diff options
author | Joas Schilling <nickvergessen@owncloud.com> | 2015-07-20 12:59:04 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2015-08-21 17:59:23 +0200 |
commit | 36eef2ddabd77ff6279f3bd6896ced4959f1c370 (patch) | |
tree | 82f28ac58905ed449d5678ffb505eec4d3ec7fde | |
parent | 510010e774c4019b7fc616c90085649abb7afac3 (diff) | |
download | nextcloud-server-36eef2ddabd77ff6279f3bd6896ced4959f1c370.tar.gz nextcloud-server-36eef2ddabd77ff6279f3bd6896ced4959f1c370.zip |
Add a session wrapper to encrypt the data before storing it on disk
-rw-r--r-- | cron.php | 5 | ||||
-rw-r--r-- | lib/base.php | 12 | ||||
-rw-r--r-- | lib/private/server.php | 42 | ||||
-rw-r--r-- | lib/private/session/cryptosessiondata.php | 140 | ||||
-rw-r--r-- | lib/private/session/cryptowrapper.php | 81 | ||||
-rw-r--r-- | tests/lib/server.php | 1 | ||||
-rw-r--r-- | tests/lib/session/cryptosessiondatatest.php | 53 | ||||
-rw-r--r-- | tests/lib/session/cryptowrappingtest.php | 81 |
8 files changed, 381 insertions, 34 deletions
@@ -52,7 +52,10 @@ try { \OC::$server->getSession()->close(); // initialize a dummy memory session - \OC::$server->setSession(new \OC\Session\Memory('')); + $session = new \OC\Session\Memory(''); + $cryptoWrapper = \OC::$server->getSessionCryptoWrapper(); + $session = $cryptoWrapper->wrapSession($session); + \OC::$server->setSession($session); $logger = \OC::$server->getLogger(); diff --git a/lib/base.php b/lib/base.php index 42e1d7f8586..98305a19df2 100644 --- a/lib/base.php +++ b/lib/base.php @@ -463,13 +463,15 @@ class OC { $useCustomSession = false; $session = self::$server->getSession(); OC_Hook::emit('OC', 'initSession', array('session' => &$session, 'sessionName' => &$sessionName, 'useCustomSession' => &$useCustomSession)); - if($useCustomSession) { - // use the session reference as the new Session - self::$server->setSession($session); - } else { + if (!$useCustomSession) { // set the session name to the instance id - which is unique - self::$server->setSession(new \OC\Session\Internal($sessionName)); + $session = new \OC\Session\Internal($sessionName); } + + $cryptoWrapper = \OC::$server->getSessionCryptoWrapper(); + $session = $cryptoWrapper->wrapSession($session); + self::$server->setSession($session); + // if session cant be started break with http 500 error } catch (Exception $e) { \OCP\Util::logException('base', $e); diff --git a/lib/private/server.php b/lib/private/server.php index 89001567219..61eb3c736bf 100644 --- a/lib/private/server.php +++ b/lib/private/server.php @@ -56,6 +56,7 @@ use OC\Security\Crypto; use OC\Security\Hasher; use OC\Security\SecureRandom; use OC\Security\TrustedDomainHelper; +use OC\Session\CryptoWrapper; use OC\Tagging\TagMapper; use OCP\IServerContainer; use Symfony\Component\EventDispatcher\EventDispatcher; @@ -159,7 +160,12 @@ class Server extends SimpleContainer implements IServerContainer { }); $this->registerService('UserSession', function (Server $c) { $manager = $c->getUserManager(); - $userSession = new \OC\User\Session($manager, new \OC\Session\Memory('')); + + $session = new \OC\Session\Memory(''); + $cryptoWrapper = $c->getSessionCryptoWrapper(); + $session = $cryptoWrapper->wrapSession($session); + + $userSession = new \OC\User\Session($manager, $session); $userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) { \OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password)); }); @@ -461,6 +467,13 @@ class Server extends SimpleContainer implements IServerContainer { $this->registerService('EventDispatcher', function() { return new EventDispatcher(); }); + $this->registerService('CryptoWrapper', function (Server $c) { + return new CryptoWrapper( + $c->getConfig(), + $c->getCrypto(), + $c->getSecureRandom() + ); + }); } /** @@ -949,31 +962,4 @@ class Server extends SimpleContainer implements IServerContainer { return $this->query('MountManager'); } - /* - * Get the MimeTypeDetector - * - * @return \OCP\Files\IMimeTypeDetector - */ - public function getMimeTypeDetector() { - return $this->query('MimeTypeDetector'); - } - - /** - * Get the manager of all the capabilities - * - * @return \OC\CapabilitiesManager - */ - public function getCapabilitiesManager() { - return $this->query('CapabilitiesManager'); - } - - /** - * Get the EventDispatcher - * - * @return EventDispatcherInterface - * @since 8.2.0 - */ - public function getEventDispatcher() { - return $this->query('EventDispatcher'); - } } diff --git a/lib/private/session/cryptosessiondata.php b/lib/private/session/cryptosessiondata.php new file mode 100644 index 00000000000..9a3cd928826 --- /dev/null +++ b/lib/private/session/cryptosessiondata.php @@ -0,0 +1,140 @@ +<?php +/** + * @author Joas Schilling <nickvergessen@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OC\Session; + + +use OCP\ISession; +use OCP\Security\ICrypto; + +class CryptoSessionData implements \ArrayAccess, ISession { + /** @var ISession */ + protected $session; + + /** @var \OCP\Security\ICrypto */ + protected $crypto; + + /** @var string */ + protected $passphrase; + + /** + * @param ISession $session + * @param ICrypto $crypto + * @param string $passphrase + */ + public function __construct(ISession $session, ICrypto $crypto, $passphrase) { + $this->crypto = $crypto; + $this->session = $session; + $this->passphrase = $passphrase; + } + + /** + * Set a value in the session + * + * @param string $key + * @param mixed $value + */ + public function set($key, $value) { + $encryptedValue = $this->crypto->encrypt($value, $this->passphrase); + $this->session->set($key, $encryptedValue); + } + + /** + * Get a value from the session + * + * @param string $key + * @return mixed should return null if $key does not exist + * @throws \Exception when the data could not be decrypted + */ + public function get($key) { + $encryptedValue = $this->session->get($key); + if ($encryptedValue === null) { + return null; + } + + $value = $this->crypto->decrypt($encryptedValue, $this->passphrase); + return $value; + } + + /** + * Check if a named key exists in the session + * + * @param string $key + * @return bool + */ + public function exists($key) { + return $this->session->exists($key); + } + + /** + * Remove a $key/$value pair from the session + * + * @param string $key + */ + public function remove($key) { + $this->session->remove($key); + } + + /** + * Reset and recreate the session + */ + public function clear() { + $this->session->clear(); + } + + /** + * Close the session and release the lock + */ + public function close() { + $this->session->close(); + } + + /** + * @param mixed $offset + * @return bool + */ + public function offsetExists($offset) { + return $this->exists($offset); + } + + /** + * @param mixed $offset + * @return mixed + */ + public function offsetGet($offset) { + return $this->get($offset); + } + + /** + * @param mixed $offset + * @param mixed $value + */ + public function offsetSet($offset, $value) { + $this->set($offset, $value); + } + + /** + * @param mixed $offset + */ + public function offsetUnset($offset) { + $this->remove($offset); + } +} diff --git a/lib/private/session/cryptowrapper.php b/lib/private/session/cryptowrapper.php new file mode 100644 index 00000000000..8bc41ac1242 --- /dev/null +++ b/lib/private/session/cryptowrapper.php @@ -0,0 +1,81 @@ +<?php +/** + * @author Joas Schilling <nickvergessen@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OC\Session; + +use OCP\IConfig; +use OCP\ISession; +use OCP\Security\ICrypto; +use OCP\Security\ISecureRandom; + +class CryptoWrapper { + const COOKIE_NAME = 'oc_sessionPassphrase'; + + /** @var ISession */ + protected $session; + + /** @var \OCP\Security\ICrypto */ + protected $crypto; + + /** @var ISecureRandom */ + protected $random; + + /** + * @param IConfig $config + * @param ICrypto $crypto + * @param ISecureRandom $random + */ + public function __construct(IConfig $config, ICrypto $crypto, ISecureRandom $random) { + $this->crypto = $crypto; + $this->config = $config; + $this->random = $random; + + if (isset($_COOKIE[self::COOKIE_NAME])) { + // TODO circular dependency +// $request = \OC::$server->getRequest(); +// $this->passphrase = $request->getCookie(self::COOKIE_NAME); + $this->passphrase = $_COOKIE[self::COOKIE_NAME]; + } else { + $this->passphrase = $this->random->getMediumStrengthGenerator()->generate(128); + + // TODO circular dependency + // $secureCookie = \OC::$server->getRequest()->getServerProtocol() === 'https'; + $secureCookie = false; + $expires = time() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15); + + if (!defined('PHPUNIT_RUN')) { + setcookie(self::COOKIE_NAME, $this->passphrase, $expires, \OC::$WEBROOT, '', $secureCookie); + } + } + } + + /** + * @param ISession $session + * @return ISession + */ + public function wrapSession(ISession $session) { + if (!($session instanceof CryptoSessionData) && $this->config->getSystemValue('encrypt.session', false)) { + return new \OC\Session\CryptoSessionData($session, $this->crypto, $this->passphrase); + } + + return $session; + } +} diff --git a/tests/lib/server.php b/tests/lib/server.php index 9c5c83ceb5c..bc44c50a22a 100644 --- a/tests/lib/server.php +++ b/tests/lib/server.php @@ -56,6 +56,7 @@ class Server extends \Test\TestCase { ['ContactsManager', '\OCP\Contacts\IManager'], ['Crypto', '\OC\Security\Crypto'], ['Crypto', '\OCP\Security\ICrypto'], + ['CryptoWrapper', '\OC\Session\CryptoWrapper'], ['DatabaseConnection', '\OC\DB\Connection'], ['DatabaseConnection', '\OCP\IDBConnection'], diff --git a/tests/lib/session/cryptosessiondatatest.php b/tests/lib/session/cryptosessiondatatest.php new file mode 100644 index 00000000000..ee6bcbf11c1 --- /dev/null +++ b/tests/lib/session/cryptosessiondatatest.php @@ -0,0 +1,53 @@ +<?php +/** + * @author Joas Schilling <nickvergessen@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace Test\Session; + +use OC\Session\CryptoSessionData; + +class CryptoSessionDataTest extends Session { + /** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\Security\ICrypto */ + protected $crypto; + + /** @var \OCP\ISession */ + protected $wrappedSession; + + protected function setUp() { + parent::setUp(); + + $this->wrappedSession = new \OC\Session\Memory($this->getUniqueID()); + $this->crypto = $this->getMockBuilder('OCP\Security\ICrypto') + ->disableOriginalConstructor() + ->getMock(); + $this->crypto->expects($this->any()) + ->method('encrypt') + ->willReturnCallback(function ($input) { + return '#' . $input . '#'; + }); + $this->crypto->expects($this->any()) + ->method('decrypt') + ->willReturnCallback(function ($input) { + return substr($input, 1, -1); + }); + + $this->instance = new CryptoSessionData($this->wrappedSession, $this->crypto, 'PASS'); + } +} diff --git a/tests/lib/session/cryptowrappingtest.php b/tests/lib/session/cryptowrappingtest.php new file mode 100644 index 00000000000..6a3f6959962 --- /dev/null +++ b/tests/lib/session/cryptowrappingtest.php @@ -0,0 +1,81 @@ +<?php +/** + * @author Joas Schilling <nickvergessen@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace Test\Session; + +use OC\Session\CryptoSessionData; +use Test\TestCase; + +class CryptoWrappingTest extends TestCase { + /** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\Security\ICrypto */ + protected $crypto; + + /** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\ISession */ + protected $wrappedSession; + + /** @var \OC\Session\CryptoSessionData */ + protected $instance; + + protected function setUp() { + parent::setUp(); + + $this->wrappedSession = $this->getMockBuilder('OCP\ISession') + ->disableOriginalConstructor() + ->getMock(); + $this->crypto = $this->getMockBuilder('OCP\Security\ICrypto') + ->disableOriginalConstructor() + ->getMock(); + $this->crypto->expects($this->any()) + ->method('encrypt') + ->willReturnCallback(function ($input) { + return '#' . $input . '#'; + }); + $this->crypto->expects($this->any()) + ->method('decrypt') + ->willReturnCallback(function ($input) { + return substr($input, 1, -1); + }); + + $this->instance = new CryptoSessionData($this->wrappedSession, $this->crypto, 'PASS'); + } + + public function testWrappingSet() { + $unencryptedValue = 'foobar'; + + $this->wrappedSession->expects($this->once()) + ->method('set') + ->with('key', $this->crypto->encrypt($unencryptedValue)); + $this->instance->set('key', $unencryptedValue); + } + + public function testUnwrappingGet() { + $unencryptedValue = 'foobar'; + $encryptedValue = $this->crypto->encrypt($unencryptedValue); + + $this->wrappedSession->expects($this->once()) + ->method('get') + ->with('key') + ->willReturnCallback(function () use ($encryptedValue) { + return $encryptedValue; + }); + $this->assertSame($unencryptedValue, $this->instance->get('key')); + } +} |