From: Bjoern Schiessle Date: Tue, 31 Mar 2015 11:48:03 +0000 (+0200) Subject: fix set recovery key and implement change password X-Git-Tag: v8.1.0alpha1~78^2~67 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=4b4aeaa5b2e13ae4272bf8f4b44564e5b8cb046a;p=nextcloud-server.git fix set recovery key and implement change password --- diff --git a/apps/encryption/appinfo/routes.php b/apps/encryption/appinfo/routes.php index b2c00c83349..030e7617816 100644 --- a/apps/encryption/appinfo/routes.php +++ b/apps/encryption/appinfo/routes.php @@ -33,6 +33,11 @@ namespace OCA\Encryption\AppInfo; 'name' => 'Recovery#userRecovery', 'url' => '/ajax/userRecovery', 'verb' => 'POST' + ], + [ + 'name' => 'Recovery#changeRecoveryPassword', + 'url' => '/ajax/changeRecoveryPassword', + 'verb' => 'POST' ] diff --git a/apps/encryption/controller/recoverycontroller.php b/apps/encryption/controller/recoverycontroller.php index abea8993336..e7bfd374903 100644 --- a/apps/encryption/controller/recoverycontroller.php +++ b/apps/encryption/controller/recoverycontroller.php @@ -28,7 +28,7 @@ use OCP\IConfig; use OCP\IL10N; use OCP\IRequest; use OCP\JSON; -use Symfony\Component\HttpFoundation\JsonResponse; +use OCP\AppFramework\Http\DataResponse; class RecoveryController extends Controller { /** 
@@ -62,32 +62,60 @@ class RecoveryController extends Controller { // Check if both passwords are the same if (empty($recoveryPassword)) { $errorMessage = $this->l->t('Missing recovery key password'); - return new JsonResponse(['data' => ['message' => $errorMessage]], 500); + return new DataResponse(['data' => ['message' => $errorMessage]], 500); } if (empty($confirmPassword)) { $errorMessage = $this->l->t('Please repeat the recovery key password'); - return new JsonResponse(['data' => ['message' => $errorMessage]], 500); + return new DataResponse(['data' => ['message' => $errorMessage]], 500); } if ($recoveryPassword !== $confirmPassword) { $errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password'); - return new JsonResponse(['data' => ['message' => $errorMessage]], 500); + return new DataResponse(['data' => ['message' => $errorMessage]], 500); } - // Enable recoveryAdmin - $recoveryKeyId = $this->config->getAppValue('encryption', 'recoveryKeyId'); - if (isset($adminEnableRecovery) && $adminEnableRecovery === '1') { - if ($this->recovery->enableAdminRecovery($recoveryKeyId, $recoveryPassword)) { - return new JsonResponse(['data' => array('message' => $this->l->t('Recovery key successfully enabled'))]); + if ($this->recovery->enableAdminRecovery($recoveryPassword)) { + return new DataResponse(['status' =>'success', 'data' => array('message' => $this->l->t('Recovery key successfully enabled'))]); } - return new JsonResponse(['data' => array('message' => $this->l->t('Could not enable recovery key. Please check your recovery key password!'))]); + return new DataResponse(['data' => array('message' => $this->l->t('Could not enable recovery key. 
Please check your recovery key password!'))]); } elseif (isset($adminEnableRecovery) && $adminEnableRecovery === '0') { - if ($this->recovery->disableAdminRecovery($recoveryKeyId, $recoveryPassword)) { - return new JsonResponse(['data' => array('message' => $this->l->t('Recovery key successfully disabled'))]); + if ($this->recovery->disableAdminRecovery($recoveryPassword)) { + return new DataResponse(['data' => array('message' => $this->l->t('Recovery key successfully disabled'))]); } - return new JsonResponse(['data' => array('message' => $this->l->t('Could not disable recovery key. Please check your recovery key password!'))]); + return new DataResponse(['data' => array('message' => $this->l->t('Could not disable recovery key. Please check your recovery key password!'))]); + } + } + + public function changeRecoveryPassword($newPassword, $oldPassword, $confirmPassword) { + //check if both passwords are the same + if (empty($oldPassword)) { + $errorMessage = $this->l->t('Please provide the old recovery password'); + return new DataResponse(array('data' => array('message' => $errorMessage))); + } + + if (empty($newPassword)) { + $errorMessage = $this->l->t('Please provide a new recovery password'); + return new DataResponse (array('data' => array('message' => $errorMessage))); + } + + if (empty($confirmPassword)) { + $errorMessage = $this->l->t('Please repeat the new recovery password'); + return new DataResponse(array('data' => array('message' => $errorMessage))); + } + + if ($newPassword !== $confirmPassword) { + $errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password'); + return new DataResponse(array('data' => array('message' => $errorMessage))); + } + + $result = $this->recovery->changeRecoveryKeyPassword($newPassword, $oldPassword); + + if ($result) { + return new DataResponse(array('status' => 'success' ,'data' => array('message' => $this->l->t('Password successfully changed.')))); + } else { + return new 
DataResponse(array('data' => array('message' => $this->l->t('Could not change the password. Maybe the old password was not correct.')))); } } diff --git a/apps/encryption/js/settings-admin.js b/apps/encryption/js/settings-admin.js index e5d3bebb208..36765adf3e4 100644 --- a/apps/encryption/js/settings-admin.js +++ b/apps/encryption/js/settings-admin.js @@ -44,7 +44,7 @@ $(document).ready(function(){ var confirmNewPassword = $('#repeatedNewEncryptionRecoveryPassword').val(); OC.msg.startSaving('#encryptionChangeRecoveryKey .msg'); $.post( - OC.filePath( 'encryption', 'ajax', 'changeRecoveryPassword.php' ) + OC.generateUrl('/apps/encryption/ajax/changeRecoveryPassword') , { oldPassword: oldRecoveryPassword, newPassword: newRecoveryPassword, confirmPassword: confirmNewPassword } , function( data ) { OC.msg.finishedSaving('#encryptionChangeRecoveryKey .msg', data); diff --git a/apps/encryption/lib/exceptions/privatekeymissingexception.php b/apps/encryption/lib/exceptions/privatekeymissingexception.php index e06940f7ac8..ddc3d11cdbc 100644 --- a/apps/encryption/lib/exceptions/privatekeymissingexception.php +++ b/apps/encryption/lib/exceptions/privatekeymissingexception.php @@ -23,6 +23,6 @@ namespace OCA\Encryption\Exceptions; -class PrivateKeyMissingException extends GenericEncryptionException{ +class PrivateKeyMissingException extends \Exception{ } diff --git a/apps/encryption/lib/keymanager.php b/apps/encryption/lib/keymanager.php index 87b19fe35ea..67a32d75908 100644 --- a/apps/encryption/lib/keymanager.php +++ b/apps/encryption/lib/keymanager.php 
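Review bot: The failure paths in the new `changeRecoveryPassword` return a `DataResponse` with the default HTTP status and no `status` key, while the same checks in `adminRecovery` just above return 500, so a caller or a log reader cannot tell a rejected password change from a successful one by the status code. Pass an explicit error status as the sibling method does, e.g. `return new DataResponse(['data' => ['message' => $errorMessage]], 500);`, on every failure path, including the final "Could not change the password" branch. The method also has no docblock; one naming the three parameters, the return type and the fact that this is an admin action would help, since the access rules are not visible in the code. `adminRecovery` starts outside the hunk, and as shown it returns nothing when `$adminEnableRecovery` is neither '1' nor '0'.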
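Review bot: Re-parenting `PrivateKeyMissingException` onto `\Exception` takes it out of the `GenericEncryptionException` hierarchy, so any handler that catches the generic encryption exception will presumably no longer catch a missing private key. No catch site is visible in this diff, so each one should be checked before merging. A short class docblock saying why this exception sits outside the common base would record the intent.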
@@ -108,6 +108,14 @@ class KeyManager { $this->config = $config; $this->recoveryKeyId = $this->config->getAppValue('encryption', 'recoveryKeyId'); + if (empty($this->recoveryKeyId)) { + $this->recoveryKeyId = 'recoveryKey_' . substr(md5(time()), 0, 8); + $this->config->setAppValue('encryption', + 'recoveryKeyId', + $this->recoveryKeyId); + } + + $this->publicShareKeyId = $this->config->getAppValue('encryption', 'publicShareKeyId'); $this->log = $log; @@ -171,7 +179,7 @@ class KeyManager { * @return bool */ public function checkRecoveryPassword($password) { - $recoveryKey = $this->keyStorage->getSystemUserKey($this->recoveryKeyId); + $recoveryKey = $this->keyStorage->getSystemUserKey($this->recoveryKeyId . '.privateKey'); $decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $password); @@ -202,6 +210,26 @@ class KeyManager { return false; } + /** + * @param string $uid + * @param string $password + * @param array $keyPair + * @return bool + */ + public function setRecoveryKey($password, $keyPair) { + // Save Public Key + $this->keyStorage->setSystemUserKey($this->getRecoveryKeyId(). '.publicKey', $keyPair['publicKey']); + + $encryptedKey = $this->crypt->symmetricEncryptFileContent($keyPair['privateKey'], + $password); + + if ($encryptedKey) { + $this->setSystemPrivateKey($this->getRecoveryKeyId(), $encryptedKey); + return true; + } + return false; + } + /** * @param $userId * @param $key 
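Review bot: `substr(md5(time()), 0, 8)` in the constructor derives the recovery key id from the current second only, so the value is predictable and two instances initialised in the same second get the same id. The code this commit removes from `Recovery::enableAdminRecovery` took the id from the injected random generator instead. If the id only has to be a stable storage name, say so in a comment such as `// storage name only, not a secret`; otherwise generate it from the project's random source. Writing the app value from the constructor may also let two concurrent first requests each store a different id. The constructor starts and ends outside the hunk.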
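Review bot: The key name in `checkRecoveryPassword` is built with a literal `'.privateKey'` suffix, while `getSystemPrivateKey` and `setSystemPrivateKey` added later in this file build it from `$this->privateKeyId`. If that property ever differs from `privateKey`, the password check reads a different entry than the one `setRecoveryKey` wrote. Use the accessor so there is a single place that forms the name: `$recoveryKey = $this->getSystemPrivateKey($this->recoveryKeyId);`. The rest of the method is outside the hunk.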
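Review bot: `setRecoveryKey` stores the public key before it knows whether the private key could be encrypted, so a failed `symmetricEncryptFileContent` leaves a public recovery key in storage with no matching private key. The result of `setSystemUserKey` is not checked either. Encrypt first and move the `setSystemUserKey(... '.publicKey', $keyPair['publicKey'])` call inside the `if ($encryptedKey)` branch, so both keys are written together or not at all. The docblock also lists `@param string $uid`, which the method does not take.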
@@ -428,9 +456,19 @@ class KeyManager { } /** + * @param string $keyId + * @return string returns openssl key + */ + public function getSystemPrivateKey($keyId) { + return $this->keyStorage->getSystemUserKey($keyId . '.' . $this->privateKeyId); + } + + /** + * @param string $keyId + * @param string $key * @return string returns openssl key */ - public function getSystemPrivateKey() { - return $this->keyStorage->getSystemUserKey($this->privateKeyId); + public function setSystemPrivateKey($keyId, $key) { + return $this->keyStorage->setSystemUserKey($keyId . '.' . $this->privateKeyId, $key); } } diff --git a/apps/encryption/lib/recovery.php b/apps/encryption/lib/recovery.php index 376d3ef83ba..0426c3746ed 100644 --- a/apps/encryption/lib/recovery.php +++ b/apps/encryption/lib/recovery.php @@ -88,24 +88,14 @@ class Recovery { * @param $password * @return bool */ - public function enableAdminRecovery($recoveryKeyId, $password) { + public function enableAdminRecovery($password) { $appConfig = $this->config; - - if ($recoveryKeyId === null) { - $recoveryKeyId = $this->random->getLowStrengthGenerator(); - $appConfig->setAppValue('encryption', - 'recoveryKeyId', - $recoveryKeyId); - } - $keyManager = $this->keyManager; if (!$keyManager->recoveryKeyExists()) { $keyPair = $this->crypt->createKeyPair(); - return $this->keyManager->storeKeyPair($this->user->getUID(), - $password, - $keyPair); + $this->keyManager->setRecoveryKey($password, $keyPair); } if ($keyManager->checkRecoveryPassword($password)) { 
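Review bot: The docblock on `setSystemPrivateKey` was copied from the getter and still says `@return string returns openssl key`, although the method returns whatever `setSystemUserKey` returns. Replace it with the actual result type, for example `@return bool` if that is what the storage layer returns (not visible here). `getSystemPrivateKey` now requires `$keyId`, so any caller outside this diff that still uses the zero-argument form will break and should be searched for before merging.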
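Review bot: The return value of `setRecoveryKey` is dropped in `enableAdminRecovery`, so a failure to encrypt or store the new key pair is only noticed indirectly when `checkRecoveryPassword` runs afterwards. Fail early instead: `if (!$this->keyManager->setRecoveryKey($password, $keyPair)) { return false; }`. `$appConfig = $this->config;` looks unused in the visible lines now that the id generation is gone, though the rest of the method is outside the hunk.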
@@ -116,6 +106,23 @@ class Recovery { return false; } + /** + * change recovery key id + * + * @param string $newPassword + * @param string $oldPassword + */ + public function changeRecoveryKeyPassword($newPassword, $oldPassword) { + $recoveryKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId()); + $decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $oldPassword); + $encryptedRecoveryKey = $this->crypt->symmetricEncryptFileContent($decryptedRecoveryKey, $newPassword); + if ($encryptedRecoveryKey) { + $this->keyManager->setSystemPrivateKey($this->keyManager->getRecoveryKeyId(), $encryptedRecoveryKey); + return true; + } + return false; + } + /** * @param $recoveryPassword * @return bool
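Review bot: `changeRecoveryKeyPassword` never checks `$decryptedRecoveryKey` before re-encrypting it. If `decryptPrivateKey` returns a falsy value for a wrong old password (its failure behaviour is not visible here), an empty value is encrypted under the new password and overwrites the stored recovery private key, which would make existing recovery data unrecoverable. Guard it right after the decrypt with `if (!$decryptedRecoveryKey) { return false; }`, or verify the old password with `checkRecoveryPassword` first. The docblock summary says "change recovery key id" although the method changes the password, and it lacks `@return bool`.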