Recovery.php 8.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Björn Schießle <bjoern@schiessle.org>
  6. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  7. * @author Clark Tomlinson <fallen013@gmail.com>
  8. * @author Joas Schilling <coding@schilljs.com>
  9. * @author Lukas Reschke <lukas@statuscode.ch>
  10. * @author Roeland Jago Douma <roeland@famdouma.nl>
  11. *
  12. * @license AGPL-3.0
  13. *
  14. * This code is free software: you can redistribute it and/or modify
  15. * it under the terms of the GNU Affero General Public License, version 3,
  16. * as published by the Free Software Foundation.
  17. *
  18. * This program is distributed in the hope that it will be useful,
  19. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  20. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  21. * GNU Affero General Public License for more details.
  22. *
  23. * You should have received a copy of the GNU Affero General Public License, version 3,
  24. * along with this program. If not, see <http://www.gnu.org/licenses/>
  25. *
  26. */
  27. namespace OCA\Encryption;
  28. use OC\Files\View;
  29. use OCA\Encryption\Crypto\Crypt;
  30. use OCP\Encryption\IFile;
  31. use OCP\IConfig;
  32. use OCP\IUser;
  33. use OCP\IUserSession;
  34. use OCP\PreConditionNotMetException;
  35. class Recovery {
  36. /**
  37. * @var null|IUser
  38. */
  39. protected $user;
  40. /**
  41. * @var Crypt
  42. */
  43. protected $crypt;
  44. /**
  45. * @var KeyManager
  46. */
  47. private $keyManager;
  48. /**
  49. * @var IConfig
  50. */
  51. private $config;
  52. /**
  53. * @var View
  54. */
  55. private $view;
  56. /**
  57. * @var IFile
  58. */
  59. private $file;
  60. /**
  61. * @param IUserSession $userSession
  62. * @param Crypt $crypt
  63. * @param KeyManager $keyManager
  64. * @param IConfig $config
  65. * @param IFile $file
  66. * @param View $view
  67. */
  68. public function __construct(IUserSession $userSession,
  69. Crypt $crypt,
  70. KeyManager $keyManager,
  71. IConfig $config,
  72. IFile $file,
  73. View $view) {
  74. $this->user = ($userSession->isLoggedIn()) ? $userSession->getUser() : null;
  75. $this->crypt = $crypt;
  76. $this->keyManager = $keyManager;
  77. $this->config = $config;
  78. $this->view = $view;
  79. $this->file = $file;
  80. }
  81. /**
  82. * @param string $password
  83. * @return bool
  84. */
  85. public function enableAdminRecovery($password) {
  86. $appConfig = $this->config;
  87. $keyManager = $this->keyManager;
  88. if (!$keyManager->recoveryKeyExists()) {
  89. $keyPair = $this->crypt->createKeyPair();
  90. if (!is_array($keyPair)) {
  91. return false;
  92. }
  93. $this->keyManager->setRecoveryKey($password, $keyPair);
  94. }
  95. if ($keyManager->checkRecoveryPassword($password)) {
  96. $appConfig->setAppValue('encryption', 'recoveryAdminEnabled', 1);
  97. return true;
  98. }
  99. return false;
  100. }
  101. /**
  102. * change recovery key id
  103. *
  104. * @param string $newPassword
  105. * @param string $oldPassword
  106. * @return bool
  107. */
  108. public function changeRecoveryKeyPassword($newPassword, $oldPassword) {
  109. $recoveryKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId());
  110. $decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $oldPassword);
  111. if ($decryptedRecoveryKey === false) {
  112. return false;
  113. }
  114. $encryptedRecoveryKey = $this->crypt->encryptPrivateKey($decryptedRecoveryKey, $newPassword);
  115. $header = $this->crypt->generateHeader();
  116. if ($encryptedRecoveryKey) {
  117. $this->keyManager->setSystemPrivateKey($this->keyManager->getRecoveryKeyId(), $header . $encryptedRecoveryKey);
  118. return true;
  119. }
  120. return false;
  121. }
  122. /**
  123. * @param string $recoveryPassword
  124. * @return bool
  125. */
  126. public function disableAdminRecovery($recoveryPassword) {
  127. $keyManager = $this->keyManager;
  128. if ($keyManager->checkRecoveryPassword($recoveryPassword)) {
  129. // Set recoveryAdmin as disabled
  130. $this->config->setAppValue('encryption', 'recoveryAdminEnabled', 0);
  131. return true;
  132. }
  133. return false;
  134. }
  135. /**
  136. * check if recovery is enabled for user
  137. *
  138. * @param string $user if no user is given we check the current logged-in user
  139. *
  140. * @return bool
  141. */
  142. public function isRecoveryEnabledForUser($user = '') {
  143. $uid = $user === '' ? $this->user->getUID() : $user;
  144. $recoveryMode = $this->config->getUserValue($uid,
  145. 'encryption',
  146. 'recoveryEnabled',
  147. 0);
  148. return ($recoveryMode === '1');
  149. }
  150. /**
  151. * check if recovery is key is enabled by the administrator
  152. *
  153. * @return bool
  154. */
  155. public function isRecoveryKeyEnabled() {
  156. $enabled = $this->config->getAppValue('encryption', 'recoveryAdminEnabled', 0);
  157. return ($enabled === '1');
  158. }
  159. /**
  160. * @param string $value
  161. * @return bool
  162. */
  163. public function setRecoveryForUser($value) {
  164. try {
  165. $this->config->setUserValue($this->user->getUID(),
  166. 'encryption',
  167. 'recoveryEnabled',
  168. $value);
  169. if ($value === '1') {
  170. $this->addRecoveryKeys('/' . $this->user->getUID() . '/files/');
  171. } else {
  172. $this->removeRecoveryKeys('/' . $this->user->getUID() . '/files/');
  173. }
  174. return true;
  175. } catch (PreConditionNotMetException $e) {
  176. return false;
  177. }
  178. }
  179. /**
  180. * add recovery key to all encrypted files
  181. * @param string $path
  182. */
  183. private function addRecoveryKeys($path) {
  184. $dirContent = $this->view->getDirectoryContent($path);
  185. foreach ($dirContent as $item) {
  186. $filePath = $item->getPath();
  187. if ($item['type'] === 'dir') {
  188. $this->addRecoveryKeys($filePath . '/');
  189. } else {
  190. $fileKey = $this->keyManager->getFileKey($filePath, $this->user->getUID());
  191. if (!empty($fileKey)) {
  192. $accessList = $this->file->getAccessList($filePath);
  193. $publicKeys = [];
  194. foreach ($accessList['users'] as $uid) {
  195. $publicKeys[$uid] = $this->keyManager->getPublicKey($uid);
  196. }
  197. $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $this->user->getUID());
  198. $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys);
  199. $this->keyManager->setAllFileKeys($filePath, $encryptedKeyfiles);
  200. }
  201. }
  202. }
  203. }
  204. /**
  205. * remove recovery key to all encrypted files
  206. * @param string $path
  207. */
  208. private function removeRecoveryKeys($path) {
  209. $dirContent = $this->view->getDirectoryContent($path);
  210. foreach ($dirContent as $item) {
  211. $filePath = $item->getPath();
  212. if ($item['type'] === 'dir') {
  213. $this->removeRecoveryKeys($filePath . '/');
  214. } else {
  215. $this->keyManager->deleteShareKey($filePath, $this->keyManager->getRecoveryKeyId());
  216. }
  217. }
  218. }
  219. /**
  220. * recover users files with the recovery key
  221. *
  222. * @param string $recoveryPassword
  223. * @param string $user
  224. */
  225. public function recoverUsersFiles($recoveryPassword, $user) {
  226. $encryptedKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId());
  227. $privateKey = $this->crypt->decryptPrivateKey($encryptedKey, $recoveryPassword);
  228. if ($privateKey !== false) {
  229. $this->recoverAllFiles('/' . $user . '/files/', $privateKey, $user);
  230. }
  231. }
  232. /**
  233. * recover users files
  234. *
  235. * @param string $path
  236. * @param string $privateKey
  237. * @param string $uid
  238. */
  239. private function recoverAllFiles($path, $privateKey, $uid) {
  240. $dirContent = $this->view->getDirectoryContent($path);
  241. foreach ($dirContent as $item) {
  242. // Get relative path from encryption/keyfiles
  243. $filePath = $item->getPath();
  244. if ($this->view->is_dir($filePath)) {
  245. $this->recoverAllFiles($filePath . '/', $privateKey, $uid);
  246. } else {
  247. $this->recoverFile($filePath, $privateKey, $uid);
  248. }
  249. }
  250. }
  251. /**
  252. * recover file
  253. *
  254. * @param string $path
  255. * @param string $privateKey
  256. * @param string $uid
  257. */
  258. private function recoverFile($path, $privateKey, $uid) {
  259. $encryptedFileKey = $this->keyManager->getEncryptedFileKey($path);
  260. $shareKey = $this->keyManager->getShareKey($path, $this->keyManager->getRecoveryKeyId());
  261. if ($encryptedFileKey && $shareKey && $privateKey) {
  262. $fileKey = $this->crypt->multiKeyDecrypt($encryptedFileKey,
  263. $shareKey,
  264. $privateKey);
  265. }
  266. if (!empty($fileKey)) {
  267. $accessList = $this->file->getAccessList($path);
  268. $publicKeys = [];
  269. foreach ($accessList['users'] as $user) {
  270. $publicKeys[$user] = $this->keyManager->getPublicKey($user);
  271. }
  272. $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $uid);
  273. $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys);
  274. $this->keyManager->setAllFileKeys($path, $encryptedKeyfiles);
  275. }
  276. }
  277. }