mirror of
https://github.com/nextcloud/server.git
synced 2026-06-13 18:50:47 -04:00
3b5107bc96
OCM dual-stack integration of RFC 9421 alongside the existing cavage publicKey path: - OCMSignatoryManager: Ed25519 active/pending/retiring slot rotation backed by numbered pool appkeys, getRemoteKey for inbound JWK lookup with per-origin cache + cache-miss refetch, and getLocalEd25519Jwks for the JWKS endpoint. - Rfc9421SignatoryManager: per-call wrapper that swaps in the Ed25519 signatory and toggles `rfc9421.format`. - OCMJwksHandler: serves /.well-known/jwks.json (RFC 7517) when signing is enabled. - OCMDiscoveryService: advertises `http-sig` in capabilities when signing is enabled, and picks the signature scheme on outbound based on the remote's advertised capabilities. - Application.php: register the JWKS well-known handler. Signed-off-by: Micke Nordin <kano@sunet.se>
177 lines
6.4 KiB
PHP
177 lines
6.4 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
/**
|
|
* SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
|
|
* SPDX-License-Identifier: AGPL-3.0-or-later
|
|
*/
|
|
|
|
namespace Test\OCM;
|
|
|
|
use OC\OCM\OCMSignatoryManager;
|
|
use OC\Security\IdentityProof\Manager as IdentityProofManager;
|
|
use OCP\Http\Client\IClient;
|
|
use OCP\Http\Client\IClientService;
|
|
use OCP\Http\Client\IResponse;
|
|
use OCP\IAppConfig;
|
|
use OCP\ICacheFactory;
|
|
use OCP\IConfig;
|
|
use OCP\IURLGenerator;
|
|
use OCP\Security\Signature\ISignatureManager;
|
|
use PHPUnit\Framework\MockObject\MockObject;
|
|
use Psr\Log\LoggerInterface;
|
|
use Test\TestCase;
|
|
|
|
class OCMSignatoryManagerJwksTest extends TestCase {
|
|
private IAppConfig&MockObject $appConfig;
|
|
private ISignatureManager&MockObject $signatureManager;
|
|
private IURLGenerator&MockObject $urlGenerator;
|
|
private IdentityProofManager&MockObject $identityProofManager;
|
|
private IClientService&MockObject $clientService;
|
|
private IConfig&MockObject $config;
|
|
private LoggerInterface&MockObject $logger;
|
|
private IClient&MockObject $client;
|
|
private OCMSignatoryManager $signatoryManager;
|
|
|
|
#[\Override]
|
|
protected function setUp(): void {
|
|
parent::setUp();
|
|
|
|
$this->appConfig = $this->createMock(IAppConfig::class);
|
|
$this->signatureManager = $this->createMock(ISignatureManager::class);
|
|
$this->urlGenerator = $this->createMock(IURLGenerator::class);
|
|
$this->identityProofManager = $this->createMock(IdentityProofManager::class);
|
|
$this->clientService = $this->createMock(IClientService::class);
|
|
$this->config = $this->createMock(IConfig::class);
|
|
$this->logger = $this->createMock(LoggerInterface::class);
|
|
$this->client = $this->createMock(IClient::class);
|
|
|
|
$this->clientService->method('newClient')->willReturn($this->client);
|
|
|
|
$cacheFactory = $this->createMock(ICacheFactory::class);
|
|
$cacheFactory->method('createDistributed')->willReturn(new \OC\Memcache\ArrayCache(''));
|
|
|
|
$this->signatoryManager = new OCMSignatoryManager(
|
|
$this->appConfig,
|
|
$this->signatureManager,
|
|
$this->urlGenerator,
|
|
$this->identityProofManager,
|
|
$this->clientService,
|
|
$this->config,
|
|
$cacheFactory,
|
|
$this->logger,
|
|
);
|
|
}
|
|
|
|
public function testGetRemoteKeyFetchesAndMatchesByKid(): void {
|
|
$kid = 'sender.example.org#key1';
|
|
$jwks = [
|
|
'keys' => [
|
|
['kty' => 'OKP', 'crv' => 'Ed25519', 'kid' => 'other', 'x' => 'AAAA'],
|
|
['kty' => 'OKP', 'crv' => 'Ed25519', 'kid' => $kid, 'x' => 'BBBB'],
|
|
],
|
|
];
|
|
$this->respondWith($jwks);
|
|
|
|
$key = $this->signatoryManager->getRemoteKey('sender.example.org', $kid);
|
|
$this->assertNotNull($key);
|
|
$this->assertSame('EdDSA', $key->getAlgorithm());
|
|
// Key stores OKP material as plain base64 of the raw bytes.
|
|
$this->assertSame('BBBB', $key->getKeyMaterial());
|
|
}
|
|
|
|
public function testGetRemoteKeyReturnsNullWhenKidMissing(): void {
|
|
$this->respondWith(['keys' => [['kty' => 'OKP', 'crv' => 'Ed25519', 'kid' => 'unrelated', 'x' => 'AAAA']]]);
|
|
$this->assertNull($this->signatoryManager->getRemoteKey('sender.example.org', 'other-kid'));
|
|
}
|
|
|
|
public function testGetRemoteKeyReturnsNullOnHttpError(): void {
|
|
$this->client->method('get')->willThrowException(new \RuntimeException('boom'));
|
|
$this->logger->expects($this->once())->method('warning');
|
|
$this->assertNull($this->signatoryManager->getRemoteKey('sender.example.org', 'kid'));
|
|
}
|
|
|
|
public function testGetRemoteKeyReturnsNullOnInvalidJson(): void {
|
|
$response = $this->createMock(IResponse::class);
|
|
$response->method('getBody')->willReturn('not json');
|
|
$this->client->method('get')->willReturn($response);
|
|
$this->logger->expects($this->once())->method('warning');
|
|
$this->assertNull($this->signatoryManager->getRemoteKey('sender.example.org', 'kid'));
|
|
}
|
|
|
|
public function testGetRemoteKeyReturnsNullWhenKeysMissing(): void {
|
|
$this->respondWith(['no-keys-here' => []]);
|
|
$this->assertNull($this->signatoryManager->getRemoteKey('sender.example.org', 'kid'));
|
|
}
|
|
|
|
public function testGetRemoteKeyReturnsNullOnUnparseableJwk(): void {
|
|
// JWK with kty=OKP but no crv: parseKey rejects.
|
|
$this->respondWith(['keys' => [['kty' => 'OKP', 'kid' => 'kid', 'x' => 'AAAA']]]);
|
|
$this->logger->expects($this->once())->method('warning');
|
|
$this->assertNull($this->signatoryManager->getRemoteKey('sender.example.org', 'kid'));
|
|
}
|
|
|
|
public function testGetRemoteKeyUsesWellKnownPath(): void {
|
|
$this->client->expects($this->once())
|
|
->method('get')
|
|
->with(
|
|
$this->equalTo('https://sender.example.org/.well-known/jwks.json'),
|
|
$this->isType('array'),
|
|
)
|
|
->willReturn($this->jsonResponse(['keys' => []]));
|
|
|
|
$this->signatoryManager->getRemoteKey('sender.example.org', 'kid');
|
|
}
|
|
|
|
public function testGetRemoteKeyPassesSelfSignedFlagThrough(): void {
|
|
$this->config->method('getSystemValueBool')
|
|
->with('sharing.federation.allowSelfSignedCertificates')
|
|
->willReturn(true);
|
|
|
|
$this->client->expects($this->once())
|
|
->method('get')
|
|
->with(
|
|
$this->anything(),
|
|
$this->callback(static fn (array $opts): bool => ($opts['verify'] ?? null) === false),
|
|
)
|
|
->willReturn($this->jsonResponse(['keys' => []]));
|
|
|
|
$this->signatoryManager->getRemoteKey('sender.example.org', 'kid');
|
|
}
|
|
|
|
public function testJwksCachedAcrossCallsToTheSameOrigin(): void {
|
|
$kid = 'sender.example.org#key1';
|
|
$jwks = ['keys' => [['kty' => 'OKP', 'crv' => 'Ed25519', 'kid' => $kid, 'x' => 'AAAA']]];
|
|
$this->client->expects($this->once())
|
|
->method('get')
|
|
->willReturn($this->jsonResponse($jwks));
|
|
|
|
$this->assertNotNull($this->signatoryManager->getRemoteKey('sender.example.org', $kid));
|
|
$this->assertNotNull($this->signatoryManager->getRemoteKey('sender.example.org', $kid));
|
|
}
|
|
|
|
public function testCacheMissOnNewKidTriggersRefetchOnce(): void {
|
|
$first = ['keys' => [['kty' => 'OKP', 'crv' => 'Ed25519', 'kid' => 'old', 'x' => 'AAAA']]];
|
|
$second = ['keys' => [['kty' => 'OKP', 'crv' => 'Ed25519', 'kid' => 'new', 'x' => 'BBBB']]];
|
|
$this->client->expects($this->exactly(2))
|
|
->method('get')
|
|
->willReturnOnConsecutiveCalls(
|
|
$this->jsonResponse($first),
|
|
$this->jsonResponse($second),
|
|
);
|
|
|
|
$this->assertNotNull($this->signatoryManager->getRemoteKey('sender.example.org', 'old'));
|
|
$this->assertNotNull($this->signatoryManager->getRemoteKey('sender.example.org', 'new'));
|
|
}
|
|
|
|
private function respondWith(array $body): void {
|
|
$this->client->method('get')->willReturn($this->jsonResponse($body));
|
|
}
|
|
|
|
private function jsonResponse(array $body): IResponse {
|
|
$response = $this->createMock(IResponse::class);
|
|
$response->method('getBody')->willReturn(json_encode($body, JSON_THROW_ON_ERROR));
|
|
return $response;
|
|
}
|
|
}
|