nextcloud/tests/lib/OCM/Rfc9421SignatoryManagerTest.php

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace Test\OCM;

use Firebase\JWT\Key;
use OC\OCM\OCMSignatoryManager;
use OC\OCM\Rfc9421SignatoryManager;
use OCP\Security\Signature\Exceptions\IdentityNotFoundException;
use OCP\Security\Signature\Model\Signatory;
use PHPUnit\Framework\MockObject\MockObject;
use Test\TestCase;

class Rfc9421SignatoryManagerTest extends TestCase {
	private OCMSignatoryManager&MockObject $delegate;
	private Rfc9421SignatoryManager $wrapper;

	#[\Override]
	protected function setUp(): void {
		parent::setUp();
		$this->delegate = $this->createMock(OCMSignatoryManager::class);
		$this->wrapper = new Rfc9421SignatoryManager($this->delegate);
	}

	public function testGetOptionsForcesRfc9421Format(): void {
		$this->delegate->method('getOptions')->willReturn([
			'algorithm' => 'rsa-sha512',
			'rfc9421.format' => false,
		]);

		$options = $this->wrapper->getOptions();
		$this->assertTrue($options['rfc9421.format']);
		$this->assertSame('rsa-sha512', $options['algorithm']);
	}

	public function testGetLocalSignatoryReturnsJwksKey(): void {
		$signatory = $this->createMock(Signatory::class);
		$this->delegate->method('getLocalJwksSignatory')->willReturn($signatory);

		$this->assertSame($signatory, $this->wrapper->getLocalSignatory());
	}

	public function testGetLocalSignatoryThrowsWhenJwksKeyUnavailable(): void {
		$this->delegate->method('getLocalJwksSignatory')->willReturn(null);

		$this->expectException(IdentityNotFoundException::class);
		$this->wrapper->getLocalSignatory();
	}

	public function testProviderIdDelegated(): void {
		$this->delegate->method('getProviderId')->willReturn('ocm');
		$this->assertSame('ocm', $this->wrapper->getProviderId());
	}

	public function testRemoteSignatoryDelegated(): void {
		$signatory = $this->createMock(Signatory::class);
		$this->delegate->expects($this->once())
			->method('getRemoteSignatory')
			->with('sender.example.org')
			->willReturn($signatory);
		$this->assertSame($signatory, $this->wrapper->getRemoteSignatory('sender.example.org'));
	}

	public function testRemoteKeyDelegated(): void {
		$key = $this->createMock(Key::class);
		$this->delegate->expects($this->once())
			->method('getRemoteKey')
			->with('sender.example.org', 'kid-1')
			->willReturn($key);
		$this->assertSame($key, $this->wrapper->getRemoteKey('sender.example.org', 'kid-1'));
	}
}
feat(http-sig): OCM Ed25519 keys, JWKS endpoint, http-sig capability OCM dual-stack integration of RFC 9421 alongside the existing cavage publicKey path: - OCMSignatoryManager: Ed25519 active/pending/retiring slot rotation backed by numbered pool appkeys, getRemoteKey for inbound JWK lookup with per-origin cache + cache-miss refetch, and getLocalEd25519Jwks for the JWKS endpoint. - Rfc9421SignatoryManager: per-call wrapper that swaps in the Ed25519 signatory and toggles `rfc9421.format`. - OCMJwksHandler: serves /.well-known/jwks.json (RFC 7517) when signing is enabled. - OCMDiscoveryService: advertises `http-sig` in capabilities when signing is enabled, and picks the signature scheme on outbound based on the remote's advertised capabilities. - Application.php: register the JWKS well-known handler. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-05 10:29:45 -04:00			`<?php`

			`declare(strict_types=1);`

			`/**`
			`* SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-License-Identifier: AGPL-3.0-or-later`
			`*/`

			`namespace Test\OCM;`

			`use Firebase\JWT\Key;`
			`use OC\OCM\OCMSignatoryManager;`
			`use OC\OCM\Rfc9421SignatoryManager;`
			`use OCP\Security\Signature\Exceptions\IdentityNotFoundException;`
			`use OCP\Security\Signature\Model\Signatory;`
			`use PHPUnit\Framework\MockObject\MockObject;`
			`use Test\TestCase;`

			`class Rfc9421SignatoryManagerTest extends TestCase {`
			`private OCMSignatoryManager&MockObject $delegate;`
			`private Rfc9421SignatoryManager $wrapper;`

			`#[\Override]`
			`protected function setUp(): void {`
			`parent::setUp();`
			`$this->delegate = $this->createMock(OCMSignatoryManager::class);`
			`$this->wrapper = new Rfc9421SignatoryManager($this->delegate);`
			`}`

			`public function testGetOptionsForcesRfc9421Format(): void {`
			`$this->delegate->method('getOptions')->willReturn([`
			`'algorithm' => 'rsa-sha512',`
			`'rfc9421.format' => false,`
			`]);`

			`$options = $this->wrapper->getOptions();`
			`$this->assertTrue($options['rfc9421.format']);`
			`$this->assertSame('rsa-sha512', $options['algorithm']);`
			`}`

fix: Make sodium optional This commit switches the default signature algorithm to ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium optional again, and we only pull it in to use it for verifying incomming signatures. If sodium is not installed, we throw on Ed25519 signatures instead. At least it is easy for most people to make their Nextcloud install fully RFC compliant by installing sodium. I also renamed all the Ed25519 function names to be more precis, using Jwks for the JSON Web Keys, and RFC9421 for the http-signature code, where it is needed to distinguish from draft-cavage signatures. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-11 10:13:13 -04:00			`public function testGetLocalSignatoryReturnsJwksKey(): void {`
feat(http-sig): OCM Ed25519 keys, JWKS endpoint, http-sig capability OCM dual-stack integration of RFC 9421 alongside the existing cavage publicKey path: - OCMSignatoryManager: Ed25519 active/pending/retiring slot rotation backed by numbered pool appkeys, getRemoteKey for inbound JWK lookup with per-origin cache + cache-miss refetch, and getLocalEd25519Jwks for the JWKS endpoint. - Rfc9421SignatoryManager: per-call wrapper that swaps in the Ed25519 signatory and toggles `rfc9421.format`. - OCMJwksHandler: serves /.well-known/jwks.json (RFC 7517) when signing is enabled. - OCMDiscoveryService: advertises `http-sig` in capabilities when signing is enabled, and picks the signature scheme on outbound based on the remote's advertised capabilities. - Application.php: register the JWKS well-known handler. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-05 10:29:45 -04:00			`$signatory = $this->createMock(Signatory::class);`
fix: Make sodium optional This commit switches the default signature algorithm to ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium optional again, and we only pull it in to use it for verifying incomming signatures. If sodium is not installed, we throw on Ed25519 signatures instead. At least it is easy for most people to make their Nextcloud install fully RFC compliant by installing sodium. I also renamed all the Ed25519 function names to be more precis, using Jwks for the JSON Web Keys, and RFC9421 for the http-signature code, where it is needed to distinguish from draft-cavage signatures. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-11 10:13:13 -04:00			`$this->delegate->method('getLocalJwksSignatory')->willReturn($signatory);`
feat(http-sig): OCM Ed25519 keys, JWKS endpoint, http-sig capability OCM dual-stack integration of RFC 9421 alongside the existing cavage publicKey path: - OCMSignatoryManager: Ed25519 active/pending/retiring slot rotation backed by numbered pool appkeys, getRemoteKey for inbound JWK lookup with per-origin cache + cache-miss refetch, and getLocalEd25519Jwks for the JWKS endpoint. - Rfc9421SignatoryManager: per-call wrapper that swaps in the Ed25519 signatory and toggles `rfc9421.format`. - OCMJwksHandler: serves /.well-known/jwks.json (RFC 7517) when signing is enabled. - OCMDiscoveryService: advertises `http-sig` in capabilities when signing is enabled, and picks the signature scheme on outbound based on the remote's advertised capabilities. - Application.php: register the JWKS well-known handler. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-05 10:29:45 -04:00
			`$this->assertSame($signatory, $this->wrapper->getLocalSignatory());`
			`}`

fix: Make sodium optional This commit switches the default signature algorithm to ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium optional again, and we only pull it in to use it for verifying incomming signatures. If sodium is not installed, we throw on Ed25519 signatures instead. At least it is easy for most people to make their Nextcloud install fully RFC compliant by installing sodium. I also renamed all the Ed25519 function names to be more precis, using Jwks for the JSON Web Keys, and RFC9421 for the http-signature code, where it is needed to distinguish from draft-cavage signatures. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-11 10:13:13 -04:00			`public function testGetLocalSignatoryThrowsWhenJwksKeyUnavailable(): void {`
			`$this->delegate->method('getLocalJwksSignatory')->willReturn(null);`
feat(http-sig): OCM Ed25519 keys, JWKS endpoint, http-sig capability OCM dual-stack integration of RFC 9421 alongside the existing cavage publicKey path: - OCMSignatoryManager: Ed25519 active/pending/retiring slot rotation backed by numbered pool appkeys, getRemoteKey for inbound JWK lookup with per-origin cache + cache-miss refetch, and getLocalEd25519Jwks for the JWKS endpoint. - Rfc9421SignatoryManager: per-call wrapper that swaps in the Ed25519 signatory and toggles `rfc9421.format`. - OCMJwksHandler: serves /.well-known/jwks.json (RFC 7517) when signing is enabled. - OCMDiscoveryService: advertises `http-sig` in capabilities when signing is enabled, and picks the signature scheme on outbound based on the remote's advertised capabilities. - Application.php: register the JWKS well-known handler. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-05 10:29:45 -04:00
			`$this->expectException(IdentityNotFoundException::class);`
			`$this->wrapper->getLocalSignatory();`
			`}`

			`public function testProviderIdDelegated(): void {`
			`$this->delegate->method('getProviderId')->willReturn('ocm');`
			`$this->assertSame('ocm', $this->wrapper->getProviderId());`
			`}`

			`public function testRemoteSignatoryDelegated(): void {`
			`$signatory = $this->createMock(Signatory::class);`
			`$this->delegate->expects($this->once())`
			`->method('getRemoteSignatory')`
			`->with('sender.example.org')`
			`->willReturn($signatory);`
			`$this->assertSame($signatory, $this->wrapper->getRemoteSignatory('sender.example.org'));`
			`}`

			`public function testRemoteKeyDelegated(): void {`
			`$key = $this->createMock(Key::class);`
			`$this->delegate->expects($this->once())`
			`->method('getRemoteKey')`
			`->with('sender.example.org', 'kid-1')`
			`->willReturn($key);`
			`$this->assertSame($key, $this->wrapper->getRemoteKey('sender.example.org', 'kid-1'));`
			`}`
			`}`