refactor(nextcloud): extract inline OAuth2 client PHP into standalone script
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/b35a7dbb-ff0a-483c-9bc7-1cf43a192e92 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
This commit is contained in:
committed by
GitHub
parent
8925baf12f
commit
e1b13cda63
@@ -263,6 +263,8 @@ RUN set -ex; \
|
||||
mkdir -p /nc-updater; \
|
||||
chmod -R 777 /nc-updater
|
||||
|
||||
COPY --chmod=775 Containers/nextcloud/create-oauth2-client.php /create-oauth2-client.php
|
||||
|
||||
# hadolint ignore=DL3002
|
||||
USER root
|
||||
ENTRYPOINT ["/start.sh"]
|
||||
|
||||
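--- /dev/null
+++ b/Containers/nextcloud/create-oauth2-client.php
@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Creates a Nextcloud OAuth2 client and prints its credentials to stdout.
+ *
+ * Usage: php create-oauth2-client.php <name> <redirect-uri>
+ *
+ * Output (two lines):
+ * <client_id>
+ * <client_secret>
+ *
+ * Any existing client with the same name is deleted first so that the
+ * operation is idempotent (stale clients whose secret has been lost are
+ * replaced by a fresh one).
+ */
+
+if ($argc !== 3) {
+    fwrite(STDERR, "Usage: php create-oauth2-client.php <name> <redirect-uri>\n");
+    exit(1);
+}
+
+$name = $argv[1];
+$redirectUri = $argv[2];
+
+define('OC_CONSOLE', 1);
+require_once '/var/www/html/lib/base.php';
+
+\OC_App::loadApp('oauth2');
+
+$container = \OC::getContainer();
+/** @var \OCA\OAuth2\Db\ClientMapper $mapper */
+$mapper = $container->get(\OCA\OAuth2\Db\ClientMapper::class);
+/** @var \OCP\Security\ICrypto $crypto */
+$crypto = $container->get(\OCP\Security\ICrypto::class);
+/** @var \OCP\Security\ISecureRandom $random */
+$random = $container->get(\OCP\Security\ISecureRandom::class);
+
+// Delete any stale client with the same name that might have lost its secret.
+foreach ($mapper->getClients() as $existing) {
+    if ($existing->getName() === $name) {
+        $mapper->delete($existing);
+    }
+}
+
+$client = new \OCA\OAuth2\Db\Client();
+$client->setName($name);
+$client->setRedirectUri($redirectUri);
+
+$secret = $random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
+$client->setSecret(bin2hex($crypto->calculateHMAC($secret)));
+
+$clientId = $random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
+$client->setClientIdentifier($clientId);
+
+$mapper->insert($client);
+
+echo $clientId . "\n";
+echo $secret . "\n";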
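Review bot: The stale-client loop (`foreach ($mapper->getClients() as $existing)`) removes only the client row; nothing in this script touches the oauth2 app's access-token storage, so any tokens already issued to a client with that name are, as far as the visible code shows, left behind unless `ClientMapper::delete` cascades on its own. If it does not (the oauth2 app's own settings controller, I believe, deletes a client's tokens explicitly before deleting the client), the loop should resolve the app's access-token mapper from `$container` and drop that client's tokens before `$mapper->delete($existing)`, and the docblock should say that tokens are revoked, not just that the client is replaced. Separately, `$redirectUri` is persisted unchecked; a guard such as `if (filter_var($redirectUri, FILTER_VALIDATE_URL) === false) { fwrite(STDERR, "Invalid redirect URI\n"); exit(1); }` before `setRedirectUri` would reject a malformed domain before it reaches the database.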
@@ -1106,33 +1106,9 @@ if [ "$WINDMILL_ENABLED" = 'yes' ]; then
|
||||
WINDMILL_NC_OAUTH_CLIENT_SECRET="$(php /var/www/html/occ config:app:get windmill nc_oauth_client_secret 2>/dev/null)"
|
||||
if [ -z "$WINDMILL_NC_OAUTH_CLIENT_ID" ] || [ -z "$WINDMILL_NC_OAUTH_CLIENT_SECRET" ]; then
|
||||
WINDMILL_NC_REDIRECT_URI="https://$NC_DOMAIN/windmill/user/login_callback/nextcloud"
|
||||
# Bootstrap NC to create the oauth2 client using NC's own DI container
|
||||
WINDMILL_OAUTH_JSON="$(php -r "
|
||||
define('OC_CONSOLE', 1);
|
||||
require_once '/var/www/html/lib/base.php';
|
||||
\OC_App::loadApp('oauth2');
|
||||
\$container = \OC::getContainer();
|
||||
\$mapper = \$container->get(\OCA\OAuth2\Db\ClientMapper::class);
|
||||
\$crypto = \$container->get(\OCP\Security\ICrypto::class);
|
||||
\$random = \$container->get(\OCP\Security\ISecureRandom::class);
|
||||
\$redirectUri = '${WINDMILL_NC_REDIRECT_URI}';
|
||||
// Delete any stale 'Windmill' client that might have lost its secret
|
||||
foreach (\$mapper->getClients() as \$c) {
|
||||
if (\$c->getName() === 'Windmill') { \$mapper->delete(\$c); }
|
||||
}
|
||||
\$client = new \OCA\OAuth2\Db\Client();
|
||||
\$client->setName('Windmill');
|
||||
\$client->setRedirectUri(\$redirectUri);
|
||||
\$secret = \$random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
|
||||
\$hashedSecret = bin2hex(\$crypto->calculateHMAC(\$secret));
|
||||
\$client->setSecret(\$hashedSecret);
|
||||
\$clientId = \$random->generate(64, 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
|
||||
\$client->setClientIdentifier(\$clientId);
|
||||
\$mapper->insert(\$client);
|
||||
echo json_encode(['client_id' => \$clientId, 'client_secret' => \$secret]);
|
||||
" 2>/dev/null)"
|
||||
WINDMILL_NC_OAUTH_CLIENT_ID="$(echo "$WINDMILL_OAUTH_JSON" | php -r "echo json_decode(stream_get_contents(STDIN))->client_id;")"
|
||||
WINDMILL_NC_OAUTH_CLIENT_SECRET="$(echo "$WINDMILL_OAUTH_JSON" | php -r "echo json_decode(stream_get_contents(STDIN))->client_secret;")"
|
||||
WINDMILL_OAUTH_OUTPUT="$(php /create-oauth2-client.php "Windmill" "$WINDMILL_NC_REDIRECT_URI" 2>/dev/null)"
|
||||
WINDMILL_NC_OAUTH_CLIENT_ID="$(printf '%s' "$WINDMILL_OAUTH_OUTPUT" | head -1)"
|
||||
WINDMILL_NC_OAUTH_CLIENT_SECRET="$(printf '%s' "$WINDMILL_OAUTH_OUTPUT" | tail -1)"
|
||||
php /var/www/html/occ config:app:set windmill nc_oauth_client_id --value="$WINDMILL_NC_OAUTH_CLIENT_ID"
|
||||
php /var/www/html/occ config:app:set windmill nc_oauth_client_secret --value="$WINDMILL_NC_OAUTH_CLIENT_SECRET"
|
||||
fi
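Review bot: The three new lines after `WINDMILL_NC_REDIRECT_URI=` never check that `php /create-oauth2-client.php` succeeded: with `2>/dev/null`, a usage error, a fatal while bootstrapping `base.php`, or an uncaught exception from the insert leaves `WINDMILL_OAUTH_OUTPUT` empty, and the two `occ config:app:set` calls that follow then persist empty strings; if the output happens to be a single line, `head -1` and `tail -1` return the same line and the client id is stored as the secret. Gate the parse and the `config:app:set` calls on the script's exit status and on exactly two output lines, and log the failure rather than discarding stderr silently. The enclosing `if [ "$WINDMILL_ENABLED" = 'yes' ]` block starts before the hunk.

```shell
# … unchanged: WINDMILL_NC_OAUTH_CLIENT_ID/_SECRET lookup and WINDMILL_NC_REDIRECT_URI assignment …
if WINDMILL_OAUTH_OUTPUT="$(php /create-oauth2-client.php "Windmill" "$WINDMILL_NC_REDIRECT_URI")" \
    && [ "$(printf '%s\n' "$WINDMILL_OAUTH_OUTPUT" | wc -l)" -eq 2 ]; then
    WINDMILL_NC_OAUTH_CLIENT_ID="$(printf '%s' "$WINDMILL_OAUTH_OUTPUT" | head -1)"
    WINDMILL_NC_OAUTH_CLIENT_SECRET="$(printf '%s' "$WINDMILL_OAUTH_OUTPUT" | tail -1)"
    php /var/www/html/occ config:app:set windmill nc_oauth_client_id --value="$WINDMILL_NC_OAUTH_CLIENT_ID"
    php /var/www/html/occ config:app:set windmill nc_oauth_client_secret --value="$WINDMILL_NC_OAUTH_CLIENT_SECRET"
else
    echo "Could not create the Nextcloud OAuth2 client for Windmill; leaving the stored credentials untouched."
fi
```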
|
||||
|
||||