feat(wopi): WOPI proof

[elzody]

• Target version: main

Summary

WOPI proof validation ensures that WOPI requests are genuine. It also helps in cases that prevent download, as without it anyone with an access token and the WOPI source URL can still get the file contents.

You can generate a key pair by running:

sudo coolconfig generate-proof-key

or if you are using a configuration directory other than /etc, you can manually invoke ssh-keygen:

ssh-keygen -t rsa -N "" -m PEM -f /some/path/proof_key

If you are using Docker you need to mount the key pair into the container as a volume.

Once generated, you need to restart coolwsd for the server to start using it. Nextcloud will automatically detect that a proof is being sent with the request and begin verifying each request from there on out. If you remove the key pair, the Collabora server will still continue to use them until it is restarted. Again, Nextcloud would detect this and stop verifying requests. It does this by detecting discrepancies between the cached discovery information from the Collabora server and whether or not the server is sending a proof in the X-WOPI-Proof header. If necessary, the discovery information will be re-fetched and cached in order to obtain the proof key as well as the RSA modulus and exponent so that it can verify the signature of the proof sent in the request header.

TODO

• Unit tests

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Documentation (manuals or wiki) has been updated or is not required