Mirrors
/
nextcloud-server
mirror of https://github.com/nextcloud/server
3
0
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
74239 Commits
1042 Branches
1221 Tags
4.5 GiB
Tree: 08e62bece9
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '08e62bece9'
${ noResults }
nextcloud-server/apps/encryption/lib/Recovery.php

303 lines
8.1 KiB
Raw Normal View History

Initial commit
11 years ago
Fix apps/
10 years ago
Update license headers
10 years ago
Update the license headers for Nextcloud 19 Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
fixing license headers - encryption code related
11 years ago
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
Update license headers
10 years ago
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
fixing license headers - encryption code related
11 years ago
Initial commit
11 years ago
Update license headers Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
7 years ago
Initial commit
11 years ago
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Initial commit
11 years ago
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
7 years ago
Initial commit
11 years ago
Updating keystorage movement and fixing hooks
11 years ago
Initial commit
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
moving methods to their final places and updating test some.
11 years ago
Initial commit
11 years ago
Fix wrongly mixed mock objects in encryption tests Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
Initial commit
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
Initial commit
11 years ago
Fix wrongly mixed mock objects in encryption tests Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
chore: apply changes from Nextcloud coding standards 1.1.1 Signed-off-by: Joas Schilling <coding@schilljs.com> Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
3 years ago
Fix a few psalm issues and moved back to psalm/phar 4.18 Signed-off-by: Carl Schwan <carl@carlschwan.eu>
4 years ago
Initial commit
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
Initial commit
11 years ago
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
11 years ago
Initial commit
11 years ago
fix set recovery key and implement change password
11 years ago
Initial commit
11 years ago
Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
Fix PHPDoc + Add handling for error cases Makes static code analyzers happier.
11 years ago
Initial commit
11 years ago
fix set recovery key and implement change password
11 years ago
Initial commit
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
Initial commit
11 years ago
fix set recovery key and implement change password
11 years ago
read cipher from key header and always write a key header if a new private key is stored
11 years ago
fix set recovery key and implement change password
11 years ago
Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
Fix PHPDoc + Add handling for error cases Makes static code analyzers happier.
11 years ago
use password hash instead of the plain password to encrypt the private key
11 years ago
make sure that encrypted private keys always have a header
11 years ago
fix set recovery key and implement change password
11 years ago
make sure that encrypted private keys always have a header
11 years ago
fix set recovery key and implement change password
11 years ago
Initial commit
11 years ago
Scrutinizer Auto-Fixes This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
11 years ago
Initial commit
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
Initial commit
11 years ago
Updating keystorage movement and fixing hooks
11 years ago
make recovery key work
11 years ago
Updating keystorage movement and fixing hooks
11 years ago
make recovery key work
11 years ago
Fix wrongly mixed mock objects in encryption tests Signed-off-by: Joas Schilling <coding@schilljs.com>
7 years ago
make recovery key work
11 years ago
Updating keystorage movement and fixing hooks
11 years ago
moving methods to their final places and updating test some.
11 years ago
make recovery key work
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
make recovery key work
11 years ago
Updating keystorage movement and fixing hooks
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
Updating keystorage movement and fixing hooks
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
Updating keystorage movement and fixing hooks
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
let user enable recovery key
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
delete recovery keys on disable
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
Updating keystorage movement and fixing hooks
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
let user enable recovery key
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
let user enable recovery key
11 years ago
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
let user enable recovery key
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
check recovery setting for the right user
11 years ago
let user enable recovery key
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
delete recovery keys on disable
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
delete recovery keys on disable
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
cleanup keymanager test and add some additional tests
11 years ago
add helper class accessible for encryption modules to ask for a list of users with access to a file, needed to apply the recovery key to all files
11 years ago
Updating keystorage movement and fixing hooks
11 years ago
make recovery key work
11 years ago
Updating keystorage movement and fixing hooks
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
make recovery key work
11 years ago
moving methods to their final places and updating test some.
11 years ago
use uid as additional information for salt
11 years ago
Format control structures, classes, methods and function To continue this formatting madness, here's a tiny patch that adds unified formatting for control structures like if and loops as well as classes, their methods and anonymous functions. This basically forces the constructs to start on the same line. This is not exactly what PSR2 wants, but I think we can have a few exceptions with "our" style. The starting of braces on the same line is pracrically standard for our code. This also removes and empty lines from method/function bodies at the beginning and end. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
Fix PHPDoc + Add handling for error cases Makes static code analyzers happier.
11 years ago
Updating keystorage movement and fixing hooks
11 years ago
moving methods to their final places and updating test some.
11 years ago
check recovery setting for the right user
11 years ago
moving methods to their final places and updating test some.
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
make recovery key work
11 years ago
moving methods to their final places and updating test some.
11 years ago
make recovery key work
11 years ago
check recovery setting for the right user
11 years ago
moving methods to their final places and updating test some.
11 years ago
check recovery setting for the right user
11 years ago
moving methods to their final places and updating test some.
11 years ago
check recovery setting for the right user
11 years ago
moving methods to their final places and updating test some.
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
make recovery key work
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
make recovery key work
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
moving methods to their final places and updating test some.
11 years ago
make recovery key work
11 years ago
Use the short array syntax, everywhere Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
6 years ago
check recovery setting for the right user
11 years ago
make recovery key work
11 years ago
moving methods to their final places and updating test some.
11 years ago
check recovery setting for the right user
11 years ago
moving methods to their final places and updating test some.
11 years ago
Adapt code to new encryption system fileKey gets deleted upon save as it’s stored in shareKeys instead now. We use presence of a fileKey to detect if a file is using the legacy system or the new one, because we do not always have access to header data. Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
3 years ago
make recovery key work
11 years ago
moving methods to their final places and updating test some.
11 years ago
Initial commit
11 years ago
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Björn Schießle <bjoern@schiessle.org>
  6. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  7. * @author Clark Tomlinson <fallen013@gmail.com>
  8. * @author Joas Schilling <coding@schilljs.com>
  9. * @author Lukas Reschke <lukas@statuscode.ch>
  10. * @author Roeland Jago Douma <roeland@famdouma.nl>
  11. *
  12. * @license AGPL-3.0
  13. *
  14. * This code is free software: you can redistribute it and/or modify
  15. * it under the terms of the GNU Affero General Public License, version 3,
  16. * as published by the Free Software Foundation.
  17. *
  18. * This program is distributed in the hope that it will be useful,
  19. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  20. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  21. * GNU Affero General Public License for more details.
  22. *
  23. * You should have received a copy of the GNU Affero General Public License, version 3,
  24. * along with this program. If not, see <http://www.gnu.org/licenses/>
  25. *
  26. */
  27. namespace OCA\Encryption;
  29. use OC\Files\View;
  30. use OCA\Encryption\Crypto\Crypt;
  31. use OCP\Encryption\IFile;
  32. use OCP\IConfig;
  33. use OCP\IUser;
  34. use OCP\IUserSession;
  35. use OCP\PreConditionNotMetException;
  37. class Recovery {
  38. /**
  39. * @var null|IUser
  40. */
  41. protected $user;
  42. /**
  43. * @var Crypt
  44. */
  45. protected $crypt;
  46. /**
  47. * @var KeyManager
  48. */
  49. private $keyManager;
  50. /**
  51. * @var IConfig
  52. */
  53. private $config;
  54. /**
  55. * @var View
  56. */
  57. private $view;
  58. /**
  59. * @var IFile
  60. */
  61. private $file;
  63. /**
  64. * @param IUserSession $userSession
  65. * @param Crypt $crypt
  66. * @param KeyManager $keyManager
  67. * @param IConfig $config
  68. * @param IFile $file
  69. * @param View $view
  70. */
  71. public function __construct(IUserSession $userSession,
  72. Crypt $crypt,
  73. KeyManager $keyManager,
  74. IConfig $config,
  75. IFile $file,
  76. View $view) {
  77. $this->user = ($userSession->isLoggedIn()) ? $userSession->getUser() : null;
  78. $this->crypt = $crypt;
  79. $this->keyManager = $keyManager;
  80. $this->config = $config;
  81. $this->view = $view;
  82. $this->file = $file;
  83. }
  85. /**
  86. * @param string $password
  87. * @return bool
  88. */
  89. public function enableAdminRecovery($password) {
  90. $appConfig = $this->config;
  91. $keyManager = $this->keyManager;
  93. if (!$keyManager->recoveryKeyExists()) {
  94. $keyPair = $this->crypt->createKeyPair();
  95. if (!is_array($keyPair)) {
  96. return false;
  97. }
  99. $this->keyManager->setRecoveryKey($password, $keyPair);
  100. }
  102. if ($keyManager->checkRecoveryPassword($password)) {
  103. $appConfig->setAppValue('encryption', 'recoveryAdminEnabled', '1');
  104. return true;
  105. }
  107. return false;
  108. }
  110. /**
  111. * change recovery key id
  112. *
  113. * @param string $newPassword
  114. * @param string $oldPassword
  115. * @return bool
  116. */
  117. public function changeRecoveryKeyPassword($newPassword, $oldPassword) {
  118. $recoveryKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId());
  119. $decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $oldPassword);
  120. if ($decryptedRecoveryKey === false) {
  121. return false;
  122. }
  123. $encryptedRecoveryKey = $this->crypt->encryptPrivateKey($decryptedRecoveryKey, $newPassword);
  124. $header = $this->crypt->generateHeader();
  125. if ($encryptedRecoveryKey) {
  126. $this->keyManager->setSystemPrivateKey($this->keyManager->getRecoveryKeyId(), $header . $encryptedRecoveryKey);
  127. return true;
  128. }
  129. return false;
  130. }
  132. /**
  133. * @param string $recoveryPassword
  134. * @return bool
  135. */
  136. public function disableAdminRecovery($recoveryPassword) {
  137. $keyManager = $this->keyManager;
  139. if ($keyManager->checkRecoveryPassword($recoveryPassword)) {
  140. // Set recoveryAdmin as disabled
  141. $this->config->setAppValue('encryption', 'recoveryAdminEnabled', '0');
  142. return true;
  143. }
  144. return false;
  145. }
  147. /**
  148. * check if recovery is enabled for user
  149. *
  150. * @param string $user if no user is given we check the current logged-in user
  151. *
  152. * @return bool
  153. */
  154. public function isRecoveryEnabledForUser($user = '') {
  155. $uid = $user === '' ? $this->user->getUID() : $user;
  156. $recoveryMode = $this->config->getUserValue($uid,
  157. 'encryption',
  158. 'recoveryEnabled',
  159. 0);
  161. return ($recoveryMode === '1');
  162. }
  164. /**
  165. * check if recovery is key is enabled by the administrator
  166. *
  167. * @return bool
  168. */
  169. public function isRecoveryKeyEnabled() {
  170. $enabled = $this->config->getAppValue('encryption', 'recoveryAdminEnabled', '0');
  172. return ($enabled === '1');
  173. }
  175. /**
  176. * @param string $value
  177. * @return bool
  178. */
  179. public function setRecoveryForUser($value) {
  180. try {
  181. $this->config->setUserValue($this->user->getUID(),
  182. 'encryption',
  183. 'recoveryEnabled',
  184. $value);
  186. if ($value === '1') {
  187. $this->addRecoveryKeys('/' . $this->user->getUID() . '/files/');
  188. } else {
  189. $this->removeRecoveryKeys('/' . $this->user->getUID() . '/files/');
  190. }
  192. return true;
  193. } catch (PreConditionNotMetException $e) {
  194. return false;
  195. }
  196. }
  198. /**
  199. * add recovery key to all encrypted files
  200. */
  201. private function addRecoveryKeys(string $path): void {
  202. $dirContent = $this->view->getDirectoryContent($path);
  203. foreach ($dirContent as $item) {
  204. $filePath = $item->getPath();
  205. if ($item['type'] === 'dir') {
  206. $this->addRecoveryKeys($filePath . '/');
  207. } else {
  208. $fileKey = $this->keyManager->getFileKey($filePath, $this->user->getUID(), null);
  209. if (!empty($fileKey)) {
  210. $accessList = $this->file->getAccessList($filePath);
  211. $publicKeys = [];
  212. foreach ($accessList['users'] as $uid) {
  213. $publicKeys[$uid] = $this->keyManager->getPublicKey($uid);
  214. }
  216. $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $this->user->getUID());
  218. $shareKeys = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys);
  219. $this->keyManager->deleteLegacyFileKey($filePath);
  220. foreach ($shareKeys as $uid => $keyFile) {
  221. $this->keyManager->setShareKey($filePath, $uid, $keyFile);
  222. }
  223. }
  224. }
  225. }
  226. }
  228. /**
  229. * remove recovery key to all encrypted files
  230. */
  231. private function removeRecoveryKeys(string $path): void {
  232. $dirContent = $this->view->getDirectoryContent($path);
  233. foreach ($dirContent as $item) {
  234. $filePath = $item->getPath();
  235. if ($item['type'] === 'dir') {
  236. $this->removeRecoveryKeys($filePath . '/');
  237. } else {
  238. $this->keyManager->deleteShareKey($filePath, $this->keyManager->getRecoveryKeyId());
  239. }
  240. }
  241. }
  243. /**
  244. * recover users files with the recovery key
  245. */
  246. public function recoverUsersFiles(string $recoveryPassword, string $user): void {
  247. $encryptedKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId());
  249. $privateKey = $this->crypt->decryptPrivateKey($encryptedKey, $recoveryPassword);
  250. if ($privateKey !== false) {
  251. $this->recoverAllFiles('/' . $user . '/files/', $privateKey, $user);
  252. }
  253. }
  255. /**
  256. * recover users files
  257. */
  258. private function recoverAllFiles(string $path, string $privateKey, string $uid): void {
  259. $dirContent = $this->view->getDirectoryContent($path);
  261. foreach ($dirContent as $item) {
  262. // Get relative path from encryption/keyfiles
  263. $filePath = $item->getPath();
  264. if ($this->view->is_dir($filePath)) {
  265. $this->recoverAllFiles($filePath . '/', $privateKey, $uid);
  266. } else {
  267. $this->recoverFile($filePath, $privateKey, $uid);
  268. }
  269. }
  270. }
  272. /**
  273. * recover file
  274. */
  275. private function recoverFile(string $path, string $privateKey, string $uid): void {
  276. $encryptedFileKey = $this->keyManager->getEncryptedFileKey($path);
  277. $shareKey = $this->keyManager->getShareKey($path, $this->keyManager->getRecoveryKeyId());
  279. if ($encryptedFileKey && $shareKey && $privateKey) {
  280. $fileKey = $this->crypt->multiKeyDecryptLegacy($encryptedFileKey,
  281. $shareKey,
  282. $privateKey);
  283. } elseif ($shareKey && $privateKey) {
  284. $fileKey = $this->crypt->multiKeyDecrypt($shareKey, $privateKey);
  285. }
  287. if (!empty($fileKey)) {
  288. $accessList = $this->file->getAccessList($path);
  289. $publicKeys = [];
  290. foreach ($accessList['users'] as $user) {
  291. $publicKeys[$user] = $this->keyManager->getPublicKey($user);
  292. }
  294. $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $uid);
  296. $shareKeys = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys);
  297. $this->keyManager->deleteLegacyFileKey($path);
  298. foreach ($shareKeys as $uid => $keyFile) {
  299. $this->keyManager->setShareKey($path, $uid, $keyFile);
  300. }
  301. }
  302. }
  303. }