Merge pull request #8492 from nextcloud/feature/store-recording

appinfo/routes/routesRecordingController.php

@@ -34,5 +34,7 @@ return [
 		['name' => 'Recording#startRecording', 'url' => '/api/{apiVersion}/recording/{token}', 'verb' => 'POST', 'requirements' => $requirements],
 		/** @see \OCA\Talk\Controller\RecordingController::stopRecording() */
 		['name' => 'Recording#stopRecording', 'url' => '/api/{apiVersion}/recording/{token}', 'verb' => 'DELETE', 'requirements' => $requirements],
+		/** @see \OCA\Talk\Controller\RecordingController::store() */
+		['name' => 'Recording#store', 'url' => '/api/{apiVersion}/recording/{token}/store', 'verb' => 'POST', 'requirements' => $requirements],
 	],
 ];

docs/recording.md

@@ -37,3 +37,38 @@
         + `400 Bad Request` Message: `call`. Call is not activated.
         + `403 Forbidden` When the user is not a moderator/owner.
         + `412 Precondition Failed` When the lobby is active and the user is not a moderator.
+
+## Store call recording
+
+* Required capability: `recording-v1`
+* Method: `POST`
+* Endpoint: `/recording/{token}/store`
+
+* Header:
+
+| field                     | type   | Description                                                                                                                |
+| ------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------- |
+| `TALK_SIPBRIDGE_RANDOM`   | string | Random string that needs to be concatenated with room token to generate the checksum using the `sip_bridge_shared_secret`. |
+| `TALK_SIPBRIDGE_CHECKSUM` | string | The checksum generated with `TALK_SIPBRIDGE_RANDOM`.                                                                       |
+
+* Data:
+
+| field   | type   | Description                                               |
+| ------- | ------ | --------------------------------------------------------- |
+| `file`  | string | File with the recording in a multipart/form-data request. |
+| `owner` | string | The person that started the recording.                    |
+
+* Response:
+    - Status code:
+        + `200 OK`
+        + `400 Bad Request` Error: `invalid_file`: File in block list or invalid
+        + `400 Bad Request` Error: `empty_file`: Invalid file extension
+        + `400 Bad Request` Error: `file_mimetype`: Invalid mimetype
+        + `400 Bad Request` Error: `file_name`. :nvalid file name
+        + `400 Bad Request` Error: `file_extension`: Invalid file extension
+        + `400 Bad Request` Error: `owner_participant`: Owner is not to be a participant of room
+        + `400 Bad Request` Error: `owner_invalid`: Owner invalid
+        + `400 Bad Request` Error: `owner_permission`: Owner have not permission to store record file
+        + `401 Unauthorized` When the validation as SIP bridge failed
+        + `404 Not Found` Room not found
+        + `429 Too Many Request` Brute force protection

lib/Config.php

@@ -34,7 +34,6 @@ use OCP\IURLGenerator;
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\Security\ISecureRandom;
-use OCP\Server;
 
 class Config {
 	public const SIGNALING_INTERNAL = 'internal';
@@ -153,6 +152,15 @@ class Config {
 		return $isSignalingOk && $recordingEnabled;
 	}
 
+	public function getRecordingFolder(string $userId): string {
+		return $this->config->getUserValue(
+			$userId,
+			'spreed',
+			'recording_folder',
+			$this->getAttachmentFolder($userId) . '/Recording'
+		);
+	}
+
 	public function isDisabledForUser(IUser $user): bool {
 		$allowedGroups = $this->getAllowedTalkGroupIds();
 		if (empty($allowedGroups)) {

lib/Controller/RecordingController.php

@@ -26,18 +26,32 @@ declare(strict_types=1);
 namespace OCA\Talk\Controller;
 
 use InvalidArgumentException;
+use OCA\Talk\Config;
+use OCA\Talk\Exceptions\UnauthorizedException;
+use OCA\Talk\Service\RecordingService;
 use OCA\Talk\Service\RoomService;
+use OCA\Talk\Service\SIPBridgeService;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\IRequest;
 
 class RecordingController extends AEnvironmentAwareController {
+	private Config $talkConfig;
+	private SIPBridgeService $SIPBridgeService;
+	private RecordingService $recordingService;
 	private RoomService $roomService;
 
+
 	public function __construct(string $appName,
 								IRequest $request,
+								Config $talkConfig,
+								SIPBridgeService $SIPBridgeService,
+								RecordingService $recordingService,
 								RoomService $roomService) {
 		parent::__construct($appName, $request);
+		$this->talkConfig = $talkConfig;
+		$this->SIPBridgeService = $SIPBridgeService;
+		$this->recordingService = $recordingService;
 		$this->roomService = $roomService;
 	}
 
@@ -66,4 +80,34 @@ class RecordingController extends AEnvironmentAwareController {
 		}
 		return new DataResponse();
 	}
+
+	/**
+	 * @PublicPage
+	 * @RequireRoom
+	 * @BruteForceProtection(action=talkSipBridgeSecret)
+	 *
+	 * @return DataResponse
+	 */
+	public function store(string $owner): DataResponse {
+		try {
+			$random = $this->request->getHeader('TALK_SIPBRIDGE_RANDOM');
+			$checksum = $this->request->getHeader('TALK_SIPBRIDGE_CHECKSUM');
+			$secret = $this->talkConfig->getSIPSharedSecret();
+			if (!$this->SIPBridgeService->validateSIPBridgeRequest($random, $checksum, $secret, $this->room->getToken())) {
+				throw new UnauthorizedException();
+			}
+		} catch (UnauthorizedException $e) {
+			$response = new DataResponse([], Http::STATUS_UNAUTHORIZED);
+			$response->throttle();
+			return $response;
+		}
+
+		try {
+			$file = $this->request->getUploadedFile('file');
+			$this->recordingService->store($this->getRoom(), $owner, $file);
+		} catch (InvalidArgumentException $e) {
+			return new DataResponse(['error' => $e->getMessage()], Http::STATUS_BAD_REQUEST);
+		}
+		return new DataResponse();
+	}
 }

lib/Controller/RoomController.php

@@ -50,6 +50,7 @@ use OCA\Talk\Service\BreakoutRoomService;
 use OCA\Talk\Service\ParticipantService;
 use OCA\Talk\Service\RoomService;
 use OCA\Talk\Service\SessionService;
+use OCA\Talk\Service\SIPBridgeService;
 use OCA\Talk\TalkSession;
 use OCA\Talk\Webinary;
 use OCP\App\IAppManager;
@@ -94,6 +95,7 @@ class RoomController extends AEnvironmentAwareController {
 	protected MessageParser $messageParser;
 	protected ITimeFactory $timeFactory;
 	protected AvatarService $avatarService;
+	protected SIPBridgeService $SIPBridgeService;
 	protected IL10N $l10n;
 	protected IConfig $config;
 	protected Config $talkConfig;
@@ -121,6 +123,7 @@ class RoomController extends AEnvironmentAwareController {
 								MessageParser $messageParser,
 								ITimeFactory $timeFactory,
 								AvatarService $avatarService,
+								SIPBridgeService $SIPBridgeService,
 								IL10N $l10n,
 								IConfig $config,
 								Config $talkConfig,
@@ -145,6 +148,7 @@ class RoomController extends AEnvironmentAwareController {
 		$this->messageParser = $messageParser;
 		$this->timeFactory = $timeFactory;
 		$this->avatarService = $avatarService;
+		$this->SIPBridgeService = $SIPBridgeService;
 		$this->l10n = $l10n;
 		$this->config = $config;
 		$this->talkConfig = $talkConfig;
@@ -347,37 +351,15 @@ class RoomController extends AEnvironmentAwareController {
 	 * and the body of the request, calculated with the shared secret from the
 	 * configuration.
 	 *
-	 * @param string $data
+	 * @param string $token
 	 * @return bool True if the request is from the SIP bridge and valid, false if not from SIP bridge
 	 * @throws UnauthorizedException when the request tried to sign as SIP bridge but is not valid
 	 */
-	private function validateSIPBridgeRequest(string $data): bool {
+	private function validateSIPBridgeRequest(string $token): bool {
 		$random = $this->request->getHeader('TALK_SIPBRIDGE_RANDOM');
 		$checksum = $this->request->getHeader('TALK_SIPBRIDGE_CHECKSUM');
-
-		if ($random === '' && $checksum === '') {
-			return false;
-		}
-
-		if (strlen($random) < 32) {
-			throw new UnauthorizedException('Invalid random provided');
-		}
-
-		if (empty($checksum)) {
-			throw new UnauthorizedException('Invalid checksum provided');
-		}
-
 		$secret = $this->talkConfig->getSIPSharedSecret();
-		if (empty($secret)) {
-			throw new UnauthorizedException('No shared SIP secret provided');
-		}
-		$hash = hash_hmac('sha256', $random . $data, $secret);
-
-		if (hash_equals($hash, strtolower($checksum))) {
-			return true;
-		}
-
-		throw new UnauthorizedException('Invalid HMAC provided');
+		return $this->SIPBridgeService->validateSIPBridgeRequest($random, $checksum, $secret, $token);
 	}
 
 	protected function formatRoom(Room $room, ?Participant $currentParticipant, ?array $statuses = null, bool $isSIPBridgeRequest = false, bool $isListingBreakoutRooms = false): array {

lib/Service/RecordingService.php

@@ -0,0 +1,131 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2022 Vitor Mattos <vitor@php.rio>
+ *
+ * @author Vitor Mattos <vitor@php.rio>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Talk\Service;
+
+use InvalidArgumentException;
+use OC\User\NoUserException;
+use OCA\Talk\Config;
+use OCA\Talk\Exceptions\ParticipantNotFoundException;
+use OCA\Talk\Room;
+use OCP\Files\Folder;
+use OCP\Files\IMimeTypeDetector;
+use OCP\Files\IRootFolder;
+use OCP\Files\NotFoundException;
+use OCP\Files\NotPermittedException;
+
+class RecordingService {
+	public const DEFAULT_ALLOWED_RECORDING_FORMATS = [
+		'audio/ogg' => ['ogg'],
+		'video/ogg' => ['ogv'],
+		'video/x-matroska' => ['mkv'],
+	];
+	private IMimeTypeDetector $mimeTypeDetector;
+	private ParticipantService $participantService;
+	private IRootFolder $rootFolder;
+	private Config $config;
+
+	public function __construct(
+		IMimeTypeDetector $mimeTypeDetector,
+		ParticipantService $participantService,
+		IRootFolder $rootFolder,
+		Config $config
+	) {
+		$this->mimeTypeDetector = $mimeTypeDetector;
+		$this->participantService = $participantService;
+		$this->rootFolder = $rootFolder;
+		$this->config = $config;
+	}
+
+	public function store(Room $room, string $owner, array $file): void {
+		$content = $this->getContentFromFileArray($file);
+
+		$fileName = basename($file['name']);
+		$this->validateFileFormat($fileName, $content);
+
+		try {
+			$this->participantService->getParticipant($room, $owner);
+		} catch (ParticipantNotFoundException $e) {
+			throw new InvalidArgumentException('owner_participant');
+		}
+
+		try {
+			$recordingFolder = $this->getRecordingFolder($owner, $room->getToken());
+			$recordingFolder->newFile($fileName, $content);
+		} catch (NoUserException $e) {
+			throw new InvalidArgumentException('owner_invalid');
+		} catch (NotPermittedException $e) {
+			throw new InvalidArgumentException('owner_permission');
+		}
+	}
+
+	public function getContentFromFileArray(array $file): string {
+		if (
+			$file['error'] !== 0 ||
+			!is_uploaded_file($file['tmp_name'])
+		) {
+			throw new InvalidArgumentException('invalid_file');
+		}
+
+		$content = file_get_contents($file['tmp_name']);
+		unlink($file['tmp_name']);
+
+		if (!$content) {
+			throw new InvalidArgumentException('empty_file');
+		}
+		return $content;
+	}
+
+	public function validateFileFormat(string $fileName, $content): void {
+		$mimeType = $this->mimeTypeDetector->detectString($content);
+		$allowed = self::DEFAULT_ALLOWED_RECORDING_FORMATS;
+		if (!array_key_exists($mimeType, $allowed)) {
+			throw new InvalidArgumentException('file_mimetype');
+		}
+
+		$extension = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
+		if (!$extension || !in_array($extension, $allowed[$mimeType])) {
+			throw new InvalidArgumentException('file_extension');
+		}
+	}
+
+	private function getRecordingFolder(string $owner, string $token): Folder {
+		$userFolder = $this->rootFolder->getUserFolder($owner);
+		$recordingRootFolderName = $this->config->getRecordingFolder($owner);
+		try {
+			/** @var \OCP\Files\Folder */
+			$recordingRootFolder = $userFolder->get($recordingRootFolderName);
+		} catch (NotFoundException $e) {
+			/** @var \OCP\Files\Folder */
+			$recordingRootFolder = $userFolder->newFolder($recordingRootFolderName);
+		}
+		try {
+			$recordingFolder = $recordingRootFolder->get($token);
+		} catch (NotFoundException $e) {
+			$recordingFolder = $recordingRootFolder->newFolder($token);
+		}
+		return $recordingFolder;
+	}
+}

lib/Service/SIPBridgeService.php

@@ -0,0 +1,68 @@
+<?php
+/*
+ * @copyright Copyright (c) 2022 Vitor Mattos <vitor@php.rio>
+ *
+ * @author Vitor Mattos <vitor@php.rio>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace OCA\Talk\Service;
+
+use OCA\Talk\Exceptions\UnauthorizedException;
+
+class SIPBridgeService {
+	/**
+	 * Check if the current request is coming from an allowed backend.
+	 *
+	 * The SIP bridge is sending the custom header "Talk-SIPBridge-Random"
+	 * containing at least 32 bytes random data, and the header
+	 * "Talk-SIPBridge-Checksum", which is the SHA256-HMAC of the random data
+	 * and the body of the request, calculated with the shared secret from the
+	 * configuration.
+	 *
+	 * @param string $random
+	 * @param string $checksum
+	 * @param string $secret
+	 * @param string $token
+	 * @return bool True if the request is from the SIP bridge and valid, false if not from SIP bridge
+	 * @throws UnauthorizedException when the request tried to sign as SIP bridge but is not valid
+	 */
+	public function validateSIPBridgeRequest(string $random, string $checksum, string $secret, string $token): bool {
+		if ($random === '' && $checksum === '') {
+			return false;
+		}
+
+		if (strlen($random) < 32) {
+			throw new UnauthorizedException('Invalid random provided');
+		}
+
+		if (empty($checksum)) {
+			throw new UnauthorizedException('Invalid checksum provided');
+		}
+
+		if (empty($secret)) {
+			throw new UnauthorizedException('No shared SIP secret provided');
+		}
+		$hash = hash_hmac('sha256', $random . $token, $secret);
+
+		if (hash_equals($hash, strtolower($checksum))) {
+			return true;
+		}
+
+		throw new UnauthorizedException('Invalid HMAC provided');
+	}
+}

tests/integration/features/bootstrap/FeatureContext.php

@@ -3083,6 +3083,42 @@ class FeatureContext implements Context, SnippetAcceptingContext {
 		$this->assertStatusCode($this->response, $statusCode);
 	}
 
+	/**
+	 * @When /^user "([^"]*)" store recording file "([^"]*)" in room "([^"]*)" with (\d+)(?: \((v1)\))?$/
+	 */
+	public function userStoreRecordingFileInRoom(string $user, string $file, string $identifier, int $statusCode, string $apiVersion = 'v1'): void {
+		$this->setCurrentUser($user);
+
+		$sipBridgeSharedSecret = 'the secret';
+		$this->setAppConfig('spreed', new TableNode([['sip_bridge_shared_secret', $sipBridgeSharedSecret]]));
+		$validRandom = md5((string) rand());
+		$validChecksum = hash_hmac('sha256', $validRandom . self::$identifierToToken[$identifier], $sipBridgeSharedSecret);
+		$headers = [
+			'TALK_SIPBRIDGE_RANDOM' => $validRandom,
+			'TALK_SIPBRIDGE_CHECKSUM' => $validChecksum,
+		];
+		$options = [
+			'multipart' => [
+				[
+					'name' => 'file',
+					'contents' => $file !== 'invalid' ? fopen(__DIR__ . '/../../../..' . $file, 'r') : '',
+				],
+				[
+					'name' => 'owner',
+					'contents' => $user,
+				],
+			],
+		];
+		$this->sendRequest(
+			'POST',
+			'/apps/spreed/api/' . $apiVersion . '/recording/' . self::$identifierToToken[$identifier] . '/store',
+			null,
+			$headers,
+			$options
+		);
+		$this->assertStatusCode($this->response, $statusCode);
+	}
+
 	/**
 	 * @Then the response error matches with :error
 	 */

tests/integration/features/callapi/recording.feature

@@ -116,3 +116,10 @@ Feature: callapi/recording
     And the response error matches with "call"
     Then user "participant1" starts "audio" recording in room "room1" with 400 (v1)
     And the response error matches with "call"
+
+  Scenario: Store recording
+    Given user "participant1" creates room "room1" (v4)
+      | roomType | 2 |
+      | roomName | room1 |
+    And user "participant1" joins room "room1" with 200 (v4)
+    Then user "participant1" store recording file "/img/join_call.ogg" in room "room1" with 200 (v1)

tests/php/Service/RecordingServiceTest.php

@@ -0,0 +1,124 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2022, Vitor Mattos <vitor@php.rio>
+ *
+ * @author Vitor Mattos <vitor@php.rio>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Talk\Service;
+
+/**
+ * Overwrite is_uploaded_file in the OCA\Talk\Service namespace
+ * to allow proper unit testing of the postAvatar call.
+ */
+function is_uploaded_file($filename) {
+	return file_exists($filename);
+}
+
+namespace OCA\Talk\Tests\php\Service;
+
+use OCA\Talk\Config;
+use OCA\Talk\Service\ParticipantService;
+use OCA\Talk\Service\RecordingService;
+use OCP\Files\IMimeTypeDetector;
+use OCP\Files\IRootFolder;
+use PHPUnit\Framework\MockObject\MockObject;
+use Test\TestCase;
+
+class RecordingServiceTest extends TestCase {
+	/** @var IMimeTypeDetector */
+	private $mimeTypeDetector;
+	/** @var ParticipantService|MockObject */
+	private $participantService;
+	/** @var IRootFolder|MockObject */
+	private $rootFolder;
+	/** @var Config|MockObject */
+	private $config;
+	/** @var RecordingService */
+	protected $recordingService;
+
+	public function setUp(): void {
+		parent::setUp();
+
+		$this->mimeTypeDetector = \OC::$server->get(IMimeTypeDetector::class);
+		$this->participantService = $this->createMock(ParticipantService::class);
+		$this->rootFolder = $this->createMock(IRootFolder::class);
+		$this->config = $this->createMock(Config::class);
+
+		$this->recordingService = new RecordingService(
+			$this->mimeTypeDetector,
+			$this->participantService,
+			$this->rootFolder,
+			$this->config
+		);
+	}
+
+	/** @dataProvider dataValidateFileFormat */
+	public function testValidateFileFormat(string $fileName, string $content, string $exceptionMessage):void {
+		if ($exceptionMessage) {
+			$this->expectExceptionMessage($exceptionMessage);
+		} else {
+			$this->expectNotToPerformAssertions();
+		}
+		$this->recordingService->validateFileFormat($fileName, $content);
+	}
+
+	public function dataValidateFileFormat(): array {
+		return [
+			# file_mimetype
+			['', '', 'file_mimetype'],
+			['', file_get_contents(__DIR__ . '/../../../img/app.svg'), 'file_mimetype'],
+			['name.ogg', file_get_contents(__DIR__ . '/../../../img/app.svg'), 'file_mimetype'],
+			# file_extension
+			['', file_get_contents(__DIR__ . '/../../../img/join_call.ogg'), 'file_extension'],
+			['name', file_get_contents(__DIR__ . '/../../../img/join_call.ogg'), 'file_extension'],
+			['name.mp3', file_get_contents(__DIR__ . '/../../../img/join_call.ogg'), 'file_extension'],
+			# Success
+			['name.ogg', file_get_contents(__DIR__ . '/../../../img/join_call.ogg'), ''],
+		];
+	}
+
+	/**
+	 * @dataProvider dataGetContentFromFileArray
+	 */
+	public function testGetContentFromFileArray(array $file, $expected, string $exceptionMessage): void {
+		if ($exceptionMessage) {
+			$this->expectExceptionMessage($exceptionMessage);
+		}
+
+		$actual = $this->recordingService->getContentFromFileArray($file);
+		$this->assertEquals($expected, $actual);
+		$this->assertFileDoesNotExist($file['tmp_name']);
+	}
+
+	public function dataGetContentFromFileArray(): array {
+		$fileWithContent = tempnam(sys_get_temp_dir(), 'txt');
+		file_put_contents($fileWithContent, 'bla');
+		return [
+			[['error' => 0, 'tmp_name' => ''], '', 'invalid_file'],
+			[['error' => 0, 'tmp_name' => 'a'], '', 'invalid_file'],
+			# Empty file
+			[['error' => 0, 'tmp_name' => tempnam(sys_get_temp_dir(), 'txt')], '', 'empty_file'],
+			# file with content
+			[['error' => 0, 'tmp_name' => $fileWithContent], 'bla', ''],
+		];
+	}
+}

tests/php/Service/SIPBridgeServiceTest.php

@@ -0,0 +1,70 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2022, Vitor Mattos <vitor@php.rio>
+ *
+ * @author Vitor Mattos <vitor@php.rio>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Talk\Tests\php\Service;
+
+use OCA\Talk\Exceptions\UnauthorizedException;
+use OCA\Talk\Service\SIPBridgeService;
+use Test\TestCase;
+
+class SIPBridgeServiceTest extends TestCase {
+	/** @var SIPBridgeService */
+	protected $SIPBridgeService;
+
+	public function setUp(): void {
+		parent::setUp();
+
+		$this->SIPBridgeService = new SIPBridgeService();
+	}
+
+	/**
+	 * @dataProvider dataValidateSIPBridgeRequest
+	 */
+	public function testValidateSIPBridgeRequest(string $random, string $checksum, string $secret, string $token, string $exceptionMessage, bool $expectedReturn): void {
+		if ($exceptionMessage) {
+			$this->expectException(UnauthorizedException::class);
+			$this->expectErrorMessage($exceptionMessage);
+		}
+		$actual = $this->SIPBridgeService->validateSIPBridgeRequest($random, $checksum, $secret, $token);
+		if (!$exceptionMessage) {
+			$this->assertEquals($expectedReturn, $actual);
+		}
+	}
+
+	public function dataValidateSIPBridgeRequest(): array {
+		$validRandom = md5((string) rand());
+		$fakeData = json_encode(['fake' => 'data']);
+		$validSecret = 'valid secret';
+		$validChecksum = hash_hmac('sha256', $validRandom . $fakeData, $validSecret);
+		return [
+			['', '', '', '', '', false],
+			['1234', '', '', '', 'Invalid random provided', false],
+			[str_repeat('1', 32), '', '', '', 'Invalid checksum provided', false],
+			[str_repeat('1', 32), 'fake', '', '', 'No shared SIP secret provided', false],
+			[str_repeat('1', 32), 'fake', 'invalid', '', 'Invalid HMAC provided', false],
+			[$validRandom, $validChecksum, $validSecret, $fakeData, '', true],
+		];
+	}
+}

tests/psalm-baseline.xml

@@ -235,6 +235,12 @@
       <code>\OC_Image</code>
     </UndefinedClass>
   </file>
+  <file src="lib/Service/RecordingService.php">
+    <UndefinedClass occurrences="2">
+      <code>Filesystem</code>
+      <code>NoUserException</code>
+    </UndefinedClass>
+  </file>
   <file src="lib/Share/Listener.php">
     <InvalidArgument occurrences="1">
       <code>[self::class, 'listenPreShare']</code>