server/core/Controller/OccController.php
VicDeo 854352d9a0 occ web executor (#24957)
* Initial web executor

* Fix PHPDoc

Fix broken integration test

OccControllerTests do not require database access - moch them all!

Kill unused sprintf
2016-06-22 13:12:36 +02:00

147 lines
3.9 KiB
PHP

<?php
/**
* @author Victor Dubiniuk <dubiniuk@owncloud.com>
*
* @copyright Copyright (c) 2016, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OC\Core\Controller;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\JSONResponse;
use OC\Console\Application;
use OCP\IConfig;
use OCP\IRequest;
use Symfony\Component\Console\Input\ArrayInput;
use Symfony\Component\Console\Output\BufferedOutput;
class OccController extends Controller {
/** @var array */
private $allowedCommands = [
'app:disable',
'app:enable',
'app:getpath',
'app:list',
'check',
'config:list',
'maintenance:mode',
'status',
'upgrade'
];
/** @var IConfig */
private $config;
/** @var Application */
private $console;
/**
* OccController constructor.
*
* @param string $appName
* @param IRequest $request
* @param IConfig $config
* @param Application $console
*/
public function __construct($appName, IRequest $request,
IConfig $config, Application $console) {
parent::__construct($appName, $request);
$this->config = $config;
$this->console = $console;
}
/**
* @PublicPage
* @NoCSRFRequired
*
* Execute occ command
* Sample request
* POST http://domain.tld/index.php/occ/status',
* {
* 'params': {
* '--no-warnings':'1',
* '--output':'json'
* },
* 'token': 'someToken'
* }
*
* @param string $command
* @param string $token
* @param array $params
*
* @return JSONResponse
* @throws \Exception
*/
public function execute($command, $token, $params = []) {
try {
$this->validateRequest($command, $token);
$output = new BufferedOutput();
$formatter = $output->getFormatter();
$formatter->setDecorated(false);
$this->console->setAutoExit(false);
$this->console->loadCommands(new ArrayInput([]), $output);
$inputArray = array_merge(['command' => $command], $params);
$input = new ArrayInput($inputArray);
$exitCode = $this->console->run($input, $output);
$response = $output->fetch();
$json = [
'exitCode' => $exitCode,
'response' => $response
];
} catch (\UnexpectedValueException $e){
$json = [
'exitCode' => 126,
'response' => 'Not allowed',
'details' => $e->getMessage()
];
}
return new JSONResponse($json);
}
/**
* Check if command is allowed and has a valid security token
* @param $command
* @param $token
*/
protected function validateRequest($command, $token){
if (!in_array($this->request->getRemoteAddress(), ['::1', '127.0.0.1', 'localhost'])) {
throw new \UnexpectedValueException('Web executor is not allowed to run from a different host');
}
if (!in_array($command, $this->allowedCommands)) {
throw new \UnexpectedValueException(sprintf('Command "%s" is not allowed to run via web request', $command));
}
$coreToken = $this->config->getSystemValue('updater.secret', '');
if ($coreToken === '') {
throw new \UnexpectedValueException(
'updater.secret is undefined in config/config.php. Either browse the admin settings in your ownCloud and click "Open updater" or define a strong secret using <pre>php -r \'echo password_hash("MyStrongSecretDoUseYourOwn!", PASSWORD_DEFAULT)."\n";\'</pre> and set this in the config.php.'
);
}
if (!password_verify($token, $coreToken)) {
throw new \UnexpectedValueException(
'updater.secret does not match the provided token'
);
}
}
}