Merge pull request #79 from CollaboraOnline/issue-75-wopi-proof

Issue #75: WOPI proof
CollaboraOnline · Jan 8, 2025 · 2dc47be · 2dc47be
2 parents 0869615 + 2d0896c
commit 2dc47be
Show file tree

Hide file tree

Showing 23 changed files with 1,268 additions and 323 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -61,6 +61,13 @@ jobs:
         run: |
           docker-compose exec -T web ./vendor/bin/phpcs -s
 
+      - name: Generate proof key
+        run: |
+          set -x
+          docker-compose exec -T collabora coolconfig generate-proof-key
+          # Collabora becomes unavailable after the above command.
+          docker-compose restart collabora
+
       - name: Drupal site install
         run: |
           docker-compose exec -T web ./vendor/bin/run drupal:site-install

diff --git a/README.md b/README.md
@@ -21,7 +21,14 @@ For a local demo or test installation, [see below](#development--demo-installati
 - (optional) For the 'Collabora Online Group' sub-module, you also need the
   [Group](https://drupa.org/project/group) and [Group Media](https://drupa.org/project/groupmedia) modules.
 
-### Installation steps
+### Collabora Online server preparation
+
+It is recommended to generate a proof key as documented here:\
+https://sdk.collaboraonline.com/docs/advanced_integration.html#wopi-proof
+
+If not, the proof mechanism needs to be disabled in the module settings.
+
+### Module installation steps
 
 See the [Drupal guide to install
 modules](https://www.drupal.org/docs/extending-drupal/installing-modules).
@@ -39,7 +46,7 @@ field in the `composer.json` of your project.
 Then you can go into Drupal logged as an admin and go to _Extend_. In
 the list you should be able to find _Collabora Online_ and enable it.
 
-From there you can access the module specific configuration.
+From there you can access the module-specific configuration.
 
 Please check the "Configuration" section below!
 
@@ -69,6 +76,9 @@ docker-compose up -d
 
 docker-compose exec web composer install
 docker-compose exec web ./vendor/bin/run drupal:site-install
+
+docker-compose exec collabora coolconfig generate-proof-key
+docker-compose restart collabora
 ```
 
 Optionally, generate an admin login link.

diff --git a/collabora_online.post_update.php b/collabora_online.post_update.php
@@ -0,0 +1,24 @@
+<?php
+
+/*
+ * Copyright the Collabora Online contributors.
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+declare(strict_types=1);
+
+/**
+ * Sets an initial value for the new 'wopi_proof' setting.
+ */
+function collabora_online_post_update_add_wopi_proof_setting(): void {
+  $config = \Drupal::configFactory()->getEditable('collabora_online.settings');
+  $cool_settings = $config->get('cool') ?? [];
+  $cool_settings['wopi_proof'] ??= TRUE;
+  $config->set('cool', $cool_settings);
+  $config->save();
+}
diff --git a/collabora_online.routing.yml b/collabora_online.routing.yml
@@ -47,7 +47,8 @@ collabora-online.wopi.info:
     action: 'info'
   methods: [ GET ]
   requirements:
-    _permission: 'access content'
+    _collabora_online_wopi_access: 'TRUE'
+    _format: 'collabora_online_wopi'
   options:
     parameters:
       action:
@@ -62,7 +63,8 @@ collabora-online.wopi.contents:
     action: 'content'
   methods: [ GET ]
   requirements:
-    _permission: 'access content'
+    _collabora_online_wopi_access: 'TRUE'
+    _format: 'collabora_online_wopi'
   options:
     parameters:
       action:
@@ -77,7 +79,8 @@ collabora-online.wopi.save:
     action: 'save'
   methods: [ POST ]
   requirements:
-    _permission: 'access content'
+    _collabora_online_wopi_access: 'TRUE'
+    _format: 'collabora_online_wopi'
   options:
     parameters:
       action:

diff --git a/collabora_online.services.yml b/collabora_online.services.yml
@@ -12,3 +12,7 @@ services:
     class: Drupal\collabora_online\Jwt\JwtTranscoder
   Drupal\collabora_online\MediaHelperInterface:
     class: Drupal\collabora_online\MediaHelper
+  Drupal\collabora_online\EventSubscriber\ExceptionWopiSubscriber: { }
+  Drupal\collabora_online\Access\WopiProofAccessCheck:
+    tags:
+      - { name: access_check, applies_to: _collabora_online_wopi_access }
diff --git a/composer.json b/composer.json
@@ -12,7 +12,9 @@
     "require": {
         "php": ">=8.1",
         "drupal/key": "^1.19",
-        "firebase/php-jwt": "^6.10"
+        "firebase/php-jwt": "^6.10",
+        "phpseclib/phpseclib": "^3.0",
+        "symfony/error-handler": "^6.4|^7.1"
     },
     "require-dev": {
         "composer/installers": "^2",

diff --git a/config/install/collabora_online.settings.yml b/config/install/collabora_online.settings.yml
@@ -10,5 +10,6 @@ cool:
   access_token_ttl: 86400
   # Disable cert checks.
   disable_cert_check: false
+  wopi_proof: true
   # Allow fullscreen - Enabled by default for functionality.
   allowfullscreen: true
diff --git a/config/schema/collabora_online.schema.yml b/config/schema/collabora_online.schema.yml
@@ -21,6 +21,9 @@ collabora_online.settings:
         disable_cert_check:
           type: boolean
           label: 'Disable cert checks.'
+        wopi_proof:
+          type: boolean
+          label: 'Verify WOPI proof header and timestamp.'
         allowfullscreen:
           type: boolean
           label: 'Allow full-screen.'