From 14451bdaf07f88c6ac46092c74b987a360b04547 Mon Sep 17 00:00:00 2001
From: Sam Tuke
Date: Fri, 29 Mar 2013 21:11:29 +0100
Subject: [PATCH] Development snapshot; Fixed errors from Hooks::login(); Work on enable/disable recoveryAdmin for lost passwords in settings page (template, ajax, js); Work on fixing sharing files to users (still broken);
---
apps/files_encryption/appinfo/spec.txt | 12 +++++
apps/files_encryption/hooks/hooks.php | 5 +-
apps/files_encryption/js/settings.js | 14 +++++
apps/files_encryption/lib/keymanager.php | 4 +-
apps/files_encryption/lib/proxy.php | 2 +-
apps/files_encryption/lib/stream.php | 2 +-
apps/files_encryption/lib/util.php | 56 ++++++++++++++++----
apps/files_encryption/settings.php | 6 +++
apps/files_encryption/templates/settings.php | 19 +++++++
9 files changed, 106 insertions(+), 14 deletions(-)
diff --git a/apps/files_encryption/appinfo/spec.txt b/apps/files_encryption/appinfo/spec.txt
index 7a937a91439..bb15864cbb7 100644
--- a/apps/files_encryption/appinfo/spec.txt
+++ b/apps/files_encryption/appinfo/spec.txt
@@ -35,6 +35,18 @@ that file must have their sharekeys changed also. The keyfile and catfile however need only changing in the owners files, as there is only one copy of these. +Publicly shared files (public links) +------------------------------------ + +Files shared via public links use a separate system user account called 'ownCloud'. All public files are shared to that user's public key, and the private key is used to access the files when the public link is used in browser. + +This means that files shared via public links are accessible only to users who know the shared URL, or to admins who know the 'ownCloud' user password. + +Lost password recovery +---------------------- + +In order to enable users to read their encrypted files in the event of a password loss/reset scenario, administrators can choose to enable a 'recoveryAdmin' account. This is a user that all user files will automatically be shared to of the option is enabled. This allows the recoveryAdmin user to generate new keyfiles for the user. By default the UID of the recoveryAdmin is 'recoveryAdmin'. + Notes ----- diff --git a/apps/files_encryption/hooks/hooks.php b/apps/files_encryption/hooks/hooks.php index 302671889d3..43d3dfb5a6a 100644 --- a/apps/files_encryption/hooks/hooks.php +++ b/apps/files_encryption/hooks/hooks.php @@ -40,7 +40,7 @@ class Hooks { // Manually initialise Filesystem{} singleton with correct // fake root path, in order to avoid fatal webdav errors - \OC\Files\Filesystem::init( $params['uid'] . '/' . 'files' . '/' ); + \OC\Files\Filesystem::init( $params['uid'], '/' . 'files' . '/' ); $view = new \OC_FilesystemView( '/' ); 
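Review bot: The root passed to `\OC\Files\Filesystem::init()` in the `hooks.php` hunk at `-40,7 +40,7` no longer contains the user id: the old single argument was `$params['uid'] . '/files/'`, the new second argument is only `'/files/'`. If that second parameter is the absolute root of the mounted filesystem (an assumption, the signature is not visible in this patch), file operations later in the hook would resolve against a directory shared by all users instead of the logging-in user's tree. I would expect `\OC\Files\Filesystem::init( $params['uid'], '/' . $params['uid'] . '/files' );` plus a one-line comment stating which root the hook relies on. The enclosing method starts and ends outside the hunk.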
@@ -194,7 +194,8 @@ class Hooks { $util = new Util( $view, $userId ); $path = $util->fileIdToPath( $params['itemSource'] ); - $usersSharing = \OCP\Share::getUsersSharingFile( $path, true ); + // Note: this currently doesn't include the owner due to \OC\Files\Filesystem::getOwner() + $usersSharing = $util->getUsersSharingFile( $path ); // Recursively expand path to include subfiles $allPaths = $util->getPaths( $path ); diff --git a/apps/files_encryption/js/settings.js b/apps/files_encryption/js/settings.js index 0be857bb73e..4f367f880db 100644 --- a/apps/files_encryption/js/settings.js +++ b/apps/files_encryption/js/settings.js @@ -6,12 +6,26 @@ $(document).ready(function(){ + // Trigger ajax on filetype blacklist change $('#encryption_blacklist').multiSelect({ oncheck:blackListChange, onuncheck:blackListChange, createText:'...' }); + // Trigger ajax on recoveryAdmin status change + $( 'input:radio[name="adminEnableRecovery"]' ).change( + function() { + $.post( + '../ajax/adminrecovery.php' + , $( this ).val() + , function( data ) { + // TODO: provide user with feedback of outcome + } + ); + } + ); + function blackListChange(){ var blackList=$('#encryption_blacklist').val().join(','); OC.AppConfig.setValue('files_encryption','type_blacklist',blackList); diff --git a/apps/files_encryption/lib/keymanager.php b/apps/files_encryption/lib/keymanager.php index 99516949afa..9bb062d0fdb 100755 --- a/apps/files_encryption/lib/keymanager.php +++ b/apps/files_encryption/lib/keymanager.php @@ -391,8 +391,10 @@ class Keymanager { $result = true; } - if ( !result ) { + if ( ! $result ) { + \OC_Log::write( 'Encryption library', 'Could not delete shareKey; does not exist: "' . $shareKeyPath, \OC_Log::ERROR ); + } \OC_FileProxy::$enabled = false; diff --git a/apps/files_encryption/lib/proxy.php b/apps/files_encryption/lib/proxy.php index a1eb76666d6..d5aa0f74f11 100644 --- a/apps/files_encryption/lib/proxy.php +++ b/apps/files_encryption/lib/proxy.php 
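Review bot: The recovery toggle in the new `change` handler of `settings.js` is posted as a bare string and its response is discarded, so the admin gets no signal when the request fails and the radio button can show a state the server never stored. According to the spec text added in this patch, this switch decides whether all user files are shared to the recoveryAdmin account, so a silent failure here is worth handling: send a named field such as `{ adminEnableRecovery: $( this ).val() }`, build the URL with `OC.filePath( 'files_encryption', 'ajax', 'adminrecovery.php' )` instead of the relative `'../ajax/adminrecovery.php'`, and revert the selection when the response is not a success. `ajax/adminrecovery.php` is not in this patch's diffstat, so the admin and request-token checks on the server side cannot be confirmed from here.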
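Review bot: The log message added in the `! $result` branch of `keymanager.php` opens a double quote before `$shareKeyPath` and never closes it, so the path runs into whatever the logger appends; `'Could not delete shareKey; does not exist: "' . $shareKeyPath . '"'` fixes that. The wording also asserts that the key does not exist, which the visible lines do not establish as the only reason `$result` can be false. The enclosing method starts and ends outside the hunk.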
@@ -140,7 +140,7 @@ class Proxy extends \OC_FileProxy { if ( \OCP\Share::isEnabled() ) { // Find out who, if anyone, is sharing the file - $shareUids = \OCP\Share::getUsersSharingFile( $filePath, true ); + $shareUids = \OCP\Share::getUsersSharingFile( $filePath, true, true, true ); $userIds = array_merge( $userIds, $shareUids ); diff --git a/apps/files_encryption/lib/stream.php b/apps/files_encryption/lib/stream.php index 86439b4864f..9d01c2ca6c5 100644 --- a/apps/files_encryption/lib/stream.php +++ b/apps/files_encryption/lib/stream.php @@ -127,7 +127,7 @@ class Stream { if ( ! is_resource( $this->handle ) ) { - \OCP\Util::writeLog( 'files_encryption', 'failed to open file "'.$this->rootView . '"', \OCP\Util::ERROR ); + \OCP\Util::writeLog( 'files_encryption', 'failed to open file "' . $this->relPath . '"', \OCP\Util::ERROR ); } else { diff --git a/apps/files_encryption/lib/util.php b/apps/files_encryption/lib/util.php index 5276dae99a1..f6386ad84d9 100644 --- a/apps/files_encryption/lib/util.php +++ b/apps/files_encryption/lib/util.php @@ -638,7 +638,7 @@ class Util { /** * @brief Filter an array of UIDs to return only ones ready for sharing * @param array $unfilteredUsers users to be checked for sharing readiness - * @return array $userIds filtered users + * @return multi-dimensional array. keys: ready, unready */ public function filterShareReadyUsers( $unfilteredUsers ) { @@ -649,6 +649,8 @@ class Util { foreach ( $unfilteredUsers as $user ) { $util = new Util( $this->view, $user ); + + $readyIds = $unreadyIds = array(); // Check that the user is encryption capable, or is the // public system user 'ownCloud' (for public shares) 
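Review bot: The call in `proxy.php` now passes three positional booleans, `getUsersSharingFile( $filePath, true, true, true )`, while the wrapper this patch adds in `Util::getUsersSharingFile()` calls the same API with two, and the share hook uses the wrapper. These lists decide whose public keys a file is encrypted to, so the write path and the share hook should not be able to compute different recipient sets. Route this call through the `Util` wrapper as well, or add a comment naming what each flag selects and why it differs here. The enclosing method continues outside the hunk.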
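Review bot: In `filterShareReadyUsers()` the line `$readyIds = $unreadyIds = array();` added at `-649,6 +649,8` sits inside the `foreach`, so both lists are reset on every iteration, and the return statement in the following hunk (`-657,22 +659,26`) still reads `'ready' => $userIds` although nothing is appended to `$userIds` any more. Unless `$userIds` is filled somewhere outside the visible lines, `'ready'` never contains the users that passed the check and `'unready'` holds at most the last user, so the caller that passes `$filteredUids['ready']` to `Keymanager::getPublicKeys()` gets no recipients. Move the initialisation above the loop and return `'ready' => $readyIds`. The docblock line `@return multi-dimensional array. keys: ready, unready` would read better as `@return array with keys 'ready' and 'unready', each a list of UIDs`.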
@@ -657,22 +659,26 @@ class Util { or $user == 'ownCloud' ) { - // Construct array of just UIDs for Keymanager{} - $userIds[] = $user; + // Construct array of ready UIDs for Keymanager{} + $readyIds[] = $user; } else { - + + // Construct array of unready UIDs for Keymanager{} + $unreadyIds[] = $user; + // Log warning; we can't do necessary setup here // because we don't have the user passphrase - // TODO: Provide user feedback indicating that - // sharing failed \OC_Log::write( 'Encryption library', '"'.$user.'" is not setup for encryption', \OC_Log::WARN ); } } - return $userIds; + return array ( + 'ready' => $userIds + , 'unready' => $unreadyIds + ); } @@ -778,8 +784,18 @@ class Util { // Make sure users are capable of sharing $filteredUids = $this->filterShareReadyUsers( $users ); +// trigger_error( print_r($filteredUids, 1) ); + + if ( ! empty( $filteredUids['unready'] ) ) { + + // Notify user of unready userDir + // TODO: Move this out of here; it belongs somewhere else + \OCP\JSON::error(); + + } + // Get public keys for each user, ready for generating sharekeys - $userPubKeys = Keymanager::getPublicKeys( $this->view, $filteredUids ); // TODO: check this includes the owner's public key + $userPubKeys = Keymanager::getPublicKeys( $this->view, $filteredUids['ready'] ); // TODO: check this includes the owner's public key \OC_FileProxy::$enabled = false; 
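Review bot: When `$filteredUids['unready']` is non-empty, the code added at `-778,8 +784,18` calls `\OCP\JSON::error()` and then carries on to fetch public keys for the ready users, and the visible lines give the caller no indication that some recipients were skipped. A partially failed share therefore looks like a success to the calling code, and a JSON response is emitted from a library method that may also run outside an ajax request. Prefer logging the unready UIDs and returning them (or `false`) so the controller decides what to report. The commented-out `trigger_error( print_r($filteredUids, 1) )` should be removed rather than committed. The enclosing method starts and ends outside the hunk.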
@@ -814,8 +830,30 @@ class Util { return true; } + + /** + * @brief Returns the users who are sharing a file, including the file owner + * @param $path Relative path of the file, like files/file.txt + * @return $users array of UIDs + * @note This wraps the OCP\Share method, but includes the owner even if + * the file isn't registered in sharing API + */ + public function getUsersSharingFile( $path ) { + + $users = \OCP\Share::getUsersSharingFile( $path, true, true ); + + // FIXME: this is returning empty :/ + $owner = \OC\Files\Filesystem::getOwner( $path ); + +// trigger_error( var_export( $owner, 1)); + + $users[] = $owner; + + return array_unique( $users ); + + } - /** + /** * @brief get uid of the owners of the file and the path to the file * @param $filename * @return array diff --git a/apps/files_encryption/settings.php b/apps/files_encryption/settings.php index 85c616bca79..71d47f061af 100644 --- a/apps/files_encryption/settings.php +++ b/apps/files_encryption/settings.php @@ -12,8 +12,14 @@ $tmpl = new OCP\Template( 'files_encryption', 'settings' ); $blackList = explode( ',', \OCP\Config::getAppValue( 'files_encryption', 'type_blacklist', '' ) ); +// Check if an adminRecovery account is enabled for recovering files after lost pwd +$view = new OC_FilesystemView( '' ); +$util = new \OCA\Encryption\Util( $view, \OCP\USER::getUser() ); +$recoveryEnabled = $util->recoveryEnabled(); + $tmpl->assign( 'blacklist', $blackList ); $tmpl->assign( 'encryption_mode', \OC_Appconfig::getValue( 'files_encryption', 'mode', 'none' ) ); +$tmpl->assign( 'recoveryEnabled', $recoveryEnabled ); \OCP\Util::addscript( 'files_encryption', 'settings' ); \OCP\Util::addscript( 'core', 'multiselect' ); diff --git a/apps/files_encryption/templates/settings.php b/apps/files_encryption/templates/settings.php index b873d7f5aaf..6499d0c8e80 100644 --- a/apps/files_encryption/templates/settings.php +++ b/apps/files_encryption/templates/settings.php @@ -3,6 +3,7 @@
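Review bot: The new `Util::getUsersSharingFile()` appends `$owner` unconditionally even though the FIXME two lines above says `getOwner()` currently returns empty, so an empty or false entry ends up in the UID list that the share hook presumably hands on to key lookup. Guard the append, e.g. `if ( is_string( $owner ) && $owner !== '' ) { $users[] = $owner; }`, and log when the owner cannot be resolved, because a recipient list without the owner risks share keys that lock the owner out. The docblock tag `@return $users array of UIDs` should be `@return array list of UIDs`, and the commented-out `trigger_error( var_export( $owner, 1))` can be dropped.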
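Review bot: `settings.php` now calls `$util->recoveryEnabled()`, but none of the `lib/util.php` hunks in this patch adds such a method, so unless it already exists in `Util` the admin settings page will stop with a fatal error. The view is also created with an empty root, `new OC_FilesystemView( '' )`, while the other call site visible in this patch uses `'/'`; if the difference is intended, a comment saying so would help, otherwise use `'/'` here too.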

t( 'Encryption' )); ?> +
t( "Exclude the following file types from encryption:" )); ?>
@@ -16,5 +17,23 @@

+

+ t( "Enable encryption passwords recovery account (allow sharing to recovery account):" )); ?> +
+ /> + t( "Enabled" )); ?> +
+ + /> + t( "Disabled" )); ?> +

-- 2.39.5