mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Work on post_share hook for files_encryption 

New method in OCP\Share{}:: getUsersSharingFile()
Development shapshot
This commit is contained in:
Sam Tuke 2013-02-09 18:39:32 +00:00
parent 1aba986d9f
commit b3e59ca1e3
4 changed files with 429 additions and 311 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
apps/files_encryption/hooks/hooks.php
View File

@ -166,14 +166,77 @@ class Hooks {
*/ */
public static function postShared( $params ) { public static function postShared( $params ) {
// Delete existing catfile // NOTE: $params is an array with these keys:
Keymanager::deleteFileKey( ); // itemSource -> int, filecache file ID
// shareWith -> string, uid of user being shared to
// fileTarget -> path of file being shared
// uidOwner -> owner of the original file being shared
// Generate new catfile and env keys $view = new \OC_FilesystemView( '/' );
Crypt::multiKeyEncrypt( $plainContent, $publicKeys ); $userId = \OCP\User::getUser();
$util = new Util( $view, $userId );
$shares = \OCP\Share::getUsersSharingFile( $params['fileTarget'] );
$userIds = array();
foreach ( $shares as $share ) {
$util = new Util( $view, $share['userId'] );
// Check that the user is encryption capable
if ( $util->ready() ) {
// Construct array of just UIDs for Keymanager{}
$userIds[] = $share['userId'];
} else {
// Log warning; we can't do necessary setup here
// because we don't have the user passphrase
// TODO: Provide user feedback indicating that
// sharing failed
\OC_Log::write( 'Encryption library', 'File cannot be shared: user "'.$share['userId'].'" is not setup for encryption', \OC_Log::WARN );
}
}
trigger_error("UIDS = ".var_export($userIds, 1));
$userPubKeys = Keymanager::getPublicKeys( $view, $userIds );
// trigger_error("PUB KEYS = ".var_export($userPubKeys, 1));
// TODO: Fetch path from Crypt{} getter
$plainContent = $view->file_get_contents( $userId . '/' . 'files'. '/' . $params['fileTarget'] );
// Generate new catfile and share keys
if ( ! $encrypted = Crypt::multiKeyEncrypt( $plainContent, $userPubKeys ) ) {
// If the re-encryption failed, don't risk deleting data
return false;
}
trigger_error("ENCRYPTED = ". var_export($encrypted, 1));
// Save env keys to user folders // Save env keys to user folders
foreach ( $encrypted['keys'] as $key ) {
// Keymanager::setShareKey( $view, $params['fileTarget'], $userId, $key );
}
// Delete existing catfile
// Check if keyfile exists (it won't if file has been shared before)
// Do this last to ensure file is recoverable in case of error
if ( $util->isEncryptedPath( $params['fileTarget'] ) ) {
// NOTE: This will trigger an error if keyfile isn't found
// Keymanager::deleteFileKey( $params['fileTarget'] );
}
} }

583
apps/files_encryption/lib/keymanager.php
View File

@ -1,267 +1,244 @@
<?php <?php
/** /**
* ownCloud * ownCloud
* *
* @author Bjoern Schiessle * @author Bjoern Schiessle
* @copyright 2012 Bjoern Schiessle <schiessle@owncloud.com> * @copyright 2012 Bjoern Schiessle <schiessle@owncloud.com>
* *
* This library is free software; you can redistribute it and/or * This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
* License as published by the Free Software Foundation; either * License as published by the Free Software Foundation; either
* version 3 of the License, or any later version. * version 3 of the License, or any later version.
* *
* This library is distributed in the hope that it will be useful, * This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU AFFERO GENERAL PUBLIC LICENSE for more details. * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
* *
* You should have received a copy of the GNU Affero General Public * You should have received a copy of the GNU Affero General Public
* License along with this library. If not, see <http://www.gnu.org/licenses/>. * License along with this library. If not, see <http://www.gnu.org/licenses/>.
* *
*/ */
namespace OCA\Encryption; namespace OCA\Encryption;
/** /**
* @brief Class to manage storage and retrieval of encryption keys * @brief Class to manage storage and retrieval of encryption keys
* @note Where a method requires a view object, it's root must be '/' * @note Where a method requires a view object, it's root must be '/'
*/ */
class Keymanager { class Keymanager {
/** /**
* @brief retrieve the ENCRYPTED private key from a user * @brief retrieve the ENCRYPTED private key from a user
* *
* @return string private key or false * @return string private key or false
* @note the key returned by this method must be decrypted before use * @note the key returned by this method must be decrypted before use
*/ */
public static function getPrivateKey( \OC_FilesystemView $view, $user ) { public static function getPrivateKey( \OC_FilesystemView $view, $user ) {
$path = '/' . $user . '/' . 'files_encryption' . '/' . $user.'.private.key'; $path = '/' . $user . '/' . 'files_encryption' . '/' . $user.'.private.key';
$key = $view->file_get_contents( $path ); $key = $view->file_get_contents( $path );
return $key; return $key;
} }
/** /**
* @brief retrieve public key for a specified user * @brief retrieve public key for a specified user
* @param \OC_FilesystemView $view * @param \OC_FilesystemView $view
* @param $userId * @param $userId
* @return string public key or false * @return string public key or false
*/ */
public static function getPublicKey( \OC_FilesystemView $view, $userId ) { public static function getPublicKey( \OC_FilesystemView $view, $userId ) {
return $view->file_get_contents( '/public-keys/' . '/' . $userId . '.public.key' ); return $view->file_get_contents( '/public-keys/' . '/' . $userId . '.public.key' );
} }
/** /**
* @brief retrieve both keys from a user (private and public) * @brief Retrieve a user's public and private key
* @param \OC_FilesystemView $view * @param \OC_FilesystemView $view
* @param $userId * @param $userId
* @return array keys: privateKey, publicKey * @return array keys: privateKey, publicKey
*/ */
public static function getUserKeys( \OC_FilesystemView $view, $userId ) { public static function getUserKeys( \OC_FilesystemView $view, $userId ) {
return array( return array(
'publicKey' => self::getPublicKey( $view, $userId ) 'publicKey' => self::getPublicKey( $view, $userId )
, 'privateKey' => self::getPrivateKey( $view, $userId ) , 'privateKey' => self::getPrivateKey( $view, $userId )
); );
} }
/** /**
* @brief Retrieve public keys of all users with access to a file * @brief Retrieve public keys for given users
* @param string $path Path to file * @param \OC_FilesystemView $view
* @return array of public keys for the given file * @param array $userIds
* @note Checks that the sharing app is enabled should be performed * @return array of public keys for the specified users
* by client code, that isn't checked here */
*/ public static function getPublicKeys( \OC_FilesystemView $view, $userIds ) {
public static function getPublicKeys( \OC_FilesystemView $view, $userId, $filePath ) {
$i = 0;
$path = ltrim( $path, '/' ); $keys = array();
$filepath = '/' . $userId . '/files/' . $filePath; foreach ( $userIds as $userId ) {
// Check if sharing is enabled $i++;
if ( OC_App::isEnabled( 'files_sharing' ) ) { $keys[$userId] = self::getPublicKey( $view, $userId );
}
} else { $keys['total'] = $i;
// check if it is a file owned by the user and not shared at all return $keys;
$userview = new \OC_FilesystemView( '/'.$userId.'/files/' );
}
if ( $userview->file_exists( $path ) ) {
/**
$users[] = $userId; * @brief store file encryption key
*
} * @param string $path relative path of the file, including filename
* @param string $key
} * @return bool true/false
* @note The keyfile is not encrypted here. Client code must
$view = new \OC_FilesystemView( '/public-keys/' ); * asymmetrically encrypt the keyfile before passing it to this method
*/
$keylist = array(); public static function setFileKey( \OC_FilesystemView $view, $path, $userId, $catfile ) {
$count = 0; $basePath = '/' . $userId . '/files_encryption/keyfiles';
foreach ( $users as $user ) { $targetPath = self::keySetPreparation( $view, $path, $basePath, $userId );
$keylist['key'.++$count] = $view->file_get_contents( $user.'.public.key' ); if ( $view->is_dir( $basePath . '/' . $targetPath ) ) {
}
return $keylist; } else {
} // Save the keyfile in parallel directory
return $view->file_put_contents( $basePath . '/' . $targetPath . '.key', $catfile );
/**
* @brief store file encryption key }
*
* @param string $path relative path of the file, including filename }
* @param string $key
* @return bool true/false /**
* @note The keyfile is not encrypted here. Client code must * @brief retrieve keyfile for an encrypted file
* asymmetrically encrypt the keyfile before passing it to this method
*/
public static function setFileKey( \OC_FilesystemView $view, $path, $userId, $catfile ) {
$basePath = '/' . $userId . '/files_encryption/keyfiles';
$targetPath = self::keySetPreparation( $view, $path, $basePath, $userId );
if ( $view->is_dir( $basePath . '/' . $targetPath ) ) {
} else {
// Save the keyfile in parallel directory
return $view->file_put_contents( $basePath . '/' . $targetPath . '.key', $catfile );
}
}
/**
* @brief retrieve keyfile for an encrypted file
* @param \OC_FilesystemView $view * @param \OC_FilesystemView $view
* @param $userId * @param $userId
* @param $filePath * @param $filePath
* @internal param \OCA\Encryption\file $string name * @internal param \OCA\Encryption\file $string name
* @return string file key or false * @return string file key or false
* @note The keyfile returned is asymmetrically encrypted. Decryption * @note The keyfile returned is asymmetrically encrypted. Decryption
* of the keyfile must be performed by client code * of the keyfile must be performed by client code
*/ */
public static function getFileKey( \OC_FilesystemView $view, $userId, $filePath ) { public static function getFileKey( \OC_FilesystemView $view, $userId, $filePath ) {
$filePath_f = ltrim( $filePath, '/' ); $filePath_f = ltrim( $filePath, '/' );
$catfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key'; $catfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key';
if ( $view->file_exists( $catfilePath ) ) { if ( $view->file_exists( $catfilePath ) ) {
return $view->file_get_contents( $catfilePath ); return $view->file_get_contents( $catfilePath );
} else { } else {
return false; return false;
} }
} }
/** /**
* @brief Delete a keyfile * @brief Delete a keyfile
* *
* @param OC_FilesystemView $view * @param OC_FilesystemView $view
* @param string $userId username * @param string $userId username
* @param string $path path of the file the key belongs to * @param string $path path of the file the key belongs to
* @return bool Outcome of unlink operation * @return bool Outcome of unlink operation
* @note $path must be relative to data/user/files. e.g. mydoc.txt NOT * @note $path must be relative to data/user/files. e.g. mydoc.txt NOT
* /data/admin/files/mydoc.txt * /data/admin/files/mydoc.txt
*/ */
public static function deleteFileKey( \OC_FilesystemView $view, $userId, $path ) { public static function deleteFileKey( \OC_FilesystemView $view, $userId, $path ) {
$trimmed = ltrim( $path, '/' ); $trimmed = ltrim( $path, '/' );
$keyPath = '/' . $userId . '/files_encryption/keyfiles/' . $trimmed . '.key'; $keyPath = '/' . $userId . '/files_encryption/keyfiles/' . $trimmed . '.key';
// Unlink doesn't tell us if file was deleted (not found returns // Unlink doesn't tell us if file was deleted (not found returns
// true), so we perform our own test // true), so we perform our own test
if ( $view->file_exists( $keyPath ) ) { if ( $view->file_exists( $keyPath ) ) {
return $view->unlink( $keyPath ); return $view->unlink( $keyPath );
} else { } else {
\OC_Log::write( 'Encryption library', 'Could not delete keyfile; does not exist: "' . $keyPath, \OC_Log::ERROR ); \OC_Log::write( 'Encryption library', 'Could not delete keyfile; does not exist: "' . $keyPath, \OC_Log::ERROR );
return false; return false;
} }
} }
/** /**
* @brief store private key from the user * @brief store private key from the user
* @param string key * @param string key
* @return bool * @return bool
* @note Encryption of the private key must be performed by client code * @note Encryption of the private key must be performed by client code
* as no encryption takes place here * as no encryption takes place here
*/ */
public static function setPrivateKey( $key ) { public static function setPrivateKey( $key ) {
$user = \OCP\User::getUser(); $user = \OCP\User::getUser();
$view = new \OC_FilesystemView( '/' . $user . '/files_encryption' ); $view = new \OC_FilesystemView( '/' . $user . '/files_encryption' );
\OC_FileProxy::$enabled = false; \OC_FileProxy::$enabled = false;
if ( !$view->file_exists( '' ) ) $view->mkdir( '' ); if ( !$view->file_exists( '' ) ) $view->mkdir( '' );
return $view->file_put_contents( $user . '.private.key', $key ); return $view->file_put_contents( $user . '.private.key', $key );
\OC_FileProxy::$enabled = true; \OC_FileProxy::$enabled = true;
} }
/** /**
* @brief store private keys from the user * @brief store private keys from the user
* *
* @param string privatekey * @param string privatekey
* @param string publickey * @param string publickey
* @return bool true/false * @return bool true/false
*/ */
public static function setUserKeys($privatekey, $publickey) { public static function setUserKeys($privatekey, $publickey) {
return ( self::setPrivateKey( $privatekey ) && self::setPublicKey( $publickey ) ); return ( self::setPrivateKey( $privatekey ) && self::setPublicKey( $publickey ) );
} }
/** /**
* @brief store public key of the user * @brief store public key of the user
* *
* @param string key * @param string key
* @return bool true/false * @return bool true/false
*/ */
public static function setPublicKey( $key ) { public static function setPublicKey( $key ) {
$view = new \OC_FilesystemView( '/public-keys' ); $view = new \OC_FilesystemView( '/public-keys' );
\OC_FileProxy::$enabled = false; \OC_FileProxy::$enabled = false;
if ( !$view->file_exists( '' ) ) $view->mkdir( '' ); if ( !$view->file_exists( '' ) ) $view->mkdir( '' );
return $view->file_put_contents( \OCP\User::getUser() . '.public.key', $key ); return $view->file_put_contents( \OCP\User::getUser() . '.public.key', $key );
\OC_FileProxy::$enabled = true; \OC_FileProxy::$enabled = true;
} }
/** /**
* @brief store file encryption key * @brief store file encryption key
* *
* @param string $path relative path of the file, including filename * @param string $path relative path of the file, including filename
@ -271,70 +248,70 @@ class Keymanager {
* @return bool true/false * @return bool true/false
* @note The keyfile is not encrypted here. Client code must * @note The keyfile is not encrypted here. Client code must
* asymmetrically encrypt the keyfile before passing it to this method * asymmetrically encrypt the keyfile before passing it to this method
*/ */
public static function setShareKey( \OC_FilesystemView $view, $path, $userId, $shareKey ) { public static function setShareKey( \OC_FilesystemView $view, $path, $userId, $shareKey ) {
$basePath = '/' . $userId . '/files_encryption/share-keys'; $basePath = '/' . $userId . '/files_encryption/share-keys';
$shareKeyPath = self::keySetPreparation( $view, $path, $basePath, $userId ); $shareKeyPath = self::keySetPreparation( $view, $path, $basePath, $userId );
return $view->file_put_contents( $basePath . '/' . $shareKeyPath . '.shareKey', $shareKey ); return $view->file_put_contents( $basePath . '/' . $shareKeyPath . '.shareKey', $shareKey );
} }
/** /**
* @brief Make preparations to vars and filesystem for saving a keyfile * @brief Make preparations to vars and filesystem for saving a keyfile
*/ */
public static function keySetPreparation( \OC_FilesystemView $view, $path, $basePath, $userId ) { public static function keySetPreparation( \OC_FilesystemView $view, $path, $basePath, $userId ) {
$targetPath = ltrim( $path, '/' ); $targetPath = ltrim( $path, '/' );
$path_parts = pathinfo( $targetPath ); $path_parts = pathinfo( $targetPath );
// If the file resides within a subdirectory, create it // If the file resides within a subdirectory, create it
if ( if (
isset( $path_parts['dirname'] ) isset( $path_parts['dirname'] )
&& ! $view->file_exists( $basePath . '/' . $path_parts['dirname'] ) && ! $view->file_exists( $basePath . '/' . $path_parts['dirname'] )
) { ) {
$view->mkdir( $basePath . '/' . $path_parts['dirname'] ); $view->mkdir( $basePath . '/' . $path_parts['dirname'] );
} }
return $targetPath; return $targetPath;
} }
/** /**
* @brief change password of private encryption key * @brief change password of private encryption key
* *
* @param string $oldpasswd old password * @param string $oldpasswd old password
* @param string $newpasswd new password * @param string $newpasswd new password
* @return bool true/false * @return bool true/false
*/ */
public static function changePasswd($oldpasswd, $newpasswd) { public static function changePasswd($oldpasswd, $newpasswd) {
if ( \OCP\User::checkPassword(\OCP\User::getUser(), $newpasswd) ) { if ( \OCP\User::checkPassword(\OCP\User::getUser(), $newpasswd) ) {
return Crypt::changekeypasscode($oldpasswd, $newpasswd); return Crypt::changekeypasscode($oldpasswd, $newpasswd);
} }
return false; return false;
} }
/** /**
* @brief Fetch the legacy encryption key from user files * @brief Fetch the legacy encryption key from user files
* @param string $login used to locate the legacy key * @param string $login used to locate the legacy key
* @param string $passphrase used to decrypt the legacy key * @param string $passphrase used to decrypt the legacy key
* @return true / false * @return true / false
* *
* if the key is left out, the default handeler will be used * if the key is left out, the default handeler will be used
*/ */
public function getLegacyKey() { public function getLegacyKey() {
$user = \OCP\User::getUser(); $user = \OCP\User::getUser();
$view = new \OC_FilesystemView( '/' . $user ); $view = new \OC_FilesystemView( '/' . $user );
return $view->file_get_contents( 'encryption.key' ); return $view->file_get_contents( 'encryption.key' );
} }
} }

32
apps/files_encryption/lib/proxy.php
View File

@ -95,7 +95,8 @@ class Proxy extends \OC_FileProxy {
if ( self::shouldEncrypt( $path ) ) { if ( self::shouldEncrypt( $path ) ) {
if ( !is_resource( $data ) ) { //stream put contents should have been converted to fopen // Stream put contents should have been converted to fopen
if ( !is_resource( $data ) ) {
$userId = \OCP\USER::getUser(); $userId = \OCP\USER::getUser();
@ -107,10 +108,33 @@ class Proxy extends \OC_FileProxy {
// Disable encryption proxy to prevent recursive calls // Disable encryption proxy to prevent recursive calls
\OC_FileProxy::$enabled = false; \OC_FileProxy::$enabled = false;
// TODO: Check if file is shared, if so, use multiKeyEncrypt $fileOwner = \OC\Files\Filesystem::getOwner( $path );
// Encrypt plain data and fetch key // Check if the keyfile needs to be shared
$encrypted = Crypt::keyEncryptKeyfile( $data, Keymanager::getPublicKey( $rootView, $userId ) ); if (
$fileOwner !== true
or $fileOwner !== $userId
) {
// Shared storage backend isn't loaded
$users = \OCP\Share::getItemShared( 'file', $path, \OC_Share_backend_File::FORMAT_SHARED_STORAGE );
//
trigger_error("SHARE USERS = ". var_export($users, 1));
//
// $publicKeys = Keymanager::getPublicKeys( $rootView, $users);
//
// // Encrypt plain data to multiple users
// $encrypted = Crypt::multiKeyEncrypt( $data, $publicKeys );
} else {
$publicKey = Keymanager::getPublicKey( $rootView, $userId );
// Encrypt plain data to a single user
$encrypted = Crypt::keyEncryptKeyfile( $data, $publicKey );
}
// Replace plain content with encrypted content by reference // Replace plain content with encrypted content by reference
$data = $encrypted['data']; $data = $encrypted['data'];

54
lib/public/share.php
View File

@ -91,6 +91,60 @@ class Share {
} }
return false; return false;
} }
/**
* @brief Find which users can access a shared item
* @param string Item type
* @param int Format (optional) Format type must be defined by the backend
* @param int Number of items to return (optional) Returns all by default
* @return Return depends on format
*/
public static function getUsersSharingFile( $path ) {
// Fetch all shares of this file path from DB
$query = \OC_DB::prepare(
'SELECT
share_type
, share_with
, permissions
FROM
`*PREFIX*share`
WHERE
file_target = ?'
);
$result = $query->execute( array( $path ) );
if ( \OC_DB::isError( $result ) ) {
\OC_Log::write( 'OCP\Share', \OC_DB::getErrorMessage($result) . ', path=' . $path, \OC_Log::ERROR );
}
$shares = array();
while( $row = $result->fetchRow() ) {
// Set helpful array keys
$shares[] = array(
'userId' => $row['share_with']
, 'shareType' => $row['share_type']
, 'permissions' => $row['permissions']
);
}
if ( ! empty( $shares ) ) {
return $shares;
} else {
return false;
}
}
/** /**
* @brief Get the items of item type shared with the current user * @brief Get the items of item type shared with the current user