Issue #603 - Add support for TLS client certificates #11314
Conversation
Thanks for this awesome PR! 👏 I followed this tutorial: https://www.openlogic.com/blog/mutual-authentication-using-apache-and-web-client
Gee, thanks 😊
Okay, sounds good so far.
Hm, I installed my key+cert quite a while ago... but I just checked: I also used a .p12 container for that.
Okay, I followed that guide (at least the part to export the keypair) and I get the same error as you when trying to import the key, although I chose a trivial password (to avoid typos... I know myself) and copied the file using Android Studio's device file manager (to avoid file corruption during transfer)... But I found a solution: It seems,
(The
Awesome! Many thanks for pointing out how to do it!
Hi @Elv1zz,
Hi @kushmittal2009, thanks for testing the PR again! Ok, I do not use the branding feature, so I have no experience with that and also did not test it. I hope I can set it up. But I won't have time for that before next week.
Erm, does this work as expected with a NextCloud server that does not require TLS client certificates? Because, if you kill the app, I would expect it to stop background tasks as well... Thanks :)
Is there anything we can do to progress this? I have seen a lot of people in the community desperate for this feature :)
Depends :) There are two problems with the current implementation:
Regarding the failing tests, I started a while ago to address them, but could not finish (again, due to lack of time). I just pushed my latest improvements and a merge with upstream to stay in sync. So, if you have any insights into the mentioned problems, that would be helpful and could create some progress. I hope to find time in the next weeks to look into this again -- I also really would like to have this feature in the official nextcloud client.
master-IT test failed: https://www.kaminsky.me/nc-dev/android-integrationTests/8921-IT-master-22-59
b7910ba to cedafc0
Dear reviewers, the current state of both PRs (this and PR 1048 towards the android-library) are ready for review. The upload problem mentioned above could be solved. The branding problem is not as big as it sounds: The branding information is correctly retrieved and applied. Only the header showing the custom logo and server name cannot be updated, since the used
@tobiasKaminsky - I was running @stephanritscher's mTLS version - and this version is a significant improvement - the documents are syncing straight away. I would recommend the QR scanning as it removes any hurdles during the configuration. I've noticed that @AlvaroBrey is no longer working full time on the project but is still assigned as reviewer.
@Elv1zz could you please add an apk in actions artifacts or a release in https://github.com/Elv1zz/nextcloud-android/actions?
@ippocratis I've forked their repo and reconfigured the QA workflow so you can pull the apk from here: Related PR for transparency:
Thanks so much.
Thanks for fixing the workflow! I never managed to fix it -- and actually still do not understand why it broke 🤔
@Elv1zz I've created a PR against your repo. The QA workflow is what builds the APK and creates the comment containing the download URL. Unfortunately this only works for this repo and not forks because that workflow actually uses secrets we don't have access to, in order to upload the APK to @tobiasKaminsky's Nextcloud server. My changes just create a GitHub artifact instead so that you can download it directly from GitHub!
Using the new `AdvancedX509KeyManager` class from the `nextcloud-android-library` to add support for servers that require a TLS client certificate to connect. Signed-off-by: Elv1zz <elv1zz.git@gmail.com>
Since the official nextcloud android-library does not have the new `AdvancedX509KeyManager`, the automated tests cannot build the app. So for that I refer to my fork of the android-library for now. This commit shall be reverted before merge. Signed-off-by: Elv1zz <elv1zz.git@gmail.com>
All interaction with the nextcloud server is handled by the `NextCloudWebViewClient`, so TLS client certificate handling should be done by that class. Since `AuthenticatorActivity` only extends `NextCloudWebViewClient` with some additional methods, it is enough to have the certificate handling in one place. Signed-off-by: Elv1zz <elv1zz.git@gmail.com>
Instead of having to find the hostname and port from a URL (which might be more tricky than expected), we now can simply pass down the URL and `AdvancedX509KeyManager` will take care of finding the port from the URL. Signed-off-by: Elv1zz <elv1zz.git@gmail.com>
Improving code quality a bit by avoiding magic numbers. Signed-off-by: Elv1zz <elv1zz.git@gmail.com>
The method `onReceivedHttpError` did have 3 exit points (`return`), but Codacy only allows us 2, so error handling for `request?.url` and `view?.context` was combined. Seems debatable, what's more readable, but the rules are the rules. Signed-off-by: Elv1zz <elv1zz.git@gmail.com>
The `nextcloud-android-library` uses version `8.2.1` of the gradle plugin, so we have to use the same version for successful builds. Signed-off-by: Elv1zz <elv1zz.git@gmail.com>
Merged via #12408
This PR uses the new `AdvancedX509KeyManager` class which should be added by PR #1048 to the nextcloud/android-library to add support for servers that require a TLS client certificate to connect. Since most logic is added to the android-library, the changes to the app itself are rather small.

No tests were written, since I do not see how this can be tested automatically, as it would either require communication to a server requesting a client certificate -- which typically becomes very unreliable, and is also disregarded in the CONTRIBUTING guidelines -- or probably lots of mocked classes. If the second approach is required, I'd need some guidance on how to set up the test and what to mock.

Thanks for reviewing.
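The PR description and commit messages describe the approach only in outline: a key manager in the library that derives host and port from the server URL, and small changes in the app. The following Java class is an added example written for this page; it is not code from this PR or from nextcloud-android-library, and `HostPortKeyManager`, `register` and `hostPortKey` are names chosen here. It shows a minimal client-side `X509KeyManager` that maps a server's host:port to a key alias in a PKCS#12 container and returns no alias for any other server, so the TLS handshake simply sends no certificate to servers that do not ask for one (the concern raised above about servers without client-certificate requirements). The container path, its password, the server URL and the alias are command-line arguments. It runs on a plain JDK; on Android the same host:port lookup would be driven from `WebViewClient.onReceivedClientCertRequest`, which hands the request's host and port to the app.

```java
import java.io.FileInputStream;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Illustrative client-side key manager (example code, not the library's AdvancedX509KeyManager).
 * Selects the client certificate by the server's host:port; every unmapped server gets null,
 * which makes JSSE send no certificate and leaves ordinary servers unaffected.
 */
public class HostPortKeyManager implements X509KeyManager {
    private final KeyStore store;
    private final char[] password;
    /** "host:port" -> alias of a private-key entry in the PKCS#12 store (example naming). */
    private final Map<String, String> aliasByHostPort = new HashMap<>();

    public HostPortKeyManager(String p12Path, char[] password) throws Exception {
        this.password = password;
        this.store = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            store.load(in, password);
        }
    }

    /** Derive host and port from the server URL instead of parsing them by hand. */
    public void register(String serverUrl, String alias) throws Exception {
        if (!store.isKeyEntry(alias)) {
            throw new IllegalArgumentException("no private-key entry named " + alias);
        }
        aliasByHostPort.put(hostPortKey(new URL(serverUrl)), alias);
    }

    static String hostPortKey(URL url) {
        int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
        return url.getHost().toLowerCase(Locale.ROOT) + ":" + port;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        if (socket == null || socket.getInetAddress() == null) {
            return null;
        }
        // getHostName() returns the name the socket was opened with; HttpsURLConnection
        // connects by hostname, so no reverse DNS lookup happens here.
        String key = socket.getInetAddress().getHostName().toLowerCase(Locale.ROOT)
                + ":" + socket.getPort();
        return aliasByHostPort.get(key); // null => handshake proceeds without a client certificate
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        try {
            java.security.cert.Certificate[] chain = store.getCertificateChain(alias);
            return chain == null ? null : Arrays.copyOf(chain, chain.length, X509Certificate[].class);
        } catch (Exception e) {
            return null;
        }
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        try {
            return (PrivateKey) store.getKey(alias, password);
        } catch (Exception e) {
            return null;
        }
    }

    // Client-only manager: it never offers a server identity.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) {
        return aliasByHostPort.values().toArray(new String[0]);
    }

    /** Usage: java HostPortKeyManager client.p12 <p12-password> https://cloud.example.org <alias> */
    public static void main(String[] args) throws Exception {
        HostPortKeyManager km = new HostPortKeyManager(args[0], args[1].toCharArray());
        km.register(args[2], args[3]);

        // Keep the platform's default trust store for verifying the server; only the client side changes.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " from " + hostPortKey(new URL(args[2])));
    }
}
```

Two checks worth making against a server that requires a client certificate: run once with the alias registered for the server's URL (expect the normal HTTP status) and once with no `register` call (expect the handshake to fail or the server to reject the request), which confirms the manager and not some cached credential is what satisfies the server.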