AppConfig and UserConfig unconditionally queried NC-only columns (type,
lazy, flags, indexed) that don't exist in ownCloud's database schema,
breaking ownCloud → Nextcloud upgrades entirely before the schema
migration steps could run.
Restore the fallback pattern in both classes: on first loadConfig() call,
if a DBException with REASON_INVALID_FIELD_NAME is thrown, set
$migrationCompleted = false and retry selecting only the columns present
in ownCloud's schema. INSERT and UPDATE statements also omit NC-only
columns when $migrationCompleted is false.
The catch block also guards against infinite recursion: if $migrationCompleted
is already false when the exception fires, the exception is re-thrown
instead of triggering another recursive call.
Fixes: https://github.com/nextcloud/server/issues/57340
Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add @BeforeScenario hooks to reset auth/server state and sharing state
between scenarios, preventing state bleed across test runs.
- BasicStructure: reset currentUser, currentServer, baseUrl, apiVersion,
requestToken and cookieJar (baseUrl and currentServer go together via
usingServer(), so both must be reset)
- Sharing: reset lastShareData, storedShareData and savedShareId
Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace assertTrue(true), addToAssertionCount(1) and delete-without-assert
patterns with meaningful assertions or proper test removal.
Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PHPUnit's enforceTimeLimit was disabled, meaning the timeoutForSmallTests,
timeoutForMediumTests and timeoutForLargeTests config values had no effect.
Enable enforcement and set realistic limits: 60s/300s/600s for
small/medium/large, with a 300s default for unannotated tests.
Also clear disable_functions in the PHP development ini preset across all
PHPUnit workflows so pcntl_signal is available — without it the signal
handler that drives timeout enforcement cannot be registered.
Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Anna Larch <anna@nextcloud.com>
The Cypress init job ran npm ci from scratch on every invocation.
Add buildjet cache restore/save steps around npm ci, keyed on
package-lock.json hash, so subsequent runs with unchanged dependencies
skip the registry download entirely.
Uses buildjet/cache (v4.0.2) to match the existing context caching
already in this workflow.
Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Anna Larch <anna@nextcloud.com>
Two CI failures introduced by the test additions in this PR:
1. testEd25519VerifyAcceptedWhenSodiumLoaded calls setSignature() to inject
an externally-produced Ed25519 signature (since Algorithm::sign() rejects
Ed25519 by design). setSignature was declared protected, so the test
couldn't call it from outside the class hierarchy. Make it public —
SignedRequest lives in the OC\ private namespace, so this widens
internal-only visibility, not the public API surface.
2. testParseKeyRejectsContradictoryAlg expected firebase/php-jwt's
JWK::parseKey() to throw on a kty=OKP/crv=Ed25519/alg=ES256 key. The
current firebase/php-jwt version does not validate that coherence at
parse time, so the test now fails to see any throwable. The actual
security check happens at Algorithm::verify() time and is covered by
testVerifyEd25519KeyAgainstES256Alg right above it. Skip the parse-time
test with a comment pointing at the verify-time coverage.
Signed-off-by: Micke Nordin <kano@sunet.se>
Apps implementing OCM endpoints via OCMEndpointRequestEvent (e.g.
SUNET/nextcloud-ocm_request_share for request-share, nextcloud/contacts
for invite-accepted) need to apply the same identity check that the
built-in addShare and receiveNotification handlers apply, so it makes
sense to make it publicly accessible.
It also allows us to refactor RequestHandlerController::confirmSignedOrigin
to use the new public method and drop the confirmNotificationIdentity helper.
Signed-off-by: Micke Nordin <kano@sunet.se>
This commit switches the default signature algorithm to
ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium
optional again, and we only pull it in to use it for verifying incomming
signatures. If sodium is not installed, we throw on Ed25519 signatures
instead. At least it is easy for most people to make their Nextcloud
install fully RFC compliant by installing sodium.
I also renamed all the Ed25519 function names to be more precis, using
Jwks for the JSON Web Keys, and RFC9421 for the http-signature code,
where it is needed to distinguish from draft-cavage signatures.
Signed-off-by: Micke Nordin <kano@sunet.se>
Throw when one of the headers are empty
Enumerate all the allowed algorithms in th NATIVE constant
Co-authored-by: Carl Schwan <carl@carlschwan.eu>
Signed-off-by: Micke Nordin <kano@sunet.se>
Use constants instead of 0/1
Also fix PHPDoc to use correct return values.
Co-authored-by: Carl Schwan <carl@carlschwan.eu>
Signed-off-by: Micke Nordin <kano@sunet.se>
ocm:keys:list list known keys with their slot and kid
ocm:keys:stage generate a pending key, advertise via JWKS
ocm:keys:activate promote pending -> active, demote previous active
ocm:keys:retire delete the retiring key (kid stops resolving)
Plus the autoloader regen covering the new classes from this branch.
Signed-off-by: Micke Nordin <kano@sunet.se>
OCM dual-stack integration of RFC 9421 alongside the existing cavage
publicKey path:
- OCMSignatoryManager: Ed25519 active/pending/retiring slot rotation
backed by numbered pool appkeys, getRemoteKey for inbound JWK lookup
with per-origin cache + cache-miss refetch, and getLocalEd25519Jwks
for the JWKS endpoint.
- Rfc9421SignatoryManager: per-call wrapper that swaps in the Ed25519
signatory and toggles `rfc9421.format`.
- OCMJwksHandler: serves /.well-known/jwks.json (RFC 7517) when signing
is enabled.
- OCMDiscoveryService: advertises `http-sig` in capabilities when
signing is enabled, and picks the signature scheme on outbound based
on the remote's advertised capabilities.
- Application.php: register the JWKS well-known handler.
Signed-off-by: Micke Nordin <kano@sunet.se>
Add Manager::generateEd25519AppKey: persist a sodium-generated
Ed25519 keypair (raw 32-byte public, 64-byte secret) under the same
appdata layout the existing RSA path uses. Used by OCMSignatoryManager
for the slotted RFC 9421 signing keys.
Signed-off-by: Micke Nordin <kano@sunet.se>
Add the RFC 9421 (HTTP Message Signatures) sign/verify path alongside
the existing draft-cavage implementation:
- Algorithm: sodium for Ed25519, JWT::sign for RSA / ECDSA, ecdsaRawToDer
for the ECDSA wire format. JWK parsing via JWK::parseKey.
- SignatureBase: RFC 9421 §2.5 base construction for the derived
components OCM uses plus plain HTTP fields.
- ContentDigest: RFC 9530 helpers used as a covered component.
- Rfc9421IncomingSignedRequest / Rfc9421OutgoingSignedRequest:
request models. Parsing of Signature-Input / Signature delegates
to gapple\\StructuredFields\\Parser.
- IJwkResolvingSignatoryManager: capability bit signatory managers
advertise to participate in RFC 9421 verification.
- OcmProfile: OCM-mandated dictionary label.
- SignatureManager: dispatch to RFC 9421 inbound when Signature-Input
is present, outbound when rfc9421.format is set.
Plus tests for each primitive and a full round-trip across the model.
Signed-off-by: Micke Nordin <kano@sunet.se>
Promote ext-sodium from recommended to required so RFC 9421 Ed25519
signing/verifying can rely on libsodium unconditionally. Add the
matching openssl + sodium psalm stubs.
Signed-off-by: Micke Nordin <kano@sunet.se>
Anna
Andy Scherzinger
rakekniven
Stephan Orbaugh
Louis
nextcloud-command
Ferdinand Thiessen
Kate
github-actions[bot]
Julius Knorr
dependabot[bot]
Nextcloud bot
Micke Nordin
Peter Ringelmann
F. E Noel Nfebe
Micke Nordin