add occ command to recover encrypted files in case of password lost

Signed-off-by: Bjoern Schiessle <bjoern@schiessle.org>

2 files changed, 134 insertions, 2 deletions

diff --git a/apps/encryption/lib/Command/RecoverUser.php b/apps/encryption/lib/Command/RecoverUser.php
new file mode 100644
index 00000000000..8de105b5382
--- /dev/null
+++ b/apps/encryption/lib/Command/RecoverUser.php
@@ -0,0 +1,118 @@
+<?php
+/**
+ * @copyright Copyright (c) 2018 Bjoern Schiessle <bjoern@schiessle.org>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Encryption\Command;
+
+
+use OC\Files\Filesystem;
+use OC\User\NoUserException;
+use OCA\Encryption\Crypto\Crypt;
+use OCA\Encryption\KeyManager;
+use OCA\Encryption\Recovery;
+use OCA\Encryption\Util;
+use OCP\IConfig;
+use OCP\IUserManager;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Helper\QuestionHelper;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Symfony\Component\Console\Question\Question;
+
+class RecoverUser extends Command {
+
+	/** @var Util */
+	protected $util;
+
+	/** @var IUserManager */
+	protected $userManager;
+
+	/** @var  QuestionHelper */
+	protected $questionHelper;
+
+	/**
+	 * @param Util $util
+	 * @param IConfig $config
+	 * @param IUserManager $userManager
+	 * @param QuestionHelper $questionHelper
+	 */
+	public function __construct(Util $util,
+								IConfig $config,
+								IUserManager $userManager,
+								QuestionHelper $questionHelper) {
+
+		$this->util = $util;
+		$this->questionHelper = $questionHelper;
+		$this->userManager = $userManager;
+		parent::__construct();
+	}
+
+	protected function configure() {
+		$this
+			->setName('encryption:recover-user')
+			->setDescription('Recover user data in case of password lost. This only works if the user enabled the recovery key.');
+
+		$this->addArgument(
+			'user',
+			InputArgument::REQUIRED,
+			'user which should be recovered'
+		);
+	}
+
+	protected function execute(InputInterface $input, OutputInterface $output) {
+
+		$isMasterKeyEnabled = $this->util->isMasterKeyEnabled();
+
+		if($isMasterKeyEnabled) {
+			$output->writeln('You use the master key, no individual user recovery needed.');
+			return;
+		}
+
+		$uid = $input->getArgument('user');
+		$userExists = $this->userManager->userExists($uid);
+		if ($userExists === false) {
+			$output->writeln('User "' . $uid . '" unknown.');
+			return;
+		}
+
+		$recoveryKeyEnabled = $this->util->isRecoveryEnabledForUser($uid);
+		if($recoveryKeyEnabled === false) {
+			$output->writeln('Recovery key is not enabled for: ' . $uid);
+			return;
+		}
+
+		$question = new Question('Please enter the recovery key password: ');
+		$question->setHidden(true);
+		$question->setHiddenFallback(false);
+		$recoveryPassword = $this->questionHelper->ask($input, $output, $question);
+
+		$question = new Question('Please enter the new login password for the user: ');
+		$question->setHidden(true);
+		$question->setHiddenFallback(false);
+		$newLoginPassword = $this->questionHelper->ask($input, $output, $question);
+
+		$output->write('Start to recover users files... This can take some time...');
+		$this->userManager->get($uid)->setPassword($newLoginPassword, $recoveryPassword);
+		$output->writeln('Done.');
+
+	}
+
+}
diff --git a/apps/encryption/lib/Hooks/UserHooks.php b/apps/encryption/lib/Hooks/UserHooks.php
index dc3a4d3c428..48815892900 100644
--- a/apps/encryption/lib/Hooks/UserHooks.php
+++ b/apps/encryption/lib/Hooks/UserHooks.php
@@ -28,6 +28,7 @@ namespace OCA\Encryption\Hooks;
 
 
 use OC\Files\Filesystem;
+use OCP\Encryption\Exceptions\GenericEncryptionException;
 use OCP\IUserManager;
 use OCP\Util as OCUtil;
 use OCA\Encryption\Hooks\Contracts\IHook;
@@ -252,11 +253,12 @@ class UserHooks implements IHook {
 		}
 
 		// Get existing decrypted private key
-		$privateKey = $this->session->getPrivateKey();
 		$user = $this->user->getUser();
 
 		// current logged in user changes his own password
-		if ($user && $params['uid'] === $user->getUID() && $privateKey) {
+		if ($user && $params['uid'] === $user->getUID()) {
+
+			$privateKey = $this->session->getPrivateKey();
 
 			// Encrypt private key with new user pwd as passphrase
 			$encryptedPrivateKey = $this->crypt->encryptPrivateKey($privateKey, $params['password'], $params['uid']);
@@ -277,6 +279,18 @@ class UserHooks implements IHook {
 			$this->initMountPoints($user);
 			$recoveryPassword = isset($params['recoveryPassword']) ? $params['recoveryPassword'] : null;
 
+			$recoveryKeyId = $this->keyManager->getRecoveryKeyId();
+			$recoveryKey = $this->keyManager->getSystemPrivateKey($recoveryKeyId);
+			try {
+				$decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $recoveryPassword);
+			} catch (\Exception $e) {
+				$decryptedRecoveryKey = false;
+			}
+			if ($decryptedRecoveryKey === false) {
+				$message = 'Can not decrypt the recovery key. Maybe you provided the wrong password. Try again.';
+				throw new GenericEncryptionException($message, $message);
+			}
+
 			// we generate new keys if...
 			// ...we have a recovery password and the user enabled the recovery key
 			// ...encryption was activated for the first time (no keys exists)