also use nextcloud certificate bundle when downloading from s3

Signed-off-by: Robin Appelman <robin@icewind.nl>
nextcloud · Jul 5, 2022 · bffa67c · bffa67c
1 parent de35041
commit bffa67c
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 10 deletions.
diff --git a/lib/private/Files/ObjectStore/S3ConnectionTrait.php b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
@@ -121,15 +121,6 @@ public function getConnection() {
 			)
 		);
 
-		// since we store the certificate bundles on the primary storage, we can't get the bundle while setting up the primary storage
-		if (!isset($this->params['primary_storage'])) {
-			/** @var ICertificateManager $certManager */
-			$certManager = \OC::$server->get(ICertificateManager::class);
-			$certPath = $certManager->getAbsoluteBundlePath();
-		} else {
-			$certPath = \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
-		}
-
 		$options = [
 			'version' => isset($this->params['version']) ? $this->params['version'] : 'latest',
 			'credentials' => $provider,
@@ -139,7 +130,7 @@ public function getConnection() {
 			'signature_provider' => \Aws\or_chain([self::class, 'legacySignatureProvider'], ClientResolver::_default_signature_provider()),
 			'csm' => false,
 			'use_arn_region' => false,
-			'http' => ['verify' => $certPath],
+			'http' => ['verify' => $this->getCertificateBundlePath()],
 		];
 		if ($this->getProxy()) {
 			$options['http']['proxy'] = $this->getProxy();
@@ -218,4 +209,15 @@ protected function paramCredentialProvider() : callable {
 			return new RejectedPromise(new CredentialsException($msg));
 		};
 	}
+
+	protected function getCertificateBundlePath(): string {
+		// since we store the certificate bundles on the primary storage, we can't get the bundle while setting up the primary storage
+		if (!isset($this->params['primary_storage'])) {
+			/** @var ICertificateManager $certManager */
+			$certManager = \OC::$server->get(ICertificateManager::class);
+			return $certManager->getAbsoluteBundlePath();
+		} else {
+			return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+		}
+	}
 }
diff --git a/lib/private/Files/ObjectStore/S3ObjectTrait.php b/lib/private/Files/ObjectStore/S3ObjectTrait.php
@@ -43,6 +43,8 @@ trait S3ObjectTrait {
 	 */
 	abstract protected function getConnection();
 
+	abstract protected function getCertificateBundlePath(): string;
+
 	/**
 	 * @param string $urn the unified resource name used to identify the object
 	 * @return resource stream with the read data
@@ -68,6 +70,9 @@ public function readObject($urn) {
 					'protocol_version' => $request->getProtocolVersion(),
 					'header' => $headers,
 				],
+				'ssl' => [
+					'cafile' => $this->getCertificateBundlePath()
+				]
 			];
 
 			if ($this->getProxy()) {