mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #5976 from owncloud/encryption_work_with_public_gallery 

Encryption work with public gallery
This commit is contained in:
Thomas Müller 2013-11-27 04:25:54 -08:00
parent a81909097c 7f2bdb0e97
commit 5b7b053634
7 changed files with 123 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
apps/files_encryption/lib/helper.php
View File

@ -225,10 +225,7 @@ class Helper {
* @return bool
*/
public static function isPublicAccess() {
if (\OCP\USER::getUser() === false
|| (isset($_GET['service']) && $_GET['service'] == 'files'
&& isset($_GET['t']))
) {
if (\OCP\User::getUser() === false) {
return true;
} else {
return false;
@ -256,10 +253,44 @@ class Helper {
}
/**
* @brief get path to the correspondig file in data/user/files if path points
* @brief try to get the user from the path if no user is logged in
* @param string $path
* @return mixed user or false if we couldn't determine a user
*/
public static function getUser($path) {
$user = \OCP\User::getUser();
// if we are logged in, then we return the userid
if ($user) {
return $user;
}
// if no user is logged in we try to access a publicly shared files.
// In this case we need to try to get the user from the path
$trimmed = ltrim($path, '/');
$split = explode('/', $trimmed);
// it is not a file relative to data/user/files
if (count($split) < 2 || $split[1] !== 'files') {
return false;
}
$user = $split[0];
if (\OCP\User::userExists($user)) {
return $user;
}
return false;
}
/**
* @brief get path to the corresponding file in data/user/files if path points
* to a version or to a file in cache
* @param string $path path to a version or a file in the trash
* @return string path to correspondig file relative to data/user/files
* @return string path to corresponding file relative to data/user/files
*/
public static function getPathToRealFile($path) {
$trimmed = ltrim($path, '/');

38
apps/files_encryption/lib/keymanager.php
View File

@ -113,20 +113,18 @@ class Keymanager {
*
* @param \OC_FilesystemView $view
* @param string $path relative path of the file, including filename
* @param $userId
* @param $catfile
* @internal param string $key
* @param string $catfile keyfile content
* @return bool true/false
* @note The keyfile is not encrypted here. Client code must
* asymmetrically encrypt the keyfile before passing it to this method
*/
public static function setFileKey(\OC_FilesystemView $view, $path, $userId, $catfile) {
public static function setFileKey(\OC_FilesystemView $view, $path, $catfile) {
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
//here we need the currently logged in user, while userId can be a different user
$util = new Util($view, \OCP\User::getUser());
$userId = Helper::getUser($path);
$util = new Util($view, $userId);
list($owner, $filename) = $util->getUidAndFilename($path);
// in case of system wide mount points the keys are stored directly in the data directory
@ -172,15 +170,15 @@ class Keymanager {
/**
* @brief retrieve keyfile for an encrypted file
* @param \OC_FilesystemView $view
* @param \OCA\Encryption\Util $util
* @param $filePath
* @internal param \OCA\Encryption\file $string name
* @return string file key or false
* @note The keyfile returned is asymmetrically encrypted. Decryption
* of the keyfile must be performed by client code
*/
public static function getFileKey(\OC_FilesystemView $view, $filePath) {
public static function getFileKey($view, $util, $filePath) {
$util = new Util($view, \OCP\User::getUser());
list($owner, $filename) = $util->getUidAndFilename($filePath);
$filename = Helper::stripPartialFileExtension($filename);
@ -216,17 +214,17 @@ class Keymanager {
* @brief Delete a keyfile
*
* @param \OC_FilesystemView $view
* @param string $userId username
* @param string $path path of the file the key belongs to
* @return bool Outcome of unlink operation
* @note $path must be relative to data/user/files. e.g. mydoc.txt NOT
* /data/admin/files/mydoc.txt
*/
public static function deleteFileKey(\OC_FilesystemView $view, $userId, $path) {
public static function deleteFileKey(\OC_FilesystemView $view, $path) {
$trimmed = ltrim($path, '/');
$util = new Util($view, \OCP\User::getUser());
$userId = Helper::getUser($path);
$util = new Util($view, $userId);
if($util->isSystemWideMountPoint($path)) {
$keyPath = '/files_encryption/keyfiles/' . $trimmed;
@ -323,8 +321,10 @@ class Keymanager {
// $shareKeys must be an array with the following format:
// [userId] => [encrypted key]
// Here we need the currently logged in user, while userId can be a different user
$util = new Util($view, \OCP\User::getUser());
$userId = Helper::getUser($path);
$util = new Util($view, $userId);
list($owner, $filename) = $util->getUidAndFilename($path);
@ -363,21 +363,18 @@ class Keymanager {
* @brief retrieve shareKey for an encrypted file
* @param \OC_FilesystemView $view
* @param string $userId
* @param \OCA\Encryption\Util $util
* @param string $filePath
* @internal param \OCA\Encryption\file $string name
* @return string file key or false
* @note The sharekey returned is encrypted. Decryption
* of the keyfile must be performed by client code
*/
public static function getShareKey(\OC_FilesystemView $view, $userId, $filePath) {
public static function getShareKey(\OC_FilesystemView $view, $userId, $util, $filePath) {
// try reusing key file if part file
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
//here we need the currently logged in user, while userId can be a different user
$util = new Util($view, \OCP\User::getUser());
list($owner, $filename) = $util->getUidAndFilename($filePath);
$filename = Helper::stripPartialFileExtension($filename);
// in case of system wide mount points the keys are stored directly in the data directory
@ -444,8 +441,9 @@ class Keymanager {
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
//here we need the currently logged in user, while userId can be a different user
$util = new Util($view, \OCP\User::getUser());
$userId = Helper::getUser($filePath);
$util = new Util($view, $userId);
list($owner, $filename) = $util->getUidAndFilename($filePath);

9
apps/files_encryption/lib/proxy.php
View File

@ -201,7 +201,7 @@ class Proxy extends \OC_FileProxy {
list($owner, $ownerPath) = $util->getUidAndFilename($relativePath);
// Delete keyfile & shareKey so it isn't orphaned
if (!Keymanager::deleteFileKey($view, $owner, $ownerPath)) {
if (!Keymanager::deleteFileKey($view, $ownerPath)) {
\OCP\Util::writeLog('Encryption library',
'Keyfile or shareKey could not be deleted for file "' . $ownerPath . '"', \OCP\Util::ERROR);
}
@ -260,7 +260,8 @@ class Proxy extends \OC_FileProxy {
$view = new \OC_FilesystemView('');
$util = new Util($view, \OCP\USER::getUser());
$userId = Helper::getUser($path);
$util = new Util($view, $userId);
// If file is already encrypted, decrypt using crypto protocol
if (
@ -323,7 +324,7 @@ class Proxy extends \OC_FileProxy {
$view = new \OC_FilesystemView('/');
$userId = \OCP\User::getUser();
$userId = Helper::getUser($path);
$util = new Util($view, $userId);
// if encryption is no longer enabled or if the files aren't migrated yet
@ -401,7 +402,7 @@ class Proxy extends \OC_FileProxy {
$view = new \OC_FilesystemView('/');
$session = new \OCA\Encryption\Session($view);
$userId = \OCP\User::getUser();
$userId = Helper::getUser($path);
$util = new Util($view, $userId);
// split the path parts

24
apps/files_encryption/lib/stream.php
View File

@ -55,6 +55,7 @@ class Stream {
private $rawPath; // The raw path relative to the data dir
private $relPath; // rel path to users file dir
private $userId;
private $keyId;
private $handle; // Resource returned by fopen
private $meta = array(); // Header / meta for source stream
private $writeCache;
@ -92,15 +93,19 @@ class Stream {
$this->session = new \OCA\Encryption\Session($this->rootView);
$this->privateKey = $this->session->getPrivateKey($this->userId);
$util = new Util($this->rootView, \OCP\USER::getUser());
$this->userId = $util->getUserId();
$this->privateKey = $this->session->getPrivateKey();
// rawPath is relative to the data directory
$this->rawPath = \OC\Files\Filesystem::normalizePath(str_replace('crypt://', '', $path));
$this->userId = Helper::getUser($this->rawPath);
$util = new Util($this->rootView, $this->userId);
// get the key ID which we want to use, can be the users key or the
// public share key
$this->keyId = $util->getKeyId();
// Strip identifier text from path, this gives us the path relative to data/<user>/files
$this->relPath = Helper::stripUserFilesPath($this->rawPath);
// if raw path doesn't point to a real file, check if it is a version or a file in the trash bin
@ -250,12 +255,13 @@ class Stream {
// Fetch and decrypt keyfile
// Fetch existing keyfile
$this->encKeyfile = Keymanager::getFileKey($this->rootView, $this->relPath);
$util = new \OCA\Encryption\Util($this->rootView, $this->userId);
$this->encKeyfile = Keymanager::getFileKey($this->rootView, $util, $this->relPath);
// If a keyfile already exists
if ($this->encKeyfile) {
$shareKey = Keymanager::getShareKey($this->rootView, $this->userId, $this->relPath);
$shareKey = Keymanager::getShareKey($this->rootView, $this->keyId, $util, $this->relPath);
// if there is no valid private key return false
if ($this->privateKey === false) {
@ -503,7 +509,7 @@ class Stream {
\OC_FileProxy::$enabled = false;
// Fetch user's public key
$this->publicKey = Keymanager::getPublicKey($this->rootView, $this->userId);
$this->publicKey = Keymanager::getPublicKey($this->rootView, $this->keyId);
// Check if OC sharing api is enabled
$sharingEnabled = \OCP\Share::isEnabled();
@ -521,7 +527,7 @@ class Stream {
$this->encKeyfiles = Crypt::multiKeyEncrypt($this->plainKey, $publicKeys);
// Save the new encrypted file key
Keymanager::setFileKey($this->rootView, $this->relPath, $this->userId, $this->encKeyfiles['data']);
Keymanager::setFileKey($this->rootView, $this->relPath, $this->encKeyfiles['data']);
// Save the sharekeys
Keymanager::setShareKeys($this->rootView, $this->relPath, $this->encKeyfiles['keys']);

84
apps/files_encryption/lib/util.php
View File

@ -38,7 +38,8 @@ class Util {
const MIGRATION_OPEN = 0; // user still needs to be migrated
private $view; // OC_FilesystemView object for filesystem operations
private $userId; // ID of the currently logged-in user
private $userId; // ID of the user we use to encrypt/decrypt files
private $keyId; // ID of the key we want to manipulate
private $client; // Client side encryption mode flag
private $publicKeyDir; // Dir containing all public user keys
private $encryptionDir; // Dir containing user's files_encryption
@ -58,51 +59,33 @@ class Util {
public function __construct(\OC_FilesystemView $view, $userId, $client = false) {
$this->view = $view;
$this->userId = $userId;
$this->client = $client;
$this->isPublic = false;
$this->userId = $userId;
$this->publicShareKeyId = \OC_Appconfig::getValue('files_encryption', 'publicShareKeyId');
$this->recoveryKeyId = \OC_Appconfig::getValue('files_encryption', 'recoveryKeyId');
// if we are anonymous/public
if (\OCA\Encryption\Helper::isPublicAccess()) {
$this->userId = $this->publicShareKeyId;
// only handle for files_sharing app
if (isset($GLOBALS['app']) && $GLOBALS['app'] === 'files_sharing') {
$this->userDir = '/' . $GLOBALS['fileOwner'];
$this->fileFolderName = 'files';
$this->userFilesDir = '/' . $GLOBALS['fileOwner'] . '/'
. $this->fileFolderName; // TODO: Does this need to be user configurable?
$this->publicKeyDir = '/' . 'public-keys';
$this->encryptionDir = '/' . $GLOBALS['fileOwner'] . '/' . 'files_encryption';
$this->keyfilesPath = $this->encryptionDir . '/' . 'keyfiles';
$this->shareKeysPath = $this->encryptionDir . '/' . 'share-keys';
$this->publicKeyPath =
$this->publicKeyDir . '/' . $this->userId . '.public.key'; // e.g. data/public-keys/admin.public.key
$this->privateKeyPath =
'/owncloud_private_key/' . $this->userId . '.private.key'; // e.g. data/admin/admin.private.key
$this->isPublic = true;
// make sure that the owners home is mounted
\OC\Files\Filesystem::initMountPoints($GLOBALS['fileOwner']);
}
} else {
$this->userDir = '/' . $this->userId;
$this->fileFolderName = 'files';
$this->userFilesDir =
'/' . $this->userId . '/' . $this->fileFolderName; // TODO: Does this need to be user configurable?
$this->publicKeyDir = '/' . 'public-keys';
$this->encryptionDir = '/' . $this->userId . '/' . 'files_encryption';
$this->keyfilesPath = $this->encryptionDir . '/' . 'keyfiles';
$this->shareKeysPath = $this->encryptionDir . '/' . 'share-keys';
$this->publicKeyPath =
$this->userDir = '/' . $this->userId;
$this->fileFolderName = 'files';
$this->userFilesDir =
'/' . $userId . '/' . $this->fileFolderName; // TODO: Does this need to be user configurable?
$this->publicKeyDir = '/' . 'public-keys';
$this->encryptionDir = '/' . $this->userId . '/' . 'files_encryption';
$this->keyfilesPath = $this->encryptionDir . '/' . 'keyfiles';
$this->shareKeysPath = $this->encryptionDir . '/' . 'share-keys';
$this->publicKeyPath =
$this->publicKeyDir . '/' . $this->userId . '.public.key'; // e.g. data/public-keys/admin.public.key
$this->privateKeyPath =
$this->privateKeyPath =
$this->encryptionDir . '/' . $this->userId . '.private.key'; // e.g. data/admin/admin.private.key
// make sure that the owners home is mounted
\OC\Files\Filesystem::initMountPoints($this->userId);
// make sure that the owners home is mounted
\OC\Files\Filesystem::initMountPoints($userId);
if (\OCA\Encryption\Helper::isPublicAccess()) {
$this->keyId = $this->publicShareKeyId;
$this->isPublic = true;
} else {
$this->keyId = $this->userId;
$this->isPublic = false;
}
}
@ -188,13 +171,13 @@ class Util {
// check if public-key exists but private-key is missing
if ($this->view->file_exists($this->publicKeyPath) && !$this->view->file_exists($this->privateKeyPath)) {
\OCP\Util::writeLog('Encryption library',
'public key exists but private key is missing for "' . $this->userId . '"', \OCP\Util::FATAL);
'public key exists but private key is missing for "' . $this->keyId . '"', \OCP\Util::FATAL);
return false;
} else {
if (!$this->view->file_exists($this->publicKeyPath) && $this->view->file_exists($this->privateKeyPath)
) {
\OCP\Util::writeLog('Encryption library',
'private key exists but public key is missing for "' . $this->userId . '"', \OCP\Util::FATAL);
'private key exists but public key is missing for "' . $this->keyId . '"', \OCP\Util::FATAL);
return false;
}
}
@ -367,7 +350,7 @@ class Util {
// scanning every file like this
// will eat server resources :(
if (
Keymanager::getFileKey($this->view, $relPath)
Keymanager::getFileKey($this->view, $this, $relPath)
&& $isEncryptedPath
) {
@ -478,7 +461,7 @@ class Util {
$relPath = Helper::stripUserFilesPath($path);
}
$fileKey = Keymanager::getFileKey($this->view, $relPath);
$fileKey = Keymanager::getFileKey($this->view, $this, $relPath);
if ($fileKey === false) {
return false;
@ -1056,10 +1039,10 @@ class Util {
private function decryptKeyfile($filePath, $privateKey) {
// Get the encrypted keyfile
$encKeyfile = Keymanager::getFileKey($this->view, $filePath);
$encKeyfile = Keymanager::getFileKey($this->view, $this, $filePath);
// The file has a shareKey and must use it for decryption
$shareKey = Keymanager::getShareKey($this->view, $this->userId, $filePath);
$shareKey = Keymanager::getShareKey($this->view, $this->keyId, $this, $filePath);
$plainKeyfile = Crypt::multiKeyDecrypt($encKeyfile, $shareKey, $privateKey);
@ -1110,7 +1093,7 @@ class Util {
// Save the recrypted key to it's owner's keyfiles directory
// Save new sharekeys to all necessary user directory
if (
!Keymanager::setFileKey($this->view, $filePath, $fileOwner, $multiEncKey['data'])
!Keymanager::setFileKey($this->view, $filePath, $multiEncKey['data'])
|| !Keymanager::setShareKeys($this->view, $filePath, $multiEncKey['keys'])
) {
@ -1335,7 +1318,7 @@ class Util {
// handle public access
if ($this->isPublic) {
$filename = $path;
$fileOwnerUid = $GLOBALS['fileOwner'];
$fileOwnerUid = $this->userId;
return array(
$fileOwnerUid,
@ -1560,6 +1543,13 @@ class Util {
return $this->userId;
}
/**
* @return string
*/
public function getKeyId() {
return $this->keyId;
}
/**
* @return string
*/

16
apps/files_encryption/tests/crypt.php
View File

@ -157,6 +157,8 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
$filename = 'tmp-' . time() . '.test';
$util = new Encryption\Util(new \OC_FilesystemView(), $this->userId);
$cryptedFile = file_put_contents('crypt:///' . $this->userId . '/files/'. $filename, $this->dataShort);
// Test that data was successfully written
@ -176,10 +178,10 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
$this->assertNotEquals($this->dataShort, $retreivedCryptedFile);
// Get the encrypted keyfile
$encKeyfile = Encryption\Keymanager::getFileKey($this->view, $filename);
$encKeyfile = Encryption\Keymanager::getFileKey($this->view, $util, $filename);
// Attempt to fetch the user's shareKey
$shareKey = Encryption\Keymanager::getShareKey($this->view, $this->userId, $filename);
$shareKey = Encryption\Keymanager::getShareKey($this->view, $this->userId, $util, $filename);
// get session
$session = new \OCA\Encryption\Session($this->view);
@ -199,7 +201,7 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
// Teardown
$this->view->unlink($this->userId . '/files/' . $filename);
Encryption\Keymanager::deleteFileKey($this->view, $this->userId, $filename);
Encryption\Keymanager::deleteFileKey($this->view, $filename);
}
/**
@ -214,6 +216,8 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
// Generate a a random filename
$filename = 'tmp-' . time() . '.test';
$util = new Encryption\Util(new \OC_FilesystemView(), $this->userId);
// Save long data as encrypted file using stream wrapper
$cryptedFile = file_put_contents('crypt:///' . $this->userId . '/files/' . $filename, $this->dataLong . $this->dataLong);
@ -250,10 +254,10 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
//print_r($e);
// Get the encrypted keyfile
$encKeyfile = Encryption\Keymanager::getFileKey($this->view, $filename);
$encKeyfile = Encryption\Keymanager::getFileKey($this->view, $util, $filename);
// Attempt to fetch the user's shareKey
$shareKey = Encryption\Keymanager::getShareKey($this->view, $this->userId, $filename);
$shareKey = Encryption\Keymanager::getShareKey($this->view, $this->userId, $util, $filename);
// get session
$session = new \OCA\Encryption\Session($this->view);
@ -283,7 +287,7 @@ class Test_Encryption_Crypt extends \PHPUnit_Framework_TestCase {
$this->view->unlink($this->userId . '/files/' . $filename);
Encryption\Keymanager::deleteFileKey($this->view, $this->userId, $filename);
Encryption\Keymanager::deleteFileKey($this->view, $filename);
}

2
apps/files_encryption/tests/keymanager.php
View File

@ -151,7 +151,7 @@ class Test_Encryption_Keymanager extends \PHPUnit_Framework_TestCase {
$this->view->file_put_contents($this->userId . '/files/' . $file, $this->dataShort);
Encryption\Keymanager::setFileKey($this->view, $file, $this->userId, $key);
Encryption\Keymanager::setFileKey($this->view, $file, $key);
$this->assertTrue($this->view->file_exists('/' . $this->userId . '/files_encryption/keyfiles/' . $file . '.key'));