From 92f06243be62945b5ff5e7542e9984f7bb45d74b Mon Sep 17 00:00:00 2001 From: Sam Tuke Date: Mon, 11 Feb 2013 10:21:23 +0000 Subject: [PATCH] Implementing sharing support New file-specific methods in lib/public/share Changes to how keyfiles are stored --- apps/files_encryption/hooks/hooks.php | 47 +++++----- apps/files_encryption/lib/crypt.php | 41 +++++--- apps/files_encryption/lib/keymanager.php | 97 +++++++++++++++++-- apps/files_encryption/lib/proxy.php | 113 +++++++++++++---------- apps/files_encryption/test/crypt.php | 8 +- lib/public/share.php | 82 ++++++++++++++-- 6 files changed, 283 insertions(+), 105 deletions(-) diff --git a/apps/files_encryption/hooks/hooks.php b/apps/files_encryption/hooks/hooks.php index c6d4c16115a..9252a341fb7 100644 --- a/apps/files_encryption/hooks/hooks.php +++ b/apps/files_encryption/hooks/hooks.php @@ -82,8 +82,12 @@ class Hooks { } + \OC_FileProxy::$enabled = false; + $publicKey = Keymanager::getPublicKey( $view, $params['uid'] ); + \OC_FileProxy::$enabled = false; + // Encrypt existing user files: // This serves to upgrade old versions of the encryption // app (see appinfo/spec.txt) @@ -175,8 +179,9 @@ class Hooks { $view = new \OC_FilesystemView( '/' ); $userId = \OCP\User::getUser(); $util = new Util( $view, $userId ); + $session = new Session(); - $shares = \OCP\Share::getUsersSharingFile( $params['fileTarget'] ); + $shares = \OCP\Share::getUsersSharingFile( $params['fileTarget'], 1 ); $userIds = array(); @@ -202,41 +207,35 @@ class Hooks { } - trigger_error("UIDS = ".var_export($userIds, 1)); - $userPubKeys = Keymanager::getPublicKeys( $view, $userIds ); -// trigger_error("PUB KEYS = ".var_export($userPubKeys, 1)); - - // TODO: Fetch path from Crypt{} getter - $plainContent = $view->file_get_contents( $userId . '/' . 'files'. '/' . $params['fileTarget'] ); + \OC_FileProxy::$enabled = false; - // Generate new catfile and share keys - if ( ! $encrypted = Crypt::multiKeyEncrypt( $plainContent, $userPubKeys ) ) { + // get the keyfile + $encKeyfile = Keymanager::getFileKey( $view, $userId, $params['fileTarget'] ); - // If the re-encryption failed, don't risk deleting data - return false; - - } + $privateKey = $session->getPrivateKey(); - trigger_error("ENCRYPTED = ". var_export($encrypted, 1)); + // decrypt the keyfile + $plainKeyfile = Crypt::keyDecrypt( $encKeyfile, $privateKey ); - // Save env keys to user folders - foreach ( $encrypted['keys'] as $key ) { + // re-enc keyfile to sharekeys + $shareKeys = Crypt::multiKeyEncrypt( $plainKeyfile, $userPubKeys ); -// Keymanager::setShareKey( $view, $params['fileTarget'], $userId, $key ); + // save sharekeys + if ( ! Keymanager::setShareKeys( $view, $params['fileTarget'], $shareKeys['keys'] ) ) { + trigger_error( "SET Share keys failed" ); + } - // Delete existing catfile - // Check if keyfile exists (it won't if file has been shared before) + // Delete existing keyfile // Do this last to ensure file is recoverable in case of error - if ( $util->isEncryptedPath( $params['fileTarget'] ) ) { - - // NOTE: This will trigger an error if keyfile isn't found -// Keymanager::deleteFileKey( $params['fileTarget'] ); +// Keymanager::deleteFileKey( $view, $userId, $params['fileTarget'] ); - } + \OC_FileProxy::$enabled = true; + + return true; } diff --git a/apps/files_encryption/lib/crypt.php b/apps/files_encryption/lib/crypt.php index e3d23023db3..fdee03eeaf5 100755 --- a/apps/files_encryption/lib/crypt.php +++ b/apps/files_encryption/lib/crypt.php @@ -370,22 +370,41 @@ class Crypt { /** * @brief Create asymmetrically encrypted keyfile content using a generated key * @param string $plainContent content to be encrypted - * @returns array keys: key, encrypted - * @note symmetricDecryptFileContent() can be used to decrypt files created using this method - * - * This function decrypts a file + * @param array $publicKeys array keys must be the userId of corresponding user + * @returns array keys: keys (array, key = userId), encrypted + * @note symmetricDecryptFileContent() can decrypt files created using this method */ public static function multiKeyEncrypt( $plainContent, array $publicKeys ) { - + + // openssl_seal returns false without errors if $plainContent + // is empty, so trigger our own error + if ( empty( $plainContent ) ) { + + trigger_error( "Cannot mutliKeyEncrypt empty plain content" ); + throw new \Exception( 'Cannot mutliKeyEncrypt empty plain content' ); + + } + // Set empty vars to be set by openssl by reference $sealed = ''; - $envKeys = array(); + $shareKeys = array(); - if( openssl_seal( $plainContent, $sealed, $envKeys, $publicKeys ) ) { + if( openssl_seal( $plainContent, $sealed, $shareKeys, $publicKeys ) ) { + + $i = 0; + + // Ensure each shareKey is labelled with its + // corresponding userId + foreach ( $publicKeys as $userId => $publicKey ) { + + $mappedShareKeys[$userId] = $shareKeys[$i]; + $i++; + + } return array( - 'keys' => $envKeys - , 'encrypted' => $sealed + 'keys' => $mappedShareKeys + , 'data' => $sealed ); } else { @@ -404,7 +423,7 @@ class Crypt { * * This function decrypts a file */ - public static function multiKeyDecrypt( $encryptedContent, $envKey, $privateKey ) { + public static function multiKeyDecrypt( $encryptedContent, $shareKey, $privateKey ) { if ( !$encryptedContent ) { @@ -412,7 +431,7 @@ class Crypt { } - if ( openssl_open( $encryptedContent, $plainContent, $envKey, $privateKey ) ) { + if ( openssl_open( $encryptedContent, $plainContent, $shareKey, $privateKey ) ) { return $plainContent; diff --git a/apps/files_encryption/lib/keymanager.php b/apps/files_encryption/lib/keymanager.php index 3160572ba1b..5f9eea1a0bc 100755 --- a/apps/files_encryption/lib/keymanager.php +++ b/apps/files_encryption/lib/keymanager.php @@ -52,8 +52,11 @@ class Keymanager { */ public static function getPublicKey( \OC_FilesystemView $view, $userId ) { + \OC_FileProxy::$enabled = false; + return $view->file_get_contents( '/public-keys/' . '/' . $userId . '.public.key' ); + \OC_FileProxy::$enabled = true; } /** @@ -77,20 +80,16 @@ class Keymanager { * @param array $userIds * @return array of public keys for the specified users */ - public static function getPublicKeys( \OC_FilesystemView $view, $userIds ) { + public static function getPublicKeys( \OC_FilesystemView $view, array $userIds ) { - $i = 0; $keys = array(); foreach ( $userIds as $userId ) { - $i++; $keys[$userId] = self::getPublicKey( $view, $userId ); } - $keys['total'] = $i; - return $keys; } @@ -137,11 +136,11 @@ class Keymanager { $filePath_f = ltrim( $filePath, '/' ); - $catfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key'; + $keyfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key'; - if ( $view->file_exists( $catfilePath ) ) { + if ( $view->file_exists( $keyfilePath ) ) { - return $view->file_get_contents( $catfilePath ); + return $view->file_get_contents( $keyfilePath ); } else { @@ -239,7 +238,7 @@ class Keymanager { } /** - * @brief store file encryption key + * @brief store share key * * @param string $path relative path of the file, including filename * @param string $key @@ -255,7 +254,85 @@ class Keymanager { $shareKeyPath = self::keySetPreparation( $view, $path, $basePath, $userId ); - return $view->file_put_contents( $basePath . '/' . $shareKeyPath . '.shareKey', $shareKey ); + $writePath = $basePath . '/' . $shareKeyPath . '.shareKey'; + + \OC_FileProxy::$enabled = false; + + $result = $view->file_put_contents( $writePath, $shareKey ); + + if ( + is_int( $result ) + && $result > 0 + ) { + + return true; + + } else { + + return false; + + } + + } + + /** + * @brief store multiple share keys for a single file + * @return bool + */ + public static function setShareKeys( \OC_FilesystemView $view, $path, array $shareKeys ) { + + // $shareKeys must be an array with the following format: + // [userId] => [encrypted key] + + $result = true; + + foreach ( $shareKeys as $userId => $shareKey ) { + + if ( ! self::setShareKey( $view, $path, $userId, $shareKey ) ) { + + // If any of the keys are not set, flag false + $result = false; + + } + + } + + // Returns false if any of the keys weren't set + return $result; + + } + + /** + * @brief retrieve shareKey for an encrypted file + * @param \OC_FilesystemView $view + * @param $userId + * @param $filePath + * @internal param \OCA\Encryption\file $string name + * @return string file key or false + * @note The sharekey returned is encrypted. Decryption + * of the keyfile must be performed by client code + */ + public static function getShareKey( \OC_FilesystemView $view, $userId, $filePath ) { + + \OC_FileProxy::$enabled = false; + + $filePath_f = ltrim( $filePath, '/' ); + + $shareKeyPath = '/' . $userId . '/files_encryption/share-keys/' . $filePath_f . '.shareKey'; + + if ( $view->file_exists( $shareKeyPath ) ) { + + $result = $view->file_get_contents( $shareKeyPath ); + + } else { + + $result = false; + + } + + \OC_FileProxy::$enabled = true; + + return $result; } diff --git a/apps/files_encryption/lib/proxy.php b/apps/files_encryption/lib/proxy.php index 58b9bc0725b..b5e59e89b9e 100644 --- a/apps/files_encryption/lib/proxy.php +++ b/apps/files_encryption/lib/proxy.php @@ -99,58 +99,65 @@ class Proxy extends \OC_FileProxy { if ( !is_resource( $data ) ) { $userId = \OCP\USER::getUser(); - $rootView = new \OC_FilesystemView( '/' ); - + $util = new Util( $rootView, $userId ); + $filePath = $util->stripUserFilesPath( $path ); // Set the filesize for userland, before encrypting $size = strlen( $data ); // Disable encryption proxy to prevent recursive calls \OC_FileProxy::$enabled = false; - $fileOwner = \OC\Files\Filesystem::getOwner( $path ); + // Encrypt data + $encData = Crypt::symmetricEncryptFileContentKeyfile( $data ); // Check if the keyfile needs to be shared - if ( - $fileOwner !== true - or $fileOwner !== $userId - ) { + if ( \OCP\Share::isSharedFile( $filePath ) ) { + +// $fileOwner = \OC\Files\Filesystem::getOwner( $path ); + + // List everyone sharing the file + $shares = \OCP\Share::getUsersSharingFile( $filePath, 1 ); + + $userIds = array(); + + foreach ( $shares as $share ) { + + $userIds[] = $share['userId']; + + } + + $publicKeys = Keymanager::getPublicKeys( $rootView, $userIds ); + + \OC_FileProxy::$enabled = false; + + // Encrypt plain keyfile to multiple sharefiles + $multiEncrypted = Crypt::multiKeyEncrypt( $encData['key'], $publicKeys ); + + // Save sharekeys to user folders + Keymanager::setShareKeys( $rootView, $filePath, $multiEncrypted['keys'] ); + + // Set encrypted keyfile as common varname + $encKey = $multiEncrypted['encrypted']; - // Shared storage backend isn't loaded - $users = \OCP\Share::getItemShared( 'file', $path, \OC_Share_backend_File::FORMAT_SHARED_STORAGE ); -// - trigger_error("SHARE USERS = ". var_export($users, 1)); -// -// $publicKeys = Keymanager::getPublicKeys( $rootView, $users); -// -// // Encrypt plain data to multiple users -// $encrypted = Crypt::multiKeyEncrypt( $data, $publicKeys ); } else { $publicKey = Keymanager::getPublicKey( $rootView, $userId ); // Encrypt plain data to a single user - $encrypted = Crypt::keyEncryptKeyfile( $data, $publicKey ); + $encKey = Crypt::keyEncrypt( $encData['key'], $publicKey ); } - // Replace plain content with encrypted content by reference - $data = $encrypted['data']; - - $filePath = explode( '/', $path ); - - $filePath = array_slice( $filePath, 3 ); - - $filePath = '/' . implode( '/', $filePath ); - - // TODO: make keyfile dir dynamic from app config - - $view = new \OC_FilesystemView( '/' ); + // TODO: Replace userID with ownerId so keyfile is saved centrally // Save keyfile for newly encrypted file in parallel directory tree - Keymanager::setFileKey( $view, $filePath, $userId, $encrypted['key'] ); + Keymanager::setFileKey( $rootView, $filePath, $userId, $encKey ); + + // Replace plain content with encrypted content by reference + $data = $encData['encrypted']; // Update the file cache with file info \OC\Files\Filesystem::putFileInfo( $path, array( 'encrypted'=>true, 'size' => $size ), '' ); @@ -168,8 +175,6 @@ class Proxy extends \OC_FileProxy { * @param string $data Data that has been read from file */ public function postFile_get_contents( $path, $data ) { - - // TODO: Use dependency injection to add required args for view and user etc. to this method // Disable encryption proxy to prevent recursive calls \OC_FileProxy::$enabled = false; @@ -180,45 +185,55 @@ class Proxy extends \OC_FileProxy { && Crypt::isCatfile( $data ) ) { - $split = explode( '/', $path ); - - $filePath = array_slice( $split, 3 ); + $view = new \OC_FilesystemView( '/' ); + $userId = \OCP\USER::getUser(); + $session = new Session(); + $util = new Util( $view, $userId ); + $filePath = $util->stripUserFilesPath( $path ); + $privateKey = $session->getPrivateKey( $userId ); - $filePath = '/' . implode( '/', $filePath ); + // Get the encrypted keyfile + $encKeyfile = Keymanager::getFileKey( $view, $userId, $filePath ); - //$cached = \OC\Files\Filesystem::getFileInfo( $path, '' ); + // Check if key is shared or not + if ( \OCP\Share::isSharedFile( $filePath ) ) { - $view = new \OC_FilesystemView( '' ); + // If key is shared, fetch the user's shareKey + $shareKey = Keymanager::getShareKey( $view, $userId, $filePath ); + + \OC_FileProxy::$enabled = false; + + // Decrypt keyfile with shareKey + $plainKeyfile = Crypt::multiKeyDecrypt( $encKeyfile, $shareKey, $privateKey ); - $userId = \OCP\USER::getUser(); + } else { + + // If key is unshared, decrypt with user private key + $plainKeyfile = Crypt::keyDecrypt( $encKeyfile, $privateKey ); - // TODO: Check if file is shared, if so, use multiKeyDecrypt + } - $encryptedKeyfile = Keymanager::getFileKey( $view, $userId, $filePath ); + $plainData = Crypt::symmetricDecryptFileContent( $data, $plainKeyfile ); - $session = new Session(); - - $decrypted = Crypt::keyDecryptKeyfile( $data, $encryptedKeyfile, $session->getPrivateKey( $split[1] ) ); - } elseif ( Crypt::mode() == 'server' && isset( $_SESSION['legacyenckey'] ) && Crypt::isEncryptedMeta( $path ) ) { - $decrypted = Crypt::legacyDecrypt( $data, $_SESSION['legacyenckey'] ); + $plainData = Crypt::legacyDecrypt( $data, $session->getLegacyKey() ); } \OC_FileProxy::$enabled = true; - if ( ! isset( $decrypted ) ) { + if ( ! isset( $plainData ) ) { - $decrypted = $data; + $plainData = $data; } - return $decrypted; + return $plainData; } diff --git a/apps/files_encryption/test/crypt.php b/apps/files_encryption/test/crypt.php index aa87ec32821..48ad2ee0075 100755 --- a/apps/files_encryption/test/crypt.php +++ b/apps/files_encryption/test/crypt.php @@ -439,14 +439,14 @@ class Test_Crypt extends \PHPUnit_Framework_TestCase { $this->assertTrue( strlen( $pair1['privateKey'] ) > 1 ); - $crypted = Encryption\Crypt::multiKeyEncrypt( $this->dataUrl, array( $pair1['publicKey'] ) ); + $crypted = Encryption\Crypt::multiKeyEncrypt( $this->dataShort, array( $pair1['publicKey'] ) ); - $this->assertNotEquals( $this->dataUrl, $crypted['encrypted'] ); + $this->assertNotEquals( $this->dataShort, $crypted['data'] ); - $decrypt = Encryption\Crypt::multiKeyDecrypt( $crypted['encrypted'], $crypted['keys'][0], $pair1['privateKey'] ); + $decrypt = Encryption\Crypt::multiKeyDecrypt( $crypted['data'], $crypted['keys'][0], $pair1['privateKey'] ); - $this->assertEquals( $this->dataUrl, $decrypt ); + $this->assertEquals( $this->dataShort, $decrypt ); } diff --git a/lib/public/share.php b/lib/public/share.php index 936f85021c0..4170783d71e 100644 --- a/lib/public/share.php +++ b/lib/public/share.php @@ -92,20 +92,73 @@ class Share { return false; } + /** + * @brief Prepare a path to be passed to DB as file_target + * @return string Prepared path + */ + public static function prepFileTarget( $path ) { + + // Paths in DB are stored with leading slashes, so add one if necessary + if ( substr( $path, 0, 1 ) !== '/' ) { + + $path = '/' . $path; + + } + + return $path; + + } + + public static function isSharedFile( $path ) { + + $fPath = self::prepFileTarget( $path ); + + // Fetch all shares of this file path from DB + $query = \OC_DB::prepare( + 'SELECT + id + FROM + `*PREFIX*share` + WHERE + file_target = ?' + ); + + $result = $query->execute( array( $fPath ) ); + + if ( \OC_DB::isError( $result ) ) { + + \OC_Log::write( 'OCP\Share', \OC_DB::getErrorMessage( $result ) . ', path=' . $fPath, \OC_Log::ERROR ); + + } + + if ( $result->fetchRow() !== false ) { + + return true; + + } else { + + return false; + + } + + } + /** * @brief Find which users can access a shared item - * @param string Item type - * @param int Format (optional) Format type must be defined by the backend - * @param int Number of items to return (optional) Returns all by default - * @return Return depends on format + * @return bool / array + * @note $path needs to be relative to user data dir, e.g. 'file.txt' + * not '/admin/data/file.txt' */ - public static function getUsersSharingFile( $path ) { + public static function getUsersSharingFile( $path, $includeOwner = 0 ) { + + $fPath = self::prepFileTarget( $path ); // Fetch all shares of this file path from DB $query = \OC_DB::prepare( 'SELECT share_type , share_with + , uid_owner , permissions FROM `*PREFIX*share` @@ -113,11 +166,11 @@ class Share { file_target = ?' ); - $result = $query->execute( array( $path ) ); + $result = $query->execute( array( $fPath ) ); if ( \OC_DB::isError( $result ) ) { - \OC_Log::write( 'OCP\Share', \OC_DB::getErrorMessage($result) . ', path=' . $path, \OC_Log::ERROR ); + \OC_Log::write( 'OCP\Share', \OC_DB::getErrorMessage($result) . ', path=' . $fPath, \OC_Log::ERROR ); } @@ -128,6 +181,7 @@ class Share { // Set helpful array keys $shares[] = array( 'userId' => $row['share_with'] + , 'owner' => $row['uid_owner'] // we just set this so it can be used once, hugly hack :/ , 'shareType' => $row['share_type'] , 'permissions' => $row['permissions'] ); @@ -136,6 +190,20 @@ class Share { if ( ! empty( $shares ) ) { + // Include owner in list of users, if requested + if ( $includeOwner == 1 ) { + + // NOTE: The values are incorrect for shareType and + // permissions of the owner; we just include them for + // optional convenience + $shares[] = array( + 'userId' => $shares[0]['owner'] + , 'shareType' => 0 + , 'permissions' => 0 + ); + + } + return $shares; } else { -- 2.39.5