Current code blindy adds any resources to the ocm disocvery, this makes
it so that different cloud federation providers can not add different
protocols for the same resourceType without the resourceType being
duplicated, something that OCM does not allow:
```
REQUIRED: resourceTypes (array) - A list of all resource types this
server supports in both the Sending Server role and the Receiving
Server role, with their access protocols. Each item in this list MUST
itself be an object containing the following fields:
name (string) - A supported resource type (file, calendar, contact, ...).
Implementations MUST offer support for at least one resource type, where
file is the commonly supported one. Each resource type is identified by
its name: the list MUST NOT contain more than one resource type object
per given name.
...
```
https://datatracker.ietf.org/doc/html/draft-ietf-ocm-open-cloud-mesh-04#name-fields
This patch changes this behaviour from this example result:
```
{
"name": "folder",
"shareTypes": [
"user"
],
"protocols": {
"webapp": {}
}
},
{
"name": "folder",
"shareTypes": [
"user"
],
"protocols": {
"webapp-receive": {
"targets": [
"blank",
"iframe"
]
}
}
```
to:
```
{
"name": "folder",
"shareTypes": [
"user"
],
"protocols": {
"webapp": {},
"webapp-receive": {
"targets": [
"blank",
"iframe"
]
}
}
```
which is the correct behaviour according to OCM.
Signed-off-by: Micke Nordin <kano@sunet.se>
The diff can be checked using: git diff --ignore-all-space --ignore-blank-lines
To see only the changes not related to blank lines.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Apps implementing OCM endpoints via OCMEndpointRequestEvent (e.g.
SUNET/nextcloud-ocm_request_share for request-share, nextcloud/contacts
for invite-accepted) need to apply the same identity check that the
built-in addShare and receiveNotification handlers apply, so it makes
sense to make it publicly accessible.
It also allows us to refactor RequestHandlerController::confirmSignedOrigin
to use the new public method and drop the confirmNotificationIdentity helper.
Signed-off-by: Micke Nordin <kano@sunet.se>
This commit switches the default signature algorithm to
ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium
optional again, and we only pull it in to use it for verifying incomming
signatures. If sodium is not installed, we throw on Ed25519 signatures
instead. At least it is easy for most people to make their Nextcloud
install fully RFC compliant by installing sodium.
I also renamed all the Ed25519 function names to be more precis, using
Jwks for the JSON Web Keys, and RFC9421 for the http-signature code,
where it is needed to distinguish from draft-cavage signatures.
Signed-off-by: Micke Nordin <kano@sunet.se>
OCM dual-stack integration of RFC 9421 alongside the existing cavage
publicKey path:
- OCMSignatoryManager: Ed25519 active/pending/retiring slot rotation
backed by numbered pool appkeys, getRemoteKey for inbound JWK lookup
with per-origin cache + cache-miss refetch, and getLocalEd25519Jwks
for the JWKS endpoint.
- Rfc9421SignatoryManager: per-call wrapper that swaps in the Ed25519
signatory and toggles `rfc9421.format`.
- OCMJwksHandler: serves /.well-known/jwks.json (RFC 7517) when signing
is enabled.
- OCMDiscoveryService: advertises `http-sig` in capabilities when
signing is enabled, and picks the signature scheme on outbound based
on the remote's advertised capabilities.
- Application.php: register the JWKS well-known handler.
Signed-off-by: Micke Nordin <kano@sunet.se>
- Add `provider` to `jsonSerialize()` output of OCMProvider.
- Ensures discovery consumers receive provider identifier along with
endpoint, version, and resources.
Signed-off-by: Micke Nordin <kano@sunet.se>
- Call `setCapabilities()` with `capabilities` field when available.
- Prevents loss of provider capability information during discovery.
Signed-off-by: Micke Nordin <kano@sunet.se>
When the public key feature is disabled null is returned for
`publicKey`. So in this case we need to adjust the capabilities
and return type of `jsonSerialize()`.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
