aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJoas Schilling <nickvergessen@owncloud.com>2015-07-20 12:59:04 +0200
committerLukas Reschke <lukas@owncloud.com>2015-08-21 17:59:23 +0200
commit36eef2ddabd77ff6279f3bd6896ced4959f1c370 (patch)
tree82f28ac58905ed449d5678ffb505eec4d3ec7fde
parent510010e774c4019b7fc616c90085649abb7afac3 (diff)
downloadnextcloud-server-36eef2ddabd77ff6279f3bd6896ced4959f1c370.tar.gz
nextcloud-server-36eef2ddabd77ff6279f3bd6896ced4959f1c370.zip
Add a session wrapper to encrypt the data before storing it on disk
-rw-r--r--cron.php5
-rw-r--r--lib/base.php12
-rw-r--r--lib/private/server.php42
-rw-r--r--lib/private/session/cryptosessiondata.php140
-rw-r--r--lib/private/session/cryptowrapper.php81
-rw-r--r--tests/lib/server.php1
-rw-r--r--tests/lib/session/cryptosessiondatatest.php53
-rw-r--r--tests/lib/session/cryptowrappingtest.php81
8 files changed, 381 insertions, 34 deletions
diff --git a/cron.php b/cron.php
index 987c7dbca7f..ed2a20a1e1f 100644
--- a/cron.php
+++ b/cron.php
@@ -52,7 +52,10 @@ try {
\OC::$server->getSession()->close();
// initialize a dummy memory session
- \OC::$server->setSession(new \OC\Session\Memory(''));
+ $session = new \OC\Session\Memory('');
+ $cryptoWrapper = \OC::$server->getSessionCryptoWrapper();
+ $session = $cryptoWrapper->wrapSession($session);
+ \OC::$server->setSession($session);
$logger = \OC::$server->getLogger();
diff --git a/lib/base.php b/lib/base.php
index 42e1d7f8586..98305a19df2 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -463,13 +463,15 @@ class OC {
$useCustomSession = false;
$session = self::$server->getSession();
OC_Hook::emit('OC', 'initSession', array('session' => &$session, 'sessionName' => &$sessionName, 'useCustomSession' => &$useCustomSession));
- if($useCustomSession) {
- // use the session reference as the new Session
- self::$server->setSession($session);
- } else {
+ if (!$useCustomSession) {
// set the session name to the instance id - which is unique
- self::$server->setSession(new \OC\Session\Internal($sessionName));
+ $session = new \OC\Session\Internal($sessionName);
}
+
+ $cryptoWrapper = \OC::$server->getSessionCryptoWrapper();
+ $session = $cryptoWrapper->wrapSession($session);
+ self::$server->setSession($session);
+
// if session cant be started break with http 500 error
} catch (Exception $e) {
\OCP\Util::logException('base', $e);
diff --git a/lib/private/server.php b/lib/private/server.php
index 89001567219..61eb3c736bf 100644
--- a/lib/private/server.php
+++ b/lib/private/server.php
@@ -56,6 +56,7 @@ use OC\Security\Crypto;
use OC\Security\Hasher;
use OC\Security\SecureRandom;
use OC\Security\TrustedDomainHelper;
+use OC\Session\CryptoWrapper;
use OC\Tagging\TagMapper;
use OCP\IServerContainer;
use Symfony\Component\EventDispatcher\EventDispatcher;
@@ -159,7 +160,12 @@ class Server extends SimpleContainer implements IServerContainer {
});
$this->registerService('UserSession', function (Server $c) {
$manager = $c->getUserManager();
- $userSession = new \OC\User\Session($manager, new \OC\Session\Memory(''));
+
+ $session = new \OC\Session\Memory('');
+ $cryptoWrapper = $c->getSessionCryptoWrapper();
+ $session = $cryptoWrapper->wrapSession($session);
+
+ $userSession = new \OC\User\Session($manager, $session);
$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
\OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password));
});
@@ -461,6 +467,13 @@ class Server extends SimpleContainer implements IServerContainer {
$this->registerService('EventDispatcher', function() {
return new EventDispatcher();
});
+ $this->registerService('CryptoWrapper', function (Server $c) {
+ return new CryptoWrapper(
+ $c->getConfig(),
+ $c->getCrypto(),
+ $c->getSecureRandom()
+ );
+ });
}
/**
@@ -949,31 +962,4 @@ class Server extends SimpleContainer implements IServerContainer {
return $this->query('MountManager');
}
- /*
- * Get the MimeTypeDetector
- *
- * @return \OCP\Files\IMimeTypeDetector
- */
- public function getMimeTypeDetector() {
- return $this->query('MimeTypeDetector');
- }
-
- /**
- * Get the manager of all the capabilities
- *
- * @return \OC\CapabilitiesManager
- */
- public function getCapabilitiesManager() {
- return $this->query('CapabilitiesManager');
- }
-
- /**
- * Get the EventDispatcher
- *
- * @return EventDispatcherInterface
- * @since 8.2.0
- */
- public function getEventDispatcher() {
- return $this->query('EventDispatcher');
- }
}
diff --git a/lib/private/session/cryptosessiondata.php b/lib/private/session/cryptosessiondata.php
new file mode 100644
index 00000000000..9a3cd928826
--- /dev/null
+++ b/lib/private/session/cryptosessiondata.php
@@ -0,0 +1,140 @@
+<?php
+/**
+ * @author Joas Schilling <nickvergessen@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Session;
+
+
+use OCP\ISession;
+use OCP\Security\ICrypto;
+
+class CryptoSessionData implements \ArrayAccess, ISession {
+ /** @var ISession */
+ protected $session;
+
+ /** @var \OCP\Security\ICrypto */
+ protected $crypto;
+
+ /** @var string */
+ protected $passphrase;
+
+ /**
+ * @param ISession $session
+ * @param ICrypto $crypto
+ * @param string $passphrase
+ */
+ public function __construct(ISession $session, ICrypto $crypto, $passphrase) {
+ $this->crypto = $crypto;
+ $this->session = $session;
+ $this->passphrase = $passphrase;
+ }
+
+ /**
+ * Set a value in the session
+ *
+ * @param string $key
+ * @param mixed $value
+ */
+ public function set($key, $value) {
+ $encryptedValue = $this->crypto->encrypt($value, $this->passphrase);
+ $this->session->set($key, $encryptedValue);
+ }
+
+ /**
+ * Get a value from the session
+ *
+ * @param string $key
+ * @return mixed should return null if $key does not exist
+ * @throws \Exception when the data could not be decrypted
+ */
+ public function get($key) {
+ $encryptedValue = $this->session->get($key);
+ if ($encryptedValue === null) {
+ return null;
+ }
+
+ $value = $this->crypto->decrypt($encryptedValue, $this->passphrase);
+ return $value;
+ }
+
+ /**
+ * Check if a named key exists in the session
+ *
+ * @param string $key
+ * @return bool
+ */
+ public function exists($key) {
+ return $this->session->exists($key);
+ }
+
+ /**
+ * Remove a $key/$value pair from the session
+ *
+ * @param string $key
+ */
+ public function remove($key) {
+ $this->session->remove($key);
+ }
+
+ /**
+ * Reset and recreate the session
+ */
+ public function clear() {
+ $this->session->clear();
+ }
+
+ /**
+ * Close the session and release the lock
+ */
+ public function close() {
+ $this->session->close();
+ }
+
+ /**
+ * @param mixed $offset
+ * @return bool
+ */
+ public function offsetExists($offset) {
+ return $this->exists($offset);
+ }
+
+ /**
+ * @param mixed $offset
+ * @return mixed
+ */
+ public function offsetGet($offset) {
+ return $this->get($offset);
+ }
+
+ /**
+ * @param mixed $offset
+ * @param mixed $value
+ */
+ public function offsetSet($offset, $value) {
+ $this->set($offset, $value);
+ }
+
+ /**
+ * @param mixed $offset
+ */
+ public function offsetUnset($offset) {
+ $this->remove($offset);
+ }
+}
diff --git a/lib/private/session/cryptowrapper.php b/lib/private/session/cryptowrapper.php
new file mode 100644
index 00000000000..8bc41ac1242
--- /dev/null
+++ b/lib/private/session/cryptowrapper.php
@@ -0,0 +1,81 @@
+<?php
+/**
+ * @author Joas Schilling <nickvergessen@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OC\Session;
+
+use OCP\IConfig;
+use OCP\ISession;
+use OCP\Security\ICrypto;
+use OCP\Security\ISecureRandom;
+
+class CryptoWrapper {
+ const COOKIE_NAME = 'oc_sessionPassphrase';
+
+ /** @var ISession */
+ protected $session;
+
+ /** @var \OCP\Security\ICrypto */
+ protected $crypto;
+
+ /** @var ISecureRandom */
+ protected $random;
+
+ /**
+ * @param IConfig $config
+ * @param ICrypto $crypto
+ * @param ISecureRandom $random
+ */
+ public function __construct(IConfig $config, ICrypto $crypto, ISecureRandom $random) {
+ $this->crypto = $crypto;
+ $this->config = $config;
+ $this->random = $random;
+
+ if (isset($_COOKIE[self::COOKIE_NAME])) {
+ // TODO circular dependency
+// $request = \OC::$server->getRequest();
+// $this->passphrase = $request->getCookie(self::COOKIE_NAME);
+ $this->passphrase = $_COOKIE[self::COOKIE_NAME];
+ } else {
+ $this->passphrase = $this->random->getMediumStrengthGenerator()->generate(128);
+
+ // TODO circular dependency
+ // $secureCookie = \OC::$server->getRequest()->getServerProtocol() === 'https';
+ $secureCookie = false;
+ $expires = time() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
+
+ if (!defined('PHPUNIT_RUN')) {
+ setcookie(self::COOKIE_NAME, $this->passphrase, $expires, \OC::$WEBROOT, '', $secureCookie);
+ }
+ }
+ }
+
+ /**
+ * @param ISession $session
+ * @return ISession
+ */
+ public function wrapSession(ISession $session) {
+ if (!($session instanceof CryptoSessionData) && $this->config->getSystemValue('encrypt.session', false)) {
+ return new \OC\Session\CryptoSessionData($session, $this->crypto, $this->passphrase);
+ }
+
+ return $session;
+ }
+}
diff --git a/tests/lib/server.php b/tests/lib/server.php
index 9c5c83ceb5c..bc44c50a22a 100644
--- a/tests/lib/server.php
+++ b/tests/lib/server.php
@@ -56,6 +56,7 @@ class Server extends \Test\TestCase {
['ContactsManager', '\OCP\Contacts\IManager'],
['Crypto', '\OC\Security\Crypto'],
['Crypto', '\OCP\Security\ICrypto'],
+ ['CryptoWrapper', '\OC\Session\CryptoWrapper'],
['DatabaseConnection', '\OC\DB\Connection'],
['DatabaseConnection', '\OCP\IDBConnection'],
diff --git a/tests/lib/session/cryptosessiondatatest.php b/tests/lib/session/cryptosessiondatatest.php
new file mode 100644
index 00000000000..ee6bcbf11c1
--- /dev/null
+++ b/tests/lib/session/cryptosessiondatatest.php
@@ -0,0 +1,53 @@
+<?php
+/**
+ * @author Joas Schilling <nickvergessen@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace Test\Session;
+
+use OC\Session\CryptoSessionData;
+
+class CryptoSessionDataTest extends Session {
+ /** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\Security\ICrypto */
+ protected $crypto;
+
+ /** @var \OCP\ISession */
+ protected $wrappedSession;
+
+ protected function setUp() {
+ parent::setUp();
+
+ $this->wrappedSession = new \OC\Session\Memory($this->getUniqueID());
+ $this->crypto = $this->getMockBuilder('OCP\Security\ICrypto')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $this->crypto->expects($this->any())
+ ->method('encrypt')
+ ->willReturnCallback(function ($input) {
+ return '#' . $input . '#';
+ });
+ $this->crypto->expects($this->any())
+ ->method('decrypt')
+ ->willReturnCallback(function ($input) {
+ return substr($input, 1, -1);
+ });
+
+ $this->instance = new CryptoSessionData($this->wrappedSession, $this->crypto, 'PASS');
+ }
+}
diff --git a/tests/lib/session/cryptowrappingtest.php b/tests/lib/session/cryptowrappingtest.php
new file mode 100644
index 00000000000..6a3f6959962
--- /dev/null
+++ b/tests/lib/session/cryptowrappingtest.php
@@ -0,0 +1,81 @@
+<?php
+/**
+ * @author Joas Schilling <nickvergessen@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace Test\Session;
+
+use OC\Session\CryptoSessionData;
+use Test\TestCase;
+
+class CryptoWrappingTest extends TestCase {
+ /** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\Security\ICrypto */
+ protected $crypto;
+
+ /** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\ISession */
+ protected $wrappedSession;
+
+ /** @var \OC\Session\CryptoSessionData */
+ protected $instance;
+
+ protected function setUp() {
+ parent::setUp();
+
+ $this->wrappedSession = $this->getMockBuilder('OCP\ISession')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $this->crypto = $this->getMockBuilder('OCP\Security\ICrypto')
+ ->disableOriginalConstructor()
+ ->getMock();
+ $this->crypto->expects($this->any())
+ ->method('encrypt')
+ ->willReturnCallback(function ($input) {
+ return '#' . $input . '#';
+ });
+ $this->crypto->expects($this->any())
+ ->method('decrypt')
+ ->willReturnCallback(function ($input) {
+ return substr($input, 1, -1);
+ });
+
+ $this->instance = new CryptoSessionData($this->wrappedSession, $this->crypto, 'PASS');
+ }
+
+ public function testWrappingSet() {
+ $unencryptedValue = 'foobar';
+
+ $this->wrappedSession->expects($this->once())
+ ->method('set')
+ ->with('key', $this->crypto->encrypt($unencryptedValue));
+ $this->instance->set('key', $unencryptedValue);
+ }
+
+ public function testUnwrappingGet() {
+ $unencryptedValue = 'foobar';
+ $encryptedValue = $this->crypto->encrypt($unencryptedValue);
+
+ $this->wrappedSession->expects($this->once())
+ ->method('get')
+ ->with('key')
+ ->willReturnCallback(function () use ($encryptedValue) {
+ return $encryptedValue;
+ });
+ $this->assertSame($unencryptedValue, $this->instance->get('key'));
+ }
+}