diff options
| author | Sam Tuke <samtuke@owncloud.com> | 2013-02-09 18:39:32 +0000 |
|---|---|---|
| committer | Sam Tuke <samtuke@owncloud.com> | 2013-02-09 18:39:32 +0000 |
| commit | b3e59ca1e31f162d7ac720d8729958f438b23a02 (patch) | |
| tree | 97a87081392554086ce010d603125cba9f8ea9e3 | |
| parent | 1aba986d9f219a872c83b5f8b46f641e2699a222 (diff) | |
| download | nextcloud-server-b3e59ca1e31f162d7ac720d8729958f438b23a02.tar.gz nextcloud-server-b3e59ca1e31f162d7ac720d8729958f438b23a02.zip | |
Work on post_share hook for files_encryption
New method in OCP\Share{}:: getUsersSharingFile()
Development shapshot
| -rw-r--r-- | apps/files_encryption/hooks/hooks.php | 71 | ||||
| -rwxr-xr-x | apps/files_encryption/lib/keymanager.php | 585 | ||||
| -rw-r--r-- | apps/files_encryption/lib/proxy.php | 32 | ||||
| -rw-r--r-- | lib/public/share.php | 54 |
4 files changed, 430 insertions, 312 deletions
diff --git a/apps/files_encryption/hooks/hooks.php b/apps/files_encryption/hooks/hooks.php index 8bdeee0937b..c6d4c16115a 100644 --- a/apps/files_encryption/hooks/hooks.php +++ b/apps/files_encryption/hooks/hooks.php @@ -166,14 +166,77 @@ class Hooks { */
public static function postShared( $params ) {
- // Delete existing catfile
- Keymanager::deleteFileKey( );
+ // NOTE: $params is an array with these keys:
+ // itemSource -> int, filecache file ID
+ // shareWith -> string, uid of user being shared to
+ // fileTarget -> path of file being shared
+ // uidOwner -> owner of the original file being shared
- // Generate new catfile and env keys
- Crypt::multiKeyEncrypt( $plainContent, $publicKeys );
+ $view = new \OC_FilesystemView( '/' );
+ $userId = \OCP\User::getUser();
+ $util = new Util( $view, $userId );
+
+ $shares = \OCP\Share::getUsersSharingFile( $params['fileTarget'] );
+
+ $userIds = array();
+
+ foreach ( $shares as $share ) {
+
+ $util = new Util( $view, $share['userId'] );
+
+ // Check that the user is encryption capable
+ if ( $util->ready() ) {
+
+ // Construct array of just UIDs for Keymanager{}
+ $userIds[] = $share['userId'];
+
+ } else {
+
+ // Log warning; we can't do necessary setup here
+ // because we don't have the user passphrase
+ // TODO: Provide user feedback indicating that
+ // sharing failed
+ \OC_Log::write( 'Encryption library', 'File cannot be shared: user "'.$share['userId'].'" is not setup for encryption', \OC_Log::WARN );
+
+ }
+
+ }
+
+ trigger_error("UIDS = ".var_export($userIds, 1));
+
+ $userPubKeys = Keymanager::getPublicKeys( $view, $userIds );
+
+// trigger_error("PUB KEYS = ".var_export($userPubKeys, 1));
+
+ // TODO: Fetch path from Crypt{} getter
+ $plainContent = $view->file_get_contents( $userId . '/' . 'files'. '/' . $params['fileTarget'] );
+
+ // Generate new catfile and share keys
+ if ( ! $encrypted = Crypt::multiKeyEncrypt( $plainContent, $userPubKeys ) ) {
+
+ // If the re-encryption failed, don't risk deleting data
+ return false;
+
+ }
+
+ trigger_error("ENCRYPTED = ". var_export($encrypted, 1));
// Save env keys to user folders
+ foreach ( $encrypted['keys'] as $key ) {
+
+// Keymanager::setShareKey( $view, $params['fileTarget'], $userId, $key );
+
+ }
+ // Delete existing catfile
+ // Check if keyfile exists (it won't if file has been shared before)
+ // Do this last to ensure file is recoverable in case of error
+ if ( $util->isEncryptedPath( $params['fileTarget'] ) ) {
+
+ // NOTE: This will trigger an error if keyfile isn't found
+// Keymanager::deleteFileKey( $params['fileTarget'] );
+
+ }
}
diff --git a/apps/files_encryption/lib/keymanager.php b/apps/files_encryption/lib/keymanager.php index 0d0380db6ec..3160572ba1b 100755 --- a/apps/files_encryption/lib/keymanager.php +++ b/apps/files_encryption/lib/keymanager.php @@ -1,267 +1,244 @@ -<?php - -/** - * ownCloud - * - * @author Bjoern Schiessle - * @copyright 2012 Bjoern Schiessle <schiessle@owncloud.com> - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE - * License as published by the Free Software Foundation; either - * version 3 of the License, or any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU AFFERO GENERAL PUBLIC LICENSE for more details. - * - * You should have received a copy of the GNU Affero General Public - * License along with this library. If not, see <http://www.gnu.org/licenses/>. - * - */ - -namespace OCA\Encryption; - -/** - * @brief Class to manage storage and retrieval of encryption keys - * @note Where a method requires a view object, it's root must be '/' - */ -class Keymanager { -
- /** - * @brief retrieve the ENCRYPTED private key from a user - * - * @return string private key or false - * @note the key returned by this method must be decrypted before use - */ - public static function getPrivateKey( \OC_FilesystemView $view, $user ) { - - $path = '/' . $user . '/' . 'files_encryption' . '/' . $user.'.private.key'; - - $key = $view->file_get_contents( $path ); - - return $key; - } - - /** - * @brief retrieve public key for a specified user +<?php
+
+/**
+ * ownCloud
+ *
+ * @author Bjoern Schiessle
+ * @copyright 2012 Bjoern Schiessle <schiessle@owncloud.com>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Encryption;
+
+/**
+ * @brief Class to manage storage and retrieval of encryption keys
+ * @note Where a method requires a view object, it's root must be '/'
+ */
+class Keymanager {
+
+ /**
+ * @brief retrieve the ENCRYPTED private key from a user
+ *
+ * @return string private key or false
+ * @note the key returned by this method must be decrypted before use
+ */
+ public static function getPrivateKey( \OC_FilesystemView $view, $user ) {
+
+ $path = '/' . $user . '/' . 'files_encryption' . '/' . $user.'.private.key';
+
+ $key = $view->file_get_contents( $path );
+
+ return $key;
+ }
+
+ /**
+ * @brief retrieve public key for a specified user
* @param \OC_FilesystemView $view
* @param $userId
- * @return string public key or false - */ - public static function getPublicKey( \OC_FilesystemView $view, $userId ) { - - return $view->file_get_contents( '/public-keys/' . '/' . $userId . '.public.key' ); - - } - - /** - * @brief retrieve both keys from a user (private and public) + * @return string public key or false
+ */
+ public static function getPublicKey( \OC_FilesystemView $view, $userId ) {
+
+ return $view->file_get_contents( '/public-keys/' . '/' . $userId . '.public.key' );
+
+ }
+
+ /**
+ * @brief Retrieve a user's public and private key
* @param \OC_FilesystemView $view
* @param $userId
- * @return array keys: privateKey, publicKey - */ - public static function getUserKeys( \OC_FilesystemView $view, $userId ) { - - return array( - 'publicKey' => self::getPublicKey( $view, $userId ) - , 'privateKey' => self::getPrivateKey( $view, $userId ) - ); - - } - - /** - * @brief Retrieve public keys of all users with access to a file - * @param string $path Path to file - * @return array of public keys for the given file - * @note Checks that the sharing app is enabled should be performed - * by client code, that isn't checked here - */ - public static function getPublicKeys( \OC_FilesystemView $view, $userId, $filePath ) { - - $path = ltrim( $path, '/' ); - - $filepath = '/' . $userId . '/files/' . $filePath; - - // Check if sharing is enabled - if ( OC_App::isEnabled( 'files_sharing' ) ) { - - - - } else { - - // check if it is a file owned by the user and not shared at all - $userview = new \OC_FilesystemView( '/'.$userId.'/files/' ); - - if ( $userview->file_exists( $path ) ) { - - $users[] = $userId; - - } - - } - - $view = new \OC_FilesystemView( '/public-keys/' ); - - $keylist = array(); - - $count = 0; - - foreach ( $users as $user ) { - - $keylist['key'.++$count] = $view->file_get_contents( $user.'.public.key' ); - - } - - return $keylist; - - } - - /** - * @brief store file encryption key - * - * @param string $path relative path of the file, including filename - * @param string $key - * @return bool true/false - * @note The keyfile is not encrypted here. Client code must - * asymmetrically encrypt the keyfile before passing it to this method - */ - public static function setFileKey( \OC_FilesystemView $view, $path, $userId, $catfile ) { - - $basePath = '/' . $userId . '/files_encryption/keyfiles'; - - $targetPath = self::keySetPreparation( $view, $path, $basePath, $userId ); - - if ( $view->is_dir( $basePath . '/' . $targetPath ) ) { - - - - } else { - - // Save the keyfile in parallel directory - return $view->file_put_contents( $basePath . '/' . $targetPath . '.key', $catfile ); - - } - - } - - /** - * @brief retrieve keyfile for an encrypted file + * @return array keys: privateKey, publicKey
+ */
+ public static function getUserKeys( \OC_FilesystemView $view, $userId ) {
+
+ return array(
+ 'publicKey' => self::getPublicKey( $view, $userId )
+ , 'privateKey' => self::getPrivateKey( $view, $userId )
+ );
+
+ }
+
+ /**
+ * @brief Retrieve public keys for given users
+ * @param \OC_FilesystemView $view
+ * @param array $userIds
+ * @return array of public keys for the specified users
+ */
+ public static function getPublicKeys( \OC_FilesystemView $view, $userIds ) {
+
+ $i = 0;
+ $keys = array();
+
+ foreach ( $userIds as $userId ) {
+
+ $i++;
+ $keys[$userId] = self::getPublicKey( $view, $userId );
+
+ }
+
+ $keys['total'] = $i;
+
+ return $keys;
+
+ }
+
+ /**
+ * @brief store file encryption key
+ *
+ * @param string $path relative path of the file, including filename
+ * @param string $key
+ * @return bool true/false
+ * @note The keyfile is not encrypted here. Client code must
+ * asymmetrically encrypt the keyfile before passing it to this method
+ */
+ public static function setFileKey( \OC_FilesystemView $view, $path, $userId, $catfile ) {
+
+ $basePath = '/' . $userId . '/files_encryption/keyfiles';
+
+ $targetPath = self::keySetPreparation( $view, $path, $basePath, $userId );
+
+ if ( $view->is_dir( $basePath . '/' . $targetPath ) ) {
+
+
+
+ } else {
+
+ // Save the keyfile in parallel directory
+ return $view->file_put_contents( $basePath . '/' . $targetPath . '.key', $catfile );
+
+ }
+
+ }
+
+ /**
+ * @brief retrieve keyfile for an encrypted file
* @param \OC_FilesystemView $view
* @param $userId
* @param $filePath
* @internal param \OCA\Encryption\file $string name
* @return string file key or false
- * @note The keyfile returned is asymmetrically encrypted. Decryption - * of the keyfile must be performed by client code - */ - public static function getFileKey( \OC_FilesystemView $view, $userId, $filePath ) { - - $filePath_f = ltrim( $filePath, '/' ); - - $catfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key'; - - if ( $view->file_exists( $catfilePath ) ) { - - return $view->file_get_contents( $catfilePath ); - - } else { - - return false; - - } - - } - - /** - * @brief Delete a keyfile - * + * @note The keyfile returned is asymmetrically encrypted. Decryption
+ * of the keyfile must be performed by client code
+ */
+ public static function getFileKey( \OC_FilesystemView $view, $userId, $filePath ) {
+
+ $filePath_f = ltrim( $filePath, '/' );
+
+ $catfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key';
+
+ if ( $view->file_exists( $catfilePath ) ) {
+
+ return $view->file_get_contents( $catfilePath );
+
+ } else {
+
+ return false;
+
+ }
+
+ }
+
+ /**
+ * @brief Delete a keyfile
+ *
* @param OC_FilesystemView $view
* @param string $userId username
* @param string $path path of the file the key belongs to
* @return bool Outcome of unlink operation
* @note $path must be relative to data/user/files. e.g. mydoc.txt NOT
* /data/admin/files/mydoc.txt
- */ - public static function deleteFileKey( \OC_FilesystemView $view, $userId, $path ) { - - $trimmed = ltrim( $path, '/' ); - $keyPath = '/' . $userId . '/files_encryption/keyfiles/' . $trimmed . '.key'; - - // Unlink doesn't tell us if file was deleted (not found returns - // true), so we perform our own test - if ( $view->file_exists( $keyPath ) ) { - - return $view->unlink( $keyPath ); - - } else { - - \OC_Log::write( 'Encryption library', 'Could not delete keyfile; does not exist: "' . $keyPath, \OC_Log::ERROR ); - - return false; - - } - - } - - /** - * @brief store private key from the user - * @param string key - * @return bool - * @note Encryption of the private key must be performed by client code - * as no encryption takes place here - */ - public static function setPrivateKey( $key ) { - - $user = \OCP\User::getUser(); - - $view = new \OC_FilesystemView( '/' . $user . '/files_encryption' ); - - \OC_FileProxy::$enabled = false; - - if ( !$view->file_exists( '' ) ) $view->mkdir( '' ); - - return $view->file_put_contents( $user . '.private.key', $key ); - - \OC_FileProxy::$enabled = true; - - } - - /** - * @brief store private keys from the user - * - * @param string privatekey - * @param string publickey - * @return bool true/false - */ - public static function setUserKeys($privatekey, $publickey) { - - return ( self::setPrivateKey( $privatekey ) && self::setPublicKey( $publickey ) ); - - } - - /** - * @brief store public key of the user - * - * @param string key - * @return bool true/false - */ - public static function setPublicKey( $key ) { - - $view = new \OC_FilesystemView( '/public-keys' ); - - \OC_FileProxy::$enabled = false; - - if ( !$view->file_exists( '' ) ) $view->mkdir( '' ); - - return $view->file_put_contents( \OCP\User::getUser() . '.public.key', $key ); - - \OC_FileProxy::$enabled = true; - - } - - /** + */
+ public static function deleteFileKey( \OC_FilesystemView $view, $userId, $path ) {
+
+ $trimmed = ltrim( $path, '/' );
+ $keyPath = '/' . $userId . '/files_encryption/keyfiles/' . $trimmed . '.key';
+
+ // Unlink doesn't tell us if file was deleted (not found returns
+ // true), so we perform our own test
+ if ( $view->file_exists( $keyPath ) ) {
+
+ return $view->unlink( $keyPath );
+
+ } else {
+
+ \OC_Log::write( 'Encryption library', 'Could not delete keyfile; does not exist: "' . $keyPath, \OC_Log::ERROR );
+
+ return false;
+
+ }
+
+ }
+
+ /**
+ * @brief store private key from the user
+ * @param string key
+ * @return bool
+ * @note Encryption of the private key must be performed by client code
+ * as no encryption takes place here
+ */
+ public static function setPrivateKey( $key ) {
+
+ $user = \OCP\User::getUser();
+
+ $view = new \OC_FilesystemView( '/' . $user . '/files_encryption' );
+
+ \OC_FileProxy::$enabled = false;
+
+ if ( !$view->file_exists( '' ) ) $view->mkdir( '' );
+
+ return $view->file_put_contents( $user . '.private.key', $key );
+
+ \OC_FileProxy::$enabled = true;
+
+ }
+
+ /**
+ * @brief store private keys from the user
+ *
+ * @param string privatekey
+ * @param string publickey
+ * @return bool true/false
+ */
+ public static function setUserKeys($privatekey, $publickey) {
+
+ return ( self::setPrivateKey( $privatekey ) && self::setPublicKey( $publickey ) );
+
+ }
+
+ /**
+ * @brief store public key of the user
+ *
+ * @param string key
+ * @return bool true/false
+ */
+ public static function setPublicKey( $key ) {
+
+ $view = new \OC_FilesystemView( '/public-keys' );
+
+ \OC_FileProxy::$enabled = false;
+
+ if ( !$view->file_exists( '' ) ) $view->mkdir( '' );
+
+ return $view->file_put_contents( \OCP\User::getUser() . '.public.key', $key );
+
+ \OC_FileProxy::$enabled = true;
+
+ }
+
+ /**
* @brief store file encryption key
*
* @param string $path relative path of the file, including filename
@@ -271,70 +248,70 @@ class Keymanager { * @return bool true/false
* @note The keyfile is not encrypted here. Client code must
* asymmetrically encrypt the keyfile before passing it to this method
- */ - public static function setShareKey( \OC_FilesystemView $view, $path, $userId, $shareKey ) { - - $basePath = '/' . $userId . '/files_encryption/share-keys'; - - $shareKeyPath = self::keySetPreparation( $view, $path, $basePath, $userId ); - - return $view->file_put_contents( $basePath . '/' . $shareKeyPath . '.shareKey', $shareKey ); - + */
+ public static function setShareKey( \OC_FilesystemView $view, $path, $userId, $shareKey ) {
+
+ $basePath = '/' . $userId . '/files_encryption/share-keys';
+
+ $shareKeyPath = self::keySetPreparation( $view, $path, $basePath, $userId );
+
+ return $view->file_put_contents( $basePath . '/' . $shareKeyPath . '.shareKey', $shareKey );
+
}
/**
* @brief Make preparations to vars and filesystem for saving a keyfile
*/
public static function keySetPreparation( \OC_FilesystemView $view, $path, $basePath, $userId ) {
- - $targetPath = ltrim( $path, '/' ); - - $path_parts = pathinfo( $targetPath ); - - // If the file resides within a subdirectory, create it +
+ $targetPath = ltrim( $path, '/' );
+
+ $path_parts = pathinfo( $targetPath );
+
+ // If the file resides within a subdirectory, create it
if (
isset( $path_parts['dirname'] )
&& ! $view->file_exists( $basePath . '/' . $path_parts['dirname'] )
- ) { - - $view->mkdir( $basePath . '/' . $path_parts['dirname'] ); - - } - + ) {
+
+ $view->mkdir( $basePath . '/' . $path_parts['dirname'] );
+
+ }
+
return $targetPath;
- } - - /** - * @brief change password of private encryption key - * - * @param string $oldpasswd old password - * @param string $newpasswd new password - * @return bool true/false - */ - public static function changePasswd($oldpasswd, $newpasswd) { - - if ( \OCP\User::checkPassword(\OCP\User::getUser(), $newpasswd) ) { - return Crypt::changekeypasscode($oldpasswd, $newpasswd); - } - return false; - - } - - /** - * @brief Fetch the legacy encryption key from user files - * @param string $login used to locate the legacy key - * @param string $passphrase used to decrypt the legacy key - * @return true / false - * - * if the key is left out, the default handeler will be used - */ - public function getLegacyKey() { - - $user = \OCP\User::getUser(); - $view = new \OC_FilesystemView( '/' . $user ); - return $view->file_get_contents( 'encryption.key' ); - - } - + }
+
+ /**
+ * @brief change password of private encryption key
+ *
+ * @param string $oldpasswd old password
+ * @param string $newpasswd new password
+ * @return bool true/false
+ */
+ public static function changePasswd($oldpasswd, $newpasswd) {
+
+ if ( \OCP\User::checkPassword(\OCP\User::getUser(), $newpasswd) ) {
+ return Crypt::changekeypasscode($oldpasswd, $newpasswd);
+ }
+ return false;
+
+ }
+
+ /**
+ * @brief Fetch the legacy encryption key from user files
+ * @param string $login used to locate the legacy key
+ * @param string $passphrase used to decrypt the legacy key
+ * @return true / false
+ *
+ * if the key is left out, the default handeler will be used
+ */
+ public function getLegacyKey() {
+
+ $user = \OCP\User::getUser();
+ $view = new \OC_FilesystemView( '/' . $user );
+ return $view->file_get_contents( 'encryption.key' );
+
+ }
+
}
\ No newline at end of file diff --git a/apps/files_encryption/lib/proxy.php b/apps/files_encryption/lib/proxy.php index 7ae36e34ce1..58b9bc0725b 100644 --- a/apps/files_encryption/lib/proxy.php +++ b/apps/files_encryption/lib/proxy.php @@ -95,7 +95,8 @@ class Proxy extends \OC_FileProxy { if ( self::shouldEncrypt( $path ) ) { - if ( !is_resource( $data ) ) { //stream put contents should have been converted to fopen + // Stream put contents should have been converted to fopen + if ( !is_resource( $data ) ) { $userId = \OCP\USER::getUser(); @@ -107,10 +108,33 @@ class Proxy extends \OC_FileProxy { // Disable encryption proxy to prevent recursive calls \OC_FileProxy::$enabled = false; - // TODO: Check if file is shared, if so, use multiKeyEncrypt + $fileOwner = \OC\Files\Filesystem::getOwner( $path ); - // Encrypt plain data and fetch key - $encrypted = Crypt::keyEncryptKeyfile( $data, Keymanager::getPublicKey( $rootView, $userId ) ); + // Check if the keyfile needs to be shared + if ( + $fileOwner !== true + or $fileOwner !== $userId + ) { + + // Shared storage backend isn't loaded + + $users = \OCP\Share::getItemShared( 'file', $path, \OC_Share_backend_File::FORMAT_SHARED_STORAGE ); +// + trigger_error("SHARE USERS = ". var_export($users, 1)); +// +// $publicKeys = Keymanager::getPublicKeys( $rootView, $users); +// +// // Encrypt plain data to multiple users +// $encrypted = Crypt::multiKeyEncrypt( $data, $publicKeys ); + + } else { + + $publicKey = Keymanager::getPublicKey( $rootView, $userId ); + + // Encrypt plain data to a single user + $encrypted = Crypt::keyEncryptKeyfile( $data, $publicKey ); + + } // Replace plain content with encrypted content by reference $data = $encrypted['data']; diff --git a/lib/public/share.php b/lib/public/share.php index af2a538e252..936f85021c0 100644 --- a/lib/public/share.php +++ b/lib/public/share.php @@ -91,6 +91,60 @@ class Share { } return false; } + + /** + * @brief Find which users can access a shared item + * @param string Item type + * @param int Format (optional) Format type must be defined by the backend + * @param int Number of items to return (optional) Returns all by default + * @return Return depends on format + */ + public static function getUsersSharingFile( $path ) { + + // Fetch all shares of this file path from DB + $query = \OC_DB::prepare( + 'SELECT + share_type + , share_with + , permissions + FROM + `*PREFIX*share` + WHERE + file_target = ?' + ); + + $result = $query->execute( array( $path ) ); + + if ( \OC_DB::isError( $result ) ) { + + \OC_Log::write( 'OCP\Share', \OC_DB::getErrorMessage($result) . ', path=' . $path, \OC_Log::ERROR ); + + } + + $shares = array(); + + while( $row = $result->fetchRow() ) { + + // Set helpful array keys + $shares[] = array( + 'userId' => $row['share_with'] + , 'shareType' => $row['share_type'] + , 'permissions' => $row['permissions'] + ); + + } + + if ( ! empty( $shares ) ) { + + return $shares; + + } else { + + return false; + + } + + } /** * @brief Get the items of item type shared with the current user |