	private $mimeTypeDetector;
-
-	/**
-	 * @param EnvironmentHelper $environmentHelper
-	 * @param FileAccessHelper $fileAccessHelper
-	 * @param AppLocator $appLocator
-	 * @param IConfig|null $config
-	 * @param ICacheFactory $cacheFactory
-	 * @param IAppManager|null $appManager
-	 * @param IMimeTypeDetector $mimeTypeDetector
-	 */
-	public function __construct(EnvironmentHelper $environmentHelper,
-								FileAccessHelper $fileAccessHelper,
-								AppLocator $appLocator,
-								?IConfig $config,
-								ICacheFactory $cacheFactory,
-								?IAppManager $appManager,
-								IMimeTypeDetector $mimeTypeDetector) {
-		$this->environmentHelper = $environmentHelper;
-		$this->fileAccessHelper = $fileAccessHelper;
-		$this->appLocator = $appLocator;
-		$this->config = $config;
-		$this->cache = $cacheFactory->createDistributed(self::CACHE_KEY);
-		$this->appManager = $appManager;
-		$this->mimeTypeDetector = $mimeTypeDetector;
-	}
-
-	/**
-	 * Whether code signing is enforced or not.
-	 *
-	 * @return bool
-	 */
-	public function isCodeCheckEnforced(): bool {
-		$notSignedChannels = [ '', 'git'];
-		if (\in_array($this->environmentHelper->getChannel(), $notSignedChannels, true)) {
-			return false;
-		}
-
-		/**
-		 * This config option is undocumented and supposed to be so, it's only
-		 * applicable for very specific scenarios and we should not advertise it
-		 * too prominent. So please do not add it to config.sample.php.
-		 */
-		$isIntegrityCheckDisabled = false;
-		if ($this->config !== null) {
-			$isIntegrityCheckDisabled = $this->config->getSystemValue('integrity.check.disabled', false);
-		}
-		if ($isIntegrityCheckDisabled === true) {
-			return false;
-		}
-
-		return true;
-	}
-
-	/**
-	 * Enumerates all files belonging to the folder. Sensible defaults are excluded.
-	 *
-	 * @param string $folderToIterate
-	 * @param string $root
-	 * @return \RecursiveIteratorIterator
-	 * @throws \Exception
-	 */
-	private function getFolderIterator(string $folderToIterate, string $root = ''): \RecursiveIteratorIterator {
-		$dirItr = new \RecursiveDirectoryIterator(
-			$folderToIterate,
-			\RecursiveDirectoryIterator::SKIP_DOTS
-		);
-		if ($root === '') {
-			$root = \OC::$SERVERROOT;
-		}
-		$root = rtrim($root, '/');
-
-		$excludeGenericFilesIterator = new ExcludeFileByNameFilterIterator($dirItr);
-		$excludeFoldersIterator = new ExcludeFoldersByPathFilterIterator($excludeGenericFilesIterator, $root);
-
-		return new \RecursiveIteratorIterator(
-			$excludeFoldersIterator,
-			\RecursiveIteratorIterator::SELF_FIRST
-		);
-	}
-
-	/**
-	 * Returns an array of ['filename' => 'SHA512-hash-of-file'] for all files found
-	 * in the iterator.
-	 *
-	 * @param \RecursiveIteratorIterator $iterator
-	 * @param string $path
-	 * @return array Array of hashes.
-	 */
-	private function generateHashes(\RecursiveIteratorIterator $iterator,
-									string $path): array {
-		$hashes = [];
-
-		$baseDirectoryLength = \strlen($path);
-		foreach ($iterator as $filename => $data) {
-			/** @var \DirectoryIterator $data */
-			if ($data->isDir()) {
-				continue;
-			}
-
-			$relativeFileName = substr($filename, $baseDirectoryLength);
-			$relativeFileName = ltrim($relativeFileName, '/');
-
-			// Exclude signature.json files in the appinfo and root folder
-			if ($relativeFileName === 'appinfo/signature.json') {
-				continue;
-			}
-			// Exclude signature.json files in the appinfo and core folder
-			if ($relativeFileName === 'core/signature.json') {
-				continue;
-			}
-
-			// The .htaccess file in the root folder of ownCloud can contain
-			// custom content after the installation due to the fact that dynamic
-			// content is written into it at installation time as well. This
-			// includes for example the 404 and 403 instructions.
-			// Thus we ignore everything below the first occurrence of
-			// "#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####" and have the
-			// hash generated based on this.
-			if ($filename === $this->environmentHelper->getServerRoot() . '/.htaccess') {
-				$fileContent = file_get_contents($filename);
-				$explodedArray = explode('#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####', $fileContent);
-				if (\count($explodedArray) === 2) {
-					$hashes[$relativeFileName] = hash('sha512', $explodedArray[0]);
-					continue;
-				}
-			}
-			if ($filename === $this->environmentHelper->getServerRoot() . '/core/js/mimetypelist.js') {
-				$oldMimetypeList = new GenerateMimetypeFileBuilder();
-				$newFile = $oldMimetypeList->generateFile($this->mimeTypeDetector->getAllAliases());
-				if ($newFile === file_get_contents($filename)) {
-					$hashes[$relativeFileName] = hash('sha512', $oldMimetypeList->generateFile($this->mimeTypeDetector->getOnlyDefaultAliases()));
-					continue;
-				}
-			}
-
-			$hashes[$relativeFileName] = hash_file('sha512', $filename);
-		}
-
-		return $hashes;
-	}
-
-	/**
-	 * Creates the signature data
-	 *
-	 * @param array $hashes
-	 * @param X509 $certificate
-	 * @param RSA $privateKey
-	 * @return array
-	 */
-	private function createSignatureData(array $hashes,
-										 X509 $certificate,
-										 RSA $privateKey): array {
-		ksort($hashes);
-
-		$privateKey->setSignatureMode(RSA::SIGNATURE_PSS);
-		$privateKey->setMGFHash('sha512');
-		// See https://tools.ietf.org/html/rfc3447#page-38
-		$privateKey->setSaltLength(0);
-		$signature = $privateKey->sign(json_encode($hashes));
-
-		return [
-			'hashes' => $hashes,
-			'signature' => base64_encode($signature),
-			'certificate' => $certificate->saveX509($certificate->currentCert),
-		];
-	}
-
-	/**
-	 * Write the signature of the app in the specified folder
-	 *
-	 * @param string $path
-	 * @param X509 $certificate
-	 * @param RSA $privateKey
-	 * @throws \Exception
-	 */
-	public function writeAppSignature($path,
-									  X509 $certificate,
-									  RSA $privateKey) {
-		$appInfoDir = $path . '/appinfo';
-		try {
-			$this->fileAccessHelper->assertDirectoryExists($appInfoDir);
-
-			$iterator = $this->getFolderIterator($path);
-			$hashes = $this->generateHashes($iterator, $path);
-			$signature = $this->createSignatureData($hashes, $certificate, $privateKey);
-			$this->fileAccessHelper->file_put_contents(
-					$appInfoDir . '/signature.json',
-				json_encode($signature, JSON_PRETTY_PRINT)
-			);
-		} catch (\Exception $e) {
-			if (!$this->fileAccessHelper->is_writable($appInfoDir)) {
-				throw new \Exception($appInfoDir . ' is not writable');
-			}
-			throw $e;
-		}
-	}
-
-	/**
-	 * Write the signature of core
-	 *
-	 * @param X509 $certificate
-	 * @param RSA $rsa
-	 * @param string $path
-	 * @throws \Exception
-	 */
-	public function writeCoreSignature(X509 $certificate,
-									   RSA $rsa,
-									   $path) {
-		$coreDir = $path . '/core';
-		try {
-			$this->fileAccessHelper->assertDirectoryExists($coreDir);
-			$iterator = $this->getFolderIterator($path, $path);
-			$hashes = $this->generateHashes($iterator, $path);
-			$signatureData = $this->createSignatureData($hashes, $certificate, $rsa);
-			$this->fileAccessHelper->file_put_contents(
-				$coreDir . '/signature.json',
-				json_encode($signatureData, JSON_PRETTY_PRINT)
-			);
-		} catch (\Exception $e) {
-			if (!$this->fileAccessHelper->is_writable($coreDir)) {
-				throw new \Exception($coreDir . ' is not writable');
-			}
-			throw $e;
-		}
-	}
-
-	/**
-	 * Split the certificate file in individual certs
-	 *
-	 * @param string $cert
-	 * @return string[]
-	 */
-	private function splitCerts(string $cert): array {
-		preg_match_all('([\-]{3,}[\S\ ]+?[\-]{3,}[\S\s]+?[\-]{3,}[\S\ ]+?[\-]{3,})', $cert, $matches);
-
-		return $matches[0];
-	}
-
-	/**
-	 * Verifies the signature for the specified path.
-	 *
-	 * @param string $signaturePath
-	 * @param string $basePath
-	 * @param string $certificateCN
-	 * @param bool $forceVerify
-	 * @return array
-	 * @throws InvalidSignatureException
-	 * @throws \Exception
-	 */
-	private function verify(string $signaturePath, string $basePath, string $certificateCN, bool $forceVerify = false): array {
-		if (!$forceVerify && !$this->isCodeCheckEnforced()) {
-			return [];
-		}
-
-		$content = $this->fileAccessHelper->file_get_contents($signaturePath);
-		$signatureData = null;
-
-		if (\is_string($content)) {
-			$signatureData = json_decode($content, true);
-		}
-		if (!\is_array($signatureData)) {
-			throw new InvalidSignatureException('Signature data not found.');
-		}
-
-		$expectedHashes = $signatureData['hashes'];
-		ksort($expectedHashes);
-		$signature = base64_decode($signatureData['signature']);
-		$certificate = $signatureData['certificate'];
-
-		// Check if certificate is signed by Nextcloud Root Authority
-		$x509 = new \phpseclib\File\X509();
-		$rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/root.crt');
-
-		$rootCerts = $this->splitCerts($rootCertificatePublicKey);
-		foreach ($rootCerts as $rootCert) {
-			$x509->loadCA($rootCert);
-		}
-		$x509->loadX509($certificate);
-		if (!$x509->validateSignature()) {
-			throw new InvalidSignatureException('Certificate is not valid.');
-		}
-		// Verify if certificate has proper CN. "core" CN is always trusted.
-		if ($x509->getDN(X509::DN_OPENSSL)['CN'] !== $certificateCN && $x509->getDN(X509::DN_OPENSSL)['CN'] !== 'core') {
-			throw new InvalidSignatureException(
-					sprintf('Certificate is not valid for required scope. (Requested: %s, current: CN=%s)', $certificateCN, $x509->getDN(true)['CN'])
-			);
-		}
-
-		// Check if the signature of the files is valid
-		$rsa = new \phpseclib\Crypt\RSA();
-		$rsa->loadKey($x509->currentCert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey']);
-		$rsa->setSignatureMode(RSA::SIGNATURE_PSS);
-		$rsa->setMGFHash('sha512');
-		// See https://tools.ietf.org/html/rfc3447#page-38
-		$rsa->setSaltLength(0);
-		if (!$rsa->verify(json_encode($expectedHashes), $signature)) {
-			throw new InvalidSignatureException('Signature could not get verified.');
-		}
-
-		// Fixes for the updater as shipped with ownCloud 9.0.x: The updater is
-		// replaced after the code integrity check is performed.
-		//
-		// Due to this reason we exclude the whole updater/ folder from the code
-		// integrity check.
-		if ($basePath === $this->environmentHelper->getServerRoot()) {
-			foreach ($expectedHashes as $fileName => $hash) {
-				if (strpos($fileName, 'updater/') === 0) {
-					unset($expectedHashes[$fileName]);
-				}
-			}
-		}
-
-		// Compare the list of files which are not identical
-		$currentInstanceHashes = $this->generateHashes($this->getFolderIterator($basePath), $basePath);
-		$differencesA = array_diff($expectedHashes, $currentInstanceHashes);
-		$differencesB = array_diff($currentInstanceHashes, $expectedHashes);
-		$differences = array_unique(array_merge($differencesA, $differencesB));
-		$differenceArray = [];
-		foreach ($differences as $filename => $hash) {
-			// Check if file should not exist in the new signature table
-			if (!array_key_exists($filename, $expectedHashes)) {
-				$differenceArray['EXTRA_FILE'][$filename]['expected'] = '';
-				$differenceArray['EXTRA_FILE'][$filename]['current'] = $hash;
-				continue;
-			}
-
-			// Check if file is missing
-			if (!array_key_exists($filename, $currentInstanceHashes)) {
-				$differenceArray['FILE_MISSING'][$filename]['expected'] = $expectedHashes[$filename];
-				$differenceArray['FILE_MISSING'][$filename]['current'] = '';
-				continue;
-			}
-
-			// Check if hash does mismatch
-			if ($expectedHashes[$filename] !== $currentInstanceHashes[$filename]) {
-				$differenceArray['INVALID_HASH'][$filename]['expected'] = $expectedHashes[$filename];
-				$differenceArray['INVALID_HASH'][$filename]['current'] = $currentInstanceHashes[$filename];
-				continue;
-			}
-
-			// Should never happen.
-			throw new \Exception('Invalid behaviour in file hash comparison experienced. Please report this error to the developers.');
-		}
-
-		return $differenceArray;
-	}
-
-	/**
-	 * Whether the code integrity check has passed successful or not
-	 *
-	 * @return bool
-	 */
-	public function hasPassedCheck(): bool {
-		$results = $this->getResults();
-		if (empty($results)) {
-			return true;
-		}
-
-		return false;
-	}
-
-	/**
-	 * @return array
-	 */
-	public function getResults(): array {
-		$cachedResults = $this->cache->get(self::CACHE_KEY);
-		if (!\is_null($cachedResults)) {
-			return json_decode($cachedResults, true);
-		}
-
-		if ($this->config !== null) {
-			return json_decode($this->config->getAppValue('core', self::CACHE_KEY, '{}'), true);
-		}
-		return [];
-	}
-
-	/**
-	 * Stores the results in the app config as well as cache
-	 *
-	 * @param string $scope
-	 * @param array $result
-	 */
-	private function storeResults(string $scope, array $result) {
-		$resultArray = $this->getResults();
-		unset($resultArray[$scope]);
-		if (!empty($result)) {
-			$resultArray[$scope] = $result;
-		}
-		if ($this->config !== null) {
-			$this->config->setAppValue('core', self::CACHE_KEY, json_encode($resultArray));
-		}
-		$this->cache->set(self::CACHE_KEY, json_encode($resultArray));
-	}
-
-	/**
-	 *
-	 * Clean previous results for a proper rescanning. Otherwise
-	 */
-	private function cleanResults() {
-		$this->config->deleteAppValue('core', self::CACHE_KEY);
-		$this->cache->remove(self::CACHE_KEY);
-	}
-
-	/**
-	 * Verify the signature of $appId. Returns an array with the following content:
-	 * [
-	 * 	'FILE_MISSING' =>
-	 * 	[
-	 * 		'filename' => [
-	 * 			'expected' => 'expectedSHA512',
-	 * 			'current' => 'currentSHA512',
-	 * 		],
-	 * 	],
-	 * 	'EXTRA_FILE' =>
-	 * 	[
-	 * 		'filename' => [
-	 * 			'expected' => 'expectedSHA512',
-	 * 			'current' => 'currentSHA512',
-	 * 		],
-	 * 	],
-	 * 	'INVALID_HASH' =>
-	 * 	[
-	 * 		'filename' => [
-	 * 			'expected' => 'expectedSHA512',
-	 * 			'current' => 'currentSHA512',
-	 * 		],
-	 * 	],
-	 * ]
-	 *
-	 * Array may be empty in case no problems have been found.
-	 *
-	 * @param string $appId
-	 * @param string $path Optional path. If none is given it will be guessed.
-	 * @param bool $forceVerify
-	 * @return array
-	 */
-	public function verifyAppSignature(string $appId, string $path = '', bool $forceVerify = false): array {
-		try {
-			if ($path === '') {
-				$path = $this->appLocator->getAppPath($appId);
-			}
-			$result = $this->verify(
-					$path . '/appinfo/signature.json',
-					$path,
-					$appId,
-					$forceVerify
-			);
-		} catch (\Exception $e) {
-			$result = [
-				'EXCEPTION' => [
-					'class' => \get_class($e),
-					'message' => $e->getMessage(),
-				],
-			];
-		}
-		$this->storeResults($appId, $result);
-
-		return $result;
-	}
-
-	/**
-	 * Verify the signature of core. Returns an array with the following content:
-	 * [
-	 * 	'FILE_MISSING' =>
-	 * 	[
-	 * 		'filename' => [
-	 * 			'expected' => 'expectedSHA512',
-	 * 			'current' => 'currentSHA512',
-	 * 		],
-	 * 	],
-	 * 	'EXTRA_FILE' =>
-	 * 	[
-	 * 		'filename' => [
-	 * 			'expected' => 'expectedSHA512',
-	 * 			'current' => 'currentSHA512',
-	 * 		],
-	 * 	],
-	 * 	'INVALID_HASH' =>
-	 * 	[
-	 * 		'filename' => [
-	 * 			'expected' => 'expectedSHA512',
-	 * 			'current' => 'currentSHA512',
-	 * 		],
-	 * 	],
-	 * ]
-	 *
-	 * Array may be empty in case no problems have been found.
-	 *
-	 * @return array
-	 */
-	public function verifyCoreSignature(): array {
-		try {
-			$result = $this->verify(
-					$this->environmentHelper->getServerRoot() . '/core/signature.json',
-					$this->environmentHelper->getServerRoot(),
-					'core'
-			);
-		} catch (\Exception $e) {
-			$result = [
-				'EXCEPTION' => [
-					'class' => \get_class($e),
-					'message' => $e->getMessage(),
-				],
-			];
-		}
-		$this->storeResults('core', $result);
-
-		return $result;
-	}
-
-	/**
-	 * Verify the core code of the instance as well as all applicable applications
-	 * and store the results.
-	 */
-	public function runInstanceVerification() {
-		$this->cleanResults();
-		$this->verifyCoreSignature();
-		$appIds = $this->appLocator->getAllApps();
-		foreach ($appIds as $appId) {
-			// If an application is shipped a valid signature is required
-			$isShipped = $this->appManager->isShipped($appId);
-			$appNeedsToBeChecked = false;
-			if ($isShipped) {
-				$appNeedsToBeChecked = true;
-			} elseif ($this->fileAccessHelper->file_exists($this->appLocator->getAppPath($appId) . '/appinfo/signature.json')) {
-				// Otherwise only if the application explicitly ships a signature.json file
-				$appNeedsToBeChecked = true;
-			}
-
-			if ($appNeedsToBeChecked) {
-				$this->verifyAppSignature($appId);
-			}
-		}
-	}
+    public const CACHE_KEY = 'oc.integritycheck.checker';
+    /** @var EnvironmentHelper */
+    private $environmentHelper;
+    /** @var AppLocator */
+    private $appLocator;
+    /** @var FileAccessHelper */
+    private $fileAccessHelper;
+    /** @var IConfig|null */
+    private $config;
+    /** @var ICache */
+    private $cache;
+    /** @var IAppManager|null */
+    private $appManager;
+    /** @var IMimeTypeDetector */
+    private $mimeTypeDetector;
+
+    /**
+     * @param EnvironmentHelper $environmentHelper
+     * @param FileAccessHelper $fileAccessHelper
+     * @param AppLocator $appLocator
+     * @param IConfig|null $config
+     * @param ICacheFactory $cacheFactory
+     * @param IAppManager|null $appManager
+     * @param IMimeTypeDetector $mimeTypeDetector
+     */
+    public function __construct(EnvironmentHelper $environmentHelper,
+                                FileAccessHelper $fileAccessHelper,
+                                AppLocator $appLocator,
+                                ?IConfig $config,
+                                ICacheFactory $cacheFactory,
+                                ?IAppManager $appManager,
+                                IMimeTypeDetector $mimeTypeDetector) {
+        $this->environmentHelper = $environmentHelper;
+        $this->fileAccessHelper = $fileAccessHelper;
+        $this->appLocator = $appLocator;
+        $this->config = $config;
+        $this->cache = $cacheFactory->createDistributed(self::CACHE_KEY);
+        $this->appManager = $appManager;
+        $this->mimeTypeDetector = $mimeTypeDetector;
+    }
+
+    /**
+     * Whether code signing is enforced or not.
+     *
+     * @return bool
+     */
+    public function isCodeCheckEnforced(): bool {
+        $notSignedChannels = [ '', 'git'];
+        if (\in_array($this->environmentHelper->getChannel(), $notSignedChannels, true)) {
+            return false;
+        }
+
+        /**
+         * This config option is undocumented and supposed to be so, it's only
+         * applicable for very specific scenarios and we should not advertise it
+         * too prominent. So please do not add it to config.sample.php.
+         */
+        $isIntegrityCheckDisabled = false;
+        if ($this->config !== null) {
+            $isIntegrityCheckDisabled = $this->config->getSystemValue('integrity.check.disabled', false);
+        }
+        if ($isIntegrityCheckDisabled === true) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Enumerates all files belonging to the folder. Sensible defaults are excluded.
+     *
+     * @param string $folderToIterate
+     * @param string $root
+     * @return \RecursiveIteratorIterator
+     * @throws \Exception
+     */
+    private function getFolderIterator(string $folderToIterate, string $root = ''): \RecursiveIteratorIterator {
+        $dirItr = new \RecursiveDirectoryIterator(
+            $folderToIterate,
+            \RecursiveDirectoryIterator::SKIP_DOTS
+        );
+        if ($root === '') {
+            $root = \OC::$SERVERROOT;
+        }
+        $root = rtrim($root, '/');
+
+        $excludeGenericFilesIterator = new ExcludeFileByNameFilterIterator($dirItr);
+        $excludeFoldersIterator = new ExcludeFoldersByPathFilterIterator($excludeGenericFilesIterator, $root);
+
+        return new \RecursiveIteratorIterator(
+            $excludeFoldersIterator,
+            \RecursiveIteratorIterator::SELF_FIRST
+        );
+    }
+
+    /**
+     * Returns an array of ['filename' => 'SHA512-hash-of-file'] for all files found
+     * in the iterator.
+     *
+     * @param \RecursiveIteratorIterator $iterator
+     * @param string $path
+     * @return array Array of hashes.
+     */
+    private function generateHashes(\RecursiveIteratorIterator $iterator,
+                                    string $path): array {
+        $hashes = [];
+
+        $baseDirectoryLength = \strlen($path);
+        foreach ($iterator as $filename => $data) {
+            /** @var \DirectoryIterator $data */
+            if ($data->isDir()) {
+                continue;
+            }
+
+            $relativeFileName = substr($filename, $baseDirectoryLength);
+            $relativeFileName = ltrim($relativeFileName, '/');
+
+            // Exclude signature.json files in the appinfo and root folder
+            if ($relativeFileName === 'appinfo/signature.json') {
+                continue;
+            }
+            // Exclude signature.json files in the appinfo and core folder
+            if ($relativeFileName === 'core/signature.json') {
+                continue;
+            }
+
+            // The .htaccess file in the root folder of ownCloud can contain
+            // custom content after the installation due to the fact that dynamic
+            // content is written into it at installation time as well. This
+            // includes for example the 404 and 403 instructions.
+            // Thus we ignore everything below the first occurrence of
+            // "#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####" and have the
+            // hash generated based on this.
+            if ($filename === $this->environmentHelper->getServerRoot() . '/.htaccess') {
+                $fileContent = file_get_contents($filename);
+                $explodedArray = explode('#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####', $fileContent);
+                if (\count($explodedArray) === 2) {
+                    $hashes[$relativeFileName] = hash('sha512', $explodedArray[0]);
+                    continue;
+                }
+            }
+            if ($filename === $this->environmentHelper->getServerRoot() . '/core/js/mimetypelist.js') {
+                $oldMimetypeList = new GenerateMimetypeFileBuilder();
+                $newFile = $oldMimetypeList->generateFile($this->mimeTypeDetector->getAllAliases());
+                if ($newFile === file_get_contents($filename)) {
+                    $hashes[$relativeFileName] = hash('sha512', $oldMimetypeList->generateFile($this->mimeTypeDetector->getOnlyDefaultAliases()));
+                    continue;
+                }
+            }
+
+            $hashes[$relativeFileName] = hash_file('sha512', $filename);
+        }
+
+        return $hashes;
+    }
+
+    /**
+     * Creates the signature data
+     *
+     * @param array $hashes
+     * @param X509 $certificate
+     * @param RSA $privateKey
+     * @return array
+     */
+    private function createSignatureData(array $hashes,
+                                            X509 $certificate,
+                                            RSA $privateKey): array {
+        ksort($hashes);
+
+        $privateKey->setSignatureMode(RSA::SIGNATURE_PSS);
+        $privateKey->setMGFHash('sha512');
+        // See https://tools.ietf.org/html/rfc3447#page-38
+        $privateKey->setSaltLength(0);
+        $signature = $privateKey->sign(json_encode($hashes));
+
+        return [
+            'hashes' => $hashes,
+            'signature' => base64_encode($signature),
+            'certificate' => $certificate->saveX509($certificate->currentCert),
+        ];
+    }
+
+    /**
+     * Write the signature of the app in the specified folder
+     *
+     * @param string $path
+     * @param X509 $certificate
+     * @param RSA $privateKey
+     * @throws \Exception
+     */
+    public function writeAppSignature($path,
+                                        X509 $certificate,
+                                        RSA $privateKey) {
+        $appInfoDir = $path . '/appinfo';
+        try {
+            $this->fileAccessHelper->assertDirectoryExists($appInfoDir);
+
+            $iterator = $this->getFolderIterator($path);
+            $hashes = $this->generateHashes($iterator, $path);
+            $signature = $this->createSignatureData($hashes, $certificate, $privateKey);
+            $this->fileAccessHelper->file_put_contents(
+                    $appInfoDir . '/signature.json',
+                json_encode($signature, JSON_PRETTY_PRINT)
+            );
+        } catch (\Exception $e) {
+            if (!$this->fileAccessHelper->is_writable($appInfoDir)) {
+                throw new \Exception($appInfoDir . ' is not writable');
+            }
+            throw $e;
+        }
+    }
+
+    /**
+     * Write the signature of core
+     *
+     * @param X509 $certificate
+     * @param RSA $rsa
+     * @param string $path
+     * @throws \Exception
+     */
+    public function writeCoreSignature(X509 $certificate,
+                                        RSA $rsa,
+                                        $path) {
+        $coreDir = $path . '/core';
+        try {
+            $this->fileAccessHelper->assertDirectoryExists($coreDir);
+            $iterator = $this->getFolderIterator($path, $path);
+            $hashes = $this->generateHashes($iterator, $path);
+            $signatureData = $this->createSignatureData($hashes, $certificate, $rsa);
+            $this->fileAccessHelper->file_put_contents(
+                $coreDir . '/signature.json',
+                json_encode($signatureData, JSON_PRETTY_PRINT)
+            );
+        } catch (\Exception $e) {
+            if (!$this->fileAccessHelper->is_writable($coreDir)) {
+                throw new \Exception($coreDir . ' is not writable');
+            }
+            throw $e;
+        }
+    }
+
+    /**
+     * Split the certificate file in individual certs
+     *
+     * @param string $cert
+     * @return string[]
+     */
+    private function splitCerts(string $cert): array {
+        preg_match_all('([\-]{3,}[\S\ ]+?[\-]{3,}[\S\s]+?[\-]{3,}[\S\ ]+?[\-]{3,})', $cert, $matches);
+
+        return $matches[0];
+    }
+
+    /**
+     * Verifies the signature for the specified path.
+     *
+     * @param string $signaturePath
+     * @param string $basePath
+     * @param string $certificateCN
+     * @param bool $forceVerify
+     * @return array
+     * @throws InvalidSignatureException
+     * @throws \Exception
+     */
+    private function verify(string $signaturePath, string $basePath, string $certificateCN, bool $forceVerify = false): array {
+        if (!$forceVerify && !$this->isCodeCheckEnforced()) {
+            return [];
+        }
+
+        $content = $this->fileAccessHelper->file_get_contents($signaturePath);
+        $signatureData = null;
+
+        if (\is_string($content)) {
+            $signatureData = json_decode($content, true);
+        }
+        if (!\is_array($signatureData)) {
+            throw new InvalidSignatureException('Signature data not found.');
+        }
+
+        $expectedHashes = $signatureData['hashes'];
+        ksort($expectedHashes);
+        $signature = base64_decode($signatureData['signature']);
+        $certificate = $signatureData['certificate'];
+
+        // Check if certificate is signed by Nextcloud Root Authority
+        $x509 = new \phpseclib\File\X509();
+        $rootCertificatePublicKey = $this->fileAccessHelper->file_get_contents($this->environmentHelper->getServerRoot().'/resources/codesigning/root.crt');
+
+        $rootCerts = $this->splitCerts($rootCertificatePublicKey);
+        foreach ($rootCerts as $rootCert) {
+            $x509->loadCA($rootCert);
+        }
+        $x509->loadX509($certificate);
+        if (!$x509->validateSignature()) {
+            throw new InvalidSignatureException('Certificate is not valid.');
+        }
+        // Verify if certificate has proper CN. "core" CN is always trusted.
+        if ($x509->getDN(X509::DN_OPENSSL)['CN'] !== $certificateCN && $x509->getDN(X509::DN_OPENSSL)['CN'] !== 'core') {
+            throw new InvalidSignatureException(
+                    sprintf('Certificate is not valid for required scope. (Requested: %s, current: CN=%s)', $certificateCN, $x509->getDN(true)['CN'])
+            );
+        }
+
+        // Check if the signature of the files is valid
+        $rsa = new \phpseclib\Crypt\RSA();
+        $rsa->loadKey($x509->currentCert['tbsCertificate']['subjectPublicKeyInfo']['subjectPublicKey']);
+        $rsa->setSignatureMode(RSA::SIGNATURE_PSS);
+        $rsa->setMGFHash('sha512');
+        // See https://tools.ietf.org/html/rfc3447#page-38
+        $rsa->setSaltLength(0);
+        if (!$rsa->verify(json_encode($expectedHashes), $signature)) {
+            throw new InvalidSignatureException('Signature could not get verified.');
+        }
+
+        // Fixes for the updater as shipped with ownCloud 9.0.x: The updater is
+        // replaced after the code integrity check is performed.
+        //
+        // Due to this reason we exclude the whole updater/ folder from the code
+        // integrity check.
+        if ($basePath === $this->environmentHelper->getServerRoot()) {
+            foreach ($expectedHashes as $fileName => $hash) {
+                if (strpos($fileName, 'updater/') === 0) {
+                    unset($expectedHashes[$fileName]);
+                }
+            }
+        }
+
+        // Compare the list of files which are not identical
+        $currentInstanceHashes = $this->generateHashes($this->getFolderIterator($basePath), $basePath);
+        $differencesA = array_diff($expectedHashes, $currentInstanceHashes);
+        $differencesB = array_diff($currentInstanceHashes, $expectedHashes);
+        $differences = array_unique(array_merge($differencesA, $differencesB));
+        $differenceArray = [];
+        foreach ($differences as $filename => $hash) {
+            // Check if file should not exist in the new signature table
+            if (!array_key_exists($filename, $expectedHashes)) {
+                $differenceArray['EXTRA_FILE'][$filename]['expected'] = '';
+                $differenceArray['EXTRA_FILE'][$filename]['current'] = $hash;
+                continue;
+            }
+
+            // Check if file is missing
+            if (!array_key_exists($filename, $currentInstanceHashes)) {
+                $differenceArray['FILE_MISSING'][$filename]['expected'] = $expectedHashes[$filename];
+                $differenceArray['FILE_MISSING'][$filename]['current'] = '';
+                continue;
+            }
+
+            // Check if hash does mismatch
+            if ($expectedHashes[$filename] !== $currentInstanceHashes[$filename]) {
+                $differenceArray['INVALID_HASH'][$filename]['expected'] = $expectedHashes[$filename];
+                $differenceArray['INVALID_HASH'][$filename]['current'] = $currentInstanceHashes[$filename];
+                continue;
+            }
+
+            // Should never happen.
+            throw new \Exception('Invalid behaviour in file hash comparison experienced. Please report this error to the developers.');
+        }
+
+        return $differenceArray;
+    }
+
+    /**
+     * Whether the code integrity check has passed successful or not
+     *
+     * @return bool
+     */
+    public function hasPassedCheck(): bool {
+        $results = $this->getResults();
+        if (empty($results)) {
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * @return array
+     */
+    public function getResults(): array {
+        $cachedResults = $this->cache->get(self::CACHE_KEY);
+        if (!\is_null($cachedResults)) {
+            return json_decode($cachedResults, true);
+        }
+
+        if ($this->config !== null) {
+            return json_decode($this->config->getAppValue('core', self::CACHE_KEY, '{}'), true);
+        }
+        return [];
+    }
+
+    /**
+     * Stores the results in the app config as well as cache
+     *
+     * @param string $scope
+     * @param array $result
+     */
+    private function storeResults(string $scope, array $result) {
+        $resultArray = $this->getResults();
+        unset($resultArray[$scope]);
+        if (!empty($result)) {
+            $resultArray[$scope] = $result;
+        }
+        if ($this->config !== null) {
+            $this->config->setAppValue('core', self::CACHE_KEY, json_encode($resultArray));
+        }
+        $this->cache->set(self::CACHE_KEY, json_encode($resultArray));
+    }
+
+    /**
+     *
+     * Clean previous results for a proper rescanning. Otherwise
+     */
+    private function cleanResults() {
+        $this->config->deleteAppValue('core', self::CACHE_KEY);
+        $this->cache->remove(self::CACHE_KEY);
+    }
+
+    /**
+     * Verify the signature of $appId. Returns an array with the following content:
+     * [
+     * 	'FILE_MISSING' =>
+     * 	[
+     * 		'filename' => [
+     * 			'expected' => 'expectedSHA512',
+     * 			'current' => 'currentSHA512',
+     * 		],
+     * 	],
+     * 	'EXTRA_FILE' =>
+     * 	[
+     * 		'filename' => [
+     * 			'expected' => 'expectedSHA512',
+     * 			'current' => 'currentSHA512',
+     * 		],
+     * 	],
+     * 	'INVALID_HASH' =>
+     * 	[
+     * 		'filename' => [
+     * 			'expected' => 'expectedSHA512',
+     * 			'current' => 'currentSHA512',
+     * 		],
+     * 	],
+     * ]
+     *
+     * Array may be empty in case no problems have been found.
+     *
+     * @param string $appId
+     * @param string $path Optional path. If none is given it will be guessed.
+     * @param bool $forceVerify
+     * @return array
+     */
+    public function verifyAppSignature(string $appId, string $path = '', bool $forceVerify = false): array {
+        try {
+            if ($path === '') {
+                $path = $this->appLocator->getAppPath($appId);
+            }
+            $result = $this->verify(
+                    $path . '/appinfo/signature.json',
+                    $path,
+                    $appId,
+                    $forceVerify
+            );
+        } catch (\Exception $e) {
+            $result = [
+                'EXCEPTION' => [
+                    'class' => \get_class($e),
+                    'message' => $e->getMessage(),
+                ],
+            ];
+        }
+        $this->storeResults($appId, $result);
+
+        return $result;
+    }
+
+    /**
+     * Verify the signature of core. Returns an array with the following content:
+     * [
+     * 	'FILE_MISSING' =>
+     * 	[
+     * 		'filename' => [
+     * 			'expected' => 'expectedSHA512',
+     * 			'current' => 'currentSHA512',
+     * 		],
+     * 	],
+     * 	'EXTRA_FILE' =>
+     * 	[
+     * 		'filename' => [
+     * 			'expected' => 'expectedSHA512',
+     * 			'current' => 'currentSHA512',
+     * 		],
+     * 	],
+     * 	'INVALID_HASH' =>
+     * 	[
+     * 		'filename' => [
+     * 			'expected' => 'expectedSHA512',
+     * 			'current' => 'currentSHA512',
+     * 		],
+     * 	],
+     * ]
+     *
+     * Array may be empty in case no problems have been found.
+     *
+     * @return array
+     */
+    public function verifyCoreSignature(): array {
+        try {
+            $result = $this->verify(
+                    $this->environmentHelper->getServerRoot() . '/core/signature.json',
+                    $this->environmentHelper->getServerRoot(),
+                    'core'
+            );
+        } catch (\Exception $e) {
+            $result = [
+                'EXCEPTION' => [
+                    'class' => \get_class($e),
+                    'message' => $e->getMessage(),
+                ],
+            ];
+        }
+        $this->storeResults('core', $result);
+
+        return $result;
+    }
+
+    /**
+     * Verify the core code of the instance as well as all applicable applications
+     * and store the results.
+     */
+    public function runInstanceVerification() {
+        $this->cleanResults();
+        $this->verifyCoreSignature();
+        $appIds = $this->appLocator->getAllApps();
+        foreach ($appIds as $appId) {
+            // If an application is shipped a valid signature is required
+            $isShipped = $this->appManager->isShipped($appId);
+            $appNeedsToBeChecked = false;
+            if ($isShipped) {
+                $appNeedsToBeChecked = true;
+            } elseif ($this->fileAccessHelper->file_exists($this->appLocator->getAppPath($appId) . '/appinfo/signature.json')) {
+                // Otherwise only if the application explicitly ships a signature.json file
+                $appNeedsToBeChecked = true;
+            }
+
+            if ($appNeedsToBeChecked) {
+                $this->verifyAppSignature($appId);
+            }
+        }
+    }
 }

lib/private/Installer.php

Indentation +596 added lines, -596 removed lines

@@ -59,600 +59,600 @@
  * This class provides the functionality needed to install, update and remove apps
  */
 class Installer {
-	/** @var AppFetcher */
-	private $appFetcher;
-	/** @var IClientService */
-	private $clientService;
-	/** @var ITempManager */
-	private $tempManager;
-	/** @var ILogger */
-	private $logger;
-	/** @var IConfig */
-	private $config;
-	/** @var array - for caching the result of app fetcher */
-	private $apps = null;
-	/** @var bool|null - for caching the result of the ready status */
-	private $isInstanceReadyForUpdates = null;
-	/** @var bool */
-	private $isCLI;
-
-	/**
-	 * @param AppFetcher $appFetcher
-	 * @param IClientService $clientService
-	 * @param ITempManager $tempManager
-	 * @param ILogger $logger
-	 * @param IConfig $config
-	 */
-	public function __construct(
-		AppFetcher $appFetcher,
-		IClientService $clientService,
-		ITempManager $tempManager,
-		ILogger $logger,
-		IConfig $config,
-		bool $isCLI
-	) {
-		$this->appFetcher = $appFetcher;
-		$this->clientService = $clientService;
-		$this->tempManager = $tempManager;
-		$this->logger = $logger;
-		$this->config = $config;
-		$this->isCLI = $isCLI;
-	}
-
-	/**
-	 * Installs an app that is located in one of the app folders already
-	 *
-	 * @param string $appId App to install
-	 * @param bool $forceEnable
-	 * @throws \Exception
-	 * @return string app ID
-	 */
-	public function installApp(string $appId, bool $forceEnable = false): string {
-		$app = \OC_App::findAppInDirectories($appId);
-		if ($app === false) {
-			throw new \Exception('App not found in any app directory');
-		}
-
-		$basedir = $app['path'].'/'.$appId;
-		$info = OC_App::getAppInfo($basedir.'/appinfo/info.xml', true);
-
-		$l = \OC::$server->getL10N('core');
-
-		if (!is_array($info)) {
-			throw new \Exception(
-				$l->t('App "%s" cannot be installed because appinfo file cannot be read.',
-					[$appId]
-				)
-			);
-		}
-
-		$ignoreMaxApps = $this->config->getSystemValue('app_install_overwrite', []);
-		$ignoreMax = $forceEnable || in_array($appId, $ignoreMaxApps, true);
-
-		$version = implode('.', \OCP\Util::getVersion());
-		if (!\OC_App::isAppCompatible($version, $info, $ignoreMax)) {
-			throw new \Exception(
-				// TODO $l
-				$l->t('App "%s" cannot be installed because it is not compatible with this version of the server.',
-					[$info['name']]
-				)
-			);
-		}
-
-		// check for required dependencies
-		\OC_App::checkAppDependencies($this->config, $l, $info, $ignoreMax);
-		/** @var Coordinator $coordinator */
-		$coordinator = \OC::$server->get(Coordinator::class);
-		$coordinator->runLazyRegistration($appId);
-		\OC_App::registerAutoloading($appId, $basedir);
-
-		$previousVersion = $this->config->getAppValue($info['id'], 'installed_version', false);
-		if ($previousVersion) {
-			OC_App::executeRepairSteps($appId, $info['repair-steps']['pre-migration']);
-		}
-
-		//install the database
-		if (is_file($basedir.'/appinfo/database.xml')) {
-			if (\OC::$server->getConfig()->getAppValue($info['id'], 'installed_version') === null) {
-				OC_DB::createDbFromStructure($basedir.'/appinfo/database.xml');
-			} else {
-				OC_DB::updateDbFromStructure($basedir.'/appinfo/database.xml');
-			}
-		} else {
-			$ms = new \OC\DB\MigrationService($info['id'], \OC::$server->get(Connection::class));
-			$ms->migrate('latest', true);
-		}
-		if ($previousVersion) {
-			OC_App::executeRepairSteps($appId, $info['repair-steps']['post-migration']);
-		}
-
-		\OC_App::setupBackgroundJobs($info['background-jobs']);
-
-		//run appinfo/install.php
-		self::includeAppScript($basedir . '/appinfo/install.php');
-
-		$appData = OC_App::getAppInfo($appId);
-		OC_App::executeRepairSteps($appId, $appData['repair-steps']['install']);
-
-		//set the installed version
-		\OC::$server->getConfig()->setAppValue($info['id'], 'installed_version', OC_App::getAppVersion($info['id'], false));
-		\OC::$server->getConfig()->setAppValue($info['id'], 'enabled', 'no');
-
-		//set remote/public handlers
-		foreach ($info['remote'] as $name => $path) {
-			\OC::$server->getConfig()->setAppValue('core', 'remote_'.$name, $info['id'].'/'.$path);
-		}
-		foreach ($info['public'] as $name => $path) {
-			\OC::$server->getConfig()->setAppValue('core', 'public_'.$name, $info['id'].'/'.$path);
-		}
-
-		OC_App::setAppTypes($info['id']);
-
-		return $info['id'];
-	}
-
-	/**
-	 * Updates the specified app from the appstore
-	 *
-	 * @param string $appId
-	 * @param bool [$allowUnstable] Allow unstable releases
-	 * @return bool
-	 */
-	public function updateAppstoreApp($appId, $allowUnstable = false) {
-		if ($this->isUpdateAvailable($appId, $allowUnstable)) {
-			try {
-				$this->downloadApp($appId, $allowUnstable);
-			} catch (\Exception $e) {
-				$this->logger->logException($e, [
-					'level' => ILogger::ERROR,
-					'app' => 'core',
-				]);
-				return false;
-			}
-			return OC_App::updateApp($appId);
-		}
-
-		return false;
-	}
-
-	/**
-	 * Split the certificate file in individual certs
-	 *
-	 * @param string $cert
-	 * @return string[]
-	 */
-	private function splitCerts(string $cert): array {
-		preg_match_all('([\-]{3,}[\S\ ]+?[\-]{3,}[\S\s]+?[\-]{3,}[\S\ ]+?[\-]{3,})', $cert, $matches);
-
-		return $matches[0];
-	}
-
-	/**
-	 * Downloads an app and puts it into the app directory
-	 *
-	 * @param string $appId
-	 * @param bool [$allowUnstable]
-	 *
-	 * @throws \Exception If the installation was not successful
-	 */
-	public function downloadApp($appId, $allowUnstable = false) {
-		$appId = strtolower($appId);
-
-		$apps = $this->appFetcher->get($allowUnstable);
-		foreach ($apps as $app) {
-			if ($app['id'] === $appId) {
-				// Load the certificate
-				$certificate = new X509();
-				$rootCrt = file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt');
-				$rootCrts = $this->splitCerts($rootCrt);
-				foreach ($rootCrts as $rootCrt) {
-					$certificate->loadCA($rootCrt);
-				}
-				$loadedCertificate = $certificate->loadX509($app['certificate']);
-
-				// Verify if the certificate has been revoked
-				$crl = new X509();
-				foreach ($rootCrts as $rootCrt) {
-					$crl->loadCA($rootCrt);
-				}
-				$crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl'));
-				if ($crl->validateSignature() !== true) {
-					throw new \Exception('Could not validate CRL signature');
-				}
-				$csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString();
-				$revoked = $crl->getRevoked($csn);
-				if ($revoked !== false) {
-					throw new \Exception(
-						sprintf(
-							'Certificate "%s" has been revoked',
-							$csn
-						)
-					);
-				}
-
-				// Verify if the certificate has been issued by the Nextcloud Code Authority CA
-				if ($certificate->validateSignature() !== true) {
-					throw new \Exception(
-						sprintf(
-							'App with id %s has a certificate not issued by a trusted Code Signing Authority',
-							$appId
-						)
-					);
-				}
-
-				// Verify if the certificate is issued for the requested app id
-				$certInfo = openssl_x509_parse($app['certificate']);
-				if (!isset($certInfo['subject']['CN'])) {
-					throw new \Exception(
-						sprintf(
-							'App with id %s has a cert with no CN',
-							$appId
-						)
-					);
-				}
-				if ($certInfo['subject']['CN'] !== $appId) {
-					throw new \Exception(
-						sprintf(
-							'App with id %s has a cert issued to %s',
-							$appId,
-							$certInfo['subject']['CN']
-						)
-					);
-				}
-
-				// Download the release
-				$tempFile = $this->tempManager->getTemporaryFile('.tar.gz');
-				$timeout = $this->isCLI ? 0 : 120;
-				$client = $this->clientService->newClient();
-				$client->get($app['releases'][0]['download'], ['sink' => $tempFile, 'timeout' => $timeout]);
-
-				// Check if the signature actually matches the downloaded content
-				$certificate = openssl_get_publickey($app['certificate']);
-				$verified = (bool)openssl_verify(file_get_contents($tempFile), base64_decode($app['releases'][0]['signature']), $certificate, OPENSSL_ALGO_SHA512);
-				openssl_free_key($certificate);
-
-				if ($verified === true) {
-					// Seems to match, let's proceed
-					$extractDir = $this->tempManager->getTemporaryFolder();
-					$archive = new TAR($tempFile);
-
-					if ($archive) {
-						if (!$archive->extract($extractDir)) {
-							$errorMessage = 'Could not extract app ' . $appId;
-
-							$archiveError = $archive->getError();
-							if ($archiveError instanceof \PEAR_Error) {
-								$errorMessage .= ': ' . $archiveError->getMessage();
-							}
-
-							throw new \Exception($errorMessage);
-						}
-						$allFiles = scandir($extractDir);
-						$folders = array_diff($allFiles, ['.', '..']);
-						$folders = array_values($folders);
-
-						if (count($folders) > 1) {
-							throw new \Exception(
-								sprintf(
-									'Extracted app %s has more than 1 folder',
-									$appId
-								)
-							);
-						}
-
-						// Check if appinfo/info.xml has the same app ID as well
-						$loadEntities = libxml_disable_entity_loader(false);
-						$xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
-						libxml_disable_entity_loader($loadEntities);
-						if ((string)$xml->id !== $appId) {
-							throw new \Exception(
-								sprintf(
-									'App for id %s has a wrong app ID in info.xml: %s',
-									$appId,
-									(string)$xml->id
-								)
-							);
-						}
-
-						// Check if the version is lower than before
-						$currentVersion = OC_App::getAppVersion($appId);
-						$newVersion = (string)$xml->version;
-						if (version_compare($currentVersion, $newVersion) === 1) {
-							throw new \Exception(
-								sprintf(
-									'App for id %s has version %s and tried to update to lower version %s',
-									$appId,
-									$currentVersion,
-									$newVersion
-								)
-							);
-						}
-
-						$baseDir = OC_App::getInstallPath() . '/' . $appId;
-						// Remove old app with the ID if existent
-						OC_Helper::rmdirr($baseDir);
-						// Move to app folder
-						if (@mkdir($baseDir)) {
-							$extractDir .= '/' . $folders[0];
-							OC_Helper::copyr($extractDir, $baseDir);
-						}
-						OC_Helper::copyr($extractDir, $baseDir);
-						OC_Helper::rmdirr($extractDir);
-						return;
-					} else {
-						throw new \Exception(
-							sprintf(
-								'Could not extract app with ID %s to %s',
-								$appId,
-								$extractDir
-							)
-						);
-					}
-				} else {
-					// Signature does not match
-					throw new \Exception(
-						sprintf(
-							'App with id %s has invalid signature',
-							$appId
-						)
-					);
-				}
-			}
-		}
-
-		throw new \Exception(
-			sprintf(
-				'Could not download app %s',
-				$appId
-			)
-		);
-	}
-
-	/**
-	 * Check if an update for the app is available
-	 *
-	 * @param string $appId
-	 * @param bool $allowUnstable
-	 * @return string|false false or the version number of the update
-	 */
-	public function isUpdateAvailable($appId, $allowUnstable = false) {
-		if ($this->isInstanceReadyForUpdates === null) {
-			$installPath = OC_App::getInstallPath();
-			if ($installPath === false || $installPath === null) {
-				$this->isInstanceReadyForUpdates = false;
-			} else {
-				$this->isInstanceReadyForUpdates = true;
-			}
-		}
-
-		if ($this->isInstanceReadyForUpdates === false) {
-			return false;
-		}
-
-		if ($this->isInstalledFromGit($appId) === true) {
-			return false;
-		}
-
-		if ($this->apps === null) {
-			$this->apps = $this->appFetcher->get($allowUnstable);
-		}
-
-		foreach ($this->apps as $app) {
-			if ($app['id'] === $appId) {
-				$currentVersion = OC_App::getAppVersion($appId);
-
-				if (!isset($app['releases'][0]['version'])) {
-					return false;
-				}
-				$newestVersion = $app['releases'][0]['version'];
-				if ($currentVersion !== '0' && version_compare($newestVersion, $currentVersion, '>')) {
-					return $newestVersion;
-				} else {
-					return false;
-				}
-			}
-		}
-
-		return false;
-	}
-
-	/**
-	 * Check if app has been installed from git
-	 * @param string $name name of the application to remove
-	 * @return boolean
-	 *
-	 * The function will check if the path contains a .git folder
-	 */
-	private function isInstalledFromGit($appId) {
-		$app = \OC_App::findAppInDirectories($appId);
-		if ($app === false) {
-			return false;
-		}
-		$basedir = $app['path'].'/'.$appId;
-		return file_exists($basedir.'/.git/');
-	}
-
-	/**
-	 * Check if app is already downloaded
-	 * @param string $name name of the application to remove
-	 * @return boolean
-	 *
-	 * The function will check if the app is already downloaded in the apps repository
-	 */
-	public function isDownloaded($name) {
-		foreach (\OC::$APPSROOTS as $dir) {
-			$dirToTest = $dir['path'];
-			$dirToTest .= '/';
-			$dirToTest .= $name;
-			$dirToTest .= '/';
-
-			if (is_dir($dirToTest)) {
-				return true;
-			}
-		}
-
-		return false;
-	}
-
-	/**
-	 * Removes an app
-	 * @param string $appId ID of the application to remove
-	 * @return boolean
-	 *
-	 *
-	 * This function works as follows
-	 *   -# call uninstall repair steps
-	 *   -# removing the files
-	 *
-	 * The function will not delete preferences, tables and the configuration,
-	 * this has to be done by the function oc_app_uninstall().
-	 */
-	public function removeApp($appId) {
-		if ($this->isDownloaded($appId)) {
-			if (\OC::$server->getAppManager()->isShipped($appId)) {
-				return false;
-			}
-			$appDir = OC_App::getInstallPath() . '/' . $appId;
-			OC_Helper::rmdirr($appDir);
-			return true;
-		} else {
-			\OCP\Util::writeLog('core', 'can\'t remove app '.$appId.'. It is not installed.', ILogger::ERROR);
-
-			return false;
-		}
-	}
-
-	/**
-	 * Installs the app within the bundle and marks the bundle as installed
-	 *
-	 * @param Bundle $bundle
-	 * @throws \Exception If app could not get installed
-	 */
-	public function installAppBundle(Bundle $bundle) {
-		$appIds = $bundle->getAppIdentifiers();
-		foreach ($appIds as $appId) {
-			if (!$this->isDownloaded($appId)) {
-				$this->downloadApp($appId);
-			}
-			$this->installApp($appId);
-			$app = new OC_App();
-			$app->enable($appId);
-		}
-		$bundles = json_decode($this->config->getAppValue('core', 'installed.bundles', json_encode([])), true);
-		$bundles[] = $bundle->getIdentifier();
-		$this->config->setAppValue('core', 'installed.bundles', json_encode($bundles));
-	}
-
-	/**
-	 * Installs shipped apps
-	 *
-	 * This function installs all apps found in the 'apps' directory that should be enabled by default;
-	 * @param bool $softErrors When updating we ignore errors and simply log them, better to have a
-	 *                         working ownCloud at the end instead of an aborted update.
-	 * @return array Array of error messages (appid => Exception)
-	 */
-	public static function installShippedApps($softErrors = false) {
-		$appManager = \OC::$server->getAppManager();
-		$config = \OC::$server->getConfig();
-		$errors = [];
-		foreach (\OC::$APPSROOTS as $app_dir) {
-			if ($dir = opendir($app_dir['path'])) {
-				while (false !== ($filename = readdir($dir))) {
-					if ($filename[0] !== '.' and is_dir($app_dir['path']."/$filename")) {
-						if (file_exists($app_dir['path']."/$filename/appinfo/info.xml")) {
-							if ($config->getAppValue($filename, "installed_version", null) === null) {
-								$info = OC_App::getAppInfo($filename);
-								$enabled = isset($info['default_enable']);
-								if (($enabled || in_array($filename, $appManager->getAlwaysEnabledApps()))
-									  && $config->getAppValue($filename, 'enabled') !== 'no') {
-									if ($softErrors) {
-										try {
-											Installer::installShippedApp($filename);
-										} catch (HintException $e) {
-											if ($e->getPrevious() instanceof TableExistsException) {
-												$errors[$filename] = $e;
-												continue;
-											}
-											throw $e;
-										}
-									} else {
-										Installer::installShippedApp($filename);
-									}
-									$config->setAppValue($filename, 'enabled', 'yes');
-								}
-							}
-						}
-					}
-				}
-				closedir($dir);
-			}
-		}
-
-		return $errors;
-	}
-
-	/**
-	 * install an app already placed in the app folder
-	 * @param string $app id of the app to install
-	 * @return integer
-	 */
-	public static function installShippedApp($app) {
-		//install the database
-		$appPath = OC_App::getAppPath($app);
-		\OC_App::registerAutoloading($app, $appPath);
-
-		if (is_file("$appPath/appinfo/database.xml")) {
-			try {
-				OC_DB::createDbFromStructure("$appPath/appinfo/database.xml");
-			} catch (TableExistsException $e) {
-				throw new HintException(
-					'Failed to enable app ' . $app,
-					'Please ask for help via one of our <a href="https://nextcloud.com/support/" target="_blank" rel="noreferrer noopener">support channels</a>.',
-					0, $e
-				);
-			}
-		} else {
-			$ms = new \OC\DB\MigrationService($app, \OC::$server->get(Connection::class));
-			$ms->migrate('latest', true);
-		}
-
-		//run appinfo/install.php
-		self::includeAppScript("$appPath/appinfo/install.php");
-
-		$info = OC_App::getAppInfo($app);
-		if (is_null($info)) {
-			return false;
-		}
-		\OC_App::setupBackgroundJobs($info['background-jobs']);
-
-		OC_App::executeRepairSteps($app, $info['repair-steps']['install']);
-
-		$config = \OC::$server->getConfig();
-
-		$config->setAppValue($app, 'installed_version', OC_App::getAppVersion($app));
-		if (array_key_exists('ocsid', $info)) {
-			$config->setAppValue($app, 'ocsid', $info['ocsid']);
-		}
-
-		//set remote/public handlers
-		foreach ($info['remote'] as $name => $path) {
-			$config->setAppValue('core', 'remote_'.$name, $app.'/'.$path);
-		}
-		foreach ($info['public'] as $name => $path) {
-			$config->setAppValue('core', 'public_'.$name, $app.'/'.$path);
-		}
-
-		OC_App::setAppTypes($info['id']);
-
-		return $info['id'];
-	}
-
-	/**
-	 * @param string $script
-	 */
-	private static function includeAppScript($script) {
-		if (file_exists($script)) {
-			include $script;
-		}
-	}
+    /** @var AppFetcher */
+    private $appFetcher;
+    /** @var IClientService */
+    private $clientService;
+    /** @var ITempManager */
+    private $tempManager;
+    /** @var ILogger */
+    private $logger;
+    /** @var IConfig */
+    private $config;
+    /** @var array - for caching the result of app fetcher */
+    private $apps = null;
+    /** @var bool|null - for caching the result of the ready status */
+    private $isInstanceReadyForUpdates = null;
+    /** @var bool */
+    private $isCLI;
+
+    /**
+     * @param AppFetcher $appFetcher
+     * @param IClientService $clientService
+     * @param ITempManager $tempManager
+     * @param ILogger $logger
+     * @param IConfig $config
+     */
+    public function __construct(
+        AppFetcher $appFetcher,
+        IClientService $clientService,
+        ITempManager $tempManager,
+        ILogger $logger,
+        IConfig $config,
+        bool $isCLI
+    ) {
+        $this->appFetcher = $appFetcher;
+        $this->clientService = $clientService;
+        $this->tempManager = $tempManager;
+        $this->logger = $logger;
+        $this->config = $config;
+        $this->isCLI = $isCLI;
+    }
+
+    /**
+     * Installs an app that is located in one of the app folders already
+     *
+     * @param string $appId App to install
+     * @param bool $forceEnable
+     * @throws \Exception
+     * @return string app ID
+     */
+    public function installApp(string $appId, bool $forceEnable = false): string {
+        $app = \OC_App::findAppInDirectories($appId);
+        if ($app === false) {
+            throw new \Exception('App not found in any app directory');
+        }
+
+        $basedir = $app['path'].'/'.$appId;
+        $info = OC_App::getAppInfo($basedir.'/appinfo/info.xml', true);
+
+        $l = \OC::$server->getL10N('core');
+
+        if (!is_array($info)) {
+            throw new \Exception(
+                $l->t('App "%s" cannot be installed because appinfo file cannot be read.',
+                    [$appId]
+                )
+            );
+        }
+
+        $ignoreMaxApps = $this->config->getSystemValue('app_install_overwrite', []);
+        $ignoreMax = $forceEnable || in_array($appId, $ignoreMaxApps, true);
+
+        $version = implode('.', \OCP\Util::getVersion());
+        if (!\OC_App::isAppCompatible($version, $info, $ignoreMax)) {
+            throw new \Exception(
+                // TODO $l
+                $l->t('App "%s" cannot be installed because it is not compatible with this version of the server.',
+                    [$info['name']]
+                )
+            );
+        }
+
+        // check for required dependencies
+        \OC_App::checkAppDependencies($this->config, $l, $info, $ignoreMax);
+        /** @var Coordinator $coordinator */
+        $coordinator = \OC::$server->get(Coordinator::class);
+        $coordinator->runLazyRegistration($appId);
+        \OC_App::registerAutoloading($appId, $basedir);
+
+        $previousVersion = $this->config->getAppValue($info['id'], 'installed_version', false);
+        if ($previousVersion) {
+            OC_App::executeRepairSteps($appId, $info['repair-steps']['pre-migration']);
+        }
+
+        //install the database
+        if (is_file($basedir.'/appinfo/database.xml')) {
+            if (\OC::$server->getConfig()->getAppValue($info['id'], 'installed_version') === null) {
+                OC_DB::createDbFromStructure($basedir.'/appinfo/database.xml');
+            } else {
+                OC_DB::updateDbFromStructure($basedir.'/appinfo/database.xml');
+            }
+        } else {
+            $ms = new \OC\DB\MigrationService($info['id'], \OC::$server->get(Connection::class));
+            $ms->migrate('latest', true);
+        }
+        if ($previousVersion) {
+            OC_App::executeRepairSteps($appId, $info['repair-steps']['post-migration']);
+        }
+
+        \OC_App::setupBackgroundJobs($info['background-jobs']);
+
+        //run appinfo/install.php
+        self::includeAppScript($basedir . '/appinfo/install.php');
+
+        $appData = OC_App::getAppInfo($appId);
+        OC_App::executeRepairSteps($appId, $appData['repair-steps']['install']);
+
+        //set the installed version
+        \OC::$server->getConfig()->setAppValue($info['id'], 'installed_version', OC_App::getAppVersion($info['id'], false));
+        \OC::$server->getConfig()->setAppValue($info['id'], 'enabled', 'no');
+
+        //set remote/public handlers
+        foreach ($info['remote'] as $name => $path) {
+            \OC::$server->getConfig()->setAppValue('core', 'remote_'.$name, $info['id'].'/'.$path);
+        }
+        foreach ($info['public'] as $name => $path) {
+            \OC::$server->getConfig()->setAppValue('core', 'public_'.$name, $info['id'].'/'.$path);
+        }
+
+        OC_App::setAppTypes($info['id']);
+
+        return $info['id'];
+    }
+
+    /**
+     * Updates the specified app from the appstore
+     *
+     * @param string $appId
+     * @param bool [$allowUnstable] Allow unstable releases
+     * @return bool
+     */
+    public function updateAppstoreApp($appId, $allowUnstable = false) {
+        if ($this->isUpdateAvailable($appId, $allowUnstable)) {
+            try {
+                $this->downloadApp($appId, $allowUnstable);
+            } catch (\Exception $e) {
+                $this->logger->logException($e, [
+                    'level' => ILogger::ERROR,
+                    'app' => 'core',
+                ]);
+                return false;
+            }
+            return OC_App::updateApp($appId);
+        }
+
+        return false;
+    }
+
+    /**
+     * Split the certificate file in individual certs
+     *
+     * @param string $cert
+     * @return string[]
+     */
+    private function splitCerts(string $cert): array {
+        preg_match_all('([\-]{3,}[\S\ ]+?[\-]{3,}[\S\s]+?[\-]{3,}[\S\ ]+?[\-]{3,})', $cert, $matches);
+
+        return $matches[0];
+    }
+
+    /**
+     * Downloads an app and puts it into the app directory
+     *
+     * @param string $appId
+     * @param bool [$allowUnstable]
+     *
+     * @throws \Exception If the installation was not successful
+     */
+    public function downloadApp($appId, $allowUnstable = false) {
+        $appId = strtolower($appId);
+
+        $apps = $this->appFetcher->get($allowUnstable);
+        foreach ($apps as $app) {
+            if ($app['id'] === $appId) {
+                // Load the certificate
+                $certificate = new X509();
+                $rootCrt = file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt');
+                $rootCrts = $this->splitCerts($rootCrt);
+                foreach ($rootCrts as $rootCrt) {
+                    $certificate->loadCA($rootCrt);
+                }
+                $loadedCertificate = $certificate->loadX509($app['certificate']);
+
+                // Verify if the certificate has been revoked
+                $crl = new X509();
+                foreach ($rootCrts as $rootCrt) {
+                    $crl->loadCA($rootCrt);
+                }
+                $crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl'));
+                if ($crl->validateSignature() !== true) {
+                    throw new \Exception('Could not validate CRL signature');
+                }
+                $csn = $loadedCertificate['tbsCertificate']['serialNumber']->toString();
+                $revoked = $crl->getRevoked($csn);
+                if ($revoked !== false) {
+                    throw new \Exception(
+                        sprintf(
+                            'Certificate "%s" has been revoked',
+                            $csn
+                        )
+                    );
+                }
+
+                // Verify if the certificate has been issued by the Nextcloud Code Authority CA
+                if ($certificate->validateSignature() !== true) {
+                    throw new \Exception(
+                        sprintf(
+                            'App with id %s has a certificate not issued by a trusted Code Signing Authority',
+                            $appId
+                        )
+                    );
+                }
+
+                // Verify if the certificate is issued for the requested app id
+                $certInfo = openssl_x509_parse($app['certificate']);
+                if (!isset($certInfo['subject']['CN'])) {
+                    throw new \Exception(
+                        sprintf(
+                            'App with id %s has a cert with no CN',
+                            $appId
+                        )
+                    );
+                }
+                if ($certInfo['subject']['CN'] !== $appId) {
+                    throw new \Exception(
+                        sprintf(
+                            'App with id %s has a cert issued to %s',
+                            $appId,
+                            $certInfo['subject']['CN']
+                        )
+                    );
+                }
+
+                // Download the release
+                $tempFile = $this->tempManager->getTemporaryFile('.tar.gz');
+                $timeout = $this->isCLI ? 0 : 120;
+                $client = $this->clientService->newClient();
+                $client->get($app['releases'][0]['download'], ['sink' => $tempFile, 'timeout' => $timeout]);
+
+                // Check if the signature actually matches the downloaded content
+                $certificate = openssl_get_publickey($app['certificate']);
+                $verified = (bool)openssl_verify(file_get_contents($tempFile), base64_decode($app['releases'][0]['signature']), $certificate, OPENSSL_ALGO_SHA512);
+                openssl_free_key($certificate);
+
+                if ($verified === true) {
+                    // Seems to match, let's proceed
+                    $extractDir = $this->tempManager->getTemporaryFolder();
+                    $archive = new TAR($tempFile);
+
+                    if ($archive) {
+                        if (!$archive->extract($extractDir)) {
+                            $errorMessage = 'Could not extract app ' . $appId;
+
+                            $archiveError = $archive->getError();
+                            if ($archiveError instanceof \PEAR_Error) {
+                                $errorMessage .= ': ' . $archiveError->getMessage();
+                            }
+
+                            throw new \Exception($errorMessage);
+                        }
+                        $allFiles = scandir($extractDir);
+                        $folders = array_diff($allFiles, ['.', '..']);
+                        $folders = array_values($folders);
+
+                        if (count($folders) > 1) {
+                            throw new \Exception(
+                                sprintf(
+                                    'Extracted app %s has more than 1 folder',
+                                    $appId
+                                )
+                            );
+                        }
+
+                        // Check if appinfo/info.xml has the same app ID as well
+                        $loadEntities = libxml_disable_entity_loader(false);
+                        $xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+                        libxml_disable_entity_loader($loadEntities);
+                        if ((string)$xml->id !== $appId) {
+                            throw new \Exception(
+                                sprintf(
+                                    'App for id %s has a wrong app ID in info.xml: %s',
+                                    $appId,
+                                    (string)$xml->id
+                                )
+                            );
+                        }
+
+                        // Check if the version is lower than before
+                        $currentVersion = OC_App::getAppVersion($appId);
+                        $newVersion = (string)$xml->version;
+                        if (version_compare($currentVersion, $newVersion) === 1) {
+                            throw new \Exception(
+                                sprintf(
+                                    'App for id %s has version %s and tried to update to lower version %s',
+                                    $appId,
+                                    $currentVersion,
+                                    $newVersion
+                                )
+                            );
+                        }
+
+                        $baseDir = OC_App::getInstallPath() . '/' . $appId;
+                        // Remove old app with the ID if existent
+                        OC_Helper::rmdirr($baseDir);
+                        // Move to app folder
+                        if (@mkdir($baseDir)) {
+                            $extractDir .= '/' . $folders[0];
+                            OC_Helper::copyr($extractDir, $baseDir);
+                        }
+                        OC_Helper::copyr($extractDir, $baseDir);
+                        OC_Helper::rmdirr($extractDir);
+                        return;
+                    } else {
+                        throw new \Exception(
+                            sprintf(
+                                'Could not extract app with ID %s to %s',
+                                $appId,
+                                $extractDir
+                            )
+                        );
+                    }
+                } else {
+                    // Signature does not match
+                    throw new \Exception(
+                        sprintf(
+                            'App with id %s has invalid signature',
+                            $appId
+                        )
+                    );
+                }
+            }
+        }
+
+        throw new \Exception(
+            sprintf(
+                'Could not download app %s',
+                $appId
+            )
+        );
+    }
+
+    /**
+     * Check if an update for the app is available
+     *
+     * @param string $appId
+     * @param bool $allowUnstable
+     * @return string|false false or the version number of the update
+     */
+    public function isUpdateAvailable($appId, $allowUnstable = false) {
+        if ($this->isInstanceReadyForUpdates === null) {
+            $installPath = OC_App::getInstallPath();
+            if ($installPath === false || $installPath === null) {
+                $this->isInstanceReadyForUpdates = false;
+            } else {
+                $this->isInstanceReadyForUpdates = true;
+            }
+        }
+
+        if ($this->isInstanceReadyForUpdates === false) {
+            return false;
+        }
+
+        if ($this->isInstalledFromGit($appId) === true) {
+            return false;
+        }
+
+        if ($this->apps === null) {
+            $this->apps = $this->appFetcher->get($allowUnstable);
+        }
+
+        foreach ($this->apps as $app) {
+            if ($app['id'] === $appId) {
+                $currentVersion = OC_App::getAppVersion($appId);
+
+                if (!isset($app['releases'][0]['version'])) {
+                    return false;
+                }
+                $newestVersion = $app['releases'][0]['version'];
+                if ($currentVersion !== '0' && version_compare($newestVersion, $currentVersion, '>')) {
+                    return $newestVersion;
+                } else {
+                    return false;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Check if app has been installed from git
+     * @param string $name name of the application to remove
+     * @return boolean
+     *
+     * The function will check if the path contains a .git folder
+     */
+    private function isInstalledFromGit($appId) {
+        $app = \OC_App::findAppInDirectories($appId);
+        if ($app === false) {
+            return false;
+        }
+        $basedir = $app['path'].'/'.$appId;
+        return file_exists($basedir.'/.git/');
+    }
+
+    /**
+     * Check if app is already downloaded
+     * @param string $name name of the application to remove
+     * @return boolean
+     *
+     * The function will check if the app is already downloaded in the apps repository
+     */
+    public function isDownloaded($name) {
+        foreach (\OC::$APPSROOTS as $dir) {
+            $dirToTest = $dir['path'];
+            $dirToTest .= '/';
+            $dirToTest .= $name;
+            $dirToTest .= '/';
+
+            if (is_dir($dirToTest)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Removes an app
+     * @param string $appId ID of the application to remove
+     * @return boolean
+     *
+     *
+     * This function works as follows
+     *   -# call uninstall repair steps
+     *   -# removing the files
+     *
+     * The function will not delete preferences, tables and the configuration,
+     * this has to be done by the function oc_app_uninstall().
+     */
+    public function removeApp($appId) {
+        if ($this->isDownloaded($appId)) {
+            if (\OC::$server->getAppManager()->isShipped($appId)) {
+                return false;
+            }
+            $appDir = OC_App::getInstallPath() . '/' . $appId;
+            OC_Helper::rmdirr($appDir);
+            return true;
+        } else {
+            \OCP\Util::writeLog('core', 'can\'t remove app '.$appId.'. It is not installed.', ILogger::ERROR);
+
+            return false;
+        }
+    }
+
+    /**
+     * Installs the app within the bundle and marks the bundle as installed
+     *
+     * @param Bundle $bundle
+     * @throws \Exception If app could not get installed
+     */
+    public function installAppBundle(Bundle $bundle) {
+        $appIds = $bundle->getAppIdentifiers();
+        foreach ($appIds as $appId) {
+            if (!$this->isDownloaded($appId)) {
+                $this->downloadApp($appId);
+            }
+            $this->installApp($appId);
+            $app = new OC_App();
+            $app->enable($appId);
+        }
+        $bundles = json_decode($this->config->getAppValue('core', 'installed.bundles', json_encode([])), true);
+        $bundles[] = $bundle->getIdentifier();
+        $this->config->setAppValue('core', 'installed.bundles', json_encode($bundles));
+    }
+
+    /**
+     * Installs shipped apps
+     *
+     * This function installs all apps found in the 'apps' directory that should be enabled by default;
+     * @param bool $softErrors When updating we ignore errors and simply log them, better to have a
+     *                         working ownCloud at the end instead of an aborted update.
+     * @return array Array of error messages (appid => Exception)
+     */
+    public static function installShippedApps($softErrors = false) {
+        $appManager = \OC::$server->getAppManager();
+        $config = \OC::$server->getConfig();
+        $errors = [];
+        foreach (\OC::$APPSROOTS as $app_dir) {
+            if ($dir = opendir($app_dir['path'])) {
+                while (false !== ($filename = readdir($dir))) {
+                    if ($filename[0] !== '.' and is_dir($app_dir['path']."/$filename")) {
+                        if (file_exists($app_dir['path']."/$filename/appinfo/info.xml")) {
+                            if ($config->getAppValue($filename, "installed_version", null) === null) {
+                                $info = OC_App::getAppInfo($filename);
+                                $enabled = isset($info['default_enable']);
+                                if (($enabled || in_array($filename, $appManager->getAlwaysEnabledApps()))
+                                      && $config->getAppValue($filename, 'enabled') !== 'no') {
+                                    if ($softErrors) {
+                                        try {
+                                            Installer::installShippedApp($filename);
+                                        } catch (HintException $e) {
+                                            if ($e->getPrevious() instanceof TableExistsException) {
+                                                $errors[$filename] = $e;
+                                                continue;
+                                            }
+                                            throw $e;
+                                        }
+                                    } else {
+                                        Installer::installShippedApp($filename);
+                                    }
+                                    $config->setAppValue($filename, 'enabled', 'yes');
+                                }
+                            }
+                        }
+                    }
+                }
+                closedir($dir);
+            }
+        }
+
+        return $errors;
+    }
+
+    /**
+     * install an app already placed in the app folder
+     * @param string $app id of the app to install
+     * @return integer
+     */
+    public static function installShippedApp($app) {
+        //install the database
+        $appPath = OC_App::getAppPath($app);
+        \OC_App::registerAutoloading($app, $appPath);
+
+        if (is_file("$appPath/appinfo/database.xml")) {
+            try {
+                OC_DB::createDbFromStructure("$appPath/appinfo/database.xml");
+            } catch (TableExistsException $e) {
+                throw new HintException(
+                    'Failed to enable app ' . $app,
+                    'Please ask for help via one of our <a href="https://nextcloud.com/support/" target="_blank" rel="noreferrer noopener">support channels</a>.',
+                    0, $e
+                );
+            }
+        } else {
+            $ms = new \OC\DB\MigrationService($app, \OC::$server->get(Connection::class));
+            $ms->migrate('latest', true);
+        }
+
+        //run appinfo/install.php
+        self::includeAppScript("$appPath/appinfo/install.php");
+
+        $info = OC_App::getAppInfo($app);
+        if (is_null($info)) {
+            return false;
+        }
+        \OC_App::setupBackgroundJobs($info['background-jobs']);
+
+        OC_App::executeRepairSteps($app, $info['repair-steps']['install']);
+
+        $config = \OC::$server->getConfig();
+
+        $config->setAppValue($app, 'installed_version', OC_App::getAppVersion($app));
+        if (array_key_exists('ocsid', $info)) {
+            $config->setAppValue($app, 'ocsid', $info['ocsid']);
+        }
+
+        //set remote/public handlers
+        foreach ($info['remote'] as $name => $path) {
+            $config->setAppValue('core', 'remote_'.$name, $app.'/'.$path);
+        }
+        foreach ($info['public'] as $name => $path) {
+            $config->setAppValue('core', 'public_'.$name, $app.'/'.$path);
+        }
+
+        OC_App::setAppTypes($info['id']);
+
+        return $info['id'];
+    }
+
+    /**
+     * @param string $script
+     */
+    private static function includeAppScript($script) {
+        if (file_exists($script)) {
+            include $script;
+        }
+    }
 }

Spacing +14 added lines, -14 removed lines

@@ -169,7 +169,7 @@ 
 		\OC_App::setupBackgroundJobs($info['background-jobs']);
 
 		//run appinfo/install.php
-		self::includeAppScript($basedir . '/appinfo/install.php');
+		self::includeAppScript($basedir.'/appinfo/install.php');
 
 		$appData = OC_App::getAppInfo($appId);
 		OC_App::executeRepairSteps($appId, $appData['repair-steps']['install']);
@@ -243,7 +243,7 @@ 
 			if ($app['id'] === $appId) {
 				// Load the certificate
 				$certificate = new X509();
-				$rootCrt = file_get_contents(__DIR__ . '/../../resources/codesigning/root.crt');
+				$rootCrt = file_get_contents(__DIR__.'/../../resources/codesigning/root.crt');
 				$rootCrts = $this->splitCerts($rootCrt);
 				foreach ($rootCrts as $rootCrt) {
 					$certificate->loadCA($rootCrt);
@@ -255,7 +255,7 @@ 
 				foreach ($rootCrts as $rootCrt) {
 					$crl->loadCA($rootCrt);
 				}
-				$crl->loadCRL(file_get_contents(__DIR__ . '/../../resources/codesigning/root.crl'));
+				$crl->loadCRL(file_get_contents(__DIR__.'/../../resources/codesigning/root.crl'));
 				if ($crl->validateSignature() !== true) {
 					throw new \Exception('Could not validate CRL signature');
 				}
@@ -308,7 +308,7 @@ 
 
 				// Check if the signature actually matches the downloaded content
 				$certificate = openssl_get_publickey($app['certificate']);
-				$verified = (bool)openssl_verify(file_get_contents($tempFile), base64_decode($app['releases'][0]['signature']), $certificate, OPENSSL_ALGO_SHA512);
+				$verified = (bool) openssl_verify(file_get_contents($tempFile), base64_decode($app['releases'][0]['signature']), $certificate, OPENSSL_ALGO_SHA512);
 				openssl_free_key($certificate);
 
 				if ($verified === true) {
@@ -318,11 +318,11 @@ 
 
 					if ($archive) {
 						if (!$archive->extract($extractDir)) {
-							$errorMessage = 'Could not extract app ' . $appId;
+							$errorMessage = 'Could not extract app '.$appId;
 
 							$archiveError = $archive->getError();
 							if ($archiveError instanceof \PEAR_Error) {
-								$errorMessage .= ': ' . $archiveError->getMessage();
+								$errorMessage .= ': '.$archiveError->getMessage();
 							}
 
 							throw new \Exception($errorMessage);
@@ -342,21 +342,21 @@ 
 
 						// Check if appinfo/info.xml has the same app ID as well
 						$loadEntities = libxml_disable_entity_loader(false);
-						$xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+						$xml = simplexml_load_file($extractDir.'/'.$folders[0].'/appinfo/info.xml');
 						libxml_disable_entity_loader($loadEntities);
-						if ((string)$xml->id !== $appId) {
+						if ((string) $xml->id !== $appId) {
 							throw new \Exception(
 								sprintf(
 									'App for id %s has a wrong app ID in info.xml: %s',
 									$appId,
-									(string)$xml->id
+									(string) $xml->id
 								)
 							);
 						}
 
 						// Check if the version is lower than before
 						$currentVersion = OC_App::getAppVersion($appId);
-						$newVersion = (string)$xml->version;
+						$newVersion = (string) $xml->version;
 						if (version_compare($currentVersion, $newVersion) === 1) {
 							throw new \Exception(
 								sprintf(
@@ -368,12 +368,12 @@ 
 							);
 						}
 
-						$baseDir = OC_App::getInstallPath() . '/' . $appId;
+						$baseDir = OC_App::getInstallPath().'/'.$appId;
 						// Remove old app with the ID if existent
 						OC_Helper::rmdirr($baseDir);
 						// Move to app folder
 						if (@mkdir($baseDir)) {
-							$extractDir .= '/' . $folders[0];
+							$extractDir .= '/'.$folders[0];
 							OC_Helper::copyr($extractDir, $baseDir);
 						}
 						OC_Helper::copyr($extractDir, $baseDir);
@@ -512,7 +512,7 @@ 
 			if (\OC::$server->getAppManager()->isShipped($appId)) {
 				return false;
 			}
-			$appDir = OC_App::getInstallPath() . '/' . $appId;
+			$appDir = OC_App::getInstallPath().'/'.$appId;
 			OC_Helper::rmdirr($appDir);
 			return true;
 		} else {
@@ -606,7 +606,7 @@ 
 				OC_DB::createDbFromStructure("$appPath/appinfo/database.xml");
 			} catch (TableExistsException $e) {
 				throw new HintException(
-					'Failed to enable app ' . $app,
+					'Failed to enable app '.$app,
 					'Please ask for help via one of our <a href="https://nextcloud.com/support/" target="_blank" rel="noreferrer noopener">support channels</a>.',
 					0, $e
 				);

apps/files_external/lib/Lib/Storage/SFTP.php

Indentation +428 added lines, -428 removed lines

@@ -46,432 +46,432 @@
  * provide access to SFTP servers.
  */
 class SFTP extends \OC\Files\Storage\Common {
-	private $host;
-	private $user;
-	private $root;
-	private $port = 22;
-
-	private $auth = [];
-
-	/**
-	 * @var \phpseclib\Net\SFTP
-	 */
-	protected $client;
-
-	/**
-	 * @param string $host protocol://server:port
-	 * @return array [$server, $port]
-	 */
-	private function splitHost($host) {
-		$input = $host;
-		if (strpos($host, '://') === false) {
-			// add a protocol to fix parse_url behavior with ipv6
-			$host = 'http://' . $host;
-		}
-
-		$parsed = parse_url($host);
-		if (is_array($parsed) && isset($parsed['port'])) {
-			return [$parsed['host'], $parsed['port']];
-		} elseif (is_array($parsed)) {
-			return [$parsed['host'], 22];
-		} else {
-			return [$input, 22];
-		}
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function __construct($params) {
-		// Register sftp://
-		Stream::register();
-
-		$parsedHost = $this->splitHost($params['host']);
-
-		$this->host = $parsedHost[0];
-		$this->port = $parsedHost[1];
-
-		if (!isset($params['user'])) {
-			throw new \UnexpectedValueException('no authentication parameters specified');
-		}
-		$this->user = $params['user'];
-
-		if (isset($params['public_key_auth'])) {
-			$this->auth[] = $params['public_key_auth'];
-		}
-		if (isset($params['password']) && $params['password'] !== '') {
-			$this->auth[] = $params['password'];
-		}
-
-		if ($this->auth === []) {
-			throw new \UnexpectedValueException('no authentication parameters specified');
-		}
-
-		$this->root
-			= isset($params['root']) ? $this->cleanPath($params['root']) : '/';
-
-		$this->root = '/' . ltrim($this->root, '/');
-		$this->root = rtrim($this->root, '/') . '/';
-	}
-
-	/**
-	 * Returns the connection.
-	 *
-	 * @return \phpseclib\Net\SFTP connected client instance
-	 * @throws \Exception when the connection failed
-	 */
-	public function getConnection() {
-		if (!is_null($this->client)) {
-			return $this->client;
-		}
-
-		$hostKeys = $this->readHostKeys();
-		$this->client = new \phpseclib\Net\SFTP($this->host, $this->port);
-
-		// The SSH Host Key MUST be verified before login().
-		$currentHostKey = $this->client->getServerPublicHostKey();
-		if (array_key_exists($this->host, $hostKeys)) {
-			if ($hostKeys[$this->host] !== $currentHostKey) {
-				throw new \Exception('Host public key does not match known key');
-			}
-		} else {
-			$hostKeys[$this->host] = $currentHostKey;
-			$this->writeHostKeys($hostKeys);
-		}
-
-		$login = false;
-		foreach ($this->auth as $auth) {
-			/** @psalm-suppress TooManyArguments */
-			$login = $this->client->login($this->user, $auth);
-			if ($login === true) {
-				break;
-			}
-		}
-
-		if ($login === false) {
-			throw new \Exception('Login failed');
-		}
-		return $this->client;
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function test() {
-		if (
-			!isset($this->host)
-			|| !isset($this->user)
-		) {
-			return false;
-		}
-		return $this->getConnection()->nlist() !== false;
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function getId() {
-		$id = 'sftp::' . $this->user . '@' . $this->host;
-		if ($this->port !== 22) {
-			$id .= ':' . $this->port;
-		}
-		// note: this will double the root slash,
-		// we should not change it to keep compatible with
-		// old storage ids
-		$id .= '/' . $this->root;
-		return $id;
-	}
-
-	/**
-	 * @return string
-	 */
-	public function getHost() {
-		return $this->host;
-	}
-
-	/**
-	 * @return string
-	 */
-	public function getRoot() {
-		return $this->root;
-	}
-
-	/**
-	 * @return mixed
-	 */
-	public function getUser() {
-		return $this->user;
-	}
-
-	/**
-	 * @param string $path
-	 * @return string
-	 */
-	private function absPath($path) {
-		return $this->root . $this->cleanPath($path);
-	}
-
-	/**
-	 * @return string|false
-	 */
-	private function hostKeysPath() {
-		try {
-			$storage_view = \OCP\Files::getStorage('files_external');
-			if ($storage_view) {
-				return \OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data') .
-					$storage_view->getAbsolutePath('') .
-					'ssh_hostKeys';
-			}
-		} catch (\Exception $e) {
-		}
-		return false;
-	}
-
-	/**
-	 * @param $keys
-	 * @return bool
-	 */
-	protected function writeHostKeys($keys) {
-		try {
-			$keyPath = $this->hostKeysPath();
-			if ($keyPath && file_exists($keyPath)) {
-				$fp = fopen($keyPath, 'w');
-				foreach ($keys as $host => $key) {
-					fwrite($fp, $host . '::' . $key . "\n");
-				}
-				fclose($fp);
-				return true;
-			}
-		} catch (\Exception $e) {
-		}
-		return false;
-	}
-
-	/**
-	 * @return array
-	 */
-	protected function readHostKeys() {
-		try {
-			$keyPath = $this->hostKeysPath();
-			if (file_exists($keyPath)) {
-				$hosts = [];
-				$keys = [];
-				$lines = file($keyPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
-				if ($lines) {
-					foreach ($lines as $line) {
-						$hostKeyArray = explode("::", $line, 2);
-						if (count($hostKeyArray) === 2) {
-							$hosts[] = $hostKeyArray[0];
-							$keys[] = $hostKeyArray[1];
-						}
-					}
-					return array_combine($hosts, $keys);
-				}
-			}
-		} catch (\Exception $e) {
-		}
-		return [];
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function mkdir($path) {
-		try {
-			return $this->getConnection()->mkdir($this->absPath($path));
-		} catch (\Exception $e) {
-			return false;
-		}
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function rmdir($path) {
-		try {
-			$result = $this->getConnection()->delete($this->absPath($path), true);
-			// workaround: stray stat cache entry when deleting empty folders
-			// see https://github.com/phpseclib/phpseclib/issues/706
-			$this->getConnection()->clearStatCache();
-			return $result;
-		} catch (\Exception $e) {
-			return false;
-		}
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function opendir($path) {
-		try {
-			$list = $this->getConnection()->nlist($this->absPath($path));
-			if ($list === false) {
-				return false;
-			}
-
-			$id = md5('sftp:' . $path);
-			$dirStream = [];
-			foreach ($list as $file) {
-				if ($file !== '.' && $file !== '..') {
-					$dirStream[] = $file;
-				}
-			}
-			return IteratorDirectory::wrap($dirStream);
-		} catch (\Exception $e) {
-			return false;
-		}
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function filetype($path) {
-		try {
-			$stat = $this->getConnection()->stat($this->absPath($path));
-			if ((int) $stat['type'] === NET_SFTP_TYPE_REGULAR) {
-				return 'file';
-			}
-
-			if ((int) $stat['type'] === NET_SFTP_TYPE_DIRECTORY) {
-				return 'dir';
-			}
-		} catch (\Exception $e) {
-		}
-		return false;
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function file_exists($path) {
-		try {
-			return $this->getConnection()->stat($this->absPath($path)) !== false;
-		} catch (\Exception $e) {
-			return false;
-		}
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function unlink($path) {
-		try {
-			return $this->getConnection()->delete($this->absPath($path), true);
-		} catch (\Exception $e) {
-			return false;
-		}
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function fopen($path, $mode) {
-		try {
-			$absPath = $this->absPath($path);
-			switch ($mode) {
-				case 'r':
-				case 'rb':
-					if (!$this->file_exists($path)) {
-						return false;
-					}
-					SFTPReadStream::register();
-					$context = stream_context_create(['sftp' => ['session' => $this->getConnection()]]);
-					$handle = fopen('sftpread://' . trim($absPath, '/'), 'r', false, $context);
-					return RetryWrapper::wrap($handle);
-				case 'w':
-				case 'wb':
-					SFTPWriteStream::register();
-					$context = stream_context_create(['sftp' => ['session' => $this->getConnection()]]);
-					return fopen('sftpwrite://' . trim($absPath, '/'), 'w', false, $context);
-				case 'a':
-				case 'ab':
-				case 'r+':
-				case 'w+':
-				case 'wb+':
-				case 'a+':
-				case 'x':
-				case 'x+':
-				case 'c':
-				case 'c+':
-					$context = stream_context_create(['sftp' => ['session' => $this->getConnection()]]);
-					$handle = fopen($this->constructUrl($path), $mode, false, $context);
-					return RetryWrapper::wrap($handle);
-			}
-		} catch (\Exception $e) {
-		}
-		return false;
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function touch($path, $mtime = null) {
-		try {
-			if (!is_null($mtime)) {
-				return false;
-			}
-			if (!$this->file_exists($path)) {
-				$this->getConnection()->put($this->absPath($path), '');
-			} else {
-				return false;
-			}
-		} catch (\Exception $e) {
-			return false;
-		}
-		return true;
-	}
-
-	/**
-	 * @param string $path
-	 * @param string $target
-	 * @throws \Exception
-	 */
-	public function getFile($path, $target) {
-		$this->getConnection()->get($path, $target);
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function rename($source, $target) {
-		try {
-			if ($this->file_exists($target)) {
-				$this->unlink($target);
-			}
-			return $this->getConnection()->rename(
-				$this->absPath($source),
-				$this->absPath($target)
-			);
-		} catch (\Exception $e) {
-			return false;
-		}
-	}
-
-	/**
-	 * {@inheritdoc}
-	 */
-	public function stat($path) {
-		try {
-			$stat = $this->getConnection()->stat($this->absPath($path));
-
-			$mtime = $stat ? $stat['mtime'] : -1;
-			$size = $stat ? $stat['size'] : 0;
-
-			return ['mtime' => $mtime, 'size' => $size, 'ctime' => -1];
-		} catch (\Exception $e) {
-			return false;
-		}
-	}
-
-	/**
-	 * @param string $path
-	 * @return string
-	 */
-	public function constructUrl($path) {
-		// Do not pass the password here. We want to use the Net_SFTP object
-		// supplied via stream context or fail. We only supply username and
-		// hostname because this might show up in logs (they are not used).
-		$url = 'sftp://' . urlencode($this->user) . '@' . $this->host . ':' . $this->port . $this->root . $path;
-		return $url;
-	}
+    private $host;
+    private $user;
+    private $root;
+    private $port = 22;
+
+    private $auth = [];
+
+    /**
+     * @var \phpseclib\Net\SFTP
+     */
+    protected $client;
+
+    /**
+     * @param string $host protocol://server:port
+     * @return array [$server, $port]
+     */
+    private function splitHost($host) {
+        $input = $host;
+        if (strpos($host, '://') === false) {
+            // add a protocol to fix parse_url behavior with ipv6
+            $host = 'http://' . $host;
+        }
+
+        $parsed = parse_url($host);
+        if (is_array($parsed) && isset($parsed['port'])) {
+            return [$parsed['host'], $parsed['port']];
+        } elseif (is_array($parsed)) {
+            return [$parsed['host'], 22];
+        } else {
+            return [$input, 22];
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function __construct($params) {
+        // Register sftp://
+        Stream::register();
+
+        $parsedHost = $this->splitHost($params['host']);
+
+        $this->host = $parsedHost[0];
+        $this->port = $parsedHost[1];
+
+        if (!isset($params['user'])) {
+            throw new \UnexpectedValueException('no authentication parameters specified');
+        }
+        $this->user = $params['user'];
+
+        if (isset($params['public_key_auth'])) {
+            $this->auth[] = $params['public_key_auth'];
+        }
+        if (isset($params['password']) && $params['password'] !== '') {
+            $this->auth[] = $params['password'];
+        }
+
+        if ($this->auth === []) {
+            throw new \UnexpectedValueException('no authentication parameters specified');
+        }
+
+        $this->root
+            = isset($params['root']) ? $this->cleanPath($params['root']) : '/';
+
+        $this->root = '/' . ltrim($this->root, '/');
+        $this->root = rtrim($this->root, '/') . '/';
+    }
+
+    /**
+     * Returns the connection.
+     *
+     * @return \phpseclib\Net\SFTP connected client instance
+     * @throws \Exception when the connection failed
+     */
+    public function getConnection() {
+        if (!is_null($this->client)) {
+            return $this->client;
+        }
+
+        $hostKeys = $this->readHostKeys();
+        $this->client = new \phpseclib\Net\SFTP($this->host, $this->port);
+
+        // The SSH Host Key MUST be verified before login().
+        $currentHostKey = $this->client->getServerPublicHostKey();
+        if (array_key_exists($this->host, $hostKeys)) {
+            if ($hostKeys[$this->host] !== $currentHostKey) {
+                throw new \Exception('Host public key does not match known key');
+            }
+        } else {
+            $hostKeys[$this->host] = $currentHostKey;
+            $this->writeHostKeys($hostKeys);
+        }
+
+        $login = false;
+        foreach ($this->auth as $auth) {
+            /** @psalm-suppress TooManyArguments */
+            $login = $this->client->login($this->user, $auth);
+            if ($login === true) {
+                break;
+            }
+        }
+
+        if ($login === false) {
+            throw new \Exception('Login failed');
+        }
+        return $this->client;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function test() {
+        if (
+            !isset($this->host)
+            || !isset($this->user)
+        ) {
+            return false;
+        }
+        return $this->getConnection()->nlist() !== false;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getId() {
+        $id = 'sftp::' . $this->user . '@' . $this->host;
+        if ($this->port !== 22) {
+            $id .= ':' . $this->port;
+        }
+        // note: this will double the root slash,
+        // we should not change it to keep compatible with
+        // old storage ids
+        $id .= '/' . $this->root;
+        return $id;
+    }
+
+    /**
+     * @return string
+     */
+    public function getHost() {
+        return $this->host;
+    }
+
+    /**
+     * @return string
+     */
+    public function getRoot() {
+        return $this->root;
+    }
+
+    /**
+     * @return mixed
+     */
+    public function getUser() {
+        return $this->user;
+    }
+
+    /**
+     * @param string $path
+     * @return string
+     */
+    private function absPath($path) {
+        return $this->root . $this->cleanPath($path);
+    }
+
+    /**
+     * @return string|false
+     */
+    private function hostKeysPath() {
+        try {
+            $storage_view = \OCP\Files::getStorage('files_external');
+            if ($storage_view) {
+                return \OC::$server->getConfig()->getSystemValue('datadirectory', \OC::$SERVERROOT . '/data') .
+                    $storage_view->getAbsolutePath('') .
+                    'ssh_hostKeys';
+            }
+        } catch (\Exception $e) {
+        }
+        return false;
+    }
+
+    /**
+     * @param $keys
+     * @return bool
+     */
+    protected function writeHostKeys($keys) {
+        try {
+            $keyPath = $this->hostKeysPath();
+            if ($keyPath && file_exists($keyPath)) {
+                $fp = fopen($keyPath, 'w');
+                foreach ($keys as $host => $key) {
+                    fwrite($fp, $host . '::' . $key . "\n");
+                }
+                fclose($fp);
+                return true;
+            }
+        } catch (\Exception $e) {
+        }
+        return false;
+    }
+
+    /**
+     * @return array
+     */
+    protected function readHostKeys() {
+        try {
+            $keyPath = $this->hostKeysPath();
+            if (file_exists($keyPath)) {
+                $hosts = [];
+                $keys = [];
+                $lines = file($keyPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+                if ($lines) {
+                    foreach ($lines as $line) {
+                        $hostKeyArray = explode("::", $line, 2);
+                        if (count($hostKeyArray) === 2) {
+                            $hosts[] = $hostKeyArray[0];
+                            $keys[] = $hostKeyArray[1];
+                        }
+                    }
+                    return array_combine($hosts, $keys);
+                }
+            }
+        } catch (\Exception $e) {
+        }
+        return [];
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function mkdir($path) {
+        try {
+            return $this->getConnection()->mkdir($this->absPath($path));
+        } catch (\Exception $e) {
+            return false;
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function rmdir($path) {
+        try {
+            $result = $this->getConnection()->delete($this->absPath($path), true);
+            // workaround: stray stat cache entry when deleting empty folders
+            // see https://github.com/phpseclib/phpseclib/issues/706
+            $this->getConnection()->clearStatCache();
+            return $result;
+        } catch (\Exception $e) {
+            return false;
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function opendir($path) {
+        try {
+            $list = $this->getConnection()->nlist($this->absPath($path));
+            if ($list === false) {
+                return false;
+            }
+
+            $id = md5('sftp:' . $path);
+            $dirStream = [];
+            foreach ($list as $file) {
+                if ($file !== '.' && $file !== '..') {
+                    $dirStream[] = $file;
+                }
+            }
+            return IteratorDirectory::wrap($dirStream);
+        } catch (\Exception $e) {
+            return false;
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function filetype($path) {
+        try {
+            $stat = $this->getConnection()->stat($this->absPath($path));
+            if ((int) $stat['type'] === NET_SFTP_TYPE_REGULAR) {
+                return 'file';
+            }
+
+            if ((int) $stat['type'] === NET_SFTP_TYPE_DIRECTORY) {
+                return 'dir';
+            }
+        } catch (\Exception $e) {
+        }
+        return false;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function file_exists($path) {
+        try {
+            return $this->getConnection()->stat($this->absPath($path)) !== false;
+        } catch (\Exception $e) {
+            return false;
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function unlink($path) {
+        try {
+            return $this->getConnection()->delete($this->absPath($path), true);
+        } catch (\Exception $e) {
+            return false;
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function fopen($path, $mode) {
+        try {
+            $absPath = $this->absPath($path);
+            switch ($mode) {
+                case 'r':
+                case 'rb':
+                    if (!$this->file_exists($path)) {
+                        return false;
+                    }
+                    SFTPReadStream::register();
+                    $context = stream_context_create(['sftp' => ['session' => $this->getConnection()]]);
+                    $handle = fopen('sftpread://' . trim($absPath, '/'), 'r', false, $context);
+                    return RetryWrapper::wrap($handle);
+                case 'w':
+                case 'wb':
+                    SFTPWriteStream::register();
+                    $context = stream_context_create(['sftp' => ['session' => $this->getConnection()]]);
+                    return fopen('sftpwrite://' . trim($absPath, '/'), 'w', false, $context);
+                case 'a':
+                case 'ab':
+                case 'r+':
+                case 'w+':
+                case 'wb+':
+                case 'a+':
+                case 'x':
+                case 'x+':
+                case 'c':
+                case 'c+':
+                    $context = stream_context_create(['sftp' => ['session' => $this->getConnection()]]);
+                    $handle = fopen($this->constructUrl($path), $mode, false, $context);
+                    return RetryWrapper::wrap($handle);
+            }
+        } catch (\Exception $e) {
+        }
+        return false;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function touch($path, $mtime = null) {
+        try {
+            if (!is_null($mtime)) {
+                return false;
+            }
+            if (!$this->file_exists($path)) {
+                $this->getConnection()->put($this->absPath($path), '');
+            } else {
+                return false;
+            }
+        } catch (\Exception $e) {
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * @param string $path
+     * @param string $target
+     * @throws \Exception
+     */
+    public function getFile($path, $target) {
+        $this->getConnection()->get($path, $target);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function rename($source, $target) {
+        try {
+            if ($this->file_exists($target)) {
+                $this->unlink($target);
+            }
+            return $this->getConnection()->rename(
+                $this->absPath($source),
+                $this->absPath($target)
+            );
+        } catch (\Exception $e) {
+            return false;
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function stat($path) {
+        try {
+            $stat = $this->getConnection()->stat($this->absPath($path));
+
+            $mtime = $stat ? $stat['mtime'] : -1;
+            $size = $stat ? $stat['size'] : 0;
+
+            return ['mtime' => $mtime, 'size' => $size, 'ctime' => -1];
+        } catch (\Exception $e) {
+            return false;
+        }
+    }
+
+    /**
+     * @param string $path
+     * @return string
+     */
+    public function constructUrl($path) {
+        // Do not pass the password here. We want to use the Net_SFTP object
+        // supplied via stream context or fail. We only supply username and
+        // hostname because this might show up in logs (they are not used).
+        $url = 'sftp://' . urlencode($this->user) . '@' . $this->host . ':' . $this->port . $this->root . $path;
+        return $url;
+    }
 }