diff options
author | Bjoern Schiessle <schiessle@owncloud.com> | 2015-08-24 12:03:53 +0200 |
---|---|---|
committer | Bjoern Schiessle <schiessle@owncloud.com> | 2015-09-15 22:39:44 +0200 |
commit | 9bd4f2d41e5a211ad60a83bfcdc60b8633076a54 (patch) | |
tree | 345f1f4c89bd1ee1dcd50f8106e87238d53e3b64 /apps/encryption/lib | |
parent | 230029e5090b3deecb941e75bbc34a6bcb98c374 (diff) | |
download | nextcloud-server-9bd4f2d41e5a211ad60a83bfcdc60b8633076a54.tar.gz nextcloud-server-9bd4f2d41e5a211ad60a83bfcdc60b8633076a54.zip |
occ script to disable encryption and to decrypt all files again
Diffstat (limited to 'apps/encryption/lib')
-rw-r--r-- | apps/encryption/lib/crypto/decryptall.php | 143 | ||||
-rw-r--r-- | apps/encryption/lib/crypto/encryption.php | 36 | ||||
-rw-r--r-- | apps/encryption/lib/session.php | 60 |
3 files changed, 237 insertions, 2 deletions
diff --git a/apps/encryption/lib/crypto/decryptall.php b/apps/encryption/lib/crypto/decryptall.php new file mode 100644 index 00000000000..599cd82aa4d --- /dev/null +++ b/apps/encryption/lib/crypto/decryptall.php @@ -0,0 +1,143 @@ +<?php +/** + * @author Björn Schießle <schiessle@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + + +namespace OCA\Encryption\Crypto; + + +use OCA\Encryption\KeyManager; +use OCA\Encryption\Session; +use OCA\Encryption\Util; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; +use Symfony\Component\Console\Question\ConfirmationQuestion; +use Symfony\Component\Console\Question\Question; + +class DecryptAll { + + /** @var Util */ + protected $util; + + /** @var QuestionHelper */ + protected $questionHelper; + + /** @var Crypt */ + protected $crypt; + + /** @var KeyManager */ + protected $keyManager; + + /** @var Session */ + protected $session; + + /** + * @param Util $util + * @param KeyManager $keyManager + * @param Crypt $crypt + * @param Session $session + * @param QuestionHelper $questionHelper + */ + public function __construct( + Util $util, + KeyManager $keyManager, + Crypt $crypt, + Session $session, + QuestionHelper $questionHelper + ) { + $this->util = $util; + $this->keyManager = $keyManager; + $this->crypt = $crypt; + $this->session = $session; + $this->questionHelper = $questionHelper; + } + + /** + * prepare encryption module to decrypt all files + * + * @param InputInterface $input + * @param OutputInterface $output + * @param $user + * @return bool + */ + public function prepare(InputInterface $input, OutputInterface $output, $user) { + + $question = new Question('Please enter the recovery key password: '); + $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); + + if (!empty($user)) { + $questionUseLoginPassword = new ConfirmationQuestion( + 'Do you want to use the users login password to decrypt all files? (y/n) ', + false + ); + $useLoginPassword = $this->questionHelper->ask($input, $output, $questionUseLoginPassword); + if ($useLoginPassword) { + $question = new Question('Please enter the users login password: '); + } else if ($this->util->isRecoveryEnabledForUser($user) === false) { + $output->writeln('No recovery key available for user ' . $user); + return false; + } else { + $user = $recoveryKeyId; + } + } else { + $user = $recoveryKeyId; + } + + $question->setHidden(true); + $question->setHiddenFallback(false); + $password = $this->questionHelper->ask($input, $output, $question); + $privateKey = $this->getPrivateKey($user, $password); + if ($privateKey !== false) { + $this->updateSession($user, $privateKey); + return true; + } else { + $output->writeln('Could not decrypt private key, maybe you entered the wrong password?'); + } + + + return false; + } + + /** + * get the private key which will be used to decrypt all files + * + * @param string $user + * @param string $password + * @return bool|string + * @throws \OCA\Encryption\Exceptions\PrivateKeyMissingException + */ + protected function getPrivateKey($user, $password) { + $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); + if ($user === $recoveryKeyId) { + $recoveryKey = $this->keyManager->getSystemPrivateKey($recoveryKeyId); + $privateKey = $this->crypt->decryptPrivateKey($recoveryKey, $password); + } else { + $userKey = $this->keyManager->getPrivateKey($user); + $privateKey = $this->crypt->decryptPrivateKey($userKey, $password, $user); + } + + return $privateKey; + } + + protected function updateSession($user, $privateKey) { + $this->session->prepareDecryptAll($user, $privateKey); + } +} diff --git a/apps/encryption/lib/crypto/encryption.php b/apps/encryption/lib/crypto/encryption.php index c62afac83c1..fde4a2c4a9c 100644 --- a/apps/encryption/lib/crypto/encryption.php +++ b/apps/encryption/lib/crypto/encryption.php @@ -30,6 +30,7 @@ namespace OCA\Encryption\Crypto; use OC\Encryption\Exceptions\DecryptionFailedException; use OCA\Encryption\Exceptions\PublicKeyMissingException; +use OCA\Encryption\Session; use OCA\Encryption\Util; use OCP\Encryption\IEncryptionModule; use OCA\Encryption\KeyManager; @@ -75,6 +76,9 @@ class Encryption implements IEncryptionModule { /** @var Util */ private $util; + /** @var Session */ + private $session; + /** @var ILogger */ private $logger; @@ -87,25 +91,34 @@ class Encryption implements IEncryptionModule { /** @var bool */ private $useMasterPassword; + /** @var DecryptAll */ + private $decryptAll; + /** * * @param Crypt $crypt * @param KeyManager $keyManager * @param Util $util + * @param Session $session * @param EncryptAll $encryptAll + * @param DecryptAll $decryptAll * @param ILogger $logger * @param IL10N $il10n */ public function __construct(Crypt $crypt, KeyManager $keyManager, Util $util, + Session $session, EncryptAll $encryptAll, + DecryptAll $decryptAll, ILogger $logger, IL10N $il10n) { $this->crypt = $crypt; $this->keyManager = $keyManager; $this->util = $util; + $this->session = $session; $this->encryptAll = $encryptAll; + $this->decryptAll = $decryptAll; $this->logger = $logger; $this->l = $il10n; $this->useMasterPassword = $util->isMasterKeyEnabled(); @@ -150,7 +163,15 @@ class Encryption implements IEncryptionModule { $this->isWriteOperation = false; $this->writeCache = ''; - $this->fileKey = $this->keyManager->getFileKey($this->path, $this->user); + if ($this->session->decryptAllModeActivated()) { + $encryptedFileKey = $this->keyManager->getEncryptedFileKey($this->path); + $shareKey = $this->keyManager->getShareKey($this->path, $this->session->getDecryptAllUid()); + $this->fileKey = $this->crypt->multiKeyDecrypt($encryptedFileKey, + $shareKey, + $this->session->getDecryptAllKey()); + } else { + $this->fileKey = $this->keyManager->getFileKey($this->path, $this->user); + } if ( $mode === 'w' @@ -427,6 +448,19 @@ class Encryption implements IEncryptionModule { } /** + * prepare module to perform decrypt all operation + * + * @param InputInterface $input + * @param OutputInterface $output + * @param string $user + * @return bool + */ + public function prepareDecryptAll(InputInterface $input, OutputInterface $output, $user = '') { + return $this->decryptAll->prepare($input, $output, $user); + } + + + /** * @param string $path * @return string */ diff --git a/apps/encryption/lib/session.php b/apps/encryption/lib/session.php index c3759c3fc56..1d0c3711487 100644 --- a/apps/encryption/lib/session.php +++ b/apps/encryption/lib/session.php @@ -25,6 +25,7 @@ namespace OCA\Encryption; +use OCA\Encryption\Exceptions\PrivateKeyMissingException; use \OCP\ISession; class Session { @@ -106,6 +107,61 @@ class Session { $this->session->set('privateKey', $key); } + /** + * store data needed for the decrypt all operation in the session + * + * @param string $user + * @param string $key + */ + public function prepareDecryptAll($user, $key) { + $this->session->set('decryptAll', true); + $this->session->set('decryptAllKey', $key); + $this->session->set('decryptAllUid', $user); + } + + /** + * check if we are in decrypt all mode + * + * @return bool + */ + public function decryptAllModeActivated() { + $decryptAll = $this->session->get('decryptAll'); + return ($decryptAll === true); + } + + /** + * get uid used for decrypt all operation + * + * @return string + * @throws \Exception + */ + public function getDecryptAllUid() { + $uid = $this->session->get('decryptAllUid'); + if (is_null($uid) && $this->decryptAllModeActivated()) { + throw new \Exception('No uid found while in decrypt all mode'); + } elseif (is_null($uid)) { + throw new \Exception('Please activate decrypt all mode first'); + } + + return $uid; + } + + /** + * get private key for decrypt all operation + * + * @return string + * @throws PrivateKeyMissingException + */ + public function getDecryptAllKey() { + $privateKey = $this->session->get('decryptAllKey'); + if (is_null($privateKey) && $this->decryptAllModeActivated()) { + throw new PrivateKeyMissingException('No private key found while in decrypt all mode'); + } elseif (is_null($privateKey)) { + throw new PrivateKeyMissingException('Please activate decrypt all mode first'); + } + + return $privateKey; + } /** * remove keys from session @@ -114,7 +170,9 @@ class Session { $this->session->remove('publicSharePrivateKey'); $this->session->remove('privateKey'); $this->session->remove('encryptionInitialized'); - + $this->session->remove('decryptAll'); + $this->session->remove('decryptAllKey'); + $this->session->remove('decryptAllUid'); } } |