Merge pull request #9159 from nextcloud/i2h3/fix/9686104-sharing

Fix: Resolving file provider services based on security-scoped URL access

Author: i2h3

shell_integration/MacOSX/NextcloudIntegration/FileProviderUIExt/Authentication/AuthenticationViewController.swift

@@ -23,6 +23,8 @@ class AuthenticationViewController: NSViewController {
         }
     }
 
+    var serviceResolver: ServiceResolver?
+
     @IBOutlet var activityDescription: NSTextField!
     @IBOutlet var cancellationButton: NSButton!
     @IBOutlet var progressIndicator: NSProgressIndicator!
@@ -96,9 +98,15 @@ class AuthenticationViewController: NSViewController {
 
         let url = try await manager.getUserVisibleURL(for: .rootContainer)
 
-        let connection = try await serviceConnection(url: url, interruptionHandler: {
-            self.logger.error("Service connection interrupted")
-        })
+        guard let log else {
+            fatalError("Log is not available yet!")
+        }
+
+        guard let serviceResolver else {
+            fatalError("Service resolver is not available yet!")
+        }
+
+        let connection = try await serviceResolver.getService(at: url)
 
         if let error = await connection.authenticate() {
             logger.error("An error was returned from the authentication call: \(error.localizedDescription)")

shell_integration/MacOSX/NextcloudIntegration/FileProviderUIExt/DocumentActionViewController.swift

@@ -28,20 +28,26 @@ class DocumentActionViewController: FPUIActionExtensionViewController {
     ///
     var logger: FileProviderLogger!
 
+    var serviceResolver: ServiceResolver!
+
     // MARK: - Lifecycle
 
-    func setUpLogger() {
+    func setUp() {
         if log == nil {
             log = FileProviderLog(fileProviderDomainIdentifier: domain.identifier)
         }
 
         if logger == nil, let log {
             logger = FileProviderLogger(category: "DocumentActionViewController", log: log)
         }
+
+        if serviceResolver == nil, let log {
+            serviceResolver = ServiceResolver(log: log)
+        }
     }
 
     func prepare(childViewController: NSViewController) {
-        setUpLogger()
+        setUp()
         addChild(childViewController)
         view.addSubview(childViewController.view)
 
@@ -54,16 +60,16 @@ class DocumentActionViewController: FPUIActionExtensionViewController {
     }
 
     override func prepare(forAction actionIdentifier: String, itemIdentifiers: [NSFileProviderItemIdentifier]) {
-        setUpLogger()
+        setUp()
         logger?.info("Preparing action: \(actionIdentifier)")
 
         switch (actionIdentifier) {
             case "com.nextcloud.desktopclient.FileProviderUIExt.ShareAction":
-                prepare(childViewController: ShareViewController(itemIdentifiers, log: log))
+                prepare(childViewController: ShareViewController(itemIdentifiers, serviceResolver: serviceResolver, log: log))
             case "com.nextcloud.desktopclient.FileProviderUIExt.LockFileAction":
-                prepare(childViewController: LockViewController(itemIdentifiers, locking: true, log: log))
+                prepare(childViewController: LockViewController(itemIdentifiers, locking: true, serviceResolver: serviceResolver, log: log))
             case "com.nextcloud.desktopclient.FileProviderUIExt.UnlockFileAction":
-                prepare(childViewController: LockViewController(itemIdentifiers, locking: false, log: log))
+                prepare(childViewController: LockViewController(itemIdentifiers, locking: false, serviceResolver: serviceResolver, log: log))
             case "com.nextcloud.desktopclient.FileProviderUIExt.EvictAction":
                 evict(itemsWithIdentifiers: itemIdentifiers, inDomain: domain);
                 extensionContext.completeRequest();
@@ -73,12 +79,13 @@ class DocumentActionViewController: FPUIActionExtensionViewController {
     }
 
     override func prepare(forError error: Error) {
-        setUpLogger()
+        setUp()
         logger?.info("Preparing for error.", [.error: error])
 
         let storyboard = NSStoryboard(name: "Authentication", bundle: Bundle(for: type(of: self)))
         let viewController = storyboard.instantiateInitialController() as! AuthenticationViewController
         viewController.log = log
+        viewController.serviceResolver = serviceResolver
 
         prepare(childViewController: viewController)
     }

shell_integration/MacOSX/NextcloudIntegration/FileProviderUIExt/FileProviderCommunication.swift

@@ -19,6 +19,7 @@ class LockViewController: NSViewController {
     let locking: Bool
     let log: any FileProviderLogging
     let logger: FileProviderLogger
+    let serviceResolver: ServiceResolver
 
     @IBOutlet weak var fileNameIcon: NSImageView!
     @IBOutlet weak var fileNameLabel: NSTextField!
@@ -35,11 +36,13 @@ class LockViewController: NSViewController {
         return parent as? DocumentActionViewController
     }
 
-    init(_ itemIdentifiers: [NSFileProviderItemIdentifier], locking: Bool, log: any FileProviderLogging) {
+    init(_ itemIdentifiers: [NSFileProviderItemIdentifier], locking: Bool, serviceResolver: ServiceResolver, log: any FileProviderLogging) {
         self.itemIdentifiers = itemIdentifiers
         self.locking = locking
         self.log = log
         self.logger = FileProviderLogger(category: "LockViewController", log: log)
+        self.serviceResolver = serviceResolver
+
         super.init(nibName: nil, bundle: nil)
     }
 
@@ -161,9 +164,7 @@ class LockViewController: NSViewController {
         }
 
         do {
-            let connection = try await serviceConnection(url: localItemUrl, interruptionHandler: {
-                self.presentError("File provider service connection interrupted!")
-            })
+            let connection = try await serviceResolver.getService(at: localItemUrl)
 
             guard let serverPath = await connection.itemServerPath(identifier: itemIdentifier),
                   let credentials = await connection.credentials() as? Dictionary<String, String>,

shell_integration/MacOSX/NextcloudIntegration/FileProviderUIExt/Locking/LockViewController.swift

@@ -0,0 +1,90 @@
+//  SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+//  SPDX-License-Identifier: GPL-2.0-or-later
+
+import Foundation
+import NextcloudFileProviderKit
+
+///
+/// Facility to establish and handle an XPC connection to the file provider extension.
+///
+final class ServiceResolver {
+    enum ServiceResolverError: Error {
+        case failedConnection
+        case remoteProxyObjectInvalid
+        case serviceNotFound
+    }
+
+    let log: any FileProviderLogging
+    let logger: FileProviderLogger
+
+    init(log: any FileProviderLogging) {
+        self.log = log
+        self.logger = FileProviderLogger(category: "ServiceResolver", log: log)
+    }
+
+    ///
+    /// Logs the interruption of a connection.
+    ///
+    private func interruptionHandler() {
+        logger.error("Interruption handler called. Possibly, the remote file provider extension process exited or crashed.")
+    }
+
+    ///
+    /// Logs the invalidation of a connection.
+    ///
+    private func invalidationHandler() {
+        logger.error("Invalidation handler called. Possibly, the remote file provider extension process exited or crashed.")
+    }
+
+    func getService(at url: URL) async throws -> FPUIExtensionService {
+        logger.info("Getting service for item at location.", [.url: url])
+
+        var services: [NSFileProviderServiceName : NSFileProviderService] = [:]
+
+        do {
+            if url.startAccessingSecurityScopedResource() {
+                logger.debug("Started accessing security-scoped resource.", [.url: url])
+                services = try await FileManager().fileProviderServicesForItem(at: url)
+                url.stopAccessingSecurityScopedResource()
+                logger.debug("Stopped accessing security-scoped resource.", [.url: url])
+            } else {
+                logger.error("Failed to access security-scoped resource!", [.url: url])
+            }
+        } catch {
+            logger.error("Failed to get file provider services for item!", [.url: url])
+            throw error
+        }
+
+        guard let service = services[fpUiExtensionServiceName] else {
+            logger.error("Failed to find service by name in array of returned services!", [.name: fpUiExtensionServiceName])
+            throw ServiceResolverError.serviceNotFound
+        }
+
+        let connection: NSXPCConnection?
+
+        do {
+            connection = try await service.fileProviderConnection()
+        } catch {
+            logger.error("Failed to establish XPC connection!")
+            throw ServiceResolverError.failedConnection
+        }
+
+        guard let connection else {
+            throw ServiceResolverError.failedConnection
+        }
+
+        connection.remoteObjectInterface = NSXPCInterface(with: FPUIExtensionService.self)
+        connection.interruptionHandler = interruptionHandler
+        connection.invalidationHandler = invalidationHandler
+        connection.resume()
+
+        guard let proxy = connection.remoteObjectProxy as? FPUIExtensionService else {
+            logger.error("The remote object proxy does not conform to the expected protocol!")
+            throw ServiceResolverError.remoteProxyObjectInvalid
+        }
+
+        logger.info("Providing service.")
+
+        return proxy
+    }
+}