Merge pull request #190646 from Ma27/bump-nextcloud
commit
f0f614616f
@ -47,9 +47,8 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.redis = {
|
services.redis.servers."nextcloud".enable = true;
|
||||||
enable = true;
|
services.redis.servers."nextcloud".port = 6379;
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.nextcloud-setup= {
|
systemd.services.nextcloud-setup= {
|
||||||
requires = ["postgresql.service"];
|
requires = ["postgresql.service"];
|
||||||
|
|
|
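Review bot: The new `services.redis.servers."nextcloud".port = 6379;` line enables a TCP listener for the named redis server without a comment saying why the port is needed; in the NixOS redis module a named server's `port` appears to default to 0 (unix socket only), so the explicit port reads like an arbitrary choice rather than a requirement of the nextcloud cache settings configured elsewhere in this test. I would add `# nextcloud's redis cache in this test connects over TCP, so give the named server a port (named servers default to socket-only)` above the `.port` line. The same change appears in the `@ -37,9 +37,8 @@` hunk below. Since no `requirePass` is set, the listener presumably relies on the module's default `bind` address staying on loopback — worth confirming rather than assuming. The enclosing `in {` attribute set starts and ends outside the hunk.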
@ -37,9 +37,8 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.redis = {
|
services.redis.servers."nextcloud".enable = true;
|
||||||
enable = true;
|
services.redis.servers."nextcloud".port = 6379;
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.nextcloud-setup= {
|
systemd.services.nextcloud-setup= {
|
||||||
requires = ["postgresql.service"];
|
requires = ["postgresql.service"];
|
||||||
|
|
|
@ -0,0 +1,135 @@
|
||||||
|
From 045f33745f863ba20acfc3fe335c575d9cd87884 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Maximilian Bosch <maximilian@mbosch.me>
|
||||||
|
Date: Sat, 10 Sep 2022 15:18:05 +0200
|
||||||
|
Subject: [PATCH] Setup: remove custom dbuser creation behavior
|
||||||
|
|
||||||
|
Both PostgreSQL and MySQL can be authenticated against from Nextcloud by
|
||||||
|
supplying a database password. Now, during setup the following things
|
||||||
|
happen:
|
||||||
|
|
||||||
|
* When using postgres and the db user has elevated permissions, a new
|
||||||
|
unprivileged db user is created and the settings `dbuser`/`dbpass` are
|
||||||
|
altered in `config.php`.
|
||||||
|
|
||||||
|
* When using MySQL, the password is **always** regenerated since
|
||||||
|
24.0.5/23.0.9[1].
|
||||||
|
|
||||||
|
I consider both cases problematic: the reason why people do configuration
|
||||||
|
management is to have it as single source of truth! So, IMHO any
|
||||||
|
application that silently alters config and thus causes deployed
|
||||||
|
nodes to diverge from the configuration is harmful for that.
|
||||||
|
|
||||||
|
I guess it was sheer luck that it worked for so long in NixOS because
|
||||||
|
nobody has apparently used password authentication with a privileged
|
||||||
|
user to operate Nextcloud (which is a good thing in fact).
|
||||||
|
|
||||||
|
[1] https://github.com/nextcloud/server/pull/33513
|
||||||
|
---
|
||||||
|
lib/private/Setup/MySQL.php | 53 --------------------------------
|
||||||
|
lib/private/Setup/PostgreSQL.php | 26 ----------------
|
||||||
|
2 files changed, 79 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/private/Setup/MySQL.php b/lib/private/Setup/MySQL.php
|
||||||
|
index 2c16cac3d2..9b2265091f 100644
|
||||||
|
--- a/lib/private/Setup/MySQL.php
|
||||||
|
+++ b/lib/private/Setup/MySQL.php
|
||||||
|
@@ -142,59 +142,6 @@ class MySQL extends AbstractDatabase {
|
||||||
|
$rootUser = $this->dbUser;
|
||||||
|
$rootPassword = $this->dbPassword;
|
||||||
|
|
||||||
|
- //create a random password so we don't need to store the admin password in the config file
|
||||||
|
- $saveSymbols = str_replace(['\"', '\\', '\'', '`'], '', ISecureRandom::CHAR_SYMBOLS);
|
||||||
|
- $password = $this->random->generate(22, ISecureRandom::CHAR_ALPHANUMERIC . $saveSymbols)
|
||||||
|
- . $this->random->generate(2, ISecureRandom::CHAR_UPPER)
|
||||||
|
- . $this->random->generate(2, ISecureRandom::CHAR_LOWER)
|
||||||
|
- . $this->random->generate(2, ISecureRandom::CHAR_DIGITS)
|
||||||
|
- . $this->random->generate(2, $saveSymbols)
|
||||||
|
- ;
|
||||||
|
- $this->dbPassword = str_shuffle($password);
|
||||||
|
-
|
||||||
|
- try {
|
||||||
|
- //user already specified in config
|
||||||
|
- $oldUser = $this->config->getValue('dbuser', false);
|
||||||
|
-
|
||||||
|
- //we don't have a dbuser specified in config
|
||||||
|
- if ($this->dbUser !== $oldUser) {
|
||||||
|
- //add prefix to the admin username to prevent collisions
|
||||||
|
- $adminUser = substr('oc_' . $username, 0, 16);
|
||||||
|
-
|
||||||
|
- $i = 1;
|
||||||
|
- while (true) {
|
||||||
|
- //this should be enough to check for admin rights in mysql
|
||||||
|
- $query = 'SELECT user FROM mysql.user WHERE user=?';
|
||||||
|
- $result = $connection->executeQuery($query, [$adminUser]);
|
||||||
|
-
|
||||||
|
- //current dbuser has admin rights
|
||||||
|
- $data = $result->fetchAll();
|
||||||
|
- $result->closeCursor();
|
||||||
|
- //new dbuser does not exist
|
||||||
|
- if (count($data) === 0) {
|
||||||
|
- //use the admin login data for the new database user
|
||||||
|
- $this->dbUser = $adminUser;
|
||||||
|
- $this->createDBUser($connection);
|
||||||
|
-
|
||||||
|
- break;
|
||||||
|
- } else {
|
||||||
|
- //repeat with different username
|
||||||
|
- $length = strlen((string)$i);
|
||||||
|
- $adminUser = substr('oc_' . $username, 0, 16 - $length) . $i;
|
||||||
|
- $i++;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- } catch (\Exception $ex) {
|
||||||
|
- $this->logger->info('Can not create a new MySQL user, will continue with the provided user.', [
|
||||||
|
- 'exception' => $ex,
|
||||||
|
- 'app' => 'mysql.setup',
|
||||||
|
- ]);
|
||||||
|
- // Restore the original credentials
|
||||||
|
- $this->dbUser = $rootUser;
|
||||||
|
- $this->dbPassword = $rootPassword;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
$this->config->setValues([
|
||||||
|
'dbuser' => $this->dbUser,
|
||||||
|
'dbpassword' => $this->dbPassword,
|
||||||
|
diff --git a/lib/private/Setup/PostgreSQL.php b/lib/private/Setup/PostgreSQL.php
|
||||||
|
index bc24909dc3..e49e5508e1 100644
|
||||||
|
--- a/lib/private/Setup/PostgreSQL.php
|
||||||
|
+++ b/lib/private/Setup/PostgreSQL.php
|
||||||
|
@@ -45,32 +45,6 @@ class PostgreSQL extends AbstractDatabase {
|
||||||
|
$connection = $this->connect([
|
||||||
|
'dbname' => 'postgres'
|
||||||
|
]);
|
||||||
|
- //check for roles creation rights in postgresql
|
||||||
|
- $builder = $connection->getQueryBuilder();
|
||||||
|
- $builder->automaticTablePrefix(false);
|
||||||
|
- $query = $builder
|
||||||
|
- ->select('rolname')
|
||||||
|
- ->from('pg_roles')
|
||||||
|
- ->where($builder->expr()->eq('rolcreaterole', new Literal('TRUE')))
|
||||||
|
- ->andWhere($builder->expr()->eq('rolname', $builder->createNamedParameter($this->dbUser)));
|
||||||
|
-
|
||||||
|
- try {
|
||||||
|
- $result = $query->execute();
|
||||||
|
- $canCreateRoles = $result->rowCount() > 0;
|
||||||
|
- } catch (DatabaseException $e) {
|
||||||
|
- $canCreateRoles = false;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if ($canCreateRoles) {
|
||||||
|
- //use the admin login data for the new database user
|
||||||
|
-
|
||||||
|
- //add prefix to the postgresql user name to prevent collisions
|
||||||
|
- $this->dbUser = 'oc_' . strtolower($username);
|
||||||
|
- //create a new password so we don't need to store the admin config in the config file
|
||||||
|
- $this->dbPassword = \OC::$server->getSecureRandom()->generate(30, ISecureRandom::CHAR_ALPHANUMERIC);
|
||||||
|
-
|
||||||
|
- $this->createDBUser($connection);
|
||||||
|
- }
|
||||||
|
|
||||||
|
$this->config->setValues([
|
||||||
|
'dbuser' => $this->dbUser,
|
||||||
|
--
|
||||||
|
2.36.2
|
||||||
|
|
|
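Review bot: In the added patch's MySQL.php hunk, the context lines `$rootUser = $this->dbUser;` and `$rootPassword = $this->dbPassword;` are kept, but their only readers were in the removed catch block (`$this->dbUser = $rootUser;` / `$this->dbPassword = $rootPassword;`), so the patch leaves two dead locals behind; I would extend the patch to drop both assignments. The same is likely true of the `ISecureRandom` usage in MySQL.php and the `Literal`, `DatabaseException` and `ISecureRandom` references in PostgreSQL.php, whose `use` lines are outside the hunks — confirm they have no remaining users before removing them. With the patch applied, whatever `dbuser`/`dbpassword` the setup receives is written to config.php unchanged (the `$this->config->setValues([...])` context lines in both hunks), so the single-source-of-truth intent only holds if the configured database user is itself unprivileged; one sentence stating that expectation in the patch description would help whoever re-evaluates the patch at the next upstream bump. Both modified methods start and end outside the hunks.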
@ -13,6 +13,8 @@ let
|
||||||
inherit sha256;
|
inherit sha256;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
patches = [ ./0001-Setup-remove-custom-dbuser-creation-behavior.patch ];
|
||||||
|
|
||||||
passthru.tests = nixosTests.nextcloud;
|
passthru.tests = nixosTests.nextcloud;
|
||||||
|
|
||||||
installPhase = ''
|
installPhase = ''
|
||||||
|
@ -46,13 +48,13 @@ in {
|
||||||
'';
|
'';
|
||||||
|
|
||||||
nextcloud23 = generic {
|
nextcloud23 = generic {
|
||||||
version = "23.0.8";
|
version = "23.0.9";
|
||||||
sha256 = "ac3d042253399be25a2aa01c799dec75a1459b6ae453874414f6528cc2ee5061";
|
sha256 = "sha256-Ysxapp8IpRcRBC3CRM4yxoGYCuedAVURT3FhDD4jNBY=";
|
||||||
};
|
};
|
||||||
|
|
||||||
nextcloud24 = generic {
|
nextcloud24 = generic {
|
||||||
version = "24.0.4";
|
version = "24.0.5";
|
||||||
sha256 = "d107426f8e1c193db882a04c844f9bc7e7eeb7c21e46c46197e5154d6d6ac28e";
|
sha256 = "sha256-sieIN3zLk5Hn+eztP2mpI2Zprqqy4OpSUKc+318e8CY=";
|
||||||
};
|
};
|
||||||
|
|
||||||
# tip: get the sha with:
|
# tip: get the sha with:
|
||||||
|
|
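Review bot: The added `patches = [ ./0001-Setup-remove-custom-dbuser-creation-behavior.patch ];` line in the `@ -13,6 +13,8 @@ let` hunk sits in the shared `generic` function, so every version built through it (23.0.9 and 24.0.5 in the second hunk) gets the patch unconditionally, yet nothing at this site says why nixpkgs diverges from upstream or when the patch can be dropped. I would add a short comment above the line, e.g. `# upstream setup rewrites dbuser/dbpassword in config.php; keep the configured credentials as the single source of truth (see patch description)`. The enclosing `generic` function starts and ends outside the hunk.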