From 6d74ef71b5b990c1685e95500d56c47645c379b8 Mon Sep 17 00:00:00 2001 From: alexweirig Date: Thu, 17 Mar 2016 11:31:28 +0100 Subject: [PATCH 01/12] Fixed dynamic group ldap access getUserGroups: Using $userDN instead of $uid to query LDAP Converting groupDN to group name using API instead of substring Removing cache processing at the end of the method --- apps/user_ldap/group_ldap.php | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index eba39ca50f..c698723beb 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -469,17 +469,18 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { // apply filter via ldap search to see if this user is in this // dynamic group $userMatch = $this->access->readAttribute( - $uid, + $userDN, $this->access->connection->ldapUserDisplayName, $memberUrlFilter ); if ($userMatch !== false) { // match found so this user is in this group - $pos = strpos($dynamicGroup['dn'][0], ','); - if ($pos !== false) { - $membershipGroup = substr($dynamicGroup['dn'][0],3,$pos-3); - $groups[] = $membershipGroup; - } + $groupName = $this->access->dn2groupname($dynamicGroup['dn'][0]); + if(is_string($groupName)) { + // be sure to never return false if the dn could not be + // resolved to a name, for whatever reason. + $groups[] = $groupName; + } } } else { \OCP\Util::writeLog('user_ldap', 'No search filter found on member url '. @@ -529,14 +530,6 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { $uid = $userDN; } - if(isset($this->cachedGroupsByMember[$uid])) { - $groups = $this->cachedGroupsByMember[$uid]; - } else { - $groups = array_values($this->getGroupsByMember($uid)); - $groups = $this->access->ownCloudGroupNames($groups); - $this->cachedGroupsByMember[$uid] = $groups; - } - if($primaryGroup !== false) { $groups[] = $primaryGroup; } From c342dcbcee24e31544c2f2c91d5259d6dee56370 Mon Sep 17 00:00:00 2001 From: alexweirig Date: Mon, 21 Mar 2016 08:06:38 +0100 Subject: [PATCH 02/12] Fixing group handling added back the cache processing and fixed --- apps/user_ldap/group_ldap.php | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index c698723beb..069a7c161b 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -530,12 +530,21 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { $uid = $userDN; } - if($primaryGroup !== false) { - $groups[] = $primaryGroup; - } + if(isset($this->cachedGroupsByMember[$uid])) { + $groups[] = $this->cachedGroupsByMember[$uid]; + } else { + $groupsByMember = array_values($this->getGroupsByMember($uid)); + $groupsByMember = $this->access->ownCloudGroupNames($groupsByMember); + $this->cachedGroupsByMember[$uid] = $groupsByMember; + $groups = array_merge($groups, $groupsByMember); + } - $groups = array_unique($groups, SORT_LOCALE_STRING); - $this->access->connection->writeToCache($cacheKey, $groups); + if($primaryGroup !== false) { + $groups[] = $primaryGroup; + } + + $groups = array_unique($groups, SORT_LOCALE_STRING); + $this->access->connection->writeToCache($cacheKey, $groups); return $groups; } From f112ece1f23ac994c1701903c7bcde9dc55e4de3 Mon Sep 17 00:00:00 2001 From: alexweirig Date: Mon, 21 Mar 2016 08:08:36 +0100 Subject: [PATCH 03/12] fixed possible indention problem spaces -> tab conversion --- apps/user_ldap/group_ldap.php | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index 069a7c161b..278eadfddd 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -531,20 +531,20 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { } if(isset($this->cachedGroupsByMember[$uid])) { - $groups[] = $this->cachedGroupsByMember[$uid]; + $groups[] = $this->cachedGroupsByMember[$uid]; } else { - $groupsByMember = array_values($this->getGroupsByMember($uid)); - $groupsByMember = $this->access->ownCloudGroupNames($groupsByMember); - $this->cachedGroupsByMember[$uid] = $groupsByMember; - $groups = array_merge($groups, $groupsByMember); - } + $groupsByMember = array_values($this->getGroupsByMember($uid)); + $groupsByMember = $this->access->ownCloudGroupNames($groupsByMember); + $this->cachedGroupsByMember[$uid] = $groupsByMember; + $groups = array_merge($groups, $groupsByMember); + } - if($primaryGroup !== false) { - $groups[] = $primaryGroup; - } + if($primaryGroup !== false) { + $groups[] = $primaryGroup; + } - $groups = array_unique($groups, SORT_LOCALE_STRING); - $this->access->connection->writeToCache($cacheKey, $groups); + $groups = array_unique($groups, SORT_LOCALE_STRING); + $this->access->connection->writeToCache($cacheKey, $groups); return $groups; } From 087f005936ff5acfa58a874579aa235d86222945 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Mon, 21 Mar 2016 16:56:08 +0100 Subject: [PATCH 04/12] formatting, white-space changes only --- apps/user_ldap/group_ldap.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index 278eadfddd..63476525df 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -476,11 +476,11 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { if ($userMatch !== false) { // match found so this user is in this group $groupName = $this->access->dn2groupname($dynamicGroup['dn'][0]); - if(is_string($groupName)) { - // be sure to never return false if the dn could not be - // resolved to a name, for whatever reason. - $groups[] = $groupName; - } + if(is_string($groupName)) { + // be sure to never return false if the dn could not be + // resolved to a name, for whatever reason. + $groups[] = $groupName; + } } } else { \OCP\Util::writeLog('user_ldap', 'No search filter found on member url '. @@ -530,9 +530,9 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { $uid = $userDN; } - if(isset($this->cachedGroupsByMember[$uid])) { + if(isset($this->cachedGroupsByMember[$uid])) { $groups[] = $this->cachedGroupsByMember[$uid]; - } else { + } else { $groupsByMember = array_values($this->getGroupsByMember($uid)); $groupsByMember = $this->access->ownCloudGroupNames($groupsByMember); $this->cachedGroupsByMember[$uid] = $groupsByMember; From 7f3f06cdd9f6ae8c27a96bd5bfd81482c404c511 Mon Sep 17 00:00:00 2001 From: VicDeo Date: Tue, 7 Jun 2016 10:46:53 +0300 Subject: [PATCH 05/12] Fix update from 9.0.0 and 9.0.1 (#24854) --- lib/private/repair.php | 2 + .../repair/encryptioncompatibility.php | 63 ++ .../apps/encryption/lib/crypto/encryption.php | 563 ++++++++++++++++++ 3 files changed, 628 insertions(+) create mode 100644 lib/private/repair/encryptioncompatibility.php create mode 100644 resources/updater-fixes/apps/encryption/lib/crypto/encryption.php diff --git a/lib/private/repair.php b/lib/private/repair.php index c1f94562de..b62ba20b49 100644 --- a/lib/private/repair.php +++ b/lib/private/repair.php @@ -35,6 +35,7 @@ use OC\Repair\CleanTags; use OC\Repair\Collation; use OC\Repair\CopyRewriteBaseToConfig; use OC\Repair\DropOldJobs; +use OC\Repair\EncryptionCompatibility; use OC\Repair\OldGroupMembershipShares; use OC\Repair\RemoveGetETagEntries; use OC\Repair\SqliteAutoincrement; @@ -139,6 +140,7 @@ class Repair extends BasicEmitter { public static function getBeforeUpgradeRepairSteps() { $connection = \OC::$server->getDatabaseConnection(); $steps = [ + new EncryptionCompatibility(), new InnoDB(), new Collation(\OC::$server->getConfig(), $connection), new SqliteAutoincrement($connection), diff --git a/lib/private/repair/encryptioncompatibility.php b/lib/private/repair/encryptioncompatibility.php new file mode 100644 index 0000000000..e470674f6d --- /dev/null +++ b/lib/private/repair/encryptioncompatibility.php @@ -0,0 +1,63 @@ + + * + * @copyright Copyright (c) 2016, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see + * + */ + +namespace OC\Repair; + +use OC\Hooks\BasicEmitter; +use OC\RepairStep; +use OCP\App; + + +class EncryptionCompatibility extends BasicEmitter implements RepairStep { + private $affectedMd5 = ['19efc6cf053d0248e45407e7cc39b39b', '6752909b79ffe71237a5db5d1f8f1b65']; + private $targetPath = 'encryption/lib/crypto/encryption.php'; + + public function getName() { + return 'Repair encryption app incompatibility'; + } + + public function run() { + $filePath = \OC::$SERVERROOT . '/__apps/' . $this->targetPath; + if ($this->isAffected($filePath)){ + $resourceDir = __DIR__ . '/../../../resources/updater-fixes/apps/'; + $isCopied = copy($resourceDir . $this->targetPath, $filePath); + if ($isCopied){ + $this->emit('\OC\Repair', 'info', ['Successfully replaced ' . $filePath . ' with new version.']); + } else { + $this->emit('\OC\Repair', 'warning', ['Could not replace ' . $filePath . ' with new version.']); + } + } else { + $this->emit('\OC\Repair', 'info', ['No repair necessary']); + } + } + + /** + * @param string $filePath + * Checks whether encryption is enabled and target revisions exist + * @return bool + */ + protected function isAffected($filePath){ + return App::isEnabled('encryption') + && file_exists($filePath) + && in_array(md5_file($filePath), $this->affectedMd5) + ; + } +} diff --git a/resources/updater-fixes/apps/encryption/lib/crypto/encryption.php b/resources/updater-fixes/apps/encryption/lib/crypto/encryption.php new file mode 100644 index 0000000000..6eff66e72b --- /dev/null +++ b/resources/updater-fixes/apps/encryption/lib/crypto/encryption.php @@ -0,0 +1,563 @@ + + * @author Clark Tomlinson + * @author Jan-Christoph Borchardt + * @author Joas Schilling + * @author Lukas Reschke + * @author Thomas Müller + * + * @copyright Copyright (c) 2016, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see + * + */ + +namespace OCA\Encryption\Crypto; + + +use OC\Encryption\Exceptions\DecryptionFailedException; +use OC\Files\Cache\Scanner; +use OC\Files\View; +use OCA\Encryption\Exceptions\PublicKeyMissingException; +use OCA\Encryption\Session; +use OCA\Encryption\Util; +use OCP\Encryption\IEncryptionModule; +use OCA\Encryption\KeyManager; +use OCP\IL10N; +use OCP\ILogger; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; + +class Encryption implements IEncryptionModule { + + const ID = 'OC_DEFAULT_MODULE'; + const DISPLAY_NAME = 'Default encryption module'; + + /** + * @var Crypt + */ + private $crypt; + + /** @var string */ + private $cipher; + + /** @var string */ + private $path; + + /** @var string */ + private $user; + + /** @var string */ + private $fileKey; + + /** @var string */ + private $writeCache; + + /** @var KeyManager */ + private $keyManager; + + /** @var array */ + private $accessList; + + /** @var boolean */ + private $isWriteOperation; + + /** @var Util */ + private $util; + + /** @var Session */ + private $session; + + /** @var ILogger */ + private $logger; + + /** @var IL10N */ + private $l; + + /** @var EncryptAll */ + private $encryptAll; + + /** @var bool */ + private $useMasterPassword; + + /** @var DecryptAll */ + private $decryptAll; + + /** @var int unencrypted block size if block contains signature */ + private $unencryptedBlockSizeSigned = 6072; + + /** @var int unencrypted block size */ + private $unencryptedBlockSize = 6126; + + /** @var int Current version of the file */ + private $version = 0; + + /** @var array remember encryption signature version */ + private static $rememberVersion = []; + + + /** + * + * @param Crypt $crypt + * @param KeyManager $keyManager + * @param Util $util + * @param Session $session + * @param EncryptAll $encryptAll + * @param DecryptAll $decryptAll + * @param ILogger $logger + * @param IL10N $il10n + */ + public function __construct(Crypt $crypt, + KeyManager $keyManager, + Util $util, + Session $session, + EncryptAll $encryptAll, + DecryptAll $decryptAll, + ILogger $logger, + IL10N $il10n) { + $this->crypt = $crypt; + $this->keyManager = $keyManager; + $this->util = $util; + $this->session = $session; + $this->encryptAll = $encryptAll; + $this->decryptAll = $decryptAll; + $this->logger = $logger; + $this->l = $il10n; + $this->useMasterPassword = $util->isMasterKeyEnabled(); + } + + /** + * @return string defining the technical unique id + */ + public function getId() { + return self::ID; + } + + /** + * In comparison to getKey() this function returns a human readable (maybe translated) name + * + * @return string + */ + public function getDisplayName() { + return self::DISPLAY_NAME; + } + + /** + * start receiving chunks from a file. This is the place where you can + * perform some initial step before starting encrypting/decrypting the + * chunks + * + * @param string $path to the file + * @param string $user who read/write the file + * @param string $mode php stream open mode + * @param array $header contains the header data read from the file + * @param array $accessList who has access to the file contains the key 'users' and 'public' + * + * @return array $header contain data as key-value pairs which should be + * written to the header, in case of a write operation + * or if no additional data is needed return a empty array + */ + public function begin($path, $user, $mode, array $header, array $accessList) { + $this->path = $this->getPathToRealFile($path); + $this->accessList = $accessList; + $this->user = $user; + $this->isWriteOperation = false; + $this->writeCache = ''; + + if ($this->session->decryptAllModeActivated()) { + $encryptedFileKey = $this->keyManager->getEncryptedFileKey($this->path); + $shareKey = $this->keyManager->getShareKey($this->path, $this->session->getDecryptAllUid()); + $this->fileKey = $this->crypt->multiKeyDecrypt($encryptedFileKey, + $shareKey, + $this->session->getDecryptAllKey()); + } else { + $this->fileKey = $this->keyManager->getFileKey($this->path, $this->user); + } + + // always use the version from the original file, also part files + // need to have a correct version number if they get moved over to the + // final location + $this->version = (int)$this->keyManager->getVersion($this->stripPartFileExtension($path), new View()); + + if ( + $mode === 'w' + || $mode === 'w+' + || $mode === 'wb' + || $mode === 'wb+' + ) { + $this->isWriteOperation = true; + if (empty($this->fileKey)) { + $this->fileKey = $this->crypt->generateFileKey(); + } + } else { + // if we read a part file we need to increase the version by 1 + // because the version number was also increased by writing + // the part file + if(Scanner::isPartialFile($path)) { + $this->version = $this->version + 1; + } + } + + if ($this->isWriteOperation) { + $this->cipher = $this->crypt->getCipher(); + } elseif (isset($header['cipher'])) { + $this->cipher = $header['cipher']; + } else { + // if we read a file without a header we fall-back to the legacy cipher + // which was used in <=oC6 + $this->cipher = $this->crypt->getLegacyCipher(); + } + + return array('cipher' => $this->cipher, 'signed' => 'true'); + } + + /** + * last chunk received. This is the place where you can perform some final + * operation and return some remaining data if something is left in your + * buffer. + * + * @param string $path to the file + * @param int $position + * @return string remained data which should be written to the file in case + * of a write operation + * @throws PublicKeyMissingException + * @throws \Exception + * @throws \OCA\Encryption\Exceptions\MultiKeyEncryptException + */ + public function end($path, $position = 0) { + $result = ''; + if ($this->isWriteOperation) { + $this->keyManager->setVersion($path, $this->version + 1, new View()); + // in case of a part file we remember the new signature versions + // the version will be set later on update. + // This way we make sure that other apps listening to the pre-hooks + // still get the old version which should be the correct value for them + if (Scanner::isPartialFile($path)) { + self::$rememberVersion[$this->stripPartFileExtension($path)] = $this->version + 1; + } + if (!empty($this->writeCache)) { + $result = $this->crypt->symmetricEncryptFileContent($this->writeCache, $this->fileKey, $this->version + 1, $position); + $this->writeCache = ''; + } + $publicKeys = array(); + if ($this->useMasterPassword === true) { + $publicKeys[$this->keyManager->getMasterKeyId()] = $this->keyManager->getPublicMasterKey(); + } else { + foreach ($this->accessList['users'] as $uid) { + try { + $publicKeys[$uid] = $this->keyManager->getPublicKey($uid); + } catch (PublicKeyMissingException $e) { + $this->logger->warning( + 'no public key found for user "{uid}", user will not be able to read the file', + ['app' => 'encryption', 'uid' => $uid] + ); + // if the public key of the owner is missing we should fail + if ($uid === $this->user) { + throw $e; + } + } + } + } + + $publicKeys = $this->keyManager->addSystemKeys($this->accessList, $publicKeys, $this->user); + $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($this->fileKey, $publicKeys); + $this->keyManager->setAllFileKeys($this->path, $encryptedKeyfiles); + } + return $result; + } + + /** + * encrypt data + * + * @param string $data you want to encrypt + * @param int $position + * @return string encrypted data + */ + public function encrypt($data, $position = 0) { + // If extra data is left over from the last round, make sure it + // is integrated into the next block + if ($this->writeCache) { + + // Concat writeCache to start of $data + $data = $this->writeCache . $data; + + // Clear the write cache, ready for reuse - it has been + // flushed and its old contents processed + $this->writeCache = ''; + + } + + $encrypted = ''; + // While there still remains some data to be processed & written + while (strlen($data) > 0) { + + // Remaining length for this iteration, not of the + // entire file (may be greater than 8192 bytes) + $remainingLength = strlen($data); + + // If data remaining to be written is less than the + // size of 1 6126 byte block + if ($remainingLength < $this->unencryptedBlockSizeSigned) { + + // Set writeCache to contents of $data + // The writeCache will be carried over to the + // next write round, and added to the start of + // $data to ensure that written blocks are + // always the correct length. If there is still + // data in writeCache after the writing round + // has finished, then the data will be written + // to disk by $this->flush(). + $this->writeCache = $data; + + // Clear $data ready for next round + $data = ''; + + } else { + + // Read the chunk from the start of $data + $chunk = substr($data, 0, $this->unencryptedBlockSizeSigned); + + $encrypted .= $this->crypt->symmetricEncryptFileContent($chunk, $this->fileKey, $this->version + 1, $position); + + // Remove the chunk we just processed from + // $data, leaving only unprocessed data in $data + // var, for handling on the next round + $data = substr($data, $this->unencryptedBlockSizeSigned); + + } + + } + + return $encrypted; + } + + /** + * decrypt data + * + * @param string $data you want to decrypt + * @param int $position + * @return string decrypted data + * @throws DecryptionFailedException + */ + public function decrypt($data, $position = 0) { + if (empty($this->fileKey)) { + $msg = 'Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.'; + $hint = $this->l->t('Can not decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.'); + $this->logger->error($msg); + + throw new DecryptionFailedException($msg, $hint); + } + + return $this->crypt->symmetricDecryptFileContent($data, $this->fileKey, $this->cipher, $this->version, $position); + } + + /** + * update encrypted file, e.g. give additional users access to the file + * + * @param string $path path to the file which should be updated + * @param string $uid of the user who performs the operation + * @param array $accessList who has access to the file contains the key 'users' and 'public' + * @return boolean + */ + public function update($path, $uid, array $accessList) { + + if (empty($accessList)) { + if (isset(self::$rememberVersion[$path])) { + $this->keyManager->setVersion($path, self::$rememberVersion[$path], new View()); + unset(self::$rememberVersion[$path]); + } + return; + } + + $fileKey = $this->keyManager->getFileKey($path, $uid); + + if (!empty($fileKey)) { + + $publicKeys = array(); + if ($this->useMasterPassword === true) { + $publicKeys[$this->keyManager->getMasterKeyId()] = $this->keyManager->getPublicMasterKey(); + } else { + foreach ($accessList['users'] as $user) { + try { + $publicKeys[$user] = $this->keyManager->getPublicKey($user); + } catch (PublicKeyMissingException $e) { + $this->logger->warning('Could not encrypt file for ' . $user . ': ' . $e->getMessage()); + } + } + } + + $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $uid); + + $encryptedFileKey = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys); + + $this->keyManager->deleteAllFileKeys($path); + + $this->keyManager->setAllFileKeys($path, $encryptedFileKey); + + } else { + $this->logger->debug('no file key found, we assume that the file "{file}" is not encrypted', + array('file' => $path, 'app' => 'encryption')); + + return false; + } + + return true; + } + + /** + * should the file be encrypted or not + * + * @param string $path + * @return boolean + */ + public function shouldEncrypt($path) { + if ($this->util->shouldEncryptHomeStorage() === false) { + $storage = $this->util->getStorage($path); + if ($storage->instanceOfStorage('\OCP\Files\IHomeStorage')) { + return false; + } + } + $parts = explode('/', $path); + if (count($parts) < 4) { + return false; + } + + if ($parts[2] == 'files') { + return true; + } + if ($parts[2] == 'files_versions') { + return true; + } + if ($parts[2] == 'files_trashbin') { + return true; + } + + return false; + } + + /** + * get size of the unencrypted payload per block. + * ownCloud read/write files with a block size of 8192 byte + * + * @param bool $signed + * @return int + */ + public function getUnencryptedBlockSize($signed = false) { + if ($signed === false) { + return $this->unencryptedBlockSize; + } + + return $this->unencryptedBlockSizeSigned; + } + + /** + * check if the encryption module is able to read the file, + * e.g. if all encryption keys exists + * + * @param string $path + * @param string $uid user for whom we want to check if he can read the file + * @return bool + * @throws DecryptionFailedException + */ + public function isReadable($path, $uid) { + $fileKey = $this->keyManager->getFileKey($path, $uid); + if (empty($fileKey)) { + $owner = $this->util->getOwner($path); + if ($owner !== $uid) { + // if it is a shared file we throw a exception with a useful + // error message because in this case it means that the file was + // shared with the user at a point where the user didn't had a + // valid private/public key + $msg = 'Encryption module "' . $this->getDisplayName() . + '" is not able to read ' . $path; + $hint = $this->l->t('Can not read this file, probably this is a shared file. Please ask the file owner to reshare the file with you.'); + $this->logger->warning($msg); + throw new DecryptionFailedException($msg, $hint); + } + return false; + } + + return true; + } + + /** + * Initial encryption of all files + * + * @param InputInterface $input + * @param OutputInterface $output write some status information to the terminal during encryption + */ + public function encryptAll(InputInterface $input, OutputInterface $output) { + $this->encryptAll->encryptAll($input, $output); + } + + /** + * prepare module to perform decrypt all operation + * + * @param InputInterface $input + * @param OutputInterface $output + * @param string $user + * @return bool + */ + public function prepareDecryptAll(InputInterface $input, OutputInterface $output, $user = '') { + return $this->decryptAll->prepare($input, $output, $user); + } + + + /** + * @param string $path + * @return string + */ + protected function getPathToRealFile($path) { + $realPath = $path; + $parts = explode('/', $path); + if ($parts[2] === 'files_versions') { + $realPath = '/' . $parts[1] . '/files/' . implode('/', array_slice($parts, 3)); + $length = strrpos($realPath, '.'); + $realPath = substr($realPath, 0, $length); + } + + return $realPath; + } + + /** + * remove .part file extension and the ocTransferId from the file to get the + * original file name + * + * @param string $path + * @return string + */ + protected function stripPartFileExtension($path) { + if (pathinfo($path, PATHINFO_EXTENSION) === 'part') { + $pos = strrpos($path, '.', -6); + $path = substr($path, 0, $pos); + } + + return $path; + } + + /** + * Check if the module is ready to be used by that specific user. + * In case a module is not ready - because e.g. key pairs have not been generated + * upon login this method can return false before any operation starts and might + * cause issues during operations. + * + * @param string $user + * @return boolean + * @since 9.1.0 + */ + public function isReadyForUser($user) { + return $this->keyManager->userHasKeys($user); + } +} From b37f2e230b0ca8aa4498567b40e5b465240586ff Mon Sep 17 00:00:00 2001 From: Vincent Petry Date: Wed, 8 Jun 2016 11:22:01 +0200 Subject: [PATCH 06/12] Use array_merge when reading cached groups members --- apps/user_ldap/group_ldap.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/user_ldap/group_ldap.php b/apps/user_ldap/group_ldap.php index 63476525df..f87fe1b5ca 100644 --- a/apps/user_ldap/group_ldap.php +++ b/apps/user_ldap/group_ldap.php @@ -531,7 +531,7 @@ class GROUP_LDAP extends BackendUtility implements \OCP\GroupInterface { } if(isset($this->cachedGroupsByMember[$uid])) { - $groups[] = $this->cachedGroupsByMember[$uid]; + $groups = array_merge($groups, $this->cachedGroupsByMember[$uid]); } else { $groupsByMember = array_values($this->getGroupsByMember($uid)); $groupsByMember = $this->access->ownCloudGroupNames($groupsByMember); From 40f066ab6d578a4ad28452596b0d0d82bfcbef88 Mon Sep 17 00:00:00 2001 From: Robin McCorkell Date: Wed, 20 Apr 2016 16:31:04 +0100 Subject: [PATCH 07/12] Delay reloading the page if an ajax error occurs, show notification --- core/js/js.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/core/js/js.js b/core/js/js.js index b74775a935..be913c6f04 100644 --- a/core/js/js.js +++ b/core/js/js.js @@ -752,7 +752,8 @@ var OC={ // sometimes "beforeunload" happens later, so need to defer the reload a bit setTimeout(function() { if (!self._userIsNavigatingAway && !self._reloadCalled) { - OC.reload(); + OC.Notification.show(t('core', 'Problem loading page, reloading in 5 seconds')); + setTimeout(OC.reload, 5000); // only call reload once self._reloadCalled = true; } From 3f16ce740348e87fa015a825164a49151be554d9 Mon Sep 17 00:00:00 2001 From: Robin McCorkell Date: Wed, 20 Apr 2016 22:09:59 +0100 Subject: [PATCH 08/12] Add test for reload delay --- core/js/tests/specs/coreSpec.js | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/core/js/tests/specs/coreSpec.js b/core/js/tests/specs/coreSpec.js index f18ecbc1a4..0296a3675a 100644 --- a/core/js/tests/specs/coreSpec.js +++ b/core/js/tests/specs/coreSpec.js @@ -935,10 +935,13 @@ describe('Core base tests', function() { }); describe('global ajax errors', function() { var reloadStub, ajaxErrorStub, clock; + var notificationStub; + var waitTimeMs = 6000; beforeEach(function() { clock = sinon.useFakeTimers(); reloadStub = sinon.stub(OC, 'reload'); + notificationStub = sinon.stub(OC.Notification, 'show'); // unstub the error processing method ajaxErrorStub = OC._processAjaxError; ajaxErrorStub.restore(); @@ -946,6 +949,7 @@ describe('Core base tests', function() { }); afterEach(function() { reloadStub.restore(); + notificationStub.restore(); clock.restore(); }); @@ -970,7 +974,7 @@ describe('Core base tests', function() { $(document).trigger(new $.Event('ajaxError'), xhr); // trigger timers - clock.tick(1000); + clock.tick(waitTimeMs); if (expectedCall) { expect(reloadStub.calledOnce).toEqual(true); @@ -986,7 +990,7 @@ describe('Core base tests', function() { $(document).trigger(new $.Event('ajaxError'), xhr); // trigger timers - clock.tick(1000); + clock.tick(waitTimeMs); expect(reloadStub.calledOnce).toEqual(true); }); @@ -997,9 +1001,17 @@ describe('Core base tests', function() { $(document).trigger(new $.Event('ajaxError'), xhr); - clock.tick(1000); + clock.tick(waitTimeMs); expect(reloadStub.notCalled).toEqual(true); }); + it('displays notification', function() { + var xhr = { status: 401 }; + + $(document).trigger(new $.Event('ajaxError'), xhr); + + clock.tick(waitTimeMs); + expect(notificationStub.calledOnce).toEqual(true); + }); }); }); From f5d83e85b7c3ed52440750888439c257c94c4854 Mon Sep 17 00:00:00 2001 From: Victor Dubiniuk Date: Tue, 17 May 2016 17:27:33 +0300 Subject: [PATCH 09/12] Construct path to the version file from the current directory and filename. Fixes #22450 --- apps/files_versions/lib/storage.php | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/apps/files_versions/lib/storage.php b/apps/files_versions/lib/storage.php index 3c23f2f730..a1069410e7 100644 --- a/apps/files_versions/lib/storage.php +++ b/apps/files_versions/lib/storage.php @@ -532,13 +532,15 @@ class Storage { $files = $view->getDirectoryContent($dir); foreach ($files as $file) { + $fileData = $file->getData(); + $filePath = $dir . '/' . $fileData['name']; if ($file['type'] === 'dir') { - array_push($dirs, $file['path']); + array_push($dirs, $filePath); } else { - $versionsBegin = strrpos($file['path'], '.v'); + $versionsBegin = strrpos($filePath, '.v'); $relPathStart = strlen(self::VERSIONS_ROOT); - $version = substr($file['path'], $versionsBegin + 2); - $relpath = substr($file['path'], $relPathStart, $versionsBegin - $relPathStart); + $version = substr($filePath, $versionsBegin + 2); + $relpath = substr($filePath, $relPathStart, $versionsBegin - $relPathStart); $key = $version . '#' . $relpath; $versions[$key] = array('path' => $relpath, 'timestamp' => $version); } From d46cb39e3c7322cf67f98a365943092c1875eff0 Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Thu, 9 Jun 2016 11:37:02 +0200 Subject: [PATCH 10/12] skip scanning for a user when the user is not setup yet --- lib/private/files/utils/scanner.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/private/files/utils/scanner.php b/lib/private/files/utils/scanner.php index f05805fe94..cf85ff4c99 100644 --- a/lib/private/files/utils/scanner.php +++ b/lib/private/files/utils/scanner.php @@ -148,7 +148,12 @@ class Scanner extends PublicEmitter { if ($storage->instanceOfStorage('\OC\Files\Storage\Home') and (!$storage->isCreatable('') or !$storage->isCreatable('files')) ) { - throw new ForbiddenException(); + if ($storage->file_exists('') or $storage->getCache()->inCache('')) { + throw new ForbiddenException(); + } else {// if the root exists in neither the cache nor the storage the user isn't setup yet + break; + } + } $relativePath = $mount->getInternalPath($dir); $scanner = $storage->getScanner(); From eb34e95fd3525630fba8bb56c2e700a40582cb5d Mon Sep 17 00:00:00 2001 From: Vincent Petry Date: Thu, 9 Jun 2016 11:59:42 +0200 Subject: [PATCH 11/12] Use temporary htaccesstest.txt for data dir security check --- core/js/setupchecks.js | 4 +-- core/js/tests/specs/setupchecksSpec.js | 2 +- lib/private/util.php | 37 +++++++++++++++++--------- settings/admin.php | 4 +++ 4 files changed, 31 insertions(+), 16 deletions(-) diff --git a/core/js/setupchecks.js b/core/js/setupchecks.js index 41f6a6e07b..ee93781b07 100644 --- a/core/js/setupchecks.js +++ b/core/js/setupchecks.js @@ -197,7 +197,7 @@ } var afterCall = function(xhr) { var messages = []; - if (xhr.status !== 403 && xhr.status !== 307 && xhr.status !== 301 && xhr.responseText === '') { + if (xhr.status !== 403 && xhr.status !== 307 && xhr.status !== 301 && xhr.responseText !== '') { messages.push({ msg: t('core', 'Your data directory and your files are probably accessible from the Internet. The .htaccess file is not working. We strongly suggest that you configure your web server in a way that the data directory is no longer accessible or you move the data directory outside the web server document root.'), type: OC.SetupChecks.MESSAGE_TYPE_ERROR @@ -208,7 +208,7 @@ $.ajax({ type: 'GET', - url: OC.linkTo('', oc_dataURL+'/.ocdata'), + url: OC.linkTo('', oc_dataURL+'/htaccesstest.txt?t=' + (new Date()).getTime()), complete: afterCall }); return deferred.promise(); diff --git a/core/js/tests/specs/setupchecksSpec.js b/core/js/tests/specs/setupchecksSpec.js index 05be46781d..9e2f0f4901 100644 --- a/core/js/tests/specs/setupchecksSpec.js +++ b/core/js/tests/specs/setupchecksSpec.js @@ -103,7 +103,7 @@ describe('OC.SetupChecks tests', function() { it('should return an error if data directory is not protected', function(done) { var async = OC.SetupChecks.checkDataProtected(); - suite.server.requests[0].respond(200); + suite.server.requests[0].respond(200, {'Content-Type': 'text/plain'}, 'file contents'); async.done(function( data, s, x ){ expect(data).toEqual([ diff --git a/lib/private/util.php b/lib/private/util.php index 488eb8facf..e4d1ebabc7 100644 --- a/lib/private/util.php +++ b/lib/private/util.php @@ -1160,19 +1160,8 @@ class OC_Util { return $encoded; } - /** - * Check if the .htaccess file is working - * @param \OCP\IConfig $config - * @return bool - * @throws Exception - * @throws \OC\HintException If the test file can't get written. - */ - public function isHtaccessWorking(\OCP\IConfig $config) { - - if (\OC::$CLI || !$config->getSystemValue('check_for_working_htaccess', true)) { - return true; - } + public function createHtaccessTestFile(\OCP\IConfig $config) { // php dev server does not support htaccess if (php_sapi_name() === 'cli-server') { return false; @@ -1180,7 +1169,7 @@ class OC_Util { // testdata $fileName = '/htaccesstest.txt'; - $testContent = 'testcontent'; + $testContent = 'This is used for testing whether htaccess is properly enabled to disallow access from the outside. This file can be safely removed.'; // creating a test file $testFile = $config->getSystemValue('datadirectory', OC::$SERVERROOT . '/data') . '/' . $fileName; @@ -1196,6 +1185,28 @@ class OC_Util { } fwrite($fp, $testContent); fclose($fp); + } + + /** + * Check if the .htaccess file is working + * @param \OCP\IConfig $config + * @return bool + * @throws Exception + * @throws \OC\HintException If the test file can't get written. + */ + public function isHtaccessWorking(\OCP\IConfig $config) { + + if (\OC::$CLI || !$config->getSystemValue('check_for_working_htaccess', true)) { + return true; + } + + $testContent = $this->createHtaccessTestFile($config); + if ($testContent === false) { + return false; + } + + $fileName = '/htaccesstest.txt'; + $testFile = $config->getSystemValue('datadirectory', OC::$SERVERROOT . '/data') . '/' . $fileName; // accessing the file via http $url = \OC::$server->getURLGenerator()->getAbsoluteURL(OC::$WEBROOT . '/data' . $fileName); diff --git a/settings/admin.php b/settings/admin.php index 42ca7e3525..d9746f4163 100644 --- a/settings/admin.php +++ b/settings/admin.php @@ -264,3 +264,7 @@ if ($updaterAppPanel) { $template->assign('forms', $formsAndMore); $template->printPage(); + +$util = new \OC_Util(); +$util->createHtaccessTestFile(\OC::$server->getConfig()); + From fba4460342bdcea7753e70c89a11c2ecc1b8824d Mon Sep 17 00:00:00 2001 From: Vincent Petry Date: Thu, 9 Jun 2016 18:02:09 +0200 Subject: [PATCH 12/12] Add unit test for LDAP multi group caching --- apps/user_ldap/tests/group_ldap.php | 53 +++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/apps/user_ldap/tests/group_ldap.php b/apps/user_ldap/tests/group_ldap.php index 51bb1d8473..a81bf70f54 100644 --- a/apps/user_ldap/tests/group_ldap.php +++ b/apps/user_ldap/tests/group_ldap.php @@ -455,4 +455,57 @@ class Test_Group_Ldap extends \Test\TestCase { $groupBackend->getUserGroups('userX'); } + public function testGetGroupsByMember() { + $access = $this->getAccessMock(); + + $access->connection->expects($this->any()) + ->method('__get') + ->will($this->returnCallback(function($name) { + if($name === 'useMemberOfToDetectMembership') { + return 0; + } else if($name === 'ldapDynamicGroupMemberURL') { + return ''; + } else if($name === 'ldapNestedGroups') { + return false; + } + return 1; + })); + + $dn = 'cn=userX,dc=foobar'; + + $access->connection->hasPrimaryGroups = false; + + $access->expects($this->exactly(2)) + ->method('username2dn') + ->will($this->returnValue($dn)); + + $access->expects($this->never()) + ->method('readAttribute') + ->with($dn, 'memberOf'); + + $group1 = [ + 'cn' => 'group1', + 'dn' => ['cn=group1,ou=groups,dc=domain,dc=com'], + ]; + $group2 = [ + 'cn' => 'group2', + 'dn' => ['cn=group2,ou=groups,dc=domain,dc=com'], + ]; + + $access->expects($this->once()) + ->method('ownCloudGroupNames') + ->with([$group1, $group2]) + ->will($this->returnValue(['group1', 'group2'])); + + $access->expects($this->once()) + ->method('fetchListOfGroups') + ->will($this->returnValue([$group1, $group2])); + + $groupBackend = new GroupLDAP($access); + $groups = $groupBackend->getUserGroups('userX'); + $this->assertEquals(['group1', 'group2'], $groups); + + $groupsAgain = $groupBackend->getUserGroups('userX'); + $this->assertEquals(['group1', 'group2'], $groupsAgain); + } }