owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

[wopi] Check file info return 500 when COLLABORATION_APP_PROOF_DISABLE set false #10195

Closed amrita-shrestha closed 4 days ago

amrita-shrestha commented 4 days ago

Describe the bug

Trying to get file info inside a project space using WOPI returns 500 when COLLABORATION_APP_PROOF_DISABLE is set to true.

Steps to reproduce

  1. Create file test.txt inside project space new-space.
  2. Get an access token and URL using the endpoint /app/open?app_name=$app&file_id=$fileId&view_mode=$viewMode, which returns:

     ```json
     "app_url":"https://host.docker.internal:9980/browser/d5ebff5/cool.html?WOPISrc=https%3A%2F%2Fhost.docker.internal%3A9300%2Fwopi%2Ffiles%2F667803bae99efa72b803fd01131514d95dc2f1ef880be032da20f5ff6ccdbaed",
     "method":"POST",
     "form_parameters":{"access_token":"eyJhbGciOiJIUzI1NiIjl0BboY4ktwyLYivcSK08",
     "access_token_ttl":"1727850048000"
     }
     ```

  3. Using WOPISrc and access_token from the above response, send a GET request; it returns status code 500:

```console
collaboration-1     | {"level":"error","service":"collaboration","request-id":"","proto":"HTTP/1.1","method":"GET","path":"/wopi/files/667803bae99efa72b803fd01131514d95dc2f1ef880be032da20f5ff6ccdbaed","WopiSessionId":"","WopiOverride":"","WopiProof":"","WopiProofOld":"","WopiStamp":"","FileReference":"resource_id:{storage_id:\"48e4a2bf-9500-42d5-9294-147c544343cf\" opaque_id:\"9ee81667-30f8-4939-ab6d-51b81c3cf0e9\" space_id:\"4068e0a9-e76e-43fb-883d-0b47146f8fd8\"} path:\".\"","ViewMode":"VIEW_MODE_VIEW_ONLY","Requester":"idp:\"https://host.docker.internal:9200\" opaque_id:\"64fd0d40-ef6a-428a-b372-d805d9e42b9c\" type:USER_TYPE_PRIMARY","error":"Invalid timestamp","time":"2024-10-01T06:27:10Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/middleware/proofkeys.go:55","message":"ProofKeys verification failed"}
collaboration-1     | {"level":"info","service":"collaboration","proto":"HTTP/1.1","request-id":"e7a2b2c5f26f/uOXBipWHg9-000023","traceid":"00000000000000000000000000000000","remote-addr":"172.18.0.3:33384","method":"GET","wopi-action":"","status":500,"path":"/wopi/files/667803bae99efa72b803fd01131514d95dc2f1ef880be032da20f5ff6ccdbaed","duration":0.219521,"bytes":22,"time":"2024-10-01T06:27:10Z","line":"github.com/owncloud/ocis/v2/services/collaboration/pkg/middleware/accesslog.go:35","message":"access-log"}
```

Expected behavior

HTTP status code should not be 500

Actual behavior

Returns 500 status code

Setup

Please describe how you started the server and provide a list of relevant environment variables or configuration files.

```console
ownCloud Infinite Scale
Edition Community
Version 6.4.0+ee8a3d48b
Web client version 10.3.0
```

micbar commented 4 days ago

@amrita-shrestha There is a security mechanism called "proof keys" which prevents that API call.

It should not give a 500 error though (@jvillafanez please check which could be an appropriate response code)

You can disable proof key validation for testing purposes.

amrita-shrestha commented 4 days ago

> @amrita-shrestha There is a security mechanism called "proof keys" which prevents that API call.
>
> It should not give a 500 error though (@jvillafanez please check which could be an appropriate response code)
>
> You can disable proof key validation for testing purposes.

I will update the issue according to your comment.

jvillafanez commented 4 days ago

From https://learn.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/online/scenarios/proofkeys:

> When validating proof keys, if a request isn't signed properly, the host must return a 500 Internal Server Error

According to the logs, no proof key has been sent, so I think it can fall under that case. I don't see any other information about the proper error code we should send.

amrita-shrestha commented 4 days ago

It looks like expected behavior, so closing this issue.

micbar commented 4 days ago

> From https://learn.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/online/scenarios/proofkeys:
>
> > When validating proof keys, if a request isn't signed properly, the host must return a 500 Internal Server Error
>
> According to the logs, no proof key has been sent, so I think it can fall under that case. I don't see any other information about the proper error code we should send.

We could also return status 400.

jvillafanez commented 4 days ago

There are some headers that should be filled for a proper validation (https://github.com/owncloud/ocis/blob/master/services/collaboration/pkg/middleware/proofkeys.go#L42-L52), so we could return a 400 if any of them is missing or with an empty value. However, I think we should still return a 500 if the "official" validation fails, as it's documented. I think this is a good compromise.
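The status split discussed above (400 when a proof header is missing or empty, 500 when the documented proof-key validation itself fails), as an added example; this is not the ocis `proofkeys.go` middleware but a stand-alone sketch of the same check. It follows the Microsoft proof-key description for the signed payload (length-prefixed access token, upper-cased request URL, and 8-byte .NET-ticks timestamp, RSA/SHA-256 PKCS#1 v1.5) and for the three accepted key combinations. The function names, the 20-minute freshness window as applied here, and the `demo-token`/`wopi.example.test` sample values are assumptions constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Added example, not ocis code: 400 for a missing/empty proof header, 500 for a failed
// timestamp or signature check (as the WOPI proof-key docs prescribe), 200 on success.
const (
	proofTTL = 20 * time.Minute // hosts must reject proofs older than 20 minutes
	// X-WOPI-TimeStamp is in .NET ticks (100 ns units since 0001-01-01 UTC); the Unix epoch in ticks:
	unixEpochTicks int64 = 621355968000000000
)

// proofPayload builds the bytes the WOPI client signs: each field is prefixed by its 4-byte
// big-endian length; token as UTF-8, URL upper-cased, timestamp as an 8-byte big-endian integer.
func proofPayload(accessToken, requestURL string, ticks int64) []byte {
	appendField := func(buf, field []byte) []byte {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(field)))
		return append(append(buf, l[:]...), field...)
	}
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(ticks))
	buf := appendField(nil, []byte(accessToken))
	buf = appendField(buf, []byte(strings.ToUpper(requestURL)))
	return appendField(buf, ts[:])
}

// verifySig checks one base64 RSA-SHA256 PKCS#1 v1.5 signature; a nil key or bad input fails.
func verifySig(pub *rsa.PublicKey, proofB64 string, payload []byte) bool {
	sig, err := base64.StdEncoding.DecodeString(proofB64)
	digest := sha256.Sum256(payload)
	return pub != nil && err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// checkProofKeys returns the status the host should answer. current/old are the WOPI client's
// discovery keys (old may be nil); requestURL is the full URL the client called.
func checkProofKeys(h http.Header, current, old *rsa.PublicKey, accessToken, requestURL string, now time.Time) (int, error) {
	proof, proofOld, stamp := h.Get("X-WOPI-Proof"), h.Get("X-WOPI-ProofOld"), h.Get("X-WOPI-TimeStamp")
	if proof == "" || proofOld == "" || stamp == "" {
		return http.StatusBadRequest, errors.New("missing or empty proof header")
	}
	// Range checks run first so the tick-to-nanosecond conversion cannot overflow.
	ticks, err := strconv.ParseInt(stamp, 10, 64)
	if err != nil || ticks < unixEpochTicks || ticks-unixEpochTicks > math.MaxInt64/100 ||
		time.Unix(0, (ticks-unixEpochTicks)*100).Before(now.Add(-proofTTL)) {
		return http.StatusInternalServerError, errors.New("invalid timestamp")
	}
	payload := proofPayload(accessToken, requestURL, ticks)
	// Spec: accept Proof under the current key, ProofOld under the current key, or Proof under the old key.
	if verifySig(current, proof, payload) || verifySig(current, proofOld, payload) || verifySig(old, proof, payload) {
		return http.StatusOK, nil
	}
	return http.StatusInternalServerError, errors.New("proof key verification failed")
}

// Client side, present only so the demo and test can build a valid request.
func generateDemoKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func signedHeaders(priv *rsa.PrivateKey, accessToken, requestURL string, at time.Time) http.Header {
	ticks := at.UnixNano()/100 + unixEpochTicks
	digest := sha256.Sum256(proofPayload(accessToken, requestURL, ticks))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	h := http.Header{}
	h.Set("X-WOPI-Proof", base64.StdEncoding.EncodeToString(sig))
	h.Set("X-WOPI-ProofOld", h.Get("X-WOPI-Proof")) // one key plays both roles in this demo
	h.Set("X-WOPI-TimeStamp", strconv.FormatInt(ticks, 10))
	return h
}

func main() {
	const token, url = "demo-token", "https://wopi.example.test/wopi/files/abc?access_token=demo-token" // constructed
	priv, now := generateDemoKey(), time.Now()
	fmt.Println(checkProofKeys(signedHeaders(priv, token, url, now), &priv.PublicKey, nil, token, url, now))
	fmt.Println(checkProofKeys(http.Header{}, &priv.PublicKey, nil, token, url, now)) // the report's case: no proof headers
}
```

With no proof headers at all (the situation in the reported log, where WopiProof, WopiProofOld and WopiStamp are all empty) this returns 400 before any timestamp parsing, which is why the report's "Invalid timestamp" error would not be reached; a request that carries the headers but fails the signature or freshness check still gets the 500 the specification calls for.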