Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
78299 Commits
574 Branches
1160 Tags
4.0 GiB
Tree: 4591430c9c
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4591430c9c'
${ noResults }
nextcloud-server/lib/private/OCM/OCMSignatoryManager.php

149 lines
4.5 KiB
Raw Normal View History

feat(ocm): signing ocm requests Signed-off-by: Maxence Lange <maxence@artificial-owl.com>
1 year ago
  1. <?php
  3. declare(strict_types=1);
  5. /**
  6. * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
  7. * SPDX-License-Identifier: AGPL-3.0-or-later
  8. */
  9. namespace OC\OCM;
  11. use NCU\Security\PublicPrivateKeyPairs\Exceptions\KeyPairConflictException;
  12. use NCU\Security\PublicPrivateKeyPairs\Exceptions\KeyPairNotFoundException;
  13. use NCU\Security\PublicPrivateKeyPairs\IKeyPairManager;
  14. use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
  15. use NCU\Security\Signature\ISignatoryManager;
  16. use NCU\Security\Signature\ISignatureManager;
  17. use NCU\Security\Signature\Model\IIncomingSignedRequest;
  18. use NCU\Security\Signature\Model\ISignatory;
  19. use NCU\Security\Signature\Model\SignatoryType;
  20. use OC\Security\Signature\Model\Signatory;
  21. use OCP\IAppConfig;
  22. use OCP\IURLGenerator;
  23. use OCP\OCM\Exceptions\OCMProviderException;
  25. /**
  26. * @inheritDoc
  27. *
  28. * returns local signatory using IKeyPairManager
  29. * extract optional signatory (keyId+public key) from ocm discovery service on remote instance
  30. *
  31. * @since 31.0.0
  32. */
  33. class OCMSignatoryManager implements ISignatoryManager {
  34. public const PROVIDER_ID = 'ocm';
  35. public const APPCONFIG_SIGN_IDENTITY_EXTERNAL = 'ocm_signed_request_identity_external';
  36. public const APPCONFIG_SIGN_DISABLED = 'ocm_signed_request_disabled';
  37. public const APPCONFIG_SIGN_ENFORCED = 'ocm_signed_request_enforced';
  39. public function __construct(
  40. private readonly IAppConfig $appConfig,
  41. private readonly ISignatureManager $signatureManager,
  42. private readonly IURLGenerator $urlGenerator,
  43. private readonly IKeyPairManager $keyPairManager,
  44. private readonly OCMDiscoveryService $ocmDiscoveryService,
  45. ) {
  46. }
  48. /**
  49. * @inheritDoc
  50. *
  51. * @since 31.0.0
  52. * @return string
  53. */
  54. public function getProviderId(): string {
  55. return self::PROVIDER_ID;
  56. }
  58. /**
  59. * @inheritDoc
  60. *
  61. * @since 31.0.0
  62. * @return array
  63. */
  64. public function getOptions(): array {
  65. return [];
  66. }
  68. /**
  69. * @inheritDoc
  70. *
  71. * @return ISignatory
  72. * @throws KeyPairConflictException
  73. * @throws IdentityNotFoundException
  74. * @since 31.0.0
  75. */
  76. public function getLocalSignatory(): ISignatory {
  77. /**
  78. * TODO: manage multiple identity (external, internal, ...) to allow a limitation
  79. * based on the requested interface (ie. only accept shares from globalscale)
  80. */
  81. if ($this->appConfig->hasKey('core', self::APPCONFIG_SIGN_IDENTITY_EXTERNAL, true)) {
  82. $identity = $this->appConfig->getValueString('core', self::APPCONFIG_SIGN_IDENTITY_EXTERNAL, lazy: true);
  83. $keyId = 'https://' . $identity . '/ocm#signature';
  84. } else {
  85. $keyId = $this->generateKeyId();
  86. }
  88. try {
  89. $keyPair = $this->keyPairManager->getKeyPair('core', 'ocm_external');
  90. } catch (KeyPairNotFoundException) {
  91. $keyPair = $this->keyPairManager->generateKeyPair('core', 'ocm_external');
  92. }
  94. return new Signatory($keyId, $keyPair->getPublicKey(), $keyPair->getPrivateKey(), local: true);
  95. }
  97. /**
  98. * - tries to generate a keyId using global configuration (from signature manager) if available
  99. * - generate a keyId using the current route to ocm shares
  100. *
  101. * @return string
  102. * @throws IdentityNotFoundException
  103. */
  104. private function generateKeyId(): string {
  105. try {
  106. return $this->signatureManager->generateKeyIdFromConfig('/ocm#signature');
  107. } catch (IdentityNotFoundException) {
  108. }
  110. $url = $this->urlGenerator->linkToRouteAbsolute('cloud_federation_api.requesthandlercontroller.addShare');
  111. $identity = $this->signatureManager->extractIdentityFromUri($url);
  113. // catching possible subfolder to create a keyId like 'https://hostname/subfolder/ocm#signature
  114. $path = parse_url($url, PHP_URL_PATH);
  115. $pos = strpos($path, '/ocm/shares');
  116. $sub = ($pos) ? substr($path, 0, $pos) : '';
  118. return 'https://' . $identity . $sub . '/ocm#signature';
  119. }
  121. /**
  122. * @inheritDoc
  123. *
  124. * @param IIncomingSignedRequest $signedRequest
  125. *
  126. * @return ISignatory|null must be NULL if no signatory is found
  127. * @throws OCMProviderException on fail to discover ocm services
  128. * @since 31.0.0
  129. */
  130. public function getRemoteSignatory(IIncomingSignedRequest $signedRequest): ?ISignatory {
  131. return $this->getRemoteSignatoryFromHost($signedRequest->getOrigin());
  132. }
  134. /**
  135. * As host is enough to generate signatory using OCMDiscoveryService
  136. *
  137. * @param string $host
  138. *
  139. * @return ISignatory|null
  140. * @throws OCMProviderException on fail to discover ocm services
  141. * @since 31.0.0
  142. */
  143. public function getRemoteSignatoryFromHost(string $host): ?ISignatory {
  144. $ocmProvider = $this->ocmDiscoveryService->discover($host, true);
  145. $signatory = $ocmProvider->getSignatory();
  147. return $signatory?->setType(SignatoryType::TRUSTED);
  148. }
  149. }