secureRandom = $secureRandom; $this->jobList = $jobList; $this->trustedServers = $trustedServers; $this->dbHandler = $dbHandler; $this->logger = $logger; $this->timeFactory = $timeFactory; $this->throttler = $throttler; } /** * Request received to ask remote server for a shared secret, for legacy end-points * * @NoCSRFRequired * @PublicPage * @BruteForceProtection(action=federationSharedSecret) * * @param string $url URL of the server * @param string $token Token of the server * @return DataResponse, array{}> * @throws OCSForbiddenException Requesting shared secret is not allowed * * 200: Shared secret requested successfully */ public function requestSharedSecretLegacy(string $url, string $token): DataResponse { return $this->requestSharedSecret($url, $token); } /** * Create shared secret and return it, for legacy end-points * * @NoCSRFRequired * @PublicPage * @BruteForceProtection(action=federationSharedSecret) * * @param string $url URL of the server * @param string $token Token of the server * @return DataResponse * @throws OCSForbiddenException Getting shared secret is not allowed * * 200: Shared secret returned */ public function getSharedSecretLegacy(string $url, string $token): DataResponse { return $this->getSharedSecret($url, $token); } /** * Request received to ask remote server for a shared secret * * @NoCSRFRequired * @PublicPage * @BruteForceProtection(action=federationSharedSecret) * * @param string $url URL of the server * @param string $token Token of the server * @return DataResponse, array{}> * @throws OCSForbiddenException Requesting shared secret is not allowed * * 200: Shared secret requested successfully */ public function requestSharedSecret(string $url, string $token): DataResponse { if ($this->trustedServers->isTrustedServer($url) === false) { $this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress()); $this->logger->error('remote server not trusted (' . $url . ') while requesting shared secret', ['app' => 'federation']); throw new OCSForbiddenException(); } // if both server initiated the exchange of the shared secret the greater // token wins $localToken = $this->dbHandler->getToken($url); if (strcmp($localToken, $token) > 0) { $this->logger->info( 'remote server (' . $url . ') presented lower token. We will initiate the exchange of the shared secret.', ['app' => 'federation'] ); throw new OCSForbiddenException(); } $this->jobList->add( 'OCA\Federation\BackgroundJob\GetSharedSecret', [ 'url' => $url, 'token' => $token, 'created' => $this->timeFactory->getTime() ] ); return new DataResponse(); } /** * Create shared secret and return it * * @NoCSRFRequired * @PublicPage * @BruteForceProtection(action=federationSharedSecret) * * @param string $url URL of the server * @param string $token Token of the server * @return DataResponse * @throws OCSForbiddenException Getting shared secret is not allowed * * 200: Shared secret returned */ public function getSharedSecret(string $url, string $token): DataResponse { if ($this->trustedServers->isTrustedServer($url) === false) { $this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress()); $this->logger->error('remote server not trusted (' . $url . ') while getting shared secret', ['app' => 'federation']); throw new OCSForbiddenException(); } if ($this->isValidToken($url, $token) === false) { $this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress()); $expectedToken = $this->dbHandler->getToken($url); $this->logger->error( 'remote server (' . $url . ') didn\'t send a valid token (got "' . $token . '" but expected "'. $expectedToken . '") while getting shared secret', ['app' => 'federation'] ); throw new OCSForbiddenException(); } $sharedSecret = $this->secureRandom->generate(32); $this->trustedServers->addSharedSecret($url, $sharedSecret); return new DataResponse([ 'sharedSecret' => $sharedSecret ]); } protected function isValidToken(string $url, string $token): bool { $storedToken = $this->dbHandler->getToken($url); return hash_equals($storedToken, $token); } }