Let the Nextcloud-Container trust custom CAs (e.g. for using LDAPS) 2

Signed-off-by: Lorenzo Marroccoli <lollo0296@gmail.com>
Signed-off-by: szaimen <szaimen@e.mail.de>
Co-Authored-By: Simon L. <szaimen@e.mail.de>
This commit is contained in:
Lorenzo Marroccoli 2022-08-31 22:50:19 +02:00 committed by szaimen
parent bfcbc41141
commit 935d4aab11
10 changed files with 48 additions and 1 deletions

@ -161,6 +161,14 @@ It is set to '$DOCKER_SOCKET_PATH'."
exit 1
fi
fi
if [ -n "$TRUSTED_CACERTS_DIR" ]; then
if ! echo "$TRUSTED_CACERTS_DIR" | grep -q "^/" || echo "$TRUSTED_CACERTS_DIR" | grep -q "/$"; then
echo "You've set TRUSTED_CACERTS_DIR but not to an allowed value.
It should be an absolute path to a directory that starts with '/' but not end with '/'.
It is set to '$TRUSTED_CACERTS_DIR '."
exit 1
fi
fi
# Check DNS resolution
# Prevents issues like https://github.com/nextcloud/all-in-one/discussions/565
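
Review bot: The error message in the new TRUSTED_CACERTS_DIR block prints the value as `'$TRUSTED_CACERTS_DIR '`, with a space before the closing quote, so a user hunting for a stray trailing character sees one that is not in their input; drop the space. The check itself only tests the shape of the string (leading `/`, no trailing `/`), while the README text added in this commit also requires an existing directory and warns that pointing at a file may break things, so the message should say that existence is not verified here, or that check should be added where the host path is visible. The wording "but not end with" should read "and does not end with".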

@ -22,6 +22,12 @@ if [ -f "/var/www/html/config/config.php" ]; then
# sed -i "s|'dbpassword'.*=>.*$|'dbpassword' => '$POSTGRES_PASSWORD',|" /var/www/html/config/config.php
fi
# Trust additional Cacerts, if the user provided $TRUSTED_CACERTS_DIR
if [ -n "$TRUSTED_CACERTS_DIR" ]; then
echo "User required to trust additional CA certificates, running 'update-ca-certificates."
update-ca-certificates
fi
# Run original entrypoint
if ! bash /entrypoint.sh; then
exit 1
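
Review bot: The exit status of `update-ca-certificates` is ignored in the new block, so a failed trust-store update still lets the container start and the problem only surfaces later as a TLS error, for example on the LDAPS connection this feature exists for. Check it the same way the following `bash /entrypoint.sh` call is checked, and exit or at least log on failure. The echo text also has an unbalanced quote: `'update-ca-certificates.` should be `'update-ca-certificates'.`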

@ -26,6 +26,7 @@ services:
# - DISABLE_BACKUP_SECTION=true # Setting this to true allows to hide the backup section in the AIO interface.
# - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
# - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
# - TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-(ca)
# # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
# # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
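
Review bot: The comment on the added `TRUSTED_CACERTS_DIR` line links to the anchor `#how-to-trust-user-defiend-certification-authorities-(ca)`, which copies the "defiend" typo from the README heading added in this commit. Fix the heading to "user-defined" and update this link in the same change, otherwise correcting the heading later breaks the link. On the same line, "nexcloud" should be "Nextcloud" and "See See" is doubled.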

@ -64,6 +64,7 @@ sed -i 's|NEXTCLOUD_DATADIR=|NEXTCLOUD_DATADIR=nextcloud_aio_nextcloud_data
sed -i 's|NEXTCLOUD_MOUNT=|NEXTCLOUD_MOUNT=/mnt/ # This allows the Nextcloud container to access directories on the host. It must never be equal to the value of NEXTCLOUD_DATADIR!|' sample.conf
sed -i 's|NEXTCLOUD_UPLOAD_LIMIT=|NEXTCLOUD_UPLOAD_LIMIT=10G # This allows to change the upload limit of the Nextcloud container|' sample.conf
sed -i 's|NEXTCLOUD_MAX_TIME=|NEXTCLOUD_MAX_TIME=3600 # This allows to change the upload time limit of the Nextcloud container|' sample.conf
sed -i 's|TRUSTED_CACERTS_DIR=|TRUSTED_CACERTS_DIR=/path/to/my/cacerts # Nextcloud container will trust all the Certification Authorities, whose certificates are included in the given directory.|' sample.conf
sed -i 's|UPDATE_NEXTCLOUD_APPS=|UPDATE_NEXTCLOUD_APPS=no # When setting to yes, it will automatically update all installed Nextcloud apps upon container startup on saturdays.|' sample.conf
sed -i 's|APACHE_PORT=|APACHE_PORT=443 # Changing this to a different value than 443 will allow you to run it behind a reverse proxy.|' sample.conf
sed -i 's|TALK_PORT=|TALK_PORT=3478 # This allows to adjust the port that the talk container is using.|' sample.conf
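
Review bot: The added sed line writes the placeholder `/path/to/my/cacerts` into sample.conf as a live value rather than an empty one. That string passes the start script's format check (absolute, no trailing `/`), so if sample.conf is used as is, the CA mount is enabled against a path nobody chose. Suggest leaving `TRUSTED_CACERTS_DIR=` empty in sample.conf and keeping the example path only in the trailing comment.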

@ -112,6 +112,11 @@
"name": "%NEXTCLOUD_MOUNT%",
"location": "%NEXTCLOUD_MOUNT%",
"writeable": true
},
{
"name": "%TRUSTED_CACERTS_DIR%",
"location": "/usr/local/share/ca-certificates",
"writeable": false
}
],
"environmentVariables": [
@ -148,7 +153,8 @@
"PHP_UPLOAD_LIMIT=%NEXTCLOUD_UPLOAD_LIMIT%",
"FULLTEXTSEARCH_ENABLED=%FULLTEXTSEARCH_ENABLED%",
"FULLTEXTSEARCH_HOST=nextcloud-aio-fulltextsearch",
"PHP_MAX_TIME=%NEXTCLOUD_MAX_TIME%"
"PHP_MAX_TIME=%NEXTCLOUD_MAX_TIME%",
"TRUSTED_CACERTS_DIR=%TRUSTED_CACERTS_DIR%"
],
"maxShutdownTime": 10,
"restartPolicy": "unless-stopped"

@ -120,6 +120,11 @@ class ContainerDefinitionFetcher
if($value['name'] === '') {
continue;
}
} elseif ($value['name'] === '%TRUSTED_CACERTS_DIR%') {
$value['name'] = $this->configurationManager->GetTrustedCacertsDir();
if($value['name'] === '') {
continue;
}
}
if ($value['location'] === '%NEXTCLOUD_MOUNT%') {
$value['location'] = $this->configurationManager->GetNextcloudMount();

@ -538,6 +538,13 @@ class ConfigurationManager
return $this->GetEnvironmentalVariableOrConfig($envVariableName, $configName, $defaultValue);
}
public function GetTrustedCacertsDir() : string {
$envVariableName = 'TRUSTED_CACERTS_DIR';
$configName = 'trusted_cacerts_dir';
$defaultValue = '';
return $this->GetEnvironmentalVariableOrConfig($envVariableName, $configName, $defaultValue);
}
/**
* @throws InvalidSettingConfigurationException
*/
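
Review bot: `GetTrustedCacertsDir()` falls back to the `trusted_cacerts_dir` config entry through `GetEnvironmentalVariableOrConfig`, and a value arriving that way never passes the absolute-path check that the start script applies to the environment variable. Since ContainerDefinitionFetcher uses the result as the volume `name` for the `/usr/local/share/ca-certificates` mount, validate it in PHP as well before use: a non-empty value must start with `/` and must not end with `/`. A short docblock stating that an empty string means "feature disabled" would also help, since the caller relies on that.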

@ -314,6 +314,8 @@ class DockerActionManager
$replacements[1] = $this->configurationManager->GetNextcloudUploadLimit();
} elseif ($out[1] === 'NEXTCLOUD_MAX_TIME') {
$replacements[1] = $this->configurationManager->GetNextcloudMaxTime();
} elseif ($out[1] === 'TRUSTED_CACERTS_DIR') {
$replacements[1] = $this->configurationManager->GetTrustedCacertsDir();
} elseif ($out[1] === 'ADDITIONAL_DIRECTORIES_BACKUP') {
if ($this->configurationManager->GetAdditionalBackupDirectoriesString() !== '') {
$replacements[1] = 'yes';

@ -490,3 +490,12 @@ What are the requirements?
3. The feature that gets added into Nextcloud by adding the container must be maintained by the Nextcloud GmbH.
4. It must be possible to run the container without big quirks inside docker containers. Big quirks means e.g. needing to change the capabilities or security options.
5. The container should not mount directories from the host into the container: only docker volumes should be used.
### How to trust user-defiend Certification Authorities (CA)?
For some applications it might be necessary to enstablish a secured connection to a host / server which is using a certificated issued by a Certification Authority that is not trusted out of the box. An example could be configuring LDAPS against the Domain Controller (ActiveDirectory) of an organization
You can make the Nextcloud container trust any Certification Authority by providing the environmental variable `TRUSTED_CACERTS_DIR` when starting the AIO-mastercontainer. The value of the variables should be set to the absolute path to a directory on the host, which contains one or more Certification Authority's certificate. You should use X.509 certificates, Base64 encoded. (Other formats may work but have not been tested!) All the certificates in the directory will be trusted.
When using `docker run`, the environmental variable can be set with `-e TRUSTED_CACERTS_DIR=/path/to/my/cacerts`.
In order for the value to be valid, the path should start with `/` and not end with '/' and point to an existing **directory**. Pointing the variable directly to a certificate **file** will not work and may also break things.
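
Review bot: The new README section should state the scope of the trust change: every certificate in the directory is added to the OS trust store of the Nextcloud container, so those CAs are trusted by anything in the container that uses that store, not only by the LDAPS connection given as the example. Add a sentence recommending that the directory contain only the CA certificates actually needed and be writable only by the administrator. Wording: the heading reads "user-defiend" (and that spelling is already baked into the anchor links elsewhere in this commit), "enstablish" should be "establish", "a certificated issued" should be "a certificate issued", the first paragraph lacks its closing period, and `'/'` should use backticks like the `/` before it.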

@ -11,5 +11,7 @@
- [ ] When starting the mastercontainer with `-e NEXTCLOUD_MAX_TIME=4000` it should change Nextclouds upload max time 4000s. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud for allowed values.
- [ ] When starting the mastercontainer with `-e DOCKER_SOCKET_PATH="/var/run/docker.sock.raw"` it should map `/var/run/docker.sock.raw` to `/var/run/docker.sock` inside the watchtower container which allow to update the mastercontainer on macos and with docker rootless.
- [ ] When starting the mastercontainer with `-e DISABLE_BACKUP_SECTION=true` it should hide the backup section that gets shown after AIO is set up (everything of [020-backup-and-restore](./020-backup-and-restore.md)) and simply show that the backup section is disabled.
- [ ] When starting the mastercontainer with `-e TRUSTED_CACERTS_DIR=/path/to/my/cacerts`, the resulting nextcloud container should trust all the Certification Authorities, whose certificates are included in the directory `/path/to/my/cacerts` on the host.
See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-(ca)
You can now continue with [070-timezone-change.md](./070-timezone-change.md)
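
Review bot: The new checklist item gives the tester nothing concrete to observe: "should trust all the Certification Authorities" needs a verification step, such as connecting from the Nextcloud container to a host whose certificate was issued by one of the CAs in the directory. It also leaves out the rejection path, so add items for a relative path and for a path ending in `/`, both of which the start script is expected to refuse with exit 1. The link repeats the "user-defiend" anchor and needs updating once the README heading is corrected.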