signatories

Signed-off-by: Maxence Lange <maxence@artificial-owl.com>

apps/cloud_federation_api/lib/Capabilities.php

@@ -9,17 +9,24 @@
 
 namespace OCA\CloudFederationAPI;
 
+use OC\OCM\OCMSignatoryManager;
+use OC\Security\Signature\Model\Signatory;
 use OCP\Capabilities\ICapability;
 use OCP\IURLGenerator;
 use OCP\OCM\Exceptions\OCMArgumentException;
 use OCP\OCM\IOCMProvider;
+use OCP\Security\Signature\Exceptions\SignatoryException;
+use OCP\Security\Signature\Model\ISignatory;
+use Psr\Log\LoggerInterface;
 
 class Capabilities implements ICapability {
-	public const API_VERSION = '1.0-proposal1';
+	public const API_VERSION = '1.1'; // informative, real version.
 
 	public function __construct(
 		private IURLGenerator $urlGenerator,
 		private IOCMProvider $provider,
+		private readonly OCMSignatoryManager $ocmSignatoryManager,
+		private readonly LoggerInterface $logger,
 	) {
 	}
 
@@ -60,6 +67,12 @@ public function getCapabilities() {
 
 		$this->provider->addResourceType($resource);
 
+		try {
+			$this->provider->setSignatory($this->ocmSignatoryManager->getLocalSignatory());
+		} catch (SignatoryException $e) {
+			$this->logger->warning('cannot generate local signatory', ['exception' => $e]);
+		}
+
 		return ['ocm' => $this->provider->jsonSerialize()];
 	}
 }

apps/cloud_federation_api/lib/Controller/RequestHandlerController.php

@@ -5,6 +5,7 @@
  */
 namespace OCA\CloudFederationAPI\Controller;
 
+use OC\OCM\OCMSignatoryManager;
 use OCA\CloudFederationAPI\Config;
 use OCA\CloudFederationAPI\ResponseDefinitions;
 use OCP\AppFramework\Controller;
@@ -19,10 +20,16 @@
 use OCP\Federation\ICloudFederationFactory;
 use OCP\Federation\ICloudFederationProviderManager;
 use OCP\Federation\ICloudIdManager;
+use OCP\IAppConfig;
 use OCP\IGroupManager;
 use OCP\IRequest;
 use OCP\IURLGenerator;
 use OCP\IUserManager;
+use OCP\Security\Signature\Exceptions\IncomingRequestException;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureException;
+use OCP\Security\Signature\ISignatureManager;
+use OCP\Security\Signature\Model\IIncomingSignedRequest;
 use OCP\Share\Exceptions\ShareNotFound;
 use Psr\Log\LoggerInterface;
 
@@ -46,8 +53,11 @@ public function __construct(
 		private IURLGenerator $urlGenerator,
 		private ICloudFederationProviderManager $cloudFederationProviderManager,
 		private Config $config,
+		private readonly IAppConfig $appConfig,
 		private ICloudFederationFactory $factory,
-		private ICloudIdManager $cloudIdManager
+		private ICloudIdManager $cloudIdManager,
+		private readonly ISignatureManager $signatureManager,
+		private readonly OCMSignatoryManager $signatoryManager,
 	) {
 		parent::__construct($appName, $request);
 	}
@@ -77,6 +87,19 @@ public function __construct(
 	 * 501: Share type or the resource type is not supported
 	 */
 	public function addShare($shareWith, $name, $description, $providerId, $owner, $ownerDisplayName, $sharedBy, $sharedByDisplayName, $protocol, $shareType, $resourceType) {
+		try {
+			$this->logger->warning('___1');
+
+			$signedRequest = $this->getSignedRequest();
+			if ($signedRequest !== null && $signedRequest->getOrigin()) {
+				\OC::$server->getLogger()->log(3,' ### SIGNED REQUEST -- ' . $signedRequest->getBody());
+			}
+		} catch (IncomingRequestException $e) {
+			$this->logger->warning('incoming request exception', ['exception' => $e]);
+			return new JSONResponse(['message' => $e->getMessage(), 'validationErrors' => []],
+									Http::STATUS_BAD_REQUEST);
+		}
+
 		// check if all required parameters are set
 		if ($shareWith === null ||
 			$name === null ||
@@ -99,6 +122,7 @@ public function addShare($shareWith, $name, $description, $providerId, $owner, $
 			);
 		}
 
+
 		$supportedShareTypes = $this->config->getSupportedShareTypes($resourceType);
 		if (!in_array($shareType, $supportedShareTypes)) {
 			return new JSONResponse(
@@ -279,4 +303,27 @@ private function mapUid($uid) {
 
 		return $uid;
 	}
+
+
+	/**
+	 * @return IIncomingSignedRequest|null null if remote is not yet compatible with signed request and we ignore this fact
+	 * @throws IncomingRequestException
+	 */
+	private function getSignedRequest(): ?IIncomingSignedRequest {
+		try {
+ 			return $this->signatureManager->getIncomingSignedRequest($this->signatoryManager);
+		} catch (SignatoryNotFoundException $e) {
+			// remote does not support signed request.
+			// currently we still accept unsigned request until lazy appconfig
+			// core.enforce_signed_ocm_request is set to true (default: false)
+			if ($this->appConfig->getValueBool('enforce_signed_ocm_request', false, lazy: true)) {
+				$this->logger->notice('ignored unsigned request', ['exception' => $e]);
+				throw new IncomingRequestException('Unsigned request');
+			}
+		} catch (SignatureException $e) {
+			$this->logger->notice('wrongly signed request', ['exception' => $e]);
+			throw new IncomingRequestException('Invalid signature');
+		}
+		return null;
+	}
 }

apps/files_sharing/lib/External/Cache.php

@@ -22,7 +22,10 @@ class Cache extends \OC\Files\Cache\Cache {
 	public function __construct($storage, ICloudId $cloudId) {
 		$this->cloudId = $cloudId;
 		$this->storage = $storage;
-		[, $remote] = explode('://', $cloudId->getRemote(), 2);
+		$remote = $cloudId->getRemote();
+		if (str_contains($remote, '://')) {
+			[, $remote] = explode('://', $cloudId->getRemote(), 2);
+		}
 		$this->remote = $remote;
 		$this->remoteUser = $cloudId->getUser();
 		parent::__construct($storage);

core/Controller/OCMController.php

@@ -15,6 +15,7 @@
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\Capabilities\ICapability;
+use OCP\IAppConfig;
 use OCP\IConfig;
 use OCP\IRequest;
 use OCP\Server;
@@ -29,7 +30,7 @@
 class OCMController extends Controller {
 	public function __construct(
 		IRequest $request,
-		private IConfig $config,
+		private readonly IAppConfig $appConfig,
 		private LoggerInterface $logger
 	) {
 		parent::__construct('core', $request);
@@ -52,10 +53,10 @@ public function __construct(
 	public function discovery(): DataResponse {
 		try {
 			$cap = Server::get(
-				$this->config->getAppValue(
-					'core',
-					'ocm_providers',
-					'\OCA\CloudFederationAPI\Capabilities'
+				$this->appConfig->getValueString(
+					'core', 'ocm_providers',
+					\OCA\CloudFederationAPI\Capabilities::class,
+					lazy: true
 				)
 			);
 

core/Migrations/Version30000Date20240101084401.php

@@ -0,0 +1,105 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\Core\Migrations;
+
+use Closure;
+use OCP\DB\ISchemaWrapper;
+use OCP\DB\Types;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+
+/**
+ *
+ */
+class Version30000Date20240101084401 extends SimpleMigrationStep {
+	/**
+	 * @param IOutput $output
+	 * @param Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper`
+	 * @param array $options
+	 * @return null|ISchemaWrapper
+	 */
+	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
+		/** @var ISchemaWrapper $schema */
+		$schema = $schemaClosure();
+
+		if (!$schema->hasTable('sec_signatory')) {
+			$table = $schema->createTable('sec_signatory');
+			$table->addColumn('id', Types::BIGINT, [
+				'notnull' => true,
+				'length' => 64,
+				'autoincrement' => true,
+				'unsigned' => true,
+			]);
+			// key_id_sum will store a hash version of the key_id, more appropriate for search/index
+			$table->addColumn('key_id_sum', Types::STRING, [
+				'notnull' => true,
+				'length' => 127,
+			]);
+			$table->addColumn('key_id', Types::STRING, [
+				'notnull' => true,
+				'length' => 512
+			]);
+			// host/provider_id/account will help generate a unique entry, not based on key_id
+			// this way, a spoofed instance cannot publish a new key_id for same host+provider_id
+			// account will be used only to stored multiple keys for the same provider_id/host
+			$table->addColumn('host', Types::STRING, [
+				'notnull' => true,
+				'length' => 127
+			]);
+			$table->addColumn('provider_id', Types::STRING, [
+				'notnull' => true,
+				'length' => 31,
+			]);
+			$table->addColumn('account', Types::STRING, [
+				'notnull' => false,
+				'length' => 127,
+				'default' => ''
+			]);
+			$table->addColumn('public_key', Types::TEXT, [
+				'notnull' => true,
+				'default' => ''
+			]);
+			$table->addColumn('metadata', Types::TEXT, [
+				'notnull' => true,
+				'default' => '[]'
+			]);
+			// type+status are informative about the trustability of remote instance and status of the signatory
+			$table->addColumn('type', Types::SMALLINT, [
+				'notnull' => true,
+				'length' => 2,
+				'default' => 9
+			]);
+			$table->addColumn('status', Types::SMALLINT, [
+				'notnull' => true,
+				'length' => 2,
+				'default' => 0,
+			]);
+			$table->addColumn('creation', Types::INTEGER, [
+				'notnull' => false,
+				'length' => 4,
+				'default' => 0,
+				'unsigned' => true,
+			]);
+			$table->addColumn('last_updated', Types::INTEGER, [
+				'notnull' => false,
+				'length' => 4,
+				'default' => 0,
+				'unsigned' => true,
+			]);
+
+			$table->setPrimaryKey(['id'], 'sec_sig_id');
+			$table->addUniqueIndex(['provider_id', 'host', 'account'], 'sec_sig_unic');
+			$table->addIndex(['key_id_sum', 'provider_id'], 'sec_sig_key');
+
+			return $schema;
+		}
+
+		return null;
+	}
+}

lib/private/AppFramework/Http/Request.php

@@ -352,7 +352,7 @@ public function getCookie(string $key) {
 	 *
 	 * @throws \LogicException
 	 */
-	protected function getContent() {
+	public function getContent() {
 		// If the content can't be parsed into an array then return a stream resource.
 		if ($this->isPutStreamContent()) {
 			if ($this->content === false) {

lib/private/Federation/CloudFederationProviderManager.php

@@ -9,6 +9,7 @@
 namespace OC\Federation;
 
 use OC\AppFramework\Http;
+use OC\OCM\OCMSignatoryManager;
 use OCP\App\IAppManager;
 use OCP\Federation\Exceptions\ProviderDoesNotExistsException;
 use OCP\Federation\ICloudFederationNotification;
@@ -21,6 +22,7 @@
 use OCP\IConfig;
 use OCP\OCM\Exceptions\OCMProviderException;
 use OCP\OCM\IOCMDiscoveryService;
+use OCP\Security\Signature\ISignatureManager;
 use Psr\Log\LoggerInterface;
 
 /**
@@ -40,7 +42,9 @@ public function __construct(
 		private IClientService $httpClientService,
 		private ICloudIdManager $cloudIdManager,
 		private IOCMDiscoveryService $discoveryService,
-		private LoggerInterface $logger
+		private readonly ISignatureManager $signatureManager,
+		private readonly OCMSignatoryManager $signatoryManager,
+		private LoggerInterface $logger,
 	) {
 	}
 
@@ -106,13 +110,18 @@ public function sendShare(ICloudFederationShare $share) {
 
 		$client = $this->httpClientService->newClient();
 		try {
-			$response = $client->post($ocmProvider->getEndPoint() . '/shares', [
-				'body' => json_encode($share->getShare()),
-				'headers' => ['content-type' => 'application/json'],
-				'verify' => !$this->config->getSystemValueBool('sharing.federation.allowSelfSignedCertificates', false),
-				'timeout' => 10,
-				'connect_timeout' => 10,
-			]);
+			$uri = $ocmProvider->getEndPoint() . '/shares';
+			$signedPayload = $this->signatureManager->signOutgoingRequestIClientPayload(
+				$this->signatoryManager,
+				[
+					'body' => json_encode($share->getShare()),
+					'headers' => ['content-type' => 'application/json'],
+					'verify' => !$this->config->getSystemValueBool('sharing.federation.allowSelfSignedCertificates', false),
+					'timeout' => 10,
+					'connect_timeout' => 10,
+				],
+			'post', $uri);
+			$response = $client->post($uri, $signedPayload);
 
 			if ($response->getStatusCode() === Http::STATUS_CREATED) {
 				$result = json_decode($response->getBody(), true);