SystemConfig.php 5.2 KB

  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  5. * SPDX-License-Identifier: AGPL-3.0-only
  6. */
  7. namespace OC;
  8. use OCP\IConfig;
  9. /**
  10. * Class which provides access to the system config values stored in config.php
  11. * Internal class for bootstrap only.
  12. * fixes cyclic DI: AllConfig needs AppConfig needs Database needs AllConfig
  13. */
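  class SystemConfig {
      /**
       * Redaction spec consulted by getFilteredValue().
       *
       * Each top-level entry is keyed by a system config key. A value of `true`
       * means the whole config value is replaced by IConfig::SENSITIVE_VALUE; a
       * nested array mirrors the structure of the config value and marks only the
       * listed sub-keys for redaction.
       *
       * This is a list of known-sensitive keys: a config key that is not listed
       * here is returned by getFilteredValue() exactly as stored.
       *
       * @var array<string, true|array>
       */
      protected $sensitiveValues = [
          'instanceid' => true,
          'datadirectory' => true,
          'dbname' => true,
          'dbhost' => true,
          'dbpassword' => true,
          'dbuser' => true,
          'dbreplica' => true,
          'activity_dbname' => true,
          'activity_dbhost' => true,
          'activity_dbpassword' => true,
          'activity_dbuser' => true,
          'mail_from_address' => true,
          'mail_domain' => true,
          'mail_smtphost' => true,
          'mail_smtpname' => true,
          'mail_smtppassword' => true,
          'passwordsalt' => true,
          'secret' => true,
          'updater.secret' => true,
          'updater.server.url' => true,
          'trusted_proxies' => true,
          'preview_imaginary_url' => true,
          'preview_imaginary_key' => true,
          'proxyuserpwd' => true,
          'sentry.dsn' => true,
          'sentry.public-dsn' => true,
          'zammad.download.secret' => true,
          'zammad.portal.secret' => true,
          'zammad.secret' => true,
          'github.client_id' => true,
          'github.client_secret' => true,
          'log.condition' => [
              'shared_secret' => true,
              'matches' => true,
          ],
          'license-key' => true,
          'redis' => [
              'host' => true,
              'password' => true,
          ],
          'redis.cluster' => [
              'seeds' => true,
              'password' => true,
          ],
          'objectstore' => [
              'arguments' => [
                  // Legacy Swift (https://github.com/nextcloud/server/pull/17696#discussion_r341302207)
                  'options' => [
                      'credentials' => [
                          'key' => true,
                          'secret' => true,
                      ],
                  ],
                  // S3
                  'key' => true,
                  'secret' => true,
                  // Swift v2
                  'username' => true,
                  'password' => true,
                  // Swift v3
                  'user' => [
                      'name' => true,
                      'password' => true,
                  ],
              ],
          ],
          'objectstore_multibucket' => [
              'arguments' => [
                  'options' => [
                      'credentials' => [
                          'key' => true,
                          'secret' => true,
                      ],
                  ],
                  // S3
                  'key' => true,
                  'secret' => true,
                  // Swift v2
                  'username' => true,
                  'password' => true,
                  // Swift v3
                  'user' => [
                      'name' => true,
                      'password' => true,
                  ],
              ],
          ],
          'onlyoffice' => [
              'jwt_secret' => true,
          ],
          'PASS' => true,
      ];

      /**
       * @param Config $config backing store that every read and write below is delegated to
       */
      public function __construct(
          private Config $config,
      ) {
      }

      /**
       * Since system config is admin controlled, we can tell psalm to ignore any taint
       *
       * The method returns its argument unchanged: it performs no validation or
       * escaping at runtime. The annotations below only stop Psalm's taint analysis
       * from flagging the value in the listed sink categories.
       *
       * @psalm-taint-escape sql
       * @psalm-taint-escape html
       * @psalm-taint-escape ldap
       * @psalm-taint-escape callable
       * @psalm-taint-escape file
       * @psalm-taint-escape ssrf
       * @psalm-taint-escape cookie
       * @psalm-taint-escape header
       * @psalm-taint-escape has_quotes
       * @psalm-pure
       */
      public static function trustSystemConfig(mixed $value): mixed {
          return $value;
      }

      /**
       * Lists all available config keys
       *
       * @return array an array of key names
       */
      public function getKeys() {
          return $this->config->getKeys();
      }

      /**
       * Sets a new system wide value
       *
       * @param string $key the key of the value, under which will be saved
       * @param mixed $value the value that should be stored
       */
      public function setValue($key, $value) {
          $this->config->setValue($key, $value);
      }

      /**
       * Sets and deletes values and writes the config.php
       *
       * @param array $configs Associative array with `key => value` pairs
       *                       If value is null, the config key will be deleted
       */
      public function setValues(array $configs) {
          $this->config->setValues($configs);
      }

      /**
       * Looks up a system wide defined value
       *
       * The value is returned unfiltered, so secrets such as `dbpassword` come back
       * in clear text; use getFilteredValue() when the result is going to be
       * displayed, logged or exported.
       *
       * @param string $key the key of the value, under which it was saved
       * @param mixed $default the default value to be returned if the value isn't set
       * @return mixed the value or $default
       */
      public function getValue($key, $default = '') {
          // trustSystemConfig() is static; `static::` keeps the late binding that
          // the previous `$this->` call had while making the static call explicit.
          return static::trustSystemConfig($this->config->getValue($key, $default));
      }

      /**
       * Looks up a system wide defined value and filters out sensitive data
       *
       * Redaction is driven solely by $sensitiveValues: if $key has no entry
       * there, the value is returned exactly as getValue() produced it.
       *
       * @param string $key the key of the value, under which it was saved
       * @param mixed $default the default value to be returned if the value isn't set
       * @return mixed the value or $default, with listed parts replaced by IConfig::SENSITIVE_VALUE
       */
      public function getFilteredValue($key, $default = '') {
          $value = $this->getValue($key, $default);
          if (!isset($this->sensitiveValues[$key])) {
              return $value;
          }
          return $this->removeSensitiveValue($this->sensitiveValues[$key], $value);
      }

      /**
       * Delete a system wide defined value
       *
       * @param string $key the key of the value, under which it was saved
       */
      public function deleteValue($key) {
          $this->config->deleteKey($key);
      }

      /**
       * Applies a redaction spec to a config value.
       *
       * `true` replaces the whole value with IConfig::SENSITIVE_VALUE. An array
       * spec is applied recursively to the matching keys of an array value; keys
       * that are absent from the value (or null, since isset() is used) are left
       * alone. Any other spec leaves the value untouched.
       *
       * NOTE(review): when the spec is a nested array but the stored value is not
       * an array (e.g. a scalar configured where a structure is expected), the
       * value is returned unredacted. Confirm that this is intended for callers
       * that publish the filtered output.
       *
       * @param bool|array $keysToRemove
       * @param mixed $value
       * @return mixed
       */
      protected function removeSensitiveValue($keysToRemove, $value) {
          if ($keysToRemove === true) {
              return IConfig::SENSITIVE_VALUE;
          }

          // Only an array spec can be walked; `false` is allowed by the declared
          // bool|array type and must not reach foreach, which would raise a warning.
          if (!is_array($keysToRemove) || !is_array($value)) {
              return $value;
          }

          foreach ($keysToRemove as $keyToRemove => $valueToRemove) {
              if (isset($value[$keyToRemove])) {
                  $value[$keyToRemove] = $this->removeSensitiveValue($valueToRemove, $value[$keyToRemove]);
              }
          }

          return $value;
      }
  }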