Merge branch 'stable26' into backport/46013/stable26

Author: artonge

.git-blame-ignore-revs

@@ -0,0 +1,4 @@
+# .git-blame-ignore-revs
+
+# SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+# SPDX-License-Identifier: AGPL-3.0-or-later

.github/workflows/smb-kerberos.yml

@@ -1,42 +1,48 @@
 name: Samba Kerberos SSO
 on:
-  push:
-    branches:
-      - master
-      - stable*
-    paths:
-      - 'apps/files_external/**'
-      - '.github/workflows/smb-kerberos.yml'
   pull_request:
     paths:
       - 'apps/files_external/**'
       - '.github/workflows/smb-kerberos.yml'
 
+concurrency:
+  group: smb-kerberos-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   smb-kerberos-tests:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
 
     if: ${{ github.repository_owner != 'nextcloud-gmbh' }}
 
     name: smb-kerberos-sso
 
     steps:
       - name: Checkout server
-        uses: actions/checkout@v3
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           submodules: true
+      - name: Checkout user_saml
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          repository: nextcloud/user_saml
+          path: apps/user_saml
+          ref: stable-5.2
       - name: Pull images
         run: |
-          docker pull icewind1991/samba-krb-test-dc
-          docker pull icewind1991/samba-krb-test-apache
-          docker pull icewind1991/samba-krb-test-client
+          docker pull ghcr.io/icewind1991/samba-krb-test-dc
+          docker pull ghcr.io/icewind1991/samba-krb-test-apache
+          docker pull ghcr.io/icewind1991/samba-krb-test-client
+          docker tag ghcr.io/icewind1991/samba-krb-test-dc icewind1991/samba-krb-test-dc
+          docker tag ghcr.io/icewind1991/samba-krb-test-apache icewind1991/samba-krb-test-apache
+          docker tag ghcr.io/icewind1991/samba-krb-test-client icewind1991/samba-krb-test-client
       - name: Setup AD-DC
         run: |
-          cp apps/files_external/tests/*.sh .
           mkdir data
           sudo chown -R 33 data apps config
-          DC_IP=$(./start-dc.sh)
-          ./start-apache.sh $DC_IP $PWD
+          DC_IP=$(apps/files_external/tests/start-dc.sh)
+          sleep 1
+          apps/files_external/tests/start-apache.sh $DC_IP $PWD
           echo "DC_IP=$DC_IP" >> $GITHUB_ENV
       - name: Set up Nextcloud
         run: |
@@ -61,14 +67,15 @@ jobs:
           chmod 0777 /tmp/shared/cookies
 
           echo "SAML login"
-          ./client-cmd.sh ${{ env.DC_IP }} curl -c /shared/cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/index.php/apps/user_saml/saml/login
+          apps/files_external/tests/client-cmd.sh ${{ env.DC_IP }} curl -c /shared/cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/index.php/apps/user_saml/saml/login
           echo "Check we are logged in"
-          CONTENT=$(./client-cmd.sh ${{ env.DC_IP }} curl -b /shared/cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/remote.php/webdav/smb/test.txt)
+          CONTENT=$(apps/files_external/tests/client-cmd.sh ${{ env.DC_IP }} curl -b /shared/cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/remote.php/webdav/smb/test.txt)
           CONTENT=$(echo $CONTENT | head -n 1 | tr -d '[:space:]')
           [[ $CONTENT == "testfile" ]]
       - name: Show logs
         if: failure()
         run: |
           docker exec --user 33 apache ./occ log:file
           FILEPATH=$(docker exec --user 33 apache ./occ log:file | grep "Log file:" | cut -d' ' -f3)
+          echo "$FILEPATH:"
           docker exec --user 33 apache cat $FILEPATH

.github/workflows/static-code-analysis.yml

@@ -23,7 +23,7 @@ jobs:
         uses: shivammathur/setup-php@v2
         with:
           php-version: '8.0'
-          extensions: apcu,ctype,curl,dom,fileinfo,ftp,gd,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
+          extensions: apcu,ctype,curl,dom,fileinfo,ftp,gd,imagick,intl,json,ldap,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
           coverage: none
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -57,7 +57,7 @@ jobs:
         uses: shivammathur/setup-php@master
         with:
           php-version: '8.0'
-          extensions: ctype,curl,dom,fileinfo,gd,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
+          extensions: ctype,curl,dom,fileinfo,gd,imagick,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
           coverage: none
 
       - name: Composer install
@@ -85,7 +85,7 @@ jobs:
         uses: shivammathur/setup-php@v2
         with:
           php-version: '8.0'
-          extensions: ctype,curl,dom,fileinfo,gd,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
+          extensions: ctype,curl,dom,fileinfo,gd,imagick,intl,json,mbstring,openssl,pdo_sqlite,posix,sqlite,xml,zip
           coverage: none
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

apps/dav/composer/composer/autoload_classmap.php

@@ -235,7 +235,7 @@
     'OCA\\DAV\\Events\\SubscriptionUpdatedEvent' => $baseDir . '/../lib/Events/SubscriptionUpdatedEvent.php',
     'OCA\\DAV\\Exception\\ServerMaintenanceMode' => $baseDir . '/../lib/Exception/ServerMaintenanceMode.php',
     'OCA\\DAV\\Exception\\UnsupportedLimitOnInitialSyncException' => $baseDir . '/../lib/Exception/UnsupportedLimitOnInitialSyncException.php',
-    'OCA\\DAV\\Files\\BrowserErrorPagePlugin' => $baseDir . '/../lib/Files/BrowserErrorPagePlugin.php',
+    'OCA\\DAV\\Files\\ErrorPagePlugin' => $baseDir . '/../lib/Files/ErrorPagePlugin.php',
     'OCA\\DAV\\Files\\FileSearchBackend' => $baseDir . '/../lib/Files/FileSearchBackend.php',
     'OCA\\DAV\\Files\\FilesHome' => $baseDir . '/../lib/Files/FilesHome.php',
     'OCA\\DAV\\Files\\LazySearchBackend' => $baseDir . '/../lib/Files/LazySearchBackend.php',

apps/dav/composer/composer/autoload_static.php

@@ -250,7 +250,7 @@ class ComposerStaticInitDAV
         'OCA\\DAV\\Events\\SubscriptionUpdatedEvent' => __DIR__ . '/..' . '/../lib/Events/SubscriptionUpdatedEvent.php',
         'OCA\\DAV\\Exception\\ServerMaintenanceMode' => __DIR__ . '/..' . '/../lib/Exception/ServerMaintenanceMode.php',
         'OCA\\DAV\\Exception\\UnsupportedLimitOnInitialSyncException' => __DIR__ . '/..' . '/../lib/Exception/UnsupportedLimitOnInitialSyncException.php',
-        'OCA\\DAV\\Files\\BrowserErrorPagePlugin' => __DIR__ . '/..' . '/../lib/Files/BrowserErrorPagePlugin.php',
+        'OCA\\DAV\\Files\\ErrorPagePlugin' => __DIR__ . '/..' . '/../lib/Files/ErrorPagePlugin.php',
         'OCA\\DAV\\Files\\FileSearchBackend' => __DIR__ . '/..' . '/../lib/Files/FileSearchBackend.php',
         'OCA\\DAV\\Files\\FilesHome' => __DIR__ . '/..' . '/../lib/Files/FilesHome.php',
         'OCA\\DAV\\Files\\LazySearchBackend' => __DIR__ . '/..' . '/../lib/Files/LazySearchBackend.php',

apps/dav/lib/CalDAV/WebcalCaching/RefreshWebcalService.php

@@ -31,18 +31,14 @@
 namespace OCA\DAV\CalDAV\WebcalCaching;
 
 use Exception;
-use GuzzleHttp\HandlerStack;
-use GuzzleHttp\Middleware;
+use GuzzleHttp\RequestOptions;
 use OCA\DAV\CalDAV\CalDavBackend;
 use OCP\Http\Client\IClientService;
 use OCP\Http\Client\LocalServerException;
 use OCP\IConfig;
-use Psr\Http\Message\RequestInterface;
-use Psr\Http\Message\ResponseInterface;
 use Psr\Log\LoggerInterface;
 use Sabre\DAV\Exception\BadRequest;
 use Sabre\DAV\PropPatch;
-use Sabre\DAV\Xml\Property\Href;
 use Sabre\VObject\Component;
 use Sabre\VObject\DateTimeParser;
 use Sabre\VObject\InvalidDataException;
@@ -76,15 +72,15 @@ public function __construct(CalDavBackend $calDavBackend, IClientService $client
 		$this->logger = $logger;
 	}
 
-	public function refreshSubscription(string $principalUri, string $uri) {
+	public function refreshSubscription(string $principalUri, string $uri): void {
 		$subscription = $this->getSubscription($principalUri, $uri);
 		$mutations = [];
 		if (!$subscription) {
 			return;
 		}
 
 		$webcalData = $this->queryWebcalFeed($subscription, $mutations);
-		if (!$webcalData) {
+		if ($webcalData === null) {
 			return;
 		}
 
@@ -127,7 +123,7 @@ public function refreshSubscription(string $principalUri, string $uri) {
 				$calendarData = $vObject->serialize();
 				try {
 					$this->calDavBackend->createCalendarObject($subscription['id'], $objectUri, $calendarData, CalDavBackend::CALENDAR_TYPE_SUBSCRIPTION);
-				} catch (NoInstancesException | BadRequest $ex) {
+				} catch (NoInstancesException|BadRequest $ex) {
 					$this->logger->error('Unable to create calendar object from subscription {subscriptionId}', ['exception' => $ex, 'subscriptionId' => $subscription['id'], 'source' => $subscription['source']]);
 				}
 			}
@@ -139,7 +135,7 @@ public function refreshSubscription(string $principalUri, string $uri) {
 
 			$this->updateSubscription($subscription, $mutations);
 		} catch (ParseException $ex) {
-			$this->logger->error("Subscription {subscriptionId} could not be refreshed due to a parsing error", ['exception' => $ex, 'subscriptionId' => $subscription['id']]);
+			$this->logger->error('Subscription {subscriptionId} could not be refreshed due to a parsing error', ['exception' => $ex, 'subscriptionId' => $subscription['id']]);
 		}
 	}
 
@@ -165,106 +161,81 @@ function ($sub) use ($uri) {
 	 * gets webcal feed from remote server
 	 */
 	private function queryWebcalFeed(array $subscription, array &$mutations): ?string {
-		$client = $this->clientService->newClient();
-
-		$didBreak301Chain = false;
-		$latestLocation = null;
-
-		$handlerStack = HandlerStack::create();
-		$handlerStack->push(Middleware::mapRequest(function (RequestInterface $request) {
-			return $request
-				->withHeader('Accept', 'text/calendar, application/calendar+json, application/calendar+xml')
-				->withHeader('User-Agent', 'Nextcloud Webcal Service');
-		}));
-		$handlerStack->push(Middleware::mapResponse(function (ResponseInterface $response) use (&$didBreak301Chain, &$latestLocation) {
-			if (!$didBreak301Chain) {
-				if ($response->getStatusCode() !== 301) {
-					$didBreak301Chain = true;
-				} else {
-					$latestLocation = $response->getHeader('Location');
-				}
-			}
-			return $response;
-		}));
-
-		$allowLocalAccess = $this->config->getAppValue('dav', 'webcalAllowLocalAccess', 'no');
 		$subscriptionId = $subscription['id'];
 		$url = $this->cleanURL($subscription['source']);
 		if ($url === null) {
 			return null;
 		}
 
-		try {
-			$params = [
-				'allow_redirects' => [
-					'redirects' => 10
-				],
-				'handler' => $handlerStack,
-				'nextcloud' => [
-					'allow_local_address' => $allowLocalAccess === 'yes',
-				]
-			];
-
-			$user = parse_url($subscription['source'], PHP_URL_USER);
-			$pass = parse_url($subscription['source'], PHP_URL_PASS);
-			if ($user !== null && $pass !== null) {
-				$params['auth'] = [$user, $pass];
-			}
-
-			$response = $client->get($url, $params);
-			$body = $response->getBody();
+		$allowLocalAccess = $this->config->getAppValue('dav', 'webcalAllowLocalAccess', 'no');
 
-			if ($latestLocation) {
-				$mutations['{http://calendarserver.org/ns/}source'] = new Href($latestLocation);
-			}
+		$params = [
+			'nextcloud' => [
+				'allow_local_address' => $allowLocalAccess === 'yes',
+			],
+			RequestOptions::HEADERS => [
+				'User-Agent' => 'Nextcloud Webcal Service',
+				'Accept' => 'text/calendar, application/calendar+json, application/calendar+xml',
+			],
+		];
+
+		$user = parse_url($subscription['source'], PHP_URL_USER);
+		$pass = parse_url($subscription['source'], PHP_URL_PASS);
+		if ($user !== null && $pass !== null) {
+			$params[RequestOptions::AUTH] = [$user, $pass];
+		}
 
-			$contentType = $response->getHeader('Content-Type');
-			$contentType = explode(';', $contentType, 2)[0];
-			switch ($contentType) {
-				case 'application/calendar+json':
-					try {
-						$jCalendar = Reader::readJson($body, Reader::OPTION_FORGIVING);
-					} catch (Exception $ex) {
-						// In case of a parsing error return null
-						$this->logger->warning("Subscription $subscriptionId could not be parsed", ['exception' => $ex]);
-						return null;
-					}
-					return $jCalendar->serialize();
-
-				case 'application/calendar+xml':
-					try {
-						$xCalendar = Reader::readXML($body);
-					} catch (Exception $ex) {
-						// In case of a parsing error return null
-						$this->logger->warning("Subscription $subscriptionId could not be parsed", ['exception' => $ex]);
-						return null;
-					}
-					return $xCalendar->serialize();
-
-				case 'text/calendar':
-				default:
-					try {
-						$vCalendar = Reader::read($body);
-					} catch (Exception $ex) {
-						// In case of a parsing error return null
-						$this->logger->warning("Subscription $subscriptionId could not be parsed", ['exception' => $ex]);
-						return null;
-					}
-					return $vCalendar->serialize();
-			}
+		try {
+			$client = $this->clientService->newClient();
+			$response = $client->get($url, $params);
 		} catch (LocalServerException $ex) {
 			$this->logger->warning("Subscription $subscriptionId was not refreshed because it violates local access rules", [
 				'exception' => $ex,
 			]);
-
 			return null;
 		} catch (Exception $ex) {
 			$this->logger->warning("Subscription $subscriptionId could not be refreshed due to a network error", [
 				'exception' => $ex,
 			]);
-
 			return null;
 		}
+
+		$body = $response->getBody();
+
+		$contentType = $response->getHeader('Content-Type');
+		$contentType = explode(';', $contentType, 2)[0];
+		switch ($contentType) {
+			case 'application/calendar+json':
+				try {
+					$jCalendar = Reader::readJson($body, Reader::OPTION_FORGIVING);
+				} catch (Exception $ex) {
+					// In case of a parsing error return null
+					$this->logger->warning("Subscription $subscriptionId could not be parsed", ['exception' => $ex]);
+					return null;
+				}
+				return $jCalendar->serialize();
+
+			case 'application/calendar+xml':
+				try {
+					$xCalendar = Reader::readXML($body);
+				} catch (Exception $ex) {
+					// In case of a parsing error return null
+					$this->logger->warning("Subscription $subscriptionId could not be parsed", ['exception' => $ex]);
+					return null;
+				}
+				return $xCalendar->serialize();
+
+			case 'text/calendar':
+			default:
+				try {
+					$vCalendar = Reader::read($body);
+				} catch (Exception $ex) {
+					// In case of a parsing error return null
+					$this->logger->warning("Subscription $subscriptionId could not be parsed", ['exception' => $ex]);
+					return null;
+				}
+				return $vCalendar->serialize();
+		}
 	}
 
 	/**

apps/dav/lib/Connector/Sabre/Server.php

@@ -43,4 +43,27 @@ public function __construct($treeOrNode = null) {
 		self::$exposeVersion = false;
 		$this->enablePropfindDepthInfinity = true;
 	}
+
+	// Copied from 3rdparty/sabre/dav/lib/DAV/Server.php
+	// Should be them exact same without the exception output.
+	public function start(): void {
+		try {
+			// If nginx (pre-1.2) is used as a proxy server, and SabreDAV as an
+			// origin, we must make sure we send back HTTP/1.0 if this was
+			// requested.
+			// This is mainly because nginx doesn't support Chunked Transfer
+			// Encoding, and this forces the webserver SabreDAV is running on,
+			// to buffer entire responses to calculate Content-Length.
+			$this->httpResponse->setHTTPVersion($this->httpRequest->getHTTPVersion());
+
+			// Setting the base url
+			$this->httpRequest->setBaseUrl($this->getBaseUri());
+			$this->invokeMethod($this->httpRequest, $this->httpResponse);
+		} catch (\Throwable $e) {
+			try {
+				$this->emit('exception', [$e]);
+			} catch (\Exception $ignore) {
+			}
+		}
+	}
 }

apps/dav/lib/Connector/Sabre/ServerFactory.php

@@ -34,7 +34,7 @@
 use OCP\Files\Folder;
 use OCA\DAV\AppInfo\PluginManager;
 use OCA\DAV\DAV\ViewOnlyPlugin;
-use OCA\DAV\Files\BrowserErrorPagePlugin;
+use OCA\DAV\Files\ErrorPagePlugin;
 use OCP\Files\Mount\IMountManager;
 use OCP\IConfig;
 use OCP\IDBConnection;
@@ -120,9 +120,7 @@ public function createServer(string $baseUri,
 			$server->addPlugin(new \OCA\DAV\Connector\Sabre\FakeLockerPlugin());
 		}
 
-		if (BrowserErrorPagePlugin::isBrowserRequest($this->request)) {
-			$server->addPlugin(new BrowserErrorPagePlugin());
-		}
+		$server->addPlugin(new ErrorPagePlugin($this->request, $this->config));
 
 		// wait with registering these until auth is handled and the filesystem is setup
 		$server->on('beforeMethod:*', function () use ($server, $objectTree, $viewCallBack) {