Merge pull request #3101 from nextcloud/backport/3079/stable32

nickvergessen · web-flow · commit 44d9d5500f0c · 2026-06-15T08:57:06.000+02:00
[stable32] chore: extend testing of `encryptAndSign` and make the methods discoverable by psalm
diff --git a/lib/Push.php b/lib/Push.php
@@ -296,7 +296,7 @@ public function pushToDevice(int $id, INotification $notification): void {
 			}
 
 			try {
-				$payload = json_encode($this->encryptAndSign($userKey, $device, $id, $notification, $isTalkNotification), JSON_THROW_ON_ERROR);
+				$payload = json_encode($this->encryptAndSign($userKey->getPrivate(), $device, $id, $notification, $isTalkNotification), JSON_THROW_ON_ERROR);
 
 				$proxyServer = rtrim($device['proxyserver'], '/');
 				if (!isset($this->payloadsToSend[$proxyServer])) {
@@ -393,7 +393,7 @@ public function pushDeleteToDevice(string $userId, ?array $notificationIds, stri
 				}
 
 				if ($deleteAll) {
-					$data = $this->encryptAndSignDelete($userKey, $device, null);
+					$data = $this->encryptAndSignDelete($userKey->getPrivate(), $device, null);
 					try {
 						$this->payloadsToSend[$proxyServer][] = json_encode($data['payload'], JSON_THROW_ON_ERROR);
 					} catch (\JsonException $e) {
@@ -403,7 +403,7 @@ public function pushDeleteToDevice(string $userId, ?array $notificationIds, stri
 					$temp = $notificationIds;
 
 					while (!empty($temp)) {
-						$data = $this->encryptAndSignDelete($userKey, $device, $temp);
+						$data = $this->encryptAndSignDelete($userKey->getPrivate(), $device, $temp);
 						$temp = $data['remaining'];
 						try {
 							$this->payloadsToSend[$proxyServer][] = json_encode($data['payload'], JSON_THROW_ON_ERROR);
@@ -602,7 +602,7 @@ protected function callSafelyForToken(IToken $token, string $method): ?int {
 	}
 
 	/**
-	 * @param Key $userKey
+	 * @param string $userPrivateKey
 	 * @param array $device
 	 * @param int $id
 	 * @param INotification $notification
@@ -612,7 +612,7 @@ protected function callSafelyForToken(IToken $token, string $method): ?int {
 	 * @throws InvalidTokenException
 	 * @throws \InvalidArgumentException
 	 */
-	protected function encryptAndSign(Key $userKey, array $device, int $id, INotification $notification, bool $isTalkNotification): array {
+	protected function encryptAndSign(string $userPrivateKey, array $device, int $id, INotification $notification, bool $isTalkNotification): array {
 		$data = [
 			'nid' => $id,
 			'app' => $notification->getApp(),
@@ -621,9 +621,11 @@ protected function encryptAndSign(Key $userKey, array $device, int $id, INotific
 			'id' => $notification->getObjectId(),
 		];
 
+		$jsonData = (string)json_encode($data);
+
 		// Max length of encryption is ~240, so we need to make sure the subject is shorter.
 		// Also, subtract two for encapsulating quotes will be added.
-		$maxDataLength = 200 - strlen(json_encode($data)) - 2;
+		$maxDataLength = 200 - strlen($jsonData) - 2;
 		$data['subject'] = Util::shortenMultibyteString($notification->getParsedSubject(), $maxDataLength);
 		if ($notification->getParsedSubject() !== $data['subject']) {
 			$data['subject'] .= '…';
@@ -641,17 +643,17 @@ protected function encryptAndSign(Key $userKey, array $device, int $id, INotific
 		}
 
 		$this->printInfo('Device public key size: ' . strlen($device['devicepublickey']));
-		$this->printInfo('Data to encrypt is: ' . json_encode($data));
+		$this->printInfo('Data to encrypt is: ' . $jsonData);
 
 		$padding = $this->appConfig->getAppValueString('push_encryption_padding', 'PKCS1') === 'OAEP' ? OPENSSL_PKCS1_OAEP_PADDING : OPENSSL_PKCS1_PADDING;
-		if (!openssl_public_encrypt(json_encode($data), $encryptedSubject, $device['devicepublickey'], $padding)) {
-			$error = openssl_error_string();
+		if (!openssl_public_encrypt($jsonData, $encryptedSubject, $device['devicepublickey'], $padding)) {
+			$error = openssl_error_string() ?: 'Unknown OpenSSL error';
 			$this->log->error($error, ['app' => 'notifications']);
 			$this->printInfo('<error>Error while encrypting data: "' . $error . '"</error>');
 			throw new \InvalidArgumentException('Failed to encrypt message for device');
 		}
 
-		if (openssl_sign($encryptedSubject, $signature, $userKey->getPrivate(), OPENSSL_ALGO_SHA512)) {
+		if (openssl_sign($encryptedSubject, $signature, $userPrivateKey, OPENSSL_ALGO_SHA512)) {
 			$this->printInfo('Signed encrypted push subject');
 		} else {
 			$this->printInfo('<error>Failed to signed encrypted push subject</error>');
@@ -670,15 +672,15 @@ protected function encryptAndSign(Key $userKey, array $device, int $id, INotific
 	}
 
 	/**
-	 * @param Key $userKey
+	 * @param string $userPrivateKey
 	 * @param array $device
 	 * @param ?int[] $ids
 	 * @return array
-	 * @psalm-return array{remaining: list<int>, payload: array{deviceIdentifier: string, pushTokenHash: string, subject: string, signature: string, priority: string, type: string}}
+	 * @psalm-return array{remaining: array<array-key, int>, payload: array{deviceIdentifier: string, pushTokenHash: string, subject: string, signature: string, priority: string, type: string}}
 	 * @throws InvalidTokenException
 	 * @throws \InvalidArgumentException
 	 */
-	protected function encryptAndSignDelete(Key $userKey, array $device, ?array $ids): array {
+	protected function encryptAndSignDelete(string $userPrivateKey, array $device, ?array $ids): array {
 		$remainingIds = [];
 		if ($ids === null) {
 			$data = [
@@ -698,12 +700,13 @@ protected function encryptAndSignDelete(Key $userKey, array $device, ?array $ids
 		}
 
 		$padding = $this->appConfig->getAppValueString('push_encryption_padding', 'PKCS1') === 'OAEP' ? OPENSSL_PKCS1_OAEP_PADDING : OPENSSL_PKCS1_PADDING;
-		if (!openssl_public_encrypt(json_encode($data), $encryptedSubject, $device['devicepublickey'], $padding)) {
-			$this->log->error(openssl_error_string(), ['app' => 'notifications']);
+		if (!openssl_public_encrypt(json_encode($data, JSON_THROW_ON_ERROR), $encryptedSubject, $device['devicepublickey'], $padding)) {
+			$error = openssl_error_string() ?: 'Unknown OpenSSL error';
+			$this->log->error($error, ['app' => 'notifications']);
 			throw new \InvalidArgumentException('Failed to encrypt message for device');
 		}
 
-		openssl_sign($encryptedSubject, $signature, $userKey->getPrivate(), OPENSSL_ALGO_SHA512);
+		openssl_sign($encryptedSubject, $signature, $userPrivateKey, OPENSSL_ALGO_SHA512);
 		$base64EncryptedSubject = base64_encode($encryptedSubject);
 		$base64Signature = base64_encode($signature);
 
diff --git a/tests/Unit/PushTest.php b/tests/Unit/PushTest.php
@@ -434,16 +434,18 @@ public function testPushToDeviceNoFairUse(): void {
 
 	public static function dataPushToDeviceSending(): array {
 		return [
-			[true],
-			[false],
+			[true, 'PKCS1'],
+			[true, 'OAEP'],
+			[false, 'PKCS1'],
+			[false, 'OAEP'],
 		];
 	}
 
 	/**
 	 * @dataProvider dataPushToDeviceSending
 	 */
-	public function testPushToDeviceSending(bool $isDebug): void {
-		$push = $this->getPush(['createFakeUserObject', 'getDevicesForUser', 'encryptAndSign', 'deletePushToken', 'validateToken', 'deletePushTokenByDeviceIdentifier']);
+	public function testPushToDeviceSending(bool $isDebug, string $padding): void {
+		$push = $this->getPush(['createFakeUserObject', 'getDevicesForUser', 'deletePushToken', 'validateToken', 'deletePushTokenByDeviceIdentifier']);
 
 		/** @var INotification&MockObject $notification */
 		$notification = $this->createMock(INotification::class);
@@ -459,38 +461,66 @@ public function testPushToDeviceSending(bool $isDebug): void {
 			->with('valid')
 			->willReturn($user);
 
+		$devicePublicKey = '-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1SN9sDJGNifnEv/y1UkP
+tggJA0xks5b0WN/Ida3GYK4Zy/ZWTa3wAknCerKkZC2rrFbcP55HA/oSp8fuUJC3
+q4b59znuhGoQtvvdAwUx6qSIPheAGs/gfMpNWO/bfH02oBu+98eTkxciuNKPxBFk
+wRdSSUxsHwkzCOw+er6oxriVSkc7tsNVaXg+ZpzW15cUQugjT6JDDjg5ftSeGsLj
+VV70QXge4uD3ege/lsa1N8iUVCjeMJHobyQm/hhGE990b6BzTgOIC1pGsOPbOsZB
+/5n54G4EUX9dixSSF90fDJs83GWQ+AIjf/uHmj3vFMe1bnqIwq9P17+IWe5x9Z04
+FQIDAQAB
+-----END PUBLIC KEY-----';
+
 		$push->expects($this->once())
 			->method('getDevicesForUser')
 			->willReturn([
 				[
 					'proxyserver' => 'proxyserver1',
 					'token' => 16,
 					'apptype' => 'other',
+					'devicepublickey' => $devicePublicKey,
+					'deviceidentifier' => 'ident16',
+					'pushtokenhash' => 'hash16',
 				],
 				[
 					'proxyserver' => 'proxyserver1/',
 					'token' => 23,
 					'apptype' => 'other',
+					'devicepublickey' => $devicePublicKey,
+					'deviceidentifier' => 'ident23',
+					'pushtokenhash' => 'hash23',
 				],
 				[
 					'proxyserver' => 'badrequest',
 					'token' => 42,
 					'apptype' => 'other',
+					'devicepublickey' => $devicePublicKey,
+					'deviceidentifier' => 'ident42',
+					'pushtokenhash' => 'hash42',
 				],
 				[
 					'proxyserver' => 'unavailable',
 					'token' => 48,
 					'apptype' => 'other',
+					'devicepublickey' => $devicePublicKey,
+					'deviceidentifier' => 'ident48',
+					'pushtokenhash' => 'hash48',
 				],
 				[
 					'proxyserver' => 'ok',
 					'token' => 64,
 					'apptype' => 'other',
+					'devicepublickey' => $devicePublicKey,
+					'deviceidentifier' => 'ident64',
+					'pushtokenhash' => 'hash64',
 				],
 				[
 					'proxyserver' => 'badrequest-with-devices',
 					'token' => 128,
 					'apptype' => 'other',
+					'devicepublickey' => $devicePublicKey,
+					'deviceidentifier' => 'ident128',
+					'pushtokenhash' => 'hash128',
 				],
 			]);
 
@@ -506,6 +536,12 @@ public function testPushToDeviceSending(bool $isDebug): void {
 				['support', 'subscription_key', '', ''],
 			]);
 
+		$this->appConfig
+			->expects($this->exactly(6))
+			->method('getAppValueString')
+			->with('push_encryption_padding', 'PKCS1')
+			->willReturn($padding);
+
 		$this->l10nFactory
 			->method('getUserLanguage')
 			->with($user)
@@ -519,6 +555,36 @@ public function testPushToDeviceSending(bool $isDebug): void {
 		/** @var Key&MockObject $key */
 		$key = $this->createMock(Key::class);
 
+		$key->method('getPrivate')
+			->willReturn('-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCkGi7rj6BWi9U8
+lptb1rBKVFENFJjq690Ap8wAdR9cxGYE+nzdFxlcRxh17GwyWaBDEPWtL5WDPxi0
+8XjQWpwfYFzjMLLzGMZaj7Jiam5rJM12qFEvYyw9s26LzebeLTzvp28L2TIWCswi
+dM0OvrYGGvL9f+N+6Oev5cwiSJk0WrHceL+P/wFH3mmOdOBHmKkofeDZoS1XkNOE
+o1EpwepvDibUjc3vHPk1IHg4hsfKk1O9+uHiBf9xqm//M9MKrM9mlOButbo2bOhu
+1YN/2wKww7bU/c7JYgVeljpfN0sMuKmhMiuje2KqOU8v8yIREkKMyxd4+B+s3eNG
+PdVBf57FAgMBAAECggEAAMegdOm3xPyXMk+f0yNlh5kzDKE1itCL4aYIA6LZnLmp
+bHHJWZI4kTT1IHPdgDeYlPBjgAOuEFEsjhLySoXwoF4BIIgErCKD9xa9pBIojmVm
+LovlNfFlvScDKgsjUed+5ZguDLcYO7gyQvqTzS6ivXzq6TezeVDfeUgBTg3JG6n/
+BjgIek1jV4q9OrQTOdR3eAPwW6pbLG820OB87Cx/A0JHdEgCevFCHmMUbk7yXQrh
+W/JwTrnV66LBPjSWQcsHUNWrl2nqV08BYoC1uy32uTpUlejCdWDuHuB1DYOpn0KY
+nyiVTNF/MZ0E9sOsKKgbodBz4n3cc6v7NckpFpKMHwKBgQDUeaakKYwatNg6YEHP
+OB3iH62bAe7Ej6vg0EPYgr6fzRjAETzTrpZZfzmrGwTxFBczFrx8hOPsyDkpiEU5
+77L90jMOb9NSasjS8Pv0GM2LY/8H8Ck4RwXF/E3maSbc2bAY9ZXH6m82YW6iHnfc
+G9L0xVCq549axd1tWUnXdukiuwKBgQDFt9KDtlwMutuQOj+Eup7L0sMAxO4jlghH
+hTxSAqQ5mlodbQhULXRk4QWGMjjKG0y4XY2rw+VgBQzFT8W3jlThR3BMWKNv3P+M
+zlzkoxcoOio7K25im4Yb0NheOnaxaqhLcRwXcxa5E9kn+108xYIYAACZgmkZo7ab
+PCoQicnsfwKBgAzyEIYmBeRGqnn8DWZru95gIbq1BnAxdL5w0gFqDeU8oMprAnK/
+S2fOiZv0PHvXxoYVV4yaqCxwEpOGOvmJsjUmzneNtqlp2iyIBEHeFP/uKsa4Cjrk
+kOR8N97W/0grd0A+Dk8s6HO+wffctV7SzyqcrwqKq0BTl+cmrooTM6crAoGATjjT
+iFh1QnQKuZzR1GkgufLAQ2Wl8V5CGEmV+7wfzMpMLKgeS29QRTjhPp5P6WWzjJ02
+l2YBMWPOEaHlzyD4Y8gnnYzT3EXKtKJQDgSX/MpGOvKL0WdGP2r4rw7iNn7D5lTx
+kDVwH/jCSRchZBGfzm7xzcnSWtpyPCgpXDGnOXECgYEAyqDrBeKlUDDltoe6xs4K
+gEG+V5E5cwZqvSoOlYHqbtP9Dms6z6G8TvPZblwlbgwXFofrd5LN/vK3pZPiU5Y+
+sd7MhWnjKf7EX9GJD0VhLabFY/KrloJkyL7gOY21xFvmnNqwvH60eOxbVPzlYjaN
+96rK6qkqEdUgXj0CpJZHAMw=
+-----END PRIVATE KEY-----');
+
 		$this->keyManager->expects($this->once())
 			->method('getKey')
 			->with($user)
@@ -528,10 +594,6 @@ public function testPushToDeviceSending(bool $isDebug): void {
 			->method('validateToken')
 			->willReturn(true);
 
-		$push->expects($this->exactly(6))
-			->method('encryptAndSign')
-			->willReturn(['Payload']);
-
 		$push->expects($this->never())
 			->method('deletePushToken');
 
diff --git a/tests/psalm-baseline.xml b/tests/psalm-baseline.xml
@@ -27,8 +27,6 @@
       <code><![CDATA[$this->keyManager]]></code>
       <code><![CDATA[$this->tokenProvider]]></code>
       <code><![CDATA[ClientException]]></code>
-      <code><![CDATA[Key]]></code>
-      <code><![CDATA[Key]]></code>
       <code><![CDATA[ServerException]]></code>
       <code><![CDATA[protected]]></code>
       <code><![CDATA[protected]]></code>
