userManager = $userManager; $this->userMountCache = $userMountCache; $this->encryptionUtil = $encryptionUtil; $this->rootFolder = $rootFolder; $this->keyRootDirectory = rtrim($this->encryptionUtil->getKeyStorageRoot(), '/'); $this->rootView = new View(); if (!$encryptionManager instanceof Manager) { throw new \Exception("Wrong encryption manager"); } $this->encryptionManager = $encryptionManager; parent::__construct(); } protected function configure(): void { parent::configure(); $this ->setName('encryption:fix-key-location') ->setDescription('Fix the location of encryption keys for external storage') ->addOption('dry-run', null, InputOption::VALUE_NONE, "Only list files that require key migration, don't try to perform any migration") ->addArgument('user', InputArgument::REQUIRED, "User id to fix the key locations for"); } protected function execute(InputInterface $input, OutputInterface $output): int { $dryRun = $input->getOption('dry-run'); $userId = $input->getArgument('user'); $user = $this->userManager->get($userId); if (!$user) { $output->writeln("User $userId not found"); return 1; } \OC_Util::setupFS($user->getUID()); $mounts = $this->getSystemMountsForUser($user); foreach ($mounts as $mount) { $mountRootFolder = $this->rootFolder->get($mount->getMountPoint()); if (!$mountRootFolder instanceof Folder) { $output->writeln("System wide mount point is not a directory, skipping: " . $mount->getMountPoint() . ""); continue; } $files = $this->getAllEncryptedFiles($mountRootFolder); foreach ($files as $file) { /** @var File $file */ $hasSystemKey = $this->hasSystemKey($file); $hasUserKey = $this->hasUserKey($user, $file); if (!$hasSystemKey) { if ($hasUserKey) { // key was stored incorrectly as user key, migrate if ($dryRun) { $output->writeln("" . $file->getPath() . " needs migration"); } else { $output->write("Migrating key for " . $file->getPath() . " "); if ($this->copyUserKeyToSystemAndValidate($user, $file)) { $output->writeln(""); } else { $output->writeln("❌"); $output->writeln(" Failed to validate key for " . $file->getPath() . ", key will not be migrated"); } } } else { // no matching key, probably from a broken cross-storage move $shouldBeEncrypted = $file->getStorage()->instanceOfStorage(Encryption::class); $isActuallyEncrypted = $this->isDataEncrypted($file); if ($isActuallyEncrypted) { if ($dryRun) { if ($shouldBeEncrypted) { $output->write("" . $file->getPath() . " needs migration"); } else { $output->write("" . $file->getPath() . " needs decryption"); } $foundKey = $this->findUserKeyForSystemFile($user, $file); if ($foundKey) { $output->writeln(", valid key found at " . $foundKey . ""); } else { $output->writeln(" ❌ No key found"); } } else { if ($shouldBeEncrypted) { $output->write("Migrating key for " . $file->getPath() . ""); } else { $output->write("Decrypting " . $file->getPath() . ""); } $foundKey = $this->findUserKeyForSystemFile($user, $file); if ($foundKey) { if ($shouldBeEncrypted) { $systemKeyPath = $this->getSystemKeyPath($file); $this->rootView->copy($foundKey, $systemKeyPath); $output->writeln(" Migrated key from " . $foundKey . ""); } else { $this->decryptWithSystemKey($file, $foundKey); $output->writeln(" Decrypted with key from " . $foundKey . ""); } } else { $output->writeln(" ❌ No key found"); } } } else { if ($dryRun) { $output->writeln("" . $file->getPath() . " needs to be marked as not encrypted"); } else { $this->markAsUnEncrypted($file); $output->writeln("" . $file->getPath() . " marked as not encrypted"); } } } } } } return 0; } private function getUserRelativePath(string $path): string { $parts = explode('/', $path, 3); if (count($parts) >= 3) { return '/' . $parts[2]; } else { return ''; } } /** * @param IUser $user * @return ICachedMountInfo[] */ private function getSystemMountsForUser(IUser $user): array { return array_filter($this->userMountCache->getMountsForUser($user), function (ICachedMountInfo $mount) use ( $user ) { $mountPoint = substr($mount->getMountPoint(), strlen($user->getUID() . '/')); return $this->encryptionUtil->isSystemWideMountPoint($mountPoint, $user->getUID()); }); } /** * Get all files in a folder which are marked as encrypted * * @param Folder $folder * @return \Generator */ private function getAllEncryptedFiles(Folder $folder) { foreach ($folder->getDirectoryListing() as $child) { if ($child instanceof Folder) { yield from $this->getAllEncryptedFiles($child); } else { if (substr($child->getName(), -4) !== '.bak' && $child->isEncrypted()) { yield $child; } } } } private function getSystemKeyPath(Node $node): string { $path = $this->getUserRelativePath($node->getPath()); return $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; } private function getUserBaseKeyPath(IUser $user): string { return $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys'; } private function getUserKeyPath(IUser $user, Node $node): string { $path = $this->getUserRelativePath($node->getPath()); return $this->getUserBaseKeyPath($user) . '/' . $path . '/'; } private function hasSystemKey(Node $node): bool { // this uses View instead of the RootFolder because the keys might not be in the cache return $this->rootView->file_exists($this->getSystemKeyPath($node)); } private function hasUserKey(IUser $user, Node $node): bool { // this uses View instead of the RootFolder because the keys might not be in the cache return $this->rootView->file_exists($this->getUserKeyPath($user, $node)); } /** * Check that the user key stored for a file can decrypt the file * * @param IUser $user * @param File $node * @return bool */ private function copyUserKeyToSystemAndValidate(IUser $user, File $node): bool { $path = trim(substr($node->getPath(), strlen($user->getUID()) + 1), '/'); $systemKeyPath = $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/'; $userKeyPath = $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys/' . $path . '/'; $this->rootView->copy($userKeyPath, $systemKeyPath); if ($this->tryReadFile($node)) { // cleanup wrong key location $this->rootView->rmdir($userKeyPath); return true; } else { // remove the copied key if we know it's invalid $this->rootView->rmdir($systemKeyPath); return false; } } private function tryReadFile(File $node): bool { try { $fh = $node->fopen('r'); // read a single chunk $data = fread($fh, 8192); if ($data === false) { return false; } else { return true; } } catch (\Exception $e) { return false; } } /** * Get the contents of a file without decrypting it * * @param File $node * @return resource */ private function openWithoutDecryption(File $node, string $mode) { $storage = $node->getStorage(); $internalPath = $node->getInternalPath(); if ($storage->instanceOfStorage(Encryption::class)) { /** @var Encryption $storage */ try { $storage->setEnabled(false); $handle = $storage->fopen($internalPath, 'r'); $storage->setEnabled(true); } catch (\Exception $e) { $storage->setEnabled(true); throw $e; } } else { $handle = $storage->fopen($internalPath, $mode); } /** @var resource|false $handle */ if ($handle === false) { throw new \Exception("Failed to open " . $node->getPath()); } return $handle; } /** * Check if the data stored for a file is encrypted, regardless of it's metadata * * @param File $node * @return bool */ private function isDataEncrypted(File $node): bool { $handle = $this->openWithoutDecryption($node, 'r'); $firstBlock = fread($handle, $this->encryptionUtil->getHeaderSize()); fclose($handle); $header = $this->encryptionUtil->parseRawHeader($firstBlock); return isset($header['oc_encryption_module']); } /** * Attempt to find a key (stored for user) for a file (that needs a system key) even when it's not stored in the expected location * * @param File $node * @return string */ private function findUserKeyForSystemFile(IUser $user, File $node): ?string { $userKeyPath = $this->getUserBaseKeyPath($user); $possibleKeys = $this->findKeysByFileName($userKeyPath, $node->getName()); foreach ($possibleKeys as $possibleKey) { if ($this->testSystemKey($user, $possibleKey, $node)) { return $possibleKey; } } return null; } /** * Attempt to find a key for a file even when it's not stored in the expected location * * @param string $basePath * @param string $name * @return \Generator */ private function findKeysByFileName(string $basePath, string $name) { if ($this->rootView->is_dir($basePath . '/' . $name . '/OC_DEFAULT_MODULE')) { yield $basePath . '/' . $name; } else { /** @var false|resource $dh */ $dh = $this->rootView->opendir($basePath); if (!$dh) { throw new \Exception("Invalid base path " . $basePath); } while ($child = readdir($dh)) { if ($child != '..' && $child != '.') { $childPath = $basePath . '/' . $child; // recurse if the child is not a key folder if ($this->rootView->is_dir($childPath) && !is_dir($childPath . '/OC_DEFAULT_MODULE')) { yield from $this->findKeysByFileName($childPath, $name); } } } } } /** * Test if the provided key is valid as a system key for the file * * @param IUser $user * @param string $key * @param File $node * @return bool */ private function testSystemKey(IUser $user, string $key, File $node): bool { $systemKeyPath = $this->getSystemKeyPath($node); if ($this->rootView->file_exists($systemKeyPath)) { // already has a key, reject new key return false; } $this->rootView->copy($key, $systemKeyPath); $isValid = $this->tryReadFile($node); $this->rootView->rmdir($systemKeyPath); return $isValid; } /** * Decrypt a file with the specified system key and mark the key as not-encrypted * * @param File $node * @param string $key * @return void */ private function decryptWithSystemKey(File $node, string $key): void { $storage = $node->getStorage(); $name = $node->getName(); $node->move($node->getPath() . '.bak'); $systemKeyPath = $this->getSystemKeyPath($node); $this->rootView->copy($key, $systemKeyPath); try { if (!$storage->instanceOfStorage(Encryption::class)) { $storage = $this->encryptionManager->forceWrapStorage($node->getMountPoint(), $storage); } /** @var false|resource $source */ $source = $storage->fopen($node->getInternalPath(), 'r'); if (!$source) { throw new \Exception("Failed to open " . $node->getPath() . " with " . $key); } $decryptedNode = $node->getParent()->newFile($name); $target = $this->openWithoutDecryption($decryptedNode, 'w'); stream_copy_to_stream($source, $target); fclose($target); fclose($source); $decryptedNode->getStorage()->getScanner()->scan($decryptedNode->getInternalPath()); } catch (\Exception $e) { $this->rootView->rmdir($systemKeyPath); // remove the .bak $node->move(substr($node->getPath(), 0, -4)); throw $e; } if ($this->isDataEncrypted($decryptedNode)) { throw new \Exception($node->getPath() . " still encrypted after attempting to decrypt with " . $key); } $this->markAsUnEncrypted($decryptedNode); $this->rootView->rmdir($systemKeyPath); } private function markAsUnEncrypted(Node $node): void { $node->getStorage()->getCache()->update($node->getId(), ['encrypted' => 0]); } }