create new encryption keys on password reset and backup the old onetags/v12.0.0beta1
@@ -40,6 +40,13 @@ use OCA\Encryption\Session; | |||
use OCA\Encryption\Recovery; | |||
class UserHooks implements IHook { | |||
/** | |||
* list of user for which we perform a password reset | |||
* @var array | |||
*/ | |||
protected static $passwordResetUsers = []; | |||
/** | |||
* @var KeyManager | |||
*/ | |||
@@ -132,6 +139,16 @@ class UserHooks implements IHook { | |||
$this, | |||
'preSetPassphrase'); | |||
OCUtil::connectHook('\OC\Core\LostPassword\Controller\LostController', | |||
'post_passwordReset', | |||
$this, | |||
'postPasswordReset'); | |||
OCUtil::connectHook('\OC\Core\LostPassword\Controller\LostController', | |||
'pre_passwordReset', | |||
$this, | |||
'prePasswordReset'); | |||
OCUtil::connectHook('OC_User', | |||
'post_createUser', | |||
$this, | |||
@@ -202,6 +219,22 @@ class UserHooks implements IHook { | |||
} | |||
} | |||
public function prePasswordReset($params) { | |||
if (App::isEnabled('encryption')) { | |||
$user = $params['uid']; | |||
self::$passwordResetUsers[$user] = true; | |||
} | |||
} | |||
public function postPasswordReset($params) { | |||
$uid = $params['uid']; | |||
$password = $params['password']; | |||
$this->keyManager->backupUserKeys('passwordReset', $uid); | |||
$this->keyManager->deleteUserKeys($uid); | |||
$this->userSetup->setupUser($uid, $password); | |||
unset(self::$passwordResetUsers[$uid]); | |||
} | |||
/** | |||
* If the password can't be changed within ownCloud, than update the key password in advance. | |||
* | |||
@@ -209,13 +242,10 @@ class UserHooks implements IHook { | |||
* @return boolean|null | |||
*/ | |||
public function preSetPassphrase($params) { | |||
if (App::isEnabled('encryption')) { | |||
$user = $this->userManager->get($params['uid']); | |||
$user = $this->userManager->get($params['uid']); | |||
if ($user && !$user->canChangePassword()) { | |||
$this->setPassphrase($params); | |||
} | |||
if ($user && !$user->canChangePassword()) { | |||
$this->setPassphrase($params); | |||
} | |||
} | |||
@@ -227,6 +257,12 @@ class UserHooks implements IHook { | |||
*/ | |||
public function setPassphrase($params) { | |||
// if we are in the process to resetting a user password, we have nothing | |||
// to do here | |||
if (isset(self::$passwordResetUsers[$params['uid']])) { | |||
return true; | |||
} | |||
// Get existing decrypted private key | |||
$privateKey = $this->session->getPrivateKey(); | |||
$user = $this->user->getUser(); | |||
@@ -299,19 +335,6 @@ class UserHooks implements IHook { | |||
Filesystem::initMountPoints($user); | |||
} | |||
/** | |||
* after password reset we create a new key pair for the user | |||
* | |||
* @param array $params | |||
*/ | |||
public function postPasswordReset($params) { | |||
$password = $params['password']; | |||
$this->keyManager->deleteUserKeys($params['uid']); | |||
$this->userSetup->setupUser($params['uid'], $password); | |||
} | |||
/** | |||
* setup file system for user | |||
* |
@@ -560,11 +560,10 @@ class KeyManager { | |||
/** | |||
* @param string $purpose | |||
* @param bool $timestamp | |||
* @param bool $includeUserKeys | |||
* @param string $uid | |||
*/ | |||
public function backupAllKeys($purpose, $timestamp = true, $includeUserKeys = true) { | |||
// $backupDir = $this->keyStorage->; | |||
public function backupUserKeys($purpose, $uid) { | |||
$this->keyStorage->backupUserKeys(Encryption::ID, $purpose, $uid); | |||
} | |||
/** | |||
@@ -573,7 +572,6 @@ class KeyManager { | |||
* @param string $uid | |||
*/ | |||
public function deleteUserKeys($uid) { | |||
$this->backupAllKeys('password_reset'); | |||
$this->deletePublicKey($uid); | |||
$this->deletePrivateKey($uid); | |||
} |
@@ -120,6 +120,31 @@ class UserHooksTest extends TestCase { | |||
$this->assertTrue(true); | |||
} | |||
public function testPrePasswordReset() { | |||
$params = ['uid' => 'user1']; | |||
$expected = ['user1' => true]; | |||
$this->instance->prePasswordReset($params); | |||
$passwordResetUsers = $this->invokePrivate($this->instance, 'passwordResetUsers'); | |||
$this->assertSame($expected, $passwordResetUsers); | |||
} | |||
public function testPostPasswordReset() { | |||
$params = ['uid' => 'user1', 'password' => 'password']; | |||
$this->invokePrivate($this->instance, 'passwordResetUsers', [['user1' => true]]); | |||
$this->keyManagerMock->expects($this->once())->method('backupUserKeys') | |||
->with('passwordReset', 'user1'); | |||
$this->keyManagerMock->expects($this->once())->method('deleteUserKeys') | |||
->with('user1'); | |||
$this->userSetupMock->expects($this->once())->method('setupUser') | |||
->with('user1', 'password'); | |||
$this->instance->postPasswordReset($params); | |||
$passwordResetUsers = $this->invokePrivate($this->instance, 'passwordResetUsers'); | |||
$this->assertEmpty($passwordResetUsers); | |||
} | |||
/** | |||
* @dataProvider dataTestPreSetPassphrase | |||
*/ | |||
@@ -252,6 +277,15 @@ class UserHooksTest extends TestCase { | |||
$this->assertNull($this->instance->setPassphrase($this->params)); | |||
} | |||
public function testSetPassphraseResetUserMode() { | |||
$params = ['uid' => 'user1', 'password' => 'password']; | |||
$this->invokePrivate($this->instance, 'passwordResetUsers', [[$params['uid'] => true]]); | |||
$this->sessionMock->expects($this->never())->method('getPrivateKey'); | |||
$this->keyManagerMock->expects($this->never())->method('setPrivateKey'); | |||
$this->assertTrue($this->instance->setPassphrase($params)); | |||
$this->invokePrivate($this->instance, 'passwordResetUsers', [[]]); | |||
} | |||
public function testSetPasswordNoUser() { | |||
$this->sessionMock->expects($this->once()) | |||
->method('getPrivateKey') | |||
@@ -287,19 +321,6 @@ class UserHooksTest extends TestCase { | |||
$this->assertNull($userHooks->setPassphrase($this->params)); | |||
} | |||
public function testPostPasswordReset() { | |||
$this->keyManagerMock->expects($this->once()) | |||
->method('deleteUserKeys') | |||
->with('testUser'); | |||
$this->userSetupMock->expects($this->once()) | |||
->method('setupUser') | |||
->with('testUser', 'password'); | |||
$this->instance->postPasswordReset($this->params); | |||
$this->assertTrue(true); | |||
} | |||
protected function setUp() { | |||
parent::setUp(); | |||
$this->loggerMock = $this->createMock(ILogger::class); |
@@ -657,4 +657,10 @@ class KeyManagerTest extends TestCase { | |||
$this->instance->setVersion('/admin/files/myfile.txt', 5, $view); | |||
} | |||
public function testBackupUserKeys() { | |||
$this->keyStorageMock->expects($this->once())->method('backupUserKeys') | |||
->with('OC_DEFAULT_MODULE', 'test', 'user1'); | |||
$this->instance->backupUserKeys('test', 'user1'); | |||
} | |||
} |
@@ -234,6 +234,8 @@ class LostController extends Controller { | |||
$this->checkPasswordResetToken($token, $userId); | |||
$user = $this->userManager->get($userId); | |||
\OC_Hook::emit('\OC\Core\LostPassword\Controller\LostController', 'pre_passwordReset', array('uid' => $userId, 'password' => $password)); | |||
if (!$user->setPassword($password)) { | |||
throw new \Exception(); | |||
} | |||
@@ -242,11 +244,6 @@ class LostController extends Controller { | |||
$this->config->deleteUserValue($userId, 'core', 'lostpassword'); | |||
@\OC_User::unsetMagicInCookie(); | |||
} catch (PrivateKeyMissingException $e) { | |||
// in this case it is OK if we couldn't reset the users private key | |||
// They chose explicitely to continue at the password reset dialog | |||
// (see $proceed flag) | |||
return $this->success(); | |||
} catch (\Exception $e){ | |||
return $this->error($e->getMessage()); | |||
} |
@@ -4,7 +4,7 @@ OC.Lostpassword = { | |||
sendSuccessMsg : t('core', 'The link to reset your password has been sent to your email. If you do not receive it within a reasonable amount of time, check your spam/junk folders.<br>If it is not there ask your local administrator.'), | |||
encryptedMsg : t('core', "Your files are encrypted. If you haven't enabled the recovery key, there will be no way to get your data back after your password is reset.<br />If you are not sure what to do, please contact your administrator before you continue. <br />Do you really want to continue?") | |||
encryptedMsg : t('core', "Your files are encrypted. There will be no way to get your data back after your password is reset.<br />If you are not sure what to do, please contact your administrator before you continue. <br />Do you really want to continue?") | |||
+ ('<br /><input type="checkbox" id="encrypted-continue" value="Yes" />') | |||
+ '<label for="encrypted-continue">' | |||
+ t('core', 'I know what I\'m doing') |
@@ -51,6 +51,9 @@ class Storage implements IStorage { | |||
/** @var string */ | |||
private $encryption_base_dir; | |||
/** @var string */ | |||
private $backup_base_dir; | |||
/** @var array */ | |||
private $keyCache = []; | |||
@@ -64,6 +67,7 @@ class Storage implements IStorage { | |||
$this->encryption_base_dir = '/files_encryption'; | |||
$this->keys_base_dir = $this->encryption_base_dir .'/keys'; | |||
$this->backup_base_dir = $this->encryption_base_dir .'/backup'; | |||
$this->root_dir = $this->util->getKeyStorageRoot(); | |||
} | |||
@@ -286,6 +290,37 @@ class Storage implements IStorage { | |||
return false; | |||
} | |||
/** | |||
* backup keys of a given encryption module | |||
* | |||
* @param string $encryptionModuleId | |||
* @param string $purpose | |||
* @param string $uid | |||
* @return bool | |||
* @since 12.0.0 | |||
*/ | |||
public function backupUserKeys($encryptionModuleId, $purpose, $uid) { | |||
$source = $uid . $this->encryption_base_dir . '/' . $encryptionModuleId; | |||
$backupDir = $uid . $this->backup_base_dir; | |||
if (!$this->view->file_exists($backupDir)) { | |||
$this->view->mkdir($backupDir); | |||
} | |||
$backupDir = $backupDir . '/' . $purpose . '.' . $encryptionModuleId . '.' . $this->getTimestamp(); | |||
$this->view->mkdir($backupDir); | |||
return $this->view->copy($source, $backupDir); | |||
} | |||
/** | |||
* get the current timestamp | |||
* | |||
* @return int | |||
*/ | |||
protected function getTimestamp() { | |||
return time(); | |||
} | |||
/** | |||
* get system wide path and detect mount points | |||
* |
@@ -170,4 +170,14 @@ interface IStorage { | |||
*/ | |||
public function copyKeys($source, $target); | |||
/** | |||
* backup keys of a given encryption module | |||
* | |||
* @param string $encryptionModuleId | |||
* @param string $purpose | |||
* @param string $uid | |||
* @return bool | |||
* @since 12.0.0 | |||
*/ | |||
public function backupUserKeys($encryptionModuleId, $purpose, $uid); | |||
} |
@@ -591,42 +591,4 @@ class LostControllerTest extends \Test\TestCase { | |||
$this->assertSame($expectedResponse, $response); | |||
} | |||
public function testSetPasswordEncryptionProceed() { | |||
/** @var LostController | PHPUnit_Framework_MockObject_MockObject $lostController */ | |||
$lostController = $this->getMockBuilder(LostController::class) | |||
->setConstructorArgs( | |||
[ | |||
'Core', | |||
$this->request, | |||
$this->urlGenerator, | |||
$this->userManager, | |||
$this->defaults, | |||
$this->l10n, | |||
$this->config, | |||
$this->secureRandom, | |||
'lostpassword-noreply@localhost', | |||
$this->encryptionManager, | |||
$this->mailer, | |||
$this->timeFactory, | |||
$this->crypto | |||
] | |||
)->setMethods(['checkPasswordResetToken'])->getMock(); | |||
$lostController->expects($this->once())->method('checkPasswordResetToken')->willReturn(true); | |||
$user = $this->createMock(IUser::class); | |||
$user->method('setPassword')->willReturnCallback( | |||
function() { | |||
throw new PrivateKeyMissingException('user'); | |||
} | |||
); | |||
$this->userManager->method('get')->with('user')->willReturn($user); | |||
$response = $lostController->setPassword('myToken', 'user', 'newpass', true); | |||
$expectedResponse = ['status' => 'success']; | |||
$this->assertSame($expectedResponse, $response); | |||
} | |||
} |
@@ -510,4 +510,47 @@ class StorageTest extends TestCase { | |||
]; | |||
} | |||
/** | |||
* @dataProvider dataTestBackupUserKeys | |||
* @param bool $createBackupDir | |||
*/ | |||
public function testBackupUserKeys($createBackupDir) { | |||
$storage = $this->getMockBuilder('OC\Encryption\Keys\Storage') | |||
->setConstructorArgs([$this->view, $this->util]) | |||
->setMethods(['getTimestamp']) | |||
->getMock(); | |||
$storage->expects($this->any())->method('getTimestamp')->willReturn('1234567'); | |||
$this->view->expects($this->once())->method('file_exists') | |||
->with('user1/files_encryption/backup')->willReturn(!$createBackupDir); | |||
if ($createBackupDir) { | |||
$this->view->expects($this->at(1))->method('mkdir') | |||
->with('user1/files_encryption/backup'); | |||
$this->view->expects($this->at(2))->method('mkdir') | |||
->with('user1/files_encryption/backup/test.encryptionModule.1234567'); | |||
} else { | |||
$this->view->expects($this->once())->method('mkdir') | |||
->with('user1/files_encryption/backup/test.encryptionModule.1234567'); | |||
} | |||
$this->view->expects($this->once())->method('copy') | |||
->with( | |||
'user1/files_encryption/encryptionModule', | |||
'user1/files_encryption/backup/test.encryptionModule.1234567' | |||
)->willReturn(true); | |||
$this->assertTrue($storage->backupUserKeys('encryptionModule', 'test', 'user1')); | |||
} | |||
public function dataTestBackupUserKeys() { | |||
return [ | |||
[true], [false] | |||
]; | |||
} | |||
} |