Issue #75: WOPI proof #79
Conversation
donquixote
force-pushed
the
issue-75-wopi-proof
branch
from
d3465fa to
c5b5dea
Compare
This will allow to use the regular route access layer for proofing and authorization.
…f the custom response.
donquixote
force-pushed
the
issue-75-wopi-proof
branch
6 times, most recently
from
f37d4ff to
9789290
Compare
donquixote
force-pushed
the
issue-75-wopi-proof
branch
3 times, most recently
from
a58c0f4 to
6fa5037
Compare
donquixote
force-pushed
the
issue-75-wopi-proof
branch
from
6fa5037 to
7ead437
Compare
| // Unfortunately, is_numeric() confuses the IDE's static analysis, so use | ||
| // regular expression instead. | ||
| if (!preg_match('#^[1-9]\d+$#', $wopi_ticks_str)) { |
There was a problem hiding this comment.
The IDE should never be the driver for how we write the code. Let's put the is_numeric() call.
| * | ||
| * Note that the X-WOPI-Timestamp is in DotNet ticks. | ||
| */ | ||
| class WopiTimeoutAccessCheck implements AccessInterface { |
There was a problem hiding this comment.
In the end, the timestamp is used also in the other class, and we basically need one single method from here, while we need to duplicate quite a bit of code. Let's merge all into a single class.
There was a problem hiding this comment.
One motivation for the split was the distinct service dependencies.
We can fully keep out the crypto stuff from the timeout checker, and we can fully keep out the dotnet time conversion from the proof checker. We get two independent buckets of control flow.
The shared code is the config check and the timestamp header value.
| @@ -10,5 +10,6 @@ cool: | |||
| access_token_ttl: 86400 | |||
| # Disable cert checks. | |||
| disable_cert_check: false | |||
| wopi_proof: true | |||
There was a problem hiding this comment.
We should provide a post_update hook to set this value.
There was a problem hiding this comment.
I was not sure if we have an upgrade path.
But I also don't mind to add it.
| protected function getSignatures(Request $request): array { | ||
| // Get the current and old proof header. | ||
| // Remove empty values. | ||
| // If both are the same, keep only the current one. |
There was a problem hiding this comment.
Is this actually a possible scenario? Like, is it written in some documentation?
Because this piece of code makes me think that it's part of the WOPI protocol.
What would be the implications if we left not-unique headers?
There was a problem hiding this comment.
If the keys are not changed regularly, then we will have identical old and new key, and identical old and new signature. You will see that in the existing discovery.xml.
The only implication of keeping duplicates is that we will do redundant checks. So not a big deal, but also easy enough to avoid.
There was a problem hiding this comment.
The redundant checks would only happen in the non-happy path, so it is not really the main scenario to optimize for.
The wopi-lib has explicit vars for old and new key and proof and does the 3 checks explicitly with &&.
We could do that.
Currently with the array_filter() and then foreach() we silently ignore if an old key is missing in discovery.xml, or the old proof is missing in the request.
Instead, we could simply fail if the old key or proof is not present.
This would reveal if e.g. we are using the wrong xpath or wrong header name, or if the WOPI client behaves differently due to an update.
| $assert_session->fieldValueEquals('Disable TLS certificate check for COOL.', ''); | ||
| $assert_session->fieldValueEquals('Verify proof header and timestamp in incoming WOPI requests.', '1'); | ||
| $assert_session->fieldValueEquals('Allow COOL to use fullscreen mode.', '1'); |
There was a problem hiding this comment.
Let's convert this to checkboxChecked/checkboxNotChecked.
| public static function provideAllMethods(): array { | ||
| return [ | ||
| // Closures in data providers are ok in unit tests. | ||
| 'getWopiClientURL' => [fn (CollaboraDiscoveryInterface $discovery) => $discovery->getWopiClientURL()], | ||
| 'getProofKey' => [fn (CollaboraDiscoveryInterface $discovery) => $discovery->getProofKey()], | ||
| 'getProofKeyOld' => [fn (CollaboraDiscoveryInterface $discovery) => $discovery->getProofKeyOld()], | ||
| ]; | ||
| } |
There was a problem hiding this comment.
We can simplify this:
return [
'getWopiClientURL' => ['getWopiClientURL'],
'getProofKey' => ['getProofKey'],
'getProofKeyOld' => ['getProofKeyOld'],
];
And then just call_user_func([$discovery, $callback]);
There was a problem hiding this comment.
It works as long as there are no arguments, which is ok for now.
It also means that static analysis would find usages of the methods.
But I think we can change it, overall it will become simpler, so ok.
| 'current' => $this->discovery->getProofKey(), | ||
| 'old' => $this->discovery->getProofKeyOld(), |
There was a problem hiding this comment.
These two methods make each an HTTP request to retrieve the XML. This happens for each request to the three routes.
I found some information about the fact that the proof key is rotated every certain amount of time (https://learn.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/online/discovery).
We can check for Collabora, but I wold say that implementing a caching system that keeps the discovery XML cached for one hour will already greatly reduce the amount of requests we make.
There was a problem hiding this comment.
Absolutely. I think somewhere it was documented that this should be 20 minutes.
But I wanted to do a dedicated PR to add caching to the discovery.
If we implement caching, we need to determine when this should be reset. We can do the < 20 min TTL, and ofc the dependency on the config record. But perhaps we also need a different mechanism to force this reset.
src/Cool/CollaboraDiscovery.php
Outdated
|
|
||
| /** | ||
| * Service to get a WOPI client url for a given MIME type. | ||
| * Service to get a WOPI client URL for a given MIME type. |
There was a problem hiding this comment.
This is not true now. This service is now a representation of the Collabora discovery file.
| ### Installation steps | ||
| ### Collabora Online server preparation | ||
|
|
||
| It is recommended to generate a proof key as documented here:\ |
There was a problem hiding this comment.
I think there might be a link missing.
|
|
||
| /** | ||
| * Service to get a WOPI client url for a given MIME type. | ||
| * Service to get a WOPI client URL for a given MIME type. | ||
| */ | ||
| class CollaboraDiscovery implements CollaboraDiscoveryInterface { |
There was a problem hiding this comment.
We need to rethink a bit how this service works. Probably we should gather once per initialization the file from the fetcher?
I would like a class that completely wraps the XML, and the single methods return the parsed information from it, like a sort of value object.
There was a problem hiding this comment.
I was thinking that too. But, once we have a value object, we can't have it respond to config changes etc.
Perhaps this is all ok, but I would like a separate issue to think about this.
There was a problem hiding this comment.
One idea I had was a proxy object that deals with the config etc and which then creates the value object to delegate calls to.
When the config changes, we could drop the value object and create a new one.
Or, do we actually need that? Do we care if config changes at runtime, or only between requests?
As a compromise we can have a property that has the cached parsed xml, and then a persistent cache for the xml string. TBD.
donquixote
force-pushed
the
issue-75-wopi-proof
branch
from
b81f05a to
46608d6
Compare
Fixes #75
This also contains some refactoring of WopiController, moving access checks to the routing layer.
I could split this out but I would prefer not to..