Made encryptAll() (file migration for unencrypted + legacy encrypted files) run only on first login for each user (status stored in DB)
Made recoveryAdmin user member of 'admin' user group automatically
Set recoveryadmin settings to only display on user settings if enabled by an admin
Updated encryption db xml schema
// Create new recoveryAdmin user
\OC_User::createUser( $recoveryAdminUid, $_POST['recoveryPassword'] );
+ // Make recovery user an administrator
+ \OC_Group::addToGroup ( $recoveryAdminUid, 'admin' );
+
$doSetup = true;
} else {
<default>0</default>
<comments>Whether encryption key recovery is enabled</comments>
</field>
+ <field>
+ <name>migrationStatus</name>
+ <type>boolean</type>
+ <notnull>true</notnull>
+ <default>0</default>
+ <comments>Whether encryption migration has been performed</comments>
+ </field>
</declaration>
</table>
</database>
\ No newline at end of file
$session = new Session( $view );\r
\r
$session->setPrivateKey( $privateKey, $params['uid'] );\r
-\r
- //FIXME: disabled because it gets called each time a user do an operation on iPhone\r
- //FIXME: we need a better place doing this and maybe only one time or by user\r
- /*$view1 = new \OC_FilesystemView( '/' . $params['uid'] );\r
- \r
- // Set legacy encryption key if it exists, to support \r
- // depreciated encryption system\r
- if ( \r
- $view1->file_exists( 'encryption.key' )\r
- && $encLegacyKey = $view1->file_get_contents( 'encryption.key' ) \r
- ) {\r
- \r
- $plainLegacyKey = Crypt::legacyDecrypt( $encLegacyKey, $params['password'] );\r
- \r
- $session->setLegacyKey( $plainLegacyKey );\r
- \r
- }\r
\r
- \OC_FileProxy::$enabled = false;\r
- \r
- $publicKey = Keymanager::getPublicKey( $view, $params['uid'] );\r
+ // Check if first-run file migration has already been performed\r
+ $migrationCompleted = $util->getMigrationStatus();\r
\r
- \OC_FileProxy::$enabled = false;*/\r
+ // If migration not yet done\r
+ if ( ! $migrationCompleted ) {\r
\r
- // Encrypt existing user files:\r
- // This serves to upgrade old versions of the encryption\r
- // app (see appinfo/spec.txt)\r
- /*if (\r
- $util->encryptAll( $publicKey, '/' . $params['uid'] . '/' . 'files', $session->getLegacyKey(), $params['password'] )\r
- ) {\r
+ $view1 = new \OC_FilesystemView( '/' . $params['uid'] );\r
+ \r
+ // Set legacy encryption key if it exists, to support \r
+ // depreciated encryption system\r
+ if ( \r
+ $view1->file_exists( 'encryption.key' )\r
+ && $encLegacyKey = $view1->file_get_contents( 'encryption.key' ) \r
+ ) {\r
\r
- \OC_Log::write( \r
- 'Encryption library', 'Encryption of existing files belonging to "' . $params['uid'] . '" started at login'\r
- , \OC_Log::INFO \r
- );\r
+ $plainLegacyKey = Crypt::legacyDecrypt( $encLegacyKey, $params['password'] );\r
+ \r
+ $session->setLegacyKey( $plainLegacyKey );\r
+ \r
+ }\r
+ \r
+ \OC_FileProxy::$enabled = false;\r
+ \r
+ $publicKey = Keymanager::getPublicKey( $view, $params['uid'] );\r
+ \r
+ \OC_FileProxy::$enabled = false;\r
+ \r
+ // Encrypt existing user files:\r
+ // This serves to upgrade old versions of the encryption\r
+ // app (see appinfo/spec.txt)\r
+ if (\r
+ $util->encryptAll( $publicKey, '/' . $params['uid'] . '/' . 'files', $session->getLegacyKey(), $params['password'] )\r
+ ) {\r
+ \r
+ \OC_Log::write( \r
+ 'Encryption library', 'Encryption of existing files belonging to "' . $params['uid'] . '" completed'\r
+ , \OC_Log::INFO \r
+ );\r
+ \r
+ }\r
+ \r
+ // Register successful migration in DB\r
+ $util->setMigrationStatus( 1 );\r
\r
- }*/\r
+ }\r
\r
return true;\r
\r
function() {
var recoveryStatus = $( this ).val();
+ var recoveryPassword = $( '#recoveryPassword' ).val();
- $.post(
- OC.filePath( 'files_encryption', 'ajax', 'adminrecovery.php' )
- , { adminEnableRecovery: recoveryStatus, recoveryPassword: 'password' }
- , function( data ) {
- alert( data );
- }
- );
+ if ( '' == recoveryPassword ) {
+
+ // FIXME: add proper OC notification
+ alert( 'You must set a recovery account password first' );
+
+ } else {
+
+ $.post(
+ OC.filePath( 'files_encryption', 'ajax', 'adminrecovery.php' )
+ , { adminEnableRecovery: recoveryStatus, recoveryPassword: recoveryPassword }
+ , function( data ) {
+ alert( data );
+ }
+ );
+
+ }
}
);
// our app.php is being executed 18 times per page load
// , causing 18 new keypairs and huge performance hit.
- $keypair = Crypt::createKeypair();
-
- \OC_FileProxy::$enabled = false;
-
- // Save public key
-
- if (!$view->is_dir('/public-keys')) {
- $view->mkdir('/public-keys');
- }
-
- $this->view->file_put_contents( '/public-keys/owncloud.public.key', $keypair['publicKey'] );
-
- // Encrypt private key empthy passphrase
- $encryptedPrivateKey = Crypt::symmetricEncryptFileContent( $keypair['privateKey'], '' );
-
- // Save private key
- $this->view->file_put_contents( '/owncloud_private_key/owncloud.private.key', $encryptedPrivateKey );
+// $keypair = Crypt::createKeypair();
+//
+// \OC_FileProxy::$enabled = false;
+//
+// // Save public key
+//
+// if (!$view->is_dir('/public-keys')) {
+// $view->mkdir('/public-keys');
+// }
+//
+// $this->view->file_put_contents( '/public-keys/owncloud.public.key', $keypair['publicKey'] );
+//
+// // Encrypt private key empthy passphrase
+// $encryptedPrivateKey = Crypt::symmetricEncryptFileContent( $keypair['privateKey'], '' );
+//
+// // Save private key
+// $this->view->file_put_contents( '/owncloud_private_key/owncloud.private.key', $encryptedPrivateKey );
\OC_FileProxy::$enabled = true;
// Make sure users are capable of sharing
$filteredUids = $this->filterShareReadyUsers( $users );
-// trigger_error( print_r($filteredUids, 1) );
-
if ( ! empty( $filteredUids['unready'] ) ) {
// Notify user of unready userDir
public function getSharingUsersArray( $sharingEnabled, $filePath, $currentUserId = false ) {
// Check if key recovery is enabled
- $recoveryEnabled = $this->recoveryEnabledForUser();
+ if (
+ \OC_Appconfig::getValue( 'files_encryption', 'recoveryAdminEnabled' )
+ && $this->recoveryEnabledForUser()
+ ) {
+
+ $recoveryEnabled = true;
+
+ } else {
+
+ $recoveryEnabled = false;
+
+ }
// Make sure that a share key is generated for the owner too
- list($owner, $ownerPath) = $this->getUidAndFilename($filePath);
+ list( $owner, $ownerPath ) = $this->getUidAndFilename( $filePath );
if ( $sharingEnabled ) {
// If recovery is enabled, add the
// Admin UID to list of users to share to
if ( $recoveryEnabled ) {
-
- // FIXME: Create a separate admin user purely for recovery, and create method in util for fetching this id from DB?
- $adminUid = 'recoveryAdmin';
-
- $userIds[] = $adminUid;
+
+ // Find recoveryAdmin user ID
+ $recoveryAdminUid = \OC_Appconfig::getValue( 'files_encryption', 'recoveryAdminUid' );
+
+ // Add recoveryAdmin to list of users sharing
+ $userIds[] = $recoveryAdminUid;
}
- // add current user if given
- if($currentUserId != false) {
- $userIds[] = $currentUserId;
- }
+ // add current user if given
+ if ( $currentUserId != false ) {
+
+ $userIds[] = $currentUserId;
+
+ }
// Remove duplicate UIDs
$uniqueUserIds = array_unique ( $userIds );
return $uniqueUserIds;
}
+
+ /**
+ * @brief Set file migration status for user
+ */
+ public function setMigrationStatus( $status ) {
+
+ $sql = 'UPDATE
+ *PREFIX*encryption
+ SET
+ migrationStatus = ?
+ WHERE
+ uid = ?';
+
+ $args = array( $status, $this->userId );
+
+ $query = \OCP\DB::prepare( $sql );
+
+ if ( $query->execute( $args ) ) {
+
+ return true;
+
+ } else {
+
+ return false;
+
+ }
+
+ }
+
+ /**
+ * @brief Check whether pwd recovery is enabled for a given user
+ * @return 1 = yes, 0 = no, false = no record
+ * @note If records are not being returned, check for a hidden space
+ * at the start of the uid in db
+ */
+ public function getMigrationStatus() {
+
+ $sql = 'SELECT
+ migrationStatus
+ FROM
+ `*PREFIX*encryption`
+ WHERE
+ uid = ?';
+
+ $args = array( $this->userId );
+
+ $query = \OCP\DB::prepare( $sql );
+
+ $result = $query->execute( $args );
+
+ $migrationStatus = array();
+
+ while( $row = $result->fetchRow() ) {
+
+ $migrationStatus[] = $row['migrationStatus'];
+
+ }
+
+ // If no record is found
+ if ( empty( $migrationStatus ) ) {
+
+ return false;
+
+ // If a record is found
+ } else {
+
+ return $migrationStatus[0];
+
+ }
+
+ }
/**
* @brief get uid of the owners of the file and the path to the file
$tmpl->assign( 'blacklist', $blackList );
$tmpl->assign( 'encryption_mode', \OC_Appconfig::getValue( 'files_encryption', 'mode', 'none' ) );
$tmpl->assign( 'recoveryEnabled', $recoveryAdminEnabled );
+$tmpl->assign( 'recoveryAdminUid', $recoveryAdminUid );
\OCP\Util::addscript( 'files_encryption', 'settings-admin' );
\OCP\Util::addscript( 'core', 'multiselect' );
$view = new \OC_FilesystemView( '/' );\r
$util = new \OCA\Encryption\Util( $view, $user );\r
\r
+$recoveryAdminEnabled = OC_Appconfig::getValue( 'files_encryption', 'recoveryAdminEnabled' );\r
$recoveryEnabledForUser = $util->recoveryEnabledForUser();\r
\r
\OCP\Util::addscript( 'files_encryption', 'settings-personal' );\r
\r
-$tmpl->assign( 'recoveryEnabled', $recoveryEnabledForUser );\r
+$tmpl->assign( 'recoveryEnabled', $recoveryAdminEnabled );\r
+$tmpl->assign( 'recoveryEnabledForUser', $recoveryEnabledForUser );\r
$tmpl->assign( 'blacklist', $blackList );\r
\r
return $tmpl->fetchPage();\r
</select>
</p>
<p>
- <?php p($l->t( "Enable encryption passwords recovery account (allow sharing to recovery account):" )); ?>
+ <strong>
+ <?php p($l->t( "Enable encryption passwords recovery account (allow sharing to recovery account):" )); ?>
<br />
+ </strong>
+ <?php p($l->t( "To perform a recovery log in using the 'recoveryAdmin' account and the specified password" )); ?>
+ <br />
+ <?php if ( empty( $_['recoveryAdminUid'] ) ): ?>
+ <input type="password" name="recoveryPassword" id="recoveryPassword" />
+ <label for="recoveryPassword">Recovery account password</label>
+ <br />
+ <?php endif; ?>
<input
type='radio'
name='adminEnableRecovery'
</ul>\r
<?php endif; ?>\r
\r
- <p>\r
- <?php p($l->t( "Enable password recovery by sharing all files with administrator:" )); ?>\r
- <br />\r
- <input \r
- type='radio'\r
- name='userEnableRecovery'\r
- value='1'\r
- <?php echo ( $_["recoveryEnabled"] == 1 ? 'checked="checked"' : '' ); ?> />\r
- <?php p($l->t( "Enabled" )); ?>\r
- <br />\r
- \r
- <input \r
- type='radio'\r
- name='userEnableRecovery'\r
- value='0'\r
- <?php echo ( $_["recoveryEnabled"] == 0 ? 'checked="checked"' : '' ); ?> />\r
- <?php p($l->t( "Disabled" )); ?>\r
- </p>\r
+ <?php if ( $_["recoveryEnabled"] ): ?>\r
+ <p>\r
+ <?php p($l->t( "Enable password recovery by sharing all files with administrator:" )); ?>\r
+ <br />\r
+ <input \r
+ type='radio'\r
+ name='userEnableRecovery'\r
+ value='1'\r
+ <?php echo ( $_["recoveryEnabledForUser"] == 1 ? 'checked="checked"' : '' ); ?> />\r
+ <?php p($l->t( "Enabled" )); ?>\r
+ <br />\r
+ \r
+ <input \r
+ type='radio'\r
+ name='userEnableRecovery'\r
+ value='0'\r
+ <?php echo ( $_["recoveryEnabledForUser"] == 0 ? 'checked="checked"' : '' ); ?> />\r
+ <?php p($l->t( "Disabled" )); ?>\r
+ </p>\r
+ <?php endif; ?>\r
\r
</fieldset>\r
</form>\r
projects / nextcloud-server.git / commitdiff