Electronically sign documents via eIDEasy #4311

Closed
vmiklos opened this issue Dec 6, 2024 · 2 comments · Fixed by #4328

vmiklos commented Dec 6, 2024

Is your feature request related to a problem? Please describe.

This is related to #4123, which was about digital signing via software certificates.

Describe the solution you'd like

Collabora Online has support to use eIDEasy to sign PDF files without sending the actual PDF file to an external service, see https://docs.eideasy.com/electronic-signatures/api-flow-with-file-hashes-pdf.html for the details. The request here is to add the related settings (API URL, client id, secret) to the richdocuments admin settings, so Nextcloud users can use this feature.

Then these should be sent to COOL via the WOPI CheckFileInfo, so COOL can use the eIDEasy API as required.

In the future, perhaps it should be possible to restrict the eIDEasy usage to a specific group -- but it's just a possibility, nobody requested that so far.

Describe alternatives you've considered

There is already a dedicated Nextcloud app, which can also work with eIDEasy, see https://github.com/eideasy/nextcloud-electronic-signatures-plugin. One benefit of the requested approach is that when SecureView is enabled, then you can sign PDF files without giving the PDF to the user. Another benefit is that hash-based signing is possible with the Nextcloud all-in-one docker image, while the mentioned app would require a separate docker image for hash-based signing. (Previously it seemed hash-based signing is not possible at all with that app, but this is not true, it just requires a separate docker container to handle the PDF manipulation that is built into Collabora Online already.)

Additional context

CollaboraOnline/online#10630 is the Collabora Online side of this, there you can find some test API URL / client id / secret to try out this feature.

The Collabora Online side still has a few rough edges (e.g. the signing popup is not yet localized), but it's probably at a level where it makes sense to expose this feature on the settings UI.

I intend to work on this, just creating the issue to track the richdocuments progress at a single place.

@vmiklos vmiklos self-assigned this Dec 6, 2024
@juliusknorr juliusknorr added the enhancement New feature or request label Dec 6, 2024
@github-project-automation github-project-automation bot moved this to 🧭 Planning evaluation (don't pick) in 📝 Office team Dec 6, 2024
@juliusknorr juliusknorr moved this from 🧭 Planning evaluation (don't pick) to 🏗️ In progress in 📝 Office team Dec 6, 2024
@juliusknorr (Member)

> I intend to work on this, just creating the issue to track the richdocuments progress at a single place.

Let us know if you need anything from our side.

vmiklos added a commit that referenced this issue Dec 10, 2024
Electronic signing needs to store settings as richdocuments settings.
This involves the API URL, a client ID visible to the browser and a
secret, which is only used during server-side requests.

The WOPI CheckFileInfo reply sends this information to the COOL server,
similar to how it's done for digital signing (via PEM files).

Add the settings as admin settings, otherwise normal users would be able
to use eIDEasy services outside richdocuments.

<CollaboraOnline/online#10630 (comment)>
has instructions on what test data to use to try out the service in a
test environment. Additionally, if the test CA is configured to be
trusted as a user setting, then the green stamp icon will show up in the
status bar.

Signed-off-by: Miklos Vajna <vmiklos@collabora.com>
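
The split described in the commit message above (admin-only settings, a client ID the browser may see, a secret that travels only in the server-to-server CheckFileInfo reply), as an added Python sketch. It is not richdocuments or Collabora Online code; the setting keys, `SettingsStore`, the helper names and the sample values are hypothetical.

```python
import json

# Hypothetical keys: the page names the three settings, not their identifiers.
ESIGN_KEYS = ("esign_api_url", "esign_client_id", "esign_secret")
BROWSER_VISIBLE = {"esign_api_url", "esign_client_id"}  # secret stays server-side
# Constructed sample values, not real credentials.
SAMPLE = ("https://esign.example.test", "constructed-client-id", "constructed-secret")


class SettingsStore:
    """App-wide e-signing settings that only an administrator may change."""

    def __init__(self):
        self._values = {}

    def set(self, key, value, *, is_admin):
        if key not in ESIGN_KEYS:
            raise KeyError(key)
        if not is_admin:
            # Normal users must not be able to set or swap the service credentials.
            raise PermissionError("e-signing settings are admin-only")
        self._values[key] = value

    def server_view(self):
        """All settings, for the server-to-server CheckFileInfo reply."""
        return dict(self._values)

    def browser_view(self):
        """Only the settings the browser is allowed to see."""
        return {k: v for k, v in self._values.items() if k in BROWSER_VISIBLE}


def check_file_info(store, base_info):
    """Reply sent to the document server: file info plus all e-sign settings."""
    return {**base_info, **store.server_view()}


def leaks_secret(payload, store):
    """True if the serialized payload contains the secret value anywhere."""
    secret = store.server_view().get("esign_secret")
    return bool(secret) and secret in json.dumps(payload)


def demo():
    store = SettingsStore()
    for key, value in zip(ESIGN_KEYS, SAMPLE):
        store.set(key, value, is_admin=True)
    wopi = check_file_info(store, {"BaseFileName": "contract.pdf"})
    return wopi, store.browser_view(), store
```

`leaks_secret` can be run as a regression check over any payload that is rendered into a page or returned to a user session.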

vmiklos commented Dec 10, 2024

The above PR adds this section to the admin settings (these are just test tokens, nothing sensitive):

Image

CI has some failures, but seems that's unrelated (3 checks are broken on the baseline already, and the static analysis finds 2 places, but those lines are not touched in the PR), it seems to me.

vmiklos added a commit that referenced this issue Dec 12, 2024
vmiklos added a commit that referenced this issue Dec 16, 2024
@github-project-automation github-project-automation bot moved this from 🏗️ In progress to ☑️ Done in 📝 Office team Dec 21, 2024