feat(ocm): advertise exchange-token capability and token endpoint

Co-authored-by: Micke Nordin <kano@sunet.se>
Signed-off-by: Micke Nordin <kano@sunet.se>
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>

Author: enriquepablo

lib/private/Federation/CloudFederationFactory.php

@@ -9,8 +9,18 @@
 use OCP\Federation\ICloudFederationFactory;
 use OCP\Federation\ICloudFederationNotification;
 use OCP\Federation\ICloudFederationShare;
+use OCP\Federation\ICloudIdManager;
+use OCP\OCM\Exceptions\OCMProviderException;
+use OCP\OCM\IOCMDiscoveryService;
+use Psr\Log\LoggerInterface;
 
 class CloudFederationFactory implements ICloudFederationFactory {
+	public function __construct(
+		private IOCMDiscoveryService $ocmDiscoveryService,
+		private ICloudIdManager $cloudIdManager,
+		private LoggerInterface $logger,
+	) {
+	}
 	/**
 	 * get a CloudFederationShare Object to prepare a share you want to send
 	 *
@@ -31,7 +41,51 @@ class CloudFederationFactory implements ICloudFederationFactory {
 	 */
 	#[\Override]
 	public function getCloudFederationShare($shareWith, $name, $description, $providerId, $owner, $ownerDisplayName, $sharedBy, $sharedByDisplayName, $sharedSecret, $shareType, $resourceType) {
-		return new CloudFederationShare($shareWith, $name, $description, $providerId, $owner, $ownerDisplayName, $sharedBy, $sharedByDisplayName, $shareType, $resourceType, $sharedSecret);
+		$useExchangeToken = false;
+		$remoteDomain = null;
+
+		try {
+			$cloudId = $this->cloudIdManager->resolveCloudId($shareWith);
+			$remoteDomain = $cloudId->getRemote();
+
+			try {
+				$remoteProvider = $this->ocmDiscoveryService->discover($remoteDomain);
+				$capabilities = $remoteProvider->getCapabilities();
+				$useExchangeToken = $capabilities->hasExchangeToken();
+
+				$this->logger->debug('OCM provider capabilities discovered', [
+					'remote' => $remoteDomain,
+					'capabilities' => $capabilities->toArray(),
+					'useExchangeToken' => $useExchangeToken,
+				]);
+			} catch (OCMProviderException $e) {
+				$this->logger->warning('Failed to discover OCM provider, using legacy share method', [
+					'remote' => $remoteDomain,
+					'exception' => $e->getMessage(),
+				]);
+			}
+		} catch (\InvalidArgumentException $e) {
+			$this->logger->warning('Invalid cloud ID format, using legacy share method', [
+				'shareWith' => $shareWith,
+				'exception' => $e->getMessage(),
+			]);
+		}
+
+		return new CloudFederationShare(
+			$shareWith,
+			$name,
+			$description,
+			$providerId,
+			$owner,
+			$ownerDisplayName,
+			$sharedBy,
+			$sharedByDisplayName,
+			$shareType,
+			$resourceType,
+			$sharedSecret,
+			$useExchangeToken,
+			$remoteDomain
+		);
 	}
 
 	/**

lib/private/Federation/CloudFederationShare.php

@@ -40,6 +40,8 @@ class CloudFederationShare implements ICloudFederationShare {
 	 * @param string $shareType ('group' or 'user' share)
 	 * @param string $resourceType ('file', 'calendar',...)
 	 * @param string $sharedSecret
+	 * @param bool $useExchangeToken whether to use exchange-token protocol (new way) or sharedSecret (old way)
+	 * @param string|null $remoteDomain remote domain for constructing webdav URI
 	 */
 	public function __construct($shareWith = '',
 		$name = '',
@@ -52,6 +54,8 @@ public function __construct($shareWith = '',
 		$shareType = '',
 		$resourceType = '',
 		$sharedSecret = '',
+		$useExchangeToken = false,
+		$remoteDomain = null,
 	) {
 		$this->setShareWith($shareWith);
 		$this->setResourceName($name);
@@ -61,13 +65,27 @@ public function __construct($shareWith = '',
 		$this->setOwnerDisplayName($ownerDisplayName);
 		$this->setSharedBy($sharedBy);
 		$this->setSharedByDisplayName($sharedByDisplayName);
-		$this->setProtocol([
-			'name' => 'webdav',
-			'options' => [
-				'sharedSecret' => $sharedSecret,
-				'permissions' => '{http://open-cloud-mesh.org/ns}share-permissions'
-			]
-		]);
+
+		if ($useExchangeToken) {
+			$webdavUri = $remoteDomain ? 'https://' . $remoteDomain . '/public.php/webdav/' : '';
+			$this->setProtocol([
+				'name' => 'webdav',
+				'webdav' => [
+					'uri' => $webdavUri,
+					'sharedSecret' => $sharedSecret,
+					'permissions' => ['{http://open-cloud-mesh.org/ns}share-permissions']
+				]
+			]);
+		} else {
+			$this->setProtocol([
+				'name' => 'webdav',
+				'options' => [
+					'sharedSecret' => $sharedSecret,
+					'permissions' => '{http://open-cloud-mesh.org/ns}share-permissions'
+				]
+			]);
+		}
+
 		$this->setShareType($shareType);
 		$this->setResourceType($resourceType);
 	}
@@ -351,7 +369,19 @@ public function getShareType() {
 	 */
 	#[\Override]
 	public function getShareSecret() {
-		return $this->share['protocol']['options']['sharedSecret'];
+		$protocol = $this->share['protocol'];
+		if (isset($protocol['options']['sharedSecret'])) {
+			return $protocol['options']['sharedSecret'];
+		}
+
+		if (isset($protocol['name'])) {
+			$protocolName = $protocol['name'];
+			if (isset($protocol[$protocolName]['sharedSecret'])) {
+				return $protocol[$protocolName]['sharedSecret'];
+			}
+		}
+
+		return '';
 	}
 
 	/**

lib/private/OCM/Model/OCMProvider.php

@@ -13,6 +13,7 @@
 use OCP\OCM\Exceptions\OCMProviderException;
 use OCP\OCM\IOCMProvider;
 use OCP\OCM\IOCMResource;
+use OCP\OCM\OCMCapabilities;
 use OCP\Security\Signature\Model\Signatory;
 
 /**
@@ -24,6 +25,7 @@ class OCMProvider implements IOCMProvider {
 	private string $inviteAcceptDialog = '';
 	private array $capabilities = [];
 	private string $endPoint = '';
+	private string $tokenEndPoint = '';
 	/** @var IOCMResource[] */
 	private array $resourceTypes = [];
 	private ?Signatory $signatory = null;
@@ -119,6 +121,29 @@ public function getEndPoint(): string {
 		return $this->endPoint;
 	}
 
+	/**
+	 * @param string $tokenEndPoint
+	 *
+	 * @return $this
+	 */
+	#[\Override]
+	public function setTokenEndPoint(string $endPoint): static {
+		$this->tokenEndPoint = $endPoint;
+
+		return $this;
+	}
+
+	/**
+	 * @return string
+	 */
+	#[\Override]
+	public function getTokenEndPoint(): string {
+		if (in_array('exchange-token', $this->capabilities)) {
+			return $this->tokenEndPoint;
+		}
+		return '';
+	}
+
 	/**
 	 * @return string
 	 */
@@ -141,12 +166,9 @@ public function setCapabilities(array $capabilities): static {
 		return $this;
 	}
 
-	/**
-	 * @return array
-	 */
 	#[\Override]
-	public function getCapabilities(): array {
-		return $this->capabilities;
+	public function getCapabilities(): OCMCapabilities {
+		return new OCMCapabilities($this->capabilities);
 	}
 
 	/**
@@ -268,6 +290,12 @@ public function import(array $data): static {
 				$this->setSignatory($signatory);
 			}
 		}
+		if (isset($data['capabilities'])) {
+			$this->setCapabilities($data['capabilities']);
+		}
+		if (isset($data['tokenEndPoint'])) {
+			$this->setTokenEndPoint($data['tokenEndPoint']);
+		}
 
 		if (!$this->looksValid()) {
 			throw new OCMProviderException('remote provider does not look valid');
@@ -304,9 +332,12 @@ public function jsonSerialize(): array {
 			'resourceTypes' => $resourceTypes
 		];
 
-		$capabilities = $this->getCapabilities();
-		if ($capabilities) {
-			$response['capabilities'] = $capabilities;
+		if ($this->capabilities !== []) {
+			$response['capabilities'] = $this->capabilities;
+		}
+		$tokenEndpoint = $this->getTokenEndPoint();
+		if ($tokenEndpoint) {
+			$response['tokenEndPoint'] = $tokenEndpoint;
 		}
 		$inviteAcceptDialog = $this->getInviteAcceptDialog();
 		if ($inviteAcceptDialog !== '') {

lib/private/OCM/OCMDiscoveryService.php

@@ -50,7 +50,7 @@
 #[Consumable(since: '28.0.0')]
 final class OCMDiscoveryService implements IOCMDiscoveryService {
 	private ICache $cache;
-	public const API_VERSION = '1.1.0';
+	public const API_VERSION = '1.1.2';
 	private ?IOCMProvider $localProvider = null;
 	/** @var array<string, IOCMProvider> */
 	private array $remoteProviders = [];
@@ -94,6 +94,7 @@ public function discover(string $remote, bool $skipCache = false): IOCMProvider
 		}
 
 		if (array_key_exists($remote, $this->remoteProviders)) {
+
 			return $this->remoteProviders[$remote];
 		}
 
@@ -130,7 +131,6 @@ public function discover(string $remote, bool $skipCache = false): IOCMProvider
 				$remote . '/ocm-provider',
 			];
 
-
 			foreach ($urls as $url) {
 				$exception = null;
 				$body = null;
@@ -195,6 +195,7 @@ public function getLocalOCMProvider(bool $fullDetails = true): IOCMProvider {
 		}
 
 		$url = $this->urlGenerator->linkToRouteAbsolute('cloud_federation_api.requesthandlercontroller.addShare');
+		$tokenUrl = $this->urlGenerator->linkToRouteAbsolute('cloud_federation_api.Token.accessToken');
 		$pos = strrpos($url, '/');
 		if ($pos === false) {
 			$this->logger->debug('generated route should contain a slash character');
@@ -206,7 +207,8 @@ public function getLocalOCMProvider(bool $fullDetails = true): IOCMProvider {
 		$provider->setEnabled(true);
 		$provider->setApiVersion(self::API_VERSION);
 		$provider->setEndPoint(substr($url, 0, $pos));
-		$provider->setCapabilities(['invite-accepted', 'notifications', 'shares']);
+		$provider->setCapabilities(['invite-accepted', 'notifications', 'shares', 'exchange-token']);
+		$provider->setTokenEndPoint($tokenUrl);
 		if ($signingEnabled) {
 			$provider->setCapabilities(['http-sig']);
 		}

lib/private/Server.php

@@ -1206,7 +1206,11 @@ public function __construct(
 		$this->registerAlias(\OCP\GlobalScale\IConfig::class, \OC\GlobalScale\Config::class);
 		$this->registerAlias(ICloudFederationProviderManager::class, CloudFederationProviderManager::class);
 		$this->registerService(ICloudFederationFactory::class, function (Server $c) {
-			return new CloudFederationFactory();
+			return new CloudFederationFactory(
+				$c->get(\OCP\OCM\IOCMDiscoveryService::class),
+				$c->get(\OCP\Federation\ICloudIdManager::class),
+				$c->get(\Psr\Log\LoggerInterface::class)
+			);
 		});
 
 		$this->registerAlias(IControllerMethodReflector::class, ControllerMethodReflector::class);

lib/public/OCM/ICapabilityAwareOCMProvider.php

@@ -15,4 +15,23 @@
  * @deprecated 33.0.0 {@see IOCMProvider}
  */
 interface ICapabilityAwareOCMProvider extends IOCMProvider {
+	/**
+	 * get the token endpoint URL
+	 *
+	 * @return string
+	 * @since 32.0.0
+	 */
+	#[\Override]
+	public function getTokenEndPoint(): string;
+
+	/**
+	 * set the token endpoint URL
+	 *
+	 * @param string $endPoint
+	 *
+	 * @return $this
+	 * @since 32.0.0
+	 */
+	#[\Override]
+	public function setTokenEndPoint(string $endPoint): static;
 }

lib/public/OCM/IOCMProvider.php

@@ -110,12 +110,11 @@ public function setResourceTypes(array $resourceTypes): static;
 	public function getResourceTypes(): array;
 
 	/**
-	 * get the capabilities
+	 * get the capabilities advertised by this provider
 	 *
-	 * @return array
 	 * @since 33.0.0
 	 */
-	public function getCapabilities(): array;
+	public function getCapabilities(): OCMCapabilities;
 
 	/**
 	 * return if provider supports $capability
@@ -158,8 +157,25 @@ public function setCapabilities(array $capabilities): static;
 	 * @return $this
 	 * @since 33.0.0
 	 */
-
 	public function setInviteAcceptDialog(string $inviteAcceptDialog): static;
+
+	/**
+	 * get the token endpoint URL
+	 *
+	 * @return string
+	 * @since 33.0.0
+	 */
+	public function getTokenEndPoint(): string;
+
+	/**
+	 * set the token endpoint URL
+	 *
+	 * @param string $endPoint
+	 *
+	 * @return $this
+	 * @since 33.0.0
+	 */
+	public function setTokenEndPoint(string $endPoint): static;
 	/**
 	 * extract a specific string value from the listing of protocols, based on resource-name and protocol-name
 	 *