feat: add support for sensitive Declarative settings values encryption

Signed-off-by: Andrey Borysenko <[email protected]>

Author: andrey18106

apps/settings/appinfo/routes.php

@@ -67,6 +67,7 @@
 	],
 	'ocs' => [
 		['name' => 'DeclarativeSettings#setValue', 'url' => '/settings/api/declarative/value', 'verb' => 'POST', 'root' => ''],
+		['name' => 'DeclarativeSettings#setSensitiveValue', 'url' => '/settings/api/declarative/value-sensitive', 'verb' => 'POST', 'root' => ''],
 		['name' => 'DeclarativeSettings#getForms', 'url' => '/settings/api/declarative/forms', 'verb' => 'GET', 'root' => ''],
 	],
 ];

apps/settings/lib/Controller/CommonSettingsTrait.php

@@ -144,6 +144,14 @@ private function getIndexResponse(string $type, string $section): TemplateRespon
 		$this->declarativeSettingsManager->loadSchemas();
 		$declarativeSettings = $this->declarativeSettingsManager->getFormsWithValues($user, $type, $section);
 
+		foreach ($declarativeSettings as &$form) {
+			foreach ($form['fields'] as &$field) {
+				if (isset($field['sensitive']) && $field['sensitive'] && !empty($field['value'])) {
+					$field['value'] = 'dummySecret';
+				}
+			}
+		}
+
 		if ($type === 'personal') {
 			$settings = array_values($this->settingsManager->getPersonalSettings($section));
 			if ($section === 'theming') {

apps/settings/lib/Controller/DeclarativeSettingsController.php

@@ -15,6 +15,7 @@
 use OCA\Settings\ResponseDefinitions;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCS\OCSBadRequestException;
 use OCP\AppFramework\OCSController;
@@ -53,6 +54,31 @@ public function __construct(
 	 */
 	#[NoAdminRequired]
 	public function setValue(string $app, string $formId, string $fieldId, mixed $value): DataResponse {
+		return $this->saveValue($app, $formId, $fieldId, $value);
+	}
+
+	/**
+	 * Sets a declarative settings value.
+	 * Password confirmation is required for sensitive values.
+	 *
+	 * @param string $app ID of the app
+	 * @param string $formId ID of the form
+	 * @param string $fieldId ID of the field
+	 * @param mixed $value Value to be saved
+	 * @return DataResponse<Http::STATUS_OK, null, array{}>
+	 * @throws NotLoggedInException Not logged in or not an admin user
+	 * @throws NotAdminException Not logged in or not an admin user
+	 * @throws OCSBadRequestException Invalid arguments to save value
+	 *
+	 * 200: Value set successfully
+	 */
+	#[NoAdminRequired]
+	#[PasswordConfirmationRequired]
+	public function setSensitiveValue(string $app, string $formId, string $fieldId, mixed $value): DataResponse {
+		return $this->saveValue($app, $formId, $fieldId, $value);
+	}
+
+	private function saveValue(string $app, string $formId, string $fieldId, mixed $value): DataResponse {
 		$user = $this->userSession->getUser();
 		if ($user === null) {
 			throw new NotLoggedInException();

apps/settings/lib/ResponseDefinitions.php

@@ -20,6 +20,7 @@
  *   default: mixed,
  *   options?: list<string|array{name: string, value: mixed}>,
  *   value: string|int|float|bool|list<string>,
+ *   sensitive?: boolean,
  * }
  *
  * @psalm-type SettingsDeclarativeForm = array{

apps/settings/src/components/DeclarativeSettings/DeclarativeSection.vue

@@ -119,6 +119,7 @@ import NcSettingsSection from '@nextcloud/vue/components/NcSettingsSection'
 import NcInputField from '@nextcloud/vue/components/NcInputField'
 import NcSelect from '@nextcloud/vue/components/NcSelect'
 import NcCheckboxRadioSwitch from '@nextcloud/vue/components/NcCheckboxRadioSwitch'
+import { confirmPassword } from '@nextcloud/password-confirmation'
 
 export default {
 	name: 'DeclarativeSection',
@@ -202,9 +203,19 @@ export default {
 			}
 		},
 
-		updateDeclarativeSettingsValue(formField, value = null) {
+		async updateDeclarativeSettingsValue(formField, value = null) {
 			try {
-				return axios.post(generateOcsUrl('settings/api/declarative/value'), {
+				let url = generateOcsUrl('settings/api/declarative/value')
+				if (formField?.sensitive) {
+					url = generateOcsUrl('settings/api/declarative/value-sensitive')
+					try {
+						await confirmPassword()
+					} catch (err) {
+						showError(t('settings', 'Password confirmation is required'))
+						return
+					}
+				}
+				return axios.post(url, {
 					app: this.formApp,
 					formId: this.form.id.replace(this.formApp + '_', ''), // Remove app prefix to send clean form id
 					fieldId: formField.id,

apps/settings/src/main-declarative-settings-forms.ts

@@ -20,6 +20,7 @@ interface DeclarativeFormField {
 	options: Array<unknown>|null,
 	value: unknown,
 	default: unknown,
+	sensitive: boolean,
 }
 
 interface DeclarativeForm {

apps/testing/lib/Settings/DeclarativeSettingsForm.php

@@ -169,6 +169,26 @@ public function getSchema(): array {
 						],
 					],
 				],
+				[
+					'id' => 'test_sensitive_field',
+					'title' => 'Sensitive text field',
+					'description' => 'Set some secure value setting that is stored encrypted',
+					'type' => DeclarativeSettingsTypes::TEXT,
+					'label' => 'Sensitive field',
+					'placeholder' => 'Set secure value',
+					'default' => '',
+					'sensitive' => true, // only for TEXT, PASSWORD types
+				],
+				[
+					'id' => 'test_sensitive_field_2',
+					'title' => 'Sensitive password field',
+					'description' => 'Set some password setting that is stored encrypted',
+					'type' => DeclarativeSettingsTypes::PASSWORD,
+					'label' => 'Sensitive field',
+					'placeholder' => 'Set secure value',
+					'default' => '',
+					'sensitive' => true, // only for TEXT, PASSWORD types
+				],
 			],
 		];
 	}

lib/private/Settings/DeclarativeManager.php

@@ -15,6 +15,7 @@
 use OCP\IConfig;
 use OCP\IGroupManager;
 use OCP\IUser;
+use OCP\Security\ICrypto;
 use OCP\Server;
 use OCP\Settings\DeclarativeSettingsTypes;
 use OCP\Settings\Events\DeclarativeSettingsGetValueEvent;
@@ -49,6 +50,7 @@ public function __construct(
 		private IConfig $config,
 		private IAppConfig $appConfig,
 		private LoggerInterface $logger,
+		private ICrypto $crypto,
 	) {
 	}
 
@@ -266,7 +268,7 @@ public function setValue(IUser $user, string $app, string $formId, string $field
 				$this->eventDispatcher->dispatchTyped(new DeclarativeSettingsSetValueEvent($user, $app, $formId, $fieldId, $value));
 				break;
 			case DeclarativeSettingsTypes::STORAGE_TYPE_INTERNAL:
-				$this->saveInternalValue($user, $app, $fieldId, $value);
+				$this->saveInternalValue($user, $app, $formId, $fieldId, $value);
 				break;
 			default:
 				throw new Exception('Unknown storage type "' . $storageType . '"');
@@ -290,18 +292,54 @@ private function getForm(string $app, string $formId): ?IDeclarativeSettingsForm
 	private function getInternalValue(IUser $user, string $app, string $formId, string $fieldId): mixed {
 		$sectionType = $this->getSectionType($app, $fieldId);
 		$defaultValue = $this->getDefaultValue($app, $formId, $fieldId);
+
+		$form = $this->getForm($app, $fieldId);
+		if ($form === null) {
+			$field = $this->getSchemaField($app, $formId, $fieldId);
+		} else {
+			$field = $this->getSchemaField($app, $formId, $fieldId, $form);
+		}
+		$isSensitive = $field !== null && isset($field['sensitive']) && $field['sensitive'];
+
 		switch ($sectionType) {
 			case DeclarativeSettingsTypes::SECTION_TYPE_ADMIN:
-				return $this->config->getAppValue($app, $fieldId, $defaultValue);
+				$value = $this->config->getAppValue($app, $fieldId, $defaultValue);
+				break;
 			case DeclarativeSettingsTypes::SECTION_TYPE_PERSONAL:
-				return $this->config->getUserValue($user->getUID(), $app, $fieldId, $defaultValue);
+				$value = $this->config->getUserValue($user->getUID(), $app, $fieldId, $defaultValue);
+				break;
 			default:
 				throw new Exception('Unknown section type "' . $sectionType . '"');
 		}
+		if ($isSensitive && !empty($value)) {
+			try {
+				$value = $this->crypto->decrypt($value);
+			} catch (Exception $e) {
+				$this->logger->warning(sprintf('Failed to decrypt sensitive value for field "%s" in app "%s": %s', $fieldId, $app, $e->getMessage()));
+				$value = $defaultValue;
+			}
+		}
+		return $value;
 	}
 
-	private function saveInternalValue(IUser $user, string $app, string $fieldId, mixed $value): void {
+	private function saveInternalValue(IUser $user, string $app, string $formId, string $fieldId, mixed $value): void {
 		$sectionType = $this->getSectionType($app, $fieldId);
+
+		$form = $this->getForm($app, $formId);
+		if ($form === null) {
+			$field = $this->getSchemaField($app, $formId, $fieldId);
+		} else {
+			$field = $this->getSchemaField($app, $formId, $fieldId, $form);
+		}
+		if ($field !== null && isset($field['sensitive']) && $field['sensitive'] && !empty($value) && $value !== 'dummySecret') {
+			try {
+				$value = $this->crypto->encrypt($value);
+			} catch (Exception $e) {
+				$this->logger->warning(sprintf('Failed to encrypt sensitive value for field "%s" in app "%s": %s', $fieldId, $app, $e->getMessage()));
+				throw new Exception('Failed to encrypt sensitive value');
+			}
+		}
+
 		switch ($sectionType) {
 			case DeclarativeSettingsTypes::SECTION_TYPE_ADMIN:
 				$this->appConfig->setValueString($app, $fieldId, $value);
@@ -314,6 +352,26 @@ private function saveInternalValue(IUser $user, string $app, string $fieldId, mi
 		}
 	}
 
+	private function getSchemaField(string $app, string $formId, string $fieldId, ?IDeclarativeSettingsForm $form = null): ?array {
+		if ($form !== null) {
+			foreach ($form->getSchema()['fields'] as $field) {
+				if ($field['id'] === $fieldId) {
+					return $field;
+				}
+			}
+		}
+		foreach ($this->appSchemas[$app] ?? [] as $schema) {
+			if ($schema['id'] === $formId) {
+				foreach ($schema['fields'] as $field) {
+					if ($field['id'] === $fieldId) {
+						return $field;
+					}
+				}
+			}
+		}
+		return null;
+	}
+
 	private function getDefaultValue(string $app, string $formId, string $fieldId): mixed {
 		foreach ($this->appSchemas[$app] as $schema) {
 			if ($schema['id'] === $formId) {
@@ -391,6 +449,12 @@ private function validateSchema(string $appId, array $schema): bool {
 				]);
 				return false;
 			}
+			if (!in_array($field['type'], [DeclarativeSettingsTypes::TEXT, DeclarativeSettingsTypes::PASSWORD]) && isset($field['sensitive']) && $field['sensitive']) {
+				$this->logger->warning('Declarative settings: sensitive field type is supported only for TEXT and PASSWORD types', [
+					'app' => $appId, 'form_id' => $formId, 'field_id' => $fieldId,
+				]);
+				return false;
+			}
 			if (!$this->validateField($appId, $formId, $field)) {
 				return false;
 			}

lib/public/Settings/IDeclarativeSettingsForm.php

@@ -27,6 +27,7 @@
  *   label?: string,
  *   default: mixed,
  *   options?: list<string|array{name: string, value: mixed}>,
+ *   sensitive?: boolean,
  * }
  *
  * @psalm-type DeclarativeSettingsFormFieldWithValue = DeclarativeSettingsFormField&array{