Merge pull request #32963 from nextcloud/s3-crt-bundle-download

also use nextcloud certificate bundle when downloading from s3
2025-03-13 07:53:51 +00:00 · 2022-07-18 09:51:19 +02:00 · 2022-07-18 09:51:19 +02:00 · 52dc51cde3
commit 52dc51cde3
parent 9457ec8d49 f1486890d7
2 changed files with 24 additions and 12 deletions
--- a/lib/private/Files/ObjectStore/S3ConnectionTrait.php
+++ b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
@ -28,6 +28,7 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */
+
 namespace OC\Files\ObjectStore;

 use Aws\ClientResolver;
@ -121,15 +122,6 @@ trait S3ConnectionTrait {
 			)
 		);

-		// since we store the certificate bundles on the primary storage, we can't get the bundle while setting up the primary storage
-		if (!isset($this->params['primary_storage'])) {
-			/** @var ICertificateManager $certManager */
-			$certManager = \OC::$server->get(ICertificateManager::class);
-			$certPath = $certManager->getAbsoluteBundlePath();
-		} else {
-			$certPath = \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
-		}
-
 		$options = [
 			'version' => isset($this->params['version']) ? $this->params['version'] : 'latest',
 			'credentials' => $provider,
@ -139,7 +131,7 @@ trait S3ConnectionTrait {
 			'signature_provider' => \Aws\or_chain([self::class, 'legacySignatureProvider'], ClientResolver::_default_signature_provider()),
 			'csm' => false,
 			'use_arn_region' => false,
-			'http' => ['verify' => $certPath],
+			'http' => ['verify' => $this->getCertificateBundlePath()],
 		];
 		if ($this->getProxy()) {
 			$options['http']['proxy'] = $this->getProxy();
@ -152,7 +144,7 @@ trait S3ConnectionTrait {
 		if (!$this->connection::isBucketDnsCompatible($this->bucket)) {
 			$logger = \OC::$server->get(LoggerInterface::class);
 			$logger->debug('Bucket "' . $this->bucket . '" This bucket name is not dns compatible, it may contain invalid characters.',
-					 ['app' => 'objectstore']);
+				['app' => 'objectstore']);
 		}

 		if ($this->params['verify_bucket_exists'] && !$this->connection->doesBucketExist($this->bucket)) {
@ -203,7 +195,7 @@ trait S3ConnectionTrait {
 	/**
 	 * This function creates a credential provider based on user parameter file
 	 */
-	protected function paramCredentialProvider() : callable {
+	protected function paramCredentialProvider(): callable {
 		return function () {
 			$key = empty($this->params['key']) ? null : $this->params['key'];
 			$secret = empty($this->params['secret']) ? null : $this->params['secret'];
@ -218,4 +210,19 @@ trait S3ConnectionTrait {
 			return new RejectedPromise(new CredentialsException($msg));
 		};
 	}
+
+	protected function getCertificateBundlePath(): ?string {
+		if ((int)($this->params['use_nextcloud_bundle'] ?? "0")) {
+			// since we store the certificate bundles on the primary storage, we can't get the bundle while setting up the primary storage
+			if (!isset($this->params['primary_storage'])) {
+				/** @var ICertificateManager $certManager */
+				$certManager = \OC::$server->get(ICertificateManager::class);
+				return $certManager->getAbsoluteBundlePath();
+			} else {
+				return \OC::$SERVERROOT . '/resources/config/ca-bundle.crt';
+			}
+		} else {
+			return null;
+		}
+	}
 }
--- a/lib/private/Files/ObjectStore/S3ObjectTrait.php
+++ b/lib/private/Files/ObjectStore/S3ObjectTrait.php
@ -43,6 +43,8 @@ trait S3ObjectTrait {
 	 */
 	abstract protected function getConnection();

+	abstract protected function getCertificateBundlePath(): ?string;
+
 	/**
 	 * @param string $urn the unified resource name used to identify the object
 	 * @return resource stream with the read data
@ -68,6 +70,9 @@ trait S3ObjectTrait {
 					'protocol_version' => $request->getProtocolVersion(),
 					'header' => $headers,
 				],
+				'ssl' => [
+					'cafile' => $this->getCertificateBundlePath()
+				]
 			];

 			if ($this->getProxy()) {