From 45875ffec9be4eca6450cd648213ad5a41ffcd8c Mon Sep 17 00:00:00 2001
From: Miklos Vajna <vmiklos@collabora.com>
Date: Tue, 10 Dec 2024 08:45:19 +0100
Subject: [PATCH] feat: electronic signing, add settings for eIDEasy (fixes
 #4311)

Electronic signing needs to store settings as richdocuments settings.
This involves the API URL, a client ID visible to the browser and a
secret, which is only used during server-side requests.

The WOPI CheckFileInfo reply sends this information to the COOL server,
similar to how it's done for digital signing (via PEM files).

Add the settings as admin settings, otherwise normal users would be able
to use eIDEasy services outside richdocuments.

<https://github.com/CollaboraOnline/online/issues/10630#issuecomment-2510923379>
has instructions on what test data to use to try out the service in a
test environment. Additionally, if the test CA is configured to be
trusted as a user setting, then the green stamp icon will show up in the
status bar.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
---
 lib/Controller/SettingsController.php | 18 ++++++++++++++
 lib/Controller/WopiController.php     | 14 +++++++++++
 lib/Settings/Admin.php                |  3 +++
 src/components/AdminSettings.vue      | 34 +++++++++++++++++++++++++++
 4 files changed, 69 insertions(+)

diff --git a/lib/Controller/SettingsController.php b/lib/Controller/SettingsController.php
index 0ae90da07a..6dee13062f 100644
--- a/lib/Controller/SettingsController.php
+++ b/lib/Controller/SettingsController.php
@@ -110,6 +110,9 @@ private function getSettingsData(): array {
 			'product_name' => $this->capabilitiesService->getServerProductName(),
 			'product_version' => $this->capabilitiesService->getProductVersion(),
 			'product_hash' => $this->capabilitiesService->getProductHash(),
+			'esignature_base_url' => $this->appConfig->getAppValue('esignature_base_url'),
+			'esignature_client_id' => $this->appConfig->getAppValue('esignature_client_id'),
+			'esignature_secret' => $this->appConfig->getAppValue('esignature_secret'),
 		];
 	}
 
@@ -122,6 +125,9 @@ public function setSettings(
 		?string $doc_format,
 		?string $external_apps,
 		?string $canonical_webroot,
+		?string $esignature_base_url,
+		?string $esignature_client_id,
+		?string $esignature_secret,
 	): JSONResponse {
 		if ($wopi_url !== null) {
 			$this->appConfig->setAppValue('wopi_url', $wopi_url);
@@ -158,6 +164,18 @@ public function setSettings(
 			$this->appConfig->setAppValue('canonical_webroot', $canonical_webroot);
 		}
 
+		if ($esignature_base_url !== null) {
+			$this->appConfig->setAppValue('esignature_base_url', $esignature_base_url);
+		}
+
+		if ($esignature_client_id !== null) {
+			$this->appConfig->setAppValue('esignature_client_id', $esignature_client_id);
+		}
+
+		if ($esignature_secret !== null) {
+			$this->appConfig->setAppValue('esignature_secret', $esignature_secret);
+		}
+
 		try {
 			$output = new NullOutput();
 			$this->connectivityService->testDiscovery($output);
diff --git a/lib/Controller/WopiController.php b/lib/Controller/WopiController.php
index cef78e99d5..df3af275ea 100644
--- a/lib/Controller/WopiController.php
+++ b/lib/Controller/WopiController.php
@@ -159,6 +159,7 @@ public function checkFileInfo(string $fileId, string $access_token): JSONRespons
 			'IsUserLocked' => $this->permissionManager->userIsFeatureLocked($wopi->getEditorUid()),
 			'EnableRemoteLinkPicker' => (bool)$wopi->getCanwrite() && !$isPublic && !$wopi->getDirect(),
 			'HasContentRange' => true,
+			'ServerPrivateInfo' => [],
 		];
 
 		$enableZotero = $this->config->getAppValue(Application::APPNAME, 'zoteroEnabled', 'yes') === 'yes';
@@ -174,6 +175,19 @@ public function checkFileInfo(string $fileId, string $access_token): JSONRespons
 			$response['UserPrivateInfo']['SignatureKey'] = $documentSigningKey;
 			$documentSigningCa = $this->config->getUserValue($wopi->getEditorUid(), 'richdocuments', 'documentSigningCa', '');
 			$response['UserPrivateInfo']['SignatureCa'] = $documentSigningCa;
+
+			$eSignatureBaseUrl = $this->config->getAppValue(Application::APPNAME, 'esignature_base_url');
+			if ($eSignatureBaseUrl !== '') {
+				$response['ServerPrivateInfo']['ESignatureBaseUrl'] = $eSignatureBaseUrl;
+			}
+			$eSignatureClientId = $this->config->getAppValue(Application::APPNAME, 'esignature_client_id');
+			if ($eSignatureClientId !== '') {
+				$response['ServerPrivateInfo']['ESignatureClientId'] = $eSignatureClientId;
+			}
+			$eSignatureSecret = $this->config->getAppValue(Application::APPNAME, 'esignature_secret');
+			if ($eSignatureSecret !== '') {
+				$response['ServerPrivateInfo']['ESignatureSecret'] = $eSignatureSecret;
+			}
 		}
 		if ($wopi->hasTemplateId()) {
 			$response['TemplateSource'] = $this->getWopiUrlForTemplate($wopi);
diff --git a/lib/Settings/Admin.php b/lib/Settings/Admin.php
index a5e9778923..7dc7158bb6 100644
--- a/lib/Settings/Admin.php
+++ b/lib/Settings/Admin.php
@@ -53,6 +53,9 @@ public function getForm(): TemplateResponse {
 					'os_family' => PHP_VERSION_ID >= 70200 ? PHP_OS_FAMILY : PHP_OS,
 					'platform' => php_uname('m'),
 					'fonts' => $this->fontService->getFontFileNames(),
+					'esignature_base_url' => $this->config->getAppValue('richdocuments', 'esignature_base_url'),
+					'esignature_client_id' => $this->config->getAppValue('richdocuments', 'esignature_client_id'),
+					'esignature_secret' => $this->config->getAppValue('richdocuments', 'esignature_secret'),
 				],
 			],
 			'blank'
diff --git a/src/components/AdminSettings.vue b/src/components/AdminSettings.vue
index d701bd6466..0023ba5705 100644
--- a/src/components/AdminSettings.vue
+++ b/src/components/AdminSettings.vue
@@ -391,6 +391,25 @@
 			</div>
 		</div>
 
+		<div v-if="isSetup" id="esignature-settings" class="section">
+			<h2>{{ t('richdocuments', 'Electronic signature settings') }}</h2>
+			<SettingsInputText v-model="settings.esignature_base_url"
+				:label="t('richdocuments', 'URL for the electronic signature API')"
+				:hint="t('richdocuments', 'The production API URL is https://id.eideasy.com, the test API URL is https://test.eideasy.com.')"
+				:disabled="updating"
+				@update="updateESignatureBaseUrl" />
+			<SettingsInputText v-model="settings.esignature_client_id"
+				:label="t('richdocuments', 'Client ID for the electronic signature API')"
+				:hint="t('richdocuments', 'Fill in the registration form at https://eideasy.com/signup to obtain a client ID and secret.')"
+				:disabled="updating"
+				@update="updateESignatureClientId" />
+			<SettingsInputText v-model="settings.esignature_secret"
+				:label="t('richdocuments', 'Secret for the electronic signature API')"
+				:hint="t('richdocuments', 'The secret may be downloadable via WOPI requests if WOPI allow list is not correctly configured.')"
+				:disabled="updating"
+				@update="updateESignatureSecret" />
+		</div>
+
 		<GlobalTemplates v-if="isSetup" />
 	</div>
 </template>
@@ -688,6 +707,21 @@ export default {
 				wopi_allowlist: allowlist,
 			})
 		},
+		async updateESignatureBaseUrl(url) {
+			await this.updateSettings({
+				esignature_base_url: url,
+			})
+		},
+		async updateESignatureClientId(id) {
+			await this.updateSettings({
+				esignature_client_id: id,
+			})
+		},
+		async updateESignatureSecret(secret) {
+			await this.updateSettings({
+				esignature_secret: secret,
+			})
+		},
 		async updateOoxml(enabled) {
 			this.settings.doc_format = enabled ? 'ooxml' : ''
 			await this.updateSettings({