Merge pull request #22727 from owncloud/decrypt_all_master_key

make decrypt all work with the master key

apps/encryption/lib/crypto/decryptall.php

@@ -81,35 +81,42 @@ class DecryptAll {
 	public function prepare(InputInterface $input, OutputInterface $output, $user) {
 
 		$question = new Question('Please enter the recovery key password: ');
-		$recoveryKeyId = $this->keyManager->getRecoveryKeyId();
 
-		if (!empty($user)) {
-			$output->writeln('You can only decrypt the users files if you know');
-			$output->writeln('the users password or if he activated the recovery key.');
-			$output->writeln('');
-			$questionUseLoginPassword = new ConfirmationQuestion(
-				'Do you want to use the users login password to decrypt all files? (y/n) ',
-				false
-			);
-			$useLoginPassword = $this->questionHelper->ask($input, $output, $questionUseLoginPassword);
-			if ($useLoginPassword) {
-				$question = new Question('Please enter the user\'s login password: ');
-			} else if ($this->util->isRecoveryEnabledForUser($user) === false) {
-				$output->writeln('No recovery key available for user ' . $user);
-				return false;
+		if($this->util->isMasterKeyEnabled()) {
+			$output->writeln('Use master key to decrypt all files');
+			$user = $this->keyManager->getMasterKeyId();
+			$password =$this->keyManager->getMasterKeyPassword();
+		} else {
+			$recoveryKeyId = $this->keyManager->getRecoveryKeyId();
+			if (!empty($user)) {
+				$output->writeln('You can only decrypt the users files if you know');
+				$output->writeln('the users password or if he activated the recovery key.');
+				$output->writeln('');
+				$questionUseLoginPassword = new ConfirmationQuestion(
+					'Do you want to use the users login password to decrypt all files? (y/n) ',
+					false
+				);
+				$useLoginPassword = $this->questionHelper->ask($input, $output, $questionUseLoginPassword);
+				if ($useLoginPassword) {
+					$question = new Question('Please enter the user\'s login password: ');
+				} else if ($this->util->isRecoveryEnabledForUser($user) === false) {
+					$output->writeln('No recovery key available for user ' . $user);
+					return false;
+				} else {
+					$user = $recoveryKeyId;
+				}
 			} else {
+				$output->writeln('You can only decrypt the files of all users if the');
+				$output->writeln('recovery key is enabled by the admin and activated by the users.');
+				$output->writeln('');
 				$user = $recoveryKeyId;
 			}
-		} else {
-			$output->writeln('You can only decrypt the files of all users if the');
-			$output->writeln('recovery key is enabled by the admin and activated by the users.');
-			$output->writeln('');
-			$user = $recoveryKeyId;
+
+			$question->setHidden(true);
+			$question->setHiddenFallback(false);
+			$password = $this->questionHelper->ask($input, $output, $question);
 		}
 
-		$question->setHidden(true);
-		$question->setHiddenFallback(false);
-		$password = $this->questionHelper->ask($input, $output, $question);
 		$privateKey = $this->getPrivateKey($user, $password);
 		if ($privateKey !== false) {
 			$this->updateSession($user, $privateKey);
@@ -132,9 +139,13 @@ class DecryptAll {
 	 */
 	protected function getPrivateKey($user, $password) {
 		$recoveryKeyId = $this->keyManager->getRecoveryKeyId();
+		$masterKeyId = $this->keyManager->getMasterKeyId();
 		if ($user === $recoveryKeyId) {
 			$recoveryKey = $this->keyManager->getSystemPrivateKey($recoveryKeyId);
 			$privateKey = $this->crypt->decryptPrivateKey($recoveryKey, $password);
+		} elseif ($user === $masterKeyId) {
+			$masterKey = $this->keyManager->getSystemPrivateKey($masterKeyId);
+			$privateKey = $this->crypt->decryptPrivateKey($masterKey, $password, $masterKeyId);
 		} else {
 			$userKey = $this->keyManager->getPrivateKey($user);
 			$privateKey = $this->crypt->decryptPrivateKey($userKey, $password, $user);

apps/encryption/lib/keymanager.php

@@ -658,7 +658,7 @@ class KeyManager {
 	 * @return string
 	 * @throws \Exception
 	 */
-	protected function getMasterKeyPassword() {
+	public function getMasterKeyPassword() {
 		$password = $this->config->getSystemValue('secret');
 		if (empty($password)){
 			throw new \Exception('Can not get secret from ownCloud instance');

apps/encryption/tests/lib/crypto/decryptalltest.php

@@ -87,7 +87,7 @@ class DecryptAllTest extends TestCase {
 	 * @param string $user
 	 * @param string $recoveryKeyId
 	 */
-	public function testGetPrivateKey($user, $recoveryKeyId) {
+	public function testGetPrivateKey($user, $recoveryKeyId, $masterKeyId) {
 		$password = 'passwd';
 		$recoveryKey = 'recoveryKey';
 		$userKey = 'userKey';
@@ -102,6 +102,13 @@ class DecryptAllTest extends TestCase {
 			$this->keyManager->expects($this->never())->method('getPrivateKey');
 			$this->crypt->expects($this->once())->method('decryptPrivateKey')
 				->with($recoveryKey, $password)->willReturn($unencryptedKey);
+		} elseif ($user === $masterKeyId) {
+			$this->keyManager->expects($this->once())->method('getSystemPrivateKey')
+				->with($masterKeyId)->willReturn($masterKey);
+			$this->keyManager->expects($this->never())->method('getPrivateKey');
+			$this->crypt->expects($this->once())->method('decryptPrivateKey')
+				->with($masterKey, $password, $masterKeyId)->willReturn($unencryptedKey);
+
 		} else {
 			$this->keyManager->expects($this->never())->method('getSystemPrivateKey');
 			$this->keyManager->expects($this->once())->method('getPrivateKey')
@@ -117,8 +124,9 @@ class DecryptAllTest extends TestCase {
 
 	public function dataTestGetPrivateKey() {
 		return [
-			['user1', 'recoveryKey'],
-			['recoveryKeyId', 'recoveryKeyId']
+			['user1', 'recoveryKey', 'masterKeyId'],
+			['recoveryKeyId', 'recoveryKeyId', 'masterKeyId'],
+			['masterKeyId', 'masterKeyId', 'masterKeyId']
 		];
 	}