diff options
Diffstat (limited to 'lib/private/Encryption/Keys/Storage.php')
| -rw-r--r-- | lib/private/Encryption/Keys/Storage.php | 448 |
1 files changed, 448 insertions, 0 deletions
diff --git a/lib/private/Encryption/Keys/Storage.php b/lib/private/Encryption/Keys/Storage.php new file mode 100644 index 00000000000..cce22b9138a --- /dev/null +++ b/lib/private/Encryption/Keys/Storage.php @@ -0,0 +1,448 @@ +<?php + +/** + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only + */ +namespace OC\Encryption\Keys; + +use OC\Encryption\Util; +use OC\Files\Filesystem; +use OC\Files\View; +use OC\ServerNotAvailableException; +use OC\User\NoUserException; +use OCP\Encryption\Keys\IStorage; +use OCP\IConfig; +use OCP\Security\ICrypto; + +class Storage implements IStorage { + // hidden file which indicate that the folder is a valid key storage + public const KEY_STORAGE_MARKER = '.oc_key_storage'; + + /** @var View */ + private $view; + + /** @var Util */ + private $util; + + // base dir where all the file related keys are stored + /** @var string */ + private $keys_base_dir; + + // root of the key storage default is empty which means that we use the data folder + /** @var string */ + private $root_dir; + + /** @var string */ + private $encryption_base_dir; + + /** @var string */ + private $backup_base_dir; + + /** @var array */ + private $keyCache = []; + + /** @var ICrypto */ + private $crypto; + + /** @var IConfig */ + private $config; + + /** + * @param View $view + * @param Util $util + */ + public function __construct(View $view, Util $util, ICrypto $crypto, IConfig $config) { + $this->view = $view; + $this->util = $util; + + $this->encryption_base_dir = '/files_encryption'; + $this->keys_base_dir = $this->encryption_base_dir . '/keys'; + $this->backup_base_dir = $this->encryption_base_dir . '/backup'; + $this->root_dir = $this->util->getKeyStorageRoot(); + $this->crypto = $crypto; + $this->config = $config; + } + + /** + * @inheritdoc + */ + public function getUserKey($uid, $keyId, $encryptionModuleId) { + $path = $this->constructUserKeyPath($encryptionModuleId, $keyId, $uid); + return base64_decode($this->getKeyWithUid($path, $uid)); + } + + /** + * @inheritdoc + */ + public function getFileKey($path, $keyId, $encryptionModuleId) { + $realFile = $this->util->stripPartialFileExtension($path); + $keyDir = $this->util->getFileKeyDir($encryptionModuleId, $realFile); + $key = $this->getKey($keyDir . $keyId)['key']; + + if ($key === '' && $realFile !== $path) { + // Check if the part file has keys and use them, if no normal keys + // exist. This is required to fix copyBetweenStorage() when we + // rename a .part file over storage borders. + $keyDir = $this->util->getFileKeyDir($encryptionModuleId, $path); + $key = $this->getKey($keyDir . $keyId)['key']; + } + + return base64_decode($key); + } + + /** + * @inheritdoc + */ + public function getSystemUserKey($keyId, $encryptionModuleId) { + $path = $this->constructUserKeyPath($encryptionModuleId, $keyId, null); + return base64_decode($this->getKeyWithUid($path, null)); + } + + /** + * @inheritdoc + */ + public function setUserKey($uid, $keyId, $key, $encryptionModuleId) { + $path = $this->constructUserKeyPath($encryptionModuleId, $keyId, $uid); + return $this->setKey($path, [ + 'key' => base64_encode($key), + 'uid' => $uid, + ]); + } + + /** + * @inheritdoc + */ + public function setFileKey($path, $keyId, $key, $encryptionModuleId) { + $keyDir = $this->util->getFileKeyDir($encryptionModuleId, $path); + return $this->setKey($keyDir . $keyId, [ + 'key' => base64_encode($key), + ]); + } + + /** + * @inheritdoc + */ + public function setSystemUserKey($keyId, $key, $encryptionModuleId) { + $path = $this->constructUserKeyPath($encryptionModuleId, $keyId, null); + return $this->setKey($path, [ + 'key' => base64_encode($key), + 'uid' => null, + ]); + } + + /** + * @inheritdoc + */ + public function deleteUserKey($uid, $keyId, $encryptionModuleId) { + try { + $path = $this->constructUserKeyPath($encryptionModuleId, $keyId, $uid); + return !$this->view->file_exists($path) || $this->view->unlink($path); + } catch (NoUserException $e) { + // this exception can come from initMountPoints() from setupUserMounts() + // for a deleted user. + // + // It means, that: + // - we are not running in alternative storage mode because we don't call + // initMountPoints() in that mode + // - the keys were in the user's home but since the user was deleted, the + // user's home is gone and so are the keys + // + // So there is nothing to do, just ignore. + } + } + + /** + * @inheritdoc + */ + public function deleteFileKey($path, $keyId, $encryptionModuleId) { + $keyDir = $this->util->getFileKeyDir($encryptionModuleId, $path); + return !$this->view->file_exists($keyDir . $keyId) || $this->view->unlink($keyDir . $keyId); + } + + /** + * @inheritdoc + */ + public function deleteAllFileKeys($path) { + $keyDir = $this->util->getFileKeyDir('', $path); + return !$this->view->file_exists($keyDir) || $this->view->deleteAll($keyDir); + } + + /** + * @inheritdoc + */ + public function deleteSystemUserKey($keyId, $encryptionModuleId) { + $path = $this->constructUserKeyPath($encryptionModuleId, $keyId, null); + return !$this->view->file_exists($path) || $this->view->unlink($path); + } + + /** + * construct path to users key + * + * @param string $encryptionModuleId + * @param string $keyId + * @param string $uid + * @return string + */ + protected function constructUserKeyPath($encryptionModuleId, $keyId, $uid) { + if ($uid === null) { + $path = $this->root_dir . '/' . $this->encryption_base_dir . '/' . $encryptionModuleId . '/' . $keyId; + } else { + $path = $this->root_dir . '/' . $uid . $this->encryption_base_dir . '/' + . $encryptionModuleId . '/' . $uid . '.' . $keyId; + } + + return \OC\Files\Filesystem::normalizePath($path); + } + + /** + * @param string $path + * @param string|null $uid + * @return string + * @throws ServerNotAvailableException + * + * Small helper function to fetch the key and verify the value for user and system keys + */ + private function getKeyWithUid(string $path, ?string $uid): string { + $data = $this->getKey($path); + + if (!isset($data['key'])) { + throw new ServerNotAvailableException('Key is invalid'); + } + + if ($data['key'] === '') { + return ''; + } + + if (!array_key_exists('uid', $data) || $data['uid'] !== $uid) { + // If the migration is done we error out + $versionFromBeforeUpdate = $this->config->getSystemValueString('version', '0.0.0.0'); + if (version_compare($versionFromBeforeUpdate, '20.0.0.1', '<=')) { + return $data['key']; + } + + if ($this->config->getSystemValueBool('encryption.key_storage_migrated', true)) { + throw new ServerNotAvailableException('Key has been modified'); + } else { + //Otherwise we migrate + $data['uid'] = $uid; + $this->setKey($path, $data); + } + } + + return $data['key']; + } + + /** + * read key from hard disk + * + * @param string $path to key + * @return array containing key as base64encoded key, and possible the uid + */ + private function getKey($path): array { + $key = [ + 'key' => '', + ]; + + if ($this->view->file_exists($path)) { + if (isset($this->keyCache[$path])) { + $key = $this->keyCache[$path]; + } else { + $data = $this->view->file_get_contents($path); + + // Version <20.0.0.1 doesn't have this + $versionFromBeforeUpdate = $this->config->getSystemValueString('version', '0.0.0.0'); + if (version_compare($versionFromBeforeUpdate, '20.0.0.1', '<=')) { + $key = [ + 'key' => base64_encode($data), + ]; + } else { + if ($this->config->getSystemValueBool('encryption.key_storage_migrated', true)) { + try { + $clearData = $this->crypto->decrypt($data); + } catch (\Exception $e) { + throw new ServerNotAvailableException('Could not decrypt key', 0, $e); + } + + $dataArray = json_decode($clearData, true); + if ($dataArray === null) { + throw new ServerNotAvailableException('Invalid encryption key'); + } + + $key = $dataArray; + } else { + /* + * Even if not all keys are migrated we should still try to decrypt it (in case some have moved). + * However it is only a failure now if it is an array and decryption fails + */ + $fallback = false; + try { + $clearData = $this->crypto->decrypt($data); + } catch (\Throwable $e) { + $fallback = true; + } + + if (!$fallback) { + $dataArray = json_decode($clearData, true); + if ($dataArray === null) { + throw new ServerNotAvailableException('Invalid encryption key'); + } + $key = $dataArray; + } else { + $key = [ + 'key' => base64_encode($data), + ]; + } + } + } + + $this->keyCache[$path] = $key; + } + } + + return $key; + } + + /** + * write key to disk + * + * + * @param string $path path to key directory + * @param array $key key + * @return bool + */ + private function setKey($path, $key) { + $this->keySetPreparation(dirname($path)); + + $versionFromBeforeUpdate = $this->config->getSystemValueString('version', '0.0.0.0'); + if (version_compare($versionFromBeforeUpdate, '20.0.0.1', '<=')) { + // Only store old format if this happens during the migration. + // TODO: Remove for 21 + $data = base64_decode($key['key']); + } else { + // Wrap the data + $data = $this->crypto->encrypt(json_encode($key)); + } + + $result = $this->view->file_put_contents($path, $data); + + if (is_int($result) && $result > 0) { + $this->keyCache[$path] = $key; + return true; + } + + return false; + } + + /** + * move keys if a file was renamed + * + * @param string $source + * @param string $target + * @return boolean + */ + public function renameKeys($source, $target) { + $sourcePath = $this->getPathToKeys($source); + $targetPath = $this->getPathToKeys($target); + + if ($this->view->file_exists($sourcePath)) { + $this->keySetPreparation(dirname($targetPath)); + $this->view->rename($sourcePath, $targetPath); + + return true; + } + + return false; + } + + + /** + * copy keys if a file was renamed + * + * @param string $source + * @param string $target + * @return boolean + */ + public function copyKeys($source, $target) { + $sourcePath = $this->getPathToKeys($source); + $targetPath = $this->getPathToKeys($target); + + if ($this->view->file_exists($sourcePath)) { + $this->keySetPreparation(dirname($targetPath)); + $this->view->copy($sourcePath, $targetPath); + return true; + } + + return false; + } + + /** + * backup keys of a given encryption module + * + * @param string $encryptionModuleId + * @param string $purpose + * @param string $uid + * @return bool + * @since 12.0.0 + */ + public function backupUserKeys($encryptionModuleId, $purpose, $uid) { + $source = $uid . $this->encryption_base_dir . '/' . $encryptionModuleId; + $backupDir = $uid . $this->backup_base_dir; + if (!$this->view->file_exists($backupDir)) { + $this->view->mkdir($backupDir); + } + + $backupDir = $backupDir . '/' . $purpose . '.' . $encryptionModuleId . '.' . $this->getTimestamp(); + $this->view->mkdir($backupDir); + + return $this->view->copy($source, $backupDir); + } + + /** + * get the current timestamp + * + * @return int + */ + protected function getTimestamp() { + return time(); + } + + /** + * get system wide path and detect mount points + * + * @param string $path + * @return string + */ + protected function getPathToKeys($path) { + [$owner, $relativePath] = $this->util->getUidAndFilename($path); + $systemWideMountPoint = $this->util->isSystemWideMountPoint($relativePath, $owner); + + if ($systemWideMountPoint) { + $systemPath = $this->root_dir . '/' . $this->keys_base_dir . $relativePath . '/'; + } else { + $systemPath = $this->root_dir . '/' . $owner . $this->keys_base_dir . $relativePath . '/'; + } + + return Filesystem::normalizePath($systemPath, false); + } + + /** + * Make preparations to filesystem for saving a key file + * + * @param string $path relative to the views root + */ + protected function keySetPreparation($path) { + // If the file resides within a subdirectory, create it + if (!$this->view->file_exists($path)) { + $sub_dirs = explode('/', ltrim($path, '/')); + $dir = ''; + foreach ($sub_dirs as $sub_dir) { + $dir .= '/' . $sub_dir; + if (!$this->view->is_dir($dir)) { + $this->view->mkdir($dir); + } + } + } + } +} |