diff options
Diffstat (limited to 'lib/unstable/Security/Signature')
20 files changed, 969 insertions, 0 deletions
diff --git a/lib/unstable/Security/Signature/Enum/DigestAlgorithm.php b/lib/unstable/Security/Signature/Enum/DigestAlgorithm.php new file mode 100644 index 00000000000..465f33fd2c3 --- /dev/null +++ b/lib/unstable/Security/Signature/Enum/DigestAlgorithm.php @@ -0,0 +1,34 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature\Enum; + +/** + * list of available algorithm when generating digest from body + * + * @experimental 31.0.0 + */ +enum DigestAlgorithm: string { + /** @experimental 31.0.0 */ + case SHA256 = 'SHA-256'; + /** @experimental 31.0.0 */ + case SHA512 = 'SHA-512'; + + /** + * returns hashing algorithm to be used when generating digest + * + * @return string + * @experimental 31.0.0 + */ + public function getHashingAlgorithm(): string { + return match($this) { + self::SHA256 => 'sha256', + self::SHA512 => 'sha512', + }; + } +} diff --git a/lib/unstable/Security/Signature/Enum/SignatoryStatus.php b/lib/unstable/Security/Signature/Enum/SignatoryStatus.php new file mode 100644 index 00000000000..1e460aed449 --- /dev/null +++ b/lib/unstable/Security/Signature/Enum/SignatoryStatus.php @@ -0,0 +1,24 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature\Enum; + +/** + * current status of signatory. is it trustable or not ? + * + * - SYNCED = the remote instance is trustable. + * - BROKEN = the remote instance does not use the same key pairs than previously + * + * @experimental 31.0.0 + */ +enum SignatoryStatus: int { + /** @experimental 31.0.0 */ + case SYNCED = 1; + /** @experimental 31.0.0 */ + case BROKEN = 9; +} diff --git a/lib/unstable/Security/Signature/Enum/SignatoryType.php b/lib/unstable/Security/Signature/Enum/SignatoryType.php new file mode 100644 index 00000000000..de3e5568479 --- /dev/null +++ b/lib/unstable/Security/Signature/Enum/SignatoryType.php @@ -0,0 +1,30 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature\Enum; + +/** + * type of link between local and remote instance + * + * - FORGIVABLE = the keypair can be deleted and refreshed anytime; silently + * - REFRESHABLE = the keypair can be refreshed but a notice will be generated + * - TRUSTED = any changes of keypair will require human interaction, warning will be issued + * - STATIC = error will be issued on conflict, assume keypair cannot be reset. + * + * @experimental 31.0.0 + */ +enum SignatoryType: int { + /** @experimental 31.0.0 */ + case FORGIVABLE = 1; // no notice on refresh + /** @experimental 31.0.0 */ + case REFRESHABLE = 4; // notice on refresh + /** @experimental 31.0.0 */ + case TRUSTED = 8; // warning on refresh + /** @experimental 31.0.0 */ + case STATIC = 9; // error on refresh +} diff --git a/lib/unstable/Security/Signature/Enum/SignatureAlgorithm.php b/lib/unstable/Security/Signature/Enum/SignatureAlgorithm.php new file mode 100644 index 00000000000..5afa8a3f810 --- /dev/null +++ b/lib/unstable/Security/Signature/Enum/SignatureAlgorithm.php @@ -0,0 +1,21 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature\Enum; + +/** + * list of available algorithm when signing payload + * + * @experimental 31.0.0 + */ +enum SignatureAlgorithm: string { + /** @experimental 31.0.0 */ + case RSA_SHA256 = 'rsa-sha256'; + /** @experimental 31.0.0 */ + case RSA_SHA512 = 'rsa-sha512'; +} diff --git a/lib/unstable/Security/Signature/Exceptions/IdentityNotFoundException.php b/lib/unstable/Security/Signature/Exceptions/IdentityNotFoundException.php new file mode 100644 index 00000000000..c8c700033e6 --- /dev/null +++ b/lib/unstable/Security/Signature/Exceptions/IdentityNotFoundException.php @@ -0,0 +1,15 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace NCU\Security\Signature\Exceptions; + +/** + * @experimental 31.0.0 + */ +class IdentityNotFoundException extends SignatureException { +} diff --git a/lib/unstable/Security/Signature/Exceptions/IncomingRequestException.php b/lib/unstable/Security/Signature/Exceptions/IncomingRequestException.php new file mode 100644 index 00000000000..c334090fdc3 --- /dev/null +++ b/lib/unstable/Security/Signature/Exceptions/IncomingRequestException.php @@ -0,0 +1,15 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature\Exceptions; + +/** + * @experimental 31.0.0 + */ +class IncomingRequestException extends SignatureException { +} diff --git a/lib/unstable/Security/Signature/Exceptions/InvalidKeyOriginException.php b/lib/unstable/Security/Signature/Exceptions/InvalidKeyOriginException.php new file mode 100644 index 00000000000..3d8fa78077f --- /dev/null +++ b/lib/unstable/Security/Signature/Exceptions/InvalidKeyOriginException.php @@ -0,0 +1,15 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature\Exceptions; + +/** + * @experimental 31.0.0 + */ +class InvalidKeyOriginException extends SignatureException { +} diff --git a/lib/unstable/Security/Signature/Exceptions/InvalidSignatureException.php b/lib/unstable/Security/Signature/Exceptions/InvalidSignatureException.php new file mode 100644 index 00000000000..351637ef201 --- /dev/null +++ b/lib/unstable/Security/Signature/Exceptions/InvalidSignatureException.php @@ -0,0 +1,15 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature\Exceptions; + +/** + * @experimental 31.0.0 + */ +class InvalidSignatureException extends SignatureException { +} diff --git a/lib/unstable/Security/Signature/Exceptions/SignatoryConflictException.php b/lib/unstable/Security/Signature/Exceptions/SignatoryConflictException.php new file mode 100644 index 00000000000..e078071e970 --- /dev/null +++ b/lib/unstable/Security/Signature/Exceptions/SignatoryConflictException.php @@ -0,0 +1,15 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace NCU\Security\Signature\Exceptions; + +/** + * @experimental 31.0.0 + */ +class SignatoryConflictException extends SignatoryException { +} diff --git a/lib/unstable/Security/Signature/Exceptions/SignatoryException.php b/lib/unstable/Security/Signature/Exceptions/SignatoryException.php new file mode 100644 index 00000000000..92409ab3d98 --- /dev/null +++ b/lib/unstable/Security/Signature/Exceptions/SignatoryException.php @@ -0,0 +1,15 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace NCU\Security\Signature\Exceptions; + +/** + * @experimental 31.0.0 + */ +class SignatoryException extends SignatureException { +} diff --git a/lib/unstable/Security/Signature/Exceptions/SignatoryNotFoundException.php b/lib/unstable/Security/Signature/Exceptions/SignatoryNotFoundException.php new file mode 100644 index 00000000000..0234b3e7d5c --- /dev/null +++ b/lib/unstable/Security/Signature/Exceptions/SignatoryNotFoundException.php @@ -0,0 +1,15 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace NCU\Security\Signature\Exceptions; + +/** + * @experimental 31.0.0 + */ +class SignatoryNotFoundException extends SignatoryException { +} diff --git a/lib/unstable/Security/Signature/Exceptions/SignatureElementNotFoundException.php b/lib/unstable/Security/Signature/Exceptions/SignatureElementNotFoundException.php new file mode 100644 index 00000000000..ca0fa1c2194 --- /dev/null +++ b/lib/unstable/Security/Signature/Exceptions/SignatureElementNotFoundException.php @@ -0,0 +1,15 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature\Exceptions; + +/** + * @experimental 31.0.0 + */ +class SignatureElementNotFoundException extends SignatureException { +} diff --git a/lib/unstable/Security/Signature/Exceptions/SignatureException.php b/lib/unstable/Security/Signature/Exceptions/SignatureException.php new file mode 100644 index 00000000000..12353a8e61b --- /dev/null +++ b/lib/unstable/Security/Signature/Exceptions/SignatureException.php @@ -0,0 +1,17 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace NCU\Security\Signature\Exceptions; + +use Exception; + +/** + * @experimental 31.0.0 + */ +class SignatureException extends Exception { +} diff --git a/lib/unstable/Security/Signature/Exceptions/SignatureNotFoundException.php b/lib/unstable/Security/Signature/Exceptions/SignatureNotFoundException.php new file mode 100644 index 00000000000..f015b07673b --- /dev/null +++ b/lib/unstable/Security/Signature/Exceptions/SignatureNotFoundException.php @@ -0,0 +1,15 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature\Exceptions; + +/** + * @experimental 31.0.0 + */ +class SignatureNotFoundException extends SignatureException { +} diff --git a/lib/unstable/Security/Signature/IIncomingSignedRequest.php b/lib/unstable/Security/Signature/IIncomingSignedRequest.php new file mode 100644 index 00000000000..5c06c41c394 --- /dev/null +++ b/lib/unstable/Security/Signature/IIncomingSignedRequest.php @@ -0,0 +1,66 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature; + +use NCU\Security\Signature\Exceptions\SignatoryNotFoundException; +use NCU\Security\Signature\Exceptions\SignatureElementNotFoundException; +use NCU\Security\Signature\Exceptions\SignatureException; +use OCP\IRequest; + +/** + * model wrapping an actual incoming request, adding details about the signature and the + * authenticity of the origin of the request. + * + * This interface must not be implemented in your application but + * instead obtained from {@see ISignatureManager::getIncomingSignedRequest}. + * + * ```php + * $signedRequest = $this->signatureManager->getIncomingSignedRequest($mySignatoryManager); + * ``` + * + * @see ISignatureManager for details on signature + * @experimental 31.0.0 + */ +interface IIncomingSignedRequest extends ISignedRequest { + /** + * returns the base IRequest + * + * @return IRequest + * @experimental 31.0.0 + */ + public function getRequest(): IRequest; + + /** + * get the hostname at the source of the base request. + * based on the keyId defined in the signature header. + * + * @return string + * @experimental 31.0.0 + */ + public function getOrigin(): string; + + /** + * returns the keyId extracted from the signature headers. + * keyId is a mandatory entry in the headers of a signed request. + * + * @return string + * @throws SignatureElementNotFoundException + * @experimental 31.0.0 + */ + public function getKeyId(): string; + + /** + * confirm the current signed request's identity is correct + * + * @throws SignatureException + * @throws SignatoryNotFoundException + * @experimental 31.0.0 + */ + public function verify(): void; +} diff --git a/lib/unstable/Security/Signature/IOutgoingSignedRequest.php b/lib/unstable/Security/Signature/IOutgoingSignedRequest.php new file mode 100644 index 00000000000..e9af12ea4b4 --- /dev/null +++ b/lib/unstable/Security/Signature/IOutgoingSignedRequest.php @@ -0,0 +1,112 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature; + +use NCU\Security\Signature\Enum\SignatureAlgorithm; +use NCU\Security\Signature\Exceptions\SignatoryException; +use NCU\Security\Signature\Exceptions\SignatoryNotFoundException; + +/** + * extends ISignedRequest to add info requested at the generation of the signature + * + * This interface must not be implemented in your application but + * instead obtained from {@see ISignatureManager::getIncomingSignedRequest}. + * + * ```php + * $signedRequest = $this->signatureManager->getIncomingSignedRequest($mySignatoryManager); + * ``` + * + * @see ISignatureManager for details on signature + * @experimental 31.0.0 + */ +interface IOutgoingSignedRequest extends ISignedRequest { + /** + * set the host of the recipient of the request. + * + * @param string $host + * @return self + * @experimental 31.0.0 + */ + public function setHost(string $host): self; + + /** + * get the host of the recipient of the request. + * - on incoming request, this is the local hostname of current instance. + * - on outgoing request, this is the remote instance. + * + * @return string + * @experimental 31.0.0 + */ + public function getHost(): string; + + /** + * add a key/value pair to the headers of the request + * + * @param string $key + * @param string|int|float $value + * + * @return self + * @experimental 31.0.0 + */ + public function addHeader(string $key, string|int|float $value): self; + + /** + * returns list of headers value that will be added to the base request + * + * @return array + * @experimental 31.0.0 + */ + public function getHeaders(): array; + + /** + * set the ordered list of used headers in the Signature + * + * @param list<string> $list + * + * @return self + * @experimental 31.0.0 + */ + public function setHeaderList(array $list): self; + + /** + * returns ordered list of used headers in the Signature + * + * @return list<string> + * @experimental 31.0.0 + */ + public function getHeaderList(): array; + + /** + * set algorithm to be used to sign the signature + * + * @param SignatureAlgorithm $algorithm + * + * @return self + * @experimental 31.0.0 + */ + public function setAlgorithm(SignatureAlgorithm $algorithm): self; + + /** + * returns the algorithm set to sign the signature + * + * @return SignatureAlgorithm + * @experimental 31.0.0 + */ + public function getAlgorithm(): SignatureAlgorithm; + + /** + * sign outgoing request providing a certificate that it emanate from this instance + * + * @return self + * @throws SignatoryException + * @throws SignatoryNotFoundException + * @experimental 31.0.0 + */ + public function sign(): self; +} diff --git a/lib/unstable/Security/Signature/ISignatoryManager.php b/lib/unstable/Security/Signature/ISignatoryManager.php new file mode 100644 index 00000000000..c16dace1bde --- /dev/null +++ b/lib/unstable/Security/Signature/ISignatoryManager.php @@ -0,0 +1,73 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature; + +use NCU\Security\Signature\Model\Signatory; + +/** + * ISignatoryManager contains a group of method that will help + * - signing outgoing request + * - confirm the authenticity of incoming signed request. + * + * This interface must be implemented to generate a `SignatoryManager` to + * be used with {@see ISignatureManager} + * + * @experimental 31.0.0 + */ +interface ISignatoryManager { + /** + * id of the signatory manager. + * This is used to store, confirm uniqueness and avoid conflict of the remote key pairs. + * + * Must be unique. + * + * @return string + * @experimental 31.0.0 + */ + public function getProviderId(): string; + + /** + * options that might affect the way the whole process is handled: + * [ + * 'bodyMaxSize' => 10000, + * 'ttl' => 300, + * 'ttlSignatory' => 86400*3, + * 'extraSignatureHeaders' => [], + * 'algorithm' => 'sha256', + * 'dateHeader' => "D, d M Y H:i:s T", + * ] + * + * @return array + * @experimental 31.0.0 + */ + public function getOptions(): array; + + /** + * generate and returns local signatory including private and public key pair. + * + * Used to sign outgoing request + * + * @return Signatory + * @experimental 31.0.0 + */ + public function getLocalSignatory(): Signatory; + + /** + * retrieve details and generate signatory from remote instance. + * If signatory cannot be found, returns NULL. + * + * Used to confirm authenticity of incoming request. + * + * @param string $remote + * + * @return Signatory|null must be NULL if no signatory is found + * @experimental 31.0.0 + */ + public function getRemoteSignatory(string $remote): ?Signatory; +} diff --git a/lib/unstable/Security/Signature/ISignatureManager.php b/lib/unstable/Security/Signature/ISignatureManager.php new file mode 100644 index 00000000000..655454f67e7 --- /dev/null +++ b/lib/unstable/Security/Signature/ISignatureManager.php @@ -0,0 +1,136 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature; + +use NCU\Security\Signature\Exceptions\IdentityNotFoundException; +use NCU\Security\Signature\Exceptions\IncomingRequestException; +use NCU\Security\Signature\Exceptions\SignatoryNotFoundException; +use NCU\Security\Signature\Exceptions\SignatureException; +use NCU\Security\Signature\Exceptions\SignatureNotFoundException; +use NCU\Security\Signature\Model\Signatory; + +/** + * ISignatureManager is a service integrated to core that provide tools + * to set/get authenticity of/from outgoing/incoming request. + * + * Quick description of the signature, added to the headers + * { + * "(request-target)": "post /path", + * "content-length": 385, + * "date": "Mon, 08 Jul 2024 14:16:20 GMT", + * "digest": "SHA-256=U7gNVUQiixe5BRbp4Tg0xCZMTcSWXXUZI2\\/xtHM40S0=", + * "host": "hostname.of.the.recipient", + * "Signature": "keyId=\"https://author.hostname/key\",algorithm=\"sha256\",headers=\"content-length date digest host\",signature=\"DzN12OCS1rsA[...]o0VmxjQooRo6HHabg==\"" + * } + * + * 'content-length' is the total length of the data/content + * 'date' is the datetime the request have been initiated + * 'digest' is a checksum of the data/content + * 'host' is the hostname of the recipient of the request (remote when signing outgoing request, local on incoming request) + * 'Signature' contains the signature generated using the private key, and metadata: + * - 'keyId' is a unique id, formatted as an url. hostname is used to retrieve the public key via custom discovery + * - 'algorithm' define the algorithm used to generate signature + * - 'headers' contains a list of element used during the generation of the signature + * - 'signature' is the encrypted string, using local private key, of an array containing elements + * listed in 'headers' and their value. Some elements (content-length date digest host) are mandatory + * to ensure authenticity override protection. + * + * This interface can be used to inject {@see SignatureManager} in your code: + * + * ```php + * public function __construct( + * private ISignatureManager $signatureManager, + * ) {} + * ``` + * + * instead obtained from {@see ISignatureManager::getIncomingSignedRequest}. + * + * @experimental 31.0.0 + */ +interface ISignatureManager { + /** + * Extracting data from headers and body from the incoming request. + * Compare headers and body to confirm authenticity of remote instance. + * Returns details about the signed request or throws exception. + * + * Should be called from Controller. + * + * @param ISignatoryManager $signatoryManager used to get details about remote instance + * @param string|null $body if NULL, body will be extracted from php://input + * + * @return IIncomingSignedRequest + * @throws IncomingRequestException if anything looks wrong with the incoming request + * @throws SignatureNotFoundException if incoming request is not signed + * @throws SignatureException if signature could not be confirmed + * @experimental 31.0.0 + */ + public function getIncomingSignedRequest(ISignatoryManager $signatoryManager, ?string $body = null): IIncomingSignedRequest; + + /** + * Preparing signature (and headers) to sign an outgoing request. + * Returns a IOutgoingSignedRequest containing all details to finalise the packaging of the whole payload + * + * @param ISignatoryManager $signatoryManager + * @param string $content body to be signed + * @param string $method needed in the signature + * @param string $uri needed in the signature + * + * @return IOutgoingSignedRequest + * @experimental 31.0.0 + */ + public function getOutgoingSignedRequest(ISignatoryManager $signatoryManager, string $content, string $method, string $uri): IOutgoingSignedRequest; + + /** + * Complete the full process of signing and filling headers from payload when generating + * an outgoing request with IClient + * + * @param ISignatoryManager $signatoryManager + * @param array $payload original payload, will be used to sign and completed with new headers with signature elements + * @param string $method needed in the signature + * @param string $uri needed in the signature + * + * @return array new payload to be sent, including original payload and signature elements in headers + * @experimental 31.0.0 + */ + public function signOutgoingRequestIClientPayload(ISignatoryManager $signatoryManager, array $payload, string $method, string $uri): array; + + /** + * returns remote signatory stored in local database, based on the remote host. + * + * @param string $host remote host + * @param string $account linked account, should be used when multiple signature can exist for the same host + * + * @return Signatory + * @throws SignatoryNotFoundException if entry does not exist in local database + * @experimental 31.0.0 + */ + public function getSignatory(string $host, string $account = ''): Signatory; + + /** + * returns a fully formatted keyId, based on a fix hostname and path + * + * @param string $path + * + * @return string + * @throws IdentityNotFoundException if hostname is not set + * @experimental 31.0.0 + */ + public function generateKeyIdFromConfig(string $path): string; + + /** + * returns hostname:port extracted from an uri + * + * @param string $uri + * + * @return string + * @throws IdentityNotFoundException if identity cannot be extracted + * @experimental 31.0.0 + */ + public function extractIdentityFromUri(string $uri): string; +} diff --git a/lib/unstable/Security/Signature/ISignedRequest.php b/lib/unstable/Security/Signature/ISignedRequest.php new file mode 100644 index 00000000000..6bf5e7e7dbc --- /dev/null +++ b/lib/unstable/Security/Signature/ISignedRequest.php @@ -0,0 +1,121 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature; + +use NCU\Security\Signature\Enum\DigestAlgorithm; +use NCU\Security\Signature\Exceptions\SignatoryNotFoundException; +use NCU\Security\Signature\Exceptions\SignatureElementNotFoundException; +use NCU\Security\Signature\Model\Signatory; + +/** + * model that store data related to a possible signature. + * those details will be used: + * - to confirm authenticity of a signed incoming request + * - to sign an outgoing request + * + * This interface must not be implemented in your application: + * @see IIncomingSignedRequest + * @see IOutgoingSignedRequest + * + * @experimental 31.0.0 + */ +interface ISignedRequest { + /** + * payload of the request + * + * @return string + * @experimental 31.0.0 + */ + public function getBody(): string; + + /** + * get algorithm used to generate digest + * + * @return DigestAlgorithm + * @experimental 31.0.0 + */ + public function getDigestAlgorithm(): DigestAlgorithm; + + /** + * checksum of the payload of the request + * + * @return string + * @experimental 31.0.0 + */ + public function getDigest(): string; + + /** + * set the list of headers related to the signature of the request + * + * @param array $elements + * + * @return self + * @experimental 31.0.0 + */ + public function setSigningElements(array $elements): self; + + /** + * get the list of elements in the Signature header of the request + * + * @return array + * @experimental 31.0.0 + */ + public function getSigningElements(): array; + + /** + * @param string $key + * + * @return string + * @throws SignatureElementNotFoundException + * @experimental 31.0.0 + */ + public function getSigningElement(string $key): string; + + /** + * returns data used to generate signature + * + * @return array + * @experimental 31.0.0 + */ + public function getSignatureData(): array; + + /** + * get the signed version of the signature + * + * @return string + * @experimental 31.0.0 + */ + public function getSignature(): string; + + /** + * set the signatory, containing keys and details, related to this request + * + * @param Signatory $signatory + * @return self + * @experimental 31.0.0 + */ + public function setSignatory(Signatory $signatory): self; + + /** + * get the signatory, containing keys and details, related to this request + * + * @return Signatory + * @throws SignatoryNotFoundException + * @experimental 31.0.0 + */ + public function getSignatory(): Signatory; + + /** + * returns if a signatory related to this request have been found and defined + * + * @return bool + * @experimental 31.0.0 + */ + public function hasSignatory(): bool; +} diff --git a/lib/unstable/Security/Signature/Model/Signatory.php b/lib/unstable/Security/Signature/Model/Signatory.php new file mode 100644 index 00000000000..6bd50bb1098 --- /dev/null +++ b/lib/unstable/Security/Signature/Model/Signatory.php @@ -0,0 +1,200 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace NCU\Security\Signature\Model; + +use JsonSerializable; +use NCU\Security\Signature\Enum\SignatoryStatus; +use NCU\Security\Signature\Enum\SignatoryType; +use NCU\Security\Signature\Exceptions\IdentityNotFoundException; +use OCP\AppFramework\Db\Entity; + +/** + * model that store keys and details related to host and in use protocol + * mandatory details are providerId, host, keyId and public key. + * private key is only used for local signatory, used to sign outgoing request + * + * the pair providerId+host is unique, meaning only one signatory can exist for each host + * and protocol + * + * @experimental 31.0.0 + * + * @method void setProviderId(string $providerId) + * @method string getProviderId() + * @method string getKeyId() + * @method void setKeyIdSum(string $keyIdSum) + * @method string getKeyIdSum() + * @method void setPublicKey(string $publicKey) + * @method string getPublicKey() + * @method void setPrivateKey(string $privateKey) + * @method string getPrivateKey() + * @method void setHost(string $host) + * @method string getHost() + * @method int getType() + * @method void setType(int $type) + * @method int getStatus() + * @method void setStatus(int $status) + * @method void setAccount(?string $account) + * @method void setMetadata(array $metadata) + * @method ?array getMetadata() + * @method void setCreation(int $creation) + * @method int getCreation() + * @method void setLastUpdated(int $creation) + * @method int getLastUpdated() + * @psalm-suppress PropertyNotSetInConstructor + */ +class Signatory extends Entity implements JsonSerializable { + protected string $keyId = ''; + protected string $keyIdSum = ''; + protected string $providerId = ''; + protected string $host = ''; + protected string $publicKey = ''; + protected string $privateKey = ''; + protected ?string $account = ''; + protected int $type = 9; + protected int $status = 1; + protected ?array $metadata = null; + protected int $creation = 0; + protected int $lastUpdated = 0; + + /** + * @param bool $local only set to TRUE when managing local signatory + * + * @experimental 31.0.0 + */ + public function __construct( + private readonly bool $local = false, + ) { + $this->addType('providerId', 'string'); + $this->addType('host', 'string'); + $this->addType('account', 'string'); + $this->addType('keyId', 'string'); + $this->addType('keyIdSum', 'string'); + $this->addType('publicKey', 'string'); + $this->addType('metadata', 'json'); + $this->addType('type', 'integer'); + $this->addType('status', 'integer'); + $this->addType('creation', 'integer'); + $this->addType('lastUpdated', 'integer'); + } + + /** + * @param string $keyId + * + * @experimental 31.0.0 + * @throws IdentityNotFoundException if identity cannot be extracted from keyId + */ + public function setKeyId(string $keyId): void { + // if set as local (for current instance), we apply some filters. + if ($this->local) { + // to avoid conflict with duplicate key pairs (ie generated url from the occ command), we enforce https as prefix + if (str_starts_with($keyId, 'http://')) { + $keyId = 'https://' . substr($keyId, 7); + } + + // removing /index.php from generated url + $path = parse_url($keyId, PHP_URL_PATH); + if (str_starts_with($path, '/index.php/')) { + $pos = strpos($keyId, '/index.php'); + if ($pos !== false) { + $keyId = substr_replace($keyId, '', $pos, 10); + } + } + } + $this->setter('keyId', [$keyId]); // needed to trigger the update in database + $this->setKeyIdSum(hash('sha256', $keyId)); + + $this->setHost(self::extractIdentityFromUri($this->getKeyId())); + } + + /** + * @param SignatoryType $type + * @experimental 31.0.0 + */ + public function setSignatoryType(SignatoryType $type): void { + $this->setType($type->value); + } + + /** + * @return SignatoryType + * @experimental 31.0.0 + */ + public function getSignatoryType(): SignatoryType { + return SignatoryType::from($this->getType()); + } + + /** + * @param SignatoryStatus $status + * @experimental 31.0.0 + */ + public function setSignatoryStatus(SignatoryStatus $status): void { + $this->setStatus($status->value); + } + + /** + * @return SignatoryStatus + * @experimental 31.0.0 + */ + public function getSignatoryStatus(): SignatoryStatus { + return SignatoryStatus::from($this->getStatus()); + } + + /** + * @experimental 31.0.0 + */ + public function getAccount(): string { + return $this->account ?? ''; + } + + /** + * update an entry in metadata + * + * @param string $key + * @param string|int|float|bool|array $value + * @experimental 31.0.0 + */ + public function setMetaValue(string $key, string|int|float|bool|array $value): void { + $this->metadata[$key] = $value; + $this->setter('metadata', [$this->metadata]); + } + + /** + * @return array + * @experimental 31.0.0 + */ + public function jsonSerialize(): array { + return [ + 'keyId' => $this->getKeyId(), + 'publicKeyPem' => $this->getPublicKey() + ]; + } + + /** + * static is needed to make this easily callable from outside the model + * + * @param string $uri + * + * @return string + * @throws IdentityNotFoundException if identity cannot be extracted + * @experimental 31.0.0 + */ + public static function extractIdentityFromUri(string $uri): string { + $identity = parse_url($uri, PHP_URL_HOST); + $port = parse_url($uri, PHP_URL_PORT); + if ($identity === null || $identity === false) { + throw new IdentityNotFoundException('cannot extract identity from ' . $uri); + } + + if ($port !== null && $port !== false) { + $identity .= ':' . $port; + } + + return $identity; + } + +} |