Diffstat (limited to 'apps/encryption/lib/Controller')
-rw-r--r-- | apps/encryption/lib/Controller/RecoveryController.php | 158 | ||||
-rw-r--r-- | apps/encryption/lib/Controller/SettingsController.php | 118 | ||||
-rw-r--r-- | apps/encryption/lib/Controller/StatusController.php | 76 |
3 files changed, 352 insertions, 0 deletions
diff --git a/apps/encryption/lib/Controller/RecoveryController.php b/apps/encryption/lib/Controller/RecoveryController.php
new file mode 100644
index 00000000000..d75406e6319
--- /dev/null
+++ b/apps/encryption/lib/Controller/RecoveryController.php
@@ -0,0 +1,158 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+namespace OCA\Encryption\Controller;
+
+use OCA\Encryption\Recovery;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
+use OCP\AppFramework\Http\DataResponse;
+use OCP\IConfig;
+use OCP\IL10N;
+use OCP\IRequest;
+
+class RecoveryController extends Controller {
+ /**
+ * @param string $AppName
+ * @param IRequest $request
+ * @param IConfig $config
+ * @param IL10N $l
+ * @param Recovery $recovery
+ */
+ public function __construct(
+ $AppName,
+ IRequest $request,
+ private IConfig $config,
+ private IL10N $l,
+ private Recovery $recovery,
+ ) {
+ parent::__construct($AppName, $request);
+ }
+
+ /**
+ * @param string $recoveryPassword
+ * @param string $confirmPassword
+ * @param string $adminEnableRecovery
+ * @return DataResponse
+ */
+ public function adminRecovery($recoveryPassword, $confirmPassword, $adminEnableRecovery) {
+ // Check if both passwords are the same
+ if (empty($recoveryPassword)) {
+ $errorMessage = $this->l->t('Missing recovery key password');
+ return new DataResponse(['data' => ['message' => $errorMessage]],
+ Http::STATUS_BAD_REQUEST);
+ }
+
+ if (empty($confirmPassword)) {
+ $errorMessage = $this->l->t('Please repeat the recovery key password');
+ return new DataResponse(['data' => ['message' => $errorMessage]],
+ Http::STATUS_BAD_REQUEST);
+ }
+
+ if ($recoveryPassword !== $confirmPassword) {
+ $errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password');
+ return new DataResponse(['data' => ['message' => $errorMessage]],
+ Http::STATUS_BAD_REQUEST);
+ }
+
+ if (isset($adminEnableRecovery) && $adminEnableRecovery === '1') {
+ if ($this->recovery->enableAdminRecovery($recoveryPassword)) {
+ return new DataResponse(['data' => ['message' => $this->l->t('Recovery key successfully enabled')]]);
+ }
+ return new DataResponse(['data' => ['message' => $this->l->t('Could not enable recovery key. Please check your recovery key password!')]], Http::STATUS_BAD_REQUEST);
+ } elseif (isset($adminEnableRecovery) && $adminEnableRecovery === '0') {
+ if ($this->recovery->disableAdminRecovery($recoveryPassword)) {
+ return new DataResponse(['data' => ['message' => $this->l->t('Recovery key successfully disabled')]]);
+ }
+ return new DataResponse(['data' => ['message' => $this->l->t('Could not disable recovery key. Please check your recovery key password!')]], Http::STATUS_BAD_REQUEST);
+ }
+ // this response should never be sent but just in case.
+ return new DataResponse(['data' => ['message' => $this->l->t('Missing parameters')]], Http::STATUS_BAD_REQUEST);
+ }
+
+ /**
+ * @param string $newPassword
+ * @param string $oldPassword
+ * @param string $confirmPassword
+ * @return DataResponse
+ */
+ public function changeRecoveryPassword($newPassword, $oldPassword, $confirmPassword) {
+ //check if both passwords are the same
+ if (empty($oldPassword)) {
+ $errorMessage = $this->l->t('Please provide the old recovery password');
+ return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);
+ }
+
+ if (empty($newPassword)) {
+ $errorMessage = $this->l->t('Please provide a new recovery password');
+ return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);
+ }
+
+ if (empty($confirmPassword)) {
+ $errorMessage = $this->l->t('Please repeat the new recovery password');
+ return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);
+ }
+
+ if ($newPassword !== $confirmPassword) {
+ $errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password');
+ return new DataResponse(['data' => ['message' => $errorMessage]], Http::STATUS_BAD_REQUEST);
+ }
+
+ $result = $this->recovery->changeRecoveryKeyPassword($newPassword,
+ $oldPassword);
+
+ if ($result) {
+ return new DataResponse(
+ [
+ 'data' => [
+ 'message' => $this->l->t('Password successfully changed.')]
+ ]
+ );
+ }
+ return new DataResponse(
+ [
+ 'data' => [
+ 'message' => $this->l->t('Could not change the password. Maybe the old password was not correct.')
+ ]
+ ], Http::STATUS_BAD_REQUEST);
+ }
+
+ /**
+ * @param string $userEnableRecovery
+ * @return DataResponse
+ */
+ #[NoAdminRequired]
+ public function userSetRecovery($userEnableRecovery) {
+ if ($userEnableRecovery === '0' || $userEnableRecovery === '1') {
+ $result = $this->recovery->setRecoveryForUser($userEnableRecovery);
+
+ if ($result) {
+ if ($userEnableRecovery === '0') {
+ return new DataResponse(
+ [
+ 'data' => [
+ 'message' => $this->l->t('Recovery Key disabled')]
+ ]
+ );
+ }
+ return new DataResponse(
+ [
+ 'data' => [
+ 'message' => $this->l->t('Recovery Key enabled')]
+ ]
+ );
+ }
+ }
+ return new DataResponse(
+ [
+ 'data' => [
+ 'message' => $this->l->t('Could not enable the recovery key, please try again or contact your administrator')
+ ]
+ ], Http::STATUS_BAD_REQUEST);
+ }
+}
diff --git a/apps/encryption/lib/Controller/SettingsController.php b/apps/encryption/lib/Controller/SettingsController.php
new file mode 100644
index 00000000000..8548ea51c04
--- /dev/null
+++ b/apps/encryption/lib/Controller/SettingsController.php
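Review bot: `adminRecovery()` and `changeRecoveryPassword()` enable, disable or re-key the server-wide recovery key, but nothing in this file makes the admin re-confirm their own login password first, so any request made inside an already-open admin session reaches `enableAdminRecovery()` directly. Consider adding `#[PasswordConfirmationRequired]` to both methods, with `use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;` next to the existing `NoAdminRequired` import; this assumes the admin settings page can show the confirmation dialog before it posts. Both methods also answer a wrong recovery password with a plain 400 and no visible throttling, which may deserve the same treatment as a failed login. The comment `// Check if both passwords are the same` sits above the emptiness checks and would read better directly above the `!==` comparison.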
@@ -0,0 +1,118 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+namespace OCA\Encryption\Controller;
+
+use OCA\Encryption\Crypto\Crypt;
+use OCA\Encryption\KeyManager;
+use OCA\Encryption\Session;
+use OCA\Encryption\Util;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
+use OCP\AppFramework\Http\Attribute\UseSession;
+use OCP\AppFramework\Http\DataResponse;
+use OCP\IL10N;
+use OCP\IRequest;
+use OCP\ISession;
+use OCP\IUserManager;
+use OCP\IUserSession;
+
+class SettingsController extends Controller {
+
+ /**
+ * @param string $AppName
+ * @param IRequest $request
+ * @param IL10N $l
+ * @param IUserManager $userManager
+ * @param IUserSession $userSession
+ * @param KeyManager $keyManager
+ * @param Crypt $crypt
+ * @param Session $session
+ * @param ISession $ocSession
+ * @param Util $util
+ */
+ public function __construct(
+ $AppName,
+ IRequest $request,
+ private IL10N $l,
+ private IUserManager $userManager,
+ private IUserSession $userSession,
+ private KeyManager $keyManager,
+ private Crypt $crypt,
+ private Session $session,
+ private ISession $ocSession,
+ private Util $util,
+ ) {
+ parent::__construct($AppName, $request);
+ }
+
+
+ /**
+ * @param string $oldPassword
+ * @param string $newPassword
+ * @return DataResponse
+ */
+ #[NoAdminRequired]
+ #[UseSession]
+ public function updatePrivateKeyPassword($oldPassword, $newPassword) {
+ $result = false;
+ $uid = $this->userSession->getUser()->getUID();
+ $errorMessage = $this->l->t('Could not update the private key password.');
+
+ //check if password is correct
+ $passwordCorrect = $this->userManager->checkPassword($uid, $newPassword);
+ if ($passwordCorrect === false) {
+ // if check with uid fails we need to check the password with the login name
+ // e.g. in the ldap case. For local user we need to check the password with
+ // the uid because in this case the login name is case insensitive
+ $loginName = $this->ocSession->get('loginname');
+ $passwordCorrect = $this->userManager->checkPassword($loginName, $newPassword);
+ }
+
+ if ($passwordCorrect !== false) {
+ $encryptedKey = $this->keyManager->getPrivateKey($uid);
+ $decryptedKey = $this->crypt->decryptPrivateKey($encryptedKey, $oldPassword, $uid);
+
+ if ($decryptedKey) {
+ $encryptedKey = $this->crypt->encryptPrivateKey($decryptedKey, $newPassword, $uid);
+ $header = $this->crypt->generateHeader();
+ if ($encryptedKey) {
+ $this->keyManager->setPrivateKey($uid, $header . $encryptedKey);
+ $this->session->setPrivateKey($decryptedKey);
+ $result = true;
+ }
+ } else {
+ $errorMessage = $this->l->t('The old password was not correct, please try again.');
+ }
+ } else {
+ $errorMessage = $this->l->t('The current log-in password was not correct, please try again.');
+ }
+
+ if ($result === true) {
+ $this->session->setStatus(Session::INIT_SUCCESSFUL);
+ return new DataResponse(
+ ['message' => $this->l->t('Private key password successfully updated.')]
+ );
+ } else {
+ return new DataResponse(
+ ['message' => $errorMessage],
+ Http::STATUS_BAD_REQUEST
+ );
+ }
+ }
+
+ /**
+ * @param bool $encryptHomeStorage
+ * @return DataResponse
+ */
+ #[UseSession]
+ public function setEncryptHomeStorage($encryptHomeStorage) {
+ $this->util->setEncryptHomeStorage($encryptHomeStorage);
+ return new DataResponse();
+ }
+}
diff --git a/apps/encryption/lib/Controller/StatusController.php b/apps/encryption/lib/Controller/StatusController.php
new file mode 100644
index 00000000000..341ad6bc49f
--- /dev/null
+++ b/apps/encryption/lib/Controller/StatusController.php
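Review bot: `updatePrivateKeyPassword()` checks two secrets, the login password through `checkPassword()` and the old key password through `decryptPrivateKey()`, and tells the caller which one was wrong, yet a failed attempt is not throttled anywhere in this method. Unless `IUserManager::checkPassword()` already registers failures (not visible here), anyone holding a valid session for the account can use the endpoint to test the login password without limit. Consider `#[BruteForceProtection(action: '<action-name>')]` on the method and a call to `$response->throttle();` on the failure response before it is returned. Separately, `$this->userSession->getUser()` is dereferenced without a null check; returning the 400 response when no user is present would avoid a fatal error.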
@@ -0,0 +1,76 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+namespace OCA\Encryption\Controller;
+
+use OCA\Encryption\Session;
+use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
+use OCP\AppFramework\Http\DataResponse;
+use OCP\Encryption\IManager;
+use OCP\IL10N;
+use OCP\IRequest;
+
+class StatusController extends Controller {
+
+ /**
+ * @param string $AppName
+ * @param IRequest $request
+ * @param IL10N $l
+ * @param Session $session
+ * @param IManager $encryptionManager
+ */
+ public function __construct(
+ $AppName,
+ IRequest $request,
+ private IL10N $l,
+ private Session $session,
+ private IManager $encryptionManager,
+ ) {
+ parent::__construct($AppName, $request);
+ }
+
+ /**
+ * @return DataResponse
+ */
+ #[NoAdminRequired]
+ public function getStatus() {
+ $status = 'error';
+ $message = 'no valid init status';
+ switch ($this->session->getStatus()) {
+ case Session::INIT_EXECUTED:
+ $status = 'interactionNeeded';
+ $message = $this->l->t(
+ 'Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files.'
+ );
+ break;
+ case Session::NOT_INITIALIZED:
+ $status = 'interactionNeeded';
+ if ($this->encryptionManager->isEnabled()) {
+ $message = $this->l->t(
+ 'Encryption App is enabled, but your keys are not initialized. Please log-out and log-in again.'
+ );
+ } else {
+ $message = $this->l->t(
+ 'Please enable server side encryption in the admin settings in order to use the encryption module.'
+ );
+ }
+ break;
+ case Session::INIT_SUCCESSFUL:
+ $status = 'success';
+ $message = $this->l->t('Encryption app is enabled and ready');
+ }
+
+ return new DataResponse(
+ [
+ 'status' => $status,
+ 'data' => [
+ 'message' => $message]
+ ]
+ );
+ }
+}
|
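Review bot: The fallback values in `getStatus()`, `'error'` and `'no valid init status'`, are assigned before the `switch`, and that message is the only one in the method that does not go through `$this->l->t()`, so a client gets an untranslated English string whenever the session status matches no case. An explicit `default:` branch assigning `$message = $this->l->t('no valid init status');` would make the fallback visible and consistent with the other branches; the final `case Session::INIT_SUCCESSFUL:` would then need its own `break;`. The docblock could also list the three `status` values the response can carry (`error`, `interactionNeeded`, `success`).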