diff options
author | Thomas Müller <thomas.mueller@tmit.eu> | 2016-03-01 08:23:27 +0100 |
---|---|---|
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2016-03-01 08:23:27 +0100 |
commit | eb740d1dac0c4cc0c8d0752006673a270ab97a72 (patch) | |
tree | 5bf3c775c85978143f7b751bdf3823cfc7b3ba33 /apps/encryption | |
parent | da18d04b384c591534436a99c38870792f782d31 (diff) | |
parent | 95ea2ccb53e96ce91738c5c4aa4f36c520d76bd9 (diff) | |
download | nextcloud-server-eb740d1dac0c4cc0c8d0752006673a270ab97a72.tar.gz nextcloud-server-eb740d1dac0c4cc0c8d0752006673a270ab97a72.zip |
Merge pull request #22727 from owncloud/decrypt_all_master_key
make decrypt all work with the master key
Diffstat (limited to 'apps/encryption')
-rw-r--r-- | apps/encryption/lib/crypto/decryptall.php | 57 | ||||
-rw-r--r-- | apps/encryption/lib/keymanager.php | 2 | ||||
-rw-r--r-- | apps/encryption/tests/lib/crypto/decryptalltest.php | 14 |
3 files changed, 46 insertions, 27 deletions
diff --git a/apps/encryption/lib/crypto/decryptall.php b/apps/encryption/lib/crypto/decryptall.php index fa9a3e0db95..694aba2fb89 100644 --- a/apps/encryption/lib/crypto/decryptall.php +++ b/apps/encryption/lib/crypto/decryptall.php @@ -81,35 +81,42 @@ class DecryptAll { public function prepare(InputInterface $input, OutputInterface $output, $user) { $question = new Question('Please enter the recovery key password: '); - $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); - if (!empty($user)) { - $output->writeln('You can only decrypt the users files if you know'); - $output->writeln('the users password or if he activated the recovery key.'); - $output->writeln(''); - $questionUseLoginPassword = new ConfirmationQuestion( - 'Do you want to use the users login password to decrypt all files? (y/n) ', - false - ); - $useLoginPassword = $this->questionHelper->ask($input, $output, $questionUseLoginPassword); - if ($useLoginPassword) { - $question = new Question('Please enter the user\'s login password: '); - } else if ($this->util->isRecoveryEnabledForUser($user) === false) { - $output->writeln('No recovery key available for user ' . $user); - return false; + if($this->util->isMasterKeyEnabled()) { + $output->writeln('Use master key to decrypt all files'); + $user = $this->keyManager->getMasterKeyId(); + $password =$this->keyManager->getMasterKeyPassword(); + } else { + $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); + if (!empty($user)) { + $output->writeln('You can only decrypt the users files if you know'); + $output->writeln('the users password or if he activated the recovery key.'); + $output->writeln(''); + $questionUseLoginPassword = new ConfirmationQuestion( + 'Do you want to use the users login password to decrypt all files? (y/n) ', + false + ); + $useLoginPassword = $this->questionHelper->ask($input, $output, $questionUseLoginPassword); + if ($useLoginPassword) { + $question = new Question('Please enter the user\'s login password: '); + } else if ($this->util->isRecoveryEnabledForUser($user) === false) { + $output->writeln('No recovery key available for user ' . $user); + return false; + } else { + $user = $recoveryKeyId; + } } else { + $output->writeln('You can only decrypt the files of all users if the'); + $output->writeln('recovery key is enabled by the admin and activated by the users.'); + $output->writeln(''); $user = $recoveryKeyId; } - } else { - $output->writeln('You can only decrypt the files of all users if the'); - $output->writeln('recovery key is enabled by the admin and activated by the users.'); - $output->writeln(''); - $user = $recoveryKeyId; + + $question->setHidden(true); + $question->setHiddenFallback(false); + $password = $this->questionHelper->ask($input, $output, $question); } - $question->setHidden(true); - $question->setHiddenFallback(false); - $password = $this->questionHelper->ask($input, $output, $question); $privateKey = $this->getPrivateKey($user, $password); if ($privateKey !== false) { $this->updateSession($user, $privateKey); @@ -132,9 +139,13 @@ class DecryptAll { */ protected function getPrivateKey($user, $password) { $recoveryKeyId = $this->keyManager->getRecoveryKeyId(); + $masterKeyId = $this->keyManager->getMasterKeyId(); if ($user === $recoveryKeyId) { $recoveryKey = $this->keyManager->getSystemPrivateKey($recoveryKeyId); $privateKey = $this->crypt->decryptPrivateKey($recoveryKey, $password); + } elseif ($user === $masterKeyId) { + $masterKey = $this->keyManager->getSystemPrivateKey($masterKeyId); + $privateKey = $this->crypt->decryptPrivateKey($masterKey, $password, $masterKeyId); } else { $userKey = $this->keyManager->getPrivateKey($user); $privateKey = $this->crypt->decryptPrivateKey($userKey, $password, $user); diff --git a/apps/encryption/lib/keymanager.php b/apps/encryption/lib/keymanager.php index 0c957e12012..4169569d8b2 100644 --- a/apps/encryption/lib/keymanager.php +++ b/apps/encryption/lib/keymanager.php @@ -658,7 +658,7 @@ class KeyManager { * @return string * @throws \Exception */ - protected function getMasterKeyPassword() { + public function getMasterKeyPassword() { $password = $this->config->getSystemValue('secret'); if (empty($password)){ throw new \Exception('Can not get secret from ownCloud instance'); diff --git a/apps/encryption/tests/lib/crypto/decryptalltest.php b/apps/encryption/tests/lib/crypto/decryptalltest.php index 84819aa73bd..0945692e427 100644 --- a/apps/encryption/tests/lib/crypto/decryptalltest.php +++ b/apps/encryption/tests/lib/crypto/decryptalltest.php @@ -87,7 +87,7 @@ class DecryptAllTest extends TestCase { * @param string $user * @param string $recoveryKeyId */ - public function testGetPrivateKey($user, $recoveryKeyId) { + public function testGetPrivateKey($user, $recoveryKeyId, $masterKeyId) { $password = 'passwd'; $recoveryKey = 'recoveryKey'; $userKey = 'userKey'; @@ -102,6 +102,13 @@ class DecryptAllTest extends TestCase { $this->keyManager->expects($this->never())->method('getPrivateKey'); $this->crypt->expects($this->once())->method('decryptPrivateKey') ->with($recoveryKey, $password)->willReturn($unencryptedKey); + } elseif ($user === $masterKeyId) { + $this->keyManager->expects($this->once())->method('getSystemPrivateKey') + ->with($masterKeyId)->willReturn($masterKey); + $this->keyManager->expects($this->never())->method('getPrivateKey'); + $this->crypt->expects($this->once())->method('decryptPrivateKey') + ->with($masterKey, $password, $masterKeyId)->willReturn($unencryptedKey); + } else { $this->keyManager->expects($this->never())->method('getSystemPrivateKey'); $this->keyManager->expects($this->once())->method('getPrivateKey') @@ -117,8 +124,9 @@ class DecryptAllTest extends TestCase { public function dataTestGetPrivateKey() { return [ - ['user1', 'recoveryKey'], - ['recoveryKeyId', 'recoveryKeyId'] + ['user1', 'recoveryKey', 'masterKeyId'], + ['recoveryKeyId', 'recoveryKeyId', 'masterKeyId'], + ['masterKeyId', 'masterKeyId', 'masterKeyId'] ]; } |