authorBjörn Schießle <schiessle@owncloud.com>2013-05-13 17:26:21 +0200
committerBjörn Schießle <schiessle@owncloud.com>2013-05-13 17:26:21 +0200
commit517efdf952526ce0f0a03107874baca18742c49b (patch)
tree0e7f10e0808c13b9142bdbdffa993bd5ca8cf2bc /apps
parent2f4ba9d1e8ca6406abb509ad82869cfb6aca40c1 (diff)
downloadnextcloud-server-517efdf952526ce0f0a03107874baca18742c49b.tar.gz
nextcloud-server-517efdf952526ce0f0a03107874baca18742c49b.zip
don't create a recovery user, only generate recovery key similar to the public link share key
Diffstat (limited to 'apps')
-rw-r--r--apps/files_encryption/ajax/adminrecovery.php122
-rw-r--r--apps/files_encryption/js/settings-admin.js9
-rw-r--r--apps/files_encryption/lib/session.php10
-rw-r--r--apps/files_encryption/lib/util.php4
-rw-r--r--apps/files_encryption/templates/settings-admin.php17
5 files changed, 63 insertions, 99 deletions
diff --git a/apps/files_encryption/ajax/adminrecovery.php b/apps/files_encryption/ajax/adminrecovery.php
index c3c19943c0d..6a056dc7b3d 100644
--- a/apps/files_encryption/ajax/adminrecovery.php
+++ b/apps/files_encryption/ajax/adminrecovery.php
@@ -1,4 +1,5 @@
<?php
+
/**
* Copyright (c) 2013, Sam Tuke <samtuke@owncloud.com>
* This file is licensed under the Affero General Public License version 3 or later.
@@ -6,87 +7,78 @@
*
* @brief Script to handle admin settings for encrypted key recovery
*/
-
use OCA\Encryption;
\OCP\JSON::checkAdminUser();
-\OCP\JSON::checkAppEnabled( 'files_encryption' );
+\OCP\JSON::checkAppEnabled('files_encryption');
\OCP\JSON::callCheck();
-$return = $doSetup = false;
+$return = false;
// Enable recoveryAdmin
-if (
- isset( $_POST['adminEnableRecovery'] )
- && 1 == $_POST['adminEnableRecovery']
-// && isset( $_POST['recoveryPassword'] )
-// && ! empty ( $_POST['recoveryPassword'] )
+
+if (
+ isset($_POST['adminEnableRecovery'])
+ && 1 == $_POST['adminEnableRecovery']
) {
- // TODO: Let the admin set this themselves
- $recoveryAdminUid = 'recoveryAdmin';
-
- // If desired recoveryAdmin UID is already in use
- if ( ! \OC_User::userExists( $recoveryAdminUid ) ) {
-
- // Create new recoveryAdmin user
- \OC_User::createUser( $recoveryAdminUid, $_POST['recoveryPassword'] );
-
- // Make recovery user an administrator
- \OC_Group::addToGroup ( $recoveryAdminUid, 'admin' );
-
- $doSetup = true;
-
- } else {
-
- // Get list of admin users
- $admins = OC_Group::usersInGroup( 'admin' );
-
- // If the existing recoveryAdmin UID is an admin
- if ( in_array( $recoveryAdminUid, $admins ) ) {
-
- // The desired recoveryAdmi UID pre-exists and can be used
- $doSetup = true;
-
- // If the recoveryAdmin UID exists but doesn't have admin rights
- } else {
-
- $return = false;
-
- }
-
+ $view = new \OC\Files\View('/');
+
+ $recoveryKeyId = OC_Appconfig::getValue('files_encryption', 'recoveryKeyId');
+
+ if ($recoveryKeyId === null) {
+ $recoveryKeyId = 'recovery_' . substr(md5(time()), 0, 8);
+ \OC_Appconfig::setValue('files_encryption', 'recoveryKeyId', $recoveryKeyId);
}
-
- // Setup recoveryAdmin user for encryption
- if ( $doSetup ) {
-
- $view = new \OC_FilesystemView( '/' );
- $util = new \OCA\Encryption\Util( $view, $recoveryAdminUid );
-
- // Ensure recoveryAdmin is ready for encryption (has usable keypair etc.)
- $util->setupServerSide( $_POST['recoveryPassword'] );
-
- // Store the UID in the DB
- OC_Appconfig::setValue( 'files_encryption', 'recoveryAdminUid', $recoveryAdminUid );
-
- $return = true;
-
+
+ if (!$view->is_dir('/owncloud_private_key')) {
+ $view->mkdir('/owncloud_private_key');
}
-
+
+ if (
+ (!$view->file_exists("/public-keys/" . $recoveryKeyId . ".public.key")
+ || !$view->file_exists("/owncloud_private_key/" . $recoveryKeyId . ".private.key"))
+ && isset($_POST['recoveryPassword'])
+ && !empty($_POST['recoveryPassword'])
+ ) {
+
+ $keypair = \OCA\Encryption\Crypt::createKeypair();
+
+ \OC_FileProxy::$enabled = false;
+
+ // Save public key
+
+ if (!$view->is_dir('/public-keys')) {
+ $view->mkdir('/public-keys');
+ }
+
+ $view->file_put_contents('/public-keys/' . $recoveryKeyId . '.public.key', $keypair['publicKey']);
+
+ // Encrypt private key empthy passphrase
+ $encryptedPrivateKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($keypair['privateKey'], $_POST['recoveryPassword']);
+
+ // Save private key
+ $view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey);
+
+ \OC_FileProxy::$enabled = true;
+
+ }
+
// Set recoveryAdmin as enabled
- OC_Appconfig::setValue( 'files_encryption', 'recoveryAdminEnabled', 1 );
+ OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
+
+ $return = true;
// Disable recoveryAdmin
-} elseif (
- isset( $_POST['adminEnableRecovery'] )
- && 0 == $_POST['adminEnableRecovery']
+} elseif (
+ isset($_POST['adminEnableRecovery'])
+ && 0 == $_POST['adminEnableRecovery']
) {
-
- // Set recoveryAdmin as enabled
- OC_Appconfig::setValue( 'files_encryption', 'recoveryAdminEnabled', 0 );
-
- $return = true;
+ // Set recoveryAdmin as enabled
+ OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 0);
+
+ $return = true;
}
// Return success or failure
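Review bot: The enable branch sets `recoveryAdminEnabled` to 1 and `$return = true` even when no key pair exists, because the generation block is skipped whenever `recoveryPassword` is missing or empty and nothing checks the result afterwards. With recovery marked enabled, the `util.php` change in this commit adds `recoveryKeyId` to the share recipients, so files would presumably be shared to a key that was never written. The return values of both `file_put_contents` calls are also ignored, and `\OC_FileProxy::$enabled` is forced to `true` rather than restored to its previous value. I would report recovery as enabled only after confirming both key files are present, and correct the comment `// Encrypt private key empthy passphrase`, which contradicts the call that encrypts with `$_POST['recoveryPassword']`.

```php
// … unchanged: recoveryKeyId lookup, directory creation …
$publicKeyPath = '/public-keys/' . $recoveryKeyId . '.public.key';
$privateKeyPath = '/owncloud_private_key/' . $recoveryKeyId . '.private.key';

// … unchanged: key pair generation when the files are missing and a password was sent …

// Only report recovery as enabled once both halves of the key pair are on disk
if ($view->file_exists($publicKeyPath) && $view->file_exists($privateKeyPath)) {
    OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
    $return = true;
}
```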
diff --git a/apps/files_encryption/js/settings-admin.js b/apps/files_encryption/js/settings-admin.js
index 8e9c8c22306..9cdb7aca68a 100644
--- a/apps/files_encryption/js/settings-admin.js
+++ b/apps/files_encryption/js/settings-admin.js
@@ -7,13 +7,6 @@
$(document).ready(function(){
- // Trigger ajax on filetype blacklist change
- $('#encryption_blacklist').multiSelect({
- oncheck:blackListChange,
- onuncheck:blackListChange,
- createText:'...'
- });
-
// Trigger ajax on recoveryAdmin status change
$( 'input:radio[name="adminEnableRecovery"]' ).change(
function() {
@@ -24,7 +17,7 @@ $(document).ready(function(){
if ( '' == recoveryPassword ) {
// FIXME: add proper OC notification
- alert( 'You must set a recovery account password first' );
+ alert( 'You must set a recovery account password first' );
} else {
diff --git a/apps/files_encryption/lib/session.php b/apps/files_encryption/lib/session.php
index 920f0b6a9a3..5444d0215ca 100644
--- a/apps/files_encryption/lib/session.php
+++ b/apps/files_encryption/lib/session.php
@@ -49,7 +49,7 @@ class Session {
$publicShareKeyId = \OC_Appconfig::getValue('files_encryption', 'publicShareKeyId');
if ($publicShareKeyId === null) {
- $publicShareKeyId = substr(md5(time()),0,8);
+ $publicShareKeyId = 'pubShare_'.substr(md5(time()),0,8);
\OC_Appconfig::setValue('files_encryption', 'publicShareKeyId', $publicShareKeyId);
}
@@ -57,13 +57,7 @@ class Session {
! $this->view->file_exists( "/public-keys/".$publicShareKeyId.".public.key" )
|| ! $this->view->file_exists( "/owncloud_private_key/".$publicShareKeyId.".private.key" )
) {
-
- //FIXME: Bug: for some reason file_exists is returning
- // false in above if statement, and causing new keys
- // to be generated on each page load. At last check
- // our app.php is being executed 18 times per page load
- // , causing 18 new keypairs and huge performance hit.
-
+
$keypair = Crypt::createKeypair();
\OC_FileProxy::$enabled = false;
diff --git a/apps/files_encryption/lib/util.php b/apps/files_encryption/lib/util.php
index 8162ae0a367..732f5fece85 100644
--- a/apps/files_encryption/lib/util.php
+++ b/apps/files_encryption/lib/util.php
@@ -958,10 +958,10 @@ class Util {
if ( $recoveryEnabled ) {
// Find recoveryAdmin user ID
- $recoveryAdminUid = \OC_Appconfig::getValue( 'files_encryption', 'recoveryAdminUid' );
+ $recoveryKeyId = \OC_Appconfig::getValue( 'files_encryption', 'recoveryKeyId' );
// Add recoveryAdmin to list of users sharing
- $userIds[] = $recoveryAdminUid;
+ $userIds[] = $recoveryKeyId;
}
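Review bot: `$recoveryKeyId` is appended to `$userIds` without checking that the config lookup returned a value. An installation that enabled recovery before this commit has `recoveryAdminEnabled` set but only the old `recoveryAdminUid` key, so `getValue` would presumably return null here (the same call is tested with `=== null` in `adminrecovery.php`) and a null entry would join the recipient list. Guarding with `if ($recoveryKeyId !== null) { $userIds[] = $recoveryKeyId; }` avoids that. The two comments still describe a recoveryAdmin user and could read `// Add recovery key to the list of share recipients`. The enclosing method starts and ends outside the hunk.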
diff --git a/apps/files_encryption/templates/settings-admin.php b/apps/files_encryption/templates/settings-admin.php
index 863f1dfa9a5..be7beecf696 100644
--- a/apps/files_encryption/templates/settings-admin.php
+++ b/apps/files_encryption/templates/settings-admin.php
@@ -4,25 +4,10 @@
<p>
<strong><?php p($l->t( 'Encryption' )); ?></strong>
<br />
-
- <?php p($l->t( "Exclude the following file types from encryption:" )); ?>
- <br />
-
- <select
- id='encryption_blacklist'
- title="<?php p($l->t( 'None' ))?>"
- multiple="multiple">
- <?php foreach($_["blacklist"] as $type): ?>
- <option selected="selected" value="<?php p($type); ?>"> <?php p($type); ?> </option>
- <?php endforeach;?>
- </select>
</p>
<p>
- <strong>
- <?php p($l->t( "Enable encryption passwords recovery account (allow sharing to recovery account):" )); ?>
+ <?php p($l->t( "Enable encryption passwords recovery key (allow sharing to recovery key):" )); ?>
<br />
- </strong>
- <?php p($l->t( "To perform a recovery log in using the 'recoveryAdmin' account and the specified password" )); ?>
<br />
<?php if ( empty( $_['recoveryAdminUid'] ) ): ?>
<input type="password" name="recoveryPassword" id="recoveryPassword" />
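Review bot: The context line `<?php if ( empty( $_['recoveryAdminUid'] ) ): ?>` still decides whether the password field is shown from `recoveryAdminUid`, a config key that `adminrecovery.php` stops writing in this commit. Unless the settings page that fills `$_` (not part of this diff) maps the new `recoveryKeyId` onto that name, the condition is always true and the field is shown even when a recovery key already exists. Renaming the template variable to match, e.g. `empty( $_['recoveryKeyId'] )`, would keep the two in step. The `if` block continues past the end of the hunk.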