From f486bd49639cbe90a6e96b18af56b017f81ac518 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 2 Apr 2022 07:47:56 +0000 Subject: [PATCH 01/26] Bump minimist from 1.2.5 to 1.2.6 in /docker/sftp-ws-server/app Bumps [minimist](https://github.com/substack/minimist) from 1.2.5 to 1.2.6. - [Release notes](https://github.com/substack/minimist/releases) - [Commits](https://github.com/substack/minimist/compare/1.2.5...1.2.6) --- updated-dependencies: - dependency-name: minimist dependency-type: indirect ... Signed-off-by: dependabot[bot] --- docker/sftp-ws-server/app/yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/sftp-ws-server/app/yarn.lock b/docker/sftp-ws-server/app/yarn.lock index 133a4cb..4eca2cb 100644 --- a/docker/sftp-ws-server/app/yarn.lock +++ b/docker/sftp-ws-server/app/yarn.lock @@ -379,9 +379,9 @@ mime@1.6.0: brace-expansion "^1.1.7" minimist@^1.2.5: - version "1.2.5" - resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602" - integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw== + version "1.2.6" + resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.6.tgz#8637a5b759ea0d6e98702cfb3a9283323c93af44" + integrity sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q== mkdirp@~0.5.1: version "0.5.5" From 4e57be659aaf6d88f43956fbbd3d8a39aa64b03f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 9 Apr 2022 15:18:12 +0000 Subject: [PATCH 02/26] Bump moment from 2.29.0 to 2.29.2 in /docker/sftp-ws-server/app Bumps [moment](https://github.com/moment/moment) from 2.29.0 to 2.29.2. - [Release notes](https://github.com/moment/moment/releases) - [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md) - [Commits](https://github.com/moment/moment/compare/2.29.0...2.29.2) --- updated-dependencies: - dependency-name: moment dependency-type: indirect ... Signed-off-by: dependabot[bot] --- docker/sftp-ws-server/app/yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/sftp-ws-server/app/yarn.lock b/docker/sftp-ws-server/app/yarn.lock index 133a4cb..f5141f8 100644 --- a/docker/sftp-ws-server/app/yarn.lock +++ b/docker/sftp-ws-server/app/yarn.lock @@ -391,9 +391,9 @@ mkdirp@~0.5.1: minimist "^1.2.5" moment@^2.19.3: - version "2.29.0" - resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.0.tgz#fcbef955844d91deb55438613ddcec56e86a3425" - integrity sha512-z6IJ5HXYiuxvFTI6eiQ9dm77uE0gyy1yXNApVHqTcnIKfY9tIwEjlzsZ6u1LQXvVgKeTnv9Xm7NDvJ7lso3MtA== + version "2.29.2" + resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.2.tgz#00910c60b20843bcba52d37d58c628b47b1f20e4" + integrity sha512-UgzG4rvxYpN15jgCmVJwac49h9ly9NurikMWGPdVxm8GZD6XjkKPxDTjQQ43gtGgnV3X0cAyWDdP2Wexoquifg== ms@2.0.0: version "2.0.0" From e55c48919dc7a35cf6cd5a572ac517754b173ba9 Mon Sep 17 00:00:00 2001 
From: Brandon McWhirter Date: Wed, 7 Sep 2022 17:44:16 -0400 Subject: [PATCH 03/26] Added cleanup tasks to Nextcloud Added trashbin config to empty user trashbins regularly. Also added script to nextcloud-cron to clear failed uploads after 7 days. Created cronjob to run script added to nextcloud-cron. --- .../cronjob-nextcloud-tmp-cleanup.yaml | 96 +++++++++++++++++++ .../config/trashbin.config.php | 4 + docker/nextcloud-cron/Dockerfile | 2 + docker/nextcloud-cron/cleanup_uploads.sh | 16 ++++ 4 files changed, 118 insertions(+) create mode 100644 base/manifests/cronjob-nextcloud-tmp-cleanup.yaml create mode 100644 docker/nextcloud-common/config/trashbin.config.php create mode 100644 docker/nextcloud-cron/cleanup_uploads.sh diff --git a/base/manifests/cronjob-nextcloud-tmp-cleanup.yaml b/base/manifests/cronjob-nextcloud-tmp-cleanup.yaml new file mode 100644 index 0000000..8e05f9a --- /dev/null +++ b/base/manifests/cronjob-nextcloud-tmp-cleanup.yaml 
@@ -0,0 +1,96 @@ +## +# Kubernetes deployment manifest for clearing failed uploads older than 7 days +# every hour. +# +# @author Guy Elsmore-Paddock (guy@inveniem.com) +# @author Brandon McWhirter (brandon.mcwhirter@inveniem.com) +# @copyright Copyright (c) 2022, Inveniem +# @license GNU AGPL version 3 or any later version +# +apiVersion: batch/v1 +kind: CronJob +metadata: + name: nextcloud-tmp-cleanup +spec: + schedule: "0 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: Never + containers: + - name: cron-nextcloud + image: "inveniem/nextcloud-cron:latest" + args: + - '-s' + - 'bash' + - '/cleanup_uploads.sh' + resources: + requests: + cpu: 25m + memory: 128Mi + limits: + cpu: 1500m + memory: 512Mi + volumeMounts: + - name: volume-nextcloud-app + mountPath: /var/www/html + env: + - name: NEXTCLOUD_FILE_LOCKING_ENABLED + valueFrom: + configMapKeyRef: + name: environment + key: enableFileLocking + - name: NEXTCLOUD_TRUSTED_DOMAINS + valueFrom: + configMapKeyRef: + name: environment + key: trustedDomains + - name: NEXTCLOUD_ADMIN_USER + valueFrom: + secretKeyRef: + name: "nextcloud-admin-creds" + key: username + - name: NEXTCLOUD_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "nextcloud-admin-creds" + key: password + - name: MYSQL_HOST + valueFrom: + secretKeyRef: + name: "nextcloud-mysql-creds" + key: hostname + - name: MYSQL_PORT + valueFrom: + secretKeyRef: + name: "nextcloud-mysql-creds" + key: port + - name: MYSQL_DATABASE + valueFrom: + secretKeyRef: + name: "nextcloud-mysql-creds" + key: database + - name: MYSQL_USER + valueFrom: + secretKeyRef: + name: "nextcloud-mysql-creds" + key: username + - name: MYSQL_PASSWORD + valueFrom: + secretKeyRef: + name: "nextcloud-mysql-creds" + key: password + - name: REDIS_HOST + value: "internal-redis" + - name: REDIS_PORT + value: "6379" + - name: REDIS_KEY + valueFrom: + secretKeyRef: + name: "nextcloud-redis-creds" + key: password + volumes: + # Ephemeral volume that contains the loaded 
Nextcloud software + - name: volume-nextcloud-app + emptyDir: {} diff --git a/docker/nextcloud-common/config/trashbin.config.php b/docker/nextcloud-common/config/trashbin.config.php new file mode 100644 index 0000000..54f2229 --- /dev/null +++ b/docker/nextcloud-common/config/trashbin.config.php @@ -0,0 +1,4 @@ + "auto, 14", +); diff --git a/docker/nextcloud-cron/Dockerfile b/docker/nextcloud-cron/Dockerfile index dbbcbd7..4e8fcad 100644 --- a/docker/nextcloud-cron/Dockerfile +++ b/docker/nextcloud-cron/Dockerfile @@ -19,6 +19,8 @@ RUN rm -f /usr/src/nextcloud/config/redis.config.php COPY nextcloud-cron/entrypoint.sh / COPY nextcloud-common/config/* /usr/src/nextcloud/config/ +COPY nextcloud-cron/cleanup_uploads.sh / + # Ensure custom apps are available during cron runs. # We supply all custom apps via Docker image; app store is disabled COPY nextcloud-common/custom_apps/. /usr/src/nextcloud/custom_apps/ diff --git a/docker/nextcloud-cron/cleanup_uploads.sh b/docker/nextcloud-cron/cleanup_uploads.sh new file mode 100644 index 0000000..7105472 --- /dev/null +++ b/docker/nextcloud-cron/cleanup_uploads.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +## +# Nextcloud Docker script to clean up failed uploads for Nextcloud cron runs. +# +# @author Guy Elsmore-Paddock (guy@inveniem.com) +# @author Brandon McWhirter (brandon.mcwhirter@inveniem.com) +# @copyright Copyright (c) 2022, Inveniem +# @license GNU AGPL version 3 or any later version +# + +set -eu + +cd /var/www/html/ + +find . -wholename "*uploads/web-file-upload*" -type d ! -mtime 7 -exec rm -rvf "{}" ";" From 7406ceeae29d3fdb3e0fca363782dc4aab1ff2eb Mon Sep 17 00:00:00 2001 From: Brandon McWhirter Date: Thu, 8 Sep 2022 11:50:39 -0400 Subject: [PATCH 04/26] Renamed failed upload cronjob --- ...leanup.yaml => cronjob-nextcloud-failed-upload-cleanup.yaml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename base/manifests/{cronjob-nextcloud-tmp-cleanup.yaml => cronjob-nextcloud-failed-upload-cleanup.yaml} (98%) 
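Review bot: The pod spec hands a script that only runs `find`/`rm` the full admin, MySQL and Redis credentials (the `nextcloud-admin-creds`, `nextcloud-mysql-creds` and `nextcloud-redis-creds` secretKeyRefs), none of which `cleanup_uploads.sh` reads; unless the image entrypoint needs them to bootstrap `/var/www/html` before the command runs, dropping them shrinks what a compromised cleanup job can reach. The only volume is the `emptyDir` at `/var/www/html` and no Nextcloud data volume is mounted here, so `find /var/www/html/` only reaches upload directories if an overlay patches a data volume in; a comment such as `# Data volume is supplied by the overlay; without it this job finds nothing to delete` would make that dependency visible. No `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, dropped capabilities) is set on the container either, though the sibling cronjob manifests are not visible and may share a pattern.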
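Review bot: The `trashbin_retention_obligation` value `"auto, 14"` deserves a comment, because per Nextcloud's documented semantics a leading `auto` lets the server purge trash earlier than 14 days whenever it needs space, with the number only setting the hard deletion age; if a guaranteed minimum retention is intended, the `14, auto` or `14, 30` forms are the ones that promise it. A one-liner such as `// Hard-delete trash after 14 days; 'auto' allows earlier purging under disk pressure` would record the choice. The hunk also appears truncated in this rendering (no `<?php` or `$CONFIG = array(` lines survive), so the file header could not be reviewed.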
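Review bot: `! -mtime 7` does not select directories older than seven days; it selects every directory except those modified exactly seven days ago, so this hourly `rm -rvf` also removes chunked uploads that are still receiving data. The test should be `-mtime +7` (or `-mtime +6` for "at least seven full days"), and matched directories should be pruned so `find` does not descend into trees it has just deleted: `find . -type d -wholename "*uploads/web-file-upload*" -mtime +7 -prune -exec rm -rvf "{}" ";"`. Without `-prune`, the traversal errors after a deletion make `find` exit non-zero, which under `set -eu` fails the whole job even though the cleanup succeeded.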
diff --git a/base/manifests/cronjob-nextcloud-tmp-cleanup.yaml b/base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml similarity index 98% rename from base/manifests/cronjob-nextcloud-tmp-cleanup.yaml rename to base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml index 8e05f9a..5dab5b5 100644 --- a/base/manifests/cronjob-nextcloud-tmp-cleanup.yaml +++ b/base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml @@ -10,7 +10,7 @@ apiVersion: batch/v1 kind: CronJob metadata: - name: nextcloud-tmp-cleanup + name: nextcloud-failed-upload-cleanup spec: schedule: "0 * * * *" jobTemplate: From 3a98b61b4335d0a0bca40f0b7499a47fa9245533 Mon Sep 17 00:00:00 2001 From: Brandon McWhirter Date: Thu, 8 Sep 2022 12:17:13 -0400 Subject: [PATCH 05/26] Fix rigger launch-shell to grab the correct pod by label instead --- bin/rigger | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bin/rigger b/bin/rigger index e1f80b2..e67ab20 100644 --- a/bin/rigger +++ b/bin/rigger @@ -53,6 +53,7 @@ docker_image_names=( ) nextcloud_deployment_name="nextcloud" +nextcloud_backend_pod_label="backend-nextcloud" environment_config_path="manifests/config-environment.yaml" @@ -761,10 +762,11 @@ sub_scale() { # sub_launch_shell() { declare -g nextcloud_deployment_name + declare -g nextcloud_backend_pod_label declare -g error_bad_environment pod_name=$( - kubectl get pods -n "${namespace}" -o name | + kubectl get pods -n "${namespace}" --selector="app=${nextcloud_backend_pod_label}" -o name | grep -m1 "${nextcloud_deployment_name}" || echo "" ) From 03997a6346b6f5348490ea07adaa2b77e7e2e2f4 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Thu, 8 Sep 2022 22:18:00 -0400 Subject: [PATCH 06/26] Fix Redis `role` Annotation This prevents multiple `PodDisruptionBudget` resources from targeting Redis. --- base/manifests/app-redis.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/base/manifests/app-redis.yaml b/base/manifests/app-redis.yaml index 79da7af..7961afa 100644 --- a/base/manifests/app-redis.yaml +++ b/base/manifests/app-redis.yaml @@ -24,7 +24,7 @@ spec: metadata: labels: app: db-redis - role: backend + role: database spec: initContainers: # This is needed to address this warning from Redis: From 9bb8cc0d553da52670a7719b7211a3b056b8b252 Mon Sep 17 00:00:00 2001 From: Brandon McWhirter Date: Fri, 9 Sep 2022 11:45:36 -0400 Subject: [PATCH 07/26] Added failed upload cleanup cronjob to kustomization config --- base/kustomization.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/base/kustomization.yaml b/base/kustomization.yaml index 72e48cb..f98842f 100644 --- a/base/kustomization.yaml +++ b/base/kustomization.yaml @@ -12,5 +12,6 @@ resources: - manifests/app-clamav.yaml - manifests/app-redis.yaml - manifests/cronjob-nextcloud-cron.yaml + - manifests/cronjob-nextcloud-failed-upload-cleanup.yaml - manifests/cronjob-nextcloud-file-scan.yaml - manifests/pod-disruption-budgets.yaml From 2c6aa225f3274830ce5543b989be365840e9ed77 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Thu, 8 Sep 2022 22:40:58 -0400 Subject: [PATCH 08/26] [ITSA-1309] Prevent CronJobs from Overlapping This ensures that each cronjob does not start until its previous run has finished. --- base/manifests/cronjob-nextcloud-cron.yaml | 1 + base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml | 1 + base/manifests/cronjob-nextcloud-file-scan.yaml | 1 + 3 files changed, 3 insertions(+) diff --git a/base/manifests/cronjob-nextcloud-cron.yaml b/base/manifests/cronjob-nextcloud-cron.yaml index 3ef74b7..ea8e2e0 100644 --- a/base/manifests/cronjob-nextcloud-cron.yaml +++ b/base/manifests/cronjob-nextcloud-cron.yaml @@ -11,6 +11,7 @@ metadata: name: nextcloud-cron spec: schedule: "*/5 * * * *" + concurrencyPolicy: Forbid jobTemplate: spec: template: 
diff --git a/base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml b/base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml index 5dab5b5..285d14a 100644 --- a/base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml +++ b/base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml @@ -13,6 +13,7 @@ metadata: name: nextcloud-failed-upload-cleanup spec: schedule: "0 * * * *" + concurrencyPolicy: Forbid jobTemplate: spec: template: diff --git a/base/manifests/cronjob-nextcloud-file-scan.yaml b/base/manifests/cronjob-nextcloud-file-scan.yaml index de1d88a..6d2a97f 100644 --- a/base/manifests/cronjob-nextcloud-file-scan.yaml +++ b/base/manifests/cronjob-nextcloud-file-scan.yaml @@ -11,6 +11,7 @@ metadata: name: nextcloud-file-scan spec: schedule: "0 12,20 * * *" + concurrencyPolicy: Forbid jobTemplate: spec: template: From 1bc6af238c9d654e0ee0019e5d406a47294858ba Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Mon, 12 Sep 2022 22:18:42 -0400 Subject: [PATCH 09/26] [ITSA-583] Clean-up Upload Clean-up Job --- docker/nextcloud-cron/cleanup_uploads.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docker/nextcloud-cron/cleanup_uploads.sh b/docker/nextcloud-cron/cleanup_uploads.sh index 7105472..e6376a6 100644 --- a/docker/nextcloud-cron/cleanup_uploads.sh +++ b/docker/nextcloud-cron/cleanup_uploads.sh @@ -11,6 +11,8 @@ set -eu -cd /var/www/html/ - -find . -wholename "*uploads/web-file-upload*" -type d ! -mtime 7 -exec rm -rvf "{}" ";" +find /var/www/html/ \ + -wholename "*uploads/web-file-upload*" \ + -type d \ + ! -mtime 7 \ + -exec rm -rvf "{}" ";" From ef882d8f6e784d8817a6b9744b95c7a2b3adf4da Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Mon, 12 Sep 2022 22:31:28 -0400 Subject: [PATCH 10/26] [ITSA-583] Fix Shell for Nextcloud Cleanup Cron --- base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
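Review bot: The rewrite keeps `! -mtime 7`, so the selection is still "everything not modified exactly seven days ago" rather than "older than seven days", and the hourly job will keep deleting uploads that are still receiving chunks. Change that line to `-mtime +7` and insert `-prune` before the `-exec` so `find` stops descending into directories it has just removed and does not return a non-zero status to `set -eu`. The script is fully visible in the hunk, so a short header comment stating the intended retention (`# Remove chunked-upload directories untouched for more than 7 days`) would let the next reader check the predicate against the intent.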
diff --git a/base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml b/base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml index 285d14a..7c6d115 100644 --- a/base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml +++ b/base/manifests/cronjob-nextcloud-failed-upload-cleanup.yaml @@ -24,7 +24,7 @@ spec: image: "inveniem/nextcloud-cron:latest" args: - '-s' - - 'bash' + - '/bin/sh' - '/cleanup_uploads.sh' resources: requests: From 2c4d96e85dd7806353295b47c9e7c3375dd4e8bb Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Sat, 10 Sep 2022 20:49:30 -0400 Subject: [PATCH 11/26] Fix 'Cannot write into "config\" directory!' Error when Running `occ` This ensures that `occ` is capable of detecting that the config is mounted read-only in a similar way to `entrypoint.sh`. --- .../config/readonly.config.php | 26 +++++++++++++------ 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/docker/nextcloud-common/config/readonly.config.php b/docker/nextcloud-common/config/readonly.config.php index d1bf4d0..17982f7 100644 --- a/docker/nextcloud-common/config/readonly.config.php +++ b/docker/nextcloud-common/config/readonly.config.php @@ -1,11 +1,21 @@ $read_only_bool, - ); +// If our own config file isn't writable, we know we're running in a read-only +// FS. +if (!is_writable(__FILE__)) { + $is_read_only = TRUE; +} + +$CONFIG = array( + 'config_is_read_only' => $is_read_only, +); From 3e60b0df1359ca5d85eaace83d949d3ba54b5996 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Sat, 10 Sep 2022 20:54:16 -0400 Subject: [PATCH 12/26] Prevent `launch-shell` from Selecting Terminated Pods This ensures that `launch-shell` can be run quickly after deploying, without accidentally targeting a `Terminating` pod. --- bin/rigger | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/bin/rigger b/bin/rigger index e67ab20..54ba8aa 100644 --- a/bin/rigger +++ b/bin/rigger 
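Review bot: `is_writable(__FILE__)` tests only this one file, but what Nextcloud needs to write is `config/config.php` in the same directory, so a writable `readonly.config.php` inside a directory that is not writable still yields `config_is_read_only => false` and the "Cannot write into config directory" error returns. Checking the directory as well, `if (!is_writable(__FILE__) || !is_writable(__DIR__)) { $is_read_only = TRUE; }`, mirrors the `touch` probe in `config/` that `entrypoint.sh` uses for the same decision. The hunk is truncated in this rendering: the lines that initialise `$is_read_only` from the environment are missing, so whether a string `"true"` from `NEXTCLOUD_CONFIG_READ_ONLY` is coerced to a real boolean could not be checked.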
@@ -766,8 +766,11 @@ sub_launch_shell() { declare -g error_bad_environment pod_name=$( - kubectl get pods -n "${namespace}" --selector="app=${nextcloud_backend_pod_label}" -o name | - grep -m1 "${nextcloud_deployment_name}" || echo "" + (kubectl get pods -n "${namespace}" \ + --selector="app=${nextcloud_backend_pod_label}" \ + --field-selector=status.phase=Running \ + -o name | + grep -m1 "${nextcloud_deployment_name}") || echo "" ) if [[ -z "${pod_name}" ]]; then From ba1b2b57cdbf79c522e11bae370386a1360757bb Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Sun, 11 Sep 2022 00:05:39 -0400 Subject: [PATCH 13/26] Update to Nextcloud 23.0.9 + Add Support for Initialization Locking This toggles on the new locking support added to 23.0.4 in: https://github.com/nextcloud/docker/pull/1728 It can be disabled with NEXTCLOUD_INIT_LOCK being set to `false`, but we default it on in our image since we support multiple pods by default. --- docker/backend-nextcloud-apache/Dockerfile | 3 +- docker/backend-nextcloud-fpm/Dockerfile | 3 +- docker/middle-nextcloud-nginx/nginx.conf | 3 + docker/nextcloud-common/entrypoint.sh | 81 ++++++++++++++++++++-- docker/nextcloud-cron/Dockerfile | 2 +- 5 files changed, 84 insertions(+), 8 deletions(-) diff --git a/docker/backend-nextcloud-apache/Dockerfile b/docker/backend-nextcloud-apache/Dockerfile index 87b840a..d7ae21d 100644 --- a/docker/backend-nextcloud-apache/Dockerfile +++ b/docker/backend-nextcloud-apache/Dockerfile @@ -8,9 +8,10 @@ # @copyright Copyright (c) 2019, Inveniem # @license GNU AGPL version 3 or any later version # -FROM nextcloud:23.0.2-apache +FROM nextcloud:23.0.9-apache ENV NEXTCLOUD_CONFIG_READ_ONLY "false" +ENV NEXTCLOUD_INIT_LOCK "true" # Eliminate default APCu configuration (we're using Redis) # diff --git a/docker/backend-nextcloud-fpm/Dockerfile b/docker/backend-nextcloud-fpm/Dockerfile index 20d2970..cfdca4e 100644 --- a/docker/backend-nextcloud-fpm/Dockerfile +++ b/docker/backend-nextcloud-fpm/Dockerfile 
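Review bot: `--field-selector=status.phase=Running` does not exclude pods that are being deleted: a terminating pod keeps `phase: Running` until its containers exit, with only `metadata.deletionTimestamp` set, so right after a rollout this can still pick a pod that is about to disappear, which is the case the commit sets out to fix. Field selectors cannot test that field, so the filter has to happen on the output, e.g. `-o json | jq -r '.items[] | select(.metadata.deletionTimestamp == null) | "pod/" + .metadata.name' | grep -m1 "${nextcloud_deployment_name}"` (assuming `jq` is available to `rigger`; `-o go-template` can express the same test without it), keeping the `pod/` prefix that `-o name` produced. `sub_launch_shell` continues outside the hunk.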
@@ -57,9 +57,10 @@ RUN set -eux;\ ################################################################################ # This is the container that actually gets pushed. # -FROM nextcloud:23.0.2-fpm-alpine +FROM nextcloud:23.0.9-fpm-alpine ENV NEXTCLOUD_CONFIG_READ_ONLY "false" +ENV NEXTCLOUD_INIT_LOCK "true" # Fix-up www-data UID from 82 to 33. # diff --git a/docker/middle-nextcloud-nginx/nginx.conf b/docker/middle-nextcloud-nginx/nginx.conf index b310c04..16feadc 100644 --- a/docker/middle-nextcloud-nginx/nginx.conf +++ b/docker/middle-nextcloud-nginx/nginx.conf @@ -27,6 +27,9 @@ http { sendfile on; #tcp_nopush on; + # Prevent nginx HTTP Server Detection + server_tokens off; + ## Customizations for the Inveniem AKS Image ## keepalive_timeout 65; diff --git a/docker/nextcloud-common/entrypoint.sh b/docker/nextcloud-common/entrypoint.sh index df06bd7..4d8eacb 100755 --- a/docker/nextcloud-common/entrypoint.sh +++ b/docker/nextcloud-common/entrypoint.sh 
@@ -15,12 +15,46 @@ set -eu +acquire_lock() { + # If another process is syncing the html folder, wait for it to be done, + # then escape initialization. + # + # You need to define the NEXTCLOUD_INIT_LOCK environment variable + lock=/var/www/html/nextcloud-init-sync.lock + count=0 + limit=10 + + if [ -f "${lock}" ] && [ "${NEXTCLOUD_INIT_LOCK:-}" = "true" ]; then + until [ ! -f "${lock}" ] || [ "$count" -gt "${limit}" ]; do + count=$((count+1)) + wait=$((count*10)) + + echo "Another process is initializing Nextcloud. Waiting ${wait} seconds..." + sleep $wait + done + + if [ "${count}" -gt "${limit}" ]; then + echo "Timeout while waiting for an ongoing initialization" + exit 1 + fi + + echo "The other process is done, assuming complete initialization" + else + # Prevent multiple images syncing simultaneously + touch "${lock}" + fi +} + +release_lock() { + rm "${lock}" +} + initialize_environment_vars() { - if ! touch "/var/www/html/config/.writable" 1>/dev/null 2>&1; then - # Force environment variable to `true` whenever the config folder is mounted - # read-only, even if the var was not explicitly set as such. - export NEXTCLOUD_CONFIG_READ_ONLY="true" - fi + if ! touch "/var/www/html/config/.writable" 1>/dev/null 2>&1; then + # Force environment variable to `true` whenever the config folder is mounted + # read-only, even if the var was not explicitly set as such. + export NEXTCLOUD_CONFIG_READ_ONLY="true" + fi } initialize_container() { @@ -40,6 +74,7 @@ initialize_container() { image_version="$(php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);')" ensure_compatible_image "${installed_version}" "${image_version}" + acquire_lock deploy_nextcloud_release setup_redis tune_php @@ -58,6 +93,7 @@ initialize_container() { fi update_htaccess + release_lock fi } 
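Review bot: A pod that waits on the lock still runs the full initialization afterwards and then fails in `release_lock`: `initialize_container` calls `acquire_lock` and unconditionally continues into `deploy_nextcloud_release` … `update_htaccess` (next hunks), although the comment says the waiter should "escape initialization", and the final `rm "${lock}"` then runs on a file the other process already removed, which under `set -eu` aborts the entrypoint. The `[ -f ]`-then-`touch` pair is also not atomic, so two pods starting together can both pass the check, and a failure between `touch` and `release_lock` leaves a stale lock that makes every later start wait roughly eleven minutes and exit 1. Having `acquire_lock` report whether this process owns the lock, creating it under `set -C` so the create fails instead of racing, wrapping the initialization in that result and clearing the lock on any exit addresses all three; the rewritten lines follow, with `initialize_container` itself starting outside this hunk. Note the lock lives on `/var/www/html`, which the cron manifest mounts as a per-pod `emptyDir`; if the backend pods do the same, the lock only serialises containers within one pod and cannot coordinate separate replicas.
```shell
acquire_lock() {
  # Returns 0 when this process created the lock and must initialize Nextcloud,
  # 1 when another process held it and has since finished (skip initialization).
  lock=/var/www/html/nextcloud-init-sync.lock
  count=0
  limit=10

  # Atomic create: with noclobber the redirect fails if the file already exists,
  # so two pods starting together cannot both believe they own the lock.
  if ( set -C; : > "${lock}" ) 2>/dev/null; then
    # Release on any exit so a failed step cannot leave a stale lock behind.
    trap 'rm -f "${lock}"' EXIT
    return 0
  fi

  if [ "${NEXTCLOUD_INIT_LOCK:-}" != "true" ]; then
    return 0   # locking disabled: ignore a pre-existing lock, as before
  fi

  # … unchanged: wait loop and timeout exit …
  echo "The other process is done, assuming complete initialization"
  return 1
}

release_lock() {
  rm -f "${lock}"
  trap - EXIT
}

# in initialize_container():
  if acquire_lock; then
    deploy_nextcloud_release
    # … unchanged: setup_redis, tune_php, install/upgrade, update_htaccess …
    release_lock
  fi
```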
@@ -264,6 +300,13 @@ capture_install_options() { install_options=$install_options' --data-dir "$NEXTCLOUD_DATA_DIR"' fi + file_env MYSQL_DATABASE + file_env MYSQL_PASSWORD + file_env MYSQL_USER + file_env POSTGRES_DB + file_env POSTGRES_PASSWORD + file_env POSTGRES_USER + install_type="None" if [ -n "${SQLITE_DATABASE+x}" ]; then @@ -385,6 +428,34 @@ run_as() { fi } +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + var="$1" + fileVar="${var}_FILE" + def="${2:-}" + varValue=$(env | grep -E "^${var}=" | sed -E -e "s/^${var}=//") + fileVarValue=$(env | grep -E "^${fileVar}=" | sed -E -e "s/^${fileVar}=//") + + if [ -n "${varValue}" ] && [ -n "${fileVarValue}" ]; then + echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + exit 1 + fi + + if [ -n "${varValue}" ]; then + export "$var"="${varValue}" + elif [ -n "${fileVarValue}" ]; then + export "$var"="$(cat "${fileVarValue}")" + elif [ -n "${def}" ]; then + export "$var"="$def" + fi + + unset "$fileVar" +} + + container_type="${1:-none}" initialize_environment_vars diff --git a/docker/nextcloud-cron/Dockerfile b/docker/nextcloud-cron/Dockerfile index 4e8fcad..47cc40b 100644 --- a/docker/nextcloud-cron/Dockerfile +++ b/docker/nextcloud-cron/Dockerfile @@ -7,7 +7,7 @@ # @copyright Copyright (c) 2019-2020, Inveniem # @license GNU AGPL version 3 or any later version # -FROM nextcloud:23.0.2-fpm +FROM nextcloud:23.0.9-fpm ENV NEXTCLOUD_CONFIG_READ_ONLY "true" From 9c2966ca3905d9c6d7912048a5f2f8c2b5111a22 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Sun, 11 Sep 2022 00:05:56 -0400 Subject: [PATCH 14/26] Remove Write-test Touch File after Test --- docker/nextcloud-common/entrypoint.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
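Review bot: A missing or unreadable `*_FILE` secret is silently turned into an empty credential: in `export "$var"="$(cat "${fileVarValue}")"` the failure of `cat` is masked by the command substitution (the statement's status is that of `export`), so `set -e` never fires and, for example, `MYSQL_PASSWORD` ends up as the empty string. Add an explicit check before the read, `if [ ! -r "${fileVarValue}" ]; then echo >&2 "error: ${fileVar} points to unreadable file ${fileVarValue}"; exit 1; fi`. Reading the current value back through `env | grep -E "^${var}="` also keeps only the first line of a value containing a newline; `eval "varValue=\"\${${var}:-}\""` reads the variable directly and avoids both the pipeline and that truncation, since `var` is always one of the fixed names passed by `capture_install_options`.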
diff --git a/docker/nextcloud-common/entrypoint.sh b/docker/nextcloud-common/entrypoint.sh index 4d8eacb..58569f6 100755 --- a/docker/nextcloud-common/entrypoint.sh +++ b/docker/nextcloud-common/entrypoint.sh @@ -50,7 +50,11 @@ release_lock() { } initialize_environment_vars() { - if ! touch "/var/www/html/config/.writable" 1>/dev/null 2>&1; then + touch_file="/var/www/html/config/.writable" + + if touch "${touch_file}" 1>/dev/null 2>&1; then + rm "${touch_file}" + else # Force environment variable to `true` whenever the config folder is mounted # read-only, even if the var was not explicitly set as such. export NEXTCLOUD_CONFIG_READ_ONLY="true" From b24853fd768046a22c61b5ca0b4fdb9efe8f6d53 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Sun, 11 Sep 2022 00:39:48 -0400 Subject: [PATCH 15/26] Add Workaround for https://github.com/nextcloud/docker/issues/1819 Nextcloud 23.0.9-fpm is not available for 64-bit Linux, for reasons unbeknownst to me. --- docker/nextcloud-cron/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/nextcloud-cron/Dockerfile b/docker/nextcloud-cron/Dockerfile index 47cc40b..5a9c70d 100644 --- a/docker/nextcloud-cron/Dockerfile +++ b/docker/nextcloud-cron/Dockerfile @@ -7,7 +7,7 @@ # @copyright Copyright (c) 2019-2020, Inveniem # @license GNU AGPL version 3 or any later version # -FROM nextcloud:23.0.9-fpm +FROM nextcloud:23.0.9-apache ENV NEXTCLOUD_CONFIG_READ_ONLY "true" From 827d881b72861b12bbf5eec59e39f67b64ec78f6 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Sun, 11 Sep 2022 00:40:26 -0400 Subject: [PATCH 16/26] Upgrade to NGINX 1.23.1 --- docker/middle-nextcloud-nginx/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/middle-nextcloud-nginx/Dockerfile b/docker/middle-nextcloud-nginx/Dockerfile index a878068..e46bb2b 100644 --- a/docker/middle-nextcloud-nginx/Dockerfile +++ b/docker/middle-nextcloud-nginx/Dockerfile 
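Review bot: Switching the cron image's base from `-fpm` to `-apache` pulls a full Apache httpd into a container that only runs `cron`/`occ`, which is more surface than the job needs, and the Dockerfile carries no note that this is a workaround, so nobody will know to revert it. A comment above the `FROM` line, such as `# TODO: return to nextcloud:<version>-fpm once nextcloud/docker#1819 (no amd64 23.0.9-fpm image) is resolved`, keeps the reason with the code. Pinning the tag by digest (`FROM nextcloud:23.0.9-apache@sha256:…`) would also make the build reproducible whichever variant is used.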
@@ -6,6 +6,6 @@ # @copyright Copyright (c) 2019-2022, Inveniem # @license GNU AGPL version 3 or any later version # -FROM nginx:1.21.3-alpine +FROM nginx:1.23.1-alpine COPY nginx.conf /etc/nginx/nginx.conf From 88bebe9150c1190494f7cefb3fe70baa6d51e0a3 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Sun, 11 Sep 2022 01:15:48 -0400 Subject: [PATCH 17/26] Upgrade to Alpine 3.16 + Musl C 1.2.3 for FPM Images This fixes the following error when starting the new NC 23.0.9 images: ``` Warning: PHP Startup: Unable to load dynamic library 'imagick' (tried: /usr/local/lib/php/extensions/no-debug-non-zts-20200930/imagick (Error loading shared library /usr/local/lib/php/extensions/no-debug-non-zts-20200930/imagick: No such file or directory), /usr/local/lib/php/extensions/no-debug-non-zts-20200930/imagick.so (Error relocating /usr/lib/libX11.so.6: reallocarray: symbol not found)) in Unknown on line 0 ``` `reallocarray` was added in Musl v1.2.2 according to: https://musl.libc.org/releases.html --- docker/backend-nextcloud-fpm/Dockerfile | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/docker/backend-nextcloud-fpm/Dockerfile b/docker/backend-nextcloud-fpm/Dockerfile index cfdca4e..4611bff 100644 --- a/docker/backend-nextcloud-fpm/Dockerfile +++ b/docker/backend-nextcloud-fpm/Dockerfile @@ -17,7 +17,9 @@ # Patch Alpine musl to work around this issue: # https://gitlab.alpinelinux.org/alpine/aports/issues/10960 # -FROM alpine:3.10 as musl_compile +FROM alpine:3.16 as musl_compile + +ENV MUSL_VERSION="1.2.3" RUN set -eux;\ apk add --update \ 
@@ -39,13 +41,13 @@ RUN set -eux;\ gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; \ done; \ \ - curl -O https://www.musl-libc.org/releases/musl-1.1.24.tar.gz; \ - curl -O https://www.musl-libc.org/releases/musl-1.1.24.tar.gz.asc; \ + curl -O https://www.musl-libc.org/releases/musl-${MUSL_VERSION}.tar.gz; \ + curl -O https://www.musl-libc.org/releases/musl-${MUSL_VERSION}.tar.gz.asc; \ \ - gpg --batch --verify musl-1.1.24.tar.gz.asc musl-1.1.24.tar.gz; \ + gpg --batch --verify musl-${MUSL_VERSION}.tar.gz.asc musl-${MUSL_VERSION}.tar.gz; \ \ - tar -xvzf musl-1.1.24.tar.gz; \ - cd ./musl-1.1.24; \ + tar -xvzf musl-${MUSL_VERSION}.tar.gz; \ + cd ./musl-${MUSL_VERSION}; \ sed -i 's/char buf\[2048\]/char buf\[8192\]/' ./src/dirent/__dirent.h; \ \ ./configure; \ From 801a95119bbcc6b62bc280bd28929ed0dac4aa98 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Sun, 11 Sep 2022 01:18:49 -0400 Subject: [PATCH 18/26] Increase NGINX Timeouts to 30 mins for Long Uploads Trying to mitigate https://github.com/nextcloud/server/issues/17992. --- docker/middle-nextcloud-nginx/nginx.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docker/middle-nextcloud-nginx/nginx.conf b/docker/middle-nextcloud-nginx/nginx.conf index 16feadc..a039626 100644 --- a/docker/middle-nextcloud-nginx/nginx.conf +++ b/docker/middle-nextcloud-nginx/nginx.conf @@ -33,6 +33,10 @@ http { ## Customizations for the Inveniem AKS Image ## keepalive_timeout 65; + proxy_connect_timeout 60; + proxy_send_timeout 1800; + proxy_read_timeout 1800; + set_real_ip_from 10.0.0.0/8; set_real_ip_from 172.16.0.0/12; set_real_ip_from 192.168.0.0/16; From c71974e4a965d1bd15bf845b8452f8c4f78afa82 Mon Sep 17 00:00:00 2001 
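Review bot: The `sed -i 's/char buf\[2048\]/char buf\[8192\]/' ./src/dirent/__dirent.h` line is now applied to a different musl release (1.2.3 instead of 1.1.24), and `sed` returns success even when the pattern no longer matches, so the workaround can silently stop being applied; guard it with `grep -q 'char buf\[2048\]' ./src/dirent/__dirent.h` immediately before the substitution so the build fails loudly instead. The `curl -O` downloads have no `-f`/`--fail`, so an HTML error page would be saved as the tarball and only caught by the later `gpg --verify`, which preserves integrity but makes the failure harder to diagnose. Key retrieval still goes over cleartext `hkp://pgp.mit.edu:80`; that is acceptable only if `$key` (defined outside the hunk) is a full fingerprint, and `hkps://keys.openpgp.org` would be the more reliable server either way.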
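Review bot: Raising `proxy_read_timeout`/`proxy_send_timeout` to 1800 s in the `http` block applies to every proxied request, so a client that opens a connection and stalls can now hold an upstream PHP worker and an nginx connection for thirty minutes each, which is a cheap resource-exhaustion vector on a public endpoint. Scoping the long timeouts to the DAV/upload `location` blocks that actually need them and leaving the defaults elsewhere limits the exposure; `client_body_timeout` and `send_timeout` are the other knobs that bound slow clients. A comment citing nextcloud/server#17992 next to the three lines would record why the values are so high.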
From: Guy Elsmore-Paddock Date: Sun, 11 Sep 2022 02:53:48 -0400 Subject: [PATCH 19/26] Remove Limit on Image Dimensions With a sufficiently large deployment (7 pods), this is no longer necessary. --- docker/nextcloud-common/config/previews.config.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/docker/nextcloud-common/config/previews.config.php b/docker/nextcloud-common/config/previews.config.php index 0ee4cdb..7ead414 100644 --- a/docker/nextcloud-common/config/previews.config.php +++ b/docker/nextcloud-common/config/previews.config.php @@ -3,6 +3,4 @@ $CONFIG = array( 'preview_max_filesize_image' => 50, 'enable_previews' => true, - 'preview_max_x' => 1024, - 'preview_max_y' => 1024, ); From 64149ac6d2df064797b379bb0ad031f117e79571 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Tue, 13 Sep 2022 14:24:18 -0400 Subject: [PATCH 20/26] [10.1.0] Bump Version to 10.1.0 in Sample --- overlays/00-sample/kustomization.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/overlays/00-sample/kustomization.yaml b/overlays/00-sample/kustomization.yaml index 3b4479b..102b644 100644 --- a/overlays/00-sample/kustomization.yaml +++ b/overlays/00-sample/kustomization.yaml @@ -96,20 +96,20 @@ images: - name: inveniem/nextcloud-cron newName: your-acr-instance.azurecr.io/inveniem/nextcloud-cron - newTag: "10.0.1" + newTag: "10.1.0" - name: inveniem/nextcloud-apache newName: your-acr-instance.azurecr.io/inveniem/nextcloud-apache - newTag: "10.0.1" + newTag: "10.1.0" - name: inveniem/nextcloud-fpm newName: your-acr-instance.azurecr.io/inveniem/nextcloud-fpm - newTag: "10.0.1" + newTag: "10.1.0" - name: inveniem/nextcloud-nginx-middleware newName: your-acr-instance.azurecr.io/inveniem/nextcloud-nginx-middleware - newTag: "10.0.1" + newTag: "10.1.0" - name: inveniem/sftp-ws-server newName: your-acr-instance.azurecr.io/inveniem/sftp-ws-server - newTag: "10.0.1" + newTag: "10.1.0" 
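Review bot: Removing `preview_max_x`/`preview_max_y` does not remove the limit; Nextcloud falls back to its built-in default for both (4096 px in the 23.x documentation, to be confirmed against the release in use), so the commit title overstates the change and the effective cap should be recorded in the file. If larger previews are really intended, set the values explicitly and note the cost: previews are rendered in memory by imagick, `preview_max_filesize_image => 50` still allows a 50 MB source to be decoded, and pod count does not bound a single worker's memory the way `preview_max_memory` does. A comment such as `// Dimensions fall back to the Nextcloud default (4096x4096); set explicitly to change` keeps the expectation honest.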
From ff9d5e72378de77e95eb0a0124c1de6a5fbab34b Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Tue, 13 Sep 2022 14:45:19 -0400 Subject: [PATCH 21/26] Upgrade Plugins to Latest Available Versions for NC 23.x --- ...le_entity_loader_is_deprecated-4.1.x.patch | 981 ------------------ overlays/00-sample/publish.profile | 19 +- 2 files changed, 10 insertions(+), 990 deletions(-) delete mode 100644 docker/nextcloud-common/bundled-patches/user_saml-issue_548-libxml_disable_entity_loader_is_deprecated-4.1.x.patch diff --git a/docker/nextcloud-common/bundled-patches/user_saml-issue_548-libxml_disable_entity_loader_is_deprecated-4.1.x.patch b/docker/nextcloud-common/bundled-patches/user_saml-issue_548-libxml_disable_entity_loader_is_deprecated-4.1.x.patch deleted file mode 100644 index 757c634..0000000 --- a/docker/nextcloud-common/bundled-patches/user_saml-issue_548-libxml_disable_entity_loader_is_deprecated-4.1.x.patch +++ /dev/null 
@@ -1,981 +0,0 @@ -diff --git a/custom_apps/user_saml/3rdparty/vendor/composer/installed.json b/custom_apps/user_saml/3rdparty/vendor/composer/installed.json -index 3e4a3a0..a76a1c2 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/composer/installed.json -+++ b/custom_apps/user_saml/3rdparty/vendor/composer/installed.json -@@ -1,146 +1,140 @@ --{ -- "packages": [ -- { -- "name": "firebase/php-jwt", -- "version": "v4.0.0", -- "version_normalized": "4.0.0.0", -- "source": { -- "type": "git", -- "url": "https://github.com/firebase/php-jwt.git", -- "reference": "dccf163dc8ed7ed6a00afc06c51ee5186a428d35" -- }, -- "dist": { -- "type": "zip", -- "url": "https://api.github.com/repos/firebase/php-jwt/zipball/dccf163dc8ed7ed6a00afc06c51ee5186a428d35", -- "reference": "dccf163dc8ed7ed6a00afc06c51ee5186a428d35", -- "shasum": "" -- }, -- "require": { -- "php": ">=5.3.0" -- }, -- "time": "2016-07-18T04:51:16+00:00", -- "type": "library", -- "installation-source": "dist", -- "autoload": { -- "psr-4": { -- "Firebase\\JWT\\": "src" -- } -- }, -- "notification-url": "https://packagist.org/downloads/", -- "license": [ -- "BSD-3-Clause" -- ], -- "authors": [ -- { -- "name": "Neuman Vong", -- "email": "neuman+pear@twilio.com", -- "role": "Developer" -- }, -- { -- "name": "Anant Narayanan", -- "email": "anant@php.net", -- "role": "Developer" -- } -- ], -- "description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. 
Should conform to the current spec.", -- "homepage": "https://github.com/firebase/php-jwt", -- "install-path": "../firebase/php-jwt" -- }, -- { -- "name": "onelogin/php-saml", -- "version": "3.4.1", -- "version_normalized": "3.4.1.0", -- "source": { -- "type": "git", -- "url": "https://github.com/onelogin/php-saml.git", -- "reference": "5fbf3486704ac9835b68184023ab54862c95f213" -- }, -- "dist": { -- "type": "zip", -- "url": "https://api.github.com/repos/onelogin/php-saml/zipball/5fbf3486704ac9835b68184023ab54862c95f213", -- "reference": "5fbf3486704ac9835b68184023ab54862c95f213", -- "shasum": "" -- }, -- "require": { -- "php": ">=5.4", -- "robrichards/xmlseclibs": ">=3.0.4" -- }, -- "require-dev": { -- "pdepend/pdepend": "^2.5.0", -- "php-coveralls/php-coveralls": "^1.0.2 || ^2.0", -- "phploc/phploc": "^2.1 || ^3.0 || ^4.0", -- "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5 || ^7.1", -- "sebastian/phpcpd": "^2.0 || ^3.0 || ^4.0", -- "squizlabs/php_codesniffer": "^3.1.1" -- }, -- "suggest": { -- "ext-curl": "Install curl lib to be able to use the IdPMetadataParser for parsing remote XMLs", -- "ext-gettext": "Install gettext and php5-gettext libs to handle translations", -- "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)" -- }, -- "time": "2019-11-25T17:30:07+00:00", -- "type": "library", -- "installation-source": "dist", -- "autoload": { -- "psr-4": { -- "OneLogin\\": "src/" -- } -- }, -- "notification-url": "https://packagist.org/downloads/", -- "license": [ -- "MIT" -- ], -- "description": "OneLogin PHP SAML Toolkit", -- "homepage": "https://developers.onelogin.com/saml/php", -- "keywords": [ -- "SAML2", -- "onelogin", -- "saml" -- ], -- "install-path": "../onelogin/php-saml" -- }, -- { -- "name": "robrichards/xmlseclibs", -- "version": "3.1.1", -- "version_normalized": "3.1.1.0", -- "source": { -- "type": "git", -- "url": "https://github.com/robrichards/xmlseclibs.git", -- "reference": 
"f8f19e58f26cdb42c54b214ff8a820760292f8df" -- }, -- "dist": { -- "type": "zip", -- "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/f8f19e58f26cdb42c54b214ff8a820760292f8df", -- "reference": "f8f19e58f26cdb42c54b214ff8a820760292f8df", -- "shasum": "" -- }, -- "require": { -- "ext-openssl": "*", -- "php": ">= 5.4" -- }, -- "time": "2020-09-05T13:00:25+00:00", -- "type": "library", -- "installation-source": "dist", -- "autoload": { -- "psr-4": { -- "RobRichards\\XMLSecLibs\\": "src" -- } -- }, -- "notification-url": "https://packagist.org/downloads/", -- "license": [ -- "BSD-3-Clause" -- ], -- "description": "A PHP library for XML Security", -- "homepage": "https://github.com/robrichards/xmlseclibs", -- "keywords": [ -- "security", -- "signature", -- "xml", -- "xmldsig" -- ], -- "install-path": "../robrichards/xmlseclibs" -- } -- ], -- "dev": false, -- "dev-package-names": [] --} -+[ -+ { -+ "name": "firebase/php-jwt", -+ "version": "v4.0.0", -+ "version_normalized": "4.0.0.0", -+ "source": { -+ "type": "git", -+ "url": "https://github.com/firebase/php-jwt.git", -+ "reference": "dccf163dc8ed7ed6a00afc06c51ee5186a428d35" -+ }, -+ "dist": { -+ "type": "zip", -+ "url": "https://api.github.com/repos/firebase/php-jwt/zipball/dccf163dc8ed7ed6a00afc06c51ee5186a428d35", -+ "reference": "dccf163dc8ed7ed6a00afc06c51ee5186a428d35", -+ "shasum": "" -+ }, -+ "require": { -+ "php": ">=5.3.0" -+ }, -+ "time": "2016-07-18T04:51:16+00:00", -+ "type": "library", -+ "installation-source": "dist", -+ "autoload": { -+ "psr-4": { -+ "Firebase\\JWT\\": "src" -+ } -+ }, -+ "notification-url": "https://packagist.org/downloads/", -+ "license": [ -+ "BSD-3-Clause" -+ ], -+ "authors": [ -+ { -+ "name": "Neuman Vong", -+ "email": "neuman+pear@twilio.com", -+ "role": "Developer" -+ }, -+ { -+ "name": "Anant Narayanan", -+ "email": "anant@php.net", -+ "role": "Developer" -+ } -+ ], -+ "description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. 
Should conform to the current spec.", -+ "homepage": "https://github.com/firebase/php-jwt" -+ }, -+ { -+ "name": "onelogin/php-saml", -+ "version": "4.0.0", -+ "version_normalized": "4.0.0.0", -+ "source": { -+ "type": "git", -+ "url": "https://github.com/onelogin/php-saml.git", -+ "reference": "f30f5062f3653c4d2082892d207f4dc3e577d979" -+ }, -+ "dist": { -+ "type": "zip", -+ "url": "https://api.github.com/repos/onelogin/php-saml/zipball/f30f5062f3653c4d2082892d207f4dc3e577d979", -+ "reference": "f30f5062f3653c4d2082892d207f4dc3e577d979", -+ "shasum": "" -+ }, -+ "require": { -+ "php": ">=7.3", -+ "robrichards/xmlseclibs": ">=3.1.1" -+ }, -+ "require-dev": { -+ "pdepend/pdepend": "^2.8.0", -+ "php-coveralls/php-coveralls": "^2.0", -+ "phploc/phploc": "^4.0 || ^5.0 || ^6.0 || ^7.0", -+ "phpunit/phpunit": "^9.5", -+ "sebastian/phpcpd": "^4.0 || ^5.0 || ^6.0 ", -+ "squizlabs/php_codesniffer": "^3.5.8" -+ }, -+ "suggest": { -+ "ext-curl": "Install curl lib to be able to use the IdPMetadataParser for parsing remote XMLs", -+ "ext-dom": "Install xml lib", -+ "ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)", -+ "ext-zlib": "Install zlib" -+ }, -+ "time": "2021-03-02T10:19:19+00:00", -+ "type": "library", -+ "installation-source": "dist", -+ "autoload": { -+ "psr-4": { -+ "OneLogin\\": "src/" -+ } -+ }, -+ "notification-url": "https://packagist.org/downloads/", -+ "license": [ -+ "MIT" -+ ], -+ "description": "OneLogin PHP SAML Toolkit", -+ "homepage": "https://developers.onelogin.com/saml/php", -+ "keywords": [ -+ "SAML2", -+ "onelogin", -+ "saml" -+ ] -+ }, -+ { -+ "name": "robrichards/xmlseclibs", -+ "version": "3.1.1", -+ "version_normalized": "3.1.1.0", -+ "source": { -+ "type": "git", -+ "url": "https://github.com/robrichards/xmlseclibs.git", -+ "reference": "f8f19e58f26cdb42c54b214ff8a820760292f8df" -+ }, -+ "dist": { -+ "type": "zip", -+ "url": 
"https://api.github.com/repos/robrichards/xmlseclibs/zipball/f8f19e58f26cdb42c54b214ff8a820760292f8df", -+ "reference": "f8f19e58f26cdb42c54b214ff8a820760292f8df", -+ "shasum": "" -+ }, -+ "require": { -+ "ext-openssl": "*", -+ "php": ">= 5.4" -+ }, -+ "time": "2020-09-05T13:00:25+00:00", -+ "type": "library", -+ "installation-source": "dist", -+ "autoload": { -+ "psr-4": { -+ "RobRichards\\XMLSecLibs\\": "src" -+ } -+ }, -+ "notification-url": "https://packagist.org/downloads/", -+ "license": [ -+ "BSD-3-Clause" -+ ], -+ "description": "A PHP library for XML Security", -+ "homepage": "https://github.com/robrichards/xmlseclibs", -+ "keywords": [ -+ "security", -+ "signature", -+ "xml", -+ "xmldsig" -+ ] -+ } -+] -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/CHANGELOG b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/CHANGELOG -index 019196b..27a4b2b 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/CHANGELOG -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/CHANGELOG -@@ -1,5 +1,27 @@ - CHANGELOG - ========= -+v4.0.0 -+* Supports PHP 8.X -+ -+v3.6.1 -+* [#467](https://github.com/onelogin/php-saml/issues/467) Fix bug on getSelfRoutedURLNoQuery method -+ -+v3.6.0 -+* Add AES128_GCM encryption on generateNameId method. New setting parameter encryption_algorithm. If you set a encryption method different than AES128_CBC then the algorithm RSA_OAEP_MGF1P will be used as well instead RSA_1_5 -+* PHP 8.0 support -+ -+v3.5.1 -+* 3.5.0 packagist/github release due a confusion were using the master (2.X branch). 
I'm releasing 3.5.1 to fix this issue and go back to 3.X branch -+ -+v3.5.0 -+* [#412](https://github.com/onelogin/php-saml/pull/412) Empty instead of unset the $_SESSION variable -+* [#433](https://github.com/onelogin/php-saml/issues/443) Fix Incorrect Destination in LogoutResponse when using responseUrl #443 -+* Update xmlseclibs to 3.1.1 -+* Add support for SMARTCARD_PKI and RSA_TOKEN Auth Contexts -+* Get lib path dinamically -+* Check for x509Cert of the IdP when loading settings, even if the security index was not provided -+* Support Statements with Attribute elements with the same name enabling the allowRepeatAttributeName setting -+ - v3.4.1 - * Add setSchemasPath to Auth class and fix backward compatibility - -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/README.md b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/README.md -index 7ad8b48..d2199ec 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/README.md -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/README.md -@@ -1,4 +1,4 @@ --# OneLogin's SAML PHP Toolkit Compatible with PHP 5.X & 7.X -+# OneLogin's SAML PHP Toolkit Compatible with PHP 7.X & 8.X - - [![Build Status](https://api.travis-ci.org/onelogin/php-saml.png?branch=master)](http://travis-ci.org/onelogin/php-saml) [![Coverage Status](https://coveralls.io/repos/onelogin/php-saml/badge.png)](https://coveralls.io/r/onelogin/php-saml) [![License](https://poser.pugx.org/onelogin/php-saml/license.png)](https://packagist.org/packages/onelogin/php-saml) - -@@ -10,15 +10,7 @@ and supported by OneLogin Inc. - Warning - ------- - --Version 3.4.0 introduces the 'rejectUnsolicitedResponsesWithInResponseTo' setting parameter, by default disabled, that will allow invalidate unsolicited SAMLResponse. This version as well will reject SAMLResponse if requestId was provided to the validator but the SAMLResponse does not contain a InResponseTo attribute. 
And an additional setting parameter 'destinationStrictlyMatches', by default disabled, that will force that the Destination URL should strictly match to the address that process the SAMLResponse. -- --Version 3.3.1 updates xmlseclibs to 3.0.4 (CVE-2019-3465), but php-saml was not directly affected since it implements additional checks that prevent to exploit that vulnerability. -- --Version 3.3.0 sets strict mode active by default -- --Update php-saml to 3.1.0, this version includes a security patch related to XEE attacks. -- --This version is compatible with PHP 7.X and does not include xmlseclibs (you will need to install it via composer, dependency described in composer.json) -+This version is compatible with PHP >=7.3 and 8.X and does not include xmlseclibs (you will need to install it via composer, dependency described in composer.json) - - Security Guidelines - ------------------- -@@ -132,7 +124,9 @@ Your settings are at risk of being deleted when updating packages using `compose - Compatibility - ------------- - --This 3.X.X supports PHP 7.X. but can be used with PHP >=5.4 as well (5.6.24+ recommended for security reasons). -+This 4.X.X supports PHP >=7.3 . -+ -+It is not compatible with PHP5.6 or PHP7.0. - - Namespaces - ---------- -@@ -472,7 +466,7 @@ $advancedSettings = array( - // Set to false and no AuthContext will be sent in the AuthNRequest. - // Set true or don't present this parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'. - // Set an array with the possible auth context values: array('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'). -- 'requestedAuthnContext' => true, -+ 'requestedAuthnContext' => false, - - // Indicates if the SP will validate all received xmls. - // (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true). -@@ -488,6 +482,10 @@ $advancedSettings = array( - // will be accepted. 
- 'destinationStrictlyMatches' => false, - -+ // If true, the toolkit will not raised an error when the Statement Element -+ // contain atribute elements with name duplicated -+ 'allowRepeatAttributeName' => false, -+ - // If true, SAMLResponses with an InResponseTo value will be rejectd if not - // AuthNRequest ID provided to the validation method. - 'rejectUnsolicitedResponsesWithInResponseTo' => false, -@@ -509,6 +507,17 @@ $advancedSettings = array( - // Notice that sha1 is a deprecated algorithm and should not be used - 'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256', - -+ // Algorithm that the toolkit will use for encryption process. Options: -+ // 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' -+ // 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' -+ // 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' -+ // 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' -+ // 'http://www.w3.org/2009/xmlenc11#aes128-gcm' -+ // 'http://www.w3.org/2009/xmlenc11#aes192-gcm' -+ // 'http://www.w3.org/2009/xmlenc11#aes256-gcm'; -+ // Notice that aes-cbc are not consider secure anymore so should not be used -+ 'encryption_algorithm' => 'http://www.w3.org/2009/xmlenc11#aes128-gcm', -+ - // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses - // uppercase. Turn it True for ADFS compatibility on signature verification - 'lowercaseUrlencoding' => false, -@@ -1202,7 +1211,7 @@ Main class of OneLogin PHP Toolkit - * `getNameId` - Returns the nameID - * `getNameIdFormat` - Gets the NameID Format provided by the SAML response from the IdP. - * `getNameIdNameQualifier` - Gets the NameID NameQualifier provided from the SAML Response String. -- * `getNameIdNameSPQualifier` - Gets the NameID SP NameQualifier provided from the SAML Response String. -+ * `getNameIdSPNameQualifier` - Gets the NameID SP NameQualifier provided from the SAML Response String. - * `getSessionIndex` - Gets the SessionIndex from the AuthnStatement. 
- * `getErrors` - Returns if there were any error - * `getSSOurl` - Gets the SSO url. -@@ -1240,7 +1249,7 @@ SAML 2 Authentication Response class - * `getNameId` - Gets the NameID provided by the SAML response from the IdP. - * `getNameIdFormat` - Gets the NameID Format provided by the SAML response from the IdP. - * `getNameIdNameQualifier` - Gets the NameID NameQualifier provided from the SAML Response String. -- * `getNameIdNameSPQualifier` - Gets the NameID SP NameQualifier provided from the SAML Response String. -+ * `getNameIdSPNameQualifier` - Gets the NameID SP NameQualifier provided from the SAML Response String. - * `getSessionNotOnOrAfter` - Gets the SessionNotOnOrAfter from the - AuthnStatement - * `getSessionIndex` - Gets the SessionIndex from the AuthnStatement. -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/advanced_settings_example.php b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/advanced_settings_example.php -index 1d1552c..d9c16e2 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/advanced_settings_example.php -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/advanced_settings_example.php -@@ -91,6 +91,10 @@ $advancedSettings = array( - // will be accepted. - 'destinationStrictlyMatches' => false, - -+ // If true, the toolkit will not raised an error when the Statement Element -+ // contain atribute elements with name duplicated -+ 'allowRepeatAttributeName' => false, -+ - // If true, SAMLResponses with an InResponseTo value will be rejectd if not - // AuthNRequest ID provided to the validation method. - 'rejectUnsolicitedResponsesWithInResponseTo' => false, -@@ -112,6 +116,17 @@ $advancedSettings = array( - // Notice that sha1 is a deprecated algorithm and should not be used - 'digestAlgorithm' => 'http://www.w3.org/2001/04/xmlenc#sha256', - -+ // Algorithm that the toolkit will use for encryption process. 
Options: -+ // 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' -+ // 'http://www.w3.org/2001/04/xmlenc#aes128-cbc' -+ // 'http://www.w3.org/2001/04/xmlenc#aes192-cbc' -+ // 'http://www.w3.org/2001/04/xmlenc#aes256-cbc' -+ // 'http://www.w3.org/2009/xmlenc11#aes128-gcm' -+ // 'http://www.w3.org/2009/xmlenc11#aes192-gcm' -+ // 'http://www.w3.org/2009/xmlenc11#aes256-gcm'; -+ // Notice that aes-cbc are not consider secure anymore so should not be used -+ 'encryption_algorithm' => 'http://www.w3.org/2009/xmlenc11#aes128-gcm', -+ - // ADFS URL-Encodes SAML data as lowercase, and the toolkit by default uses - // uppercase. Turn it True for ADFS compatibility on signature verification - 'lowercaseUrlencoding' => false, -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/composer.json b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/composer.json -index 2cae8af..42290e8 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/composer.json -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/composer.json -@@ -15,20 +15,28 @@ - "source": "https://github.com/onelogin/php-saml/" - }, - "require": { -- "php": ">=5.4", -- "robrichards/xmlseclibs": ">=3.0.4" -+ "php": ">=7.3", -+ "robrichards/xmlseclibs": ">=3.1.1" - }, - "require-dev": { -- "php-coveralls/php-coveralls": "^1.0.2 || ^2.0", -- "phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5 || ^7.1", -- "sebastian/phpcpd": "^2.0 || ^3.0 || ^4.0", -- "phploc/phploc": "^2.1 || ^3.0 || ^4.0", -- "pdepend/pdepend": "^2.5.0", -- "squizlabs/php_codesniffer": "^3.1.1" -+ "phpunit/phpunit": "^9.5", -+ "php-coveralls/php-coveralls": "^2.0", -+ "sebastian/phpcpd": "^4.0 || ^5.0 || ^6.0 ", -+ "phploc/phploc": "^4.0 || ^5.0 || ^6.0 || ^7.0", -+ "pdepend/pdepend": "^2.8.0", -+ "squizlabs/php_codesniffer": "^3.5.8" -+ }, -+ "config": { -+ "platform": { -+ "php": "7.3.0" -+ }, -+ "optimize-autoloader": true, -+ "sort-packages": true - }, - "suggest": { - "ext-openssl": "Install openssl lib in 
order to handle with x509 certs (require to support sign and encryption)", - "ext-curl": "Install curl lib to be able to use the IdPMetadataParser for parsing remote XMLs", -- "ext-gettext": "Install gettext and php5-gettext libs to handle translations" -+ "ext-dom": "Install xml lib", -+ "ext-zlib": "Install zlib" - } - } -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/phpunit.xml b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/phpunit.xml -index 3629f27..600c3ba 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/phpunit.xml -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/phpunit.xml -@@ -1,18 +1,20 @@ -- -- -- -- ./tests/src -- -- -- -- -- ./src -- -- -- -- -- -- -- -- -+ -+ -+ -+ -+ ./src -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ -+ ./tests/src -+ -+ -+ - -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php -index 5f603a1..70a8715 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Auth.php -@@ -618,46 +618,37 @@ class Auth - return $this->redirectTo($sloUrl, $parameters, $stay); - } - -- /** -- * Gets the SSO url. -+ /** -+ * Gets the IdP SSO url. - * -- * @return string The url of the Single Sign On Service -+ * @return string The url of the IdP Single Sign On Service - */ - public function getSSOurl() - { -- $idpData = $this->_settings->getIdPData(); -- return $idpData['singleSignOnService']['url']; -+ return $this->_settings->getIdPSSOUrl(); - } - - /** -- * Gets the SLO url. -+ * Gets the IdP SLO url. 
- * -- * @return string|null The url of the Single Logout Service -+ * @return string|null The url of the IdP Single Logout Service - */ - public function getSLOurl() - { -- $url = null; -- $idpData = $this->_settings->getIdPData(); -- if (isset($idpData['singleLogoutService']) && isset($idpData['singleLogoutService']['url'])) { -- $url = $idpData['singleLogoutService']['url']; -- } -- return $url; -+ return $this->_settings->getIdPSLOUrl(); - } - - /** -- * Gets the SLO response url. -+ * Gets the IdP SLO response url. - * -- * @return string|null The response url of the Single Logout Service -+ * @return string|null The response url of the IdP Single Logout Service - */ - public function getSLOResponseUrl() - { -- $idpData = $this->_settings->getIdPData(); -- if (isset($idpData['singleLogoutService']) && isset($idpData['singleLogoutService']['responseUrl'])) { -- return $idpData['singleLogoutService']['responseUrl']; -- } -- return $this->getSLOurl(); -+ return $this->_settings->getIdPSLOResponseUrl(); - } - -+ - /** - * Gets the ID of the last AuthNRequest or LogoutRequest generated by the Service Provider. 
- * -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php -index a1311f7..fd9afb5 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/AuthnRequest.php -@@ -55,7 +55,6 @@ class AuthnRequest - $this->_settings = $settings; - - $spData = $this->_settings->getSPData(); -- $idpData = $this->_settings->getIdPData(); - $security = $this->_settings->getSecurityData(); - - $id = Utils::generateUniqueID(); -@@ -150,6 +149,7 @@ REQUESTEDAUTHN; - - $spEntityId = htmlspecialchars($spData['entityId'], ENT_QUOTES); - $acsUrl = htmlspecialchars($spData['assertionConsumerService']['url'], ENT_QUOTES); -+ $destination = $this->_settings->getIdPSSOUrl(); - $request = << - {$spEntityId}{$subjectStr}{$nameIdPolicyStr}{$requestedAuthnStr} -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Constants.php b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Constants.php -index 21261fb..1b467dd 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Constants.php -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Constants.php -@@ -64,9 +64,11 @@ class Constants - const AC_PASSWORD_PROTECTED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'; - const AC_X509 = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'; - const AC_SMARTCARD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard'; -+ const AC_SMARTCARD_PKI = 'urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI'; - const AC_KERBEROS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos'; - const AC_WINDOWS = 'urn:federation:authentication:windows'; - const AC_TLS = 'urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient'; -+ const AC_RSATOKEN = 'urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken'; - 
- // Subject Confirmation - const CM_BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer'; -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php -index d540c22..108c49b 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutRequest.php -@@ -122,12 +122,14 @@ class LogoutRequest - $nameIdSPNameQualifier, - $nameIdFormat, - $cert, -- $nameIdNameQualifier -+ $nameIdNameQualifier, -+ $security['encryption_algorithm'] - ); - - $sessionIndexStr = isset($sessionIndex) ? "{$sessionIndex}" : ""; - - $spEntityId = htmlspecialchars($spData['entityId'], ENT_QUOTES); -+ $destination = $this->_settings->getIdPSLOUrl(); - $logoutRequest = << -+ Destination="{$destination}"> - {$spEntityId} - {$nameIdObj} - {$sessionIndexStr} -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutResponse.php b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutResponse.php -index 700feb0..9c3f020 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutResponse.php -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/LogoutResponse.php -@@ -258,19 +258,18 @@ class LogoutResponse - { - - $spData = $this->_settings->getSPData(); -- $idpData = $this->_settings->getIdPData(); - - $this->id = Utils::generateUniqueID(); - $issueInstant = Utils::parseTime2SAML(time()); -- - $spEntityId = htmlspecialchars($spData['entityId'], ENT_QUOTES); -+ $destination = $this->_settings->getIdPSLOResponseUrl(); - $logoutResponse = << - {$spEntityId} -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php -index b34297f..a2f8d6d 100644 ---- 
a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Response.php -@@ -804,6 +804,9 @@ class Response - { - $attributes = array(); - $entries = $this->_queryAssertion('/saml:AttributeStatement/saml:Attribute'); -+ -+ $security = $this->_settings->getSecurityData(); -+ $allowRepeatAttributeName = $security['allowRepeatAttributeName']; - /** @var $entry DOMNode */ - foreach ($entries as $entry) { - $attributeKeyNode = $entry->attributes->getNamedItem($keyName); -@@ -812,10 +815,12 @@ class Response - } - $attributeKeyName = $attributeKeyNode->nodeValue; - if (in_array($attributeKeyName, array_keys($attributes))) { -- throw new ValidationError( -- "Found an Attribute element with duplicated ".$keyName, -- ValidationError::DUPLICATED_ATTRIBUTE_NAME_FOUND -- ); -+ if (!$allowRepeatAttributeName) { -+ throw new ValidationError( -+ "Found an Attribute element with duplicated ".$keyName, -+ ValidationError::DUPLICATED_ATTRIBUTE_NAME_FOUND -+ ); -+ } - } - $attributeValues = array(); - foreach ($entry->childNodes as $childNode) { -@@ -824,7 +829,12 @@ class Response - $attributeValues[] = $childNode->nodeValue; - } - } -- $attributes[$attributeKeyName] = $attributeValues; -+ -+ if (in_array($attributeKeyName, array_keys($attributes))) { -+ $attributes[$attributeKeyName] = array_merge($attributes[$attributeKeyName], $attributeValues); -+ } else { -+ $attributes[$attributeKeyName] = $attributeValues; -+ } - } - return $attributes; - } -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php -index 3c953fc..43457ba 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Settings.php -@@ -164,7 +164,7 @@ class Settings - 'base' => $basePath, - 'config' => 
$basePath, - 'cert' => $basePath.'certs/', -- 'lib' => $basePath.'src/Saml2/' -+ 'lib' => __DIR__ . '/', - ); - - if (defined('ONELOGIN_CUSTOMPATH')) { -@@ -397,6 +397,11 @@ class Settings - $this->_security['destinationStrictlyMatches'] = false; - } - -+ // Allow duplicated Attribute Names -+ if (!isset($this->_security['allowRepeatAttributeName'])) { -+ $this->_security['allowRepeatAttributeName'] = false; -+ } -+ - // InResponseTo - if (!isset($this->_security['rejectUnsolicitedResponsesWithInResponseTo'])) { - $this->_security['rejectUnsolicitedResponsesWithInResponseTo'] = false; -@@ -425,6 +430,11 @@ class Settings - $this->_security['digestAlgorithm'] = XMLSecurityDSig::SHA256; - } - -+ // EncryptionAlgorithm -+ if (!isset($this->_security['encryption_algorithm'])) { -+ $this->_security['encryption_algorithm'] = XMLSecurityKey::AES128_CBC; -+ } -+ - if (!isset($this->_security['lowercaseUrlencoding'])) { - $this->_security['lowercaseUrlencoding'] = false; - } -@@ -552,19 +562,18 @@ class Settings - $errors[] = 'idp_slo_response_url_invalid'; - } - -- if (isset($settings['security'])) { -- $security = $settings['security']; -+ $existsX509 = isset($idp['x509cert']) && !empty($idp['x509cert']); -+ $existsMultiX509Sign = isset($idp['x509certMulti']) && isset($idp['x509certMulti']['signing']) && !empty($idp['x509certMulti']['signing']); -+ $existsFingerprint = isset($idp['certFingerprint']) && !empty($idp['certFingerprint']); -+ if (!($existsX509 || $existsFingerprint || $existsMultiX509Sign) -+ ) { -+ $errors[] = 'idp_cert_or_fingerprint_not_found_and_required'; -+ } - -- $existsX509 = isset($idp['x509cert']) && !empty($idp['x509cert']); -- $existsMultiX509Sign = isset($idp['x509certMulti']) && isset($idp['x509certMulti']['signing']) && !empty($idp['x509certMulti']['signing']); -+ if (isset($settings['security'])) { - $existsMultiX509Enc = isset($idp['x509certMulti']) && isset($idp['x509certMulti']['encryption']) && !empty($idp['x509certMulti']['encryption']); - 
-- $existsFingerprint = isset($idp['certFingerprint']) && !empty($idp['certFingerprint']); -- if (!($existsX509 || $existsFingerprint || $existsMultiX509Sign) -- ) { -- $errors[] = 'idp_cert_or_fingerprint_not_found_and_required'; -- } -- if ((isset($security['nameIdEncrypted']) && $security['nameIdEncrypted'] == true) -+ if ((isset($settings['security']['nameIdEncrypted']) && $settings['security']['nameIdEncrypted'] == true) - && !($existsX509 || $existsMultiX509Enc) - ) { - $errors[] = 'idp_cert_not_found_and_required'; -@@ -821,6 +830,47 @@ class Settings - return $this->_compress['responses']; - } - -+ /** -+ * Gets the IdP SSO url. -+ * -+ * @return string|null The url of the IdP Single Sign On Service -+ */ -+ public function getIdPSSOUrl() -+ { -+ $ssoUrl = null; -+ if (isset($this->_idp['singleSignOnService']) && isset($this->_idp['singleSignOnService']['url'])) { -+ $ssoUrl = $this->_idp['singleSignOnService']['url']; -+ } -+ return $ssoUrl; -+ } -+ -+ /** -+ * Gets the IdP SLO url. -+ * -+ * @return string|null The request url of the IdP Single Logout Service -+ */ -+ public function getIdPSLOUrl() -+ { -+ $sloUrl = null; -+ if (isset($this->_idp['singleLogoutService']) && isset($this->_idp['singleLogoutService']['url'])) { -+ $sloUrl = $this->_idp['singleLogoutService']['url']; -+ } -+ return $sloUrl; -+ } -+ -+ /** -+ * Gets the IdP SLO response url. -+ * -+ * @return string|null The response url of the IdP Single Logout Service -+ */ -+ public function getIdPSLOResponseUrl() -+ { -+ if (isset($this->_idp['singleLogoutService']) && isset($this->_idp['singleLogoutService']['responseUrl'])) { -+ return $this->_idp['singleLogoutService']['responseUrl']; -+ } -+ return $this->getIdPSLOUrl(); -+ } -+ - /** - * Gets the SP metadata. The XML representation. 
- * -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php -index 50d3d41..582c117 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/Utils.php -@@ -82,11 +82,16 @@ class Utils - assert($dom instanceof DOMDocument); - assert(is_string($xml)); - -- $oldEntityLoader = libxml_disable_entity_loader(true); -+ $oldEntityLoader = null; -+ if (PHP_VERSION_ID < 80000) { -+ $oldEntityLoader = libxml_disable_entity_loader(true); -+ } - - $res = $dom->loadXML($xml); - -- libxml_disable_entity_loader($oldEntityLoader); -+ if (PHP_VERSION_ID < 80000) { -+ libxml_disable_entity_loader($oldEntityLoader); -+ } - - foreach ($dom->childNodes as $child) { - if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) { -@@ -141,9 +146,14 @@ class Utils - $schemaFile = __DIR__ . '/schemas/' . $schema; - } - -- $oldEntityLoader = libxml_disable_entity_loader(false); -+ $oldEntityLoader = null; -+ if (PHP_VERSION_ID < 80000) { -+ $oldEntityLoader = libxml_disable_entity_loader(false); -+ } - $res = $dom->schemaValidate($schemaFile); -- libxml_disable_entity_loader($oldEntityLoader); -+ if (PHP_VERSION_ID < 80000) { -+ libxml_disable_entity_loader($oldEntityLoader); -+ } - if (!$res) { - $xmlErrors = libxml_get_errors(); - syslog(LOG_INFO, 'Error validating the metadata: '.var_export($xmlErrors, true)); -@@ -644,7 +654,7 @@ class Utils - - $pos = strpos($selfRoutedURLNoQuery, "?"); - if ($pos !== false) { -- $selfRoutedURLNoQuery = substr($selfRoutedURLNoQuery, 0, $pos-1); -+ $selfRoutedURLNoQuery = substr($selfRoutedURLNoQuery, 0, $pos); - } - - return $selfRoutedURLNoQuery; -@@ -964,12 +974,12 @@ class Utils - */ - public static function deleteLocalSession() - { -- - if (Utils::isSessionStarted()) { -+ session_unset(); - session_destroy(); -+ } else { -+ $_SESSION = array(); - 
} -- -- unset($_SESSION); - } - - /** -@@ -1046,12 +1056,13 @@ class Utils - * @param string|null $format SP Format - * @param string|null $cert IdP Public cert to encrypt the nameID - * @param string|null $nq IdP Name Qualifier -+ * @param string|null $encAlg Encryption algorithm - * - * @return string $nameIDElement DOMElement | XMLSec nameID - * - * @throws Exception - */ -- public static function generateNameId($value, $spnq, $format = null, $cert = null, $nq = null) -+ public static function generateNameId($value, $spnq, $format = null, $cert = null, $nq = null, $encAlg = XMLSecurityKey::AES128_CBC) - { - - $doc = new DOMDocument(); -@@ -1071,14 +1082,18 @@ class Utils - $doc->appendChild($nameId); - - if (!empty($cert)) { -- $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type'=>'public')); -+ if ($encAlg == XMLSecurityKey::AES128_CBC) { -+ $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_1_5, array('type'=>'public')); -+ } else { -+ $seckey = new XMLSecurityKey(XMLSecurityKey::RSA_OAEP_MGF1P, array('type'=>'public')); -+ } - $seckey->loadKey($cert); - - $enc = new XMLSecEnc(); - $enc->setNode($nameId); - $enc->type = XMLSecEnc::Element; - -- $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC); -+ $symmetricKey = new XMLSecurityKey($encAlg); - $symmetricKey->generateSessionKey(); - $enc->encryptKey($seckey, $symmetricKey); - -@@ -1390,7 +1405,7 @@ class Utils - * Validates a signature (Message or Assertion). 
- * - * @param string|\DomNode $xml The element we should validate -- * @param string|null $cert The pubic cert -+ * @param string|null $cert The public cert - * @param string|null $fingerprint The fingerprint of the public cert - * @param string|null $fingerprintalg The algorithm used to get the fingerprint - * @param string|null $xpath The xpath of the signed element -diff --git a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json -index 0fdfc33..220f250 100644 ---- a/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json -+++ b/custom_apps/user_saml/3rdparty/vendor/onelogin/php-saml/src/Saml2/version.json -@@ -1,7 +1,7 @@ - { - "php-saml": { -- "version": "3.4.1", -- "released": "25/11/2019" -+ "version": "4.0.0", -+ "released": "02/03/2021" - } - } - diff --git a/overlays/00-sample/publish.profile b/overlays/00-sample/publish.profile index ad74ed6..36dc91f 100644 --- a/overlays/00-sample/publish.profile +++ b/overlays/00-sample/publish.profile 
@@ -38,16 +38,17 @@ CONTAINER_ENGINE="docker"
 # available in the deployed image.
 #
 NEXTCLOUD_CUSTOM_APPS=(
- 'https://github.com/westberliner/checksum/releases/download/v1.1.3/checksum.tar.gz'
- 'https://github.com/nextcloud/files_antivirus/releases/download/v3.2.2/files_antivirus.tar.gz'
- 'https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.13.0/files_automatedtagging-v1.13.0.tar.gz'
- 'https://github.com/nextcloud-releases/files_downloadactivity/releases/download/v1.12.0/files_downloadactivity-v1.12.0.tar.gz'
+ 'https://github.com/westberliner/checksum/releases/download/v1.1.4/checksum.tar.gz'
+ 'https://github.com/nextcloud/files_antivirus/releases/download/v3.3.1/files_antivirus.tar.gz'
+ 'https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.0/files_automatedtagging-v1.14.0.tar.gz'
+ 'https://github.com/nextcloud-releases/files_downloadactivity/releases/download/v1.13.0/files_downloadactivity-v1.13.0.tar.gz'
+ 'https://github.com/Inveniem/nextcloud-files-excludedirs/releases/download/v1.0.0-beta/nextcloud_files_excludedirs-v1.0.0-beta.tar.gz'
 'https://github.com/nextcloud/files_rightclick/releases/download/v0.15.1/files_rightclick.tar.gz'
- 'https://github.com/gino0631/nextcloud-metadata/releases/latest/download/metadata.tar.gz'
- 'https://github.com/owncloud/music/releases/download/v1.5.1/music_1.5.1_for_nextcloud.tar.gz'
- 'https://github.com/nextcloud-releases/previewgenerator/releases/download/v4.0.0/previewgenerator.tar.gz'
- 'https://github.com/nextcloud/user_external/releases/download/v2.1.0/user_external-2.1.0.tar.gz'
- 'https://github.com/nextcloud/user_saml/releases/download/v4.1.1/user_saml-4.1.1.tar.gz'
+ 'https://github.com/gino0631/nextcloud-metadata/releases/download/v0.16.0/metadata.tar.gz'
+ 'https://github.com/owncloud/music/releases/download/v1.6.0/music_1.6.0_for_nextcloud.tar.gz'
+ 
'https://github.com/nextcloud-releases/previewgenerator/releases/download/v5.0.0/previewgenerator-v5.0.0.tar.gz' + 'https://github.com/nextcloud-releases/user_external/releases/download/v3.0.0/user_external-v3.0.0.tar.gz' + 'https://github.com/nextcloud-releases/user_saml/releases/download/v5.0.3/user_saml-v5.0.3.tar.gz' ) ################################################################################ From 2442458b176197399b73c10b24ac810bf4ed57de Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Mon, 10 Oct 2022 20:15:53 -0400 Subject: [PATCH 22/26] Update to Nextcloud 23.0.10 --- docker/backend-nextcloud-apache/Dockerfile | 2 +- docker/backend-nextcloud-fpm/Dockerfile | 2 +- docker/nextcloud-cron/Dockerfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/backend-nextcloud-apache/Dockerfile b/docker/backend-nextcloud-apache/Dockerfile index d7ae21d..9b8b50a 100644 --- a/docker/backend-nextcloud-apache/Dockerfile +++ b/docker/backend-nextcloud-apache/Dockerfile @@ -8,7 +8,7 @@ # @copyright Copyright (c) 2019, Inveniem # @license GNU AGPL version 3 or any later version # -FROM nextcloud:23.0.9-apache +FROM nextcloud:23.0.10-apache ENV NEXTCLOUD_CONFIG_READ_ONLY "false" ENV NEXTCLOUD_INIT_LOCK "true" diff --git a/docker/backend-nextcloud-fpm/Dockerfile b/docker/backend-nextcloud-fpm/Dockerfile index 4611bff..65663d4 100644 --- a/docker/backend-nextcloud-fpm/Dockerfile +++ b/docker/backend-nextcloud-fpm/Dockerfile @@ -59,7 +59,7 @@ RUN set -eux;\ ################################################################################ # This is the container that actually gets pushed. # -FROM nextcloud:23.0.9-fpm-alpine +FROM nextcloud:23.0.10-fpm-alpine ENV NEXTCLOUD_CONFIG_READ_ONLY "false" ENV NEXTCLOUD_INIT_LOCK "true" diff --git a/docker/nextcloud-cron/Dockerfile b/docker/nextcloud-cron/Dockerfile index 5a9c70d..71ccd1b 100644 --- a/docker/nextcloud-cron/Dockerfile +++ b/docker/nextcloud-cron/Dockerfile 
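Review bot: Every archive re-pinned or added in this hunk (checksum through user_saml, plus the new nextcloud-files-excludedirs entry) is identified only by the release tag embedded in its URL; nothing in the profile records a digest, so a re-tagged or replaced release asset would be fetched without anything noticing. Whether the consumer of NEXTCLOUD_CUSTOM_APPS verifies what it downloads is not visible from this hunk, so this may already be handled elsewhere in the build. If the tooling can take one, a per-archive checksum beside each URL would make the pin meaningful; otherwise a comment above the array such as `# Tag-pinned only: release assets are not integrity-checked at build time` tells the next maintainer what the pin does and does not guarantee.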
@@ -7,7 +7,7 @@ # @copyright Copyright (c) 2019-2020, Inveniem # @license GNU AGPL version 3 or any later version # -FROM nextcloud:23.0.9-apache +FROM nextcloud:23.0.10-apache ENV NEXTCLOUD_CONFIG_READ_ONLY "true" From e3fd10daf8a08a6410680c3a8d09f00dfac90302 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Mon, 10 Oct 2022 20:18:37 -0400 Subject: [PATCH 23/26] Update New Relic Agent Version in Sample Publish Profile --- overlays/00-sample/publish.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/overlays/00-sample/publish.profile b/overlays/00-sample/publish.profile index 36dc91f..a3777fe 100644 --- a/overlays/00-sample/publish.profile +++ b/overlays/00-sample/publish.profile @@ -70,7 +70,7 @@ NEW_RELIC_KEY="" # # Leave blank if you do not use New Relic monitoring. # -NEW_RELIC_AGENT_URL="https://download.newrelic.com/php_agent/release/newrelic-php5-9.19.0.309-linux.tar.gz" +NEW_RELIC_AGENT_URL="https://download.newrelic.com/php_agent/release/newrelic-php5-10.2.0.314-linux.tar.gz" ## # The name by which you would like Nextcloud to identify itself in New Relic. From a6931dace0943beea1b1d38548421a5ba78638d9 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Mon, 10 Oct 2022 20:50:27 -0400 Subject: [PATCH 24/26] Update to v1.0.1 of Inveniem "Exclude Directories" Plugin in Sample --- overlays/00-sample/publish.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/overlays/00-sample/publish.profile b/overlays/00-sample/publish.profile index a3777fe..f59b24b 100644 --- a/overlays/00-sample/publish.profile +++ b/overlays/00-sample/publish.profile 
@@ -42,7 +42,7 @@ NEXTCLOUD_CUSTOM_APPS=(
 'https://github.com/nextcloud/files_antivirus/releases/download/v3.3.1/files_antivirus.tar.gz'
 'https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.0/files_automatedtagging-v1.14.0.tar.gz'
 'https://github.com/nextcloud-releases/files_downloadactivity/releases/download/v1.13.0/files_downloadactivity-v1.13.0.tar.gz'
- 'https://github.com/Inveniem/nextcloud-files-excludedirs/releases/download/v1.0.0-beta/nextcloud_files_excludedirs-v1.0.0-beta.tar.gz'
+ 'https://github.com/Inveniem/nextcloud-files-excludedirs/releases/download/v1.0.1-beta/nextcloud_files_excludedirs-v1.0.1-beta.tar.gz'
 'https://github.com/nextcloud/files_rightclick/releases/download/v0.15.1/files_rightclick.tar.gz'
 'https://github.com/gino0631/nextcloud-metadata/releases/download/v0.16.0/metadata.tar.gz'
 'https://github.com/owncloud/music/releases/download/v1.6.0/music_1.6.0_for_nextcloud.tar.gz'
From 27c9ded0313af12e9c9221424b17c995d5f56da4 Mon Sep 17 00:00:00 2001
From: Guy Elsmore-Paddock
Date: Mon, 10 Oct 2022 22:34:30 -0400
Subject: [PATCH 25/26] Upgrade Plugins to Latest Available Versions for NC 23.0.10

---
 overlays/00-sample/publish.profile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/overlays/00-sample/publish.profile b/overlays/00-sample/publish.profile
index f59b24b..4cf9407 100644
--- a/overlays/00-sample/publish.profile
+++ b/overlays/00-sample/publish.profile
@@ -40,13 +40,13 @@ CONTAINER_ENGINE="docker"
 NEXTCLOUD_CUSTOM_APPS=(
 'https://github.com/westberliner/checksum/releases/download/v1.1.4/checksum.tar.gz'
 'https://github.com/nextcloud/files_antivirus/releases/download/v3.3.1/files_antivirus.tar.gz'
- 'https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.14.0/files_automatedtagging-v1.14.0.tar.gz'
- 'https://github.com/nextcloud-releases/files_downloadactivity/releases/download/v1.13.0/files_downloadactivity-v1.13.0.tar.gz'
+ 'https://github.com/nextcloud-releases/files_automatedtagging/releases/download/v1.13.0/files_automatedtagging-v1.13.0.tar.gz'
+ 'https://github.com/nextcloud-releases/files_downloadactivity/releases/download/v1.15.0/files_downloadactivity-v1.15.0.tar.gz'
 'https://github.com/Inveniem/nextcloud-files-excludedirs/releases/download/v1.0.1-beta/nextcloud_files_excludedirs-v1.0.1-beta.tar.gz'
 'https://github.com/nextcloud/files_rightclick/releases/download/v0.15.1/files_rightclick.tar.gz'
 'https://github.com/gino0631/nextcloud-metadata/releases/download/v0.16.0/metadata.tar.gz'
 'https://github.com/owncloud/music/releases/download/v1.6.0/music_1.6.0_for_nextcloud.tar.gz'
- 'https://github.com/nextcloud-releases/previewgenerator/releases/download/v5.0.0/previewgenerator-v5.0.0.tar.gz'
+ 'https://github.com/nextcloud-releases/previewgenerator/releases/download/v5.1.0/previewgenerator-v5.1.0.tar.gz'
 'https://github.com/nextcloud-releases/user_external/releases/download/v3.0.0/user_external-v3.0.0.tar.gz'
 'https://github.com/nextcloud-releases/user_saml/releases/download/v5.0.3/user_saml-v5.0.3.tar.gz'
 )
From 151b737dc7de00f8600fc4c8d006b933e28fee74 Mon Sep 17 00:00:00 2001
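Review bot: files_automatedtagging moves from v1.14.0 back to v1.13.0 in this hunk while the commit subject says plugins are upgraded to the latest available versions, and the same entry was bumped to v1.14.0 earlier in the series; a later "upgrade everything" pass will re-bump it unless the reason is recorded. If the downgrade is deliberate (it looks like a compatibility hold for NC 23.0.10, but that is not stated anywhere visible), put the reason next to the pin, e.g. `# files_automatedtagging held at v1.13.0 on purpose: <reason>` on the line above it, and mention it in the commit message. If it is accidental, the line should read v1.14.0 as before.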
From: Guy Elsmore-Paddock
Date: Mon, 10 Oct 2022 22:40:28 -0400
Subject: [PATCH 26/26] Add "OpenID Connect Login" App to Sample Publish Profile

This may provide better UX for Azure AD than the SAML plug-in. This is experimental and needs to be tested.
---
 overlays/00-sample/publish.profile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/overlays/00-sample/publish.profile b/overlays/00-sample/publish.profile
index 4cf9407..cf4e557 100644
--- a/overlays/00-sample/publish.profile
+++ b/overlays/00-sample/publish.profile
@@ -47,6 +47,7 @@ NEXTCLOUD_CUSTOM_APPS=(
 'https://github.com/gino0631/nextcloud-metadata/releases/download/v0.16.0/metadata.tar.gz'
 'https://github.com/owncloud/music/releases/download/v1.6.0/music_1.6.0_for_nextcloud.tar.gz'
 'https://github.com/nextcloud-releases/previewgenerator/releases/download/v5.1.0/previewgenerator-v5.1.0.tar.gz'
+ 'https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v2.3.3/oidc_login.tar.gz'
 'https://github.com/nextcloud-releases/user_external/releases/download/v3.0.0/user_external-v3.0.0.tar.gz'
 'https://github.com/nextcloud-releases/user_saml/releases/download/v5.0.3/user_saml-v5.0.3.tar.gz'
 )
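Review bot: oidc_login is an authentication app that the commit description itself calls experimental and still to be tested, yet the sample profile installs it unconditionally next to user_saml, so anyone copying the sample ships two login providers, one of them unvetted. Consider leaving the entry commented out in the sample, or at least annotating it inline, e.g. `# Experimental: OIDC login as an Azure AD alternative to user_saml; not yet tested` on the line above. The asset is also fetched from a personal repository (pulsejet) rather than nextcloud-releases like most of its neighbours, which is fine but worth saying in the same comment so the provenance difference is visibly deliberate.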