mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #3527 from owncloud/file_encryption_external_storage_fixes 

File encryption external storage fixes
This commit is contained in:
FlorinPeter 2013-05-31 03:21:46 -07:00
parent a730a72dcb eaa4f92275
commit d636e168a6
8 changed files with 198 additions and 181 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
apps/files_encryption/hooks/hooks.php
View File

@ -327,6 +327,12 @@ class Hooks {
$sharingEnabled = \OCP\Share::isEnabled();
// get the path including mount point only if not a shared folder
if(strncmp($path, '/Shared' , strlen('/Shared') !== 0)) {
// get path including the the storage mount point
$path = $util->getPathWithMountPoint($params['itemSource']);
}
// if a folder was shared, get a list of all (sub-)folders
if ($params['itemType'] === 'folder') {
$allFiles = $util->getAllFiles($path);
@ -376,17 +382,11 @@ class Hooks {
// rebuild path
foreach ($targetPathSplit as $pathPart) {
if ($pathPart !== $sharedPart) {
$path = '/' . $pathPart . $path;
} else {
break;
}
}
// prefix path with Shared
@ -404,13 +404,16 @@ class Hooks {
}
}
// get the path including mount point only if not a shared folder
if(strncmp($path, '/Shared' , strlen('/Shared') !== 0)) {
// get path including the the storage mount point
$path = $util->getPathWithMountPoint($params['itemSource']);
}
// if we unshare a folder we need a list of all (sub-)files
if ($params['itemType'] === 'folder') {
$allFiles = $util->getAllFiles($path);
$allFiles = $util->getAllFiles( $path );
} else {
$allFiles = array($path);
}

14
apps/files_encryption/lib/helper.php
View File

@ -186,4 +186,18 @@ class Helper {
return false;
}
}
/**
* @brief Format a path to be relative to the /user/files/ directory
* @param string $path the absolute path
* @return string e.g. turns '/admin/files/test.txt' into 'test.txt'
*/
public static function stripUserFilesPath($path) {
$trimmed = ltrim($path, '/');
$split = explode('/', $trimmed);
$sliced = array_slice($split, 2);
$relPath = implode('/', $sliced);
return $relPath;
}
}

4
apps/files_encryption/lib/keymanager.php
View File

@ -169,7 +169,7 @@ class Keymanager {
*/
public static function fixPartialFilePath($path) {
if (preg_match('/\.part$/', $path)) {
if (preg_match('/\.part$/', $path) || preg_match('/\.etmp$/', $path)) {
$newLength = strlen($path) - 5;
$fPath = substr($path, 0, $newLength);
@ -191,7 +191,7 @@ class Keymanager {
*/
public static function isPartialFilePath($path) {
if (preg_match('/\.part$/', $path)) {
if (preg_match('/\.part$/', $path) || preg_match('/\.etmp$/', $path)) {
return true;

166
apps/files_encryption/lib/proxy.php
View File

@ -104,78 +104,40 @@ class Proxy extends \OC_FileProxy {
if (self::shouldEncrypt($path)) {
// Stream put contents should have been converted to fopen
if (!is_resource($data)) {
$userId = \OCP\USER::getUser();
// get root view
$view = new \OC_FilesystemView('/');
$util = new Util($view, $userId);
$session = new \OCA\Encryption\Session($view);
$privateKey = $session->getPrivateKey();
$filePath = $util->stripUserFilesPath($path);
// Set the filesize for userland, before encrypting
$size = strlen($data);
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// Check if there is an existing key we can reuse
if ($encKeyfile = Keymanager::getFileKey($view, $userId, $filePath)) {
// Fetch shareKey
$shareKey = Keymanager::getShareKey($view, $userId, $filePath);
// Decrypt the keyfile
$plainKey = Crypt::multiKeyDecrypt($encKeyfile, $shareKey, $privateKey);
} else {
// Make a new key
$plainKey = Crypt::generateKey();
// get relative path
$relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path);
if (!isset($relativePath)) {
return true;
}
// Encrypt data
$encData = Crypt::symmetricEncryptFileContent($data, $plainKey);
$handle = fopen('crypt://' . $relativePath . '.etmp', 'w');
if (is_resource($handle)) {
$sharingEnabled = \OCP\Share::isEnabled();
// write data to stream
fwrite($handle, $data);
// if file exists try to get sharing users
if ($view->file_exists($path)) {
$uniqueUserIds = $util->getSharingUsersArray($sharingEnabled, $filePath, $userId);
} else {
$uniqueUserIds[] = $userId;
// close stream
fclose($handle);
// disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// get encrypted content
$data = $view->file_get_contents($path . '.etmp');
// remove our temp file
$view->unlink($path . '.etmp');
// re-enable proxy - our work is done
\OC_FileProxy::$enabled = $proxyStatus;
}
// Fetch public keys for all users who will share the file
$publicKeys = Keymanager::getPublicKeys($view, $uniqueUserIds);
// Encrypt plain keyfile to multiple sharefiles
$multiEncrypted = Crypt::multiKeyEncrypt($plainKey, $publicKeys);
// Save sharekeys to user folders
Keymanager::setShareKeys($view, $filePath, $multiEncrypted['keys']);
// Set encrypted keyfile as common varname
$encKey = $multiEncrypted['data'];
// Save keyfile for newly encrypted file in parallel directory tree
Keymanager::setFileKey($view, $filePath, $userId, $encKey);
// Replace plain content with encrypted content by reference
$data = $encData;
// Update the file cache with file info
\OC\Files\Filesystem::putFileInfo($filePath, array(
'encrypted' => true,
'size' => strlen($data),
'unencrypted_size' => $size
), '');
// Re-enable proxy - our work is done
\OC_FileProxy::$enabled = $proxyStatus;
}
}
@ -189,15 +151,11 @@ class Proxy extends \OC_FileProxy {
*/
public function postFile_get_contents($path, $data) {
$userId = \OCP\USER::getUser();
$plainData = null;
$view = new \OC_FilesystemView('/');
$util = new Util($view, $userId);
$relPath = $util->stripUserFilesPath($path);
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// get relative path
$relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path);
// init session
$session = new \OCA\Encryption\Session($view);
@ -208,28 +166,27 @@ class Proxy extends \OC_FileProxy {
&& Crypt::isCatfileContent($data)
) {
$privateKey = $session->getPrivateKey($userId);
$handle = fopen('crypt://' . $relativePath, 'r');
// Get the encrypted keyfile
$encKeyfile = Keymanager::getFileKey($view, $userId, $relPath);
// Attempt to fetch the user's shareKey
$shareKey = Keymanager::getShareKey($view, $userId, $relPath);
// Decrypt keyfile with shareKey
$plainKeyfile = Crypt::multiKeyDecrypt($encKeyfile, $shareKey, $privateKey);
$plainData = Crypt::symmetricDecryptFileContent($data, $plainKeyfile);
if (is_resource($handle)) {
while (($plainDataChunk = fgets($handle, 8192)) !== false) {
$plainData .= $plainDataChunk;
}
}
} elseif (
Crypt::mode() == 'server'
&& \OC::$session->exists('legacyenckey')
&& Crypt::isEncryptedMeta($path)
) {
$plainData = Crypt::legacyBlockDecrypt($data, $session->getLegacyKey());
}
// Disable encryption proxy to prevent recursive calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
\OC_FileProxy::$enabled = $proxyStatus;
$plainData = Crypt::legacyBlockDecrypt($data, $session->getLegacyKey());
\OC_FileProxy::$enabled = $proxyStatus;
}
if (!isset($plainData)) {
@ -261,10 +218,10 @@ class Proxy extends \OC_FileProxy {
$util = new Util($view, $userId);
// Format path to be relative to user files dir
$relPath = $util->stripUserFilesPath($path);
// get relative path
$relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path);
list($owner, $ownerPath) = $util->getUidAndFilename($relPath);
list($owner, $ownerPath) = $util->getUidAndFilename($relativePath);
// Delete keyfile & shareKey so it isn't orphaned
if (!Keymanager::deleteFileKey($view, $owner, $ownerPath)) {
@ -305,12 +262,14 @@ class Proxy extends \OC_FileProxy {
}
// Reformat path for use with OC_FSV
$path_split = explode('/', $path);
$path_f = implode('/', array_slice($path_split, 3));
// split the path parts
$pathParts = explode('/', $path);
// get relative path
$relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path);
// FIXME: handling for /userId/cache used by webdav for chunking. The cache chunks are NOT encrypted
if (isset($path_split) && $path_split[2] === 'cache') {
if (isset($pathParts[2]) && $pathParts[2] === 'cache') {
return $result;
}
@ -335,14 +294,14 @@ class Proxy extends \OC_FileProxy {
// Open the file using the crypto stream wrapper
// protocol and let it do the decryption work instead
$result = fopen('crypt://' . $path_f, $meta['mode']);
$result = fopen('crypt://' . $relativePath, $meta['mode']);
} elseif (
self::shouldEncrypt($path)
and $meta ['mode'] !== 'r'
and $meta['mode'] !== 'rb'
) {
$result = fopen('crypt://' . $path_f, $meta['mode']);
$result = fopen('crypt://' . $relativePath, $meta['mode']);
}
// Re-enable the proxy
@ -390,12 +349,11 @@ class Proxy extends \OC_FileProxy {
return $size;
}
// Reformat path for use with OC_FSV
$path_split = explode('/', $path);
$path_f = implode('/', array_slice($path_split, 3));
// get relative path
$relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path);
// if path is empty we cannot resolve anything
if (empty($path_f)) {
if (empty($relativePath)) {
return $size;
}
@ -424,7 +382,7 @@ class Proxy extends \OC_FileProxy {
$fileInfo['unencrypted_size'] = $size;
// put file info if not .part file
if (!Keymanager::isPartialFilePath($path_f)) {
if (!Keymanager::isPartialFilePath($relativePath)) {
$view->putFileInfo($path, $fileInfo);
}
}
@ -447,21 +405,23 @@ class Proxy extends \OC_FileProxy {
$userId = \OCP\User::getUser();
$util = new Util($view, $userId);
// Reformat path for use with OC_FSV
$path_split = explode('/', $path);
$path_f = implode('/', array_slice($path_split, 3));
// split the path parts
$pathParts = explode('/', $path);
// get relative path
$relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path);
// only if file is on 'files' folder fix file size and sharing
if (isset($path_split) && $path_split[2] === 'files' && $util->fixFileSize($path)) {
if (isset($pathParts[2]) && $pathParts[2] === 'files' && $util->fixFileSize($path)) {
// get sharing app state
$sharingEnabled = \OCP\Share::isEnabled();
// get users
$usersSharing = $util->getSharingUsersArray($sharingEnabled, $path_f);
$usersSharing = $util->getSharingUsersArray($sharingEnabled, $relativePath);
// update sharing-keys
$util->setSharedFileKeyfiles($session, $usersSharing, $path_f);
$util->setSharedFileKeyfiles($session, $usersSharing, $relativePath);
}
\OC_FileProxy::$enabled = $proxyStatus;

67
apps/files_encryption/lib/util.php
View File

@ -188,7 +188,9 @@ class Util {
/**
* @brief Sets up user folders and keys for serverside encryption
* @param string $passphrase passphrase to encrypt server-stored private key with
*
* @param string $passphrase to encrypt server-stored private key with
* @return bool
*/
public function setupServerSide($passphrase = null) {
@ -403,7 +405,7 @@ class Util {
) {
$filePath = $directory . '/' . $this->view->getRelativePath('/' . $file);
$relPath = $this->stripUserFilesPath($filePath);
$relPath = \OCA\Encryption\Helper::stripUserFilesPath($filePath);
// If the path is a directory, search
// its contents
@ -528,7 +530,7 @@ class Util {
/**
* @brief Check if a given path identifies an encrypted file
* @param $path
* @param string $path
* @return boolean
*/
public function isEncryptedPath($path) {
@ -541,7 +543,7 @@ class Util {
// we only need 24 byte from the last chunk
$data = '';
$handle = $this->view->fopen($path, 'r');
if (!fseek($handle, -24, SEEK_END)) {
if (is_resource($handle) && !fseek($handle, -24, SEEK_END)) {
$data = fgets($handle);
}
@ -565,11 +567,13 @@ class Util {
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// Reformat path for use with OC_FSV
$pathSplit = explode('/', $path);
$pathRelative = implode('/', array_slice($pathSplit, 3));
// split the path parts
$pathParts = explode('/', $path);
if (isset($pathSplit[2]) && $pathSplit[2] === 'files' && $this->view->file_exists($path) && $this->isEncryptedPath($path)) {
// get relative path
$relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path);
if (isset($pathParts[2]) && $pathParts[2] === 'files' && $this->view->file_exists($path) && $this->isEncryptedPath($path)) {
// get the size from filesystem
$fullPath = $this->view->getLocalFile($path);
@ -579,7 +583,7 @@ class Util {
$lastChunkNr = floor($size / 8192);
// open stream
$stream = fopen('crypt://' . $pathRelative, "r");
$stream = fopen('crypt://' . $relativePath, "r");
if (is_resource($stream)) {
// calculate last chunk position
@ -639,20 +643,6 @@ class Util {
return $result;
}
/**
* @brief Format a path to be relative to the /user/files/ directory
* @note e.g. turns '/admin/files/test.txt' into 'test.txt'
*/
public function stripUserFilesPath($path) {
$trimmed = ltrim($path, '/');
$split = explode('/', $trimmed);
$sliced = array_slice($split, 2);
$relPath = implode('/', $sliced);
return $relPath;
}
/**
* @param $path
@ -748,7 +738,7 @@ class Util {
$recrypted = Crypt::legacyKeyRecryptKeyfile( $legacyData, $legacyPassphrase, $publicKeys );
$rawPath = $legacyFile['path'];
$relPath = $this->stripUserFilesPath($rawPath);
$relPath = \OCA\Encryption\Helper::stripUserFilesPath($rawPath);
// Save keyfile
Keymanager::setFileKey($this->view, $relPath, $this->userId, $recrypted['filekey']);
@ -903,6 +893,7 @@ class Util {
* @param string $filePath
* @param string $fileOwner
* @param string $privateKey
* @return bool|string
* @note Checks whether file was encrypted with openssl_seal or
* openssl_encrypt, and decrypts accrdingly
* @note This was used when 2 types of encryption for keyfiles was used,
@ -1028,7 +1019,7 @@ class Util {
if ($sharingEnabled) {
// Find out who, if anyone, is sharing the file
$result = \OCP\Share::getUsersSharingFile($ownerPath, $owner, true, true, true);
$result = \OCP\Share::getUsersSharingFile($ownerPath, $owner, true);
$userIds = $result['users'];
if ($result['public']) {
$userIds[] = $this->publicShareKeyId;
@ -1136,6 +1127,7 @@ class Util {
/**
* @brief get uid of the owners of the file and the path to the file
* @param string $path Path of the file to check
* @throws \Exception
* @note $shareFilePath must be relative to data/UID/files. Files
* relative to /Shared are also acceptable
* @return array
@ -1199,14 +1191,14 @@ class Util {
$result = array();
$content = $this->view->getDirectoryContent($this->userFilesDir . $dir);
$content = $this->view->getDirectoryContent(\OC\Files\Filesystem::normalizePath($this->userFilesDir . '/' . $dir));
// handling for re shared folders
$path_split = explode('/', $dir);
$pathSplit = explode('/', $dir);
foreach ($content as $c) {
$sharedPart = $path_split[sizeof($path_split) - 1];
$sharedPart = $pathSplit[sizeof($pathSplit) - 1];
$targetPathSplit = array_reverse(explode('/', $c['path']));
$path = '';
@ -1459,7 +1451,7 @@ class Util {
// Find out who, if anyone, is sharing the file
if ($sharingEnabled) {
$result = \OCP\Share::getUsersSharingFile($file, $this->userId, true, true, true);
$result = \OCP\Share::getUsersSharingFile($file, $this->userId, true);
$userIds = $result['users'];
$userIds[] = $this->recoveryKeyId;
if ($result['public']) {
@ -1535,4 +1527,21 @@ class Util {
$this->recoverAllFiles('/', $privateKey);
}
/**
* Get the path including the storage mount point
* @param int $id
* @return string the path including the mount point like AmazonS3/folder/file.txt
*/
public function getPathWithMountPoint($id) {
list($storage, $internalPath) = \OC\Files\Cache\Cache::getById($id);
$mount = \OC\Files\Filesystem::getMountByStorageId($storage);
$mountPoint = $mount[0]->getMountPoint();
$path = \OC\Files\Filesystem::normalizePath($mountPoint.'/'.$internalPath);
// reformat the path to be relative e.g. /user/files/folder becomes /folder/
$relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path);
return $relativePath;
}
}

2
apps/files_encryption/tests/webdav.php
View File

@ -216,7 +216,7 @@ class Test_Encryption_Webdav extends \PHPUnit_Framework_TestCase {
*
* @param bool $body
*
* @note this init procedure is copied from /apps/files/remote.php
* @note this init procedure is copied from /apps/files/appinfo/remote.php
*/
function handleWebdavRequest($body = false) {
// Backends

17
apps/files_versions/lib/versions.php
View File

@ -113,8 +113,16 @@ class Storage {
mkdir($versionsFolderName.'/'.$info['dirname'], 0750, true);
}
// disable proxy to prevent multiple fopen calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
// store a new version of a file
$users_view->copy('files'.$filename, 'files_versions'.$filename.'.v'.$users_view->filemtime('files'.$filename));
// reset proxy state
\OC_FileProxy::$enabled = $proxyStatus;
$versionsSize = self::getVersionsSize($uid);
if ( $versionsSize === false || $versionsSize < 0 ) {
$versionsSize = self::calculateSize($uid);
@ -195,7 +203,16 @@ class Storage {
//first create a new version
$version = 'files_versions'.$filename.'.v'.$users_view->filemtime('files'.$filename);
if ( !$users_view->file_exists($version)) {
// disable proxy to prevent multiple fopen calls
$proxyStatus = \OC_FileProxy::$enabled;
\OC_FileProxy::$enabled = false;
$users_view->copy('files'.$filename, 'files_versions'.$filename.'.v'.$users_view->filemtime('files'.$filename));
// reset proxy state
\OC_FileProxy::$enabled = $proxyStatus;
$versionCreated = true;
}

78
lib/public/share.php
View File

@ -133,17 +133,22 @@ class Share {
* @note $path needs to be relative to user data dir, e.g. 'file.txt'
* not '/admin/data/file.txt'
*/
public static function getUsersSharingFile($path, $user, $includeOwner = false, $removeDuplicates = true) {
public static function getUsersSharingFile($path, $user, $includeOwner = false) {
$path_parts = explode(DIRECTORY_SEPARATOR, trim($path, DIRECTORY_SEPARATOR));
$path = '';
$shares = array();
$publicShare = false;
$source = -1;
$cache = false;
$view = new \OC\Files\View('/' . $user . '/files/');
foreach ($path_parts as $p) {
$path .= '/' . $p;
$meta = $view->getFileInfo(\OC_Filesystem::normalizePath($path));
$meta = $view->getFileInfo(\OC\Files\Filesystem::normalizePath($path));
if($meta !== false) {
$source = $meta['fileid'];
$cache = new \OC\Files\Cache\Cache($meta['storage']);
}
while ($source !== -1) {
// Fetch all shares of this file path from DB
$query = \OC_DB::prepare(
@ -156,14 +161,13 @@ class Share {
$result = $query->execute(array($source, self::SHARE_TYPE_USER));
if (\OC_DB::isError($result)) {
\OC_Log::write('OCP\Share', \OC_DB::getErrorMessage($result), \OC_Log::ERROR);
if (\OCP\DB::isError($result)) {
\OCP\Util::writeLog('OCP\Share', \OC_DB::getErrorMessage($result), \OC_Log::ERROR);
} else {
while ($row = $result->fetchRow()) {
$shares[] = $row['share_with'];
}
}
while ($row = $result->fetchRow()) {
$shares[] = $row['share_with'];
}
// We also need to take group shares into account
$query = \OC_DB::prepare(
@ -176,32 +180,42 @@ class Share {
$result = $query->execute(array($source, self::SHARE_TYPE_GROUP));
if (\OC_DB::isError($result)) {
\OC_Log::write('OCP\Share', \OC_DB::getErrorMessage($result), \OC_Log::ERROR);
}
while ($row = $result->fetchRow()) {
$usersInGroup = \OC_Group::usersInGroup($row['share_with']);
$shares = array_merge($shares, $usersInGroup);
if (\OCP\DB::isError($result)) {
\OCP\Util::writeLog('OCP\Share', \OC_DB::getErrorMessage($result), \OC_Log::ERROR);
} else {
while ($row = $result->fetchRow()) {
$usersInGroup = \OC_Group::usersInGroup($row['share_with']);
$shares = array_merge($shares, $usersInGroup);
}
}
//check for public link shares
$query = \OC_DB::prepare(
'SELECT share_with
FROM
`*PREFIX*share`
WHERE
item_source = ? AND share_type = ?'
);
if (!$publicShare) {
$query = \OC_DB::prepare(
'SELECT share_with
FROM
`*PREFIX*share`
WHERE
item_source = ? AND share_type = ?'
);
$result = $query->execute(array($source, self::SHARE_TYPE_LINK));
$result = $query->execute(array($source, self::SHARE_TYPE_LINK));
if (\OC_DB::isError($result)) {
\OC_Log::write('OCP\Share', \OC_DB::getErrorMessage($result), \OC_Log::ERROR);
if (\OCP\DB::isError($result)) {
\OCP\Util::writeLog('OCP\Share', \OC_DB::getErrorMessage($result), \OC_Log::ERROR);
} else {
if ($result->fetchRow()) {
$publicShare = true;
}
}
}
if ($result->fetchRow()) {
$publicShare = true;
// let's get the parent for the next round
$meta = $cache->get((int)$source);
if($meta !== false) {
$source = (int)$meta['parent'];
} else {
$source = -1;
}
}
// Include owner in list of users, if requested