diff options
Diffstat (limited to 'apps/encryption/lib/Command')
| -rw-r--r-- | apps/encryption/lib/Command/DisableMasterKey.php | 89 | ||||
| -rw-r--r-- | apps/encryption/lib/Command/DropLegacyFileKey.php | 150 | ||||
| -rw-r--r-- | apps/encryption/lib/Command/EnableMasterKey.php | 81 | ||||
| -rw-r--r-- | apps/encryption/lib/Command/FixEncryptedVersion.php | 316 | ||||
| -rw-r--r-- | apps/encryption/lib/Command/FixKeyLocation.php | 400 | ||||
| -rw-r--r-- | apps/encryption/lib/Command/MigrateKeys.php | 127 | ||||
| -rw-r--r-- | apps/encryption/lib/Command/RecoverUser.php | 77 | ||||
| -rw-r--r-- | apps/encryption/lib/Command/ScanLegacyFormat.php | 100 |
8 files changed, 1094 insertions, 246 deletions
diff --git a/apps/encryption/lib/Command/DisableMasterKey.php b/apps/encryption/lib/Command/DisableMasterKey.php index 230de754bfc..0b8b8e39e78 100644 --- a/apps/encryption/lib/Command/DisableMasterKey.php +++ b/apps/encryption/lib/Command/DisableMasterKey.php @@ -1,30 +1,11 @@ <?php + /** - * @copyright Copyright (c) 2017 Bjoern Schiessle <bjoern@schiessle.org> - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * - * @license GNU AGPL version 3 or any later version - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License as - * published by the Free Software Foundation, either version 3 of the - * License, or (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - * + * SPDX-FileCopyrightText: 2017 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later */ - - namespace OCA\Encryption\Command; - use OCA\Encryption\Util; use OCP\IConfig; use Symfony\Component\Console\Command\Command; @@ -34,58 +15,42 @@ use Symfony\Component\Console\Output\OutputInterface; use Symfony\Component\Console\Question\ConfirmationQuestion; class DisableMasterKey extends Command { - - /** @var Util */ - protected $util; - - /** @var IConfig */ - protected $config; - - /** @var QuestionHelper */ - protected $questionHelper; - - /** - * @param Util $util - * @param IConfig $config - * @param QuestionHelper $questionHelper - */ - public function __construct(Util $util, - IConfig $config, - QuestionHelper $questionHelper) { - - $this->util = $util; - $this->config = $config; - $this->questionHelper = $questionHelper; + public function __construct( + protected Util $util, + protected IConfig $config, + protected QuestionHelper $questionHelper, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('encryption:disable-master-key') ->setDescription('Disable the master key and use per-user keys instead. Only available for fresh installations with no existing encrypted data! There is no way to enable it again.'); } - protected function execute(InputInterface $input, OutputInterface $output) { - + protected function execute(InputInterface $input, OutputInterface $output): int { $isMasterKeyEnabled = $this->util->isMasterKeyEnabled(); - if(!$isMasterKeyEnabled) { + if (!$isMasterKeyEnabled) { $output->writeln('Master key already disabled'); - } else { - $question = new ConfirmationQuestion( - 'Warning: Only perform this operation for a fresh installations with no existing encrypted data! ' - . 'There is no way to enable the master key again. ' - . 'We strongly recommend to keep the master key, it provides significant performance improvements ' - . 'and is easier to handle for both, users and administrators. ' - . 'Do you really want to switch to per-user keys? (y/n) ', false); - if ($this->questionHelper->ask($input, $output, $question)) { - $this->config->setAppValue('encryption', 'useMasterKey', '0'); - $output->writeln('Master key successfully disabled.'); - } else { - $output->writeln('aborted.'); - } + return self::SUCCESS; } - } + $question = new ConfirmationQuestion( + 'Warning: Only perform this operation for a fresh installations with no existing encrypted data! ' + . 'There is no way to enable the master key again. ' + . 'We strongly recommend to keep the master key, it provides significant performance improvements ' + . 'and is easier to handle for both, users and administrators. ' + . 'Do you really want to switch to per-user keys? (y/n) ', false); + + if ($this->questionHelper->ask($input, $output, $question)) { + $this->config->setAppValue('encryption', 'useMasterKey', '0'); + $output->writeln('Master key successfully disabled.'); + return self::SUCCESS; + } + $output->writeln('aborted.'); + return self::FAILURE; + } } diff --git a/apps/encryption/lib/Command/DropLegacyFileKey.php b/apps/encryption/lib/Command/DropLegacyFileKey.php new file mode 100644 index 00000000000..a9add1ad93b --- /dev/null +++ b/apps/encryption/lib/Command/DropLegacyFileKey.php @@ -0,0 +1,150 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Encryption\Command; + +use OC\Encryption\Exceptions\DecryptionFailedException; +use OC\Files\FileInfo; +use OC\Files\View; +use OCA\Encryption\KeyManager; +use OCP\Encryption\Exceptions\GenericEncryptionException; +use OCP\IUserManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; + +class DropLegacyFileKey extends Command { + private View $rootView; + + public function __construct( + private IUserManager $userManager, + private KeyManager $keyManager, + ) { + parent::__construct(); + + $this->rootView = new View(); + } + + protected function configure(): void { + $this + ->setName('encryption:drop-legacy-filekey') + ->setDescription('Scan the files for the legacy filekey format using RC4 and get rid of it (if master key is enabled)'); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $result = true; + + $output->writeln('<info>Scanning all files for legacy filekey</info>'); + + foreach ($this->userManager->getBackends() as $backend) { + $limit = 500; + $offset = 0; + do { + $users = $backend->getUsers('', $limit, $offset); + foreach ($users as $user) { + $output->writeln('Scanning all files for ' . $user); + $this->setupUserFS($user); + $result = $result && $this->scanFolder($output, '/' . $user); + } + $offset += $limit; + } while (count($users) >= $limit); + } + + if ($result) { + $output->writeln('All scanned files are properly encrypted.'); + return self::SUCCESS; + } + + return self::FAILURE; + } + + private function scanFolder(OutputInterface $output, string $folder): bool { + $clean = true; + + foreach ($this->rootView->getDirectoryContent($folder) as $item) { + $path = $folder . '/' . $item['name']; + if ($this->rootView->is_dir($path)) { + if ($this->scanFolder($output, $path) === false) { + $clean = false; + } + } else { + if (!$item->isEncrypted()) { + // ignore + continue; + } + + $stats = $this->rootView->stat($path); + if (!isset($stats['hasHeader']) || $stats['hasHeader'] === false) { + $clean = false; + $output->writeln('<error>' . $path . ' does not have a proper header</error>'); + } else { + try { + $legacyFileKey = $this->keyManager->getFileKey($path, null, true); + if ($legacyFileKey === '') { + $output->writeln('Got an empty legacy filekey for ' . $path . ', continuing', OutputInterface::VERBOSITY_VERBOSE); + continue; + } + } catch (GenericEncryptionException $e) { + $output->writeln('Got a decryption error for legacy filekey for ' . $path . ', continuing', OutputInterface::VERBOSITY_VERBOSE); + continue; + } + /* If that did not throw and filekey is not empty, a legacy filekey is used */ + $clean = false; + $output->writeln($path . ' is using a legacy filekey, migrating'); + $this->migrateSinglefile($path, $item, $output); + } + } + } + + return $clean; + } + + private function migrateSinglefile(string $path, FileInfo $fileInfo, OutputInterface $output): void { + $source = $path; + $target = $path . '.reencrypted.' . time(); + + try { + $this->rootView->copy($source, $target); + $copyResource = $this->rootView->fopen($target, 'r'); + $sourceResource = $this->rootView->fopen($source, 'w'); + if ($copyResource === false || $sourceResource === false) { + throw new DecryptionFailedException('Failed to open ' . $source . ' or ' . $target); + } + if (stream_copy_to_stream($copyResource, $sourceResource) === false) { + $output->writeln('<error>Failed to copy ' . $target . ' data into ' . $source . '</error>'); + $output->writeln('<error>Leaving both files in there to avoid data loss</error>'); + return; + } + $this->rootView->touch($source, $fileInfo->getMTime()); + $this->rootView->unlink($target); + $output->writeln('<info>Migrated ' . $source . '</info>', OutputInterface::VERBOSITY_VERBOSE); + } catch (DecryptionFailedException $e) { + if ($this->rootView->file_exists($target)) { + $this->rootView->unlink($target); + } + $output->writeln('<error>Failed to migrate ' . $path . '</error>'); + $output->writeln('<error>' . $e . '</error>', OutputInterface::VERBOSITY_VERBOSE); + } finally { + if (is_resource($copyResource)) { + fclose($copyResource); + } + if (is_resource($sourceResource)) { + fclose($sourceResource); + } + } + } + + /** + * setup user file system + */ + protected function setupUserFS(string $uid): void { + \OC_Util::tearDownFS(); + \OC_Util::setupFS($uid); + } +} diff --git a/apps/encryption/lib/Command/EnableMasterKey.php b/apps/encryption/lib/Command/EnableMasterKey.php index 6f0800c9340..0d8b893e0e2 100644 --- a/apps/encryption/lib/Command/EnableMasterKey.php +++ b/apps/encryption/lib/Command/EnableMasterKey.php @@ -1,29 +1,12 @@ <?php + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Björn Schießle <bjoern@schiessle.org> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ - - namespace OCA\Encryption\Command; - use OCA\Encryption\Util; use OCP\IConfig; use Symfony\Component\Console\Command\Command; @@ -33,55 +16,39 @@ use Symfony\Component\Console\Output\OutputInterface; use Symfony\Component\Console\Question\ConfirmationQuestion; class EnableMasterKey extends Command { - - /** @var Util */ - protected $util; - - /** @var IConfig */ - protected $config; - - /** @var QuestionHelper */ - protected $questionHelper; - - /** - * @param Util $util - * @param IConfig $config - * @param QuestionHelper $questionHelper - */ - public function __construct(Util $util, - IConfig $config, - QuestionHelper $questionHelper) { - - $this->util = $util; - $this->config = $config; - $this->questionHelper = $questionHelper; + public function __construct( + protected Util $util, + protected IConfig $config, + protected QuestionHelper $questionHelper, + ) { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('encryption:enable-master-key') ->setDescription('Enable the master key. Only available for fresh installations with no existing encrypted data! There is also no way to disable it again.'); } - protected function execute(InputInterface $input, OutputInterface $output) { - + protected function execute(InputInterface $input, OutputInterface $output): int { $isAlreadyEnabled = $this->util->isMasterKeyEnabled(); - if($isAlreadyEnabled) { + if ($isAlreadyEnabled) { $output->writeln('Master key already enabled'); - } else { - $question = new ConfirmationQuestion( - 'Warning: Only available for fresh installations with no existing encrypted data! ' + return self::SUCCESS; + } + + $question = new ConfirmationQuestion( + 'Warning: Only available for fresh installations with no existing encrypted data! ' . 'There is also no way to disable it again. Do you want to continue? (y/n) ', false); - if ($this->questionHelper->ask($input, $output, $question)) { - $this->config->setAppValue('encryption', 'useMasterKey', '1'); - $output->writeln('Master key successfully enabled.'); - } else { - $output->writeln('aborted.'); - } + + if ($this->questionHelper->ask($input, $output, $question)) { + $this->config->setAppValue('encryption', 'useMasterKey', '1'); + $output->writeln('Master key successfully enabled.'); + return self::SUCCESS; } + $output->writeln('aborted.'); + return self::FAILURE; } - } diff --git a/apps/encryption/lib/Command/FixEncryptedVersion.php b/apps/encryption/lib/Command/FixEncryptedVersion.php new file mode 100644 index 00000000000..462e3a5cc2a --- /dev/null +++ b/apps/encryption/lib/Command/FixEncryptedVersion.php @@ -0,0 +1,316 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2021-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2019 ownCloud GmbH + * SPDX-License-Identifier: AGPL-3.0-only + */ + +namespace OCA\Encryption\Command; + +use OC\Files\Storage\Wrapper\Encryption; +use OC\Files\View; +use OC\ServerNotAvailableException; +use OCA\Encryption\Util; +use OCP\Encryption\Exceptions\InvalidHeaderException; +use OCP\Files\IRootFolder; +use OCP\HintException; +use OCP\IConfig; +use OCP\IUser; +use OCP\IUserManager; +use Psr\Log\LoggerInterface; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; + +class FixEncryptedVersion extends Command { + private bool $supportLegacy = false; + + public function __construct( + private IConfig $config, + private LoggerInterface $logger, + private IRootFolder $rootFolder, + private IUserManager $userManager, + private Util $util, + private View $view, + ) { + parent::__construct(); + } + + protected function configure(): void { + parent::configure(); + + $this + ->setName('encryption:fix-encrypted-version') + ->setDescription('Fix the encrypted version if the encrypted file(s) are not downloadable.') + ->addArgument( + 'user', + InputArgument::OPTIONAL, + 'The id of the user whose files need fixing' + )->addOption( + 'path', + 'p', + InputOption::VALUE_REQUIRED, + 'Limit files to fix with path, e.g., --path="/Music/Artist". If path indicates a directory, all the files inside directory will be fixed.' + )->addOption( + 'all', + null, + InputOption::VALUE_NONE, + 'Run the fix for all users on the system, mutually exclusive with specifying a user id.' + ); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $skipSignatureCheck = $this->config->getSystemValueBool('encryption_skip_signature_check', false); + $this->supportLegacy = $this->config->getSystemValueBool('encryption.legacy_format_support', false); + + if ($skipSignatureCheck) { + $output->writeln("<error>Repairing is not possible when \"encryption_skip_signature_check\" is set. Please disable this flag in the configuration.</error>\n"); + return self::FAILURE; + } + + if (!$this->util->isMasterKeyEnabled()) { + $output->writeln("<error>Repairing only works with master key encryption.</error>\n"); + return self::FAILURE; + } + + $user = $input->getArgument('user'); + $all = $input->getOption('all'); + $pathOption = \trim(($input->getOption('path') ?? ''), '/'); + + if (!$user && !$all) { + $output->writeln('Either a user id or --all needs to be provided'); + return self::FAILURE; + } + + if ($user) { + if ($all) { + $output->writeln('Specifying a user id and --all are mutually exclusive'); + return self::FAILURE; + } + + if ($this->userManager->get($user) === null) { + $output->writeln("<error>User id $user does not exist. Please provide a valid user id</error>"); + return self::FAILURE; + } + + return $this->runForUser($user, $pathOption, $output); + } + + $result = 0; + $this->userManager->callForSeenUsers(function (IUser $user) use ($pathOption, $output, &$result) { + $output->writeln('Processing files for ' . $user->getUID()); + $result = $this->runForUser($user->getUID(), $pathOption, $output); + return $result === 0; + }); + return $result; + } + + private function runForUser(string $user, string $pathOption, OutputInterface $output): int { + $pathToWalk = "/$user/files"; + if ($pathOption !== '') { + $pathToWalk = "$pathToWalk/$pathOption"; + } + return $this->walkPathOfUser($user, $pathToWalk, $output); + } + + /** + * @return int 0 for success, 1 for error + */ + private function walkPathOfUser(string $user, string $path, OutputInterface $output): int { + $this->setupUserFs($user); + if (!$this->view->file_exists($path)) { + $output->writeln("<error>Path \"$path\" does not exist. Please provide a valid path.</error>"); + return self::FAILURE; + } + + if ($this->view->is_file($path)) { + $output->writeln("Verifying the content of file \"$path\""); + $this->verifyFileContent($path, $output); + return self::SUCCESS; + } + $directories = []; + $directories[] = $path; + while ($root = \array_pop($directories)) { + $directoryContent = $this->view->getDirectoryContent($root); + foreach ($directoryContent as $file) { + $path = $root . '/' . $file['name']; + if ($this->view->is_dir($path)) { + $directories[] = $path; + } else { + $output->writeln("Verifying the content of file \"$path\""); + $this->verifyFileContent($path, $output); + } + } + } + return self::SUCCESS; + } + + /** + * @param bool $ignoreCorrectEncVersionCall, setting this variable to false avoids recursion + */ + private function verifyFileContent(string $path, OutputInterface $output, bool $ignoreCorrectEncVersionCall = true): bool { + try { + // since we're manually poking around the encrypted state we need to ensure that this isn't cached in the encryption wrapper + $mount = $this->view->getMount($path); + $storage = $mount->getStorage(); + if ($storage && $storage->instanceOfStorage(Encryption::class)) { + $storage->clearIsEncryptedCache(); + } + + /** + * In encryption, the files are read in a block size of 8192 bytes + * Read block size of 8192 and a bit more (808 bytes) + * If there is any problem, the first block should throw the signature + * mismatch error. Which as of now, is enough to proceed ahead to + * correct the encrypted version. + */ + $handle = $this->view->fopen($path, 'rb'); + + if ($handle === false) { + $output->writeln("<warning>Failed to open file: \"$path\" skipping</warning>"); + return true; + } + + if (\fread($handle, 9001) !== false) { + $fileInfo = $this->view->getFileInfo($path); + if (!$fileInfo) { + $output->writeln("<warning>File info not found for file: \"$path\"</warning>"); + return true; + } + $encryptedVersion = $fileInfo->getEncryptedVersion(); + $stat = $this->view->stat($path); + if (($encryptedVersion == 0) && isset($stat['hasHeader']) && ($stat['hasHeader'] == true)) { + // The file has encrypted to false but has an encryption header + if ($ignoreCorrectEncVersionCall === true) { + // Lets rectify the file by correcting encrypted version + $output->writeln("<info>Attempting to fix the path: \"$path\"</info>"); + return $this->correctEncryptedVersion($path, $output); + } + return false; + } + $output->writeln("<info>The file \"$path\" is: OK</info>"); + } + + \fclose($handle); + + return true; + } catch (ServerNotAvailableException|InvalidHeaderException $e) { + // not a "bad signature" error and likely "legacy cipher" exception + // this could mean that the file is maybe not encrypted but the encrypted version is set + if (!$this->supportLegacy && $ignoreCorrectEncVersionCall === true) { + $output->writeln("<info>Attempting to fix the path: \"$path\"</info>"); + return $this->correctEncryptedVersion($path, $output, true); + } + return false; + } catch (HintException $e) { + $this->logger->warning('Issue: ' . $e->getMessage()); + // If allowOnce is set to false, this becomes recursive. + if ($ignoreCorrectEncVersionCall === true) { + // Lets rectify the file by correcting encrypted version + $output->writeln("<info>Attempting to fix the path: \"$path\"</info>"); + return $this->correctEncryptedVersion($path, $output); + } + return false; + } + } + + /** + * @param bool $includeZero whether to try zero version for unencrypted file + */ + private function correctEncryptedVersion(string $path, OutputInterface $output, bool $includeZero = false): bool { + $fileInfo = $this->view->getFileInfo($path); + if (!$fileInfo) { + $output->writeln("<warning>File info not found for file: \"$path\"</warning>"); + return true; + } + $fileId = $fileInfo->getId(); + if ($fileId === null) { + $output->writeln("<warning>File info contains no id for file: \"$path\"</warning>"); + return true; + } + $encryptedVersion = $fileInfo->getEncryptedVersion(); + $wrongEncryptedVersion = $encryptedVersion; + + $storage = $fileInfo->getStorage(); + + $cache = $storage->getCache(); + $fileCache = $cache->get($fileId); + if (!$fileCache) { + $output->writeln("<warning>File cache entry not found for file: \"$path\"</warning>"); + return true; + } + + if ($storage->instanceOfStorage('OCA\Files_Sharing\ISharedStorage')) { + $output->writeln("<info>The file: \"$path\" is a share. Please also run the script for the owner of the share</info>"); + return true; + } + + // Save original encrypted version so we can restore it if decryption fails with all version + $originalEncryptedVersion = $encryptedVersion; + if ($encryptedVersion >= 0) { + if ($includeZero) { + // try with zero first + $cacheInfo = ['encryptedVersion' => 0, 'encrypted' => 0]; + $cache->put($fileCache->getPath(), $cacheInfo); + $output->writeln('<info>Set the encrypted version to 0 (unencrypted)</info>'); + if ($this->verifyFileContent($path, $output, false) === true) { + $output->writeln("<info>Fixed the file: \"$path\" with version 0 (unencrypted)</info>"); + return true; + } + } + + // Test by decrementing the value till 1 and if nothing works try incrementing + $encryptedVersion--; + while ($encryptedVersion > 0) { + $cacheInfo = ['encryptedVersion' => $encryptedVersion, 'encrypted' => $encryptedVersion]; + $cache->put($fileCache->getPath(), $cacheInfo); + $output->writeln("<info>Decrement the encrypted version to $encryptedVersion</info>"); + if ($this->verifyFileContent($path, $output, false) === true) { + $output->writeln("<info>Fixed the file: \"$path\" with version " . $encryptedVersion . '</info>'); + return true; + } + $encryptedVersion--; + } + + // So decrementing did not work. Now lets increment. Max increment is till 5 + $increment = 1; + while ($increment <= 5) { + /** + * The wrongEncryptedVersion would not be incremented so nothing to worry about here. + * Only the newEncryptedVersion is incremented. + * For example if the wrong encrypted version is 4 then + * cycle1 -> newEncryptedVersion = 5 ( 4 + 1) + * cycle2 -> newEncryptedVersion = 6 ( 4 + 2) + * cycle3 -> newEncryptedVersion = 7 ( 4 + 3) + */ + $newEncryptedVersion = $wrongEncryptedVersion + $increment; + + $cacheInfo = ['encryptedVersion' => $newEncryptedVersion, 'encrypted' => $newEncryptedVersion]; + $cache->put($fileCache->getPath(), $cacheInfo); + $output->writeln("<info>Increment the encrypted version to $newEncryptedVersion</info>"); + if ($this->verifyFileContent($path, $output, false) === true) { + $output->writeln("<info>Fixed the file: \"$path\" with version " . $newEncryptedVersion . '</info>'); + return true; + } + $increment++; + } + } + + $cacheInfo = ['encryptedVersion' => $originalEncryptedVersion, 'encrypted' => $originalEncryptedVersion]; + $cache->put($fileCache->getPath(), $cacheInfo); + $output->writeln("<info>No fix found for \"$path\", restored version to original: $originalEncryptedVersion</info>"); + + return false; + } + + /** + * Setup user file system + */ + private function setupUserFs(string $uid): void { + \OC_Util::tearDownFS(); + \OC_Util::setupFS($uid); + } +} diff --git a/apps/encryption/lib/Command/FixKeyLocation.php b/apps/encryption/lib/Command/FixKeyLocation.php new file mode 100644 index 00000000000..da529a4be2f --- /dev/null +++ b/apps/encryption/lib/Command/FixKeyLocation.php @@ -0,0 +1,400 @@ +<?php + +declare(strict_types=1); +/** + * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ + +namespace OCA\Encryption\Command; + +use OC\Encryption\Manager; +use OC\Encryption\Util; +use OC\Files\Storage\Wrapper\Encryption; +use OC\Files\View; +use OCP\Encryption\IManager; +use OCP\Files\Config\ICachedMountInfo; +use OCP\Files\Config\IUserMountCache; +use OCP\Files\File; +use OCP\Files\Folder; +use OCP\Files\IRootFolder; +use OCP\Files\Node; +use OCP\IUser; +use OCP\IUserManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; + +class FixKeyLocation extends Command { + private string $keyRootDirectory; + private View $rootView; + private Manager $encryptionManager; + + public function __construct( + private IUserManager $userManager, + private IUserMountCache $userMountCache, + private Util $encryptionUtil, + private IRootFolder $rootFolder, + IManager $encryptionManager, + ) { + $this->keyRootDirectory = rtrim($this->encryptionUtil->getKeyStorageRoot(), '/'); + $this->rootView = new View(); + if (!$encryptionManager instanceof Manager) { + throw new \Exception('Wrong encryption manager'); + } + $this->encryptionManager = $encryptionManager; + + parent::__construct(); + } + + + protected function configure(): void { + parent::configure(); + + $this + ->setName('encryption:fix-key-location') + ->setDescription('Fix the location of encryption keys for external storage') + ->addOption('dry-run', null, InputOption::VALUE_NONE, "Only list files that require key migration, don't try to perform any migration") + ->addArgument('user', InputArgument::REQUIRED, 'User id to fix the key locations for'); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $dryRun = $input->getOption('dry-run'); + $userId = $input->getArgument('user'); + $user = $this->userManager->get($userId); + if (!$user) { + $output->writeln("<error>User $userId not found</error>"); + return self::FAILURE; + } + + \OC_Util::setupFS($user->getUID()); + + $mounts = $this->getSystemMountsForUser($user); + foreach ($mounts as $mount) { + $mountRootFolder = $this->rootFolder->get($mount->getMountPoint()); + if (!$mountRootFolder instanceof Folder) { + $output->writeln('<error>System wide mount point is not a directory, skipping: ' . $mount->getMountPoint() . '</error>'); + continue; + } + + $files = $this->getAllEncryptedFiles($mountRootFolder); + foreach ($files as $file) { + /** @var File $file */ + $hasSystemKey = $this->hasSystemKey($file); + $hasUserKey = $this->hasUserKey($user, $file); + if (!$hasSystemKey) { + if ($hasUserKey) { + // key was stored incorrectly as user key, migrate + + if ($dryRun) { + $output->writeln('<info>' . $file->getPath() . '</info> needs migration'); + } else { + $output->write('Migrating key for <info>' . $file->getPath() . '</info> '); + if ($this->copyUserKeyToSystemAndValidate($user, $file)) { + $output->writeln('<info>✓</info>'); + } else { + $output->writeln('<fg=red>❌</>'); + $output->writeln(' Failed to validate key for <error>' . $file->getPath() . '</error>, key will not be migrated'); + } + } + } else { + // no matching key, probably from a broken cross-storage move + + $shouldBeEncrypted = $file->getStorage()->instanceOfStorage(Encryption::class); + $isActuallyEncrypted = $this->isDataEncrypted($file); + if ($isActuallyEncrypted) { + if ($dryRun) { + if ($shouldBeEncrypted) { + $output->write('<info>' . $file->getPath() . '</info> needs migration'); + } else { + $output->write('<info>' . $file->getPath() . '</info> needs decryption'); + } + $foundKey = $this->findUserKeyForSystemFile($user, $file); + if ($foundKey) { + $output->writeln(', valid key found at <info>' . $foundKey . '</info>'); + } else { + $output->writeln(' <error>❌ No key found</error>'); + } + } else { + if ($shouldBeEncrypted) { + $output->write('<info>Migrating key for ' . $file->getPath() . '</info>'); + } else { + $output->write('<info>Decrypting ' . $file->getPath() . '</info>'); + } + $foundKey = $this->findUserKeyForSystemFile($user, $file); + if ($foundKey) { + if ($shouldBeEncrypted) { + $systemKeyPath = $this->getSystemKeyPath($file); + $this->rootView->copy($foundKey, $systemKeyPath); + $output->writeln(' Migrated key from <info>' . $foundKey . '</info>'); + } else { + $this->decryptWithSystemKey($file, $foundKey); + $output->writeln(' Decrypted with key from <info>' . $foundKey . '</info>'); + } + } else { + $output->writeln(' <error>❌ No key found</error>'); + } + } + } else { + if ($dryRun) { + $output->writeln('<info>' . $file->getPath() . ' needs to be marked as not encrypted</info>'); + } else { + $this->markAsUnEncrypted($file); + $output->writeln('<info>' . $file->getPath() . ' marked as not encrypted</info>'); + } + } + } + } + } + } + + return self::SUCCESS; + } + + private function getUserRelativePath(string $path): string { + $parts = explode('/', $path, 3); + if (count($parts) >= 3) { + return '/' . $parts[2]; + } else { + return ''; + } + } + + /** + * @return ICachedMountInfo[] + */ + private function getSystemMountsForUser(IUser $user): array { + return array_filter($this->userMountCache->getMountsForUser($user), function (ICachedMountInfo $mount) use ( + $user + ) { + $mountPoint = substr($mount->getMountPoint(), strlen($user->getUID() . '/')); + return $this->encryptionUtil->isSystemWideMountPoint($mountPoint, $user->getUID()); + }); + } + + /** + * Get all files in a folder which are marked as encrypted + * + * @return \Generator<File> + */ + private function getAllEncryptedFiles(Folder $folder) { + foreach ($folder->getDirectoryListing() as $child) { + if ($child instanceof Folder) { + yield from $this->getAllEncryptedFiles($child); + } else { + if (substr($child->getName(), -4) !== '.bak' && $child->isEncrypted()) { + yield $child; + } + } + } + } + + private function getSystemKeyPath(Node $node): string { + $path = $this->getUserRelativePath($node->getPath()); + return $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; + } + + private function getUserBaseKeyPath(IUser $user): string { + return $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys'; + } + + private function getUserKeyPath(IUser $user, Node $node): string { + $path = $this->getUserRelativePath($node->getPath()); + return $this->getUserBaseKeyPath($user) . '/' . $path . '/'; + } + + private function hasSystemKey(Node $node): bool { + // this uses View instead of the RootFolder because the keys might not be in the cache + return $this->rootView->file_exists($this->getSystemKeyPath($node)); + } + + private function hasUserKey(IUser $user, Node $node): bool { + // this uses View instead of the RootFolder because the keys might not be in the cache + return $this->rootView->file_exists($this->getUserKeyPath($user, $node)); + } + + /** + * Check that the user key stored for a file can decrypt the file + */ + private function copyUserKeyToSystemAndValidate(IUser $user, File $node): bool { + $path = trim(substr($node->getPath(), strlen($user->getUID()) + 1), '/'); + $systemKeyPath = $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; + $userKeyPath = $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys/' . $path . '/'; + + $this->rootView->copy($userKeyPath, $systemKeyPath); + if ($this->tryReadFile($node)) { + // cleanup wrong key location + $this->rootView->rmdir($userKeyPath); + return true; + } else { + // remove the copied key if we know it's invalid + $this->rootView->rmdir($systemKeyPath); + return false; + } + } + + private function tryReadFile(File $node): bool { + try { + $fh = $node->fopen('r'); + // read a single chunk + $data = fread($fh, 8192); + if ($data === false) { + return false; + } else { + return true; + } + } catch (\Exception $e) { + return false; + } + } + + /** + * Get the contents of a file without decrypting it + * + * @return resource + */ + private function openWithoutDecryption(File $node, string $mode) { + $storage = $node->getStorage(); + $internalPath = $node->getInternalPath(); + if ($storage->instanceOfStorage(Encryption::class)) { + /** @var Encryption $storage */ + try { + $storage->setEnabled(false); + $handle = $storage->fopen($internalPath, 'r'); + $storage->setEnabled(true); + } catch (\Exception $e) { + $storage->setEnabled(true); + throw $e; + } + } else { + $handle = $storage->fopen($internalPath, $mode); + } + /** @var resource|false $handle */ + if ($handle === false) { + throw new \Exception('Failed to open ' . $node->getPath()); + } + return $handle; + } + + /** + * Check if the data stored for a file is encrypted, regardless of it's metadata + */ + private function isDataEncrypted(File $node): bool { + $handle = $this->openWithoutDecryption($node, 'r'); + $firstBlock = fread($handle, $this->encryptionUtil->getHeaderSize()); + fclose($handle); + + $header = $this->encryptionUtil->parseRawHeader($firstBlock); + return isset($header['oc_encryption_module']); + } + + /** + * Attempt to find a key (stored for user) for a file (that needs a system key) even when it's not stored in the expected location + */ + private function findUserKeyForSystemFile(IUser $user, File $node): ?string { + $userKeyPath = $this->getUserBaseKeyPath($user); + $possibleKeys = $this->findKeysByFileName($userKeyPath, $node->getName()); + foreach ($possibleKeys as $possibleKey) { + if ($this->testSystemKey($user, $possibleKey, $node)) { + return $possibleKey; + } + } + return null; + } + + /** + * Attempt to find a key for a file even when it's not stored in the expected location + * + * @return \Generator<string> + */ + private function findKeysByFileName(string $basePath, string $name) { + if ($this->rootView->is_dir($basePath . '/' . $name . '/OC_DEFAULT_MODULE')) { + yield $basePath . '/' . $name; + } else { + /** @var false|resource $dh */ + $dh = $this->rootView->opendir($basePath); + if (!$dh) { + throw new \Exception('Invalid base path ' . $basePath); + } + while ($child = readdir($dh)) { + if ($child != '..' && $child != '.') { + $childPath = $basePath . '/' . $child; + + // recurse if the child is not a key folder + if ($this->rootView->is_dir($childPath) && !is_dir($childPath . '/OC_DEFAULT_MODULE')) { + yield from $this->findKeysByFileName($childPath, $name); + } + } + } + } + } + + /** + * Test if the provided key is valid as a system key for the file + */ + private function testSystemKey(IUser $user, string $key, File $node): bool { + $systemKeyPath = $this->getSystemKeyPath($node); + + if ($this->rootView->file_exists($systemKeyPath)) { + // already has a key, reject new key + return false; + } + + $this->rootView->copy($key, $systemKeyPath); + $isValid = $this->tryReadFile($node); + $this->rootView->rmdir($systemKeyPath); + return $isValid; + } + + /** + * Decrypt a file with the specified system key and mark the key as not-encrypted + */ + private function decryptWithSystemKey(File $node, string $key): void { + $storage = $node->getStorage(); + $name = $node->getName(); + + $node->move($node->getPath() . '.bak'); + $systemKeyPath = $this->getSystemKeyPath($node); + $this->rootView->copy($key, $systemKeyPath); + + try { + if (!$storage->instanceOfStorage(Encryption::class)) { + $storage = $this->encryptionManager->forceWrapStorage($node->getMountPoint(), $storage); + } + /** @var false|resource $source */ + $source = $storage->fopen($node->getInternalPath(), 'r'); + if (!$source) { + throw new \Exception('Failed to open ' . $node->getPath() . ' with ' . $key); + } + $decryptedNode = $node->getParent()->newFile($name); + + $target = $this->openWithoutDecryption($decryptedNode, 'w'); + stream_copy_to_stream($source, $target); + fclose($target); + fclose($source); + + $decryptedNode->getStorage()->getScanner()->scan($decryptedNode->getInternalPath()); + } catch (\Exception $e) { + $this->rootView->rmdir($systemKeyPath); + + // remove the .bak + $node->move(substr($node->getPath(), 0, -4)); + + throw $e; + } + + if ($this->isDataEncrypted($decryptedNode)) { + throw new \Exception($node->getPath() . ' still encrypted after attempting to decrypt with ' . $key); + } + + $this->markAsUnEncrypted($decryptedNode); + + $this->rootView->rmdir($systemKeyPath); + } + + private function markAsUnEncrypted(Node $node): void { + $node->getStorage()->getCache()->update($node->getId(), ['encrypted' => 0]); + } +} diff --git a/apps/encryption/lib/Command/MigrateKeys.php b/apps/encryption/lib/Command/MigrateKeys.php deleted file mode 100644 index 18eb6e710a6..00000000000 --- a/apps/encryption/lib/Command/MigrateKeys.php +++ /dev/null @@ -1,127 +0,0 @@ -<?php -/** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Björn Schießle <bjoern@schiessle.org> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OCA\Encryption\Command; - -use OC\Files\View; -use OCA\Encryption\Migration; -use OCP\IConfig; -use OCP\IDBConnection; -use OCP\ILogger; -use OCP\IUserBackend; -use OCP\IUserManager; -use Symfony\Component\Console\Command\Command; -use Symfony\Component\Console\Input\InputArgument; -use Symfony\Component\Console\Input\InputInterface; -use Symfony\Component\Console\Output\OutputInterface; - -class MigrateKeys extends Command { - - /** @var IUserManager */ - private $userManager; - /** @var View */ - private $view; - /** @var IDBConnection */ - private $connection; - /** @var IConfig */ - private $config; - /** @var ILogger */ - private $logger; - - /** - * @param IUserManager $userManager - * @param View $view - * @param IDBConnection $connection - * @param IConfig $config - * @param ILogger $logger - */ - public function __construct(IUserManager $userManager, - View $view, - IDBConnection $connection, - IConfig $config, - ILogger $logger) { - - $this->userManager = $userManager; - $this->view = $view; - $this->connection = $connection; - $this->config = $config; - $this->logger = $logger; - parent::__construct(); - } - - protected function configure() { - $this - ->setName('encryption:migrate') - ->setDescription('initial migration to encryption 2.0') - ->addArgument( - 'user_id', - InputArgument::OPTIONAL | InputArgument::IS_ARRAY, - 'will migrate keys of the given user(s)' - ); - } - - protected function execute(InputInterface $input, OutputInterface $output) { - - // perform system reorganization - $migration = new Migration($this->config, $this->view, $this->connection, $this->logger); - - $users = $input->getArgument('user_id'); - if (!empty($users)) { - foreach ($users as $user) { - if ($this->userManager->userExists($user)) { - $output->writeln("Migrating keys <info>$user</info>"); - $migration->reorganizeFolderStructureForUser($user); - } else { - $output->writeln("<error>Unknown user $user</error>"); - } - } - } else { - $output->writeln("Reorganize system folder structure"); - $migration->reorganizeSystemFolderStructure(); - $migration->updateDB(); - foreach($this->userManager->getBackends() as $backend) { - $name = get_class($backend); - - if ($backend instanceof IUserBackend) { - $name = $backend->getBackendName(); - } - - $output->writeln("Migrating keys for users on backend <info>$name</info>"); - - $limit = 500; - $offset = 0; - do { - $users = $backend->getUsers('', $limit, $offset); - foreach ($users as $user) { - $output->writeln(" <info>$user</info>"); - $migration->reorganizeFolderStructureForUser($user); - } - $offset += $limit; - } while(count($users) >= $limit); - } - } - - $migration->finalCleanUp(); - - } -} diff --git a/apps/encryption/lib/Command/RecoverUser.php b/apps/encryption/lib/Command/RecoverUser.php new file mode 100644 index 00000000000..8da962ac8b1 --- /dev/null +++ b/apps/encryption/lib/Command/RecoverUser.php @@ -0,0 +1,77 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\Encryption\Command; + +use OCA\Encryption\Util; +use OCP\IConfig; +use OCP\IUserManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; +use Symfony\Component\Console\Question\Question; + +class RecoverUser extends Command { + public function __construct( + protected Util $util, + IConfig $config, + protected IUserManager $userManager, + protected QuestionHelper $questionHelper, + ) { + parent::__construct(); + } + + protected function configure(): void { + $this + ->setName('encryption:recover-user') + ->setDescription('Recover user data in case of password lost. This only works if the user enabled the recovery key.'); + + $this->addArgument( + 'user', + InputArgument::REQUIRED, + 'user which should be recovered' + ); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $isMasterKeyEnabled = $this->util->isMasterKeyEnabled(); + + if ($isMasterKeyEnabled) { + $output->writeln('You use the master key, no individual user recovery needed.'); + return self::SUCCESS; + } + + $uid = $input->getArgument('user'); + $userExists = $this->userManager->userExists($uid); + if ($userExists === false) { + $output->writeln('User "' . $uid . '" unknown.'); + return self::FAILURE; + } + + $recoveryKeyEnabled = $this->util->isRecoveryEnabledForUser($uid); + if ($recoveryKeyEnabled === false) { + $output->writeln('Recovery key is not enabled for: ' . $uid); + return self::FAILURE; + } + + $question = new Question('Please enter the recovery key password: '); + $question->setHidden(true); + $question->setHiddenFallback(false); + $recoveryPassword = $this->questionHelper->ask($input, $output, $question); + + $question = new Question('Please enter the new login password for the user: '); + $question->setHidden(true); + $question->setHiddenFallback(false); + $newLoginPassword = $this->questionHelper->ask($input, $output, $question); + + $output->write('Start to recover users files... This can take some time...'); + $this->userManager->get($uid)->setPassword($newLoginPassword, $recoveryPassword); + $output->writeln('Done.'); + return self::SUCCESS; + } +} diff --git a/apps/encryption/lib/Command/ScanLegacyFormat.php b/apps/encryption/lib/Command/ScanLegacyFormat.php new file mode 100644 index 00000000000..1e46a3d7545 --- /dev/null +++ b/apps/encryption/lib/Command/ScanLegacyFormat.php @@ -0,0 +1,100 @@ +<?php + +declare(strict_types=1); + +/** + * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors + * SPDX-License-Identifier: AGPL-3.0-or-later + */ +namespace OCA\Encryption\Command; + +use OC\Files\View; +use OCA\Encryption\Util; +use OCP\IConfig; +use OCP\IUserManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Helper\QuestionHelper; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; + +class ScanLegacyFormat extends Command { + private View $rootView; + + public function __construct( + protected Util $util, + protected IConfig $config, + protected QuestionHelper $questionHelper, + private IUserManager $userManager, + ) { + parent::__construct(); + + $this->rootView = new View(); + } + + protected function configure(): void { + $this + ->setName('encryption:scan:legacy-format') + ->setDescription('Scan the files for the legacy format'); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $result = true; + + $output->writeln('Scanning all files for legacy encryption'); + + foreach ($this->userManager->getBackends() as $backend) { + $limit = 500; + $offset = 0; + do { + $users = $backend->getUsers('', $limit, $offset); + foreach ($users as $user) { + $output->writeln('Scanning all files for ' . $user); + $this->setupUserFS($user); + $result = $result && $this->scanFolder($output, '/' . $user); + } + $offset += $limit; + } while (count($users) >= $limit); + } + + if ($result) { + $output->writeln('All scanned files are properly encrypted. You can disable the legacy compatibility mode.'); + return self::SUCCESS; + } + + return self::FAILURE; + } + + private function scanFolder(OutputInterface $output, string $folder): bool { + $clean = true; + + foreach ($this->rootView->getDirectoryContent($folder) as $item) { + $path = $folder . '/' . $item['name']; + if ($this->rootView->is_dir($path)) { + if ($this->scanFolder($output, $path) === false) { + $clean = false; + } + } else { + if (!$item->isEncrypted()) { + // ignore + continue; + } + + $stats = $this->rootView->stat($path); + if (!isset($stats['hasHeader']) || $stats['hasHeader'] === false) { + $clean = false; + $output->writeln($path . ' does not have a proper header'); + } + } + } + + return $clean; + } + + /** + * setup user file system + */ + protected function setupUserFS(string $uid): void { + \OC_Util::tearDownFS(); + \OC_Util::setupFS($uid); + } +} |