Signed requests

apps/cloud_federation_api/lib/Capabilities.php

@@ -6,20 +6,27 @@
  * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors
  * SPDX-License-Identifier: AGPL-3.0-or-later
  */
-
 namespace OCA\CloudFederationAPI;
 
+use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
+use NCU\Security\Signature\Exceptions\SignatoryException;
+use OC\OCM\OCMSignatoryManager;
 use OCP\Capabilities\ICapability;
+use OCP\IAppConfig;
 use OCP\IURLGenerator;
 use OCP\OCM\Exceptions\OCMArgumentException;
 use OCP\OCM\IOCMProvider;
+use Psr\Log\LoggerInterface;
 
 class Capabilities implements ICapability {
-	public const API_VERSION = '1.0-proposal1';
+	public const API_VERSION = '1.1'; // informative, real version.
 
 	public function __construct(
 		private IURLGenerator $urlGenerator,
+		private IAppConfig $appConfig,
 		private IOCMProvider $provider,
+		private readonly OCMSignatoryManager $ocmSignatoryManager,
+		private readonly LoggerInterface $logger,
 	) {
 	}
 
@@ -28,15 +35,20 @@ public function __construct(
 	 *
 	 * @return array{
 	 *     ocm: array{
+	 *     	   apiVersion: '1.0-proposal1',
 	 *         enabled: bool,
-	 *         apiVersion: string,
 	 *         endPoint: string,
+	 *         publicKey: array{
+	 *             keyId: string,
+	 *             publicKeyPem: string,
+	 *         },
 	 *         resourceTypes: list<array{
 	 *             name: string,
 	 *             shareTypes: list<string>,
 	 *             protocols: array<string, string>
-	 *           }>,
-	 *       },
+	 *         }>,
+	 *         version: string
+	 *     }
 	 * }
 	 * @throws OCMArgumentException
 	 */
@@ -60,6 +72,17 @@ public function getCapabilities() {
 
 		$this->provider->addResourceType($resource);
 
-		return ['ocm' => $this->provider->jsonSerialize()];
+		// Adding a public key to the ocm discovery
+		try {
+			if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
+				$this->provider->setSignatory($this->ocmSignatoryManager->getLocalSignatory());
+			} else {
+				$this->logger->debug('ocm public key feature disabled');
+			}
+		} catch (SignatoryException|IdentityNotFoundException $e) {
+			$this->logger->warning('cannot generate local signatory', ['exception' => $e]);
+		}
+
+		return ['ocm' => json_decode(json_encode($this->provider->jsonSerialize()), true)];
 	}
 }

apps/cloud_federation_api/lib/Controller/RequestHandlerController.php

@@ -5,6 +5,14 @@
  */
 namespace OCA\CloudFederationAPI\Controller;
 
+use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
+use NCU\Security\Signature\Exceptions\IncomingRequestException;
+use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
+use NCU\Security\Signature\Exceptions\SignatureException;
+use NCU\Security\Signature\Exceptions\SignatureNotFoundException;
+use NCU\Security\Signature\ISignatureManager;
+use NCU\Security\Signature\Model\IIncomingSignedRequest;
+use OC\OCM\OCMSignatoryManager;
 use OCA\CloudFederationAPI\Config;
 use OCA\CloudFederationAPI\ResponseDefinitions;
 use OCP\AppFramework\Controller;
@@ -22,11 +30,14 @@
 use OCP\Federation\ICloudFederationFactory;
 use OCP\Federation\ICloudFederationProviderManager;
 use OCP\Federation\ICloudIdManager;
+use OCP\IAppConfig;
 use OCP\IGroupManager;
 use OCP\IRequest;
 use OCP\IURLGenerator;
 use OCP\IUserManager;
 use OCP\Share\Exceptions\ShareNotFound;
+use OCP\Share\IProviderFactory;
+use OCP\Share\IShare;
 use OCP\Util;
 use Psr\Log\LoggerInterface;
 
@@ -50,8 +61,12 @@ public function __construct(
 		private IURLGenerator $urlGenerator,
 		private ICloudFederationProviderManager $cloudFederationProviderManager,
 		private Config $config,
+		private readonly IAppConfig $appConfig,
 		private ICloudFederationFactory $factory,
 		private ICloudIdManager $cloudIdManager,
+		private readonly ISignatureManager $signatureManager,
+		private readonly OCMSignatoryManager $signatoryManager,
+		private readonly IProviderFactory $shareProviderFactory,
 	) {
 		parent::__construct($appName, $request);
 	}
@@ -81,11 +96,20 @@ public function __construct(
 	#[NoCSRFRequired]
 	#[BruteForceProtection(action: 'receiveFederatedShare')]
 	public function addShare($shareWith, $name, $description, $providerId, $owner, $ownerDisplayName, $sharedBy, $sharedByDisplayName, $protocol, $shareType, $resourceType) {
+		try {
+			// if request is signed and well signed, no exception are thrown
+			// if request is not signed and host is known for not supporting signed request, no exception are thrown
+			$signedRequest = $this->getSignedRequest();
+			$this->confirmSignedOrigin($signedRequest, 'owner', $owner);
+		} catch (IncomingRequestException $e) {
+			$this->logger->warning('incoming request exception', ['exception' => $e]);
+			return new JSONResponse(['message' => $e->getMessage(), 'validationErrors' => []], Http::STATUS_BAD_REQUEST);
+		}
+
 		// check if all required parameters are set
 		if ($shareWith === null ||
 			$name === null ||
 			$providerId === null ||
-			$owner === null ||
 			$resourceType === null ||
 			$shareType === null ||
 			!is_array($protocol) ||
@@ -208,6 +232,16 @@ public function addShare($shareWith, $name, $description, $providerId, $owner, $
 	#[PublicPage]
 	#[BruteForceProtection(action: 'receiveFederatedShareNotification')]
 	public function receiveNotification($notificationType, $resourceType, $providerId, ?array $notification) {
+		try {
+			// if request is signed and well signed, no exception are thrown
+			// if request is not signed and host is known for not supporting signed request, no exception are thrown
+			$signedRequest = $this->getSignedRequest();
+			$this->confirmShareOrigin($signedRequest, $notification['sharedSecret'] ?? '');
+		} catch (IncomingRequestException $e) {
+			$this->logger->warning('incoming request exception', ['exception' => $e]);
+			return new JSONResponse(['message' => $e->getMessage(), 'validationErrors' => []], Http::STATUS_BAD_REQUEST);
+		}
+
 		// check if all required parameters are set
 		if ($notificationType === null ||
 			$resourceType === null ||
@@ -256,6 +290,7 @@ public function receiveNotification($notificationType, $resourceType, $providerI
 			$response->throttle();
 			return $response;
 		} catch (\Exception $e) {
+			$this->logger->warning('incoming notification exception', ['exception' => $e]);
 			return new JSONResponse(
 				[
 					'message' => 'Internal error at ' . $this->urlGenerator->getBaseUrl(),
@@ -286,4 +321,118 @@ private function mapUid($uid) {
 
 		return $uid;
 	}
+
+
+	/**
+	 * returns signed request if available.
+	 * throw an exception:
+	 * - if request is signed, but wrongly signed
+	 * - if request is not signed but instance is configured to only accept signed ocm request
+	 *
+	 * @return IIncomingSignedRequest|null null if remote does not (and never did) support signed request
+	 * @throws IncomingRequestException
+	 */
+	private function getSignedRequest(): ?IIncomingSignedRequest {
+		try {
+			return $this->signatureManager->getIncomingSignedRequest($this->signatoryManager);
+		} catch (SignatureNotFoundException|SignatoryNotFoundException $e) {
+			// remote does not support signed request.
+			// currently we still accept unsigned request until lazy appconfig
+			// core.enforce_signed_ocm_request is set to true (default: false)
+			if ($this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_ENFORCED, lazy: true)) {
+				$this->logger->notice('ignored unsigned request', ['exception' => $e]);
+				throw new IncomingRequestException('Unsigned request');
+			}
+		} catch (SignatureException $e) {
+			$this->logger->notice('wrongly signed request', ['exception' => $e]);
+			throw new IncomingRequestException('Invalid signature');
+		}
+		return null;
+	}
+
+
+	/**
+	 * confirm that the value related to $key entry from the payload is in format userid@hostname
+	 * and compare hostname with the origin of the signed request.
+	 *
+	 * If request is not signed, we still verify that the hostname from the extracted value does,
+	 * actually, not support signed request
+	 *
+	 * @param IIncomingSignedRequest|null $signedRequest
+	 * @param string $key entry from data available in data
+	 * @param string $value value itself used in case request is not signed
+	 *
+	 * @throws IncomingRequestException
+	 */
+	private function confirmSignedOrigin(?IIncomingSignedRequest $signedRequest, string $key, string $value): void {
+		if ($signedRequest === null) {
+			$instance = $this->getHostFromFederationId($value);
+			try {
+				$this->signatureManager->searchSignatory($instance);
+				throw new IncomingRequestException('instance is supposed to sign its request');
+			} catch (SignatoryNotFoundException) {
+				return;
+			}
+		}
+
+		$body = json_decode($signedRequest->getBody(), true) ?? [];
+		$entry = trim($body[$key] ?? '', '@');
+		if ($this->getHostFromFederationId($entry) !== $signedRequest->getOrigin()) {
+			throw new IncomingRequestException('share initiation from different instance');
+		}
+	}
+
+
+	/**
+	 *  confirm that the value related to share token is in format userid@hostname
+	 *  and compare hostname with the origin of the signed request.
+	 *
+	 *  If request is not signed, we still verify that the hostname from the extracted value does,
+	 *  actually, not support signed request
+	 *
+	 * @param IIncomingSignedRequest|null $signedRequest
+	 * @param string $token
+	 *
+	 * @return void
+	 * @throws IncomingRequestException
+	 */
+	private function confirmShareOrigin(?IIncomingSignedRequest $signedRequest, string $token): void {
+		if ($token === '') {
+			throw new BadRequestException(['sharedSecret']);
+		}
+
+		$provider = $this->shareProviderFactory->getProviderForType(IShare::TYPE_REMOTE);
+		$share = $provider->getShareByToken($token);
+		$entry = $share->getSharedWith();
+
+		$instance = $this->getHostFromFederationId($entry);
+		if ($signedRequest === null) {
+			try {
+				$this->signatureManager->searchSignatory($instance);
+				throw new IncomingRequestException('instance is supposed to sign its request');
+			} catch (SignatoryNotFoundException) {
+				return;
+			}
+		} elseif ($instance !== $signedRequest->getOrigin()) {
+			throw new IncomingRequestException('token sharedWith from different instance');
+		}
+	}
+
+	/**
+	 * @param string $entry
+	 * @return string
+	 * @throws IncomingRequestException
+	 */
+	private function getHostFromFederationId(string $entry): string {
+		if (!str_contains($entry, '@')) {
+			throw new IncomingRequestException('entry does not contains @');
+		}
+		[, $rightPart] = explode('@', $entry, 2);
+
+		try {
+			return $this->signatureManager->extractIdentityFromUri('https://' . $rightPart);
+		} catch (IdentityNotFoundException) {
+			throw new IncomingRequestException('invalid host within federation id: ' . $entry);
+		}
+	}
 }

apps/cloud_federation_api/openapi.json

@@ -43,21 +43,41 @@
                     "ocm": {
                         "type": "object",
                         "required": [
-                            "enabled",
                             "apiVersion",
+                            "enabled",
                             "endPoint",
-                            "resourceTypes"
+                            "publicKey",
+                            "resourceTypes",
+                            "version"
                         ],
                         "properties": {
+                            "apiVersion": {
+                                "type": "string",
+                                "enum": [
+                                    "1.0-proposal1"
+                                ]
+                            },
                             "enabled": {
                                 "type": "boolean"
                             },
-                            "apiVersion": {
-                                "type": "string"
-                            },
                             "endPoint": {
                                 "type": "string"
                             },
+                            "publicKey": {
+                                "type": "object",
+                                "required": [
+                                    "keyId",
+                                    "publicKeyPem"
+                                ],
+                                "properties": {
+                                    "keyId": {
+                                        "type": "string"
+                                    },
+                                    "publicKeyPem": {
+                                        "type": "string"
+                                    }
+                                }
+                            },
                             "resourceTypes": {
                                 "type": "array",
                                 "items": {
@@ -85,6 +105,9 @@
                                         }
                                     }
                                 }
+                            },
+                            "version": {
+                                "type": "string"
                             }
                         }
                     }

apps/federatedfilesharing/lib/FederatedShareProvider.php

@@ -250,7 +250,8 @@ protected function askOwnerToReShare($shareWith, IShare $share, $shareId) {
 			$remote,
 			$shareWith,
 			$share->getPermissions(),
-			$share->getNode()->getName()
+			$share->getNode()->getName(),
+			$share->getShareType(),
 		);
 
 		return [$token, $remoteId];

apps/federatedfilesharing/lib/Notifications.php

@@ -108,12 +108,13 @@ public function sendRemoteShare($token, $shareWith, $name, $remoteId, $owner, $o
 	 * @throws HintException
 	 * @throws \OC\ServerNotAvailableException
 	 */
-	public function requestReShare($token, $id, $shareId, $remote, $shareWith, $permission, $filename) {
+	public function requestReShare($token, $id, $shareId, $remote, $shareWith, $permission, $filename, $shareType) {
 		$fields = [
 			'shareWith' => $shareWith,
 			'token' => $token,
 			'permission' => $permission,
 			'remoteId' => $shareId,
+			'shareType' => $shareType,
 		];
 
 		$ocmFields = $fields;

apps/files_sharing/lib/External/Storage.php

@@ -88,6 +88,7 @@ public function __construct($options) {
 		parent::__construct(
 			[
 				'secure' => ((parse_url($remote, PHP_URL_SCHEME) ?? 'https') === 'https'),
+				'verify' => !$this->config->getSystemValueBool('sharing.federation.allowSelfSignedCertificates', false),
 				'host' => $host,
 				'root' => $webDavEndpoint,
 				'user' => $options['token'],