[stable32] feat: docmdp implementation

REUSE.toml

@@ -50,6 +50,7 @@ path = [
     "src/types/openapi/openapi.ts",
     "tests/php/Unit/Handler/mock/cert.json",
     "tests/php/fixtures/cfssl/newcert-with-success.json",
+    "tests/php/fixtures/real_jsignpdf_level1.pdf",
     "tests/php/fixtures/small_valid-signed.pdf",
     "tests/php/fixtures/small_valid.pdf",
     "tests/integration/composer.json",

lib/Controller/AdminController.php

@@ -10,13 +10,15 @@
 
 use DateTimeInterface;
 use OCA\Libresign\AppInfo\Application;
+use OCA\Libresign\Enum\DocMdpLevel;
 use OCA\Libresign\Exception\LibresignException;
 use OCA\Libresign\Handler\CertificateEngine\CertificateEngineFactory;
 use OCA\Libresign\Handler\CertificateEngine\IEngineHandler;
 use OCA\Libresign\Helper\ConfigureCheckHelper;
 use OCA\Libresign\ResponseDefinitions;
 use OCA\Libresign\Service\Certificate\ValidateService;
 use OCA\Libresign\Service\CertificatePolicyService;
+use OCA\Libresign\Service\DocMdpConfigService;
 use OCA\Libresign\Service\FooterService;
 use OCA\Libresign\Service\Install\ConfigureCheckService;
 use OCA\Libresign\Service\Install\InstallService;
@@ -64,6 +66,7 @@ public function __construct(
 		private ValidateService $validateService,
 		private ReminderService $reminderService,
 		private FooterService $footerService,
+		private DocMdpConfigService $docMdpConfigService,
 	) {
 		parent::__construct(Application::APP_ID, $request);
 		$this->eventSource = $this->eventSourceFactory->create();
@@ -857,4 +860,41 @@ public function footerTemplatePreviewPdf(string $template = '', int $width = 595
 			], Http::STATUS_BAD_REQUEST);
 		}
 	}
+
+	/**
+	 * Set DocMDP configuration
+	 *
+	 * @param bool $enabled Enable or disable DocMDP certification
+	 * @param int $defaultLevel Default DocMDP level (0-3): 0=none, 1=no changes, 2=form fill, 3=form fill + annotations
+	 * @return DataResponse<Http::STATUS_OK, array{message: string}, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, array{error: string}, array{}>|DataResponse<Http::STATUS_INTERNAL_SERVER_ERROR, array{error: string}, array{}>
+	 *
+	 * 200: Configuration saved successfully
+	 * 400: Invalid DocMDP level provided
+	 * 500: Internal server error
+	 */
+	#[ApiRoute(verb: 'POST', url: '/api/{apiVersion}/admin/docmdp/config', requirements: ['apiVersion' => '(v1)'])]
+	public function setDocMdpConfig(bool $enabled, int $defaultLevel): DataResponse {
+		try {
+			$this->docMdpConfigService->setEnabled($enabled);
+
+			if ($enabled) {
+				$level = DocMdpLevel::tryFrom($defaultLevel);
+				if ($level === null) {
+					return new DataResponse([
+						'error' => $this->l10n->t('Invalid DocMDP level'),
+					], Http::STATUS_BAD_REQUEST);
+				}
+
+				$this->docMdpConfigService->setLevel($level);
+			}
+
+			return new DataResponse([
+				'message' => $this->l10n->t('Settings saved'),
+			]);
+		} catch (\Exception $e) {
+			return new DataResponse([
+				'error' => $e->getMessage(),
+			], Http::STATUS_INTERNAL_SERVER_ERROR);
+		}
+	}
 }

lib/Db/SignRequest.php

@@ -30,6 +30,8 @@
  * @method string getDisplayName()
  * @method void setMetadata(array $metadata)
  * @method ?array getMetadata()
+ * @method void setDocmdpLevel(int $docmdpLevel)
+ * @method int getDocmdpLevel()
  */
 class SignRequest extends Entity {
 	protected ?int $fileId = null;
@@ -40,6 +42,7 @@ class SignRequest extends Entity {
 	protected ?\DateTime $signed = null;
 	protected ?string $signedHash = null;
 	protected ?array $metadata = null;
+	protected int $docmdpLevel = 0;
 	public function __construct() {
 		$this->addType('id', Types::INTEGER);
 		$this->addType('fileId', Types::INTEGER);
@@ -50,5 +53,6 @@ public function __construct() {
 		$this->addType('signed', Types::DATETIME);
 		$this->addType('signedHash', Types::STRING);
 		$this->addType('metadata', Types::JSON);
+		$this->addType('docmdpLevel', Types::SMALLINT);
 	}
 }

lib/Enum/DocMdpLevel.php

@@ -25,17 +25,17 @@ public function getLabel(IL10N $l10n): string {
 		return match($this) {
 			self::NOT_CERTIFIED => $l10n->t('No certification'),
 			self::CERTIFIED_NO_CHANGES_ALLOWED => $l10n->t('No changes allowed'),
-			self::CERTIFIED_FORM_FILLING => $l10n->t('Form filling and additional signatures'),
-			self::CERTIFIED_FORM_FILLING_AND_ANNOTATIONS => $l10n->t('Form filling, annotations and additional signatures'),
+			self::CERTIFIED_FORM_FILLING => $l10n->t('Form filling allowed'),
+			self::CERTIFIED_FORM_FILLING_AND_ANNOTATIONS => $l10n->t('Form filling and commenting allowed'),
 		};
 	}
 
 	public function getDescription(IL10N $l10n): string {
 		return match($this) {
-			self::NOT_CERTIFIED => $l10n->t('Document is not certified. No restrictions on modifications.'),
-			self::CERTIFIED_NO_CHANGES_ALLOWED => $l10n->t('No changes allowed. Additional approval signatures are prohibited.'),
-			self::CERTIFIED_FORM_FILLING => $l10n->t('Form filling allowed. Additional approval signatures are allowed.'),
-			self::CERTIFIED_FORM_FILLING_AND_ANNOTATIONS => $l10n->t('Form filling and annotations allowed. Additional approval signatures are allowed.'),
+			self::NOT_CERTIFIED => $l10n->t('The document is not certified; edits and new signatures are allowed, but any change will mark previous signatures as modified.'),
+			self::CERTIFIED_NO_CHANGES_ALLOWED => $l10n->t('After the first signature, no further edits or signatures are allowed; any change invalidates the certification.'),
+			self::CERTIFIED_FORM_FILLING => $l10n->t('After the first signature, only form filling and additional signatures are allowed; other changes invalidate the certification.'),
+			self::CERTIFIED_FORM_FILLING_AND_ANNOTATIONS => $l10n->t('After the first signature, form filling, comments, and additional signatures are allowed; other changes invalidate the certification.'),
 		};
 	}
 }

lib/Handler/DocMdpHandler.php

@@ -26,6 +26,12 @@ public function __construct(
 	) {
 	}
 
+	public function allowsAdditionalSignatures($resource): bool {
+		$docmdpLevel = $this->extractDocMdpLevel($resource);
+
+		return $docmdpLevel !== DocMdpLevel::CERTIFIED_NO_CHANGES_ALLOWED;
+	}
+
 	public function extractDocMdpData($resource): array {
 		if (!is_resource($resource)) {
 			return [];
@@ -160,15 +166,15 @@ private function extractPValueFromIndirectReference(string $content, string $ind
 	 * @return array Array of objects with keys: objNum, dict, position
 	 */
 	private function parsePdfObjects(string $content): array {
-		if (!preg_match_all('/(\d+)\s+\d+\s+obj\s*(<<.*?>>)\s*endobj/s', $content, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
+		if (!preg_match_all('/(\d+)\s+\d+\s+obj(.*?)endobj/s', $content, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
 			return [];
 		}
 
 		$objects = [];
 		foreach ($matches as $match) {
 			$objects[] = [
 				'objNum' => $match[1][0],
-				'dict' => $match[2][0],
+				'dict' => trim($match[2][0]),
 				'position' => $match[2][1],
 			];
 		}
@@ -452,16 +458,11 @@ private function validateSignatureDictionary(string $content): bool {
 		return $this->validateDictionaryEntries($sigDict);
 	}
 
-	/**
-	 * Find signature dictionary with /Reference entry
-	 *
-	 * @param array $objects Parsed PDF objects
-	 * @return string|null Dictionary content or null
-	 */
 	private function findSignatureDictionary(array $objects): ?string {
 		foreach ($objects as $obj) {
-			if (preg_match('/\/Reference\s*\[/', $obj['dict'])) {
-				return $obj['dict'];
+			$dict = $obj['dict'];
+			if (preg_match('/\/Type\s*\/Sig\b/', $dict) && preg_match('/\/Reference\s*\[/', $dict)) {
+				return $dict;
 			}
 		}
 		return null;
@@ -474,7 +475,7 @@ private function findSignatureDictionary(array $objects): ?string {
 	 * @return bool True if all required entries are valid
 	 */
 	private function validateDictionaryEntries(string $dict): bool {
-		if (preg_match('/\/Type\s*\/(\w+)/', $dict, $typeMatch) && $typeMatch[1] !== 'Sig') {
+		if (!preg_match('/\/Type\s*\/Sig\b/', $dict)) {
 			return false;
 		}
 

lib/Handler/SignEngine/JSignPdfHandler.php

@@ -14,6 +14,7 @@
 use OCA\Libresign\Exception\LibresignException;
 use OCA\Libresign\Handler\CertificateEngine\CertificateEngineFactory;
 use OCA\Libresign\Helper\JavaHelper;
+use OCA\Libresign\Service\DocMdpConfigService;
 use OCA\Libresign\Service\Install\InstallService;
 use OCA\Libresign\Service\SignatureBackgroundService;
 use OCA\Libresign\Service\SignatureTextService;
@@ -40,6 +41,7 @@ public function __construct(
 		private SignatureBackgroundService $signatureBackgroundService,
 		protected CertificateEngineFactory $certificateEngineFactory,
 		protected JavaHelper $javaHelper,
+		private DocMdpConfigService $docMdpConfigService,
 	) {
 	}
 
@@ -86,6 +88,11 @@ public function getJSignParam(): JSignParam {
 					. ' -Duser.home=' . escapeshellarg($this->getHome()) . ' '
 				);
 			}
+
+			$certificationLevel = $this->getCertificationLevel();
+			if ($certificationLevel !== null) {
+				$this->jSignParam->setJSignParameters(' -cl ' . $certificationLevel);
+			}
 		}
 		return $this->jSignParam;
 	}
@@ -147,6 +154,15 @@ private function getHashAlgorithm(): string {
 		return 'SHA256';
 	}
 
+	private function getCertificationLevel(): ?string {
+		if (!$this->docMdpConfigService->isEnabled()) {
+			return null;
+		}
+
+		return $this->docMdpConfigService->getLevel()->name;
+	}
+
+	#[\Override]
 	public function sign(): File {
 		$this->beforeSign();
 
@@ -155,6 +171,7 @@ public function sign(): File {
 		return $this->getInputFile();
 	}
 
+	#[\Override]
 	public function getSignedContent(): string {
 		$param = $this->getJSignParam()
 			->setCertificate($this->getCertificate())
@@ -280,6 +297,7 @@ private function getScaleFactor(float $width): float {
 	}
 
 
+	#[\Override]
 	public function readCertificate(): array {
 		$result = $this->certificateEngineFactory
 			->getEngine()

lib/Migration/Version14000Date20251206120000.php

@@ -25,17 +25,29 @@ class Version14000Date20251206120000 extends SimpleMigrationStep {
 	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options): ?ISchemaWrapper {
 		/** @var ISchemaWrapper $schema */
 		$schema = $schemaClosure();
-		$table = $schema->getTable('libresign_file');
 
-		if (!$table->hasColumn('modification_status')) {
-			$table->addColumn('modification_status', Types::SMALLINT, [
-				'notnull' => true,
-				'default' => 0,
-				'comment' => 'DocMDP modification detection status: 0=unchecked, 1=unmodified, 2=allowed, 3=violation',
-			]);
-			return $schema;
+		if ($schema->hasTable('libresign_sign_request')) {
+			$tableSignRequest = $schema->getTable('libresign_sign_request');
+			if (!$tableSignRequest->hasColumn('docmdp_level')) {
+				$tableSignRequest->addColumn('docmdp_level', Types::SMALLINT, [
+					'notnull' => true,
+					'default' => 0,
+					'comment' => 'DocMDP permission level: 0=none, 1=no changes, 2=form fill, 3=form fill + annotations',
+				]);
+			}
 		}
 
-		return null;
+		if ($schema->hasTable('libresign_file')) {
+			$tableFile = $schema->getTable('libresign_file');
+			if (!$tableFile->hasColumn('modification_status')) {
+				$tableFile->addColumn('modification_status', Types::SMALLINT, [
+					'notnull' => true,
+					'default' => 0,
+					'comment' => 'DocMDP modification detection status: 0=unchecked, 1=unmodified, 2=allowed, 3=violation',
+				]);
+			}
+		}
+
+		return $schema;
 	}
 }

lib/Service/DocMdpConfigService.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2025 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Service;
+
+use OCA\Libresign\AppInfo\Application;
+use OCA\Libresign\Enum\DocMdpLevel;
+use OCP\IAppConfig;
+use OCP\IL10N;
+
+class DocMdpConfigService {
+	private const CONFIG_KEY_LEVEL = 'docmdp_level';
+
+	public function __construct(
+		private IAppConfig $appConfig,
+		private IL10N $l10n,
+	) {
+	}
+
+	public function isEnabled(): bool {
+		return $this->appConfig->hasKey(Application::APP_ID, self::CONFIG_KEY_LEVEL);
+	}
+
+	public function setEnabled(bool $enabled): void {
+		if (!$enabled) {
+			$this->appConfig->deleteKey(Application::APP_ID, self::CONFIG_KEY_LEVEL);
+		}
+	}
+
+	public function getLevel(): DocMdpLevel {
+		$level = $this->appConfig->getValueInt(Application::APP_ID, self::CONFIG_KEY_LEVEL, DocMdpLevel::NOT_CERTIFIED->value);
+		return DocMdpLevel::from($level);
+	}
+
+	public function setLevel(DocMdpLevel $level): void {
+		$this->appConfig->setValueInt(Application::APP_ID, self::CONFIG_KEY_LEVEL, $level->value);
+	}
+
+	public function getConfig(): array {
+		return [
+			'enabled' => $this->isEnabled(),
+			'defaultLevel' => $this->getLevel()->value,
+			'availableLevels' => $this->getAvailableLevels(),
+		];
+	}
+
+	private function getAvailableLevels(): array {
+		return array_map(
+			fn (DocMdpLevel $level) => [
+				'value' => $level->value,
+				'label' => $level->getLabel($this->l10n),
+				'description' => $level->getDescription($this->l10n),
+			],
+			DocMdpLevel::cases()
+		);
+	}
+}