Merge pull request #124 from GDATASoftwareAG/backport-v29

Backport v29

.devcontainer/postCreateCommands.sh

@@ -5,10 +5,14 @@ sudo apt-get install -y bash-completion vim iputils-ping telnet
 sudo bash -c "docker completion bash > /usr/share/bash-completion/completions/docker"
 sudo bash -c "composer completion bash > /usr/share/bash-completion/completions/composer"
 sudo bash -c "npm completion > /usr/share/bash-completion/completions/npm"
+sudo cp xdebug.local.ini /usr/local/etc/php/conf.d/xdebug.ini
+sudo curl -sS https://webi.sh/gh | sh
 
 echo ". /usr/share/bash-completion/bash_completion" >> /home/vscode/.bashrc
 
 NEXTCLOUD_VERSION=$(grep -oP "[0-9]+\.[0-9]+\.[0-9]+" install.sh)
+mkdir -p ~/.ssh/
+ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts
 git clone --depth 1 --recurse-submodules --single-branch --branch v$NEXTCLOUD_VERSION git@github.com:nextcloud/server.git ./nextcloud-server
 cd nextcloud-server
 git submodule update --init

.github/workflows/release-app.yml

@@ -52,29 +52,47 @@ jobs:
           CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
           CLIENT_SECRET: ${{ secrets.VAAS_CLIENT_SECRET }}
         run: |
-          composer install --quiet
+          composer install
           ./vendor/bin/phpunit --bootstrap tests/unittests/bootstrap.php tests/unittests/ --testdox
 
       - name: install nextcloud
         env:
           CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
           CLIENT_SECRET: ${{ secrets.VAAS_CLIENT_SECRET }}
-        run: ./install.sh ${{ matrix.nextcloud_version }}
+        run: ./install.sh ${{ matrix.nextcloud_version }} 1
 
       - name: run tests
+        id: bats-tests
         env:
           CLIENT_ID: ${{ secrets.VAAS_CLIENT_ID }}
           CLIENT_SECRET: ${{ secrets.VAAS_CLIENT_SECRET }}
-        run: bats --no-parallelize-across-files --jobs 2 ./tests/bats
+        run: |
+          if bats --verbose-run --timing --trace --no-parallelize-across-files --jobs 2 ./tests/bats; then
+            echo "bats_run=success" | tee -a "$GITHUB_OUTPUT";
+          else
+            echo "bats_run=fail" | tee -a "$GITHUB_OUTPUT";
+          fi
 
       - uses: actions/upload-artifact@master
         with:
+          overwrite: true
+          name: core-dump
+          path: coredumps/*
+
+      - name: fail if bats tests did fail
+        if: steps.bats-tests.outputs.bats_run == 'fail'
+        run: exit 1
+
+      - uses: actions/upload-artifact@master
+        with:
+          overwrite: true
           name: build-dir
           path: build/
 
   release:
     needs:
       - test
+      - define-matrix
     runs-on: ubuntu-latest
     if: startsWith(github.ref, 'refs/tags/')
     steps:

.gitignore

@@ -4,6 +4,7 @@
 .idea
 *.local
 *.iml
+*.local.php
 /build/
 node_modules/
 /.php_cs.cache
@@ -64,5 +65,8 @@ js/
 .uuid
 eicar.com.txt
 tmp/
-
-nextcloud-server/
+core.1
+nextcloud-server/
+core-dump.zip
+apache/
+**/vendor/*

.vscode/launch.json

@@ -26,7 +26,7 @@
             "name": "Listen for Xdebug",
             "type": "php",
             "request": "launch",
-            "port": 9000
+            "port": 9003
         },
         {
             "name": "Launch currently open script",

Dockerfile.Nextcloud

@@ -1,8 +1,36 @@
-ARG NEXTCLOUD_VERSION=29.0.4
+ARG NEXTCLOUD_VERSION=29.0.6
+ARG INSTALL_XDEBUG=1
 
 FROM nextcloud:${NEXTCLOUD_VERSION}
 
-RUN apt update && apt install -y less vim telnet iputils-ping
+RUN apt update && apt install -y \
+    less vim telnet iputils-ping gdb libexpat1-dev libapr1-dev libaprutil1-dev devscripts debmake \
+    bison jdupes libbrotli-dev liblua5.4-dev libnghttp2-dev libssl-dev libxml2-dev libcurl4-openssl-dev libjansson-dev
+# RUN curl -L -o /tmp/apache2_2.4.61.orig.tar.gz https://launchpad.net/debian/+archive/primary/+sourcefiles/apache2/2.4.61-1/apache2_2.4.61.orig.tar.gz \
+#     && tar -xzf /tmp/apache2_2.4.61.orig.tar.gz -C /tmp \
+#     && mv /tmp/httpd-2.4.61 /tmp/apache2-2.4.61 \
+#     && curl -L -o /tmp/apache2_2.4.61-1.debian.tar.xz https://launchpad.net/debian/+archive/primary/+sourcefiles/apache2/2.4.61-1/apache2_2.4.61-1.debian.tar.xz \
+#     && tar -xf /tmp/apache2_2.4.61-1.debian.tar.xz -C /tmp \
+#     && mv /tmp/debian /tmp/apache2-2.4.61/debian \
+#     && cd /tmp/apache2-2.4.61 \
+#     && debuild || echo "no signature"
+RUN curl -o /root/.gdbinit https://raw.githubusercontent.com/php/php-src/master/.gdbinit
+RUN ulimit -c unlimited
+RUN mkdir -p /tmp/apache2-coredump \
+    && chown -R www-data:www-data /tmp/apache2-coredump \
+    && chmod 777 /tmp/apache2-coredump \
+    && echo "CoreDumpDirectory /tmp/apache2-coredump" >> /etc/apache2/apache2.conf
 ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/latest/download/install-php-extensions /usr/local/bin/
-RUN install-php-extensions gd xdebug
-COPY xdebug.ini /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini
+RUN mv "$PHP_INI_DIR/php.ini-development" "$PHP_INI_DIR/php.ini"
+RUN sed -i 's/max_execution_time = 30/max_execution_time = -1/g' "$PHP_INI_DIR/php.ini"
+RUN sed -i 's/max_input_time = 60/max_input_time = -1/g' "$PHP_INI_DIR/php.ini"
+RUN sed -i 's/memory_limit = 128M/memory_limit = -1/g' "$PHP_INI_DIR/php.ini"
+RUN echo "error_log = /var/www/html/data/php.log" >> "$PHP_INI_DIR/php.ini"
+RUN sed -i 's/#LogLevel info ssl:warn/LogLevel debug/g' /etc/apache2/sites-available/000-default.conf
+
+COPY xdebug.ini /tmp/xdebug.ini
+RUN if [[ "$INSTALL_XDEBUG" == "1" ]]; then \
+    install-php-extensions gd xdebug; \
+    mv /tmp/xdebug.ini /usr/local/etc/php/conf.d/docker-php-ext-xdebug.ini; \
+    fi
+

Makefile

@@ -121,6 +121,16 @@ appstore: build
 	tar czf $(appstore_package_name).tar.gz \
 	--transform s/$(app_directory_name)/$(app_real_name)/ \
 	--exclude-vcs \
+	--exclude="../$(app_directory_name)/opcache-disabled.ini" \
+	--exclude="../$(app_directory_name)/opcache-blacklist.txt" \
+	--exclude="../$(app_directory_name)/artifacts" \
+	--exclude="../$(app_directory_name)/tmp*" \
+	--exclude="../$(app_directory_name)/Dockerfile*" \
+	--exclude="../$(app_directory_name)/nextcloud-server*" \
+	--exclude="../$(app_directory_name)/compose-install.yaml" \
+	--exclude="../$(app_directory_name)/empty-skeleton.config.php" \
+	--exclude="../$(app_directory_name)/get-matrix.sh" \
+	--exclude="../$(app_directory_name)/xdebug.*" \
 	--exclude="../$(app_directory_name)/build" \
 	--exclude="../$(app_directory_name)/tests" \
 	--exclude="../$(app_directory_name)/Makefile" \

README.md

@@ -54,6 +54,51 @@ The app offers a variety of settings to customize the behavior of the antivirus.
 
 If you want to self-host the scanning backend, take a look at the [repository of our helm chart](https://github.com/GDATASoftwareAG/vaas-helm).
 
+## Nextcloud Commands
+
+The following commands are available for managing and interacting with the G DATA VaaS app in your Nextcloud instance:
+
+#### `gdatavaas:scan`
+
+- **Description**: Scans files for malware.
+- **Usage**: `php occ gdatavaas:scan`
+- **Docker Usage**: `docker exec --user www-data nextcloud-container php occ gdatavaas:scan`
+- **Details**: This command scans all files in the Nextcloud instance for malware and logs the results.
+
+#### `gdatavaas:get-tags-for-file`
+
+- **Description**: Retrieves tags for a specified file.
+- **Usage**: `php occ gdatavaas:get-tags-for-file <file-path>`
+- **Docker Usage**: `docker exec --user www-data nextcloud-container php occ gdatavaas:get-tags-for-file <file-path>`
+- **Arguments**:
+   - `<file-path>`: The path to the file (e.g., `username/files/filename`).
+- **Details**: This command fetches and logs all tags associated with the specified file.
+
+#### `gdatavaas:remove-tag`
+
+- **Description**: Deletes a specified tag.
+- **Usage**: `php occ gdatavaas:remove-tag <tag-name>`
+- **Docker Usage**: `docker exec --user www-data nextcloud-container php occ gdatavaas:remove-tag <tag-name>`
+- **Arguments**:
+   - `<tag-name>`: The name of the tag to delete.
+- **Details**: This command removes the specified tag from the system. If the tag does not exist, an error is logged.
+
+#### `gdatavaas:tag-unscanned`
+
+- **Description**: Tags all files without a tag from this app as unscanned.
+- **Usage**: `php occ gdatavaas:tag-unscanned`
+- **Docker Usage**: `docker exec --user www-data nextcloud-container php occ gdatavaas:tag-unscanned`
+- **Details**: This command tags all files that have not been tagged by the G DATA VaaS app as "unscanned" and logs the results.
+
+#### `gdatavaas:get-tag-id`
+
+- **Description**: Gets the ID of a specified tag.
+- **Usage**: `php occ gdatavaas:get-tag-id <tag-name>`
+- **Docker Usage**: `docker exec --user www-data nextcloud-container php occ gdatavaas:get-tag-id <tag-name>`
+- **Arguments**:
+   - `<tag-name>`: The name of the tag to get the ID for.
+- **Details**: This command retrieves and logs the ID of the specified tag. If the tag does not exist, an error is logged.
+
 ## Setting up a development environment
 
 Before you start, make sure you have the following tools installed:
@@ -69,23 +114,34 @@ You always need to do this before you start the development environment or copy
 If you copy the app directory manually in your Nextcloud instance you have to rename the folder to ```gdatavaas```. 
 
 ### Windows
-For Windows you can also just start the docker-compose.yaml or the powershell script ```start-dev-environment.ps1```
+For Windows, you can also just start the docker-compose.yaml or the powershell script ```start-dev-environment.ps1```
 
 ### Linux
-* For a quick development environment you can use the provided ```start-dev-environment.sh``` script. Or you use the following steps:
-* Make sure you have docker compose installed
-* Run the following command with bash in the folder where you want your Nextcloud in
-```bash
-git clone https://github.com/juliushaertl/nextcloud-docker-dev
-cd nextcloud-docker-dev
-./bootstrap.sh
-sudo sh -c "echo '127.0.0.1 nextcloud.local' >> /etc/hosts"
-docker-compose up nextcloud proxy
-```
-The command may take a while and starts Nextcloud directly. Nextcloud can then be accessed with your browser at http://nextcloud.local.
+* For a quick lite development environment you can use the provided ```start-dev-environment.sh``` script. Or you use the following steps:
+* Make sure you have the tools mentioned above installed.
+* With the provided ./install.sh script you can install the dependencies and build the node modules.
+
+### `install.sh` Script
+
+The `install.sh` script is used to set up and configure a Nextcloud instance with the G DATA VaaS app and Smtp4Dev. Below is an explanation of the script's features:
+
+1. **Environment Variables in `.env-local`**:
+    - `CLIENT_ID`: Sets the client ID for the G DATA VaaS app.
+    - `CLIENT_SECRET`: Sets the client secret for the G DATA VaaS app.
+
+   If you want to use the ResourceOwnerPasswordFlow you have to set these settings manually in the Nextcloud settings after the installation.
+
+2. **Specify the Nextcloud server version**:
+    - The Nextcloud version defaults to 29.0.6
+    - You can start the `install.sh` script with the desired Nextcloud version as an argument, e.g. `./install.sh 29`
+
+3. **Smtp4Dev**:
+    - Starts a container with the Smtp4Dev tool to capture emails sent by Nextcloud.
+    - The tool is accessible at `http://localhost:8081` and can be used to view emails sent by Nextcloud.
+
+4. **Additional Install Script**:
+    - Sources `install.local` if it exists for any additional installation steps.
 
-In the future, Nextcloud can then be started again by changing to the
-folder "nextcloud-docker-dev" and running ```docker compose up nextcloud proxy```. For more information see the [Nextcloud app development tutorials](https://cloud.nextcloud.com/s/iyNGp8ryWxc7Efa). These steps set up the official Nextcloud Dev Environment. It uses an SQLite databse. If you want to test on a production like instance you can set up a real Nextcloud Server using this [compose file](compose.yaml).
 
 ### Useful commands
 
@@ -96,3 +152,59 @@ folder "nextcloud-docker-dev" and running ```docker compose up nextcloud proxy``
 | Watch logs                | `docker exec --user www-data nextcloud-container php occ log:watch`                                      |
 | Watch raw logs            | `docker exec --user www-data nextcloud-container php occ log:watch --raw \| jq .message`                 |
 | Set log level to debug    | `docker exec --user www-data nextcloud-container php occ log:manage --level DEBUG`                       |
+
+
+## Smtp4Dev
+
+For more information about Smtp4Dev, please refer to the [official README](https://github.com/rnwood/smtp4dev/blob/master/README.md).
+
+
+### Configuring via the command line
+
+In addition to the graphical configuration via the VaaS settings page in Nextcloud, configuration is possible via PHP OCC commands:
+
+```
+# The authentication flow to use (depends on available credentials). Default: ResourceOwnerPassword
+php occ config:app:set gdatavaas authMethod <ResourceOwnerPassword|ClientCredentials>
+
+# Username + Password are used only in ResourceOwnerPassword authMethod
+php occ config:app:set gdatavaas username <string>
+php occ config:app:set gdatavaas password <string>
+
+# ClientID + ClientSecret are used only in ClientCredentials authMethod
+php occ config:app:set gdatavaas clientId <string>
+php occ config:app:set gdatavaas clientSecret <string>
+
+# VaaS server address. Default: wss://gateway.staging.vaas.gdatasecurity.de
+php occ config:app:set gdatavaas vaasUrl <URL>
+# Authentication server. Default: https://account-staging.gdata.de/realms/vaas-staging/protocol/openid-connect/token
+php occ config:app:set gdatavaas tokenEndpoint <URL>
+
+# Name of quarantine folder. Default: Quarantine
+php occ config:app:set gdatavaas quarantineFolder <string>
+# Whether to enable the automatic file scan. Default: false
+php occ config:app:set gdatavaas autoScanFiles <true|false>
+# Whether to add a prefix to malicious files. Default: false
+php occ config:app:set gdatavaas prefixMalicious <true|false>
+# Whether to disable the unscanned tag. Default: false
+php occ config:app:set gdatavaas disableUnscannedTag <true|false>
+# Comma-separated list of files/folders that should be scanned. Default: Empty string (all files)
+php occ config:app:set gdatavaas scanOnlyThis <string>
+# Comma-separated list of files/folders that should **not** be scanned. Default: Empty string (no files excluded)
+php occ config:app:set gdatavaas doNotScanThis <string>
+# Email address to send notifications to, when infected files are uploaded. Default: None
+php occ config:app:set gdatavaas notifyMail <email>
+# Whether to send email notifications on upload, when files are infected. Default: false
+php occ config:app:set gdatavaas sendMailOnVirusUpload <true|false>
+# Whether to send a weekly summary of malicious files to an administrator. Default: false
+php occ config:app:set gdatavaas notifyAdminEnabled <true|false>
+```
+
+You can also install and/or update the app via OCC:
+
+```
+# Install
+php occ app:install gdatavaas
+# Upgrade
+php occ app:update gdatavaas
+```

appinfo/info.xml

@@ -17,9 +17,22 @@
 * ❓ **Use the activity app!** See what happened in your Nextcloud instance
 * ✅ **no additional software required!** The app uses the G DATA Verdict as a Service (VaaS) API to scan files
 
-This app is based on the G DATA Verdict as a Service (VaaS) API. For more information, visit the [G DATA website](https://www.gdata.de/business/security-services/verdict-as-a-service).
-If you have any questions about scanning, usage or similar, please feel free to write an e-mail to vaas@gdata.de.
-	]]></description>
+## Getting started
+
+This app is based on the G DATA Verdict as a Service (VaaS) API. To get started with the app, you have to register via our [registration page](https://account-staging.gdata.de/realms/vaas-staging/login-actions/registration?client_id=landing-page&tab_id=VDSGSP4oQL0).
+
+<img style="display: block; margin: auto; height: 500px;" src="https://raw.githubusercontent.com/GDATASoftwareAG/nextcloud-gdata-antivirus/main/img/vaas-registration.png" />
+
+After the registration you can use these credentials within your nextcloud installation. To do this go to your Administration Settings.
+
+<img style="display: block; margin: auto; height: 500px;" src="https://raw.githubusercontent.com/GDATASoftwareAG/nextcloud-gdata-antivirus/main/img/administration-settings.png" />
+
+There you will find the "Verdict-as-a-Service" section under the "Administration" section.
+
+<img style="display: block; margin: auto; height: 500px;" src="https://raw.githubusercontent.com/GDATASoftwareAG/nextcloud-gdata-antivirus/main/img/verdict-as-a-service-section.png" />
+
+Please make sure the "Authentication Method" "Resource Owner Password Flow" is selected. Now you can put your credentials into the 'username' and 'password' field and click save afterwards.
+]]></description>
     <version>0.0.0</version>
     <licence>agpl</licence>
     <author mail="vaas@gdata.de" homepage="https://www.gdata.de/oem/verdict-as-a-service">Lennart Dohmann</author>
@@ -44,7 +57,7 @@ If you have any questions about scanning, usage or similar, please feel free to
         <command>OCA\GDataVaas\Command\GetTagsForFileCommand</command>
 	</commands>
     <dependencies>
-        <nextcloud min-version="27" max-version="28"/>
+        <nextcloud min-version="28" max-version="28"/>
     </dependencies>
 	<background-jobs>
 		<job>OCA\GDataVaas\BackgroundJobs\ScanJob</job>

compose-install.yaml

@@ -5,22 +5,23 @@ services:
       dockerfile: Dockerfile.Nextcloud
       args:
         - NEXTCLOUD_VERSION=${NEXTCLOUD_VERSION:-29.0.3}
+        - INSTALL_XDEBUG=${INSTALL_XDEBUG:-1}
     environment:
-      - XDEBUG_MODE=${XDEBUG_MODE:-develop}
+      XDEBUG_MODE: ${XDEBUG_MODE:-develop}
     ports:
       - "80:80"
+    privileged: true
+    # cap_add:
+    #   - SYS_PTRACE
+    #   - SYS_ADMIN
+    #   - NET_ADMIN
     container_name: nextcloud-container
     hostname: nextcloud-container
     depends_on:
       - smtp
     restart: unless-stopped
     networks:
       - nextcloud-network
-    healthcheck:
-      test: 'php occ status | grep "installed: false"'
-      interval: 5s
-      timeout: 2s
-      retries: 10
   smtp:
     image: rnwood/smtp4dev:v3
     container_name: smtp
@@ -34,4 +35,4 @@ services:
       - nextcloud-network
 
 networks:
-  nextcloud-network:
+  nextcloud-network: