mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1008 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
73618 Commits
420 Branches
Tree: fef9fb3bc0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fef9fb3bc0'
${ noResults }
nextcloud/lib/private/Encryption/Util.php

Util.php 11KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409 
  1. <?php

  2. /**

  3.  * @copyright Copyright (c) 2016, ownCloud, Inc.

  4.  *

  5.  * @author Bjoern Schiessle <bjoern@schiessle.org>

  6.  * @author Björn Schießle <bjoern@schiessle.org>

  7.  * @author Christoph Wurst <christoph@winzerhof-wurst.at>

  8.  * @author Jan-Christoph Borchardt <hey@jancborchardt.net>

  9.  * @author Morris Jobke <hey@morrisjobke.de>

  10.  * @author Roeland Jago Douma <roeland@famdouma.nl>

  11.  * @author Thomas Müller <thomas.mueller@tmit.eu>

  12.  *

  13.  * @license AGPL-3.0

  14.  *

  15.  * This code is free software: you can redistribute it and/or modify

  16.  * it under the terms of the GNU Affero General Public License, version 3,

  17.  * as published by the Free Software Foundation.

  18.  *

  19.  * This program is distributed in the hope that it will be useful,

  20.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  21.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  22.  * GNU Affero General Public License for more details.

  23.  *

  24.  * You should have received a copy of the GNU Affero General Public License, version 3,

  25.  * along with this program. If not, see <http://www.gnu.org/licenses/>

  26.  *

  27.  */

  28. namespace OC\Encryption;

  29. 

  30. use OC\Encryption\Exceptions\EncryptionHeaderKeyExistsException;

  31. use OC\Encryption\Exceptions\EncryptionHeaderToLargeException;

  32. use OC\Encryption\Exceptions\ModuleDoesNotExistsException;

  33. use OC\Files\Filesystem;

  34. use OC\Files\View;

  35. use OCP\Encryption\IEncryptionModule;

  36. use OCP\Files\Mount\ISystemMountPoint;

  37. use OCP\IConfig;

  38. use OCP\IGroupManager;

  39. use OCP\IUser;

  40. use OCP\IUserManager;

  41. 

  42. class Util {

  43. 	public const HEADER_START = 'HBEGIN';

  44. 	public const HEADER_END = 'HEND';

  45. 	public const HEADER_PADDING_CHAR = '-';

  46. 

  47. 	public const HEADER_ENCRYPTION_MODULE_KEY = 'oc_encryption_module';

  48. 

  49. 	/**

  50. 	 * block size will always be 8192 for a PHP stream

  51. 	 * @see https://bugs.php.net/bug.php?id=21641

  52. 	 * @var integer

  53. 	 */

  54. 	protected $headerSize = 8192;

  55. 

  56. 	/**

  57. 	 * block size will always be 8192 for a PHP stream

  58. 	 * @see https://bugs.php.net/bug.php?id=21641

  59. 	 * @var integer

  60. 	 */

  61. 	protected $blockSize = 8192;

  62. 

  63. 	/** @var View */

  64. 	protected $rootView;

  65. 

  66. 	/** @var array */

  67. 	protected $ocHeaderKeys;

  68. 

  69. 	/** @var IConfig */

  70. 	protected $config;

  71. 

  72. 	/** @var array paths excluded from encryption */

  73. 	protected array $excludedPaths = [];

  74. 	protected IGroupManager $groupManager;

  75. 	protected IUserManager $userManager;

  76. 

  77. 	/**

  78. 	 *

  79. 	 * @param View $rootView

  80. 	 * @param IConfig $config

  81. 	 */

  82. 	public function __construct(

  83. 		View $rootView,

  84. 		IUserManager $userManager,

  85. 		IGroupManager $groupManager,

  86. 		IConfig $config) {

  87. 		$this->ocHeaderKeys = [

  88. 			self::HEADER_ENCRYPTION_MODULE_KEY

  89. 		];

  90. 

  91. 		$this->rootView = $rootView;

  92. 		$this->userManager = $userManager;

  93. 		$this->groupManager = $groupManager;

  94. 		$this->config = $config;

  95. 

  96. 		$this->excludedPaths[] = 'files_encryption';

  97. 		$this->excludedPaths[] = 'appdata_' . $config->getSystemValueString('instanceid');

  98. 		$this->excludedPaths[] = 'files_external';

  99. 	}

  100. 

  101. 	/**

  102. 	 * read encryption module ID from header

  103. 	 *

  104. 	 * @param array $header

  105. 	 * @return string

  106. 	 * @throws ModuleDoesNotExistsException

  107. 	 */

  108. 	public function getEncryptionModuleId(array $header = null) {

  109. 		$id = '';

  110. 		$encryptionModuleKey = self::HEADER_ENCRYPTION_MODULE_KEY;

  111. 

  112. 		if (isset($header[$encryptionModuleKey])) {

  113. 			$id = $header[$encryptionModuleKey];

  114. 		} elseif (isset($header['cipher'])) {

  115. 			if (class_exists('\OCA\Encryption\Crypto\Encryption')) {

  116. 				// fall back to default encryption if the user migrated from

  117. 				// ownCloud <= 8.0 with the old encryption

  118. 				$id = \OCA\Encryption\Crypto\Encryption::ID;

  119. 			} else {

  120. 				throw new ModuleDoesNotExistsException('Default encryption module missing');

  121. 			}

  122. 		}

  123. 

  124. 		return $id;

  125. 	}

  126. 

  127. 	/**

  128. 	 * create header for encrypted file

  129. 	 *

  130. 	 * @param array $headerData

  131. 	 * @param IEncryptionModule $encryptionModule

  132. 	 * @return string

  133. 	 * @throws EncryptionHeaderToLargeException if header has to many arguments

  134. 	 * @throws EncryptionHeaderKeyExistsException if header key is already in use

  135. 	 */

  136. 	public function createHeader(array $headerData, IEncryptionModule $encryptionModule) {

  137. 		$header = self::HEADER_START . ':' . self::HEADER_ENCRYPTION_MODULE_KEY . ':' . $encryptionModule->getId() . ':';

  138. 		foreach ($headerData as $key => $value) {

  139. 			if (in_array($key, $this->ocHeaderKeys)) {

  140. 				throw new EncryptionHeaderKeyExistsException($key);

  141. 			}

  142. 			$header .= $key . ':' . $value . ':';

  143. 		}

  144. 		$header .= self::HEADER_END;

  145. 

  146. 		if (strlen($header) > $this->getHeaderSize()) {

  147. 			throw new EncryptionHeaderToLargeException();

  148. 		}

  149. 

  150. 		$paddedHeader = str_pad($header, $this->headerSize, self::HEADER_PADDING_CHAR, STR_PAD_RIGHT);

  151. 

  152. 		return $paddedHeader;

  153. 	}

  154. 

  155. 	/**

  156. 	 * go recursively through a dir and collect all files and sub files.

  157. 	 *

  158. 	 * @param string $dir relative to the users files folder

  159. 	 * @return array with list of files relative to the users files folder

  160. 	 */

  161. 	public function getAllFiles($dir) {

  162. 		$result = [];

  163. 		$dirList = [$dir];

  164. 

  165. 		while ($dirList) {

  166. 			$dir = array_pop($dirList);

  167. 			$content = $this->rootView->getDirectoryContent($dir);

  168. 

  169. 			foreach ($content as $c) {

  170. 				if ($c->getType() === 'dir') {

  171. 					$dirList[] = $c->getPath();

  172. 				} else {

  173. 					$result[] = $c->getPath();

  174. 				}

  175. 			}

  176. 		}

  177. 

  178. 		return $result;

  179. 	}

  180. 

  181. 	/**

  182. 	 * check if it is a file uploaded by the user stored in data/user/files

  183. 	 * or a metadata file

  184. 	 *

  185. 	 * @param string $path relative to the data/ folder

  186. 	 * @return boolean

  187. 	 */

  188. 	public function isFile($path) {

  189. 		$parts = explode('/', Filesystem::normalizePath($path), 4);

  190. 		if (isset($parts[2]) && $parts[2] === 'files') {

  191. 			return true;

  192. 		}

  193. 		return false;

  194. 	}

  195. 

  196. 	/**

  197. 	 * return size of encryption header

  198. 	 *

  199. 	 * @return integer

  200. 	 */

  201. 	public function getHeaderSize() {

  202. 		return $this->headerSize;

  203. 	}

  204. 

  205. 	/**

  206. 	 * return size of block read by a PHP stream

  207. 	 *

  208. 	 * @return integer

  209. 	 */

  210. 	public function getBlockSize() {

  211. 		return $this->blockSize;

  212. 	}

  213. 

  214. 	/**

  215. 	 * get the owner and the path for the file relative to the owners files folder

  216. 	 *

  217. 	 * @param string $path

  218. 	 * @return array{0: string, 1: string}

  219. 	 * @throws \BadMethodCallException

  220. 	 */

  221. 	public function getUidAndFilename($path) {

  222. 		$parts = explode('/', $path);

  223. 		$uid = '';

  224. 		if (count($parts) > 2) {

  225. 			$uid = $parts[1];

  226. 		}

  227. 		if (!$this->userManager->userExists($uid)) {

  228. 			throw new \BadMethodCallException(

  229. 				'path needs to be relative to the system wide data folder and point to a user specific file'

  230. 			);

  231. 		}

  232. 

  233. 		$ownerPath = implode('/', array_slice($parts, 2));

  234. 

  235. 		return [$uid, Filesystem::normalizePath($ownerPath)];

  236. 	}

  237. 

  238. 	/**

  239. 	 * Remove .path extension from a file path

  240. 	 * @param string $path Path that may identify a .part file

  241. 	 * @return string File path without .part extension

  242. 	 * @note this is needed for reusing keys

  243. 	 */

  244. 	public function stripPartialFileExtension($path) {

  245. 		$extension = pathinfo($path, PATHINFO_EXTENSION);

  246. 

  247. 		if ($extension === 'part') {

  248. 			$newLength = strlen($path) - 5; // 5 = strlen(".part")

  249. 			$fPath = substr($path, 0, $newLength);

  250. 

  251. 			// if path also contains a transaction id, we remove it too

  252. 			$extension = pathinfo($fPath, PATHINFO_EXTENSION);

  253. 			if (substr($extension, 0, 12) === 'ocTransferId') { // 12 = strlen("ocTransferId")

  254. 				$newLength = strlen($fPath) - strlen($extension) - 1;

  255. 				$fPath = substr($fPath, 0, $newLength);

  256. 			}

  257. 			return $fPath;

  258. 		} else {

  259. 			return $path;

  260. 		}

  261. 	}

  262. 

  263. 	public function getUserWithAccessToMountPoint($users, $groups) {

  264. 		$result = [];

  265. 		if ($users === [] && $groups === []) {

  266. 			$users = $this->userManager->search('', null, null);

  267. 			$result = array_map(function (IUser $user) {

  268. 				return $user->getUID();

  269. 			}, $users);

  270. 		} else {

  271. 			$result = array_merge($result, $users);

  272. 

  273. 			$groupManager = $this->groupManager;

  274. 			foreach ($groups as $group) {

  275. 				$groupObject = $groupManager->get($group);

  276. 				if ($groupObject) {

  277. 					$foundUsers = $groupObject->searchUsers('', -1, 0);

  278. 					$userIds = [];

  279. 					foreach ($foundUsers as $user) {

  280. 						$userIds[] = $user->getUID();

  281. 					}

  282. 					$result = array_merge($result, $userIds);

  283. 				}

  284. 			}

  285. 		}

  286. 

  287. 		return $result;

  288. 	}

  289. 

  290. 	/**

  291. 	 * check if the file is stored on a system wide mount point

  292. 	 * @param string $path relative to /data/user with leading '/'

  293. 	 * @param string $uid

  294. 	 * @return boolean

  295. 	 */

  296. 	public function isSystemWideMountPoint(string $path, string $uid) {

  297. 		$mount = Filesystem::getMountManager()->find('/' . $uid . $path);

  298. 		return $mount instanceof ISystemMountPoint;

  299. 	}

  300. 

  301. 	/**

  302. 	 * check if it is a path which is excluded by ownCloud from encryption

  303. 	 *

  304. 	 * @param string $path

  305. 	 * @return boolean

  306. 	 */

  307. 	public function isExcluded($path) {

  308. 		$normalizedPath = Filesystem::normalizePath($path);

  309. 		$root = explode('/', $normalizedPath, 4);

  310. 		if (count($root) > 1) {

  311. 			// detect alternative key storage root

  312. 			$rootDir = $this->getKeyStorageRoot();

  313. 			if ($rootDir !== '' &&

  314. 				str_starts_with(Filesystem::normalizePath($path), Filesystem::normalizePath($rootDir))

  315. 			) {

  316. 				return true;

  317. 			}

  318. 

  319. 

  320. 			//detect system wide folders

  321. 			if (in_array($root[1], $this->excludedPaths)) {

  322. 				return true;

  323. 			}

  324. 

  325. 			// detect user specific folders

  326. 			if ($this->userManager->userExists($root[1])

  327. 				&& in_array($root[2], $this->excludedPaths)) {

  328. 				return true;

  329. 			}

  330. 		}

  331. 		return false;

  332. 	}

  333. 

  334. 	/**

  335. 	 * Check if recovery key is enabled for user

  336. 	 */

  337. 	public function recoveryEnabled(string $uid): bool {

  338. 		$enabled = $this->config->getUserValue($uid, 'encryption', 'recovery_enabled', '0');

  339. 

  340. 		return $enabled === '1';

  341. 	}

  342. 

  343. 	/**

  344. 	 * Set new key storage root

  345. 	 *

  346. 	 * @param string $root new key store root relative to the data folder

  347. 	 */

  348. 	public function setKeyStorageRoot(string $root): void {

  349. 		$this->config->setAppValue('core', 'encryption_key_storage_root', $root);

  350. 	}

  351. 

  352. 	/**

  353. 	 * Get key storage root

  354. 	 *

  355. 	 * @return string key storage root

  356. 	 */

  357. 	public function getKeyStorageRoot(): string {

  358. 		return $this->config->getAppValue('core', 'encryption_key_storage_root', '');

  359. 	}

  360. 

  361. 	/**

  362. 	 * parse raw header to array

  363. 	 *

  364. 	 * @param string $rawHeader

  365. 	 * @return array

  366. 	 */

  367. 	public function parseRawHeader(string $rawHeader) {

  368. 		$result = [];

  369. 		if (str_starts_with($rawHeader, Util::HEADER_START)) {

  370. 			$header = $rawHeader;

  371. 			$endAt = strpos($header, Util::HEADER_END);

  372. 			if ($endAt !== false) {

  373. 				$header = substr($header, 0, $endAt + strlen(Util::HEADER_END));

  374. 

  375. 				// +1 to not start with an ':' which would result in empty element at the beginning

  376. 				$exploded = explode(':', substr($header, strlen(Util::HEADER_START) + 1));

  377. 

  378. 				$element = array_shift($exploded);

  379. 				while ($element !== Util::HEADER_END && $element !== null) {

  380. 					$result[$element] = array_shift($exploded);

  381. 					$element = array_shift($exploded);

  382. 				}

  383. 			}

  384. 		}

  385. 

  386. 		return $result;

  387. 	}

  388. 

  389. 	/**

  390. 	 * get path to key folder for a given file

  391. 	 *

  392. 	 * @param string $encryptionModuleId

  393. 	 * @param string $path path to the file, relative to data/

  394. 	 * @return string

  395. 	 */

  396. 	public function getFileKeyDir(string $encryptionModuleId, string $path): string {

  397. 		[$owner, $filename] = $this->getUidAndFilename($path);

  398. 		$root = $this->getKeyStorageRoot();

  399. 

  400. 		// in case of system-wide mount points the keys are stored directly in the data directory

  401. 		if ($this->isSystemWideMountPoint($filename, $owner)) {

  402. 			$keyPath = $root . '/' . '/files_encryption/keys' . $filename . '/';

  403. 		} else {

  404. 			$keyPath = $root . '/' . $owner . '/files_encryption/keys' . $filename . '/';

  405. 		}

  406. 

  407. 		return Filesystem::normalizePath($keyPath . $encryptionModuleId . '/', false);

  408. 	}

  409. }