
github.com/nextcloud/richdocuments.git - Unnamed repository; edit this file 'description' to name the repository.
authorRaul <raul@nextcloud.com>2022-05-02 18:14:08 +0300
committerRaul <raul@nextcloud.com>2022-05-02 18:14:08 +0300
commit102df3a6f580deea40e9dce25cd563ee753025eb (patch)
treeb3f6a5ab3e33545315ae1413973eec91555ef1a5 /lib
parent5a3c90dae931bfa70b0f86b18a07e92f81aee559 (diff)
parent67e2bb4b6ea9190f2405d8328ca782412afdbde9 (diff)
Merge branch 'master' into enh/file_versions/fix_behaviourenh/file_versions/fix_behaviour
Signed-off-by: Raul <raul@nextcloud.com> # Conflicts: # lib/Backgroundjobs/Cleanup.php # lib/Db/WopiMapper.php
Diffstat (limited to 'lib')
-rw-r--r--lib/AppConfig.php20
-rw-r--r--lib/Backgroundjobs/Cleanup.php1
-rw-r--r--lib/Controller/WopiController.php2
-rw-r--r--lib/Db/WopiMapper.php29
-rw-r--r--lib/Service/FederationService.php16
5 files changed, 47 insertions, 21 deletions
diff --git a/lib/AppConfig.php b/lib/AppConfig.php
index bcb2ef9d..c983c7c8 100644
--- a/lib/AppConfig.php
+++ b/lib/AppConfig.php
@@ -16,6 +16,10 @@ use \OCP\IConfig;
class AppConfig {
+ public const FEDERATION_USE_TRUSTED_DOMAINS = 'federation_use_trusted_domains';
+
+ public const SYSTEM_GS_TRUSTED_HOSTS = 'gs.trustedHosts';
+
private $defaults = [
'wopi_url' => '',
'timeout' => 15,
@@ -23,7 +27,7 @@ class AppConfig {
'watermark_allGroupsList' => [],
'watermark_allTagsList' => [],
'watermark_linkTagsList' => [],
-
+ 'token_ttl' => 36000, // 10 hours
];
const WATERMARK_APP_NAMESPACE = 'files';
@@ -107,4 +111,18 @@ class AppConfig {
return $result;
}
+ /**
+ * Returns a list of trusted domains from the gs.trustedHosts config
+ */
+ public function getTrustedDomains(): array {
+ return $this->config->getSystemValue(self::SYSTEM_GS_TRUSTED_HOSTS, []);
+ }
+
+ /**
+ * Returns if federation trusted domains should be always allowed for federated editing
+ */
+ public function isTrustedDomainAllowedForFederation(): bool {
+ return $this->config->getAppValue(Application::APPNAME, self::FEDERATION_USE_TRUSTED_DOMAINS, 'no') === 'yes';
+ }
+
}
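Review bot: `getTrustedDomains()` declares an `array` return but passes through whatever `gs.trustedHosts` holds in the system config, so a scalar value there (for example a single host written as a string) raises a TypeError instead of yielding an empty list. Since this list feeds the federation trust decision, normalise it here: `$hosts = $this->config->getSystemValue(self::SYSTEM_GS_TRUSTED_HOSTS, []);` followed by `return is_array($hosts) ? $hosts : [];`. The `!is_array($trustedList)` guard in the FederationService.php hunk runs after `array_merge()` and so cannot catch this case. The docblock could also say that the entries come from the system config, not the app config.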
diff --git a/lib/Backgroundjobs/Cleanup.php b/lib/Backgroundjobs/Cleanup.php
index 08128186..ce8d880a 100644
--- a/lib/Backgroundjobs/Cleanup.php
+++ b/lib/Backgroundjobs/Cleanup.php
@@ -32,6 +32,7 @@ class Cleanup extends TimedJob {
/** @var IDBConnection */
private $db;
+
/** @var $wopiMapper */
private $wopiMapper;
diff --git a/lib/Controller/WopiController.php b/lib/Controller/WopiController.php
index 18f4a8b9..7d57da67 100644
--- a/lib/Controller/WopiController.php
+++ b/lib/Controller/WopiController.php
@@ -208,7 +208,7 @@ class WopiController extends Controller {
'LastModifiedTime' => Helper::toISO8601($file->getMTime()),
'SupportsRename' => !$isVersion,
'UserCanRename' => !$isPublic && !$isVersion,
- 'EnableInsertRemoteImage' => true,
+ 'EnableInsertRemoteImage' => !$isPublic,
'EnableShare' => $file->isShareable() && !$isVersion,
'HideUserList' => '',
'DisablePrint' => $wopi->getHideDownload(),
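Review bot: The reason `EnableInsertRemoteImage` now depends on `!$isPublic` is not recorded next to the line, and `$isPublic` is assigned outside this hunk. A one-line comment above it would keep a later edit from turning the flag back on for link shares, e.g. `// Public link sessions must not get the remote image picker`; the wording should be confirmed by the author, since the intent is inferred from the change. It is also worth checking whether version views should follow the neighbouring flags and add `&& !$isVersion`, which cannot be decided from the visible lines.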
diff --git a/lib/Db/WopiMapper.php b/lib/Db/WopiMapper.php
index 3d09eed3..09bbf0ed 100644
--- a/lib/Db/WopiMapper.php
+++ b/lib/Db/WopiMapper.php
@@ -22,6 +22,7 @@
*/
namespace OCA\Richdocuments\Db;
+use OCA\Richdocuments\AppConfig;
use OCA\Richdocuments\Exceptions\ExpiredTokenException;
use OCA\Richdocuments\Exceptions\UnknownTokenException;
use OCP\AppFramework\Db\Mapper;
@@ -32,11 +33,6 @@ use OCP\ILogger;
use OCP\Security\ISecureRandom;
class WopiMapper extends Mapper {
- // Tokens expire after this many seconds.
- // 10 hours is the recommended value on the spec doc:
- // https://docs.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/rest/concepts#access_token_ttl
- const TOKEN_LIFETIME_SECONDS = 36000;
-
/** @var ISecureRandom */
private $random;
@@ -46,15 +42,20 @@ class WopiMapper extends Mapper {
/** @var ITimeFactory */
private $timeFactory;
+ /** @var AppConfig */
+ private $appConfig;
+
public function __construct(IDBConnection $db,
ISecureRandom $random,
ILogger $logger,
- ITimeFactory $timeFactory) {
+ ITimeFactory $timeFactory,
+ AppConfig $appConfig) {
parent::__construct($db, 'richdocuments_wopi', Wopi::class);
$this->random = $random;
$this->logger = $logger;
$this->timeFactory = $timeFactory;
+ $this->appConfig = $appConfig;
}
/**
@@ -79,7 +80,7 @@ class WopiMapper extends Mapper {
'canwrite' => $updatable,
'serverHost' => $serverHost,
'token' => $token,
- 'expiry' => $this->timeFactory->getTime() + self::TOKEN_LIFETIME_SECONDS,
+ 'expiry' => $this->calculateNewTokenExpiry(),
'guestDisplayname' => $guestDisplayname,
'templateDestination' => $templateDestination,
'hideDownload' => $hideDownload,
@@ -104,7 +105,7 @@ class WopiMapper extends Mapper {
'fileid' => 0,
'editorUid' => $uid,
'token' => $token,
- 'expiry' => $this->timeFactory->getTime() + self::TOKEN_LIFETIME_SECONDS,
+ 'expiry' => $this->calculateNewTokenExpiry(),
'remoteServer' => $remoteServer,
'tokenType' => Wopi::TOKEN_TYPE_INITIATOR
]);
@@ -168,13 +169,21 @@ class WopiMapper extends Mapper {
}
/**
+ * Calculates the expiry TTL for a newly created token.
+ *
+ * @return int
+ */
+ private function calculateNewTokenExpiry(): int {
+ return $this->timeFactory->getTime() + (int) $this->appConfig->getAppValue('token_ttl');
+ }
+
+ /**
* @param int|null $limit
* @param int|null $offset
* @return int[]
* @throws \OCP\DB\Exception
*/
- public function getExpiredTokenIds(?int $limit = null, ?int $offset = null)
- {
+ public function getExpiredTokenIds(?int $limit = null, ?int $offset = null): array {
$qb = $this->db->getQueryBuilder();
$qb->select('id')
->from('richdocuments_wopi')
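Review bot: `calculateNewTokenExpiry()` trusts `token_ttl` as stored: the `(int)` cast turns an empty or non-numeric value into 0 and accepts negative numbers, so new WOPI tokens would carry an expiry that is not in the future, while a very large value keeps access tokens valid far longer than the 10 hours the removed constant documented. Reject non-positive values and fall back to the default, and consider an upper bound as well. The docblock says "expiry TTL" but the method returns an absolute timestamp (`getTime()` plus the TTL), and it should carry the spec reference that was dropped with `TOKEN_LIFETIME_SECONDS`. `getExpiredTokenIds()` continues past the end of this hunk.
```php
private function calculateNewTokenExpiry(): int {
	$ttl = (int) $this->appConfig->getAppValue('token_ttl');
	if ($ttl <= 0) {
		// Misconfigured value: use the 10 hour default rather than issuing expired tokens.
		$ttl = 36000;
	}
	return $this->timeFactory->getTime() + $ttl;
}
```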
diff --git a/lib/Service/FederationService.php b/lib/Service/FederationService.php
index f8d3e5f7..ac541f54 100644
--- a/lib/Service/FederationService.php
+++ b/lib/Service/FederationService.php
@@ -26,11 +26,10 @@ namespace OCA\Richdocuments\Service;
use OCA\Federation\TrustedServers;
use OCA\Files_Sharing\External\Storage as SharingExternalStorage;
+use OCA\Richdocuments\AppConfig;
use OCA\Richdocuments\Db\Direct;
use OCA\Richdocuments\Db\Wopi;
-use OCA\Richdocuments\Db\WopiMapper;
use OCA\Richdocuments\TokenManager;
-use OCP\AppFramework\Http\RedirectResponse;
use OCP\AppFramework\QueryException;
use OCP\Files\File;
use OCP\Files\InvalidPathException;
@@ -38,7 +37,6 @@ use OCP\Files\NotFoundException;
use OCP\Http\Client\IClientService;
use OCP\ICache;
use OCP\ICacheFactory;
-use OCP\IConfig;
use OCP\ILogger;
use OCP\IRequest;
use OCP\IURLGenerator;
@@ -54,8 +52,8 @@ class FederationService {
private $logger;
/** @var TrustedServers */
private $trustedServers;
- /** @var IConfig */
- private $config;
+ /** @var AppConfig */
+ private $appConfig;
/** @var TokenManager */
private $tokenManager;
/** @var IRequest */
@@ -63,12 +61,12 @@ class FederationService {
/** @var IURLGenerator */
private $urlGenerator;
- public function __construct(ICacheFactory $cacheFactory, IClientService $clientService, ILogger $logger, TokenManager $tokenManager, IConfig $config, IRequest $request, IURLGenerator $urlGenerator) {
+ public function __construct(ICacheFactory $cacheFactory, IClientService $clientService, ILogger $logger, TokenManager $tokenManager, AppConfig $appConfig, IRequest $request, IURLGenerator $urlGenerator) {
$this->cache = $cacheFactory->createDistributed('richdocuments_remote/');
$this->clientService = $clientService;
$this->logger = $logger;
$this->tokenManager = $tokenManager;
- $this->config = $config;
+ $this->appConfig = $appConfig;
$this->request = $request;
$this->urlGenerator = $urlGenerator;
try {
@@ -114,13 +112,13 @@ class FederationService {
$domainWithPort = parse_url($domainWithPort, PHP_URL_HOST) . ($port ? ':' . $port : '');
}
- if ($this->trustedServers !== null && $this->trustedServers->isTrustedServer($domainWithPort)) {
+ if ($this->appConfig->isTrustedDomainAllowedForFederation() && $this->trustedServers !== null && $this->trustedServers->isTrustedServer($domainWithPort)) {
return true;
}
$domain = $this->getDomainWithoutPort($domainWithPort);
- $trustedList = array_merge($this->config->getSystemValue('gs.trustedHosts', []), [$this->request->getServerHost()]);
+ $trustedList = array_merge($this->appConfig->getTrustedDomains(), [$this->request->getServerHost()]);
if (!is_array($trustedList)) {
return false;
}