added EX-APP-VERSION handling (#80)

Reject requests with different from ours `EX-APP-VERSION`

Signed-off-by: Alexander Piskun <bigcat88@icloud.com>

Author: bigcat88

.run/_app_security_checks.run.xml

@@ -0,0 +1,26 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="_app_security_checks" type="PythonConfigurationType" factoryName="Python" nameIsGenerated="true">
+    <module name="nc_py_api" />
+    <option name="INTERPRETER_OPTIONS" value="" />
+    <option name="PARENT_ENVS" value="true" />
+    <envs>
+      <env name="APP_ID" value="nc_py_api" />
+      <env name="APP_SECRET" value="12345" />
+      <env name="PYTHONUNBUFFERED" value="1" />
+    </envs>
+    <option name="SDK_HOME" value="" />
+    <option name="WORKING_DIRECTORY" value="$PROJECT_DIR$/tests" />
+    <option name="IS_MODULE_SDK" value="true" />
+    <option name="ADD_CONTENT_ROOTS" value="true" />
+    <option name="ADD_SOURCE_ROOTS" value="true" />
+    <EXTENSION ID="PythonCoverageRunConfigurationExtension" runner="coverage.py" />
+    <option name="SCRIPT_NAME" value="$PROJECT_DIR$/tests/_app_security_checks.py" />
+    <option name="PARAMETERS" value="http://127.0.0.1:9009" />
+    <option name="SHOW_COMMAND_LINE" value="false" />
+    <option name="EMULATE_TERMINAL" value="false" />
+    <option name="MODULE_MODE" value="false" />
+    <option name="REDIRECT_INPUT" value="false" />
+    <option name="INPUT_FILE" value="" />
+    <method v="2" />
+  </configuration>
+</component>

.run/register.run.xml

@@ -0,0 +1,29 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="register" type="PythonConfigurationType" factoryName="Python">
+    <module name="nc_py_api" />
+    <option name="INTERPRETER_OPTIONS" value="" />
+    <option name="PARENT_ENVS" value="true" />
+    <envs>
+      <env name="APP_ID" value="nc_py_api" />
+      <env name="APP_PORT" value="9009" />
+      <env name="APP_SECRET" value="12345" />
+      <env name="APP_VERSION" value="1.0.0" />
+      <env name="NEXTCLOUD_URL" value="http://nextcloud.local/index.php" />
+      <env name="PYTHONUNBUFFERED" value="1" />
+    </envs>
+    <option name="SDK_HOME" value="" />
+    <option name="WORKING_DIRECTORY" value="$PROJECT_DIR$/tests" />
+    <option name="IS_MODULE_SDK" value="true" />
+    <option name="ADD_CONTENT_ROOTS" value="true" />
+    <option name="ADD_SOURCE_ROOTS" value="true" />
+    <EXTENSION ID="PythonCoverageRunConfigurationExtension" runner="coverage.py" />
+    <option name="SCRIPT_NAME" value="$PROJECT_DIR$/tests/_install.py" />
+    <option name="PARAMETERS" value="" />
+    <option name="SHOW_COMMAND_LINE" value="false" />
+    <option name="EMULATE_TERMINAL" value="false" />
+    <option name="MODULE_MODE" value="false" />
+    <option name="REDIRECT_INPUT" value="false" />
+    <option name="INPUT_FILE" value="" />
+    <method v="2" />
+  </configuration>
+</component>

nc_py_api/_session.py

@@ -369,7 +369,7 @@ def sign_request(self, method: str, url_params: str, headers: dict, data: Option
         if "NC-USER-ID" in sign_headers:
             headers["NC-USER-ID"] = sign_headers["NC-USER-ID"]
 
-    def sign_check(self, request: Request):
+    def sign_check(self, request: Request) -> None:
         current_time = int(datetime.now(timezone.utc).timestamp())
         headers = {
             "AE-VERSION": request.headers.get("AE-VERSION", ""),
@@ -386,8 +386,9 @@ def sign_check(self, request: Request):
         if empty_headers:
             raise ValueError(f"Missing required headers:{empty_headers}")
 
-        if headers["EX-APP-VERSION"] != self.adapter.headers.get("EX-APP-VERSION"):
-            pass  # TO-DO: we should reject all requests and ask server to update our app version
+        our_version = self.adapter.headers.get("EX-APP-VERSION", "")
+        if headers["EX-APP-VERSION"] != our_version:
+            raise ValueError(f"Invalid EX-APP-VERSION:{headers['EX-APP-VERSION']} <=> {our_version}")
 
         request_time = int(headers["AE-SIGN-TIME"])
         if request_time < current_time - 5 * 60 or request_time > current_time + 5 * 60:
@@ -411,4 +412,3 @@ def sign_check(self, request: Request):
             raise ValueError(f"Invalid AE-DATA-HASH:{ae_data_hash} !={headers['AE-DATA-HASH']}")
         if headers["EX-APP-ID"] != self.cfg.app_name:
             raise ValueError(f"Invalid EX-APP-ID:{headers['EX-APP-ID']} != {self.cfg.app_name}")
-        return True

nc_py_api/_version.py

@@ -1,3 +1,3 @@
 """Version of nc_py_api."""
 
-__version__ = "0.0.29"
+__version__ = "0.0.30.dev"

tests/_app_security_checks.py

@@ -58,6 +58,19 @@ def sign_request(url: str, req_headers: dict, time: int = 0):
     # Invalid AE-DATA-HASH
     result = requests.put(request_url, headers=headers, data=b"some_data")
     assert result.status_code == 401
+    # Invalid EX-APP-VERSION
+    sign_request("/sec_check?value=0", headers)
+    result = requests.put(request_url, headers=headers)
+    assert result.status_code == 200
+    old_version = headers["EX-APP-VERSION"]
+    headers["EX-APP-VERSION"] = "999.0.0"
+    sign_request("/sec_check?value=0", headers)
+    result = requests.put(request_url, headers=headers)
+    assert result.status_code == 401
+    headers["EX-APP-VERSION"] = old_version
+    sign_request("/sec_check?value=0", headers)
+    result = requests.put(request_url, headers=headers)
+    assert result.status_code == 200
     # Sign time
     sign_request("/sec_check?value=0", headers, time=int(datetime.now(timezone.utc).timestamp()))
     result = requests.put(request_url, headers=headers)