From ba5cacaa44e598da53c4c94970a19f0b1cfd87df Mon Sep 17 00:00:00 2001
From: Joachim Bauch <bauch@struktur.de>
Date: Mon, 8 May 2023 12:01:42 +0200
Subject: [PATCH 1/2] Remove flag "allow_local_address" from client requests.

---
 lib/Client.php | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/lib/Client.php b/lib/Client.php
index 25c1bbb4..588ae138 100644
--- a/lib/Client.php
+++ b/lib/Client.php
@@ -98,9 +98,6 @@ public function shareFile(File $file, array $recipients, ?array $metadata, array
 			'headers' => $headers,
 			'multipart' => $multipart,
 			'verify' => false,
-			'nextcloud' => [
-				'allow_local_address' => true,
-			],
 		]);
 		$body = $response->getBody();
 		return json_decode($body, true);
@@ -118,9 +115,6 @@ public function signFile(string $id, array $multipart, array $account, string $s
 			'headers' => $headers,
 			'multipart' => $multipart,
 			'verify' => false,
-			'nextcloud' => [
-				'allow_local_address' => true,
-			],
 		]);
 		$body = $response->getBody();
 		return json_decode($body, true);
@@ -137,9 +131,6 @@ public function deleteFile(string $id, array $account, string $server): array {
 		$response = $client->delete($server . 'api/v1/files/' . rawurlencode($account['id']) . '/' . rawurlencode($id), [
 			'headers' => $headers,
 			'verify' => false,
-			'nextcloud' => [
-				'allow_local_address' => true,
-			],
 		]);
 		$body = $response->getBody();
 		return json_decode($body, true);
@@ -176,9 +167,6 @@ public function downloadSignedFile(string $id, array $account, string $server) {
 		$response = $client->get($url, [
 			'headers' => $headers,
 			'verify' => false,
-			'nextcloud' => [
-				'allow_local_address' => true,
-			],
 		]);
 		$body = $response->getBody();
 		return $body;
@@ -197,9 +185,6 @@ public function getSignatureDetails(string $id, array $account, string $server,
 		$response = $client->get($url, [
 			'headers' => $headers,
 			'verify' => false,
-			'nextcloud' => [
-				'allow_local_address' => true,
-			],
 		]);
 		$body = $response->getBody();
 		return $body;

From f185a11e9a592b76b61471ab60f75bd8f124bc1e Mon Sep 17 00:00:00 2001
From: Joachim Bauch <bauch@struktur.de>
Date: Mon, 8 May 2023 12:08:47 +0200
Subject: [PATCH 2/2] Add admin option to control HTTPS verification.

---
 lib/Client.php                                | 13 +++++----
 lib/Config.php                                |  4 +++
 lib/Settings/Admin/AdminSettings.php          |  1 +
 .../AdminSettings/InstanceSettings.vue        | 28 +++++++++++++++++++
 4 files changed, 41 insertions(+), 5 deletions(-)

diff --git a/lib/Client.php b/lib/Client.php
index 588ae138..86f48753 100644
--- a/lib/Client.php
+++ b/lib/Client.php
@@ -34,6 +34,7 @@
 class Client {
 	private LoggerInterface $logger;
 	private IClientService $clientService;
+	private Config $config;
 	private Tokens $tokens;
 	private string $nextcloudVersion;
 	private string $appVersion;
@@ -42,9 +43,11 @@ public function __construct(LoggerInterface $logger,
 		IClientService $clientService,
 		IAppManager $appManager,
 		IConfig $systemConfig,
+		Config $config,
 		Tokens $tokens) {
 		$this->logger = $logger;
 		$this->clientService = $clientService;
+		$this->config = $config;
 		$this->tokens = $tokens;
 		$this->appVersion = $appManager->getAppVersion(Application::APP_ID);
 		$this->nextcloudVersion = $systemConfig->getSystemValueString('version', '0.0.0');
@@ -97,7 +100,7 @@ public function shareFile(File $file, array $recipients, ?array $metadata, array
 		$response = $client->post($server . 'api/v1/files/' . rawurlencode($account['id']), [
 			'headers' => $headers,
 			'multipart' => $multipart,
-			'verify' => false,
+			'verify' => !$this->config->insecureSkipVerify(),
 		]);
 		$body = $response->getBody();
 		return json_decode($body, true);
@@ -114,7 +117,7 @@ public function signFile(string $id, array $multipart, array $account, string $s
 		$response = $client->post($server . 'api/v1/files/' . rawurlencode($account['id']) . '/sign/' . rawurlencode($id), [
 			'headers' => $headers,
 			'multipart' => $multipart,
-			'verify' => false,
+			'verify' => !$this->config->insecureSkipVerify(),
 		]);
 		$body = $response->getBody();
 		return json_decode($body, true);
@@ -130,7 +133,7 @@ public function deleteFile(string $id, array $account, string $server): array {
 		]);
 		$response = $client->delete($server . 'api/v1/files/' . rawurlencode($account['id']) . '/' . rawurlencode($id), [
 			'headers' => $headers,
-			'verify' => false,
+			'verify' => !$this->config->insecureSkipVerify(),
 		]);
 		$body = $response->getBody();
 		return json_decode($body, true);
@@ -166,7 +169,7 @@ public function downloadSignedFile(string $id, array $account, string $server) {
 		$client = $this->clientService->newClient();
 		$response = $client->get($url, [
 			'headers' => $headers,
-			'verify' => false,
+			'verify' => !$this->config->insecureSkipVerify(),
 		]);
 		$body = $response->getBody();
 		return $body;
@@ -184,7 +187,7 @@ public function getSignatureDetails(string $id, array $account, string $server,
 		$client = $this->clientService->newClient();
 		$response = $client->get($url, [
 			'headers' => $headers,
-			'verify' => false,
+			'verify' => !$this->config->insecureSkipVerify(),
 		]);
 		$body = $response->getBody();
 		return $body;
diff --git a/lib/Config.php b/lib/Config.php
index 178a2711..848f51f6 100644
--- a/lib/Config.php
+++ b/lib/Config.php
@@ -77,6 +77,10 @@ public function isIntranetInstance(): bool {
 		return $this->config->getAppValue('esig', 'intranet_instance', 'false') === 'true';
 	}
 
+	public function insecureSkipVerify(): bool {
+		return $this->config->getAppValue('esig', 'insecure_skip_verify', 'false') === 'true';
+	}
+
 	public function getSignatureImage(IUser $user): ?ISimpleFile {
 		try {
 			$folder = $this->appData->getFolder($user->getUID());
diff --git a/lib/Settings/Admin/AdminSettings.php b/lib/Settings/Admin/AdminSettings.php
index 3c971c17..e7a4994b 100644
--- a/lib/Settings/Admin/AdminSettings.php
+++ b/lib/Settings/Admin/AdminSettings.php
@@ -71,6 +71,7 @@ public function getForm(): TemplateResponse {
 		$this->initialState->provideInitialState('settings', [
 			'signed_save_mode' => $this->config->getSignedSaveMode(),
 			'intranet_instance' => $this->config->isIntranetInstance(),
+			'insecure_skip_verify' => $this->config->insecureSkipVerify(),
 			'delete_max_age' => $this->config->getDeleteMaxAge(),
 		]);
 
diff --git a/src/components/AdminSettings/InstanceSettings.vue b/src/components/AdminSettings/InstanceSettings.vue
index ee73c5a4..41ac29e8 100644
--- a/src/components/AdminSettings/InstanceSettings.vue
+++ b/src/components/AdminSettings/InstanceSettings.vue
@@ -29,6 +29,14 @@
 				{{ t('esig', 'If this is set, links to the instance will not be sent to external users.') }}
 			</NcCheckboxRadioSwitch>
 		</div>
+		<div>
+			<NcCheckboxRadioSwitch :checked.sync="settings.insecure_skip_verify"
+				type="switch"
+				@update:checked="debounceUpdateInsecureVerify">
+				{{ t('esig', 'Skip verification of certificates when communicating with the backend service.') }}
+				{{ t('esig', 'This is potentially insecure and should only be enabled during development (if necessary).') }}
+			</NcCheckboxRadioSwitch>
+		</div>
 	</NcSettingsSection>
 </template>
 
@@ -78,6 +86,26 @@ export default {
 				},
 			})
 		},
+
+		debounceUpdateInsecureVerify: debounce(function() {
+			this.updateInsecureSkipVerify()
+		}, 500),
+
+		updateInsecureSkipVerify() {
+			this.loading = true
+
+			const self = this
+			OCP.AppConfig.setValue('esig', 'insecure_skip_verify', this.settings.insecure_skip_verify, {
+				success() {
+					showSuccess(t('esig', 'Settings saved'))
+					self.loading = false
+				},
+				error() {
+					showError(t('esig', 'Could not save settings'))
+					self.loading = false
+				},
+			})
+		},
 	},
 }
 </script>