fix(certificate manager): add a simple fallback to store certificates…

… in data directory CertificateManager doesn't work propertly if the files_external app is disabled, so let's store directly in /data/certificate_manager the bundled certificates. This always has to be done on local disk as curl currently requires a path to the cert bundle. When we require PHP 8.1 we will be able to simply store the certificate bundle in database/memory/cache and pass it through the CURLOPT_SSLCERT_BLOB option. Signed-off-by: Thomas Citharel <tcit@tcit.fr>
nextcloud · Jan 14, 2024 · d2d9ba7 · d2d9ba7
1 parent eaa6d96
commit d2d9ba7
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/lib/private/Security/CertificateManager.php b/lib/private/Security/CertificateManager.php
@@ -34,6 +34,7 @@
 
 use OC\Files\Filesystem;
 use OC\Files\View;
+use OCP\App\IAppManager;
 use OCP\ICertificate;
 use OCP\ICertificateManager;
 use OCP\IConfig;
@@ -51,6 +52,7 @@ public function __construct(
 		protected IConfig $config,
 		protected LoggerInterface $logger,
 		protected ISecureRandom $random,
+		protected IAppManager $appManager
 	) {
 	}
 
@@ -249,7 +251,14 @@ public function getAbsoluteBundlePath(): string {
 	}
 
 	private function getPathToCertificates(): string {
-		return '/files_external/';
+		if ($this->appManager->isAppLoaded('files_external')) {
+			return '/files_external/';
+		}
+		$fallbackPath = \OC::$SERVERROOT . '/data/certificate_manager';
+		if (!is_dir($fallbackPath) && false === @mkdir($fallbackPath, 0644, true) && !is_dir($fallbackPath)) {
+			throw new \RuntimeException(sprintf('Unable to create the certificate bundle storage directory (%s).', $fallbackPath));
+		}
+		return $fallbackPath;
 	}
 
 	/**