From 9b870ff77af5461855faf867331adace8cfec556 Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Tue, 10 Jan 2023 13:48:31 +0100 Subject: [PATCH 1/6] extend fix-key-location to handle cases from broken cross-storage moves Signed-off-by: Robin Appelman --- .../encryption/lib/Command/FixKeyLocation.php | 319 ++++++++++++++++-- lib/private/Encryption/EncryptionWrapper.php | 11 +- lib/private/Encryption/Manager.php | 7 + lib/private/Encryption/Util.php | 28 ++ .../Files/Storage/Wrapper/Encryption.php | 46 +-- 5 files changed, 347 insertions(+), 64 deletions(-) diff --git a/apps/encryption/lib/Command/FixKeyLocation.php b/apps/encryption/lib/Command/FixKeyLocation.php index 5339247ae1974..3e873b3b4f163 100644 --- a/apps/encryption/lib/Command/FixKeyLocation.php +++ b/apps/encryption/lib/Command/FixKeyLocation.php @@ -23,8 +23,11 @@ namespace OCA\Encryption\Command; +use OC\Encryption\Manager; use OC\Encryption\Util; +use OC\Files\Storage\Wrapper\Encryption; use OC\Files\View; +use OCP\Encryption\IManager; use OCP\Files\Config\ICachedMountInfo; use OCP\Files\Config\IUserMountCache; use OCP\Files\Folder; @@ -46,14 +49,25 @@ class FixKeyLocation extends Command { private IRootFolder $rootFolder; private string $keyRootDirectory; private View $rootView; + private Manager $encryptionManager; - public function __construct(IUserManager $userManager, IUserMountCache $userMountCache, Util $encryptionUtil, IRootFolder $rootFolder) { + public function __construct( + IUserManager $userManager, + IUserMountCache $userMountCache, + Util $encryptionUtil, + IRootFolder $rootFolder, + IManager $encryptionManager + ) { $this->userManager = $userManager; $this->userMountCache = $userMountCache; $this->encryptionUtil = $encryptionUtil; $this->rootFolder = $rootFolder; $this->keyRootDirectory = rtrim($this->encryptionUtil->getKeyStorageRoot(), '/'); $this->rootView = new View(); + if (!$encryptionManager instanceof Manager) { + throw new \Exception("Wrong encryption manager"); + } + $this->encryptionManager = $encryptionManager; parent::__construct(); } @@ -88,20 +102,71 @@ protected function execute(InputInterface $input, OutputInterface $output): int continue; } - $files = $this->getAllFiles($mountRootFolder); + $files = $this->getAllEncryptedFiles($mountRootFolder); foreach ($files as $file) { - if ($this->isKeyStoredForUser($user, $file)) { + /** @var File $file */ + $hasSystemKey = $this->hasSystemKey($file); + $hasUserKey = $this->hasUserKey($user, $file); + if (!$hasSystemKey && $hasUserKey) { + // key was stored incorrectly as user key, migrate + if ($dryRun) { $output->writeln("" . $file->getPath() . " needs migration"); } else { $output->write("Migrating key for " . $file->getPath() . " "); - if ($this->copyKeyAndValidate($user, $file)) { + if ($this->copyUserKeyToSystemAndValidate($user, $file)) { $output->writeln(""); } else { $output->writeln("❌"); $output->writeln(" Failed to validate key for " . $file->getPath() . ", key will not be migrated"); } } + } elseif (!$hasSystemKey && !$hasUserKey) { + // no matching key, probably from a broken cross-storage move + + $shouldBeEncrypted = $file->getStorage()->instanceOfStorage(Encryption::class); + $isActuallyEncrypted = $this->isDataEncrypted($file); + if ($isActuallyEncrypted) { + if ($dryRun) { + if ($shouldBeEncrypted) { + $output->write("" . $file->getPath() . " needs migration"); + } else { + $output->write("" . $file->getPath() . " needs decryption"); + } + $foundKey = $this->findUserKeyForSystemFile($user, $file); + if ($foundKey) { + $output->writeln(", valid key found at " . $foundKey . ""); + } else { + $output->writeln(" ❌ No key found"); + } + } else { + if ($shouldBeEncrypted) { + $output->write("Migrating key for " . $file->getPath() . ""); + } else { + $output->write("Decrypting " . $file->getPath() . ""); + } + $foundKey = $this->findUserKeyForSystemFile($user, $file); + if ($foundKey) { + if ($shouldBeEncrypted) { + $systemKeyPath = $this->getSystemKeyPath($file); + $this->rootView->copy($foundKey, $systemKeyPath); + $output->writeln(" Migrated key from " . $foundKey . ""); + } else { + $this->decryptWithSystemKey($file, $foundKey); + $output->writeln(" Decrypted with key from " . $foundKey . ""); + } + } else { + $output->writeln(" ❌ No key found"); + } + } + } else { + if ($dryRun) { + $output->writeln("" . $file->getPath() . " needs to be marked as not encrypted"); + } else { + $this->markAsUnEncrypted($file); + $output->writeln("" . $file->getPath() . " marked as not encrypted"); + } + } } } } @@ -109,47 +174,68 @@ protected function execute(InputInterface $input, OutputInterface $output): int return 0; } + private function getUserRelativePath(string $path): string { + $parts = explode('/', $path, 3); + if (count($parts) >= 3) { + return '/' . $parts[2]; + } else { + return ''; + } + } + /** * @param IUser $user * @return ICachedMountInfo[] */ private function getSystemMountsForUser(IUser $user): array { - return array_filter($this->userMountCache->getMountsForUser($user), function(ICachedMountInfo $mount) use ($user) { + return array_filter($this->userMountCache->getMountsForUser($user), function (ICachedMountInfo $mount) use ( + $user + ) { $mountPoint = substr($mount->getMountPoint(), strlen($user->getUID() . '/')); return $this->encryptionUtil->isSystemWideMountPoint($mountPoint, $user->getUID()); }); } /** + * Get all files in a folder which are marked as encrypted + * * @param Folder $folder * @return \Generator */ - private function getAllFiles(Folder $folder) { + private function getAllEncryptedFiles(Folder $folder) { foreach ($folder->getDirectoryListing() as $child) { if ($child instanceof Folder) { - yield from $this->getAllFiles($child); + yield from $this->getAllEncryptedFiles($child); } else { - yield $child; + if (substr($child->getName(), -4) !== '.bak' && $child->isEncrypted()) { + yield $child; + } } } } - /** - * Check if the key for a file is stored in the user's keystore and not the system one - * - * @param IUser $user - * @param Node $node - * @return bool - */ - private function isKeyStoredForUser(IUser $user, Node $node): bool { - $path = trim(substr($node->getPath(), strlen($user->getUID()) + 1), '/'); - $systemKeyPath = $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; - $userKeyPath = $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys/' . $path . '/'; + private function getSystemKeyPath(Node $node): string { + $path = $this->getUserRelativePath($node->getPath()); + return $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; + } + + private function getUserBaseKeyPath(IUser $user): string { + return $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys'; + } + + private function getUserKeyPath(IUser $user, Node $node): string { + $path = $this->getUserRelativePath($node->getPath()); + return $this->getUserBaseKeyPath($user) . '/' . $path . '/'; + } + + private function hasSystemKey(Node $node): bool { + // this uses View instead of the RootFolder because the keys might not be in the cache + return $this->rootView->file_exists($this->getSystemKeyPath($node)); + } + private function hasUserKey(IUser $user, Node $node): bool { // this uses View instead of the RootFolder because the keys might not be in the cache - $systemKeyExists = $this->rootView->file_exists($systemKeyPath); - $userKeyExists = $this->rootView->file_exists($userKeyPath); - return $userKeyExists && !$systemKeyExists; + return $this->rootView->file_exists($this->getUserKeyPath($user, $node)); } /** @@ -159,28 +245,201 @@ private function isKeyStoredForUser(IUser $user, Node $node): bool { * @param File $node * @return bool */ - private function copyKeyAndValidate(IUser $user, File $node): bool { + private function copyUserKeyToSystemAndValidate(IUser $user, File $node): bool { $path = trim(substr($node->getPath(), strlen($user->getUID()) + 1), '/'); $systemKeyPath = $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; $userKeyPath = $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys/' . $path . '/'; $this->rootView->copy($userKeyPath, $systemKeyPath); + if ($this->tryReadFile($node)) { + // cleanup wrong key location + $this->rootView->rmdir($userKeyPath); + return true; + } else { + // remove the copied key if we know it's invalid + $this->rootView->rmdir($systemKeyPath); + return false; + } + } + + private function tryReadFile(File $node): bool { try { - // check that the copied key is valid $fh = $node->fopen('r'); // read a single chunk $data = fread($fh, 8192); if ($data === false) { - throw new \Exception("Read failed"); + return false; + } else { + return true; } + } catch (\Exception $e) { + return false; + } + } - // cleanup wrong key location - $this->rootView->rmdir($userKeyPath); - return true; + /** + * Get the contents of a file without decrypting it + * + * @param File $node + * @return resource + */ + private function openWithoutDecryption(File $node, string $mode) { + $storage = $node->getStorage(); + $internalPath = $node->getInternalPath(); + if ($storage->instanceOfStorage(Encryption::class)) { + /** @var Encryption $storage */ + try { + $storage->setEnabled(false); + $handle = $storage->fopen($internalPath, 'r'); + $storage->setEnabled(true); + } catch (\Exception $e) { + $storage->setEnabled(true); + throw $e; + } + } else { + $handle = $storage->fopen($internalPath, $mode); + } + /** @var resource|false $handle */ + if ($handle === false) { + throw new \Exception("Failed to open " . $node->getPath()); + } + return $handle; + } + + /** + * Check if the data stored for a file is encrypted, regardless of it's metadata + * + * @param File $node + * @return bool + */ + private function isDataEncrypted(File $node): bool { + $handle = $this->openWithoutDecryption($node, 'r'); + $firstBlock = fread($handle, $this->encryptionUtil->getHeaderSize()); + fclose($handle); + + $header = $this->encryptionUtil->parseRawHeader($firstBlock); + return isset($header['oc_encryption_module']); + } + + /** + * Attempt to find a key (stored for user) for a file (that needs a system key) even when it's not stored in the expected location + * + * @param File $node + * @return string + */ + private function findUserKeyForSystemFile(IUser $user, File $node): ?string { + $userKeyPath = $this->getUserBaseKeyPath($user); + $possibleKeys = $this->findKeysByFileName($userKeyPath, $node->getName()); + foreach ($possibleKeys as $possibleKey) { + if ($this->testSystemKey($user, $possibleKey, $node)) { + return $possibleKey; + } + } + return null; + } + + /** + * Attempt to find a key for a file even when it's not stored in the expected location + * + * @param string $basePath + * @param string $name + * @return \Generator + */ + private function findKeysByFileName(string $basePath, string $name) { + if ($this->rootView->is_dir($basePath . '/' . $name . '/OC_DEFAULT_MODULE')) { + yield $basePath . '/' . $name; + } else { + /** @var false|resource $dh */ + $dh = $this->rootView->opendir($basePath); + if (!$dh) { + throw new \Exception("Invalid base path " . $basePath); + } + while ($child = readdir($dh)) { + if ($child != '..' && $child != '.') { + $childPath = $basePath . '/' . $child; + + // recurse if the child is not a key folder + if ($this->rootView->is_dir($childPath) && !is_dir($childPath . '/OC_DEFAULT_MODULE')) { + yield from $this->findKeysByFileName($childPath, $name); + } + } + } + } + } + + /** + * Test if the provided key is valid as a system key for the file + * + * @param IUser $user + * @param string $key + * @param File $node + * @return bool + */ + private function testSystemKey(IUser $user, string $key, File $node): bool { + $systemKeyPath = $this->getSystemKeyPath($node); + + if ($this->rootView->file_exists($systemKeyPath)) { + // already has a key, reject new key + return false; + } + + $this->rootView->copy($key, $systemKeyPath); + $isValid = $this->tryReadFile($node); + $this->rootView->rmdir($systemKeyPath); + return $isValid; + } + + /** + * Decrypt a file with the specified system key and mark the key as not-encrypted + * + * @param File $node + * @param string $key + * @return void + */ + private function decryptWithSystemKey(File $node, string $key): void { + $storage = $node->getStorage(); + $name = $node->getName(); + + $node->move($node->getPath() . '.bak'); + $systemKeyPath = $this->getSystemKeyPath($node); + $this->rootView->copy($key, $systemKeyPath); + + try { + if (!$storage->instanceOfStorage(Encryption::class)) { + $storage = $this->encryptionManager->forceWrapStorage($node->getMountPoint(), $storage); + } + /** @var false|resource $source */ + $source = $storage->fopen($node->getInternalPath(), 'r'); + if (!$source) { + throw new \Exception("Failed to open " . $node->getPath() . " with " . $key); + } + $decryptedNode = $node->getParent()->newFile($name); + + $target = $this->openWithoutDecryption($decryptedNode, 'w'); + stream_copy_to_stream($source, $target); + fclose($target); + fclose($source); + + $decryptedNode->getStorage()->getScanner()->scan($decryptedNode->getInternalPath()); } catch (\Exception $e) { - // remove the copied key if we know it's invalid $this->rootView->rmdir($systemKeyPath); - return false; + + // remove the .bak + $node->move(substr($node->getPath(), 0, -4)); + + throw $e; + } + + if ($this->isDataEncrypted($decryptedNode)) { + throw new \Exception($node->getPath() . " still encrypted after attempting to decrypt with " . $key); } + + $this->markAsUnEncrypted($decryptedNode); + + $this->rootView->rmdir($systemKeyPath); + } + + private function markAsUnEncrypted(Node $node): void { + $node->getStorage()->getCache()->update($node->getId(), ['encrypted' => 0]); } } diff --git a/lib/private/Encryption/EncryptionWrapper.php b/lib/private/Encryption/EncryptionWrapper.php index 37264e8182355..fd9745bbbdfc3 100644 --- a/lib/private/Encryption/EncryptionWrapper.php +++ b/lib/private/Encryption/EncryptionWrapper.php @@ -29,7 +29,8 @@ use OC\Files\View; use OC\Memcache\ArrayCache; use OCP\Files\Mount\IMountPoint; -use OCP\Files\Storage; +use OCP\Files\Storage\IDisableEncryptionStorage; +use OCP\Files\Storage\IStorage; use Psr\Log\LoggerInterface; /** @@ -64,18 +65,18 @@ public function __construct(ArrayCache $arrayCache, * Wraps the given storage when it is not a shared storage * * @param string $mountPoint - * @param Storage $storage + * @param IStorage $storage * @param IMountPoint $mount - * @return Encryption|Storage + * @return Encryption|IStorage */ - public function wrapStorage($mountPoint, Storage $storage, IMountPoint $mount) { + public function wrapStorage(string $mountPoint, IStorage $storage, IMountPoint $mount, bool $force = false) { $parameters = [ 'storage' => $storage, 'mountPoint' => $mountPoint, 'mount' => $mount ]; - if (!$storage->instanceOfStorage(Storage\IDisableEncryptionStorage::class) && $mountPoint !== '/') { + if ($force || (!$storage->instanceOfStorage(IDisableEncryptionStorage::class) && $mountPoint !== '/')) { $user = \OC::$server->getUserSession()->getUser(); $mountManager = Filesystem::getMountManager(); $uid = $user ? $user->getUID() : null; diff --git a/lib/private/Encryption/Manager.php b/lib/private/Encryption/Manager.php index a553d6a55d18a..dfd032b2a6a89 100644 --- a/lib/private/Encryption/Manager.php +++ b/lib/private/Encryption/Manager.php @@ -32,6 +32,8 @@ use OC\ServiceUnavailableException; use OCP\Encryption\IEncryptionModule; use OCP\Encryption\IManager; +use OCP\Files\Mount\IMountPoint; +use OCP\Files\Storage\IStorage; use OCP\IConfig; use OCP\IL10N; use Psr\Log\LoggerInterface; @@ -234,6 +236,11 @@ public function setupStorage() { } } + public function forceWrapStorage(IMountPoint $mountPoint, IStorage $storage) { + $encryptionWrapper = new EncryptionWrapper($this->arrayCache, $this, $this->logger); + return $encryptionWrapper->wrapStorage($mountPoint->getMountPoint(), $storage, $mountPoint, true); + } + /** * check if key storage is ready diff --git a/lib/private/Encryption/Util.php b/lib/private/Encryption/Util.php index 371f2588289cf..eef30290d32f5 100644 --- a/lib/private/Encryption/Util.php +++ b/lib/private/Encryption/Util.php @@ -360,4 +360,32 @@ public function setKeyStorageRoot(string $root): void { public function getKeyStorageRoot(): string { return $this->config->getAppValue('core', 'encryption_key_storage_root', ''); } + + /** + * parse raw header to array + * + * @param string $rawHeader + * @return array + */ + public function parseRawHeader(string $rawHeader) { + $result = []; + if (substr($rawHeader, 0, strlen(Util::HEADER_START)) === Util::HEADER_START) { + $header = $rawHeader; + $endAt = strpos($header, Util::HEADER_END); + if ($endAt !== false) { + $header = substr($header, 0, $endAt + strlen(Util::HEADER_END)); + + // +1 to not start with an ':' which would result in empty element at the beginning + $exploded = explode(':', substr($header, strlen(Util::HEADER_START) + 1)); + + $element = array_shift($exploded); + while ($element !== Util::HEADER_END && $element !== null) { + $result[$element] = array_shift($exploded); + $element = array_shift($exploded); + } + } + } + + return $result; + } } diff --git a/lib/private/Files/Storage/Wrapper/Encryption.php b/lib/private/Files/Storage/Wrapper/Encryption.php index 4d860e623e0c5..e17b4080e76e7 100644 --- a/lib/private/Files/Storage/Wrapper/Encryption.php +++ b/lib/private/Files/Storage/Wrapper/Encryption.php @@ -99,6 +99,8 @@ class Encryption extends Wrapper { /** @var CappedMemoryCache */ private CappedMemoryCache $encryptedPaths; + private $enabled = true; + /** * @param array $parameters */ @@ -380,6 +382,10 @@ public function fopen($path, $mode) { return $this->storage->fopen($path, $mode); } + if (!$this->enabled) { + return $this->storage->fopen($path, $mode); + } + $encryptionEnabled = $this->encryptionManager->isEnabled(); $shouldEncrypt = false; $encryptionModule = null; @@ -924,34 +930,6 @@ protected function getHeaderSize($path) { return $headerSize; } - /** - * parse raw header to array - * - * @param string $rawHeader - * @return array - */ - protected function parseRawHeader($rawHeader) { - $result = []; - if (substr($rawHeader, 0, strlen(Util::HEADER_START)) === Util::HEADER_START) { - $header = $rawHeader; - $endAt = strpos($header, Util::HEADER_END); - if ($endAt !== false) { - $header = substr($header, 0, $endAt + strlen(Util::HEADER_END)); - - // +1 to not start with an ':' which would result in empty element at the beginning - $exploded = explode(':', substr($header, strlen(Util::HEADER_START) + 1)); - - $element = array_shift($exploded); - while ($element !== Util::HEADER_END) { - $result[$element] = array_shift($exploded); - $element = array_shift($exploded); - } - } - } - - return $result; - } - /** * read header from file * @@ -975,7 +953,7 @@ protected function getHeader($path) { if ($isEncrypted) { $firstBlock = $this->readFirstBlock($path); - $result = $this->parseRawHeader($firstBlock); + $result = $this->util->parseRawHeader($firstBlock); // if the header doesn't contain a encryption module we check if it is a // legacy file. If true, we add the default encryption module @@ -1090,4 +1068,14 @@ public function writeStream(string $path, $stream, int $size = null): int { public function clearIsEncryptedCache(): void { $this->encryptedPaths->clear(); } + + /** + * Allow temporarily disabling the wrapper + * + * @param bool $enabled + * @return void + */ + public function setEnabled(bool $enabled): void { + $this->enabled = $enabled; + } } From 404099b1806801e1c1ad73924eb53102c5c9e03b Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Fri, 27 Jan 2023 19:23:54 +0100 Subject: [PATCH 2/6] [wip] add repair to locate missing key Signed-off-by: Robin Appelman --- apps/encryption/appinfo/info.xml | 1 + apps/encryption/composer/autoload.php | 17 +- .../composer/composer/ClassLoader.php | 37 +-- .../composer/composer/autoload_classmap.php | 2 + .../composer/composer/autoload_static.php | 2 + .../encryption/lib/Command/FixKeyLocation.php | 247 ++------------- apps/encryption/lib/Command/LocateKey.php | 159 ++++++++++ apps/encryption/lib/Repair.php | 289 ++++++++++++++++++ 8 files changed, 495 insertions(+), 259 deletions(-) create mode 100644 apps/encryption/lib/Command/LocateKey.php create mode 100644 apps/encryption/lib/Repair.php diff --git a/apps/encryption/appinfo/info.xml b/apps/encryption/appinfo/info.xml index e77261c471207..ea51ecb37bf45 100644 --- a/apps/encryption/appinfo/info.xml +++ b/apps/encryption/appinfo/info.xml @@ -42,6 +42,7 @@ Please read the documentation to know all implications before you decide to enab OCA\Encryption\Command\ScanLegacyFormat OCA\Encryption\Command\FixEncryptedVersion OCA\Encryption\Command\FixKeyLocation + OCA\Encryption\Command\LocateKey diff --git a/apps/encryption/composer/autoload.php b/apps/encryption/composer/autoload.php index 527ccaeaf1543..593ddde0eb01d 100644 --- a/apps/encryption/composer/autoload.php +++ b/apps/encryption/composer/autoload.php @@ -3,21 +3,8 @@ // autoload.php @generated by Composer if (PHP_VERSION_ID < 50600) { - if (!headers_sent()) { - header('HTTP/1.1 500 Internal Server Error'); - } - $err = 'Composer 2.3.0 dropped support for autoloading on PHP <5.6 and you are running '.PHP_VERSION.', please upgrade PHP or use Composer 2.2 LTS via "composer self-update --2.2". Aborting.'.PHP_EOL; - if (!ini_get('display_errors')) { - if (PHP_SAPI === 'cli' || PHP_SAPI === 'phpdbg') { - fwrite(STDERR, $err); - } elseif (!headers_sent()) { - echo $err; - } - } - trigger_error( - $err, - E_USER_ERROR - ); + echo 'Composer 2.3.0 dropped support for autoloading on PHP <5.6 and you are running '.PHP_VERSION.', please upgrade PHP or use Composer 2.2 LTS via "composer self-update --2.2". Aborting.'.PHP_EOL; + exit(1); } require_once __DIR__ . '/composer/autoload_real.php'; diff --git a/apps/encryption/composer/composer/ClassLoader.php b/apps/encryption/composer/composer/ClassLoader.php index fd56bd7d8405f..afef3fa2ad83f 100644 --- a/apps/encryption/composer/composer/ClassLoader.php +++ b/apps/encryption/composer/composer/ClassLoader.php @@ -42,9 +42,6 @@ */ class ClassLoader { - /** @var \Closure(string):void */ - private static $includeFile; - /** @var ?string */ private $vendorDir; @@ -109,7 +106,6 @@ class ClassLoader public function __construct($vendorDir = null) { $this->vendorDir = $vendorDir; - self::initializeIncludeClosure(); } /** @@ -429,7 +425,7 @@ public function unregister() public function loadClass($class) { if ($file = $this->findFile($class)) { - (self::$includeFile)($file); + includeFile($file); return true; } @@ -559,23 +555,18 @@ private function findFileWithExtension($class, $ext) return false; } +} - private static function initializeIncludeClosure(): void - { - if (self::$includeFile !== null) { - return; - } - - /** - * Scope isolated include. - * - * Prevents access to $this/self from included files. - * - * @param string $file - * @return void - */ - self::$includeFile = static function($file) { - include $file; - }; - } +/** + * Scope isolated include. + * + * Prevents access to $this/self from included files. + * + * @param string $file + * @return void + * @private + */ +function includeFile($file) +{ + include $file; } diff --git a/apps/encryption/composer/composer/autoload_classmap.php b/apps/encryption/composer/composer/autoload_classmap.php index 9f9ab4e406f3d..47f9f9e63ecc9 100644 --- a/apps/encryption/composer/composer/autoload_classmap.php +++ b/apps/encryption/composer/composer/autoload_classmap.php @@ -12,6 +12,7 @@ 'OCA\\Encryption\\Command\\EnableMasterKey' => $baseDir . '/../lib/Command/EnableMasterKey.php', 'OCA\\Encryption\\Command\\FixEncryptedVersion' => $baseDir . '/../lib/Command/FixEncryptedVersion.php', 'OCA\\Encryption\\Command\\FixKeyLocation' => $baseDir . '/../lib/Command/FixKeyLocation.php', + 'OCA\\Encryption\\Command\\LocateKey' => $baseDir . '/../lib/Command/LocateKey.php', 'OCA\\Encryption\\Command\\RecoverUser' => $baseDir . '/../lib/Command/RecoverUser.php', 'OCA\\Encryption\\Command\\ScanLegacyFormat' => $baseDir . '/../lib/Command/ScanLegacyFormat.php', 'OCA\\Encryption\\Controller\\RecoveryController' => $baseDir . '/../lib/Controller/RecoveryController.php', @@ -31,6 +32,7 @@ 'OCA\\Encryption\\KeyManager' => $baseDir . '/../lib/KeyManager.php', 'OCA\\Encryption\\Migration\\SetMasterKeyStatus' => $baseDir . '/../lib/Migration/SetMasterKeyStatus.php', 'OCA\\Encryption\\Recovery' => $baseDir . '/../lib/Recovery.php', + 'OCA\\Encryption\\Repair' => $baseDir . '/../lib/Repair.php', 'OCA\\Encryption\\Session' => $baseDir . '/../lib/Session.php', 'OCA\\Encryption\\Settings\\Admin' => $baseDir . '/../lib/Settings/Admin.php', 'OCA\\Encryption\\Settings\\Personal' => $baseDir . '/../lib/Settings/Personal.php', diff --git a/apps/encryption/composer/composer/autoload_static.php b/apps/encryption/composer/composer/autoload_static.php index 8f50f0649970f..dd3a66e8b05f0 100644 --- a/apps/encryption/composer/composer/autoload_static.php +++ b/apps/encryption/composer/composer/autoload_static.php @@ -27,6 +27,7 @@ class ComposerStaticInitEncryption 'OCA\\Encryption\\Command\\EnableMasterKey' => __DIR__ . '/..' . '/../lib/Command/EnableMasterKey.php', 'OCA\\Encryption\\Command\\FixEncryptedVersion' => __DIR__ . '/..' . '/../lib/Command/FixEncryptedVersion.php', 'OCA\\Encryption\\Command\\FixKeyLocation' => __DIR__ . '/..' . '/../lib/Command/FixKeyLocation.php', + 'OCA\\Encryption\\Command\\LocateKey' => __DIR__ . '/..' . '/../lib/Command/LocateKey.php', 'OCA\\Encryption\\Command\\RecoverUser' => __DIR__ . '/..' . '/../lib/Command/RecoverUser.php', 'OCA\\Encryption\\Command\\ScanLegacyFormat' => __DIR__ . '/..' . '/../lib/Command/ScanLegacyFormat.php', 'OCA\\Encryption\\Controller\\RecoveryController' => __DIR__ . '/..' . '/../lib/Controller/RecoveryController.php', @@ -46,6 +47,7 @@ class ComposerStaticInitEncryption 'OCA\\Encryption\\KeyManager' => __DIR__ . '/..' . '/../lib/KeyManager.php', 'OCA\\Encryption\\Migration\\SetMasterKeyStatus' => __DIR__ . '/..' . '/../lib/Migration/SetMasterKeyStatus.php', 'OCA\\Encryption\\Recovery' => __DIR__ . '/..' . '/../lib/Recovery.php', + 'OCA\\Encryption\\Repair' => __DIR__ . '/..' . '/../lib/Repair.php', 'OCA\\Encryption\\Session' => __DIR__ . '/..' . '/../lib/Session.php', 'OCA\\Encryption\\Settings\\Admin' => __DIR__ . '/..' . '/../lib/Settings/Admin.php', 'OCA\\Encryption\\Settings\\Personal' => __DIR__ . '/..' . '/../lib/Settings/Personal.php', diff --git a/apps/encryption/lib/Command/FixKeyLocation.php b/apps/encryption/lib/Command/FixKeyLocation.php index 3e873b3b4f163..d1bf36c1e4cb4 100644 --- a/apps/encryption/lib/Command/FixKeyLocation.php +++ b/apps/encryption/lib/Command/FixKeyLocation.php @@ -23,17 +23,15 @@ namespace OCA\Encryption\Command; -use OC\Encryption\Manager; use OC\Encryption\Util; use OC\Files\Storage\Wrapper\Encryption; use OC\Files\View; -use OCP\Encryption\IManager; +use OCA\Encryption\Repair; use OCP\Files\Config\ICachedMountInfo; use OCP\Files\Config\IUserMountCache; use OCP\Files\Folder; use OCP\Files\File; use OCP\Files\IRootFolder; -use OCP\Files\Node; use OCP\IUser; use OCP\IUserManager; use Symfony\Component\Console\Command\Command; @@ -45,29 +43,21 @@ class FixKeyLocation extends Command { private IUserManager $userManager; private IUserMountCache $userMountCache; - private Util $encryptionUtil; private IRootFolder $rootFolder; - private string $keyRootDirectory; private View $rootView; - private Manager $encryptionManager; + private Repair $repair; public function __construct( IUserManager $userManager, IUserMountCache $userMountCache, - Util $encryptionUtil, IRootFolder $rootFolder, - IManager $encryptionManager + Repair $repair ) { $this->userManager = $userManager; $this->userMountCache = $userMountCache; - $this->encryptionUtil = $encryptionUtil; $this->rootFolder = $rootFolder; - $this->keyRootDirectory = rtrim($this->encryptionUtil->getKeyStorageRoot(), '/'); $this->rootView = new View(); - if (!$encryptionManager instanceof Manager) { - throw new \Exception("Wrong encryption manager"); - } - $this->encryptionManager = $encryptionManager; + $this->repair = $repair; parent::__construct(); } @@ -105,8 +95,8 @@ protected function execute(InputInterface $input, OutputInterface $output): int $files = $this->getAllEncryptedFiles($mountRootFolder); foreach ($files as $file) { /** @var File $file */ - $hasSystemKey = $this->hasSystemKey($file); - $hasUserKey = $this->hasUserKey($user, $file); + $hasSystemKey = $this->repair->hasSystemKey($file); + $hasUserKey = $this->repair->hasUserKey($user, $file); if (!$hasSystemKey && $hasUserKey) { // key was stored incorrectly as user key, migrate @@ -125,7 +115,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int // no matching key, probably from a broken cross-storage move $shouldBeEncrypted = $file->getStorage()->instanceOfStorage(Encryption::class); - $isActuallyEncrypted = $this->isDataEncrypted($file); + $isActuallyEncrypted = $this->repair->isDataEncrypted($file); if ($isActuallyEncrypted) { if ($dryRun) { if ($shouldBeEncrypted) { @@ -133,7 +123,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int } else { $output->write("" . $file->getPath() . " needs decryption"); } - $foundKey = $this->findUserKeyForSystemFile($user, $file); + $foundKey = $this->findUserKeyForSystemFileByName($user, $file); if ($foundKey) { $output->writeln(", valid key found at " . $foundKey . ""); } else { @@ -145,14 +135,14 @@ protected function execute(InputInterface $input, OutputInterface $output): int } else { $output->write("Decrypting " . $file->getPath() . ""); } - $foundKey = $this->findUserKeyForSystemFile($user, $file); + $foundKey = $this->findUserKeyForSystemFileByName($user, $file); if ($foundKey) { if ($shouldBeEncrypted) { - $systemKeyPath = $this->getSystemKeyPath($file); + $systemKeyPath = $this->repair->getSystemKeyPath($file); $this->rootView->copy($foundKey, $systemKeyPath); $output->writeln(" Migrated key from " . $foundKey . ""); } else { - $this->decryptWithSystemKey($file, $foundKey); + $this->repair->decryptWithSystemKey($file, $foundKey); $output->writeln(" Decrypted with key from " . $foundKey . ""); } } else { @@ -163,7 +153,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int if ($dryRun) { $output->writeln("" . $file->getPath() . " needs to be marked as not encrypted"); } else { - $this->markAsUnEncrypted($file); + $this->repair->markAsUnEncrypted($file); $output->writeln("" . $file->getPath() . " marked as not encrypted"); } } @@ -174,25 +164,13 @@ protected function execute(InputInterface $input, OutputInterface $output): int return 0; } - private function getUserRelativePath(string $path): string { - $parts = explode('/', $path, 3); - if (count($parts) >= 3) { - return '/' . $parts[2]; - } else { - return ''; - } - } - /** * @param IUser $user * @return ICachedMountInfo[] */ private function getSystemMountsForUser(IUser $user): array { - return array_filter($this->userMountCache->getMountsForUser($user), function (ICachedMountInfo $mount) use ( - $user - ) { - $mountPoint = substr($mount->getMountPoint(), strlen($user->getUID() . '/')); - return $this->encryptionUtil->isSystemWideMountPoint($mountPoint, $user->getUID()); + return array_filter($this->userMountCache->getMountsForUser($user), function (ICachedMountInfo $mount){ + return $this->repair->needsSystemKey($mount->getMountPoint()); }); } @@ -214,30 +192,6 @@ private function getAllEncryptedFiles(Folder $folder) { } } - private function getSystemKeyPath(Node $node): string { - $path = $this->getUserRelativePath($node->getPath()); - return $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; - } - - private function getUserBaseKeyPath(IUser $user): string { - return $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys'; - } - - private function getUserKeyPath(IUser $user, Node $node): string { - $path = $this->getUserRelativePath($node->getPath()); - return $this->getUserBaseKeyPath($user) . '/' . $path . '/'; - } - - private function hasSystemKey(Node $node): bool { - // this uses View instead of the RootFolder because the keys might not be in the cache - return $this->rootView->file_exists($this->getSystemKeyPath($node)); - } - - private function hasUserKey(IUser $user, Node $node): bool { - // this uses View instead of the RootFolder because the keys might not be in the cache - return $this->rootView->file_exists($this->getUserKeyPath($user, $node)); - } - /** * Check that the user key stored for a file can decrypt the file * @@ -247,11 +201,11 @@ private function hasUserKey(IUser $user, Node $node): bool { */ private function copyUserKeyToSystemAndValidate(IUser $user, File $node): bool { $path = trim(substr($node->getPath(), strlen($user->getUID()) + 1), '/'); - $systemKeyPath = $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; - $userKeyPath = $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys/' . $path . '/'; + $systemKeyPath = $this->repair->getSystemKeyRoot() . '/' . $path . '/'; + $userKeyPath = $this->repair->getUserKeyRoot($user) . '/' . $path . '/'; $this->rootView->copy($userKeyPath, $systemKeyPath); - if ($this->tryReadFile($node)) { + if ($this->repair->tryReadFile($node)) { // cleanup wrong key location $this->rootView->rmdir($userKeyPath); return true; @@ -262,76 +216,17 @@ private function copyUserKeyToSystemAndValidate(IUser $user, File $node): bool { } } - private function tryReadFile(File $node): bool { - try { - $fh = $node->fopen('r'); - // read a single chunk - $data = fread($fh, 8192); - if ($data === false) { - return false; - } else { - return true; - } - } catch (\Exception $e) { - return false; - } - } - - /** - * Get the contents of a file without decrypting it - * - * @param File $node - * @return resource - */ - private function openWithoutDecryption(File $node, string $mode) { - $storage = $node->getStorage(); - $internalPath = $node->getInternalPath(); - if ($storage->instanceOfStorage(Encryption::class)) { - /** @var Encryption $storage */ - try { - $storage->setEnabled(false); - $handle = $storage->fopen($internalPath, 'r'); - $storage->setEnabled(true); - } catch (\Exception $e) { - $storage->setEnabled(true); - throw $e; - } - } else { - $handle = $storage->fopen($internalPath, $mode); - } - /** @var resource|false $handle */ - if ($handle === false) { - throw new \Exception("Failed to open " . $node->getPath()); - } - return $handle; - } - - /** - * Check if the data stored for a file is encrypted, regardless of it's metadata - * - * @param File $node - * @return bool - */ - private function isDataEncrypted(File $node): bool { - $handle = $this->openWithoutDecryption($node, 'r'); - $firstBlock = fread($handle, $this->encryptionUtil->getHeaderSize()); - fclose($handle); - - $header = $this->encryptionUtil->parseRawHeader($firstBlock); - return isset($header['oc_encryption_module']); - } - /** * Attempt to find a key (stored for user) for a file (that needs a system key) even when it's not stored in the expected location * * @param File $node * @return string */ - private function findUserKeyForSystemFile(IUser $user, File $node): ?string { - $userKeyPath = $this->getUserBaseKeyPath($user); + public function findUserKeyForSystemFileByName(IUser $user, File $node): ?string { + $userKeyPath = $this->repair->getUserKeyRoot($user); $possibleKeys = $this->findKeysByFileName($userKeyPath, $node->getName()); foreach ($possibleKeys as $possibleKey) { - if ($this->testSystemKey($user, $possibleKey, $node)) { + if ($this->repair->testSystemKey($possibleKey, $node)) { return $possibleKey; } } @@ -345,101 +240,11 @@ private function findUserKeyForSystemFile(IUser $user, File $node): ?string { * @param string $name * @return \Generator */ - private function findKeysByFileName(string $basePath, string $name) { - if ($this->rootView->is_dir($basePath . '/' . $name . '/OC_DEFAULT_MODULE')) { - yield $basePath . '/' . $name; - } else { - /** @var false|resource $dh */ - $dh = $this->rootView->opendir($basePath); - if (!$dh) { - throw new \Exception("Invalid base path " . $basePath); - } - while ($child = readdir($dh)) { - if ($child != '..' && $child != '.') { - $childPath = $basePath . '/' . $child; - - // recurse if the child is not a key folder - if ($this->rootView->is_dir($childPath) && !is_dir($childPath . '/OC_DEFAULT_MODULE')) { - yield from $this->findKeysByFileName($childPath, $name); - } - } - } - } - } - - /** - * Test if the provided key is valid as a system key for the file - * - * @param IUser $user - * @param string $key - * @param File $node - * @return bool - */ - private function testSystemKey(IUser $user, string $key, File $node): bool { - $systemKeyPath = $this->getSystemKeyPath($node); - - if ($this->rootView->file_exists($systemKeyPath)) { - // already has a key, reject new key - return false; - } - - $this->rootView->copy($key, $systemKeyPath); - $isValid = $this->tryReadFile($node); - $this->rootView->rmdir($systemKeyPath); - return $isValid; - } - - /** - * Decrypt a file with the specified system key and mark the key as not-encrypted - * - * @param File $node - * @param string $key - * @return void - */ - private function decryptWithSystemKey(File $node, string $key): void { - $storage = $node->getStorage(); - $name = $node->getName(); - - $node->move($node->getPath() . '.bak'); - $systemKeyPath = $this->getSystemKeyPath($node); - $this->rootView->copy($key, $systemKeyPath); - - try { - if (!$storage->instanceOfStorage(Encryption::class)) { - $storage = $this->encryptionManager->forceWrapStorage($node->getMountPoint(), $storage); - } - /** @var false|resource $source */ - $source = $storage->fopen($node->getInternalPath(), 'r'); - if (!$source) { - throw new \Exception("Failed to open " . $node->getPath() . " with " . $key); - } - $decryptedNode = $node->getParent()->newFile($name); - - $target = $this->openWithoutDecryption($decryptedNode, 'w'); - stream_copy_to_stream($source, $target); - fclose($target); - fclose($source); - - $decryptedNode->getStorage()->getScanner()->scan($decryptedNode->getInternalPath()); - } catch (\Exception $e) { - $this->rootView->rmdir($systemKeyPath); - - // remove the .bak - $node->move(substr($node->getPath(), 0, -4)); - - throw $e; - } - - if ($this->isDataEncrypted($decryptedNode)) { - throw new \Exception($node->getPath() . " still encrypted after attempting to decrypt with " . $key); - } - - $this->markAsUnEncrypted($decryptedNode); - - $this->rootView->rmdir($systemKeyPath); - } - - private function markAsUnEncrypted(Node $node): void { - $node->getStorage()->getCache()->update($node->getId(), ['encrypted' => 0]); + public function findKeysByFileName(string $basePath, string $name) { + $allKeys = $this->repair->findAllKeysInDirectory($basePath); + return new \CallbackFilterIterator($allKeys, function($path) use ($name) { + $parts = explode('/', $path); + return array_pop($parts) === $name; + }); } } diff --git a/apps/encryption/lib/Command/LocateKey.php b/apps/encryption/lib/Command/LocateKey.php new file mode 100644 index 0000000000000..3c13ad5ed9e2d --- /dev/null +++ b/apps/encryption/lib/Command/LocateKey.php @@ -0,0 +1,159 @@ + + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ + +namespace OCA\Encryption\Command; + +use OC\Encryption\Util; +use OC\Files\View; +use OCA\Encryption\Repair; +use OCA\Files_Sharing\ISharedStorage; +use OCP\Files\Config\IUserMountCache; +use OCP\Files\IRootFolder; +use OCP\Files\File; +use OCP\Files\NotFoundException; +use OCP\IUser; +use OCP\IUserManager; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; +use Symfony\Component\Console\Output\OutputInterface; + +class LocateKey extends Command { + private IUserManager $userManager; + private IRootFolder $rootFolder; + private Repair $repair; + private View $rootView; + + public function __construct( + IUserManager $userManager, + IRootFolder $rootFolder, + Repair $repair + ) { + $this->userManager = $userManager; + $this->rootFolder = $rootFolder; + $this->repair = $repair; + $this->rootView = new View(); + + parent::__construct(); + } + + protected function configure(): void { + parent::configure(); + + $this + ->setName('encryption:locate-key') + ->setDescription('Attempt to find the matching key for a file when the key is lost') + ->addOption('dry-run', null, InputOption::VALUE_NONE, "Don't repair the key once found") + ->addOption('from-all-users', null, InputOption::VALUE_NONE, "Look for keys from every user") + ->addArgument('path', InputArgument::REQUIRED, "Absolute path of the file to locate the key for"); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $dryRun = $input->getOption('dry-run'); + $path = $input->getArgument('path'); + [, $userId, ] = explode('/', $path); + $user = $this->userManager->get($userId); + if (!$user) { + $output->writeln("User $userId not found"); + return 1; + } + try { + $node = $this->rootFolder->get($path); + } catch (NotFoundException $e) { + $output->writeln("$path not found"); + return 1; + } + + if (!$node instanceof File) { + $output->writeln("$path is a directory, this command can only be ran on files"); + return 1; + } + + if ($node->getStorage()->instanceOfStorage(ISharedStorage::class)) { + $output->writeln("$path is a shared file, please run the command for the owner of the file"); + return 1; + } + + if (!$this->repair->isDataEncrypted($node)) { + $output->writeln("$path isn't encrypted"); + return 1; + } + + if ($node->isEncrypted()) { + // if the file is not marked as encrypted (but the data is actually encrypted as verified above) + // the `tryRead` check will always pass + if ($this->repair->tryReadFile($node)) { + $output->writeln("$path apprears to already have a valid key in the correct location"); + return 1; + } + } else { + $output->writeln("$path isn't marked as encrypted but it's data appears to be encrypted"); + $output->writeln("Repairing this is currently not supported"); + return 1; + } + + $allKeys = new \AppendIterator(); + $allKeys->append($this->repair->findAllKeysInDirectory($this->repair->getUserKeyRoot($user))); + $allKeys->append($this->repair->findAllKeysInDirectory($this->repair->getSystemKeyRoot())); + // todo: keys from other users + + $workingKey = $this->testKeys($user, $node, $allKeys); + + if ($workingKey) { + if ($dryRun) { + $output->writeln("Found working key at $workingKey"); + } else { + $this->rootView->copy($workingKey, $this->repair->getKeyPath($user, $node)); + $output->writeln("Copied working key at $workingKey"); + } + return 0; + } else { + $output->writeln("No working key found for $path"); + return 1; + } + } + + /** + * Test all keys until we find one that works for a file + * + * @param File $node + * @param iterable $keys + * @return string|null + */ + private function testKeys(IUser $user, File $node, iterable $keys): ?string { + $needsSystemKey = $this->repair->needsSystemKey($node->getPath()); + foreach ($keys as $possibleKey) { + if ($needsSystemKey) { + if ($this->repair->testSystemKey($possibleKey, $node)) { + return $possibleKey; + } + } else { + if ($this->repair->testUserKey($user, $possibleKey, $node)) { + return $possibleKey; + } + } + } + return null; + } +} diff --git a/apps/encryption/lib/Repair.php b/apps/encryption/lib/Repair.php new file mode 100644 index 0000000000000..bb89cc07e5cae --- /dev/null +++ b/apps/encryption/lib/Repair.php @@ -0,0 +1,289 @@ + + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ + +namespace OCA\Encryption; + +use OC\Encryption\Manager; +use OC\Encryption\Util; +use OC\Files\Storage\Wrapper\Encryption; +use OC\Files\View; +use OCP\Encryption\IManager; +use OCP\Files\Config\ICachedMountInfo; +use OCP\Files\File; +use OCP\Files\Mount\IMountPoint; +use OCP\Files\Node; +use OCP\IUser; + +class Repair { + private Util $encryptionUtil; + private string $keyRootDirectory; + private View $rootView; + private Manager $encryptionManager; + + public function __construct( + Util $encryptionUtil, + IManager $encryptionManager + ) { + $this->encryptionUtil = $encryptionUtil; + $this->keyRootDirectory = rtrim($this->encryptionUtil->getKeyStorageRoot(), '/'); + $this->rootView = new View(); + // we're using some bits from the manager not exposed through the interface + if (!$encryptionManager instanceof Manager) { + throw new \Exception("Wrong encryption manager"); + } + $this->encryptionManager = $encryptionManager; + } + + public function getSystemKeyRoot(): string { + return $this->keyRootDirectory . '/files_encryption/keys'; + } + + public function getUserKeyRoot(IUser $user): string { + return $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys'; + } + + public function tryReadFile(File $node): bool { + try { + $fh = $node->fopen('r'); + // read a single chunk + $data = fread($fh, 8192); + if ($data === false) { + return false; + } else { + return true; + } + } catch (\Exception $e) { + return false; + } + } + + /** + * Get the contents of a file without decrypting it + * + * @param File $node + * @return resource + */ + public function openWithoutDecryption(File $node, string $mode) { + $storage = $node->getStorage(); + $internalPath = $node->getInternalPath(); + if ($storage->instanceOfStorage(Encryption::class)) { + /** @var Encryption $storage */ + try { + $storage->setEnabled(false); + $handle = $storage->fopen($internalPath, 'r'); + $storage->setEnabled(true); + } catch (\Exception $e) { + $storage->setEnabled(true); + throw $e; + } + } else { + $handle = $storage->fopen($internalPath, $mode); + } + /** @var resource|false $handle */ + if ($handle === false) { + throw new \Exception("Failed to open " . $node->getPath()); + } + return $handle; + } + + /** + * Check if the data stored for a file is encrypted, regardless of it's metadata + * + * @param File $node + * @return bool + */ + public function isDataEncrypted(File $node): bool { + $handle = $this->openWithoutDecryption($node, 'r'); + $firstBlock = fread($handle, $this->encryptionUtil->getHeaderSize()); + fclose($handle); + + $header = $this->encryptionUtil->parseRawHeader($firstBlock); + return isset($header['oc_encryption_module']); + } + + /** + * @param string $name + * @return \Generator + */ + public function findAllKeysInDirectory(string $basePath) { + if ($this->rootView->is_dir($basePath . '/OC_DEFAULT_MODULE')) { + yield $basePath; + } else { + /** @var false|resource $dh */ + $dh = $this->rootView->opendir($basePath); + if (!$dh) { + throw new \Exception("Invalid base path " . $basePath); + } + while ($child = readdir($dh)) { + if ($child != '..' && $child != '.') { + $childPath = $basePath . '/' . $child; + + // recurse if the child is not a key folder + if ($this->rootView->is_dir($childPath) && !is_dir($childPath . '/OC_DEFAULT_MODULE')) { + yield from $this->findAllKeysInDirectory($childPath); + } + } + } + } + } + + /** + * Test if the provided key is valid as a system key for the file + * + * @param string $key + * @param File $node + * @return bool + */ + public function testSystemKey(string $key, File $node): bool { + $systemKeyPath = $this->getSystemKeyPath($node); + + if ($this->rootView->file_exists($systemKeyPath)) { + // already has a key, reject new key + return false; + } + + $this->rootView->copy($key, $systemKeyPath); + $isValid = $this->tryReadFile($node); + $this->rootView->rmdir($systemKeyPath); + return $isValid; + } + + /** + * Test if the provided key is valid as a system key for the file + * + * @param IUser $user + * @param string $key + * @param File $node + * @return bool + */ + public function testUserKey(IUser $user, string $key, File $node): bool { + $userKeyPath = $this->getUserKeyPath($user, $node); + + if ($this->rootView->file_exists($userKeyPath)) { + // already has a key, reject new key + return false; + } + + $this->rootView->copy($key, $userKeyPath); + $isValid = $this->tryReadFile($node); + $this->rootView->rmdir($userKeyPath); + return $isValid; + } + + /** + * Decrypt a file with the specified system key and mark the key as not-encrypted + * + * @param File $node + * @param string $key + * @return void + */ + public function decryptWithSystemKey(File $node, string $key): void { + $storage = $node->getStorage(); + $name = $node->getName(); + + $node->move($node->getPath() . '.bak'); + $systemKeyPath = $this->getSystemKeyPath($node); + $this->rootView->copy($key, $systemKeyPath); + + try { + if (!$storage->instanceOfStorage(Encryption::class)) { + $storage = $this->encryptionManager->forceWrapStorage($node->getMountPoint(), $storage); + } + /** @var false|resource $source */ + $source = $storage->fopen($node->getInternalPath(), 'r'); + if (!$source) { + throw new \Exception("Failed to open " . $node->getPath() . " with " . $key); + } + $decryptedNode = $node->getParent()->newFile($name); + + $target = $this->openWithoutDecryption($decryptedNode, 'w'); + stream_copy_to_stream($source, $target); + fclose($target); + fclose($source); + + $decryptedNode->getStorage()->getScanner()->scan($decryptedNode->getInternalPath()); + } catch (\Exception $e) { + $this->rootView->rmdir($systemKeyPath); + + // remove the .bak + $node->move(substr($node->getPath(), 0, -4)); + + throw $e; + } + + if ($this->isDataEncrypted($decryptedNode)) { + throw new \Exception($node->getPath() . " still encrypted after attempting to decrypt with " . $key); + } + + $this->markAsUnEncrypted($decryptedNode); + + $this->rootView->rmdir($systemKeyPath); + } + + public function markAsUnEncrypted(Node $node): void { + $node->getStorage()->getCache()->update($node->getId(), ['encrypted' => 0]); + } + + public function getSystemKeyPath(Node $node): string { + $path = $this->getUserRelativePath($node->getPath()); + return $this->getSystemKeyRoot() . $path . '/'; + } + + public function getUserKeyPath(IUser $user, Node $node): string { + $path = $this->getUserRelativePath($node->getPath()); + return $this->getUserKeyRoot($user) . '/' . $path . '/'; + } + + public function getKeyPath(IUser $user, Node $node): string { + if ($this->needsSystemKey($node->getPath())) { + return $this->getSystemKeyPath($node); + } else { + return $this->getUserKeyRoot($user, $node); + } + } + + public function hasSystemKey(Node $node): bool { + // this uses View instead of the RootFolder because the keys might not be in the cache + return $this->rootView->file_exists($this->getSystemKeyPath($node)); + } + + public function hasUserKey(IUser $user, Node $node): bool { + // this uses View instead of the RootFolder because the keys might not be in the cache + return $this->rootView->file_exists($this->getUserKeyPath($user, $node)); + } + + private function getUserRelativePath(string $path): string { + $parts = explode('/', $path, 3); + if (count($parts) >= 3) { + return '/' . $parts[2]; + } else { + return ''; + } + } + + public function needsSystemKey(string $path): bool { + [, $uid, $path] = explode("/", $path, 3); + $path = '/' . $path; + return $this->encryptionUtil->isSystemWideMountPoint($path, $uid); + } +} From 124142e019fa9bd59a2194aea81a6d555e69dbc4 Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Fri, 3 Feb 2023 17:35:23 +0100 Subject: [PATCH 3/6] clear key cache before trying a key Signed-off-by: Robin Appelman --- apps/encryption/lib/Repair.php | 13 ++++++++++--- lib/private/Encryption/Keys/Storage.php | 4 ++++ 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/apps/encryption/lib/Repair.php b/apps/encryption/lib/Repair.php index bb89cc07e5cae..1259c03b7dbbf 100644 --- a/apps/encryption/lib/Repair.php +++ b/apps/encryption/lib/Repair.php @@ -23,14 +23,14 @@ namespace OCA\Encryption; +use OC\Encryption\Keys\Storage; use OC\Encryption\Manager; use OC\Encryption\Util; use OC\Files\Storage\Wrapper\Encryption; use OC\Files\View; use OCP\Encryption\IManager; -use OCP\Files\Config\ICachedMountInfo; +use OCP\Encryption\Keys\IStorage; use OCP\Files\File; -use OCP\Files\Mount\IMountPoint; use OCP\Files\Node; use OCP\IUser; @@ -39,10 +39,12 @@ class Repair { private string $keyRootDirectory; private View $rootView; private Manager $encryptionManager; + private IStorage $keyStorage; public function __construct( Util $encryptionUtil, - IManager $encryptionManager + IManager $encryptionManager, + IStorage $keyStorage ) { $this->encryptionUtil = $encryptionUtil; $this->keyRootDirectory = rtrim($this->encryptionUtil->getKeyStorageRoot(), '/'); @@ -51,6 +53,10 @@ public function __construct( if (!$encryptionManager instanceof Manager) { throw new \Exception("Wrong encryption manager"); } + if (!$keyStorage instanceof Storage) { + throw new \Exception("Wrong encryption storage"); + } + $this->keyStorage = $keyStorage; $this->encryptionManager = $encryptionManager; } @@ -63,6 +69,7 @@ public function getUserKeyRoot(IUser $user): string { } public function tryReadFile(File $node): bool { + $this->keyStorage->clearKeyCache(); try { $fh = $node->fopen('r'); // read a single chunk diff --git a/lib/private/Encryption/Keys/Storage.php b/lib/private/Encryption/Keys/Storage.php index b6376dc014669..baf2f447d0cd1 100644 --- a/lib/private/Encryption/Keys/Storage.php +++ b/lib/private/Encryption/Keys/Storage.php @@ -485,4 +485,8 @@ protected function keySetPreparation($path) { } } } + + public function clearKeyCache() { + $this->keyCache = []; + } } From 6bcae72ea4c5f54a8398f804c649acee4089042d Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Fri, 3 Feb 2023 17:36:00 +0100 Subject: [PATCH 4/6] allow trying keys from other users Signed-off-by: Robin Appelman --- apps/encryption/lib/Command/LocateKey.php | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/apps/encryption/lib/Command/LocateKey.php b/apps/encryption/lib/Command/LocateKey.php index 3c13ad5ed9e2d..0d4a8d2fa7bc6 100644 --- a/apps/encryption/lib/Command/LocateKey.php +++ b/apps/encryption/lib/Command/LocateKey.php @@ -72,6 +72,7 @@ protected function configure(): void { protected function execute(InputInterface $input, OutputInterface $output): int { $dryRun = $input->getOption('dry-run'); $path = $input->getArgument('path'); + $allUsers = $input->getOption('from-all-users'); [, $userId, ] = explode('/', $path); $user = $this->userManager->get($userId); if (!$user) { @@ -104,7 +105,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int // if the file is not marked as encrypted (but the data is actually encrypted as verified above) // the `tryRead` check will always pass if ($this->repair->tryReadFile($node)) { - $output->writeln("$path apprears to already have a valid key in the correct location"); + $output->writeln("$path apprears to already have a valid key in the correct location"); return 1; } } else { @@ -116,7 +117,11 @@ protected function execute(InputInterface $input, OutputInterface $output): int $allKeys = new \AppendIterator(); $allKeys->append($this->repair->findAllKeysInDirectory($this->repair->getUserKeyRoot($user))); $allKeys->append($this->repair->findAllKeysInDirectory($this->repair->getSystemKeyRoot())); - // todo: keys from other users + if ($allUsers) { + $this->userManager->callForSeenUsers(function(IUser $user) use ($allKeys) { + $allKeys->append($this->repair->findAllKeysInDirectory($this->repair->getUserKeyRoot($user))); + }); + } $workingKey = $this->testKeys($user, $node, $allKeys); From 20993af6d43d6a204b94cdea41192423f36bf60b Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Fri, 3 Feb 2023 17:40:58 +0100 Subject: [PATCH 5/6] tell the user where we copied the key to Signed-off-by: Robin Appelman --- apps/encryption/lib/Command/LocateKey.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apps/encryption/lib/Command/LocateKey.php b/apps/encryption/lib/Command/LocateKey.php index 0d4a8d2fa7bc6..4e770b99583dd 100644 --- a/apps/encryption/lib/Command/LocateKey.php +++ b/apps/encryption/lib/Command/LocateKey.php @@ -129,8 +129,9 @@ protected function execute(InputInterface $input, OutputInterface $output): int if ($dryRun) { $output->writeln("Found working key at $workingKey"); } else { - $this->rootView->copy($workingKey, $this->repair->getKeyPath($user, $node)); - $output->writeln("Copied working key at $workingKey"); + $target = $this->repair->getKeyPath($user, $node); + $this->rootView->copy($workingKey, $target); + $output->writeln("Copied working key from $workingKey to $target"); } return 0; } else { From b9ec6adfb2e057bcac25339e21f694569b3ec48b Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Tue, 4 Apr 2023 16:12:54 +0200 Subject: [PATCH 6/6] psalm fixes Signed-off-by: Robin Appelman --- apps/encryption/lib/Command/FixKeyLocation.php | 2 +- apps/encryption/lib/Repair.php | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apps/encryption/lib/Command/FixKeyLocation.php b/apps/encryption/lib/Command/FixKeyLocation.php index d1bf36c1e4cb4..a9ffb59864555 100644 --- a/apps/encryption/lib/Command/FixKeyLocation.php +++ b/apps/encryption/lib/Command/FixKeyLocation.php @@ -238,7 +238,7 @@ public function findUserKeyForSystemFileByName(IUser $user, File $node): ?string * * @param string $basePath * @param string $name - * @return \Generator + * @return \Iterator */ public function findKeysByFileName(string $basePath, string $name) { $allKeys = $this->repair->findAllKeysInDirectory($basePath); diff --git a/apps/encryption/lib/Repair.php b/apps/encryption/lib/Repair.php index 1259c03b7dbbf..3b2551156215e 100644 --- a/apps/encryption/lib/Repair.php +++ b/apps/encryption/lib/Repair.php @@ -69,7 +69,9 @@ public function getUserKeyRoot(IUser $user): string { } public function tryReadFile(File $node): bool { - $this->keyStorage->clearKeyCache(); + if ($this->keyStorage instanceof Storage) { + $this->keyStorage->clearKeyCache(); + } try { $fh = $node->fopen('r'); // read a single chunk @@ -265,7 +267,7 @@ public function getKeyPath(IUser $user, Node $node): string { if ($this->needsSystemKey($node->getPath())) { return $this->getSystemKeyPath($node); } else { - return $this->getUserKeyRoot($user, $node); + return $this->getUserKeyRoot($user); } }