feat: electronic signing, add settings for eIDEasy #4328
Conversation
|
@juliusknorr could you please review this when you have time? How to test, if you want: take the eideasy test url/clientid/secret from CollaboraOnline/online#10630 (comment), go to the richdocuments admin settings and configure the 3 values. Then open a PDF in COOL, Insert menu -> add electronic signature, you'll need to decide what provider to use, accept the default. Then you need a test personal ID, use the value from the above GH comment. Once the popup is closed, you will notice a signature green sign / warning sign in the statusbar (depending on if the test CA is manually trusted), you can view the signature there. #4311 (comment) has a screenshot on how this looks like on my end currently. Thanks. |
|
Oh and forgot to mention: it seems to me that none of the 4 failing checks are related to the changes in this PR, but please let me know if I overlooked something. Thanks. |
|
One more small thing: the properties used here are now documented at https://sdk.collaboraonline.com/docs/advanced_integration.html#electronic-signature-handling, so it's a bit safer to depend on them here. |
juliusknorr
added
enhancement
|
Yes, CI failures are unrelated 👍 |
lib/Controller/WopiController.php
Outdated
| } | ||
| $eSignatureClientId = $this->config->getAppValue(Application::APPNAME, 'esignature_client_id'); | ||
| if ($eSignatureClientId !== '') { | ||
| $response['UserPrivateInfo']['ESignatureClientId'] = $eSignatureClientId; |
There was a problem hiding this comment.
Confuses me a bit that this is in UserPrivateInfo, while it is not specific to the user and rather an instance wide setting.
There was a problem hiding this comment.
This is probably because of my limited experience with WOPI: do you suggest to move this to a toplevel field in the response or something else?
The eid secret is something that the cool server should have access to, but we intentionally don't push it to the client.
Thanks.
There was a problem hiding this comment.
Yes, top level or nested like this should be fine I think, but maybe worth to check if there are more strong opinions from others working on WOPI on your side.
$response['ElectronicSignature']['ClientId'] = $eSignatureClientId;
There was a problem hiding this comment.
I would tend to go with a ServerPrivateInfo toplevel field to contain not just esign properties, but anything where it's important to configure the WOPI allowlist. As you suggest, I'll check with others on the Collabora side and get back to you on this.
| <h2>{{ t('richdocuments', 'Electronic signature settings') }}</h2> | ||
| <SettingsInputText v-model="settings.esignature_base_url" | ||
| :label="t('richdocuments', 'URL for the electronic signature API')" | ||
| :hint="t('richdocuments', 'The production API URL is https://id.eideasy.com, the test API URL is https://test.eideasy.com.')" |
There was a problem hiding this comment.
Not a blocker, just curious, apart from development is there any reason to configure the test API URL in productive usage? If not I'd remove the input for this one and rather document how to set this value with the CLI for developers.
There was a problem hiding this comment.
Yes, this is basically for development only, you're right. Where to document this, is docs/app_settings.md a good place to mention it?
There was a problem hiding this comment.
Yes, that sounds good, there might be more undocumented ones, but that is the best place from my perspective 👍
|
Left some quick comments, but generally looks fine from my side. 👍 Have not tested yet. |
Electronic signing needs to store settings as richdocuments settings. This involves the API URL, a client ID visible to the browser and a secret, which is only used during server-side requests. The WOPI CheckFileInfo reply sends this information to the COOL server, similar to how it's done for digital signing (via PEM files). Add the settings as admin settings, otherwise normal users would be able to use eIDEasy services outside richdocuments. <CollaboraOnline/online#10630 (comment)> has instructions on what test data to use to try out the service in a test environment. Additionally, if the test CA is configured to be trusted as a user setting, then the green stamp icon will show up in the status bar. Signed-off-by: Miklos Vajna <[email protected]>
vmiklos
force-pushed
the
private/vmiklos/main
branch
from
67bd10e to
45875ff
Compare
|
Just pushing what I have so far, I still need to address the comment about making the API URL cmdline-only + moving to ServerPrivateInfo. |
Summary
Electronic signing needs to store settings as richdocuments settings. This involves the API URL, a client ID visible to the browser and a secret, which is only used during server-side requests.
The WOPI CheckFileInfo reply sends this information to the COOL server, similar to how it's done for digital signing (via PEM files).
Add the settings as admin settings, otherwise normal users would be able to use eIDEasy services outside richdocuments.
CollaboraOnline/online#10630 (comment) has instructions on what test data to use to try out the service in a test environment. Additionally, if the test CA is configured to be trusted as a user setting, then the green stamp icon will show up in the status bar.
Checklist