The manager itself does not need to know what hardcoded-things an app provides,
instead the apps itself should handle this.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
The behaviour of getAppNameFromPath is really different from what was
mocked, so I’m not sure whether the class behaves as initially
intended. I adapted the test to match the class behavior for now.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
The diff can be checked using: git diff --ignore-all-space --ignore-blank-lines
To see only the changes not related to blank lines.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
AppConfig and UserConfig unconditionally queried NC-only columns (type,
lazy, flags, indexed) that don't exist in ownCloud's database schema,
breaking ownCloud → Nextcloud upgrades entirely before the schema
migration steps could run.
Restore the fallback pattern in both classes: on first loadConfig() call,
if a DBException with REASON_INVALID_FIELD_NAME is thrown, set
$migrationCompleted = false and retry selecting only the columns present
in ownCloud's schema. INSERT and UPDATE statements also omit NC-only
columns when $migrationCompleted is false.
The catch block also guards against infinite recursion: if $migrationCompleted
is already false when the exception fires, the exception is re-thrown
instead of triggering another recursive call.
Fixes: https://github.com/nextcloud/server/issues/57340
Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace assertTrue(true), addToAssertionCount(1) and delete-without-assert
patterns with meaningful assertions or proper test removal.
Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Two CI failures introduced by the test additions in this PR:
1. testEd25519VerifyAcceptedWhenSodiumLoaded calls setSignature() to inject
an externally-produced Ed25519 signature (since Algorithm::sign() rejects
Ed25519 by design). setSignature was declared protected, so the test
couldn't call it from outside the class hierarchy. Make it public —
SignedRequest lives in the OC\ private namespace, so this widens
internal-only visibility, not the public API surface.
2. testParseKeyRejectsContradictoryAlg expected firebase/php-jwt's
JWK::parseKey() to throw on a kty=OKP/crv=Ed25519/alg=ES256 key. The
current firebase/php-jwt version does not validate that coherence at
parse time, so the test now fails to see any throwable. The actual
security check happens at Algorithm::verify() time and is covered by
testVerifyEd25519KeyAgainstES256Alg right above it. Skip the parse-time
test with a comment pointing at the verify-time coverage.
Signed-off-by: Micke Nordin <kano@sunet.se>
This commit switches the default signature algorithm to
ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium
optional again, and we only pull it in to use it for verifying incomming
signatures. If sodium is not installed, we throw on Ed25519 signatures
instead. At least it is easy for most people to make their Nextcloud
install fully RFC compliant by installing sodium.
I also renamed all the Ed25519 function names to be more precis, using
Jwks for the JSON Web Keys, and RFC9421 for the http-signature code,
where it is needed to distinguish from draft-cavage signatures.
Signed-off-by: Micke Nordin <kano@sunet.se>
OCM dual-stack integration of RFC 9421 alongside the existing cavage
publicKey path:
- OCMSignatoryManager: Ed25519 active/pending/retiring slot rotation
backed by numbered pool appkeys, getRemoteKey for inbound JWK lookup
with per-origin cache + cache-miss refetch, and getLocalEd25519Jwks
for the JWKS endpoint.
- Rfc9421SignatoryManager: per-call wrapper that swaps in the Ed25519
signatory and toggles `rfc9421.format`.
- OCMJwksHandler: serves /.well-known/jwks.json (RFC 7517) when signing
is enabled.
- OCMDiscoveryService: advertises `http-sig` in capabilities when
signing is enabled, and picks the signature scheme on outbound based
on the remote's advertised capabilities.
- Application.php: register the JWKS well-known handler.
Signed-off-by: Micke Nordin <kano@sunet.se>
Add the RFC 9421 (HTTP Message Signatures) sign/verify path alongside
the existing draft-cavage implementation:
- Algorithm: sodium for Ed25519, JWT::sign for RSA / ECDSA, ecdsaRawToDer
for the ECDSA wire format. JWK parsing via JWK::parseKey.
- SignatureBase: RFC 9421 §2.5 base construction for the derived
components OCM uses plus plain HTTP fields.
- ContentDigest: RFC 9530 helpers used as a covered component.
- Rfc9421IncomingSignedRequest / Rfc9421OutgoingSignedRequest:
request models. Parsing of Signature-Input / Signature delegates
to gapple\\StructuredFields\\Parser.
- IJwkResolvingSignatoryManager: capability bit signatory managers
advertise to participate in RFC 9421 verification.
- OcmProfile: OCM-mandated dictionary label.
- SignatureManager: dispatch to RFC 9421 inbound when Signature-Input
is present, outbound when rfc9421.format is set.
Plus tests for each primitive and a full round-trip across the model.
Signed-off-by: Micke Nordin <kano@sunet.se>
Eight test classes overrode tearDown() for custom DB cleanup but never
called parent::tearDown(). TestCase::tearDown() does three things these
tests were silently skipping after every test method:
- ILockingProvider::releaseAll() — unreleased locks bleed into subsequent
tests and can cause deadlocks or unexpected NotFoundException
- Storage::getGlobalCache()->clearCache() — stale filecache entries from
share/storage tests cause unrelated ObjectStore tests to receive false
from fopen() (fseek() then fails with "Argument must be of type resource")
- UserMountCache::flush() — stale mount cache causes share lookups in
later tests to fail with ShareNotFound
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Anna Larch <anna@nextcloud.com>
When decrypting a v3 ciphertext with a mismatched secret, the first
attempt throws an Exception (HMAC mismatch). The fallback then calls
decryptWithoutSecret() with an empty string, which causes hash_hkdf()
to throw a ValueError. Since ValueError extends \Error rather than
\Exception, it bypassed the catch block and propagated as an unhandled
error, crashing the whole request.
Wrap the fallback in its own try/catch(\Throwable) and rethrow the
original Exception so callers get a meaningful HMAC mismatch error.
Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When an ownCloud-migrated group share (which has no per-user USERGROUP
subshare) is renamed for the first time, DefaultShareProvider::move()
inserted a new USERGROUP row without setting `accepted`. The column
defaulted to 0 (STATUS_PENDING), causing MountProvider to skip the
share on the next login — the shared file disappeared for the recipient.
Fix: set accepted = STATUS_ACCEPTED explicitly on the INSERT in
DefaultShareProvider::move() for the TYPE_GROUP branch.
Secondary fix: SharedMount::moveMount() silently returned true when
updateFileTarget() threw (e.g. group no longer exists on an OC-migrated
instance). Set $result = false in the catch block so View::rename()
propagates the failure instead of silently corrupting VFS state.
An opt-in occ command (sharing:fix-owncloud-group-shares) with --dry-run
support is included to repair existing broken instances. It targets only
TYPE_USERGROUP subshares with accepted=STATUS_PENDING and permissions!=0
(shares that were accepted but broken by the missing column default),
leaving explicitly declined shares (permissions=0) untouched.
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Anna Larch <anna@nextcloud.com>
- Attempt delete before logging the warning, so the warning only fires
when we know recovery will succeed
- Log an error (not silently return) when delete itself fails
- Use catch (\Exception) without variable (PHP 8)
- Replace willReturnArgument(1) with explicit willReturn(true) in test
- Add blank lines between logical blocks in test for readability
Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When the appstore cache file exists but getContent() throws a
GenericFileException (I/O error or OS-level permission failure), explicitly
delete the file and recreate it before writing fresh data — mirroring the
NotFoundException recovery path. If deletion itself fails, return [] cleanly.
Previously, the unhandled exception caused the entire apps settings page to
crash. The new test covers both the recovery path and deletion failure.
Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Robin Appelman
Carl Schwan
Tobias Kaminsky
Ferdinand Thiessen
Carl Schwan
Benjamin Gaussorgues
Côme Chilliet
provokateurin
Josh
Anna
Stephan Orbaugh
Micke Nordin
Kate
Micke Nordin
Anna Larch
nextcloud-command
Daniel