author | Björn Schießle <schiessle@owncloud.com> | 2013-05-13 17:26:21 +0200 |
---|---|---|
committer | Björn Schießle <schiessle@owncloud.com> | 2013-05-13 17:26:21 +0200 |
commit | 517efdf952526ce0f0a03107874baca18742c49b (patch) | |
tree | 0e7f10e0808c13b9142bdbdffa993bd5ca8cf2bc /apps/files_encryption/ajax/adminrecovery.php | |
parent | 2f4ba9d1e8ca6406abb509ad82869cfb6aca40c1 (diff) | |
don't create a recovery user, only generate recovery key similar to the public link share key
Diffstat (limited to 'apps/files_encryption/ajax/adminrecovery.php')
-rw-r--r-- | apps/files_encryption/ajax/adminrecovery.php | 122 |
1 files changed, 57 insertions, 65 deletions
diff --git a/apps/files_encryption/ajax/adminrecovery.php b/apps/files_encryption/ajax/adminrecovery.php index c3c19943c0d..6a056dc7b3d 100644 --- a/apps/files_encryption/ajax/adminrecovery.php +++ b/apps/files_encryption/ajax/adminrecovery.php @@ -1,4 +1,5 @@ <?php + /** * Copyright (c) 2013, Sam Tuke <samtuke@owncloud.com> * This file is licensed under the Affero General Public License version 3 or later. 
@@ -6,87 +7,78 @@ * * @brief Script to handle admin settings for encrypted key recovery */ - use OCA\Encryption; \OCP\JSON::checkAdminUser(); -\OCP\JSON::checkAppEnabled( 'files_encryption' ); +\OCP\JSON::checkAppEnabled('files_encryption'); \OCP\JSON::callCheck(); -$return = $doSetup = false; +$return = false; // Enable recoveryAdmin -if ( - isset( $_POST['adminEnableRecovery'] ) - && 1 == $_POST['adminEnableRecovery'] -// && isset( $_POST['recoveryPassword'] ) -// && ! empty ( $_POST['recoveryPassword'] ) + +if ( + isset($_POST['adminEnableRecovery']) + && 1 == $_POST['adminEnableRecovery'] ) { - // TODO: Let the admin set this themselves - $recoveryAdminUid = 'recoveryAdmin'; - - // If desired recoveryAdmin UID is already in use - if ( ! \OC_User::userExists( $recoveryAdminUid ) ) { - - // Create new recoveryAdmin user - \OC_User::createUser( $recoveryAdminUid, $_POST['recoveryPassword'] ); - - // Make recovery user an administrator - \OC_Group::addToGroup ( $recoveryAdminUid, 'admin' ); - - $doSetup = true; - - } else { - - // Get list of admin users - $admins = OC_Group::usersInGroup( 'admin' ); - - // If the existing recoveryAdmin UID is an admin - if ( in_array( $recoveryAdminUid, $admins ) ) { - - // The desired recoveryAdmi UID pre-exists and can be used - $doSetup = true; - - // If the recoveryAdmin UID exists but doesn't have admin rights - } else { - - $return = false; - - } - + $view = new \OC\Files\View('/'); + + $recoveryKeyId = OC_Appconfig::getValue('files_encryption', 'recoveryKeyId'); + + if ($recoveryKeyId === null) { + $recoveryKeyId = 'recovery_' . substr(md5(time()), 0, 8); + \OC_Appconfig::setValue('files_encryption', 'recoveryKeyId', $recoveryKeyId); } - - // Setup recoveryAdmin user for encryption - if ( $doSetup ) { - - $view = new \OC_FilesystemView( '/' ); - $util = new \OCA\Encryption\Util( $view, $recoveryAdminUid ); - - // Ensure recoveryAdmin is ready for encryption (has usable keypair etc.) 
- $util->setupServerSide( $_POST['recoveryPassword'] ); - - // Store the UID in the DB - OC_Appconfig::setValue( 'files_encryption', 'recoveryAdminUid', $recoveryAdminUid ); - - $return = true; - + + if (!$view->is_dir('/owncloud_private_key')) { + $view->mkdir('/owncloud_private_key'); } - + + if ( + (!$view->file_exists("/public-keys/" . $recoveryKeyId . ".public.key") + || !$view->file_exists("/owncloud_private_key/" . $recoveryKeyId . ".private.key")) + && isset($_POST['recoveryPassword']) + && !empty($_POST['recoveryPassword']) + ) { + + $keypair = \OCA\Encryption\Crypt::createKeypair(); + + \OC_FileProxy::$enabled = false; + + // Save public key + + if (!$view->is_dir('/public-keys')) { + $view->mkdir('/public-keys'); + } + + $view->file_put_contents('/public-keys/' . $recoveryKeyId . '.public.key', $keypair['publicKey']); + + // Encrypt private key empthy passphrase + $encryptedPrivateKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($keypair['privateKey'], $_POST['recoveryPassword']); + + // Save private key + $view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey); + + \OC_FileProxy::$enabled = true; + + } + // Set recoveryAdmin as enabled - OC_Appconfig::setValue( 'files_encryption', 'recoveryAdminEnabled', 1 ); + OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1); + + $return = true; // Disable recoveryAdmin -} elseif ( - isset( $_POST['adminEnableRecovery'] ) - && 0 == $_POST['adminEnableRecovery'] +} elseif ( + isset($_POST['adminEnableRecovery']) + && 0 == $_POST['adminEnableRecovery'] ) { - - // Set recoveryAdmin as enabled - OC_Appconfig::setValue( 'files_encryption', 'recoveryAdminEnabled', 0 ); - - $return = true; + // Set recoveryAdmin as enabled + OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 0); + + $return = true; } // Return success or failure |
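Review bot: On the enable branch, `recoveryAdminEnabled` is set to 1 and `$return = true` is reached even when no usable recovery key pair exists. If the key files are missing and `recoveryPassword` is empty, the generation block is skipped, and the results of `createKeypair()`, `symmetricEncryptFileContent()` and both `file_put_contents()` calls are never checked. The instance can then report recovery as enabled while nothing can be recovered, or while only one half of the pair was written. Gate the flag on the keys being present, as sketched below; the sketch assumes those calls signal failure with `false`, which the hunk does not show. Separately, the comment `// Encrypt private key empthy passphrase` contradicts the code, which encrypts with the submitted password, and `\OC_FileProxy::$enabled = true` forces the proxy on instead of restoring its previous state.

```php
	// … unchanged: recoveryKeyId lookup, mkdir of /owncloud_private_key …
	$publicKeyPath = '/public-keys/' . $recoveryKeyId . '.public.key';
	$privateKeyPath = '/owncloud_private_key/' . $recoveryKeyId . '.private.key';
	$keysPresent = $view->file_exists($publicKeyPath) && $view->file_exists($privateKeyPath);

	if (!$keysPresent && !empty($_POST['recoveryPassword'])) {
		// … unchanged: createKeypair, \OC_FileProxy::$enabled = false, public-keys mkdir, symmetricEncryptFileContent …
		$keysPresent = $keypair
			&& $encryptedPrivateKey !== false
			&& $view->file_put_contents($publicKeyPath, $keypair['publicKey']) !== false
			&& $view->file_put_contents($privateKeyPath, $encryptedPrivateKey) !== false;
		// … unchanged: \OC_FileProxy::$enabled = true …
	}

	// Only report recovery as enabled once both halves of the key pair are on disk
	if ($keysPresent) {
		OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
		$return = true;
	}
```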