New SSE key format
* Encrypt the keys with the instance secret * Store them as json (so we can add other things if needed) Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
parent
886466d510
commit
5340ab3a75
|
@ -0,0 +1,261 @@
|
|||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
/**
|
||||
* @copyright Copyright (c) 2020, Roeland Jago Douma <roeland@famdouma.nl>
|
||||
*
|
||||
* @author Roeland Jago Douma <roeland@famdouma.nl>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
|
||||
namespace OC\Core\Command\Encryption;
|
||||
|
||||
use OC\Encryption\Keys\Storage;
|
||||
use OC\Encryption\Util;
|
||||
use OC\Files\View;
|
||||
use OCP\IConfig;
|
||||
use OCP\IUserManager;
|
||||
use OCP\Security\ICrypto;
|
||||
use Symfony\Component\Console\Command\Command;
|
||||
use Symfony\Component\Console\Helper\ProgressBar;
|
||||
use Symfony\Component\Console\Helper\QuestionHelper;
|
||||
use Symfony\Component\Console\Input\InputInterface;
|
||||
use Symfony\Component\Console\Output\OutputInterface;
|
||||
|
||||
class MigrateKeyStorage extends Command {
|
||||
|
||||
/** @var View */
|
||||
protected $rootView;
|
||||
|
||||
/** @var IUserManager */
|
||||
protected $userManager;
|
||||
|
||||
/** @var IConfig */
|
||||
protected $config;
|
||||
|
||||
/** @var Util */
|
||||
protected $util;
|
||||
|
||||
/** @var QuestionHelper */
|
||||
protected $questionHelper;
|
||||
/**
|
||||
* @var ICrypto
|
||||
*/
|
||||
private $crypto;
|
||||
|
||||
public function __construct(View $view, IUserManager $userManager, IConfig $config, Util $util, ICrypto $crypto) {
|
||||
parent::__construct();
|
||||
$this->rootView = $view;
|
||||
$this->userManager = $userManager;
|
||||
$this->config = $config;
|
||||
$this->util = $util;
|
||||
$this->crypto = $crypto;
|
||||
}
|
||||
|
||||
protected function configure() {
|
||||
parent::configure();
|
||||
$this
|
||||
->setName('encryption:migrate-key-storage-format')
|
||||
->setDescription('Migrate the format of the keystorage to a newer format');
|
||||
}
|
||||
|
||||
protected function execute(InputInterface $input, OutputInterface $output): int {
|
||||
$root = $this->util->getKeyStorageRoot();
|
||||
|
||||
$output->writeln("Updating key storage format");
|
||||
$this->updateKeys($root, $output);
|
||||
$output->writeln("Key storage format successfully updated");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* move keys to new key storage root
|
||||
*
|
||||
* @param string $root
|
||||
* @param OutputInterface $output
|
||||
* @return bool
|
||||
* @throws \Exception
|
||||
*/
|
||||
protected function updateKeys(string $root, OutputInterface $output) {
|
||||
$output->writeln("Start to update the keys:");
|
||||
|
||||
$this->updateSystemKeys($root);
|
||||
$this->updateUsersKeys($root, $output);
|
||||
$this->config->deleteSystemValue('encryption.key_storage_migrated');
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* move system key folder
|
||||
*
|
||||
* @param string $root
|
||||
*/
|
||||
protected function updateSystemKeys($root) {
|
||||
if (!$this->rootView->is_dir($root . '/files_encryption')) {
|
||||
return;
|
||||
}
|
||||
|
||||
$this->traverseKeys($root . '/files_encryption', null);
|
||||
}
|
||||
|
||||
private function traverseKeys(string $folder, ?string $uid) {
|
||||
$listing = $this->rootView->getDirectoryContent($folder);
|
||||
|
||||
foreach ($listing as $node) {
|
||||
if ($node['mimetype'] === 'httpd/unix-directory') {
|
||||
//ignore
|
||||
} else {
|
||||
$endsWith = function ($haystack, $needle) {
|
||||
$length = strlen($needle);
|
||||
if ($length === 0) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return (substr($haystack, -$length) === $needle);
|
||||
};
|
||||
|
||||
if ($node['name'] === 'fileKey' ||
|
||||
$endsWith($node['name'], '.privateKey') ||
|
||||
$endsWith($node['name'], '.publicKey') ||
|
||||
$endsWith($node['name'], '.shareKey')) {
|
||||
$path = $folder . '/' . $node['name'];
|
||||
|
||||
$content = $this->rootView->file_get_contents($path);
|
||||
|
||||
try {
|
||||
$this->crypto->decrypt($content);
|
||||
continue;
|
||||
} catch (\Exception $e) {
|
||||
// Ignore we now update the data.
|
||||
}
|
||||
|
||||
$data = [
|
||||
'key' => base64_encode($content),
|
||||
'uid' => $uid,
|
||||
];
|
||||
|
||||
$enc = $this->crypto->encrypt(json_encode($data));
|
||||
$this->rootView->file_put_contents($path, $enc);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private function traverseFileKeys(string $folder) {
|
||||
$listing = $this->rootView->getDirectoryContent($folder);
|
||||
|
||||
foreach ($listing as $node) {
|
||||
if ($node['mimetype'] === 'httpd/unix-directory') {
|
||||
$this->traverseFileKeys($folder . '/' . $node['name']);
|
||||
} else {
|
||||
$endsWith = function ($haystack, $needle) {
|
||||
$length = strlen($needle);
|
||||
if ($length === 0) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return (substr($haystack, -$length) === $needle);
|
||||
};
|
||||
|
||||
if ($node['name'] === 'fileKey' ||
|
||||
$endsWith($node['name'], '.privateKey') ||
|
||||
$endsWith($node['name'], '.publicKey') ||
|
||||
$endsWith($node['name'], '.shareKey')) {
|
||||
$path = $folder . '/' . $node['name'];
|
||||
|
||||
$content = $this->rootView->file_get_contents($path);
|
||||
|
||||
try {
|
||||
$this->crypto->decrypt($content);
|
||||
continue;
|
||||
} catch (\Exception $e) {
|
||||
// Ignore we now update the data.
|
||||
}
|
||||
|
||||
$data = [
|
||||
'key' => base64_encode($content)
|
||||
];
|
||||
|
||||
$enc = $this->crypto->encrypt(json_encode($data));
|
||||
$this->rootView->file_put_contents($path, $enc);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* setup file system for the given user
|
||||
*
|
||||
* @param string $uid
|
||||
*/
|
||||
protected function setupUserFS($uid) {
|
||||
\OC_Util::tearDownFS();
|
||||
\OC_Util::setupFS($uid);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* iterate over each user and move the keys to the new storage
|
||||
*
|
||||
* @param string $root
|
||||
* @param OutputInterface $output
|
||||
*/
|
||||
protected function updateUsersKeys(string $root, OutputInterface $output) {
|
||||
$progress = new ProgressBar($output);
|
||||
$progress->start();
|
||||
|
||||
foreach ($this->userManager->getBackends() as $backend) {
|
||||
$limit = 500;
|
||||
$offset = 0;
|
||||
do {
|
||||
$users = $backend->getUsers('', $limit, $offset);
|
||||
foreach ($users as $user) {
|
||||
$progress->advance();
|
||||
$this->setupUserFS($user);
|
||||
$this->updateUserKeys($root, $user);
|
||||
}
|
||||
$offset += $limit;
|
||||
} while (count($users) >= $limit);
|
||||
}
|
||||
$progress->finish();
|
||||
}
|
||||
|
||||
/**
|
||||
* move user encryption folder to new root folder
|
||||
*
|
||||
* @param string $root
|
||||
* @param string $user
|
||||
* @throws \Exception
|
||||
*/
|
||||
protected function updateUserKeys(string $root, string $user) {
|
||||
if ($this->userManager->userExists($user)) {
|
||||
$source = $root . '/' . $user . '/files_encryption/OC_DEFAULT_MODULE';
|
||||
if ($this->rootView->is_dir($source)) {
|
||||
$this->traverseKeys($source, $user);
|
||||
}
|
||||
|
||||
$source = $root . '/' . $user . '/files_encryption/keys';
|
||||
if ($this->rootView->is_dir($source)) {
|
||||
$this->traverseFileKeys($source);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -139,6 +139,14 @@ if (\OC::$server->getConfig()->getSystemValue('installed', false)) {
|
|||
)
|
||||
);
|
||||
$application->add(new OC\Core\Command\Encryption\ShowKeyStorageRoot($util));
|
||||
$application->add(new OC\Core\Command\Encryption\MigrateKeyStorage(
|
||||
$view,
|
||||
\OC::$server->getUserManager(),
|
||||
\OC::$server->getConfig(),
|
||||
$util,
|
||||
\OC::$server->getCrypto()
|
||||
)
|
||||
);
|
||||
|
||||
$application->add(new OC\Core\Command\Maintenance\DataFingerprint(\OC::$server->getConfig(), new \OC\AppFramework\Utility\TimeFactory()));
|
||||
$application->add(new OC\Core\Command\Maintenance\Mimetype\UpdateDB(\OC::$server->getMimeTypeDetector(), \OC::$server->getMimeTypeLoader()));
|
||||
|
|
|
@ -808,6 +808,7 @@ return array(
|
|||
'OC\\Core\\Command\\Encryption\\Enable' => $baseDir . '/core/Command/Encryption/Enable.php',
|
||||
'OC\\Core\\Command\\Encryption\\EncryptAll' => $baseDir . '/core/Command/Encryption/EncryptAll.php',
|
||||
'OC\\Core\\Command\\Encryption\\ListModules' => $baseDir . '/core/Command/Encryption/ListModules.php',
|
||||
'OC\\Core\\Command\\Encryption\\MigrateKeyStorage' => $baseDir . '/core/Command/Encryption/MigrateKeyStorage.php',
|
||||
'OC\\Core\\Command\\Encryption\\SetDefaultModule' => $baseDir . '/core/Command/Encryption/SetDefaultModule.php',
|
||||
'OC\\Core\\Command\\Encryption\\ShowKeyStorageRoot' => $baseDir . '/core/Command/Encryption/ShowKeyStorageRoot.php',
|
||||
'OC\\Core\\Command\\Encryption\\Status' => $baseDir . '/core/Command/Encryption/Status.php',
|
||||
|
@ -1248,6 +1249,7 @@ return array(
|
|||
'OC\\Repair\\NC16\\ClearCollectionsAccessCache' => $baseDir . '/lib/private/Repair/NC16/ClearCollectionsAccessCache.php',
|
||||
'OC\\Repair\\NC18\\ResetGeneratedAvatarFlag' => $baseDir . '/lib/private/Repair/NC18/ResetGeneratedAvatarFlag.php',
|
||||
'OC\\Repair\\NC20\\EncryptionLegacyCipher' => $baseDir . '/lib/private/Repair/NC20/EncryptionLegacyCipher.php',
|
||||
'OC\\Repair\\NC20\\EncryptionMigration' => $baseDir . '/lib/private/Repair/NC20/EncryptionMigration.php',
|
||||
'OC\\Repair\\OldGroupMembershipShares' => $baseDir . '/lib/private/Repair/OldGroupMembershipShares.php',
|
||||
'OC\\Repair\\Owncloud\\DropAccountTermsTable' => $baseDir . '/lib/private/Repair/Owncloud/DropAccountTermsTable.php',
|
||||
'OC\\Repair\\Owncloud\\SaveAccountsTableData' => $baseDir . '/lib/private/Repair/Owncloud/SaveAccountsTableData.php',
|
||||
|
|
|
@ -837,6 +837,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
|
|||
'OC\\Core\\Command\\Encryption\\Enable' => __DIR__ . '/../../..' . '/core/Command/Encryption/Enable.php',
|
||||
'OC\\Core\\Command\\Encryption\\EncryptAll' => __DIR__ . '/../../..' . '/core/Command/Encryption/EncryptAll.php',
|
||||
'OC\\Core\\Command\\Encryption\\ListModules' => __DIR__ . '/../../..' . '/core/Command/Encryption/ListModules.php',
|
||||
'OC\\Core\\Command\\Encryption\\MigrateKeyStorage' => __DIR__ . '/../../..' . '/core/Command/Encryption/MigrateKeyStorage.php',
|
||||
'OC\\Core\\Command\\Encryption\\SetDefaultModule' => __DIR__ . '/../../..' . '/core/Command/Encryption/SetDefaultModule.php',
|
||||
'OC\\Core\\Command\\Encryption\\ShowKeyStorageRoot' => __DIR__ . '/../../..' . '/core/Command/Encryption/ShowKeyStorageRoot.php',
|
||||
'OC\\Core\\Command\\Encryption\\Status' => __DIR__ . '/../../..' . '/core/Command/Encryption/Status.php',
|
||||
|
@ -1277,6 +1278,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
|
|||
'OC\\Repair\\NC16\\ClearCollectionsAccessCache' => __DIR__ . '/../../..' . '/lib/private/Repair/NC16/ClearCollectionsAccessCache.php',
|
||||
'OC\\Repair\\NC18\\ResetGeneratedAvatarFlag' => __DIR__ . '/../../..' . '/lib/private/Repair/NC18/ResetGeneratedAvatarFlag.php',
|
||||
'OC\\Repair\\NC20\\EncryptionLegacyCipher' => __DIR__ . '/../../..' . '/lib/private/Repair/NC20/EncryptionLegacyCipher.php',
|
||||
'OC\\Repair\\NC20\\EncryptionMigration' => __DIR__ . '/../../..' . '/lib/private/Repair/NC20/EncryptionMigration.php',
|
||||
'OC\\Repair\\OldGroupMembershipShares' => __DIR__ . '/../../..' . '/lib/private/Repair/OldGroupMembershipShares.php',
|
||||
'OC\\Repair\\Owncloud\\DropAccountTermsTable' => __DIR__ . '/../../..' . '/lib/private/Repair/Owncloud/DropAccountTermsTable.php',
|
||||
'OC\\Repair\\Owncloud\\SaveAccountsTableData' => __DIR__ . '/../../..' . '/lib/private/Repair/Owncloud/SaveAccountsTableData.php',
|
||||
|
|
|
@ -31,8 +31,11 @@ namespace OC\Encryption\Keys;
|
|||
use OC\Encryption\Util;
|
||||
use OC\Files\Filesystem;
|
||||
use OC\Files\View;
|
||||
use OC\ServerNotAvailableException;
|
||||
use OC\User\NoUserException;
|
||||
use OCP\Encryption\Keys\IStorage;
|
||||
use OCP\IConfig;
|
||||
use OCP\Security\ICrypto;
|
||||
|
||||
class Storage implements IStorage {
|
||||
|
||||
|
@ -62,11 +65,17 @@ class Storage implements IStorage {
|
|||
/** @var array */
|
||||
private $keyCache = [];
|
||||
|
||||
/** @var ICrypto */
|
||||
private $crypto;
|
||||
|
||||
/** @var IConfig */
|
||||
private $config;
|
||||
|
||||
/**
|
||||
* @param View $view
|
||||
* @param Util $util
|
||||
*/
|
||||
public function __construct(View $view, Util $util) {
|
||||
public function __construct(View $view, Util $util, ICrypto $crypto, IConfig $config) {
|
||||
$this->view = $view;
|
||||
$this->util = $util;
|
||||
|
||||
|
@ -74,6 +83,8 @@ class Storage implements IStorage {
|
|||
$this->keys_base_dir = $this->encryption_base_dir .'/keys';
|
||||
$this->backup_base_dir = $this->encryption_base_dir .'/backup';
|
||||
$this->root_dir = $this->util->getKeyStorageRoot();
|
||||
$this->crypto = $crypto;
|
||||
$this->config = $config;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -81,7 +92,7 @@ class Storage implements IStorage {
|
|||
*/
|
||||
public function getUserKey($uid, $keyId, $encryptionModuleId) {
|
||||
$path = $this->constructUserKeyPath($encryptionModuleId, $keyId, $uid);
|
||||
return $this->getKey($path);
|
||||
return base64_decode($this->getKeyWithUid($path, $uid));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -90,17 +101,17 @@ class Storage implements IStorage {
|
|||
public function getFileKey($path, $keyId, $encryptionModuleId) {
|
||||
$realFile = $this->util->stripPartialFileExtension($path);
|
||||
$keyDir = $this->getFileKeyDir($encryptionModuleId, $realFile);
|
||||
$key = $this->getKey($keyDir . $keyId);
|
||||
$key = $this->getKey($keyDir . $keyId)['key'];
|
||||
|
||||
if ($key === '' && $realFile !== $path) {
|
||||
// Check if the part file has keys and use them, if no normal keys
|
||||
// exist. This is required to fix copyBetweenStorage() when we
|
||||
// rename a .part file over storage borders.
|
||||
$keyDir = $this->getFileKeyDir($encryptionModuleId, $path);
|
||||
$key = $this->getKey($keyDir . $keyId);
|
||||
$key = $this->getKey($keyDir . $keyId)['key'];
|
||||
}
|
||||
|
||||
return $key;
|
||||
return base64_decode($key);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -108,7 +119,7 @@ class Storage implements IStorage {
|
|||
*/
|
||||
public function getSystemUserKey($keyId, $encryptionModuleId) {
|
||||
$path = $this->constructUserKeyPath($encryptionModuleId, $keyId, null);
|
||||
return $this->getKey($path);
|
||||
return base64_decode($this->getKeyWithUid($path, null));
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -116,7 +127,10 @@ class Storage implements IStorage {
|
|||
*/
|
||||
public function setUserKey($uid, $keyId, $key, $encryptionModuleId) {
|
||||
$path = $this->constructUserKeyPath($encryptionModuleId, $keyId, $uid);
|
||||
return $this->setKey($path, $key);
|
||||
return $this->setKey($path, [
|
||||
'key' => base64_encode($key),
|
||||
'uid' => $uid,
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -124,7 +138,9 @@ class Storage implements IStorage {
|
|||
*/
|
||||
public function setFileKey($path, $keyId, $key, $encryptionModuleId) {
|
||||
$keyDir = $this->getFileKeyDir($encryptionModuleId, $path);
|
||||
return $this->setKey($keyDir . $keyId, $key);
|
||||
return $this->setKey($keyDir . $keyId, [
|
||||
'key' => base64_encode($key),
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -132,7 +148,10 @@ class Storage implements IStorage {
|
|||
*/
|
||||
public function setSystemUserKey($keyId, $key, $encryptionModuleId) {
|
||||
$path = $this->constructUserKeyPath($encryptionModuleId, $keyId, null);
|
||||
return $this->setKey($path, $key);
|
||||
return $this->setKey($path, [
|
||||
'key' => base64_encode($key),
|
||||
'uid' => null,
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -199,20 +218,107 @@ class Storage implements IStorage {
|
|||
return \OC\Files\Filesystem::normalizePath($path);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $path
|
||||
* @param string|null $uid
|
||||
* @return string
|
||||
* @throws ServerNotAvailableException
|
||||
*
|
||||
* Small helper function to fetch the key and verify the value for user and system keys
|
||||
*/
|
||||
private function getKeyWithUid(string $path, ?string $uid): string {
|
||||
$data = $this->getKey($path);
|
||||
|
||||
if (!isset($data['key'])) {
|
||||
throw new ServerNotAvailableException('Key is invalid');
|
||||
}
|
||||
|
||||
if ($data['key'] === '') {
|
||||
return '';
|
||||
}
|
||||
|
||||
if (!array_key_exists('uid', $data) || $data['uid'] !== $uid) {
|
||||
// If the migration is done we error out
|
||||
$versionFromBeforeUpdate = $this->config->getSystemValue('version', '0.0.0.0');
|
||||
if (version_compare($versionFromBeforeUpdate, '20.0.0.1', '<=')) {
|
||||
return $data['key'];
|
||||
}
|
||||
|
||||
if ($this->config->getSystemValueBool('encryption.key_storage_migrated', true)) {
|
||||
throw new ServerNotAvailableException('Key has been modified');
|
||||
} else {
|
||||
//Otherwise we migrate
|
||||
$data['uid'] = $uid;
|
||||
$this->setKey($path, $data);
|
||||
}
|
||||
}
|
||||
|
||||
return $data['key'];
|
||||
}
|
||||
|
||||
/**
|
||||
* read key from hard disk
|
||||
*
|
||||
* @param string $path to key
|
||||
* @return string
|
||||
* @return array containing key as base64encoded key, and possible the uid
|
||||
*/
|
||||
private function getKey($path) {
|
||||
$key = '';
|
||||
private function getKey($path): array {
|
||||
$key = [
|
||||
'key' => '',
|
||||
];
|
||||
|
||||
if ($this->view->file_exists($path)) {
|
||||
if (isset($this->keyCache[$path])) {
|
||||
$key = $this->keyCache[$path];
|
||||
} else {
|
||||
$key = $this->view->file_get_contents($path);
|
||||
$data = $this->view->file_get_contents($path);
|
||||
|
||||
// Version <20.0.0.1 doesn't have this
|
||||
$versionFromBeforeUpdate = $this->config->getSystemValue('version', '0.0.0.0');
|
||||
if (version_compare($versionFromBeforeUpdate, '20.0.0.1', '<=')) {
|
||||
$key = [
|
||||
'key' => base64_encode($data),
|
||||
];
|
||||
} else {
|
||||
if ($this->config->getSystemValueBool('encryption.key_storage_migrated', true)) {
|
||||
try {
|
||||
$clearData = $this->crypto->decrypt($data);
|
||||
} catch (\Exception $e) {
|
||||
throw new ServerNotAvailableException('Could not decrypt key', 0, $e);
|
||||
}
|
||||
|
||||
$dataArray = json_decode($clearData, true);
|
||||
if ($dataArray === null) {
|
||||
throw new ServerNotAvailableException('Invalid encryption key');
|
||||
}
|
||||
|
||||
$key = $dataArray;
|
||||
} else {
|
||||
/*
|
||||
* Even if not all keys are migrated we should still try to decrypt it (in case some have moved).
|
||||
* However it is only a failure now if it is an array and decryption fails
|
||||
*/
|
||||
$fallback = false;
|
||||
try {
|
||||
$clearData = $this->crypto->decrypt($data);
|
||||
} catch (\Exception $e) {
|
||||
$fallback = true;
|
||||
}
|
||||
|
||||
if (!$fallback) {
|
||||
$dataArray = json_decode($clearData, true);
|
||||
if ($dataArray === null) {
|
||||
throw new ServerNotAvailableException('Invalid encryption key');
|
||||
}
|
||||
$key = $dataArray;
|
||||
} else {
|
||||
$key = [
|
||||
'key' => base64_encode($data),
|
||||
];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$this->keyCache[$path] = $key;
|
||||
}
|
||||
}
|
||||
|
@ -225,13 +331,23 @@ class Storage implements IStorage {
|
|||
*
|
||||
*
|
||||
* @param string $path path to key directory
|
||||
* @param string $key key
|
||||
* @param array $key key
|
||||
* @return bool
|
||||
*/
|
||||
private function setKey($path, $key) {
|
||||
$this->keySetPreparation(dirname($path));
|
||||
|
||||
$result = $this->view->file_put_contents($path, $key);
|
||||
$versionFromBeforeUpdate = $this->config->getSystemValue('version', '0.0.0.0');
|
||||
if (version_compare($versionFromBeforeUpdate, '20.0.0.1', '<=')) {
|
||||
// Only store old format if this happens during the migration.
|
||||
// TODO: Remove for 21
|
||||
$data = base64_decode($key['key']);
|
||||
} else {
|
||||
// Wrap the data
|
||||
$data = $this->crypto->encrypt(json_encode($key));
|
||||
}
|
||||
|
||||
$result = $this->view->file_put_contents($path, $data);
|
||||
|
||||
if (is_int($result) && $result > 0) {
|
||||
$this->keyCache[$path] = $key;
|
||||
|
|
|
@ -49,6 +49,7 @@ use OC\Repair\NC16\CleanupCardDAVPhotoCache;
|
|||
use OC\Repair\NC16\ClearCollectionsAccessCache;
|
||||
use OC\Repair\NC18\ResetGeneratedAvatarFlag;
|
||||
use OC\Repair\NC20\EncryptionLegacyCipher;
|
||||
use OC\Repair\NC20\EncryptionMigration;
|
||||
use OC\Repair\OldGroupMembershipShares;
|
||||
use OC\Repair\Owncloud\DropAccountTermsTable;
|
||||
use OC\Repair\Owncloud\SaveAccountsTableData;
|
||||
|
@ -158,6 +159,7 @@ class Repair implements IOutput {
|
|||
new ClearCollectionsAccessCache(\OC::$server->getConfig(), \OC::$server->query(IManager::class)),
|
||||
\OC::$server->query(ResetGeneratedAvatarFlag::class),
|
||||
\OC::$server->query(EncryptionLegacyCipher::class),
|
||||
\OC::$server->query(EncryptionMigration::class),
|
||||
];
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,62 @@
|
|||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
/**
|
||||
* @copyright Copyright (c) 2020, Roeland Jago Douma <roeland@famdouma.nl>
|
||||
*
|
||||
* @author Roeland Jago Douma <roeland@famdouma.nl>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OC\Repair\NC20;
|
||||
|
||||
use OCP\Encryption\IManager;
|
||||
use OCP\IConfig;
|
||||
use OCP\Migration\IOutput;
|
||||
use OCP\Migration\IRepairStep;
|
||||
|
||||
class EncryptionMigration implements IRepairStep {
|
||||
|
||||
/** @var IConfig */
|
||||
private $config;
|
||||
/** @var IManager */
|
||||
private $manager;
|
||||
|
||||
public function __construct(IConfig $config,
|
||||
IManager $manager) {
|
||||
$this->config = $config;
|
||||
$this->manager = $manager;
|
||||
}
|
||||
|
||||
public function getName(): string {
|
||||
return 'Check encryption key format';
|
||||
}
|
||||
|
||||
private function shouldRun(): bool {
|
||||
$versionFromBeforeUpdate = $this->config->getSystemValue('version', '0.0.0.0');
|
||||
return version_compare($versionFromBeforeUpdate, '20.0.0.1', '<=');
|
||||
}
|
||||
|
||||
public function run(IOutput $output): void {
|
||||
if ($this->manager->isEnabled()) {
|
||||
if ($this->config->getSystemValue('encryption.key_storage_migrated', '') === '') {
|
||||
$this->config->setSystemValue('encryption.key_storage_migrated', false);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
|
@ -348,7 +348,7 @@ class Server extends ServerContainer implements IServerContainer {
|
|||
$c->getConfig()
|
||||
);
|
||||
|
||||
return new Encryption\Keys\Storage($view, $util);
|
||||
return new Encryption\Keys\Storage($view, $util, $c->getCrypto(), $c->getConfig());
|
||||
});
|
||||
/** @deprecated 20.0.0 */
|
||||
$this->registerDeprecatedAlias('TagMapper', TagMapper::class);
|
||||
|
|
|
@ -26,6 +26,8 @@ namespace Test\Encryption\Keys;
|
|||
use OC\Encryption\Keys\Storage;
|
||||
use OC\Files\View;
|
||||
use OCP\IConfig;
|
||||
use OCP\Security\ICrypto;
|
||||
use PHPUnit\Framework\MockObject\MockObject;
|
||||
use Test\TestCase;
|
||||
|
||||
class StorageTest extends TestCase {
|
||||
|
@ -42,6 +44,9 @@ class StorageTest extends TestCase {
|
|||
/** @var \PHPUnit\Framework\MockObject\MockObject */
|
||||
protected $config;
|
||||
|
||||
/** @var MockObject|ICrypto */
|
||||
protected $crypto;
|
||||
|
||||
protected function setUp(): void {
|
||||
parent::setUp();
|
||||
|
||||
|
@ -53,14 +58,27 @@ class StorageTest extends TestCase {
|
|||
->disableOriginalConstructor()
|
||||
->getMock();
|
||||
|
||||
$this->crypto = $this->createMock(ICrypto::class);
|
||||
$this->crypto->method('encrypt')
|
||||
->willReturnCallback(function ($data, $pass) {
|
||||
return $data;
|
||||
});
|
||||
$this->crypto->method('decrypt')
|
||||
->willReturnCallback(function ($data, $pass) {
|
||||
return $data;
|
||||
});
|
||||
|
||||
$this->config = $this->getMockBuilder(IConfig::class)
|
||||
->disableOriginalConstructor()
|
||||
->getMock();
|
||||
|
||||
$this->storage = new Storage($this->view, $this->util);
|
||||
$this->storage = new Storage($this->view, $this->util, $this->crypto, $this->config);
|
||||
}
|
||||
|
||||
public function testSetFileKey() {
|
||||
$this->config->method('getSystemValue')
|
||||
->with('version')
|
||||
->willReturn('20.0.0.2');
|
||||
$this->util->expects($this->any())
|
||||
->method('getUidAndFilename')
|
||||
->willReturn(['user1', '/files/foo.txt']);
|
||||
|
@ -70,6 +88,34 @@ class StorageTest extends TestCase {
|
|||
$this->util->expects($this->any())
|
||||
->method('isSystemWideMountPoint')
|
||||
->willReturn(false);
|
||||
|
||||
$data = json_encode(['key' => base64_encode('key')]);
|
||||
$this->view->expects($this->once())
|
||||
->method('file_put_contents')
|
||||
->with($this->equalTo('/user1/files_encryption/keys/files/foo.txt/encModule/fileKey'),
|
||||
$this->equalTo($data))
|
||||
->willReturn(strlen($data));
|
||||
|
||||
$this->assertTrue(
|
||||
$this->storage->setFileKey('user1/files/foo.txt', 'fileKey', 'key', 'encModule')
|
||||
);
|
||||
}
|
||||
|
||||
public function testSetFileOld() {
|
||||
$this->config->method('getSystemValue')
|
||||
->with('version')
|
||||
->willReturn('20.0.0.0');
|
||||
$this->util->expects($this->any())
|
||||
->method('getUidAndFilename')
|
||||
->willReturn(['user1', '/files/foo.txt']);
|
||||
$this->util->expects($this->any())
|
||||
->method('stripPartialFileExtension')
|
||||
->willReturnArgument(0);
|
||||
$this->util->expects($this->any())
|
||||
->method('isSystemWideMountPoint')
|
||||
->willReturn(false);
|
||||
$this->crypto->expects($this->never())
|
||||
->method('encrypt');
|
||||
$this->view->expects($this->once())
|
||||
->method('file_put_contents')
|
||||
->with($this->equalTo('/user1/files_encryption/keys/files/foo.txt/encModule/fileKey'),
|
||||
|
@ -98,6 +144,9 @@ class StorageTest extends TestCase {
|
|||
* @param string $expectedKeyContent
|
||||
*/
|
||||
public function testGetFileKey($path, $strippedPartialName, $originalKeyExists, $expectedKeyContent) {
|
||||
$this->config->method('getSystemValue')
|
||||
->with('version')
|
||||
->willReturn('20.0.0.2');
|
||||
$this->util->expects($this->any())
|
||||
->method('getUidAndFilename')
|
||||
->willReturnMap([
|
||||
|
@ -118,6 +167,11 @@ class StorageTest extends TestCase {
|
|||
->with($this->equalTo('/user1/files_encryption/keys' . $strippedPartialName . '/encModule/fileKey'))
|
||||
->willReturn($originalKeyExists);
|
||||
|
||||
$this->crypto->method('decrypt')
|
||||
->willReturnCallback(function ($data, $pass) {
|
||||
return $data;
|
||||
});
|
||||
|
||||
if (!$originalKeyExists) {
|
||||
$this->view->expects($this->at(1))
|
||||
->method('file_exists')
|
||||
|
@ -127,12 +181,12 @@ class StorageTest extends TestCase {
|
|||
$this->view->expects($this->once())
|
||||
->method('file_get_contents')
|
||||
->with($this->equalTo('/user1/files_encryption/keys' . $path . '/encModule/fileKey'))
|
||||
->willReturn('key2');
|
||||
->willReturn(json_encode(['key' => base64_encode('key2')]));
|
||||
} else {
|
||||
$this->view->expects($this->once())
|
||||
->method('file_get_contents')
|
||||
->with($this->equalTo('/user1/files_encryption/keys' . $strippedPartialName . '/encModule/fileKey'))
|
||||
->willReturn('key');
|
||||
->willReturn(json_encode(['key' => base64_encode('key')]));
|
||||
}
|
||||
|
||||
$this->assertSame($expectedKeyContent,
|
||||
|
@ -141,6 +195,10 @@ class StorageTest extends TestCase {
|
|||
}
|
||||
|
||||
public function testSetFileKeySystemWide() {
|
||||
$this->config->method('getSystemValue')
|
||||
->with('version')
|
||||
->willReturn('20.0.0.2');
|
||||
|
||||
$this->util->expects($this->any())
|
||||
->method('getUidAndFilename')
|
||||
->willReturn(['user1', '/files/foo.txt']);
|
||||
|
@ -150,11 +208,18 @@ class StorageTest extends TestCase {
|
|||
$this->util->expects($this->any())
|
||||
->method('stripPartialFileExtension')
|
||||
->willReturnArgument(0);
|
||||
|
||||
$this->crypto->method('encrypt')
|
||||
->willReturnCallback(function ($data, $pass) {
|
||||
return $data;
|
||||
});
|
||||
|
||||
$data = json_encode(['key' => base64_encode('key')]);
|
||||
$this->view->expects($this->once())
|
||||
->method('file_put_contents')
|
||||
->with($this->equalTo('/files_encryption/keys/files/foo.txt/encModule/fileKey'),
|
||||
$this->equalTo('key'))
|
||||
->willReturn(strlen('key'));
|
||||
$this->equalTo($data))
|
||||
->willReturn(strlen($data));
|
||||
|
||||
$this->assertTrue(
|
||||
$this->storage->setFileKey('user1/files/foo.txt', 'fileKey', 'key', 'encModule')
|
||||
|
@ -162,6 +227,10 @@ class StorageTest extends TestCase {
|
|||
}
|
||||
|
||||
public function testGetFileKeySystemWide() {
|
||||
$this->config->method('getSystemValue')
|
||||
->with('version')
|
||||
->willReturn('20.0.0.2');
|
||||
|
||||
$this->util->expects($this->any())
|
||||
->method('getUidAndFilename')
|
||||
->willReturn(['user1', '/files/foo.txt']);
|
||||
|
@ -174,7 +243,7 @@ class StorageTest extends TestCase {
|
|||
$this->view->expects($this->once())
|
||||
->method('file_get_contents')
|
||||
->with($this->equalTo('/files_encryption/keys/files/foo.txt/encModule/fileKey'))
|
||||
->willReturn('key');
|
||||
->willReturn(json_encode(['key' => base64_encode('key')]));
|
||||
$this->view->expects($this->once())
|
||||
->method('file_exists')
|
||||
->with($this->equalTo('/files_encryption/keys/files/foo.txt/encModule/fileKey'))
|
||||
|
@ -186,11 +255,19 @@ class StorageTest extends TestCase {
|
|||
}
|
||||
|
||||
public function testSetSystemUserKey() {
|
||||
$this->config->method('getSystemValue')
|
||||
->with('version')
|
||||
->willReturn('20.0.0.2');
|
||||
|
||||
$data = json_encode([
|
||||
'key' => base64_encode('key'),
|
||||
'uid' => null]
|
||||
);
|
||||
$this->view->expects($this->once())
|
||||
->method('file_put_contents')
|
||||
->with($this->equalTo('/files_encryption/encModule/shareKey_56884'),
|
||||
$this->equalTo('key'))
|
||||
->willReturn(strlen('key'));
|
||||
$this->equalTo($data))
|
||||
->willReturn(strlen($data));
|
||||
|
||||
$this->assertTrue(
|
||||
$this->storage->setSystemUserKey('shareKey_56884', 'key', 'encModule')
|
||||
|
@ -198,11 +275,19 @@ class StorageTest extends TestCase {
|
|||
}
|
||||
|
||||
public function testSetUserKey() {
|
||||
$this->config->method('getSystemValue')
|
||||
->with('version')
|
||||
->willReturn('20.0.0.2');
|
||||
|
||||
$data = json_encode([
|
||||
'key' => base64_encode('key'),
|
||||
'uid' => 'user1']
|
||||
);
|
||||
$this->view->expects($this->once())
|
||||
->method('file_put_contents')
|
||||
->with($this->equalTo('/user1/files_encryption/encModule/user1.publicKey'),
|
||||
$this->equalTo('key'))
|
||||
->willReturn(strlen('key'));
|
||||
$this->equalTo($data))
|
||||
->willReturn(strlen($data));
|
||||
|
||||
$this->assertTrue(
|
||||
$this->storage->setUserKey('user1', 'publicKey', 'key', 'encModule')
|
||||
|
@ -210,10 +295,18 @@ class StorageTest extends TestCase {
|
|||
}
|
||||
|
||||
public function testGetSystemUserKey() {
|
||||
$this->config->method('getSystemValue')
|
||||
->with('version')
|
||||
->willReturn('20.0.0.2');
|
||||
|
||||
$data = json_encode([
|
||||
'key' => base64_encode('key'),
|
||||
'uid' => null]
|
||||
);
|
||||
$this->view->expects($this->once())
|
||||
->method('file_get_contents')
|
||||
->with($this->equalTo('/files_encryption/encModule/shareKey_56884'))
|
||||
->willReturn('key');
|
||||
->willReturn($data);
|
||||
$this->view->expects($this->once())
|
||||
->method('file_exists')
|
||||
->with($this->equalTo('/files_encryption/encModule/shareKey_56884'))
|
||||
|
@ -225,10 +318,18 @@ class StorageTest extends TestCase {
|
|||
}
|
||||
|
||||
public function testGetUserKey() {
|
||||
$this->config->method('getSystemValue')
|
||||
->with('version')
|
||||
->willReturn('20.0.0.2');
|
||||
|
||||
$data = json_encode([
|
||||
'key' => base64_encode('key'),
|
||||
'uid' => 'user1']
|
||||
);
|
||||
$this->view->expects($this->once())
|
||||
->method('file_get_contents')
|
||||
->with($this->equalTo('/user1/files_encryption/encModule/user1.publicKey'))
|
||||
->willReturn('key');
|
||||
->willReturn($data);
|
||||
$this->view->expects($this->once())
|
||||
->method('file_exists')
|
||||
->with($this->equalTo('/user1/files_encryption/encModule/user1.publicKey'))
|
||||
|
@ -516,7 +617,7 @@ class StorageTest extends TestCase {
|
|||
*/
|
||||
public function testBackupUserKeys($createBackupDir) {
|
||||
$storage = $this->getMockBuilder('OC\Encryption\Keys\Storage')
|
||||
->setConstructorArgs([$this->view, $this->util])
|
||||
->setConstructorArgs([$this->view, $this->util, $this->crypto, $this->config])
|
||||
->setMethods(['getTimestamp'])
|
||||
->getMock();
|
||||
|
||||
|
|
|
@ -29,7 +29,7 @@
|
|||
// between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel
|
||||
// when updating major/minor version number.
|
||||
|
||||
$OC_Version = [20, 0, 0, 1];
|
||||
$OC_Version = [20, 0, 0, 2];
|
||||
|
||||
// The human readable string
|
||||
$OC_VersionString = '20.0.0 alpha';
|
||||
|
|
Loading…
Reference in New Issue