TrustedServers.php 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  5. * SPDX-License-Identifier: AGPL-3.0-only
  6. */
  7. namespace OCA\Federation;
  8. use OCA\Federation\BackgroundJob\RequestSharedSecret;
  9. use OCP\AppFramework\Http;
  10. use OCP\AppFramework\Utility\ITimeFactory;
  11. use OCP\BackgroundJob\IJobList;
  12. use OCP\DB\Exception;
  13. use OCP\EventDispatcher\IEventDispatcher;
  14. use OCP\Federation\Events\TrustedServerRemovedEvent;
  15. use OCP\HintException;
  16. use OCP\Http\Client\IClientService;
  17. use OCP\IConfig;
  18. use OCP\Security\ISecureRandom;
  19. use Psr\Log\LoggerInterface;
  20. class TrustedServers {
  21. /** after a user list was exchanged at least once successfully */
  22. public const STATUS_OK = 1;
  23. /** waiting for shared secret or initial user list exchange */
  24. public const STATUS_PENDING = 2;
  25. /** something went wrong, misconfigured server, software bug,... user interaction needed */
  26. public const STATUS_FAILURE = 3;
  27. /** remote server revoked access */
  28. public const STATUS_ACCESS_REVOKED = 4;
  29. private DbHandler $dbHandler;
  30. private IClientService $httpClientService;
  31. private LoggerInterface $logger;
  32. private IJobList $jobList;
  33. private ISecureRandom $secureRandom;
  34. private IConfig $config;
  35. private IEventDispatcher $dispatcher;
  36. private ITimeFactory $timeFactory;
  37. /** @var list<array{id: int, url: string, url_hash: string, shared_secret: ?string, status: int, sync_token: ?string}>|null */
  38. private ?array $trustedServersCache = null;
  39. public function __construct(
  40. DbHandler $dbHandler,
  41. IClientService $httpClientService,
  42. LoggerInterface $logger,
  43. IJobList $jobList,
  44. ISecureRandom $secureRandom,
  45. IConfig $config,
  46. IEventDispatcher $dispatcher,
  47. ITimeFactory $timeFactory
  48. ) {
  49. $this->dbHandler = $dbHandler;
  50. $this->httpClientService = $httpClientService;
  51. $this->logger = $logger;
  52. $this->jobList = $jobList;
  53. $this->secureRandom = $secureRandom;
  54. $this->config = $config;
  55. $this->dispatcher = $dispatcher;
  56. $this->timeFactory = $timeFactory;
  57. }
  58. /**
  59. * Add server to the list of trusted servers
  60. */
  61. public function addServer(string $url): int {
  62. $url = $this->updateProtocol($url);
  63. $result = $this->dbHandler->addServer($url);
  64. if ($result) {
  65. $token = $this->secureRandom->generate(16);
  66. $this->dbHandler->addToken($url, $token);
  67. $this->jobList->add(
  68. RequestSharedSecret::class,
  69. [
  70. 'url' => $url,
  71. 'token' => $token,
  72. 'created' => $this->timeFactory->getTime()
  73. ]
  74. );
  75. }
  76. return $result;
  77. }
  78. /**
  79. * Get shared secret for the given server
  80. */
  81. public function getSharedSecret(string $url): string {
  82. return $this->dbHandler->getSharedSecret($url);
  83. }
  84. /**
  85. * Add shared secret for the given server
  86. */
  87. public function addSharedSecret(string $url, string $sharedSecret): void {
  88. $this->dbHandler->addSharedSecret($url, $sharedSecret);
  89. }
  90. /**
  91. * Remove server from the list of trusted servers
  92. */
  93. public function removeServer(int $id): void {
  94. $server = $this->dbHandler->getServerById($id);
  95. $this->dbHandler->removeServer($id);
  96. $this->dispatcher->dispatchTyped(new TrustedServerRemovedEvent($server['url_hash']));
  97. }
  98. /**
  99. * Get all trusted servers
  100. *
  101. * @return list<array{id: int, url: string, url_hash: string, shared_secret: ?string, status: int, sync_token: ?string}>
  102. * @throws Exception
  103. */
  104. public function getServers() {
  105. if ($this->trustedServersCache === null) {
  106. $this->trustedServersCache = $this->dbHandler->getAllServer();
  107. }
  108. return $this->trustedServersCache;
  109. }
  110. /**
  111. * Check if given server is a trusted Nextcloud server
  112. */
  113. public function isTrustedServer(string $url): bool {
  114. return $this->dbHandler->serverExists($url);
  115. }
  116. /**
  117. * Set server status
  118. */
  119. public function setServerStatus(string $url, int $status): void {
  120. $this->dbHandler->setServerStatus($url, $status);
  121. }
  122. /**
  123. * Get server status
  124. */
  125. public function getServerStatus(string $url): int {
  126. return $this->dbHandler->getServerStatus($url);
  127. }
  128. /**
  129. * Check if URL point to a ownCloud/Nextcloud server
  130. */
  131. public function isNextcloudServer(string $url): bool {
  132. $isValidNextcloud = false;
  133. $client = $this->httpClientService->newClient();
  134. try {
  135. $result = $client->get(
  136. $url . '/status.php',
  137. [
  138. 'timeout' => 3,
  139. 'connect_timeout' => 3,
  140. ]
  141. );
  142. if ($result->getStatusCode() === Http::STATUS_OK) {
  143. $body = $result->getBody();
  144. if (is_resource($body)) {
  145. $body = stream_get_contents($body) ?: '';
  146. }
  147. $isValidNextcloud = $this->checkNextcloudVersion($body);
  148. }
  149. } catch (\Exception $e) {
  150. $this->logger->error('No Nextcloud server.', [
  151. 'app' => 'federation',
  152. 'exception' => $e,
  153. ]);
  154. return false;
  155. }
  156. return $isValidNextcloud;
  157. }
  158. /**
  159. * Check if ownCloud/Nextcloud version is >= 9.0
  160. * @throws HintException
  161. */
  162. protected function checkNextcloudVersion(string $status): bool {
  163. $decoded = json_decode($status, true);
  164. if (!empty($decoded) && isset($decoded['version'])) {
  165. if (!version_compare($decoded['version'], '9.0.0', '>=')) {
  166. throw new HintException('Remote server version is too low. 9.0 is required.');
  167. }
  168. return true;
  169. }
  170. return false;
  171. }
  172. /**
  173. * Check if the URL contain a protocol, if not add https
  174. */
  175. protected function updateProtocol(string $url): string {
  176. if (
  177. strpos($url, 'https://') === 0
  178. || strpos($url, 'http://') === 0
  179. ) {
  180. return $url;
  181. }
  182. return 'https://' . $url;
  183. }
  184. }