nextcloud · ArtificialOwl · Dec 7, 2025
@@ -25,6 +25,15 @@
 			'url' => '/invite-accepted',
 			'verb' => 'POST',
 			'root' => '/ocm',
-		]
+		],
+
+		// needs to be kept at the bottom of the list
+		[
+			'name' => 'OCMRequest#manageOCMRequests',
+			'url' => '/{ocmPath}',
+			'requirements' => ['ocmPath' => '.*'],
+			'verb' => ['GET', 'POST', 'PUT', 'DELETE'],
+			'root' => '/ocm',
+		],
 	],
 ];
@@ -10,6 +10,7 @@
     'OCA\\CloudFederationAPI\\AppInfo\\Application' => $baseDir . '/../lib/AppInfo/Application.php',
     'OCA\\CloudFederationAPI\\Capabilities' => $baseDir . '/../lib/Capabilities.php',
     'OCA\\CloudFederationAPI\\Config' => $baseDir . '/../lib/Config.php',
+    'OCA\\CloudFederationAPI\\Controller\\OCMRequestController' => $baseDir . '/../lib/Controller/OCMRequestController.php',
     'OCA\\CloudFederationAPI\\Controller\\RequestHandlerController' => $baseDir . '/../lib/Controller/RequestHandlerController.php',
     'OCA\\CloudFederationAPI\\Db\\FederatedInvite' => $baseDir . '/../lib/Db/FederatedInvite.php',
     'OCA\\CloudFederationAPI\\Db\\FederatedInviteMapper' => $baseDir . '/../lib/Db/FederatedInviteMapper.php',

@@ -25,6 +25,7 @@ class ComposerStaticInitCloudFederationAPI
         'OCA\\CloudFederationAPI\\AppInfo\\Application' => __DIR__ . '/..' . '/../lib/AppInfo/Application.php',
         'OCA\\CloudFederationAPI\\Capabilities' => __DIR__ . '/..' . '/../lib/Capabilities.php',
         'OCA\\CloudFederationAPI\\Config' => __DIR__ . '/..' . '/../lib/Config.php',
+        'OCA\\CloudFederationAPI\\Controller\\OCMRequestController' => __DIR__ . '/..' . '/../lib/Controller/OCMRequestController.php',
         'OCA\\CloudFederationAPI\\Controller\\RequestHandlerController' => __DIR__ . '/..' . '/../lib/Controller/RequestHandlerController.php',
         'OCA\\CloudFederationAPI\\Db\\FederatedInvite' => __DIR__ . '/..' . '/../lib/Db/FederatedInvite.php',
         'OCA\\CloudFederationAPI\\Db\\FederatedInviteMapper' => __DIR__ . '/..' . '/../lib/Db/FederatedInviteMapper.php',

@@ -0,0 +1,90 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\CloudFederationAPI\Controller;
+
+use JsonException;
+use NCU\Security\Signature\Exceptions\IncomingRequestException;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\BruteForceProtection;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\PublicPage;
+use OCP\AppFramework\Http\DataResponse;
+use OCP\AppFramework\Http\JSONResponse;
+use OCP\AppFramework\Http\Response;
+use OCP\EventDispatcher\IEventDispatcher;
+use OCP\IRequest;
+use OCP\OCM\Events\OCMEndpointRequestEvent;
+use OCP\OCM\Exceptions\OCMArgumentException;
+use OCP\OCM\IOCMDiscoveryService;
+use Psr\Log\LoggerInterface;
+
+class OCMRequestController extends Controller {
+	public function __construct(
+		string $appName,
+		IRequest $request,
+		private readonly IEventDispatcher $eventDispatcher,
+		private readonly IOCMDiscoveryService $ocmDiscoveryService,
+		private readonly LoggerInterface $logger,
+	) {
+		parent::__construct($appName, $request);
+	}
+
+	/**
+	 * Method will catch any request done to /ocm/[...] and will broadcast an event.
+	 * The first parameter of the remaining subpath (post-/ocm/) is defined as
+	 * capability and should be used by listeners to filter incoming requests.
+	 *
+	 * @see OCMEndpointRequestEvent
+	 * @see OCMEndpointRequestEvent::getArgs
+	 *
+	 * @param string $ocmPath
+	 * @return Response
+	 * @throws OCMArgumentException
+	 */
+	#[NoCSRFRequired]
+	#[PublicPage]
+	#[BruteForceProtection(action: 'receiveOcmRequest')]
+	public function manageOCMRequests(string $ocmPath): Response {
+		try {
+			json_encode($ocmPath, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
+		} catch (JsonException) {
+			throw new OCMArgumentException('path is not UTF-8');
+		}
+
+		try {
+			// if request is signed and well signed, no exceptions are thrown
+			// if request is not signed and host is known for not supporting signed request, no exceptions are thrown
+			$signedRequest = $this->ocmDiscoveryService->getIncomingSignedRequest();
+		} catch (IncomingRequestException $e) {
+			$this->logger->warning('incoming ocm request exception', ['exception' => $e]);
+			return new JSONResponse(['message' => $e->getMessage(), 'validationErrors' => []], Http::STATUS_BAD_REQUEST);
+		}
+
+		// assuming that ocm request contains a json array
+		$payload = $signedRequest?->getBody() ?? file_get_contents('php://input');
+		try {
+			$payload = (!$payload) ? null : json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
+		} catch (JsonException $e) {
+			$this->logger->debug('json decode error', ['exception' => $e]);
+			$payload = null;
+		}
+
+		$event = new OCMEndpointRequestEvent(
+			$this->request->getMethod(),
+			str_replace('//', '/', $ocmPath),
+			$payload,
+			$signedRequest?->getOrigin()
+		);
+		$this->eventDispatcher->dispatchTyped($event);
+
+		return $event->getResponse() ?? new DataResponse('', Http::STATUS_NOT_FOUND);
+	}
+}
@@ -11,11 +11,8 @@
 use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
 use NCU\Security\Signature\Exceptions\IncomingRequestException;
 use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
-use NCU\Security\Signature\Exceptions\SignatureException;
-use NCU\Security\Signature\Exceptions\SignatureNotFoundException;
 use NCU\Security\Signature\IIncomingSignedRequest;
 use NCU\Security\Signature\ISignatureManager;
-use OC\OCM\OCMSignatoryManager;
 use OCA\CloudFederationAPI\Config;
 use OCA\CloudFederationAPI\Db\FederatedInviteMapper;
 use OCA\CloudFederationAPI\Events\FederatedInviteAcceptedEvent;
@@ -39,11 +36,11 @@
 use OCP\Federation\ICloudFederationFactory;
 use OCP\Federation\ICloudFederationProviderManager;
 use OCP\Federation\ICloudIdManager;
-use OCP\IAppConfig;
 use OCP\IGroupManager;
 use OCP\IRequest;
 use OCP\IURLGenerator;
 use OCP\IUserManager;
+use OCP\OCM\IOCMDiscoveryService;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Util;
 use Psr\Log\LoggerInterface;
@@ -71,11 +68,10 @@ public function __construct(
 		private IEventDispatcher $dispatcher,
 		private FederatedInviteMapper $federatedInviteMapper,
 		private readonly AddressHandler $addressHandler,
-		private readonly IAppConfig $appConfig,
 		private ICloudFederationFactory $factory,
 		private ICloudIdManager $cloudIdManager,
+		private readonly IOCMDiscoveryService $ocmDiscoveryService,
 		private readonly ISignatureManager $signatureManager,
-		private readonly OCMSignatoryManager $signatoryManager,
 		private ITimeFactory $timeFactory,
 	) {
 		parent::__construct($appName, $request);
@@ -107,9 +103,9 @@ public function __construct(
 	#[BruteForceProtection(action: 'receiveFederatedShare')]
 	public function addShare($shareWith, $name, $description, $providerId, $owner, $ownerDisplayName, $sharedBy, $sharedByDisplayName, $protocol, $shareType, $resourceType) {
 		try {
-			// if request is signed and well signed, no exception are thrown
+			// if request is signed and well signed, no exceptions are thrown
 			// if request is not signed and host is known for not supporting signed request, no exception are thrown
-			$signedRequest = $this->getSignedRequest();
+			$signedRequest = $this->ocmDiscoveryService->getIncomingSignedRequest();
 			$this->confirmSignedOrigin($signedRequest, 'owner', $owner);
 		} catch (IncomingRequestException $e) {
 			$this->logger->warning('incoming request exception', ['exception' => $e]);
@@ -357,7 +353,7 @@ public function receiveNotification($notificationType, $resourceType, $providerI
 		try {
 			// if request is signed and well signed, no exception are thrown
 			// if request is not signed and host is known for not supporting signed request, no exception are thrown
-			$signedRequest = $this->getSignedRequest();
+			$signedRequest = $this->ocmDiscoveryService->getIncomingSignedRequest();
 			$this->confirmNotificationIdentity($signedRequest, $resourceType, $notification);
 		} catch (IncomingRequestException $e) {
 			$this->logger->warning('incoming request exception', ['exception' => $e]);
@@ -430,37 +426,6 @@ private function mapUid($uid) {
 	}
 
 
-	/**
-	 * returns signed request if available.
-	 * throw an exception:
-	 * - if request is signed, but wrongly signed
-	 * - if request is not signed but instance is configured to only accept signed ocm request
-	 *
-	 * @return IIncomingSignedRequest|null null if remote does not (and never did) support signed request
-	 * @throws IncomingRequestException
-	 */
-	private function getSignedRequest(): ?IIncomingSignedRequest {
-		try {
-			$signedRequest = $this->signatureManager->getIncomingSignedRequest($this->signatoryManager);
-			$this->logger->debug('signed request available', ['signedRequest' => $signedRequest]);
-			return $signedRequest;
-		} catch (SignatureNotFoundException|SignatoryNotFoundException $e) {
-			$this->logger->debug('remote does not support signed request', ['exception' => $e]);
-			// remote does not support signed request.
-			// currently we still accept unsigned request until lazy appconfig
-			// core.enforce_signed_ocm_request is set to true (default: false)
-			if ($this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_ENFORCED, lazy: true)) {
-				$this->logger->notice('ignored unsigned request', ['exception' => $e]);
-				throw new IncomingRequestException('Unsigned request');
-			}
-		} catch (SignatureException $e) {
-			$this->logger->warning('wrongly signed request', ['exception' => $e]);
-			throw new IncomingRequestException('Invalid signature');
-		}
-		return null;
-	}
-
-
 	/**
 	 * confirm that the value related to $key entry from the payload is in format userid@hostname
 	 * and compare hostname with the origin of the signed request.

@@ -10,7 +10,6 @@
 namespace OCA\CloudFederationApi\Tests;
 
 use NCU\Security\Signature\ISignatureManager;
-use OC\OCM\OCMSignatoryManager;
 use OCA\CloudFederationAPI\Config;
 use OCA\CloudFederationAPI\Controller\RequestHandlerController;
 use OCA\CloudFederationAPI\Db\FederatedInvite;
@@ -23,12 +22,12 @@
 use OCP\Federation\ICloudFederationFactory;
 use OCP\Federation\ICloudFederationProviderManager;
 use OCP\Federation\ICloudIdManager;
-use OCP\IAppConfig;
 use OCP\IGroupManager;
 use OCP\IRequest;
 use OCP\IURLGenerator;
 use OCP\IUser;
 use OCP\IUserManager;
+use OCP\OCM\IOCMDiscoveryService;
 use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Log\LoggerInterface;
 use Test\TestCase;
@@ -44,11 +43,10 @@ class RequestHandlerControllerTest extends TestCase {
 	private IEventDispatcher&MockObject $eventDispatcher;
 	private FederatedInviteMapper&MockObject $federatedInviteMapper;
 	private AddressHandler&MockObject $addressHandler;
-	private IAppConfig&MockObject $appConfig;
 	private ICloudFederationFactory&MockObject $cloudFederationFactory;
 	private ICloudIdManager&MockObject $cloudIdManager;
+	private IOCMDiscoveryService&MockObject $discoveryService;
 	private ISignatureManager&MockObject $signatureManager;
-	private OCMSignatoryManager&MockObject $signatoryManager;
 	private ITimeFactory&MockObject $timeFactory;
 
 	private RequestHandlerController $requestHandlerController;
@@ -66,11 +64,10 @@ protected function setUp(): void {
 		$this->eventDispatcher = $this->createMock(IEventDispatcher::class);
 		$this->federatedInviteMapper = $this->createMock(FederatedInviteMapper::class);
 		$this->addressHandler = $this->createMock(AddressHandler::class);
-		$this->appConfig = $this->createMock(IAppConfig::class);
 		$this->cloudFederationFactory = $this->createMock(ICloudFederationFactory::class);
 		$this->cloudIdManager = $this->createMock(ICloudIdManager::class);
+		$this->discoveryService = $this->createMock(IOCMDiscoveryService::class);
 		$this->signatureManager = $this->createMock(ISignatureManager::class);
-		$this->signatoryManager = $this->createMock(OCMSignatoryManager::class);
 		$this->timeFactory = $this->createMock(ITimeFactory::class);
 
 		$this->requestHandlerController = new RequestHandlerController(
@@ -85,11 +82,10 @@ protected function setUp(): void {
 			$this->eventDispatcher,
 			$this->federatedInviteMapper,
 			$this->addressHandler,
-			$this->appConfig,
 			$this->cloudFederationFactory,
 			$this->cloudIdManager,
+			$this->discoveryService,
 			$this->signatureManager,
-			$this->signatoryManager,
 			$this->timeFactory,
 		);
 	}

@@ -716,9 +716,14 @@
     'OCP\\Notification\\InvalidValueException' => $baseDir . '/lib/public/Notification/InvalidValueException.php',
     'OCP\\Notification\\NotificationPreloadReason' => $baseDir . '/lib/public/Notification/NotificationPreloadReason.php',
     'OCP\\Notification\\UnknownNotificationException' => $baseDir . '/lib/public/Notification/UnknownNotificationException.php',
+    'OCP\\OCM\\Enum\\ParamType' => $baseDir . '/lib/public/OCM/Enum/ParamType.php',
+    'OCP\\OCM\\Events\\LocalOCMDiscoveryEvent' => $baseDir . '/lib/public/OCM/Events/LocalOCMDiscoveryEvent.php',
+    'OCP\\OCM\\Events\\OCMEndpointRequestEvent' => $baseDir . '/lib/public/OCM/Events/OCMEndpointRequestEvent.php',
     'OCP\\OCM\\Events\\ResourceTypeRegisterEvent' => $baseDir . '/lib/public/OCM/Events/ResourceTypeRegisterEvent.php',
     'OCP\\OCM\\Exceptions\\OCMArgumentException' => $baseDir . '/lib/public/OCM/Exceptions/OCMArgumentException.php',
+    'OCP\\OCM\\Exceptions\\OCMCapabilityException' => $baseDir . '/lib/public/OCM/Exceptions/OCMCapabilityException.php',
     'OCP\\OCM\\Exceptions\\OCMProviderException' => $baseDir . '/lib/public/OCM/Exceptions/OCMProviderException.php',
+    'OCP\\OCM\\Exceptions\\OCMRequestException' => $baseDir . '/lib/public/OCM/Exceptions/OCMRequestException.php',
     'OCP\\OCM\\ICapabilityAwareOCMProvider' => $baseDir . '/lib/public/OCM/ICapabilityAwareOCMProvider.php',
     'OCP\\OCM\\IOCMDiscoveryService' => $baseDir . '/lib/public/OCM/IOCMDiscoveryService.php',
     'OCP\\OCM\\IOCMProvider' => $baseDir . '/lib/public/OCM/IOCMProvider.php',

@@ -757,9 +757,14 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OCP\\Notification\\InvalidValueException' => __DIR__ . '/../../..' . '/lib/public/Notification/InvalidValueException.php',
         'OCP\\Notification\\NotificationPreloadReason' => __DIR__ . '/../../..' . '/lib/public/Notification/NotificationPreloadReason.php',
         'OCP\\Notification\\UnknownNotificationException' => __DIR__ . '/../../..' . '/lib/public/Notification/UnknownNotificationException.php',
+        'OCP\\OCM\\Enum\\ParamType' => __DIR__ . '/../../..' . '/lib/public/OCM/Enum/ParamType.php',
+        'OCP\\OCM\\Events\\LocalOCMDiscoveryEvent' => __DIR__ . '/../../..' . '/lib/public/OCM/Events/LocalOCMDiscoveryEvent.php',
+        'OCP\\OCM\\Events\\OCMEndpointRequestEvent' => __DIR__ . '/../../..' . '/lib/public/OCM/Events/OCMEndpointRequestEvent.php',
         'OCP\\OCM\\Events\\ResourceTypeRegisterEvent' => __DIR__ . '/../../..' . '/lib/public/OCM/Events/ResourceTypeRegisterEvent.php',
         'OCP\\OCM\\Exceptions\\OCMArgumentException' => __DIR__ . '/../../..' . '/lib/public/OCM/Exceptions/OCMArgumentException.php',
+        'OCP\\OCM\\Exceptions\\OCMCapabilityException' => __DIR__ . '/../../..' . '/lib/public/OCM/Exceptions/OCMCapabilityException.php',
         'OCP\\OCM\\Exceptions\\OCMProviderException' => __DIR__ . '/../../..' . '/lib/public/OCM/Exceptions/OCMProviderException.php',
+        'OCP\\OCM\\Exceptions\\OCMRequestException' => __DIR__ . '/../../..' . '/lib/public/OCM/Exceptions/OCMRequestException.php',
         'OCP\\OCM\\ICapabilityAwareOCMProvider' => __DIR__ . '/../../..' . '/lib/public/OCM/ICapabilityAwareOCMProvider.php',
         'OCP\\OCM\\IOCMDiscoveryService' => __DIR__ . '/../../..' . '/lib/public/OCM/IOCMDiscoveryService.php',
         'OCP\\OCM\\IOCMProvider' => __DIR__ . '/../../..' . '/lib/public/OCM/IOCMProvider.php',

@@ -75,7 +75,6 @@ private function processRoute(array $route, string $appName, string $routeNamePr
 		$root = $this->buildRootPrefix($route, $appName, $routeNamePrefix);
 
 		$url = $root . '/' . ltrim($route['url'], '/');
-		$verb = strtoupper($route['verb'] ?? 'GET');
 
 		$split = explode('#', $name, 3);
 		if (count($split) !== 2) {
@@ -95,7 +94,7 @@ private function processRoute(array $route, string $appName, string $routeNamePr
 		$routeName = strtolower($routeNamePrefix . $appName . '.' . $controller . '.' . $action . $postfix);
 
 		$routeObject = new Route($url);
-		$routeObject->method($verb);
+		$routeObject->method((array)($route['verb'] ?? ['GET']));
 
 		// optionally register requirements for route. This is used to
 		// tell the route parser how url parameters should be matched
@@ -174,7 +173,6 @@ private function processResources(array $resources, string $appName, string $rou
 				$url = $root . '/' . ltrim($config['url'], '/');
 				$method = $action['name'];
 
-				$verb = strtoupper($action['verb'] ?? 'GET');
 				$collectionAction = $action['on-collection'] ?? false;
 				if (!$collectionAction) {
 					$url .= '/{id}';
@@ -188,7 +186,7 @@ private function processResources(array $resources, string $appName, string $rou
 				$routeName = $routeNamePrefix . $appName . '.' . strtolower($resource) . '.' . $method;
 
 				$route = new Route($url);
-				$route->method($verb);
+				$route->method((array)($action['verb'] ?? ['GET']));
 
 				$route->defaults(['caller' => [$appName, $controllerName, $actionName]]);