open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Implementing sharing support

Browse Source 
New file-specific methods in lib/public/share
Changes to how keyfiles are stored
remotes/origin/stable6
Sam Tuke 13 years ago
parent b3e59ca1e3
commit 92f06243be
6 changed files with 283 additions and 105 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 47
      apps/files_encryption/hooks/hooks.php
  2. 41
      apps/files_encryption/lib/crypt.php
  3. 97
      apps/files_encryption/lib/keymanager.php
  4. 113
      apps/files_encryption/lib/proxy.php
  5. 8
      apps/files_encryption/test/crypt.php
  6. 82
      lib/public/share.php

47
apps/files_encryption/hooks/hooks.php
Unescape View File

@ -82,8 +82,12 @@ class Hooks {
}
\OC_FileProxy::$enabled = false;
$publicKey = Keymanager::getPublicKey( $view, $params['uid'] );
\OC_FileProxy::$enabled = false;
// Encrypt existing user files:
// This serves to upgrade old versions of the encryption
// app (see appinfo/spec.txt)
@ -175,8 +179,9 @@ class Hooks {
$view = new \OC_FilesystemView( '/' );
$userId = \OCP\User::getUser();
$util = new Util( $view, $userId );
$session = new Session();
$shares = \OCP\Share::getUsersSharingFile( $params['fileTarget'] );
$shares = \OCP\Share::getUsersSharingFile( $params['fileTarget'], 1 );
$userIds = array();
@ -202,41 +207,35 @@ class Hooks {
}
trigger_error("UIDS = ".var_export($userIds, 1));
$userPubKeys = Keymanager::getPublicKeys( $view, $userIds );
// trigger_error("PUB KEYS = ".var_export($userPubKeys, 1));
// TODO: Fetch path from Crypt{} getter
$plainContent = $view->file_get_contents( $userId . '/' . 'files'. '/' . $params['fileTarget'] );
\OC_FileProxy::$enabled = false;
// Generate new catfile and share keys
if ( ! $encrypted = Crypt::multiKeyEncrypt( $plainContent, $userPubKeys ) ) {
// get the keyfile
$encKeyfile = Keymanager::getFileKey( $view, $userId, $params['fileTarget'] );
// If the re-encryption failed, don't risk deleting data
return false;
}
$privateKey = $session->getPrivateKey();
trigger_error("ENCRYPTED = ". var_export($encrypted, 1));
// decrypt the keyfile
$plainKeyfile = Crypt::keyDecrypt( $encKeyfile, $privateKey );
// Save env keys to user folders
foreach ( $encrypted['keys'] as $key ) {
// re-enc keyfile to sharekeys
$shareKeys = Crypt::multiKeyEncrypt( $plainKeyfile, $userPubKeys );
// Keymanager::setShareKey( $view, $params['fileTarget'], $userId, $key );
// save sharekeys
if ( ! Keymanager::setShareKeys( $view, $params['fileTarget'], $shareKeys['keys'] ) ) {
trigger_error( "SET Share keys failed" );
}
// Delete existing catfile
// Check if keyfile exists (it won't if file has been shared before)
// Delete existing keyfile
// Do this last to ensure file is recoverable in case of error
if ( $util->isEncryptedPath( $params['fileTarget'] ) ) {
// NOTE: This will trigger an error if keyfile isn't found
// Keymanager::deleteFileKey( $params['fileTarget'] );
// Keymanager::deleteFileKey( $view, $userId, $params['fileTarget'] );
}
\OC_FileProxy::$enabled = true;
return true;
}

41
apps/files_encryption/lib/crypt.php
Unescape View File

@ -370,22 +370,41 @@ class Crypt {
/**
* @brief Create asymmetrically encrypted keyfile content using a generated key
* @param string $plainContent content to be encrypted
* @returns array keys: key, encrypted
* @note symmetricDecryptFileContent() can be used to decrypt files created using this method
*
* This function decrypts a file
* @param array $publicKeys array keys must be the userId of corresponding user
* @returns array keys: keys (array, key = userId), encrypted
* @note symmetricDecryptFileContent() can decrypt files created using this method
*/
public static function multiKeyEncrypt( $plainContent, array $publicKeys ) {
// openssl_seal returns false without errors if $plainContent
// is empty, so trigger our own error
if ( empty( $plainContent ) ) {
trigger_error( "Cannot mutliKeyEncrypt empty plain content" );
throw new \Exception( 'Cannot mutliKeyEncrypt empty plain content' );
}
// Set empty vars to be set by openssl by reference
$sealed = '';
$envKeys = array();
$shareKeys = array();
if( openssl_seal( $plainContent, $sealed, $envKeys, $publicKeys ) ) {
if( openssl_seal( $plainContent, $sealed, $shareKeys, $publicKeys ) ) {
$i = 0;
// Ensure each shareKey is labelled with its
// corresponding userId
foreach ( $publicKeys as $userId => $publicKey ) {
$mappedShareKeys[$userId] = $shareKeys[$i];
$i++;
}
return array(
'keys' => $envKeys
, 'encrypted' => $sealed
'keys' => $mappedShareKeys
, 'data' => $sealed
);
} else {
@ -404,7 +423,7 @@ class Crypt {
*
* This function decrypts a file
*/
public static function multiKeyDecrypt( $encryptedContent, $envKey, $privateKey ) {
public static function multiKeyDecrypt( $encryptedContent, $shareKey, $privateKey ) {
if ( !$encryptedContent ) {
@ -412,7 +431,7 @@ class Crypt {
}
if ( openssl_open( $encryptedContent, $plainContent, $envKey, $privateKey ) ) {
if ( openssl_open( $encryptedContent, $plainContent, $shareKey, $privateKey ) ) {
return $plainContent;

97
apps/files_encryption/lib/keymanager.php
Unescape View File

@ -52,8 +52,11 @@ class Keymanager {
*/
public static function getPublicKey( \OC_FilesystemView $view, $userId ) {
\OC_FileProxy::$enabled = false;
return $view->file_get_contents( '/public-keys/' . '/' . $userId . '.public.key' );
\OC_FileProxy::$enabled = true;
}
/**
@ -77,20 +80,16 @@ class Keymanager {
* @param array $userIds
* @return array of public keys for the specified users
*/
public static function getPublicKeys( \OC_FilesystemView $view, $userIds ) {
public static function getPublicKeys( \OC_FilesystemView $view, array $userIds ) {
$i = 0;
$keys = array();
foreach ( $userIds as $userId ) {
$i++;
$keys[$userId] = self::getPublicKey( $view, $userId );
}
$keys['total'] = $i;
return $keys;
}
@ -137,11 +136,11 @@ class Keymanager {
$filePath_f = ltrim( $filePath, '/' );
$catfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key';
$keyfilePath = '/' . $userId . '/files_encryption/keyfiles/' . $filePath_f . '.key';
if ( $view->file_exists( $catfilePath ) ) {
if ( $view->file_exists( $keyfilePath ) ) {
return $view->file_get_contents( $catfilePath );
return $view->file_get_contents( $keyfilePath );
} else {
@ -239,7 +238,7 @@ class Keymanager {
}
/**
* @brief store file encryption key
* @brief store share key
*
* @param string $path relative path of the file, including filename
* @param string $key
@ -255,7 +254,85 @@ class Keymanager {
$shareKeyPath = self::keySetPreparation( $view, $path, $basePath, $userId );
return $view->file_put_contents( $basePath . '/' . $shareKeyPath . '.shareKey', $shareKey );
$writePath = $basePath . '/' . $shareKeyPath . '.shareKey';
\OC_FileProxy::$enabled = false;
$result = $view->file_put_contents( $writePath, $shareKey );
if (
is_int( $result )
&& $result > 0
) {
return true;
} else {
return false;
}
}
/**
* @brief store multiple share keys for a single file
* @return bool
*/
public static function setShareKeys( \OC_FilesystemView $view, $path, array $shareKeys ) {
// $shareKeys must be an array with the following format:
// [userId] => [encrypted key]
$result = true;
foreach ( $shareKeys as $userId => $shareKey ) {
if ( ! self::setShareKey( $view, $path, $userId, $shareKey ) ) {
// If any of the keys are not set, flag false
$result = false;
}
}
// Returns false if any of the keys weren't set
return $result;
}
/**
* @brief retrieve shareKey for an encrypted file
* @param \OC_FilesystemView $view
* @param $userId
* @param $filePath
* @internal param \OCA\Encryption\file $string name
* @return string file key or false
* @note The sharekey returned is encrypted. Decryption
* of the keyfile must be performed by client code
*/
public static function getShareKey( \OC_FilesystemView $view, $userId, $filePath ) {
\OC_FileProxy::$enabled = false;
$filePath_f = ltrim( $filePath, '/' );
$shareKeyPath = '/' . $userId . '/files_encryption/share-keys/' . $filePath_f . '.shareKey';
if ( $view->file_exists( $shareKeyPath ) ) {
$result = $view->file_get_contents( $shareKeyPath );
} else {
$result = false;
}
\OC_FileProxy::$enabled = true;
return $result;
}

113
apps/files_encryption/lib/proxy.php
Unescape View File

@ -99,58 +99,65 @@ class Proxy extends \OC_FileProxy {
if ( !is_resource( $data ) ) {
$userId = \OCP\USER::getUser();
$rootView = new \OC_FilesystemView( '/' );
$util = new Util( $rootView, $userId );
$filePath = $util->stripUserFilesPath( $path );
// Set the filesize for userland, before encrypting
$size = strlen( $data );
// Disable encryption proxy to prevent recursive calls
\OC_FileProxy::$enabled = false;
$fileOwner = \OC\Files\Filesystem::getOwner( $path );
// Encrypt data
$encData = Crypt::symmetricEncryptFileContentKeyfile( $data );
// Check if the keyfile needs to be shared
if (
$fileOwner !== true
or $fileOwner !== $userId
) {
if ( \OCP\Share::isSharedFile( $filePath ) ) {
// $fileOwner = \OC\Files\Filesystem::getOwner( $path );
// List everyone sharing the file
$shares = \OCP\Share::getUsersSharingFile( $filePath, 1 );
$userIds = array();
foreach ( $shares as $share ) {
$userIds[] = $share['userId'];
}
$publicKeys = Keymanager::getPublicKeys( $rootView, $userIds );
\OC_FileProxy::$enabled = false;
// Encrypt plain keyfile to multiple sharefiles
$multiEncrypted = Crypt::multiKeyEncrypt( $encData['key'], $publicKeys );
// Save sharekeys to user folders
Keymanager::setShareKeys( $rootView, $filePath, $multiEncrypted['keys'] );
// Set encrypted keyfile as common varname
$encKey = $multiEncrypted['encrypted'];
// Shared storage backend isn't loaded
$users = \OCP\Share::getItemShared( 'file', $path, \OC_Share_backend_File::FORMAT_SHARED_STORAGE );
//
trigger_error("SHARE USERS = ". var_export($users, 1));
//
// $publicKeys = Keymanager::getPublicKeys( $rootView, $users);
//
// // Encrypt plain data to multiple users
// $encrypted = Crypt::multiKeyEncrypt( $data, $publicKeys );
} else {
$publicKey = Keymanager::getPublicKey( $rootView, $userId );
// Encrypt plain data to a single user
$encrypted = Crypt::keyEncryptKeyfile( $data, $publicKey );
$encKey = Crypt::keyEncrypt( $encData['key'], $publicKey );
}
// Replace plain content with encrypted content by reference
$data = $encrypted['data'];
$filePath = explode( '/', $path );
$filePath = array_slice( $filePath, 3 );
$filePath = '/' . implode( '/', $filePath );
// TODO: make keyfile dir dynamic from app config
$view = new \OC_FilesystemView( '/' );
// TODO: Replace userID with ownerId so keyfile is saved centrally
// Save keyfile for newly encrypted file in parallel directory tree
Keymanager::setFileKey( $view, $filePath, $userId, $encrypted['key'] );
Keymanager::setFileKey( $rootView, $filePath, $userId, $encKey );
// Replace plain content with encrypted content by reference
$data = $encData['encrypted'];
// Update the file cache with file info
\OC\Files\Filesystem::putFileInfo( $path, array( 'encrypted'=>true, 'size' => $size ), '' );
@ -168,8 +175,6 @@ class Proxy extends \OC_FileProxy {
* @param string $data Data that has been read from file
*/
public function postFile_get_contents( $path, $data ) {
// TODO: Use dependency injection to add required args for view and user etc. to this method
// Disable encryption proxy to prevent recursive calls
\OC_FileProxy::$enabled = false;
@ -180,45 +185,55 @@ class Proxy extends \OC_FileProxy {
&& Crypt::isCatfile( $data )
) {
$split = explode( '/', $path );
$filePath = array_slice( $split, 3 );
$view = new \OC_FilesystemView( '/' );
$userId = \OCP\USER::getUser();
$session = new Session();
$util = new Util( $view, $userId );
$filePath = $util->stripUserFilesPath( $path );
$privateKey = $session->getPrivateKey( $userId );
$filePath = '/' . implode( '/', $filePath );
// Get the encrypted keyfile
$encKeyfile = Keymanager::getFileKey( $view, $userId, $filePath );
//$cached = \OC\Files\Filesystem::getFileInfo( $path, '' );
// Check if key is shared or not
if ( \OCP\Share::isSharedFile( $filePath ) ) {
$view = new \OC_FilesystemView( '' );
// If key is shared, fetch the user's shareKey
$shareKey = Keymanager::getShareKey( $view, $userId, $filePath );
\OC_FileProxy::$enabled = false;
// Decrypt keyfile with shareKey
$plainKeyfile = Crypt::multiKeyDecrypt( $encKeyfile, $shareKey, $privateKey );
$userId = \OCP\USER::getUser();
} else {
// If key is unshared, decrypt with user private key
$plainKeyfile = Crypt::keyDecrypt( $encKeyfile, $privateKey );
// TODO: Check if file is shared, if so, use multiKeyDecrypt
}
$encryptedKeyfile = Keymanager::getFileKey( $view, $userId, $filePath );
$plainData = Crypt::symmetricDecryptFileContent( $data, $plainKeyfile );
$session = new Session();
$decrypted = Crypt::keyDecryptKeyfile( $data, $encryptedKeyfile, $session->getPrivateKey( $split[1] ) );
} elseif (
Crypt::mode() == 'server'
&& isset( $_SESSION['legacyenckey'] )
&& Crypt::isEncryptedMeta( $path )
) {
$decrypted = Crypt::legacyDecrypt( $data, $_SESSION['legacyenckey'] );
$plainData = Crypt::legacyDecrypt( $data, $session->getLegacyKey() );
}
\OC_FileProxy::$enabled = true;
if ( ! isset( $decrypted ) ) {
if ( ! isset( $plainData ) ) {
$decrypted = $data;
$plainData = $data;
}
return $decrypted;
return $plainData;
}

8
apps/files_encryption/test/crypt.php
Unescape View File

@ -439,14 +439,14 @@ class Test_Crypt extends \PHPUnit_Framework_TestCase {
$this->assertTrue( strlen( $pair1['privateKey'] ) > 1 );
$crypted = Encryption\Crypt::multiKeyEncrypt( $this->dataUrl, array( $pair1['publicKey'] ) );
$crypted = Encryption\Crypt::multiKeyEncrypt( $this->dataShort, array( $pair1['publicKey'] ) );
$this->assertNotEquals( $this->dataUrl, $crypted['encrypted'] );
$this->assertNotEquals( $this->dataShort, $crypted['data'] );
$decrypt = Encryption\Crypt::multiKeyDecrypt( $crypted['encrypted'], $crypted['keys'][0], $pair1['privateKey'] );
$decrypt = Encryption\Crypt::multiKeyDecrypt( $crypted['data'], $crypted['keys'][0], $pair1['privateKey'] );
$this->assertEquals( $this->dataUrl, $decrypt );
$this->assertEquals( $this->dataShort, $decrypt );
}

82
lib/public/share.php
Unescape View File

@ -92,20 +92,73 @@ class Share {
return false;
}
/**
* @brief Prepare a path to be passed to DB as file_target
* @return string Prepared path
*/
public static function prepFileTarget( $path ) {
// Paths in DB are stored with leading slashes, so add one if necessary
if ( substr( $path, 0, 1 ) !== '/' ) {
$path = '/' . $path;
}
return $path;
}
public static function isSharedFile( $path ) {
$fPath = self::prepFileTarget( $path );
// Fetch all shares of this file path from DB
$query = \OC_DB::prepare(
'SELECT
id
FROM
`*PREFIX*share`
WHERE
file_target = ?'
);
$result = $query->execute( array( $fPath ) );
if ( \OC_DB::isError( $result ) ) {
\OC_Log::write( 'OCP\Share', \OC_DB::getErrorMessage( $result ) . ', path=' . $fPath, \OC_Log::ERROR );
}
if ( $result->fetchRow() !== false ) {
return true;
} else {
return false;
}
}
/**
* @brief Find which users can access a shared item
* @param string Item type
* @param int Format (optional) Format type must be defined by the backend
* @param int Number of items to return (optional) Returns all by default
* @return Return depends on format
* @return bool / array
* @note $path needs to be relative to user data dir, e.g. 'file.txt'
* not '/admin/data/file.txt'
*/
public static function getUsersSharingFile( $path ) {
public static function getUsersSharingFile( $path, $includeOwner = 0 ) {
$fPath = self::prepFileTarget( $path );
// Fetch all shares of this file path from DB
$query = \OC_DB::prepare(
'SELECT
share_type
, share_with
, uid_owner
, permissions
FROM
`*PREFIX*share`
@ -113,11 +166,11 @@ class Share {
file_target = ?'
);
$result = $query->execute( array( $path ) );
$result = $query->execute( array( $fPath ) );
if ( \OC_DB::isError( $result ) ) {
\OC_Log::write( 'OCP\Share', \OC_DB::getErrorMessage($result) . ', path=' . $path, \OC_Log::ERROR );
\OC_Log::write( 'OCP\Share', \OC_DB::getErrorMessage($result) . ', path=' . $fPath, \OC_Log::ERROR );
}
@ -128,6 +181,7 @@ class Share {
// Set helpful array keys
$shares[] = array(
'userId' => $row['share_with']
, 'owner' => $row['uid_owner'] // we just set this so it can be used once, hugly hack :/
, 'shareType' => $row['share_type']
, 'permissions' => $row['permissions']
);
@ -136,6 +190,20 @@ class Share {
if ( ! empty( $shares ) ) {
// Include owner in list of users, if requested
if ( $includeOwner == 1 ) {
// NOTE: The values are incorrect for shareType and
// permissions of the owner; we just include them for
// optional convenience
$shares[] = array(
'userId' => $shares[0]['owner']
, 'shareType' => 0
, 'permissions' => 0
);
}
return $shares;
} else {

Write Preview
Loading…
Cancel
Save