From 39733c8da1c12cc79b7d650edf2ea1074330ee5f Mon Sep 17 00:00:00 2001 From: Clark Tomlinson Date: Tue, 24 Feb 2015 13:05:19 -0500 Subject: Initial commit --- apps/encryption/controller/recoverycontroller.php | 106 ++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 apps/encryption/controller/recoverycontroller.php (limited to 'apps/encryption/controller') diff --git a/apps/encryption/controller/recoverycontroller.php b/apps/encryption/controller/recoverycontroller.php new file mode 100644 index 00000000000..abea8993336 --- /dev/null +++ b/apps/encryption/controller/recoverycontroller.php @@ -0,0 +1,106 @@ + + * @since 2/19/15, 11:25 AM + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see + * + */ + +namespace OCA\Encryption\Controller; + + +use OCA\Encryption\Recovery; +use OCP\AppFramework\Controller; +use OCP\IConfig; +use OCP\IL10N; +use OCP\IRequest; +use OCP\JSON; +use Symfony\Component\HttpFoundation\JsonResponse; + +class RecoveryController extends Controller { + /** + * @var IConfig + */ + private $config; + /** + * @var IL10N + */ + private $l; + /** + * @var Recovery + */ + private $recovery; + + /** + * @param string $AppName + * @param IRequest $request + * @param IConfig $config + * @param IL10N $l10n + * @param Recovery $recovery + */ + public function __construct($AppName, IRequest $request, IConfig $config, IL10N $l10n, Recovery $recovery) { + parent::__construct($AppName, $request); + $this->config = $config; + $this->l = $l10n; + $this->recovery = $recovery; + } + + public function adminRecovery($recoveryPassword, $confirmPassword, $adminEnableRecovery) { + // Check if both passwords are the same + if (empty($recoveryPassword)) { + $errorMessage = $this->l->t('Missing recovery key password'); + return new JsonResponse(['data' => ['message' => $errorMessage]], 500); + } + + if (empty($confirmPassword)) { + $errorMessage = $this->l->t('Please repeat the recovery key password'); + return new JsonResponse(['data' => ['message' => $errorMessage]], 500); + } + + if ($recoveryPassword !== $confirmPassword) { + $errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password'); + return new JsonResponse(['data' => ['message' => $errorMessage]], 500); + } + + // Enable recoveryAdmin + $recoveryKeyId = $this->config->getAppValue('encryption', 'recoveryKeyId'); + + if (isset($adminEnableRecovery) && $adminEnableRecovery === '1') { + if ($this->recovery->enableAdminRecovery($recoveryKeyId, $recoveryPassword)) { + return new JsonResponse(['data' => array('message' => $this->l->t('Recovery key successfully enabled'))]); + } + return new JsonResponse(['data' => array('message' => $this->l->t('Could not enable recovery key. Please check your recovery key password!'))]); + } elseif (isset($adminEnableRecovery) && $adminEnableRecovery === '0') { + if ($this->recovery->disableAdminRecovery($recoveryKeyId, $recoveryPassword)) { + return new JsonResponse(['data' => array('message' => $this->l->t('Recovery key successfully disabled'))]); + } + return new JsonResponse(['data' => array('message' => $this->l->t('Could not disable recovery key. Please check your recovery key password!'))]); + } + } + + public function userRecovery($userEnableRecovery) { + if (isset($userEnableRecovery) && ($userEnableRecovery === '0' || $userEnableRecovery === '1')) { + $userId = $this->user->getUID(); + if ($userEnableRecovery === '1') { + // Todo xxx figure out if we need keyid's here or what. + return $this->recovery->addRecoveryKeys(); + } + // Todo xxx see :98 + return $this->recovery->removeRecoveryKeys(); + } + } + +} -- cgit v1.2.3 From 4b4aeaa5b2e13ae4272bf8f4b44564e5b8cb046a Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Tue, 31 Mar 2015 13:48:03 +0200 Subject: fix set recovery key and implement change password --- apps/encryption/appinfo/routes.php | 5 ++ apps/encryption/controller/recoverycontroller.php | 54 ++++++++++++++++------ apps/encryption/js/settings-admin.js | 2 +- .../lib/exceptions/privatekeymissingexception.php | 2 +- apps/encryption/lib/keymanager.php | 44 ++++++++++++++++-- apps/encryption/lib/recovery.php | 31 ++++++++----- 6 files changed, 108 insertions(+), 30 deletions(-) (limited to 'apps/encryption/controller') diff --git a/apps/encryption/appinfo/routes.php b/apps/encryption/appinfo/routes.php index b2c00c83349..030e7617816 100644 --- a/apps/encryption/appinfo/routes.php +++ b/apps/encryption/appinfo/routes.php @@ -33,6 +33,11 @@ namespace OCA\Encryption\AppInfo; 'name' => 'Recovery#userRecovery', 'url' => '/ajax/userRecovery', 'verb' => 'POST' + ], + [ + 'name' => 'Recovery#changeRecoveryPassword', + 'url' => '/ajax/changeRecoveryPassword', + 'verb' => 'POST' ] diff --git a/apps/encryption/controller/recoverycontroller.php b/apps/encryption/controller/recoverycontroller.php index abea8993336..e7bfd374903 100644 --- a/apps/encryption/controller/recoverycontroller.php +++ b/apps/encryption/controller/recoverycontroller.php @@ -28,7 +28,7 @@ use OCP\IConfig; use OCP\IL10N; use OCP\IRequest; use OCP\JSON; -use Symfony\Component\HttpFoundation\JsonResponse; +use OCP\AppFramework\Http\DataResponse; class RecoveryController extends Controller { /** @@ -62,32 +62,60 @@ class RecoveryController extends Controller { // Check if both passwords are the same if (empty($recoveryPassword)) { $errorMessage = $this->l->t('Missing recovery key password'); - return new JsonResponse(['data' => ['message' => $errorMessage]], 500); + return new DataResponse(['data' => ['message' => $errorMessage]], 500); } if (empty($confirmPassword)) { $errorMessage = $this->l->t('Please repeat the recovery key password'); - return new JsonResponse(['data' => ['message' => $errorMessage]], 500); + return new DataResponse(['data' => ['message' => $errorMessage]], 500); } if ($recoveryPassword !== $confirmPassword) { $errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password'); - return new JsonResponse(['data' => ['message' => $errorMessage]], 500); + return new DataResponse(['data' => ['message' => $errorMessage]], 500); } - // Enable recoveryAdmin - $recoveryKeyId = $this->config->getAppValue('encryption', 'recoveryKeyId'); - if (isset($adminEnableRecovery) && $adminEnableRecovery === '1') { - if ($this->recovery->enableAdminRecovery($recoveryKeyId, $recoveryPassword)) { - return new JsonResponse(['data' => array('message' => $this->l->t('Recovery key successfully enabled'))]); + if ($this->recovery->enableAdminRecovery($recoveryPassword)) { + return new DataResponse(['status' =>'success', 'data' => array('message' => $this->l->t('Recovery key successfully enabled'))]); } - return new JsonResponse(['data' => array('message' => $this->l->t('Could not enable recovery key. Please check your recovery key password!'))]); + return new DataResponse(['data' => array('message' => $this->l->t('Could not enable recovery key. Please check your recovery key password!'))]); } elseif (isset($adminEnableRecovery) && $adminEnableRecovery === '0') { - if ($this->recovery->disableAdminRecovery($recoveryKeyId, $recoveryPassword)) { - return new JsonResponse(['data' => array('message' => $this->l->t('Recovery key successfully disabled'))]); + if ($this->recovery->disableAdminRecovery($recoveryPassword)) { + return new DataResponse(['data' => array('message' => $this->l->t('Recovery key successfully disabled'))]); } - return new JsonResponse(['data' => array('message' => $this->l->t('Could not disable recovery key. Please check your recovery key password!'))]); + return new DataResponse(['data' => array('message' => $this->l->t('Could not disable recovery key. Please check your recovery key password!'))]); + } + } + + public function changeRecoveryPassword($newPassword, $oldPassword, $confirmPassword) { + //check if both passwords are the same + if (empty($oldPassword)) { + $errorMessage = $this->l->t('Please provide the old recovery password'); + return new DataResponse(array('data' => array('message' => $errorMessage))); + } + + if (empty($newPassword)) { + $errorMessage = $this->l->t('Please provide a new recovery password'); + return new DataResponse (array('data' => array('message' => $errorMessage))); + } + + if (empty($confirmPassword)) { + $errorMessage = $this->l->t('Please repeat the new recovery password'); + return new DataResponse(array('data' => array('message' => $errorMessage))); + } + + if ($newPassword !== $confirmPassword) { + $errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password'); + return new DataResponse(array('data' => array('message' => $errorMessage))); + } + + $result = $this->recovery->changeRecoveryKeyPassword($newPassword, $oldPassword); + + if ($result) { + return new DataResponse(array('status' => 'success' ,'data' => array('message' => $this->l->t('Password successfully changed.')))); + } else { + return new DataResponse(array('data' => array('message' => $this->l->t('Could not change the password. Maybe the old password was not correct.')))); } } diff --git a/apps/encryption/js/settings-admin.js b/apps/encryption/js/settings-admin.js index e5d3bebb208..36765adf3e4 100644 --- a/apps/encryption/js/settings-admin.js +++ b/apps/encryption/js/settings-admin.js @@ -44,7 +44,7 @@ $(document).ready(function(){ var confirmNewPassword = $('#repeatedNewEncryptionRecoveryPassword').val(); OC.msg.startSaving('#encryptionChangeRecoveryKey .msg'); $.post( - OC.filePath( 'encryption', 'ajax', 'changeRecoveryPassword.php' ) + OC.generateUrl('/apps/encryption/ajax/changeRecoveryPassword') , { oldPassword: oldRecoveryPassword, newPassword: newRecoveryPassword, confirmPassword: confirmNewPassword } , function( data ) { OC.msg.finishedSaving('#encryptionChangeRecoveryKey .msg', data); diff --git a/apps/encryption/lib/exceptions/privatekeymissingexception.php b/apps/encryption/lib/exceptions/privatekeymissingexception.php index e06940f7ac8..ddc3d11cdbc 100644 --- a/apps/encryption/lib/exceptions/privatekeymissingexception.php +++ b/apps/encryption/lib/exceptions/privatekeymissingexception.php @@ -23,6 +23,6 @@ namespace OCA\Encryption\Exceptions; -class PrivateKeyMissingException extends GenericEncryptionException{ +class PrivateKeyMissingException extends \Exception{ } diff --git a/apps/encryption/lib/keymanager.php b/apps/encryption/lib/keymanager.php index 87b19fe35ea..67a32d75908 100644 --- a/apps/encryption/lib/keymanager.php +++ b/apps/encryption/lib/keymanager.php @@ -108,6 +108,14 @@ class KeyManager { $this->config = $config; $this->recoveryKeyId = $this->config->getAppValue('encryption', 'recoveryKeyId'); + if (empty($this->recoveryKeyId)) { + $this->recoveryKeyId = 'recoveryKey_' . substr(md5(time()), 0, 8); + $this->config->setAppValue('encryption', + 'recoveryKeyId', + $this->recoveryKeyId); + } + + $this->publicShareKeyId = $this->config->getAppValue('encryption', 'publicShareKeyId'); $this->log = $log; @@ -171,7 +179,7 @@ class KeyManager { * @return bool */ public function checkRecoveryPassword($password) { - $recoveryKey = $this->keyStorage->getSystemUserKey($this->recoveryKeyId); + $recoveryKey = $this->keyStorage->getSystemUserKey($this->recoveryKeyId . '.privateKey'); $decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $password); @@ -202,6 +210,26 @@ class KeyManager { return false; } + /** + * @param string $uid + * @param string $password + * @param array $keyPair + * @return bool + */ + public function setRecoveryKey($password, $keyPair) { + // Save Public Key + $this->keyStorage->setSystemUserKey($this->getRecoveryKeyId(). '.publicKey', $keyPair['publicKey']); + + $encryptedKey = $this->crypt->symmetricEncryptFileContent($keyPair['privateKey'], + $password); + + if ($encryptedKey) { + $this->setSystemPrivateKey($this->getRecoveryKeyId(), $encryptedKey); + return true; + } + return false; + } + /** * @param $userId * @param $key @@ -428,9 +456,19 @@ class KeyManager { } /** + * @param string $keyId + * @return string returns openssl key + */ + public function getSystemPrivateKey($keyId) { + return $this->keyStorage->getSystemUserKey($keyId . '.' . $this->privateKeyId); + } + + /** + * @param string $keyId + * @param string $key * @return string returns openssl key */ - public function getSystemPrivateKey() { - return $this->keyStorage->getSystemUserKey($this->privateKeyId); + public function setSystemPrivateKey($keyId, $key) { + return $this->keyStorage->setSystemUserKey($keyId . '.' . $this->privateKeyId, $key); } } diff --git a/apps/encryption/lib/recovery.php b/apps/encryption/lib/recovery.php index 376d3ef83ba..0426c3746ed 100644 --- a/apps/encryption/lib/recovery.php +++ b/apps/encryption/lib/recovery.php @@ -88,24 +88,14 @@ class Recovery { * @param $password * @return bool */ - public function enableAdminRecovery($recoveryKeyId, $password) { + public function enableAdminRecovery($password) { $appConfig = $this->config; - - if ($recoveryKeyId === null) { - $recoveryKeyId = $this->random->getLowStrengthGenerator(); - $appConfig->setAppValue('encryption', - 'recoveryKeyId', - $recoveryKeyId); - } - $keyManager = $this->keyManager; if (!$keyManager->recoveryKeyExists()) { $keyPair = $this->crypt->createKeyPair(); - return $this->keyManager->storeKeyPair($this->user->getUID(), - $password, - $keyPair); + $this->keyManager->setRecoveryKey($password, $keyPair); } if ($keyManager->checkRecoveryPassword($password)) { @@ -116,6 +106,23 @@ class Recovery { return false; } + /** + * change recovery key id + * + * @param string $newPassword + * @param string $oldPassword + */ + public function changeRecoveryKeyPassword($newPassword, $oldPassword) { + $recoveryKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId()); + $decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $oldPassword); + $encryptedRecoveryKey = $this->crypt->symmetricEncryptFileContent($decryptedRecoveryKey, $newPassword); + if ($encryptedRecoveryKey) { + $this->keyManager->setSystemPrivateKey($this->keyManager->getRecoveryKeyId(), $encryptedRecoveryKey); + return true; + } + return false; + } + /** * @param $recoveryPassword * @return bool -- cgit v1.2.3 From e4895bda01f9c94fc33e094ae9466e1cf5502916 Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Tue, 31 Mar 2015 16:23:31 +0200 Subject: add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files --- apps/encryption/appinfo/application.php | 4 +- apps/encryption/appinfo/routes.php | 5 ++ apps/encryption/controller/recoverycontroller.php | 61 ++++++++++++---- apps/encryption/js/settings-personal.js | 29 +------- apps/encryption/lib/recovery.php | 87 +++++++++++++++++++---- apps/encryption/settings/settings-personal.php | 6 +- apps/encryption/templates/settings-personal.php | 2 + lib/base.php | 1 + lib/private/encryption/file.php | 81 +++++++++++++++++++++ lib/private/encryption/update.php | 8 ++- lib/private/encryption/util.php | 47 +----------- lib/private/files/stream/encryption.php | 9 ++- lib/private/server.php | 12 ++++ lib/public/encryption/ifile.php | 36 ++++++++++ lib/public/encryption/imanager.php | 4 +- lib/public/iservercontainer.php | 5 ++ 16 files changed, 290 insertions(+), 107 deletions(-) create mode 100644 lib/private/encryption/file.php create mode 100644 lib/public/encryption/ifile.php (limited to 'apps/encryption/controller') diff --git a/apps/encryption/appinfo/application.php b/apps/encryption/appinfo/application.php index e8f10798bb4..372d49e5ef7 100644 --- a/apps/encryption/appinfo/application.php +++ b/apps/encryption/appinfo/application.php @@ -139,7 +139,9 @@ class Application extends \OCP\AppFramework\App { $server->getSecureRandom(), $c->query('KeyManager'), $server->getConfig(), - $server->getEncryptionKeyStorage(\OCA\Encryption\Crypto\Encryption::ID)); + $server->getEncryptionKeyStorage(\OCA\Encryption\Crypto\Encryption::ID), + $server->getEncryptionFilesHelper(), + new \OC\Files\View()); }); $container->registerService('RecoveryController', function (IAppContainer $c) { diff --git a/apps/encryption/appinfo/routes.php b/apps/encryption/appinfo/routes.php index 030e7617816..1a6cf18fbed 100644 --- a/apps/encryption/appinfo/routes.php +++ b/apps/encryption/appinfo/routes.php @@ -38,6 +38,11 @@ namespace OCA\Encryption\AppInfo; 'name' => 'Recovery#changeRecoveryPassword', 'url' => '/ajax/changeRecoveryPassword', 'verb' => 'POST' + ], + [ + 'name' => 'Recovery#userSetRecovery', + 'url' => '/ajax/userSetRecovery', + 'verb' => 'POST' ] diff --git a/apps/encryption/controller/recoverycontroller.php b/apps/encryption/controller/recoverycontroller.php index e7bfd374903..d115feb8e39 100644 --- a/apps/encryption/controller/recoverycontroller.php +++ b/apps/encryption/controller/recoverycontroller.php @@ -61,61 +61,72 @@ class RecoveryController extends Controller { public function adminRecovery($recoveryPassword, $confirmPassword, $adminEnableRecovery) { // Check if both passwords are the same if (empty($recoveryPassword)) { - $errorMessage = $this->l->t('Missing recovery key password'); + $errorMessage = (string) $this->l->t('Missing recovery key password'); return new DataResponse(['data' => ['message' => $errorMessage]], 500); } if (empty($confirmPassword)) { - $errorMessage = $this->l->t('Please repeat the recovery key password'); + $errorMessage = (string) $this->l->t('Please repeat the recovery key password'); return new DataResponse(['data' => ['message' => $errorMessage]], 500); } if ($recoveryPassword !== $confirmPassword) { - $errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password'); + $errorMessage = (string) $this->l->t('Repeated recovery key password does not match the provided recovery key password'); return new DataResponse(['data' => ['message' => $errorMessage]], 500); } if (isset($adminEnableRecovery) && $adminEnableRecovery === '1') { if ($this->recovery->enableAdminRecovery($recoveryPassword)) { - return new DataResponse(['status' =>'success', 'data' => array('message' => $this->l->t('Recovery key successfully enabled'))]); + return new DataResponse(['status' =>'success', 'data' => array('message' => (string) $this->l->t('Recovery key successfully enabled'))]); } - return new DataResponse(['data' => array('message' => $this->l->t('Could not enable recovery key. Please check your recovery key password!'))]); + return new DataResponse(['data' => array('message' => (string) $this->l->t('Could not enable recovery key. Please check your recovery key password!'))]); } elseif (isset($adminEnableRecovery) && $adminEnableRecovery === '0') { if ($this->recovery->disableAdminRecovery($recoveryPassword)) { - return new DataResponse(['data' => array('message' => $this->l->t('Recovery key successfully disabled'))]); + return new DataResponse(['data' => array('message' => (string) $this->l->t('Recovery key successfully disabled'))]); } - return new DataResponse(['data' => array('message' => $this->l->t('Could not disable recovery key. Please check your recovery key password!'))]); + return new DataResponse(['data' => array('message' => (string) $this->l->t('Could not disable recovery key. Please check your recovery key password!'))]); } } public function changeRecoveryPassword($newPassword, $oldPassword, $confirmPassword) { //check if both passwords are the same if (empty($oldPassword)) { - $errorMessage = $this->l->t('Please provide the old recovery password'); + $errorMessage = (string) $this->l->t('Please provide the old recovery password'); return new DataResponse(array('data' => array('message' => $errorMessage))); } if (empty($newPassword)) { - $errorMessage = $this->l->t('Please provide a new recovery password'); + $errorMessage = (string) $this->l->t('Please provide a new recovery password'); return new DataResponse (array('data' => array('message' => $errorMessage))); } if (empty($confirmPassword)) { - $errorMessage = $this->l->t('Please repeat the new recovery password'); + $errorMessage = (string) $this->l->t('Please repeat the new recovery password'); return new DataResponse(array('data' => array('message' => $errorMessage))); } if ($newPassword !== $confirmPassword) { - $errorMessage = $this->l->t('Repeated recovery key password does not match the provided recovery key password'); + $errorMessage = (string) $this->l->t('Repeated recovery key password does not match the provided recovery key password'); return new DataResponse(array('data' => array('message' => $errorMessage))); } $result = $this->recovery->changeRecoveryKeyPassword($newPassword, $oldPassword); if ($result) { - return new DataResponse(array('status' => 'success' ,'data' => array('message' => $this->l->t('Password successfully changed.')))); + return new DataResponse( + array( + 'status' => 'success' , + 'data' => array( + 'message' => (string) $this->l->t('Password successfully changed.')) + ) + ); } else { - return new DataResponse(array('data' => array('message' => $this->l->t('Could not change the password. Maybe the old password was not correct.')))); + return new DataResponse( + array( + 'data' => array + ('message' => (string) $this->l->t('Could not change the password. Maybe the old password was not correct.')) + ) + ); } } @@ -131,4 +142,28 @@ class RecoveryController extends Controller { } } + public function userSetRecovery($userEnableRecovery) { + if ($userEnableRecovery === '0' || $userEnableRecovery === '1') { + + $result = $this->recovery->setRecoveryForUser($userEnableRecovery); + + if ($result) { + return new DataResponse( + array( + 'status' => 'success', + 'data' => array( + 'message' => (string) $this->l->t('Recovery Key enabled')) + ) + ); + } else { + return new DataResponse( + array( + 'data' => array + ('message' => (string) $this->l->t('Could not enable the recovery key, please try again or contact your administrator')) + ) + ); + } + } + } + } diff --git a/apps/encryption/js/settings-personal.js b/apps/encryption/js/settings-personal.js index b798ba7e4e1..7f0f4c6c26d 100644 --- a/apps/encryption/js/settings-personal.js +++ b/apps/encryption/js/settings-personal.js @@ -29,7 +29,7 @@ $(document).ready(function(){ var recoveryStatus = $( this ).val(); OC.msg.startAction('#userEnableRecovery .msg', 'Updating recovery keys. This can take some time...'); $.post( - OC.filePath( 'files_encryption', 'ajax', 'userrecovery.php' ) + OC.generateUrl('/apps/encryption/ajax/userSetRecovery') , { userEnableRecovery: recoveryStatus } , function( data ) { OC.msg.finishedAction('#userEnableRecovery .msg', data); @@ -40,33 +40,6 @@ $(document).ready(function(){ } ); - $("#encryptAll").click( - function(){ - - // Hide feedback messages in case they're already visible - $('#encryptAllSuccess').hide(); - $('#encryptAllError').hide(); - - var userPassword = $( '#userPassword' ).val(); - var encryptAll = $( '#encryptAll' ).val(); - - $.post( - OC.filePath( 'files_encryption', 'ajax', 'encryptall.php' ) - , { encryptAll: encryptAll, userPassword: userPassword } - , function( data ) { - if ( data.status == "success" ) { - $('#encryptAllSuccess').show(); - } else { - $('#encryptAllError').show(); - } - } - ); - // Ensure page is not reloaded on form submit - return false; - } - - ); - // update private key password $('input:password[name="changePrivateKeyPassword"]').keyup(function(event) { diff --git a/apps/encryption/lib/recovery.php b/apps/encryption/lib/recovery.php index 0426c3746ed..701c0934c95 100644 --- a/apps/encryption/lib/recovery.php +++ b/apps/encryption/lib/recovery.php @@ -29,7 +29,8 @@ use OCP\IUser; use OCP\IUserSession; use OCP\PreConditionNotMetException; use OCP\Security\ISecureRandom; -use OCP\Share; +use OC\Files\View; +use OCP\Encryption\IFile; class Recovery { @@ -58,7 +59,17 @@ class Recovery { * @var IStorage */ private $keyStorage; - + /** + * @var View + */ + private $view; + /** + * @var IFile + */ + private $file; + /** + * @var string + */ private $recoveryKeyId; /** @@ -68,19 +79,25 @@ class Recovery { * @param KeyManager $keyManager * @param IConfig $config * @param IStorage $keyStorage + * @param IFile $file + * @param View $view */ public function __construct(IUserSession $user, Crypt $crypt, ISecureRandom $random, KeyManager $keyManager, IConfig $config, - IStorage $keyStorage) { + IStorage $keyStorage, + IFile $file, + View $view) { $this->user = $user && $user->isLoggedIn() ? $user->getUser() : false; $this->crypt = $crypt; $this->random = $random; $this->keyManager = $keyManager; $this->config = $config; $this->keyStorage = $keyStorage; + $this->view = $view; + $this->file = $file; } /** @@ -138,14 +155,6 @@ class Recovery { return false; } - public function addRecoveryKeys($keyId) { - // No idea new way to do this.... - } - - public function removeRecoveryKeys() { - // No idea new way to do this.... - } - /** * @return bool */ @@ -159,23 +168,73 @@ class Recovery { } /** - * @param $enabled + * @param string $value * @return bool */ - public function setRecoveryForUser($enabled) { - $value = $enabled ? '1' : '0'; + public function setRecoveryForUser($value) { try { $this->config->setUserValue($this->user->getUID(), 'encryption', 'recoveryEnabled', $value); + + if ($value === '1') { + $this->addRecoveryKeys('/' . $this->user . '/files/'); + } else { + $this->removeRecoveryKeys(); + } + return true; } catch (PreConditionNotMetException $e) { return false; } } + /** + * add recovery key to all encrypted files + */ + private function addRecoveryKeys($path = '/') { + $dirContent = $this->view->getDirectoryContent($path); + foreach ($dirContent as $item) { + // get relative path from files_encryption/keyfiles/ + $filePath = $item['path']; + if ($item['type'] === 'dir') { + $this->addRecoveryKeys($filePath . '/'); + } else { + $fileKey = $this->keyManager->getFileKey($filePath, $this->user); + if (!empty($fileKey)) { + $accessList = $this->file->getAccessList($path); + $publicKeys = array(); + foreach ($accessList['users'] as $uid) { + $publicKeys[$uid] = $this->keymanager->getPublicKey($uid); + } + + $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); + $this->keymanager->setAllFileKeys($path, $encryptedKeyfiles); + } + } + } + } + + /** + * remove recovery key to all encrypted files + */ + private function removeRecoveryKeys($path = '/') { + $dirContent = $this->view->getDirectoryContent($this->keyfilesPath . $path); + foreach ($dirContent as $item) { + // get relative path from files_encryption/keyfiles + $filePath = substr($item['path'], strlen('files_encryption/keyfiles')); + if ($item['type'] === 'dir') { + $this->removeRecoveryKeys($filePath . '/'); + } else { + // remove '.key' extension from path e.g. 'file.txt.key' to 'file.txt' + $file = substr($filePath, 0, -4); + $this->view->unlink($this->shareKeysPath . '/' . $file . '.' . $this->recoveryKeyId . '.shareKey'); + } + } + } + /** * @param $recoveryPassword */ diff --git a/apps/encryption/settings/settings-personal.php b/apps/encryption/settings/settings-personal.php index a4173dbd40f..8caacbd19ca 100644 --- a/apps/encryption/settings/settings-personal.php +++ b/apps/encryption/settings/settings-personal.php @@ -29,7 +29,11 @@ $user = \OCP\User::getUser(); $view = new \OC\Files\View('/'); $util = new \OCA\Encryption\Util( - new \OC\Files\View(), $crypt, $keymanager, \OC::$server->getLogger(), \OC::$server->getUserSession(), \OC::$server->getConfig()); + new \OC\Files\View(), + $crypt, $keymanager, + \OC::$server->getLogger(), + \OC::$server->getUserSession(), + \OC::$server->getConfig()); $privateKeySet = $session->isPrivateKeySet(); // did we tried to initialize the keys for this session? diff --git a/apps/encryption/templates/settings-personal.php b/apps/encryption/templates/settings-personal.php index cefd6f4ad5c..6b8821ca8a8 100644 --- a/apps/encryption/templates/settings-personal.php +++ b/apps/encryption/templates/settings-personal.php @@ -1,6 +1,8 @@

t('ownCloud basic encryption module')); ?>

diff --git a/lib/base.php b/lib/base.php index a5ca08123ac..1d536464153 100644 --- a/lib/base.php +++ b/lib/base.php @@ -723,6 +723,7 @@ class OC { \OC::$server->getConfig()), \OC\Files\Filesystem::getMountManager(), \OC::$server->getEncryptionManager(), + \OC::$server->getEncryptionFilesHelper(), $uid ); \OCP\Util::connectHook('OCP\Share', 'post_shared', $updater, 'postShared'); diff --git a/lib/private/encryption/file.php b/lib/private/encryption/file.php new file mode 100644 index 00000000000..f231500fb02 --- /dev/null +++ b/lib/private/encryption/file.php @@ -0,0 +1,81 @@ + + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE + * License as published by the Free Software Foundation; either + * version 3 of the License, or any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU AFFERO GENERAL PUBLIC LICENSE for more details. + * + * You should have received a copy of the GNU Affero General Public + * License along with this library. If not, see . + */ + +namespace OC\Encryption; + +use OC\Encryption\Util; + +class File implements \OCP\Encryption\IFile { + + /** @var Util */ + protected $util; + + public function __construct(Util $util) { + $this->util = $util; + } + + + /** + * get list of users with access to the file + * + * @param $path to the file + * @return array + */ + public function getAccessList($path) { + + // Make sure that a share key is generated for the owner too + list($owner, $ownerPath) = $this->util->getUidAndFilename($path); + + // always add owner to the list of users with access to the file + $userIds = array($owner); + + if (!$this->util->isFile($ownerPath)) { + return array('users' => $userIds, 'public' => false); + } + + $ownerPath = substr($ownerPath, strlen('/files')); + $ownerPath = $this->util->stripPartialFileExtension($ownerPath); + + // Find out who, if anyone, is sharing the file + $result = \OCP\Share::getUsersSharingFile($ownerPath, $owner); + $userIds = \array_merge($userIds, $result['users']); + $public = $result['public'] || $result['remote']; + + // check if it is a group mount + if (\OCP\App::isEnabled("files_external")) { + $mounts = \OC_Mount_Config::getSystemMountPoints(); + foreach ($mounts as $mount) { + if ($mount['mountpoint'] == substr($ownerPath, 1, strlen($mount['mountpoint']))) { + $mountedFor = $this->util->getUserWithAccessToMountPoint($mount['applicable']['users'], $mount['applicable']['groups']); + $userIds = array_merge($userIds, $mountedFor); + } + } + } + + // Remove duplicate UIDs + $uniqueUserIds = array_unique($userIds); + + return array('users' => $uniqueUserIds, 'public' => $public); + } + +} \ No newline at end of file diff --git a/lib/private/encryption/update.php b/lib/private/encryption/update.php index 06dc330151e..21cedde6140 100644 --- a/lib/private/encryption/update.php +++ b/lib/private/encryption/update.php @@ -46,12 +46,16 @@ class Update { /** @var string */ protected $uid; + /** @var \OC\Encryption\File */ + protected $file; + /** * * @param \OC\Files\View $view * @param \OC\Encryption\Util $util * @param \OC\Files\Mount\Manager $mountManager * @param \OC\Encryption\Manager $encryptionManager + * @param \OC\Encryption\File $file * @param string $uid */ public function __construct( @@ -59,6 +63,7 @@ class Update { Util $util, Mount\Manager $mountManager, Manager $encryptionManager, + File $file, $uid ) { @@ -66,6 +71,7 @@ class Update { $this->util = $util; $this->mountManager = $mountManager; $this->encryptionManager = $encryptionManager; + $this->file = $file; $this->uid = $uid; } @@ -103,7 +109,7 @@ class Update { $encryptionModule = $this->encryptionManager->getDefaultEncryptionModule(); foreach ($allFiles as $path) { - $usersSharing = $this->util->getSharingUsersArray($path); + $usersSharing = $this->file->getAccessList($path); $encryptionModule->update($absPath, $this->uid, $usersSharing); } } diff --git a/lib/private/encryption/util.php b/lib/private/encryption/util.php index 1308d27c924..734da741fdd 100644 --- a/lib/private/encryption/util.php +++ b/lib/private/encryption/util.php @@ -162,49 +162,6 @@ class Util { return $paddedHeader; } - /** - * Find, sanitise and format users sharing a file - * @note This wraps other methods into a portable bundle - * @param string $path path relative to current users files folder - * @return array - */ - public function getSharingUsersArray($path) { - - // Make sure that a share key is generated for the owner too - list($owner, $ownerPath) = $this->getUidAndFilename($path); - - // always add owner to the list of users with access to the file - $userIds = array($owner); - - if (!$this->isFile($ownerPath)) { - return array('users' => $userIds, 'public' => false); - } - - $ownerPath = substr($ownerPath, strlen('/files')); - $ownerPath = $this->stripPartialFileExtension($ownerPath); - - // Find out who, if anyone, is sharing the file - $result = \OCP\Share::getUsersSharingFile($ownerPath, $owner); - $userIds = \array_merge($userIds, $result['users']); - $public = $result['public'] || $result['remote']; - - // check if it is a group mount - if (\OCP\App::isEnabled("files_external")) { - $mounts = \OC_Mount_Config::getSystemMountPoints(); - foreach ($mounts as $mount) { - if ($mount['mountpoint'] == substr($ownerPath, 1, strlen($mount['mountpoint']))) { - $mountedFor = $this->getUserWithAccessToMountPoint($mount['applicable']['users'], $mount['applicable']['groups']); - $userIds = array_merge($userIds, $mountedFor); - } - } - } - - // Remove duplicate UIDs - $uniqueUserIds = array_unique($userIds); - - return array('users' => $uniqueUserIds, 'public' => $public); - } - /** * go recursively through a dir and collect all files and sub files. * @@ -243,7 +200,7 @@ class Util { * @param string $path * @return boolean */ - protected function isFile($path) { + public function isFile($path) { if (substr($path, 0, strlen('/files/')) === '/files/') { return true; } @@ -361,7 +318,7 @@ class Util { } } - protected function getUserWithAccessToMountPoint($users, $groups) { + public function getUserWithAccessToMountPoint($users, $groups) { $result = array(); if (in_array('all', $users)) { $result = \OCP\User::getUsers(); diff --git a/lib/private/files/stream/encryption.php b/lib/private/files/stream/encryption.php index e3927edff2c..a96d573723c 100644 --- a/lib/private/files/stream/encryption.php +++ b/lib/private/files/stream/encryption.php @@ -31,6 +31,9 @@ class Encryption extends Wrapper { /** @var \OC\Encryption\Util */ protected $util; + /** @var \OC\Encryption\File */ + protected $file; + /** @var \OCP\Encryption\IEncryptionModule */ protected $encryptionModule; @@ -97,6 +100,7 @@ class Encryption extends Wrapper { 'encryptionModule', 'header', 'uid', + 'file', 'util', 'size', 'unencryptedSize', @@ -117,6 +121,7 @@ class Encryption extends Wrapper { * @param \OC\Files\Storage\Storage $storage * @param \OC\Files\Storage\Wrapper\Encryption $encStorage * @param \OC\Encryption\Util $util + * @param \OC\Encryption\File $file * @param string $mode * @param int $size * @param int $unencryptedSize @@ -130,6 +135,7 @@ class Encryption extends Wrapper { \OC\Files\Storage\Storage $storage, \OC\Files\Storage\Wrapper\Encryption $encStorage, \OC\Encryption\Util $util, + \OC\Encryption\File $file, $mode, $size, $unencryptedSize) { @@ -144,6 +150,7 @@ class Encryption extends Wrapper { 'header' => $header, 'uid' => $uid, 'util' => $util, + 'file' => $file, 'size' => $size, 'unencryptedSize' => $unencryptedSize, 'encryptionStorage' => $encStorage @@ -229,7 +236,7 @@ class Encryption extends Wrapper { $sharePath = dirname($path); } - $accessList = $this->util->getSharingUsersArray($sharePath); + $accessList = $this->file->getAccessList($sharePath); $this->newHeader = $this->encryptionModule->begin($this->fullPath, $this->uid, $this->header, $accessList); return true; diff --git a/lib/private/server.php b/lib/private/server.php index a38096cf740..661aaf6786d 100644 --- a/lib/private/server.php +++ b/lib/private/server.php @@ -87,6 +87,11 @@ class Server extends SimpleContainer implements IServerContainer { return new Encryption\Manager($c->getConfig()); }); + $this->registerService('EncryptionFileHelper', function (Server $c) { + $util = new \OC\Encryption\Util(new \OC\Files\View(), $c->getUserManager(), $c->getConfig()); + return new Encryption\File($util); + }); + $this->registerService('EncryptionKeyStorageFactory', function ($c) { return new Encryption\Keys\Factory(); }); @@ -407,6 +412,13 @@ class Server extends SimpleContainer implements IServerContainer { return $this->query('EncryptionManager'); } + /** + * @return \OC\Encryption\File + */ + function getEncryptionFilesHelper() { + return $this->query('EncryptionFileHelper'); + } + /** * @param string $encryptionModuleId encryption module ID * diff --git a/lib/public/encryption/ifile.php b/lib/public/encryption/ifile.php new file mode 100644 index 00000000000..cb4faea0625 --- /dev/null +++ b/lib/public/encryption/ifile.php @@ -0,0 +1,36 @@ + + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE + * License as published by the Free Software Foundation; either + * version 3 of the License, or any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU AFFERO GENERAL PUBLIC LICENSE for more details. + * + * You should have received a copy of the GNU Affero General Public + * License along with this library. If not, see . + */ + +namespace OCP\Encryption; + +interface IFile { + + /** + * get list of users with access to the file + * + * @param $path to the file + * @return array + */ + public function getAccessList($path); + +} \ No newline at end of file diff --git a/lib/public/encryption/imanager.php b/lib/public/encryption/imanager.php index 9a12e401593..2691604ac37 100644 --- a/lib/public/encryption/imanager.php +++ b/lib/public/encryption/imanager.php @@ -22,9 +22,7 @@ */ namespace OCP\Encryption; -// -// TODO: move exceptions to OCP -// + use OC\Encryption\Exceptions\ModuleDoesNotExistsException; use OC\Encryption\Exceptions\ModuleAlreadyExistsException; diff --git a/lib/public/iservercontainer.php b/lib/public/iservercontainer.php index 9e36bc31bed..509e5894d47 100644 --- a/lib/public/iservercontainer.php +++ b/lib/public/iservercontainer.php @@ -183,6 +183,11 @@ interface IServerContainer { */ function getEncryptionManager(); + /** + * @return \OC\Encryption\File + */ + function getEncryptionFilesHelper(); + /** * @param string $encryptionModuleId encryption module ID * -- cgit v1.2.3 From a057108c0c1ec77b6f61f6f387c0714c84653254 Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Wed, 1 Apr 2015 14:24:56 +0200 Subject: make recovery key work --- apps/encryption/appinfo/application.php | 1 + apps/encryption/controller/recoverycontroller.php | 3 + apps/encryption/hooks/userhooks.php | 23 ++++-- apps/encryption/lib/keymanager.php | 14 +++- apps/encryption/lib/recovery.php | 95 ++++++++++++----------- settings/changepassword/controller.php | 37 +++++++-- settings/users.php | 4 +- 7 files changed, 116 insertions(+), 61 deletions(-) (limited to 'apps/encryption/controller') diff --git a/apps/encryption/appinfo/application.php b/apps/encryption/appinfo/application.php index 955146f7182..0d1bd0d6bed 100644 --- a/apps/encryption/appinfo/application.php +++ b/apps/encryption/appinfo/application.php @@ -75,6 +75,7 @@ class Application extends \OCP\AppFramework\App { $server->getUserSession(), $container->query('Util'), new \OCA\Encryption\Session($server->getSession()), + $container->query('Crypt'), $container->query('Recovery')) ]); diff --git a/apps/encryption/controller/recoverycontroller.php b/apps/encryption/controller/recoverycontroller.php index d115feb8e39..24d7f5a06ed 100644 --- a/apps/encryption/controller/recoverycontroller.php +++ b/apps/encryption/controller/recoverycontroller.php @@ -142,6 +142,9 @@ class RecoveryController extends Controller { } } + /** + * @NoAdminRequired + */ public function userSetRecovery($userEnableRecovery) { if ($userEnableRecovery === '0' || $userEnableRecovery === '1') { diff --git a/apps/encryption/hooks/userhooks.php b/apps/encryption/hooks/userhooks.php index 330d8a873ba..3b56135c36b 100644 --- a/apps/encryption/hooks/userhooks.php +++ b/apps/encryption/hooks/userhooks.php @@ -25,6 +25,7 @@ namespace OCA\Encryption\Hooks; use OCP\Util as OCUtil; use OCA\Encryption\Hooks\Contracts\IHook; use OCA\Encryption\KeyManager; +use OCA\Encryption\Crypto\Crypt; use OCA\Encryption\Users\Setup; use OCP\App; use OCP\ILogger; @@ -62,6 +63,10 @@ class UserHooks implements IHook { * @var Recovery */ private $recovery; + /** + * @var Crypt + */ + private $crypt; /** * UserHooks constructor. @@ -72,6 +77,7 @@ class UserHooks implements IHook { * @param IUserSession $user * @param Util $util * @param Session $session + * @param Crypt $crypt * @param Recovery $recovery */ public function __construct(KeyManager $keyManager, @@ -80,6 +86,7 @@ class UserHooks implements IHook { IUserSession $user, Util $util, Session $session, + Crypt $crypt, Recovery $recovery) { $this->keyManager = $keyManager; @@ -89,6 +96,7 @@ class UserHooks implements IHook { $this->util = $util; $this->session = $session; $this->recovery = $recovery; + $this->crypt = $crypt; } /** @@ -214,7 +222,7 @@ class UserHooks implements IHook { // Save private key if ($encryptedPrivateKey) { - $this->setPrivateKey($this->user->getUser()->getUID(), + $this->keyManager->setPrivateKey($this->user->getUser()->getUID(), $encryptedPrivateKey); } else { $this->log->error('Encryption could not update users encryption password'); @@ -231,28 +239,31 @@ class UserHooks implements IHook { // ...we have a recovery password and the user enabled the recovery key // ...encryption was activated for the first time (no keys exists) // ...the user doesn't have any files - if (($util->recoveryEnabledForUser() && $recoveryPassword) || !$this->userHasKeys($user) || !$util->userHasFiles($user) + if ( + ($this->recovery->isRecoveryEnabledForUser($user) && $recoveryPassword) + || !$this->keyManager->userHasKeys($user) + || !$this->util->userHasFiles($user) ) { // backup old keys - $this->backupAllKeys('recovery'); + //$this->backupAllKeys('recovery'); $newUserPassword = $params['password']; $keyPair = $this->crypt->createKeyPair(); // Save public key - $this->setPublicKey($user, $keyPair['publicKey']); + $this->keyManager->setPublicKey($user, $keyPair['publicKey']); // Encrypt private key with new password $encryptedKey = $this->crypt->symmetricEncryptFileContent($keyPair['privateKey'], $newUserPassword); if ($encryptedKey) { - $this->setPrivateKey($user, $encryptedKey); + $this->keyManager->setPrivateKey($user, $encryptedKey); if ($recoveryPassword) { // if recovery key is set we can re-encrypt the key files - $this->recovery->recoverUsersFiles($recoveryPassword); + $this->recovery->recoverUsersFiles($recoveryPassword, $user); } } else { $this->log->error('Encryption Could not update users encryption password'); diff --git a/apps/encryption/lib/keymanager.php b/apps/encryption/lib/keymanager.php index f3f96b9ef21..4c5cb1365ea 100644 --- a/apps/encryption/lib/keymanager.php +++ b/apps/encryption/lib/keymanager.php @@ -206,7 +206,6 @@ class KeyManager { if ($encryptedKey) { $this->setPrivateKey($uid, $encryptedKey); - $this->config->setAppValue('encryption', 'recoveryAdminEnabled', 0); return true; } return false; @@ -355,6 +354,19 @@ class KeyManager { throw new FileKeyMissingException(); } + /** + * get the encrypted file key + * + * @param $path + * @return string + */ + public function getEncryptedFileKey($path) { + $encryptedFileKey = $this->keyStorage->getFileKey($path, + $this->fileKeyId); + + return $encryptedFileKey; + } + /** * delete share key * diff --git a/apps/encryption/lib/recovery.php b/apps/encryption/lib/recovery.php index 4201b829ec9..34acdd0a6e3 100644 --- a/apps/encryption/lib/recovery.php +++ b/apps/encryption/lib/recovery.php @@ -156,10 +156,15 @@ class Recovery { } /** + * check if recovery is enabled for user + * + * @param string $user if no user is given we check the current logged-in user + * * @return bool */ - public function recoveryEnabledForUser() { - $recoveryMode = $this->config->getUserValue($this->user->getUID(), + public function isRecoveryEnabledForUser($user = '') { + $uid = empty($user) ? $this->user->getUID() : $user; + $recoveryMode = $this->config->getUserValue($uid, 'encryption', 'recoveryEnabled', 0); @@ -167,6 +172,17 @@ class Recovery { return ($recoveryMode === '1'); } + /** + * check if recovery is key is enabled by the administrator + * + * @return bool + */ + public function isRecoveryKeyEnabled() { + $enabled = $this->config->getAppValue('encryption', 'recoveryAdminEnabled', 0); + + return ($enabled === '1'); + } + /** * @param string $value * @return bool @@ -234,15 +250,18 @@ class Recovery { } /** - * @param $recoveryPassword + * recover users files with the recovery key + * + * @param string $recoveryPassword + * @param string $user */ - public function recoverUsersFiles($recoveryPassword) { - $encryptedKey = $this->keyManager->getSystemPrivateKey(); + public function recoverUsersFiles($recoveryPassword, $user) { + $encryptedKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId()); $privateKey = $this->crypt->decryptPrivateKey($encryptedKey, $recoveryPassword); - $this->recoverAllFiles('/', $privateKey); + $this->recoverAllFiles('/' . $user . '/files/', $privateKey); } /** @@ -250,12 +269,12 @@ class Recovery { * @param $privateKey */ private function recoverAllFiles($path, $privateKey) { - $dirContent = $this->files->getDirectoryContent($path); + $dirContent = $this->view->getDirectoryContent($path); foreach ($dirContent as $item) { // Get relative path from encryption/keyfiles - $filePath = substr($item['path'], strlen('encryption/keys')); - if ($this->files->is_dir($this->user->getUID() . '/files' . '/' . $filePath)) { + $filePath = $item->getPath(); + if ($this->view->is_dir($filePath)) { $this->recoverAllFiles($filePath . '/', $privateKey); } else { $this->recoverFile($filePath, $privateKey); @@ -265,50 +284,32 @@ class Recovery { } /** - * @param $filePath - * @param $privateKey + * @param string $path + * @param string $privateKey */ - private function recoverFile($filePath, $privateKey) { - $sharingEnabled = Share::isEnabled(); - $uid = $this->user->getUID(); - - // Find out who, if anyone, is sharing the file - if ($sharingEnabled) { - $result = Share::getUsersSharingFile($filePath, - $uid, - true); - $userIds = $result['users']; - $userIds[] = 'public'; - } else { - $userIds = [ - $uid, - $this->recoveryKeyId - ]; + private function recoverFile($path, $privateKey) { + $encryptedFileKey = $this->keyManager->getEncryptedFileKey($path); + $shareKey = $this->keyManager->getShareKey($path, $this->keyManager->getRecoveryKeyId()); + + if ($encryptedFileKey && $shareKey && $privateKey) { + $fileKey = $this->crypt->multiKeyDecrypt($encryptedFileKey, + $shareKey, + $privateKey); } - $filteredUids = $this->filterShareReadyUsers($userIds); - // Decrypt file key - $encKeyFile = $this->keyManager->getFileKey($filePath, - $uid); - - $shareKey = $this->keyManager->getShareKey($filePath, - $uid); - - $plainKeyFile = $this->crypt->multiKeyDecrypt($encKeyFile, - $shareKey, - $privateKey); + if (!empty($fileKey)) { + $accessList = $this->file->getAccessList($path); + $publicKeys = array(); + foreach ($accessList['users'] as $uid) { + $publicKeys[$uid] = $this->keyManager->getPublicKey($uid); + } - // Encrypt the file key again to all users, this time with the new publick keyt for the recovered user - $userPublicKeys = $this->keyManager->getPublicKeys($filteredUids['ready']); - $multiEncryptionKey = $this->crypt->multiKeyEncrypt($plainKeyFile, - $userPublicKeys); + $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys); - $this->keyManager->setFileKey($multiEncryptionKey['data'], - $uid); + $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); + $this->keyManager->setAllFileKeys($path, $encryptedKeyfiles); + } - $this->keyManager->setShareKey($filePath, - $uid, - $multiEncryptionKey['keys']); } diff --git a/settings/changepassword/controller.php b/settings/changepassword/controller.php index 1be30b725df..f041cb5b29f 100644 --- a/settings/changepassword/controller.php +++ b/settings/changepassword/controller.php @@ -77,16 +77,43 @@ class Controller { exit(); } - if (\OC_App::isEnabled('files_encryption')) { + if (\OC_App::isEnabled('encryption')) { //handle the recovery case - $util = new \OCA\Files_Encryption\Util(new \OC\Files\View('/'), $username); - $recoveryAdminEnabled = \OC_Appconfig::getValue('files_encryption', 'recoveryAdminEnabled'); + $crypt = new \OCA\Encryption\Crypto\Crypt( + \OC::$server->getLogger(), + \OC::$server->getUserSession(), + \OC::$server->getConfig()); + $keyStorage = \OC::$server->getEncryptionKeyStorage(\OCA\Encryption\Crypto\Encryption::ID); + $util = new \OCA\Encryption\Util( + new \OC\Files\View(), + $crypt, + \OC::$server->getLogger(), + \OC::$server->getUserSession(), + \OC::$server->getConfig()); + $keyManager = new \OCA\Encryption\KeyManager( + $keyStorage, + $crypt, + \OC::$server->getConfig(), + \OC::$server->getUserSession(), + new \OCA\Encryption\Session(\OC::$server->getSession()), + \OC::$server->getLogger(), + $util); + $recovery = new \OCA\Encryption\Recovery( + \OC::$server->getUserSession(), + $crypt, + \OC::$server->getSecureRandom(), + $keyManager, + \OC::$server->getConfig(), + $keyStorage, + \OC::$server->getEncryptionFilesHelper(), + new \OC\Files\View()); + $recoveryAdminEnabled = $recovery->isRecoveryKeyEnabled(); $validRecoveryPassword = false; $recoveryEnabledForUser = false; if ($recoveryAdminEnabled) { - $validRecoveryPassword = $util->checkRecoveryPassword($recoveryPassword); - $recoveryEnabledForUser = $util->recoveryEnabledForUser(); + $validRecoveryPassword = $keyManager->checkRecoveryPassword($recoveryPassword); + $recoveryEnabledForUser = $recovery->isRecoveryEnabledForUser(); } if ($recoveryEnabledForUser && $recoveryPassword === '') { diff --git a/settings/users.php b/settings/users.php index 08498edec29..0fc9fbeafc2 100644 --- a/settings/users.php +++ b/settings/users.php @@ -45,8 +45,8 @@ $groupsInfo = new \OC\Group\MetaData(OC_User::getUser(), $isAdmin, $groupManager $groupsInfo->setSorting($groupsInfo::SORT_USERCOUNT); list($adminGroup, $groups) = $groupsInfo->get(); -$recoveryAdminEnabled = OC_App::isEnabled('files_encryption') && - $config->getAppValue( 'files_encryption', 'recoveryAdminEnabled', null ); +$recoveryAdminEnabled = OC_App::isEnabled('encryption') && + $config->getAppValue( 'encryption', 'recoveryAdminEnabled', null ); if($isAdmin) { $subadmins = OC_SubAdmin::getAllSubAdmins(); -- cgit v1.2.3 From b9e4e61759b4cc3cdf5c0cabd8e5a8d6828d5528 Mon Sep 17 00:00:00 2001 From: Bjoern Schiessle Date: Thu, 2 Apr 2015 17:36:51 +0200 Subject: userRecovery() was replaced by setRecoveryForUser() --- apps/encryption/appinfo/routes.php | 5 ----- apps/encryption/controller/recoverycontroller.php | 12 ------------ 2 files changed, 17 deletions(-) (limited to 'apps/encryption/controller') diff --git a/apps/encryption/appinfo/routes.php b/apps/encryption/appinfo/routes.php index 1a6cf18fbed..d4867f5fdaa 100644 --- a/apps/encryption/appinfo/routes.php +++ b/apps/encryption/appinfo/routes.php @@ -29,11 +29,6 @@ namespace OCA\Encryption\AppInfo; 'url' => '/ajax/adminRecovery', 'verb' => 'POST' ], - [ - 'name' => 'Recovery#userRecovery', - 'url' => '/ajax/userRecovery', - 'verb' => 'POST' - ], [ 'name' => 'Recovery#changeRecoveryPassword', 'url' => '/ajax/changeRecoveryPassword', diff --git a/apps/encryption/controller/recoverycontroller.php b/apps/encryption/controller/recoverycontroller.php index 24d7f5a06ed..da55d81f63a 100644 --- a/apps/encryption/controller/recoverycontroller.php +++ b/apps/encryption/controller/recoverycontroller.php @@ -130,18 +130,6 @@ class RecoveryController extends Controller { } } - public function userRecovery($userEnableRecovery) { - if (isset($userEnableRecovery) && ($userEnableRecovery === '0' || $userEnableRecovery === '1')) { - $userId = $this->user->getUID(); - if ($userEnableRecovery === '1') { - // Todo xxx figure out if we need keyid's here or what. - return $this->recovery->addRecoveryKeys(); - } - // Todo xxx see :98 - return $this->recovery->removeRecoveryKeys(); - } - } - /** * @NoAdminRequired */ -- cgit v1.2.3