Merge branch 'master' into fix/s3-primary-storage-encryption

Author: cuppett

.github/workflows/files-external-smb-kerberos.yml

@@ -107,7 +107,7 @@ jobs:
           echo "$FILEPATH:"
           docker exec --user 33 apache cat $FILEPATH
 
-  sftp-summary:
+  smb-kerberos-sso-summary:
     runs-on: ubuntu-latest-low
     needs: [changes, files-external-smb-kerberos]
 

.github/workflows/files-external-smb.yml

@@ -53,7 +53,13 @@ jobs:
 
     services:
       samba:
-        image: ghcr.io/nextcloud/continuous-integration-samba:latest # zizmor: ignore[unpinned-images]
+        image: ghcr.io/servercontainers/samba:smbd-only-a3.18.0-s4.18.2-r0
+        env:
+          ACCOUNT_test: test
+          UID_test: 1000
+          SAMBA_VOLUME_CONFIG_test: "[public]; path=/tmp; valid users = test; guest ok = no; read only = no; browseable = yes"
+        options: >-
+          --health-cmd=true
         ports:
           - 445:445
 

.github/workflows/static-code-analysis.yml

@@ -15,6 +15,7 @@ on:
 
 permissions:
   contents: read
+  security-events: write
 
 concurrency:
   group: static-code-analysis-${{ github.head_ref || github.run_id }}

.nextcloudignore

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+# SPDX-License-Identifier: AGPL-3.0-only
+# Files removed at build time
+
+# Global exclude
+.editorconfig
+.git
+.git-blame-ignore-revs
+.gitattributes
+.github
+.gitignore
+.gitmodules
+.idea
+.l10nignore
+.nextcloudignore
+.noopenapi
+.tx
+cypress
+tests
+
+# Server specific
+/.devcontainer
+/__mocks__
+/__tests__
+/autotest*.sh
+/build
+/config/config.php
+/contribute
+/data

3rdparty

@@ -18,7 +18,7 @@ public function createTag(ISystemTag $tag): void {
 		$this->log('System tag "%s" (%s, %s) created',
 			[
 				'name' => $tag->getName(),
-				'visbility' => $tag->isUserVisible() ? 'visible' : 'invisible',
+				'visibility' => $tag->isUserVisible() ? 'visible' : 'invisible',
 				'assignable' => $tag->isUserAssignable() ? 'user assignable' : 'system only',
 			],
 			['name', 'visibility', 'assignable']

apps/admin_audit/lib/Actions/TagManagement.php

@@ -25,6 +25,15 @@
 			'url' => '/invite-accepted',
 			'verb' => 'POST',
 			'root' => '/ocm',
-		]
+		],
+
+		// needs to be kept at the bottom of the list
+		[
+			'name' => 'OCMRequest#manageOCMRequests',
+			'url' => '/{ocmPath}',
+			'requirements' => ['ocmPath' => '.*'],
+			'verb' => ['GET', 'POST', 'PUT', 'DELETE'],
+			'root' => '/ocm',
+		],
 	],
 ];

apps/cloud_federation_api/appinfo/routes.php

@@ -10,6 +10,7 @@
     'OCA\\CloudFederationAPI\\AppInfo\\Application' => $baseDir . '/../lib/AppInfo/Application.php',
     'OCA\\CloudFederationAPI\\Capabilities' => $baseDir . '/../lib/Capabilities.php',
     'OCA\\CloudFederationAPI\\Config' => $baseDir . '/../lib/Config.php',
+    'OCA\\CloudFederationAPI\\Controller\\OCMRequestController' => $baseDir . '/../lib/Controller/OCMRequestController.php',
     'OCA\\CloudFederationAPI\\Controller\\RequestHandlerController' => $baseDir . '/../lib/Controller/RequestHandlerController.php',
     'OCA\\CloudFederationAPI\\Db\\FederatedInvite' => $baseDir . '/../lib/Db/FederatedInvite.php',
     'OCA\\CloudFederationAPI\\Db\\FederatedInviteMapper' => $baseDir . '/../lib/Db/FederatedInviteMapper.php',

apps/cloud_federation_api/composer/composer/autoload_classmap.php

@@ -25,6 +25,7 @@ class ComposerStaticInitCloudFederationAPI
         'OCA\\CloudFederationAPI\\AppInfo\\Application' => __DIR__ . '/..' . '/../lib/AppInfo/Application.php',
         'OCA\\CloudFederationAPI\\Capabilities' => __DIR__ . '/..' . '/../lib/Capabilities.php',
         'OCA\\CloudFederationAPI\\Config' => __DIR__ . '/..' . '/../lib/Config.php',
+        'OCA\\CloudFederationAPI\\Controller\\OCMRequestController' => __DIR__ . '/..' . '/../lib/Controller/OCMRequestController.php',
         'OCA\\CloudFederationAPI\\Controller\\RequestHandlerController' => __DIR__ . '/..' . '/../lib/Controller/RequestHandlerController.php',
         'OCA\\CloudFederationAPI\\Db\\FederatedInvite' => __DIR__ . '/..' . '/../lib/Db/FederatedInvite.php',
         'OCA\\CloudFederationAPI\\Db\\FederatedInviteMapper' => __DIR__ . '/..' . '/../lib/Db/FederatedInviteMapper.php',

apps/cloud_federation_api/composer/composer/autoload_static.php

@@ -0,0 +1,87 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\CloudFederationAPI\Controller;
+
+use JsonException;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\BruteForceProtection;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\PublicPage;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\AppFramework\Http\Response;
+use OCP\EventDispatcher\IEventDispatcher;
+use OCP\IRequest;
+use OCP\OCM\Events\OCMEndpointRequestEvent;
+use OCP\OCM\Exceptions\OCMArgumentException;
+use OCP\OCM\IOCMDiscoveryService;
+use OCP\Security\Signature\Exceptions\IncomingRequestException;
+use Psr\Log\LoggerInterface;
+
+class OCMRequestController extends Controller {
+	public function __construct(
+		string $appName,
+		IRequest $request,
+		private readonly IEventDispatcher $eventDispatcher,
+		private readonly IOCMDiscoveryService $ocmDiscoveryService,
+		private readonly LoggerInterface $logger,
+	) {
+		parent::__construct($appName, $request);
+	}
+
+	/**
+	 * Method will catch any request done to /ocm/[...] and will broadcast an event.
+	 * The first parameter of the remaining subpath (post-/ocm/) is defined as
+	 * capability and should be used by listeners to filter incoming requests.
+	 *
+	 * @see OCMEndpointRequestEvent
+	 * @see OCMEndpointRequestEvent::getArgs
+	 *
+	 * @param string $ocmPath
+	 * @return Response
+	 * @throws OCMArgumentException
+	 */
+	#[NoCSRFRequired]
+	#[PublicPage]
+	#[BruteForceProtection(action: 'receiveOcmRequest')]
+	public function manageOCMRequests(string $ocmPath): Response {
+		if (!mb_check_encoding($ocmPath, 'UTF-8')) {
+			throw new OCMArgumentException('path is not UTF-8');
+		}
+
+		try {
+			// if request is signed and well signed, no exceptions are thrown
+			// if request is not signed and host is known for not supporting signed request, no exceptions are thrown
+			$signedRequest = $this->ocmDiscoveryService->getIncomingSignedRequest();
+		} catch (IncomingRequestException $e) {
+			$this->logger->warning('incoming ocm request exception', ['exception' => $e]);
+			return new JSONResponse(['message' => $e->getMessage(), 'validationErrors' => []], Http::STATUS_BAD_REQUEST);
+		}
+
+		// assuming that ocm request contains a json array
+		$payload = $signedRequest?->getBody() ?? file_get_contents('php://input');
+		try {
+			$payload = ($payload) ? json_decode($payload, true, 512, JSON_THROW_ON_ERROR) : null;
+		} catch (JsonException $e) {
+			$this->logger->debug('json decode error', ['exception' => $e]);
+			$payload = null;
+		}
+
+		$event = new OCMEndpointRequestEvent(
+			$this->request->getMethod(),
+			preg_replace('@/+@', '/', $ocmPath),
+			$payload,
+			$signedRequest?->getOrigin()
+		);
+		$this->eventDispatcher->dispatchTyped($event);
+
+		return $event->getResponse() ?? new Response(Http::STATUS_NOT_FOUND);
+	}
+}