feat: electronic signing, add settings for eIDEasy (fixes #4311)

Electronic signing needs to store settings as richdocuments settings. This involves the API URL, a client ID visible to the browser and a secret, which is only used during server-side requests. The WOPI CheckFileInfo reply sends this information to the COOL server, similar to how it's done for digital signing (via PEM files). Add the settings as admin settings, otherwise normal users would be able to use eIDEasy services outside richdocuments. <CollaboraOnline/online#10630 (comment)> has instructions on what test data to use to try out the service in a test environment. Additionally, if the test CA is configured to be trusted as a user setting, then the green stamp icon will show up in the status bar. Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
nextcloud · Dec 12, 2024 · 45875ff · 45875ff
1 parent bbb63d9
commit 45875ff
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 0 deletions.
diff --git a/lib/Controller/SettingsController.php b/lib/Controller/SettingsController.php
@@ -110,6 +110,9 @@ private function getSettingsData(): array {
 			'product_name' => $this->capabilitiesService->getServerProductName(),
 			'product_version' => $this->capabilitiesService->getProductVersion(),
 			'product_hash' => $this->capabilitiesService->getProductHash(),
+			'esignature_base_url' => $this->appConfig->getAppValue('esignature_base_url'),
+			'esignature_client_id' => $this->appConfig->getAppValue('esignature_client_id'),
+			'esignature_secret' => $this->appConfig->getAppValue('esignature_secret'),
 		];
 	}
 
@@ -122,6 +125,9 @@ public function setSettings(
 		?string $doc_format,
 		?string $external_apps,
 		?string $canonical_webroot,
+		?string $esignature_base_url,
+		?string $esignature_client_id,
+		?string $esignature_secret,
 	): JSONResponse {
 		if ($wopi_url !== null) {
 			$this->appConfig->setAppValue('wopi_url', $wopi_url);
@@ -158,6 +164,18 @@ public function setSettings(
 			$this->appConfig->setAppValue('canonical_webroot', $canonical_webroot);
 		}
 
+		if ($esignature_base_url !== null) {
+			$this->appConfig->setAppValue('esignature_base_url', $esignature_base_url);
+		}
+
+		if ($esignature_client_id !== null) {
+			$this->appConfig->setAppValue('esignature_client_id', $esignature_client_id);
+		}
+
+		if ($esignature_secret !== null) {
+			$this->appConfig->setAppValue('esignature_secret', $esignature_secret);
+		}
+
 		try {
 			$output = new NullOutput();
 			$this->connectivityService->testDiscovery($output);

diff --git a/lib/Controller/WopiController.php b/lib/Controller/WopiController.php
@@ -159,6 +159,7 @@ public function checkFileInfo(string $fileId, string $access_token): JSONRespons
 			'IsUserLocked' => $this->permissionManager->userIsFeatureLocked($wopi->getEditorUid()),
 			'EnableRemoteLinkPicker' => (bool)$wopi->getCanwrite() && !$isPublic && !$wopi->getDirect(),
 			'HasContentRange' => true,
+			'ServerPrivateInfo' => [],
 		];
 
 		$enableZotero = $this->config->getAppValue(Application::APPNAME, 'zoteroEnabled', 'yes') === 'yes';
@@ -174,6 +175,19 @@ public function checkFileInfo(string $fileId, string $access_token): JSONRespons
 			$response['UserPrivateInfo']['SignatureKey'] = $documentSigningKey;
 			$documentSigningCa = $this->config->getUserValue($wopi->getEditorUid(), 'richdocuments', 'documentSigningCa', '');
 			$response['UserPrivateInfo']['SignatureCa'] = $documentSigningCa;
+
+			$eSignatureBaseUrl = $this->config->getAppValue(Application::APPNAME, 'esignature_base_url');
+			if ($eSignatureBaseUrl !== '') {
+				$response['ServerPrivateInfo']['ESignatureBaseUrl'] = $eSignatureBaseUrl;
+			}
+			$eSignatureClientId = $this->config->getAppValue(Application::APPNAME, 'esignature_client_id');
+			if ($eSignatureClientId !== '') {
+				$response['ServerPrivateInfo']['ESignatureClientId'] = $eSignatureClientId;
+			}
+			$eSignatureSecret = $this->config->getAppValue(Application::APPNAME, 'esignature_secret');
+			if ($eSignatureSecret !== '') {
+				$response['ServerPrivateInfo']['ESignatureSecret'] = $eSignatureSecret;
+			}
 		}
 		if ($wopi->hasTemplateId()) {
 			$response['TemplateSource'] = $this->getWopiUrlForTemplate($wopi);

diff --git a/lib/Settings/Admin.php b/lib/Settings/Admin.php
@@ -53,6 +53,9 @@ public function getForm(): TemplateResponse {
 					'os_family' => PHP_VERSION_ID >= 70200 ? PHP_OS_FAMILY : PHP_OS,
 					'platform' => php_uname('m'),
 					'fonts' => $this->fontService->getFontFileNames(),
+					'esignature_base_url' => $this->config->getAppValue('richdocuments', 'esignature_base_url'),
+					'esignature_client_id' => $this->config->getAppValue('richdocuments', 'esignature_client_id'),
+					'esignature_secret' => $this->config->getAppValue('richdocuments', 'esignature_secret'),
 				],
 			],
 			'blank'

diff --git a/src/components/AdminSettings.vue b/src/components/AdminSettings.vue
@@ -391,6 +391,25 @@
 			</div>
 		</div>
 
+		<div v-if="isSetup" id="esignature-settings" class="section">
+			<h2>{{ t('richdocuments', 'Electronic signature settings') }}</h2>
+			<SettingsInputText v-model="settings.esignature_base_url"
+				:label="t('richdocuments', 'URL for the electronic signature API')"
+				:hint="t('richdocuments', 'The production API URL is https://id.eideasy.com, the test API URL is https://test.eideasy.com.')"
+				:disabled="updating"
+				@update="updateESignatureBaseUrl" />
+			<SettingsInputText v-model="settings.esignature_client_id"
+				:label="t('richdocuments', 'Client ID for the electronic signature API')"
+				:hint="t('richdocuments', 'Fill in the registration form at https://eideasy.com/signup to obtain a client ID and secret.')"
+				:disabled="updating"
+				@update="updateESignatureClientId" />
+			<SettingsInputText v-model="settings.esignature_secret"
+				:label="t('richdocuments', 'Secret for the electronic signature API')"
+				:hint="t('richdocuments', 'The secret may be downloadable via WOPI requests if WOPI allow list is not correctly configured.')"
+				:disabled="updating"
+				@update="updateESignatureSecret" />
+		</div>
+
 		<GlobalTemplates v-if="isSetup" />
 	</div>
 </template>
@@ -688,6 +707,21 @@ export default {
 				wopi_allowlist: allowlist,
 			})
 		},
+		async updateESignatureBaseUrl(url) {
+			await this.updateSettings({
+				esignature_base_url: url,
+			})
+		},
+		async updateESignatureClientId(id) {
+			await this.updateSettings({
+				esignature_client_id: id,
+			})
+		},
+		async updateESignatureSecret(secret) {
+			await this.updateSettings({
+				esignature_secret: secret,
+			})
+		},
 		async updateOoxml(enabled) {
 			this.settings.doc_format = enabled ? 'ooxml' : ''
 			await this.updateSettings({