mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Work on util: findFiles() and encryptAll(); both close to working 

Ecnryption unit tests are failing, recursion in filecache{}
This commit is contained in:
Sam Tuke 2013-01-23 19:24:26 +00:00
parent cd832935e8
commit 59ca312263
9 changed files with 213 additions and 181 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/files_encryption/appinfo/app.php
View File

@ -32,7 +32,7 @@ if (
&& OCA\Encryption\Crypt::mode() == 'server' && OCA\Encryption\Crypt::mode() == 'server'
) { ) {
// Force the user to re-log in if the encryption key isn't unlocked // Force the user to log-in again if the encryption key isn't unlocked
// (happens when a user is logged in before the encryption app is // (happens when a user is logged in before the encryption app is
// enabled) // enabled)
OCP\User::logout(); OCP\User::logout();
@ -44,4 +44,6 @@ if (
} }
OCP\App::registerAdmin( 'files_encryption', 'settings' ); OCP\App::registerAdmin( 'files_encryption', 'settings' );
OCP\App::registerPersonal( 'files_encryption', 'settings-personal' );
// This is disabled until client-side encryption is supported:
// OCP\App::registerPersonal( 'files_encryption', 'settings-personal' );

4
apps/files_encryption/lib/crypt.php
View File

@ -130,7 +130,7 @@ class Crypt {
* @return true / false * @return true / false
* @note see also OCA\Encryption\Util->isEncryptedPath() * @note see also OCA\Encryption\Util->isEncryptedPath()
*/ */
public static function isEncryptedContent( $content ) { public static function isCatfile( $content ) {
if ( !$content ) { if ( !$content ) {
@ -192,7 +192,7 @@ class Crypt {
$content $content
and isset( $metadata['encrypted'] ) and isset( $metadata['encrypted'] )
and $metadata['encrypted'] === true and $metadata['encrypted'] === true
and !self::isEncryptedContent( $content ) and !self::isCatfile( $content )
) { ) {
return true; return true;

112
apps/files_encryption/lib/keymanager.php
View File

@ -146,10 +146,59 @@ class Keymanager {
} }
/**
* @brief store file encryption key
*
* @param string $path relative path of the file, including filename
* @param string $key
* @return bool true/false
* @note The keyfile is not encrypted here. Client code must
* asymmetrically encrypt the keyfile before passing it to this method
*/
public static function setFileKey( \OC_FilesystemView $view, $path, $userId, $catfile ) {
$basePath = '/' . $userId . '/files_encryption/keyfiles';
$targetPath = self::keySetPreparation( $view, $path, $basePath, $userId );
// // update $keytarget and $userId if key belongs to a file shared by someone else
// $query = $dbClassName::prepare( "SELECT uid_owner, source, target FROM `*PREFIX*sharing` WHERE target = ? AND uid_shared_with = ?" );
//
// $result = $query->execute( array ( '/'.$userId.'/files/'.$targetPath, $userId ) );
//
// if ( $row = $result->fetchRow( ) ) {
//
// $targetPath = $row['source'];
//
// $targetPath_parts = explode( '/', $targetPath );
//
// $userId = $targetPath_parts[1];
//
// $rootview = new \OC_FilesystemView( '/' );
//
// if ( ! $rootview->is_writable( $targetPath ) ) {
//
// \OC_Log::write( 'Encryption library', "File Key not updated because you don't have write access for the corresponding file", \OC_Log::ERROR );
//
// return false;
//
// }
//
// $targetPath = str_replace( '/'.$userId.'/files/', '', $targetPath );
//
// //TODO: check for write permission on shared file once the new sharing API is in place
//
// }
// Save the keyfile in parallel directory
return $view->file_put_contents( $basePath . '/' . $targetPath . '.key', $catfile );
}
/** /**
* @brief retrieve keyfile for an encrypted file * @brief retrieve keyfile for an encrypted file
* @param string file name * @param string file name
* @return string file key or false * @return string file key or false on failure
* @note The keyfile returned is asymmetrically encrypted. Decryption * @note The keyfile returned is asymmetrically encrypted. Decryption
* of the keyfile must be performed by client code * of the keyfile must be performed by client code
*/ */
@ -171,7 +220,17 @@ class Keymanager {
// //
// } // }
return $view->file_get_contents( '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key' ); $catfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key';
if ( $view->file_exists( $catfilePath ) ) {
return $view->file_get_contents( $catfilePath );
} else {
return false;
}
} }
@ -298,55 +357,6 @@ class Keymanager {
} }
/**
* @brief store file encryption key
*
* @param string $path relative path of the file, including filename
* @param string $key
* @return bool true/false
* @note The keyfile is not encrypted here. Client code must
* asymmetrically encrypt the keyfile before passing it to this method
*/
public static function setFileKey( \OC_FilesystemView $view, $path, $userId, $catfile ) {
$basePath = '/' . $userId . '/files_encryption/keyfiles';
$targetPath = self::keySetPreparation( $view, $path, $basePath, $userId );
// // update $keytarget and $userId if key belongs to a file shared by someone else
// $query = $dbClassName::prepare( "SELECT uid_owner, source, target FROM `*PREFIX*sharing` WHERE target = ? AND uid_shared_with = ?" );
//
// $result = $query->execute( array ( '/'.$userId.'/files/'.$targetPath, $userId ) );
//
// if ( $row = $result->fetchRow( ) ) {
//
// $targetPath = $row['source'];
//
// $targetPath_parts = explode( '/', $targetPath );
//
// $userId = $targetPath_parts[1];
//
// $rootview = new \OC_FilesystemView( '/' );
//
// if ( ! $rootview->is_writable( $targetPath ) ) {
//
// \OC_Log::write( 'Encryption library', "File Key not updated because you don't have write access for the corresponding file", \OC_Log::ERROR );
//
// return false;
//
// }
//
// $targetPath = str_replace( '/'.$userId.'/files/', '', $targetPath );
//
// //TODO: check for write permission on shared file once the new sharing API is in place
//
// }
// Save the keyfile in parallel directory
return $view->file_put_contents( $basePath . '/' . $targetPath . '.key', $catfile );
}
/** /**
* @brief change password of private encryption key * @brief change password of private encryption key
* *

10
apps/files_encryption/lib/proxy.php
View File

@ -68,7 +68,7 @@ class Proxy extends \OC_FileProxy {
} }
if ( Crypt::isEncryptedContent( $path ) ) { if ( Crypt::isCatfile( $path ) ) {
return true; return true;
@ -147,7 +147,7 @@ class Proxy extends \OC_FileProxy {
// If data is a catfile // If data is a catfile
if ( if (
Crypt::mode() == 'server' Crypt::mode() == 'server'
&& Crypt::isEncryptedContent( $data ) && Crypt::isCatfile( $data )
) { ) {
$split = explode( '/', $path ); $split = explode( '/', $path );
@ -269,14 +269,14 @@ class Proxy extends \OC_FileProxy {
} }
public function postGetMimeType($path,$mime){ public function postGetMimeType($path,$mime){
if( Crypt::isEncryptedContent($path)){ if( Crypt::isCatfile($path)){
$mime = \OCP\Files::getMimeType('crypt://'.$path,'w'); $mime = \OCP\Files::getMimeType('crypt://'.$path,'w');
} }
return $mime; return $mime;
} }
public function postStat($path,$data){ public function postStat($path,$data){
if( Crypt::isEncryptedContent($path)){ if( Crypt::isCatfile($path)){
$cached= \OC_FileCache_Cached::get($path,''); $cached= \OC_FileCache_Cached::get($path,'');
$data['size']=$cached['size']; $data['size']=$cached['size'];
} }
@ -284,7 +284,7 @@ class Proxy extends \OC_FileProxy {
} }
public function postFileSize($path,$size){ public function postFileSize($path,$size){
if( Crypt::isEncryptedContent($path)){ if( Crypt::isCatfile($path)){
$cached = \OC_FileCache_Cached::get($path,''); $cached = \OC_FileCache_Cached::get($path,'');
return $cached['size']; return $cached['size'];
}else{ }else{

155
apps/files_encryption/lib/util.php
View File

@ -94,6 +94,7 @@ class Util {
private $view; // OC_FilesystemView object for filesystem operations private $view; // OC_FilesystemView object for filesystem operations
private $userId; // ID of the currently logged-in user
private $pwd; // User Password private $pwd; // User Password
private $client; // Client side encryption mode flag private $client; // Client side encryption mode flag
private $publicKeyDir; // Dir containing all public user keys private $publicKeyDir; // Dir containing all public user keys
@ -108,6 +109,8 @@ class Util {
$this->view = $view; $this->view = $view;
$this->userId = $userId; $this->userId = $userId;
$this->client = $client; $this->client = $client;
$this->userDir = '/' . $this->userId;
$this->userFilesDir = '/' . $this->userId . '/' . 'files';
$this->publicKeyDir = '/' . 'public-keys'; $this->publicKeyDir = '/' . 'public-keys';
$this->encryptionDir = '/' . $this->userId . '/' . 'files_encryption'; $this->encryptionDir = '/' . $this->userId . '/' . 'files_encryption';
$this->keyfilesPath = $this->encryptionDir . '/' . 'keyfiles'; $this->keyfilesPath = $this->encryptionDir . '/' . 'keyfiles';
@ -120,7 +123,9 @@ class Util {
public function ready() { public function ready() {
if( if(
!$this->view->file_exists( $this->keyfilesPath ) !$this->view->file_exists( $this->encryptionDir )
or !$this->view->file_exists( $this->keyfilesPath )
or !$this->view->file_exists( $this->shareKeysPath )
or !$this->view->file_exists( $this->publicKeyPath ) or !$this->view->file_exists( $this->publicKeyPath )
or !$this->view->file_exists( $this->privateKeyPath ) or !$this->view->file_exists( $this->privateKeyPath )
) { ) {
@ -141,6 +146,20 @@ class Util {
*/ */
public function setupServerSide( $passphrase = null ) { public function setupServerSide( $passphrase = null ) {
// Create user dir
if( !$this->view->file_exists( $this->userDir ) ) {
$this->view->mkdir( $this->userDir );
}
// Create user files dir
if( !$this->view->file_exists( $this->userFilesDir ) ) {
$this->view->mkdir( $this->userFilesDir );
}
// Create shared public key directory // Create shared public key directory
if( !$this->view->file_exists( $this->publicKeyDir ) ) { if( !$this->view->file_exists( $this->publicKeyDir ) ) {
@ -193,15 +212,32 @@ class Util {
} }
$publicKey = Keymanager::getPublicKey( $this->view, $this->userId );
// Encrypt existing user files:
$this->encryptAll( $publicKey, $this->userFilesDir );
return true; return true;
} }
public function findFiles( $directory, $type = 'plain' ) { /**
* @brief Find all files and their encryption status within a directory
* @param string $directory The path of the parent directory to search
* @return mixed false if 0 found, array on success. Keys: name, path
*/
public function findFiles( $directory ) {
# TODO: test finding non plain content // Disable proxy - we don't want files to be decrypted before
// we handle them
\OC_FileProxy::$enabled = false;
if ( $handle = $this->view->opendir( $directory ) ) { $found = array( 'plain' => array(), 'encrypted' => array(), 'legacy' => array() );
if (
$this->view->is_dir( $directory )
&& $handle = $this->view->opendir( $directory )
) {
while ( false !== ( $file = readdir( $handle ) ) ) { while ( false !== ( $file = readdir( $handle ) ) ) {
@ -212,54 +248,60 @@ class Util {
$filePath = $directory . '/' . $this->view->getRelativePath( '/' . $file ); $filePath = $directory . '/' . $this->view->getRelativePath( '/' . $file );
var_dump($filePath); // If the path is a directory, search
// its contents
if ( $this->view->is_dir( $filePath ) ) { if ( $this->view->is_dir( $filePath ) ) {
$this->findFiles( $filePath ); $this->findFiles( $filePath );
// If the path is a file, determine
// its encryption status
} elseif ( $this->view->is_file( $filePath ) ) { } elseif ( $this->view->is_file( $filePath ) ) {
if ( $type == 'plain' ) { // Disable proxies again, some-
// how they get re-enabled :/
\OC_FileProxy::$enabled = false;
$this->files[] = array( 'name' => $file, 'path' => $filePath ); // If the file is encrypted
if ( Keymanager::getFileKey( $this->view, $this->userId, $file ) ) {
} elseif ( $type == 'encrypted' ) { $found['encrypted'][] = array( 'name' => $file, 'path' => $filePath );
if ( Crypt::isEncryptedContent( $this->view->file_get_contents( $filePath ) ) ) { // If the file uses old
// encryption system
} elseif ( Crypt::isLegacyEncryptedContent( $this->view->file_get_contents( $filePath ) ) ) {
$this->files[] = array( 'name' => $file, 'path' => $filePath ); $found['legacy'][] = array( 'name' => $file, 'path' => $filePath );
}
} elseif ( $type == 'legacy' ) {
if ( Crypt::isLegacyEncryptedContent( $this->view->file_get_contents( $filePath ) ) ) {
$this->files[] = array( 'name' => $file, 'path' => $filePath );
}
}
}
}
}
if ( !empty( $this->files ) ) {
return $this->files;
// If the file is not encrypted
} else { } else {
$found['plain'][] = array( 'name' => $file, 'path' => $filePath );
}
}
}
}
\OC_FileProxy::$enabled = true;
if ( empty( $found ) ) {
return false; return false;
} else {
return $found;
} }
} }
\OC_FileProxy::$enabled = true;
return false; return false;
} }
@ -278,21 +320,54 @@ class Util {
\OC_FileProxy::$enabled = true; \OC_FileProxy::$enabled = true;
return Crypt::isEncryptedContent( $data ); return Crypt::isCatfile( $data );
} }
public function encryptAll( $directory ) { /**
* @brief Encrypt all files in a directory
* @param string $publicKey the public key to encrypt files with
* @param string $dirPath the directory whose files will be encrypted
* @note Encryption is recursive
*/
public function encryptAll( $publicKey, $dirPath ) {
$plainFiles = $this->findFiles( $this->view, 'plain' ); if ( $found = $this->findFiles( $dirPath ) ) {
if ( $this->encryptFiles( $plainFiles ) ) { // Encrypt unencrypted files
foreach ( $found['plain'] as $plainFilePath ) {
return true; // Fetch data from file
$plainData = $this->view->file_get_contents( $plainFilePath );
} else { // Encrypt data, generate catfile
$encrypted = Crypt::keyEncryptKeyfile( $plainData, $publicKey );
return false; // Save catfile
Keymanager::setFileKey( $this->view, $plainFilePath, $this->userId, $encrypted['key'] );
// Overwrite the existing file with the encrypted one
$this->view->file_put_contents( $plainFilePath, $encrypted['data'] );
}
// FIXME: Legacy recrypting here isn't finished yet
// Encrypt legacy encrypted files
foreach ( $found['legacy'] as $legacyFilePath ) {
// Fetch data from file
$legacyData = $this->view->file_get_contents( $legacyFilePath );
// Recrypt data, generate catfile
$recrypted = Crypt::legacyKeyRecryptKeyfile( $legacyData, $legacyPassphrase, $publicKey, $newPassphrase );
// Save catfile
Keymanager::setFileKey( $this->view, $plainFilePath, $this->userId, $recrypted['key'] );
// Overwrite the existing file with the encrypted one
$this->view->file_put_contents( $plainFilePath, $recrypted['data'] );
}
} }

13
apps/files_encryption/templates/settings-personal.php
View File

@ -9,17 +9,6 @@
value="<?php echo $_['encryption_mode']; ?>" value="<?php echo $_['encryption_mode']; ?>"
> >
<input
type="radio"
name="encryption_mode"
value="client"
id='client_encryption'
style="width:20px;"
<?php if ($_['encryption_mode'] == 'client') echo "checked='checked'"?>
/>
<?php echo $l->t('Client side encryption (most secure but makes it impossible to access your data from the web interface)'); ?>
<br />
<input <input
type="radio" type="radio"
name="encryption_mode" name="encryption_mode"
@ -27,7 +16,7 @@
id='server_encryption' id='server_encryption'
style="width:20px;" <?php if ($_['encryption_mode'] == 'server') echo "checked='checked'"?> style="width:20px;" <?php if ($_['encryption_mode'] == 'server') echo "checked='checked'"?>
/> />
<?php echo $l->t('Server side encryption (allows you to access your files from the web interface and the desktop client)'); ?> <?php echo $l->t('Server side encryption (allows you to access your files from the web interface)'); ?>
<br /> <br />
<input <input

63
apps/files_encryption/templates/settings.php
View File

@ -1,70 +1,11 @@
<form id="encryption"> <form id="encryption">
<fieldset class="personalblock"> <fieldset class="personalblock">
<strong>
<?php echo $l->t('Choose encryption mode:'); ?>
</strong>
<p>
<i>
<?php echo $l->t('Important: Once you selected an encryption mode there is no way to change it back'); ?>
</i>
</p>
<p>
<input
type="radio"
name="encryption_mode"
id="client_encryption"
value="client"
style="width:20px;"
<?php if ($_['encryption_mode'] == 'client') echo "checked='checked'"; if ($_['encryption_mode'] != 'none') echo "DISABLED"?>
/>
<?php echo $l->t("Client side encryption (most secure but makes it impossible to access your data from the web interface)"); ?>
<br />
<input
type="radio"
name="encryption_mode"
id="server_encryption"
value="server"
style="width:20px;"
<?php if ($_['encryption_mode'] == 'server') echo "checked='checked'"; if ($_['encryption_mode'] != 'none') echo "DISABLED"?>
/>
<?php echo $l->t('Server side encryption (allows you to access your files from the web interface and the desktop client)'); ?>
<br />
<input
type="radio"
name="encryption_mode"
id="user_encryption"
value="user"
style="width:20px;"
<?php if ($_['encryption_mode'] == 'user') echo "checked='checked'"; if ($_['encryption_mode'] != 'none') echo "DISABLED"?>
/>
<?php echo $l->t('User specific (let the user decide)'); ?>
<br/>
<input
type="radio"
name="encryption_mode"
id="none_encryption"
value="none"
style="width:20px;"
<?php if ($_['encryption_mode'] == 'none') echo "checked='checked'"; if ($_['encryption_mode'] != 'none') echo "DISABLED"?>
/>
<?php echo $l->t('None (no encryption at all)'); ?>
<br/>
</p>
<p> <p>
<strong><?php echo $l->t('Encryption'); ?></strong> <strong><?php echo $l->t('Encryption'); ?></strong>
<?php echo $l->t("Exclude the following file types from encryption"); ?> <?php echo $l->t("Exclude the following file types from encryption:"); ?>
<br />
<select <select
id='encryption_blacklist' id='encryption_blacklist'

6
apps/files_encryption/test/crypt.php
View File

@ -416,13 +416,13 @@ class Test_Crypt extends \PHPUnit_Framework_TestCase {
function testIsEncryptedContent() { function testIsEncryptedContent() {
$this->assertFalse( Encryption\Crypt::isEncryptedContent( $this->dataUrl ) ); $this->assertFalse( Encryption\Crypt::isCatfile( $this->dataUrl ) );
$this->assertFalse( Encryption\Crypt::isEncryptedContent( $this->legacyEncryptedData ) ); $this->assertFalse( Encryption\Crypt::isCatfile( $this->legacyEncryptedData ) );
$keyfileContent = Encryption\Crypt::symmetricEncryptFileContent( $this->dataUrl, 'hat' ); $keyfileContent = Encryption\Crypt::symmetricEncryptFileContent( $this->dataUrl, 'hat' );
$this->assertTrue( Encryption\Crypt::isEncryptedContent( $keyfileContent ) ); $this->assertTrue( Encryption\Crypt::isCatfile( $keyfileContent ) );
} }

23
apps/files_encryption/test/util.php
View File

@ -51,7 +51,7 @@ class Test_Enc_Util extends \PHPUnit_Framework_TestCase {
$this->publicKeyPath = $this->publicKeyDir . '/' . $this->userId . '.public.key'; // e.g. data/public-keys/admin.public.key $this->publicKeyPath = $this->publicKeyDir . '/' . $this->userId . '.public.key'; // e.g. data/public-keys/admin.public.key
$this->privateKeyPath = $this->encryptionDir . '/' . $this->userId . '.private.key'; // e.g. data/admin/admin.private.key $this->privateKeyPath = $this->encryptionDir . '/' . $this->userId . '.private.key'; // e.g. data/admin/admin.private.key
$this->view = new OC_FilesystemView( '/admin' ); $this->view = new \OC_FilesystemView( '/' );
$this->mockView = m::mock('OC_FilesystemView'); $this->mockView = m::mock('OC_FilesystemView');
$this->util = new Encryption\Util( $this->mockView, $this->userId ); $this->util = new Encryption\Util( $this->mockView, $this->userId );
@ -88,8 +88,8 @@ class Test_Enc_Util extends \PHPUnit_Framework_TestCase {
$mockView = m::mock('OC_FilesystemView'); $mockView = m::mock('OC_FilesystemView');
$mockView->shouldReceive( 'file_exists' )->times(4)->andReturn( false ); $mockView->shouldReceive( 'file_exists' )->times(5)->andReturn( false );
$mockView->shouldReceive( 'mkdir' )->times(3)->andReturn( true ); $mockView->shouldReceive( 'mkdir' )->times(4)->andReturn( true );
$mockView->shouldReceive( 'file_put_contents' )->withAnyArgs(); $mockView->shouldReceive( 'file_put_contents' )->withAnyArgs();
$util = new Encryption\Util( $mockView, $this->userId ); $util = new Encryption\Util( $mockView, $this->userId );
@ -105,7 +105,7 @@ class Test_Enc_Util extends \PHPUnit_Framework_TestCase {
$mockView = m::mock('OC_FilesystemView'); $mockView = m::mock('OC_FilesystemView');
$mockView->shouldReceive( 'file_exists' )->times(5)->andReturn( true ); $mockView->shouldReceive( 'file_exists' )->times(6)->andReturn( true );
$mockView->shouldReceive( 'file_put_contents' )->withAnyArgs(); $mockView->shouldReceive( 'file_put_contents' )->withAnyArgs();
$util = new Encryption\Util( $mockView, $this->userId ); $util = new Encryption\Util( $mockView, $this->userId );
@ -150,6 +150,21 @@ class Test_Enc_Util extends \PHPUnit_Framework_TestCase {
} }
function testFindFiles() {
// $this->view->chroot( "/data/{$this->userId}/files" );
$util = new Encryption\Util( $this->view, $this->userId );
$files = $util->findFiles( '/', 'encrypted' );
var_dump( $files );
# TODO: Add more tests here to check that if any of the dirs are
# then false will be returned. Use strict ordering?
}
// /** // /**
// * @brief test decryption using legacy blowfish method // * @brief test decryption using legacy blowfish method
// * @depends testLegacyEncryptLong // * @depends testLegacyEncryptLong