1
0

userhooks.php 7.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288
  1. <?php
  2. /**
  3. * @author Björn Schießle <schiessle@owncloud.com>
  4. * @author Clark Tomlinson <fallen013@gmail.com>
  5. * @author Thomas Müller <thomas.mueller@tmit.eu>
  6. *
  7. * @copyright Copyright (c) 2015, ownCloud, Inc.
  8. * @license AGPL-3.0
  9. *
  10. * This code is free software: you can redistribute it and/or modify
  11. * it under the terms of the GNU Affero General Public License, version 3,
  12. * as published by the Free Software Foundation.
  13. *
  14. * This program is distributed in the hope that it will be useful,
  15. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. * GNU Affero General Public License for more details.
  18. *
  19. * You should have received a copy of the GNU Affero General Public License, version 3,
  20. * along with this program. If not, see <http://www.gnu.org/licenses/>
  21. *
  22. */
  23. namespace OCA\Encryption\Hooks;
  24. use OCP\Util as OCUtil;
  25. use OCA\Encryption\Hooks\Contracts\IHook;
  26. use OCA\Encryption\KeyManager;
  27. use OCA\Encryption\Crypto\Crypt;
  28. use OCA\Encryption\Users\Setup;
  29. use OCP\App;
  30. use OCP\ILogger;
  31. use OCP\IUserSession;
  32. use OCA\Encryption\Util;
  33. use OCA\Encryption\Session;
  34. use OCA\Encryption\Recovery;
  35. class UserHooks implements IHook {
  36. /**
  37. * @var KeyManager
  38. */
  39. private $keyManager;
  40. /**
  41. * @var ILogger
  42. */
  43. private $logger;
  44. /**
  45. * @var Setup
  46. */
  47. private $userSetup;
  48. /**
  49. * @var IUserSession
  50. */
  51. private $user;
  52. /**
  53. * @var Util
  54. */
  55. private $util;
  56. /**
  57. * @var Session
  58. */
  59. private $session;
  60. /**
  61. * @var Recovery
  62. */
  63. private $recovery;
  64. /**
  65. * @var Crypt
  66. */
  67. private $crypt;
  68. /**
  69. * UserHooks constructor.
  70. *
  71. * @param KeyManager $keyManager
  72. * @param ILogger $logger
  73. * @param Setup $userSetup
  74. * @param IUserSession $user
  75. * @param Util $util
  76. * @param Session $session
  77. * @param Crypt $crypt
  78. * @param Recovery $recovery
  79. */
  80. public function __construct(KeyManager $keyManager,
  81. ILogger $logger,
  82. Setup $userSetup,
  83. IUserSession $user,
  84. Util $util,
  85. Session $session,
  86. Crypt $crypt,
  87. Recovery $recovery) {
  88. $this->keyManager = $keyManager;
  89. $this->logger = $logger;
  90. $this->userSetup = $userSetup;
  91. $this->user = $user;
  92. $this->util = $util;
  93. $this->session = $session;
  94. $this->recovery = $recovery;
  95. $this->crypt = $crypt;
  96. }
  97. /**
  98. * Connects Hooks
  99. *
  100. * @return null
  101. */
  102. public function addHooks() {
  103. OCUtil::connectHook('OC_User', 'post_login', $this, 'login');
  104. OCUtil::connectHook('OC_User', 'logout', $this, 'logout');
  105. OCUtil::connectHook('OC_User',
  106. 'post_setPassword',
  107. $this,
  108. 'setPassphrase');
  109. OCUtil::connectHook('OC_User',
  110. 'pre_setPassword',
  111. $this,
  112. 'preSetPassphrase');
  113. OCUtil::connectHook('OC_User',
  114. 'post_createUser',
  115. $this,
  116. 'postCreateUser');
  117. OCUtil::connectHook('OC_User',
  118. 'post_deleteUser',
  119. $this,
  120. 'postDeleteUser');
  121. }
  122. /**
  123. * Startup encryption backend upon user login
  124. *
  125. * @note This method should never be called for users using client side encryption
  126. * @param array $params
  127. * @return bool
  128. */
  129. public function login($params) {
  130. if (!App::isEnabled('encryption')) {
  131. return true;
  132. }
  133. // ensure filesystem is loaded
  134. // Todo: update?
  135. if (!\OC\Files\Filesystem::$loaded) {
  136. \OC_Util::setupFS($params['uid']);
  137. }
  138. // setup user, if user not ready force relogin
  139. if (!$this->userSetup->setupUser($params['uid'], $params['password'])) {
  140. return false;
  141. }
  142. $this->keyManager->init($params['uid'], $params['password']);
  143. }
  144. /**
  145. * remove keys from session during logout
  146. */
  147. public function logout() {
  148. $this->session->clear();
  149. }
  150. /**
  151. * setup encryption backend upon user created
  152. *
  153. * @note This method should never be called for users using client side encryption
  154. * @param array $params
  155. */
  156. public function postCreateUser($params) {
  157. if (App::isEnabled('encryption')) {
  158. $this->userSetup->setupUser($params['uid'], $params['password']);
  159. }
  160. }
  161. /**
  162. * cleanup encryption backend upon user deleted
  163. *
  164. * @param array $params : uid, password
  165. * @note This method should never be called for users using client side encryption
  166. */
  167. public function postDeleteUser($params) {
  168. if (App::isEnabled('encryption')) {
  169. $this->keyManager->deletePublicKey($params['uid']);
  170. }
  171. }
  172. /**
  173. * If the password can't be changed within ownCloud, than update the key password in advance.
  174. *
  175. * @param array $params : uid, password
  176. * @return bool
  177. */
  178. public function preSetPassphrase($params) {
  179. if (App::isEnabled('encryption')) {
  180. if (!$this->user->getUser()->canChangePassword()) {
  181. $this->setPassphrase($params);
  182. }
  183. }
  184. }
  185. /**
  186. * Change a user's encryption passphrase
  187. *
  188. * @param array $params keys: uid, password
  189. * @return bool
  190. */
  191. public function setPassphrase($params) {
  192. // Get existing decrypted private key
  193. $privateKey = $this->session->getPrivateKey();
  194. if ($params['uid'] === $this->user->getUser()->getUID() && $privateKey) {
  195. // Encrypt private key with new user pwd as passphrase
  196. $encryptedPrivateKey = $this->crypt->symmetricEncryptFileContent($privateKey,
  197. $params['password']);
  198. // Save private key
  199. if ($encryptedPrivateKey) {
  200. $this->keyManager->setPrivateKey($this->user->getUser()->getUID(),
  201. $encryptedPrivateKey);
  202. } else {
  203. $this->logger->error('Encryption could not update users encryption password');
  204. }
  205. // NOTE: Session does not need to be updated as the
  206. // private key has not changed, only the passphrase
  207. // used to decrypt it has changed
  208. } else { // admin changed the password for a different user, create new keys and reencrypt file keys
  209. $user = $params['uid'];
  210. $recoveryPassword = isset($params['recoveryPassword']) ? $params['recoveryPassword'] : null;
  211. // we generate new keys if...
  212. // ...we have a recovery password and the user enabled the recovery key
  213. // ...encryption was activated for the first time (no keys exists)
  214. // ...the user doesn't have any files
  215. if (
  216. ($this->recovery->isRecoveryEnabledForUser($user) && $recoveryPassword)
  217. || !$this->keyManager->userHasKeys($user)
  218. || !$this->util->userHasFiles($user)
  219. ) {
  220. // backup old keys
  221. //$this->backupAllKeys('recovery');
  222. $newUserPassword = $params['password'];
  223. $keyPair = $this->crypt->createKeyPair();
  224. // Save public key
  225. $this->keyManager->setPublicKey($user, $keyPair['publicKey']);
  226. // Encrypt private key with new password
  227. $encryptedKey = $this->crypt->symmetricEncryptFileContent($keyPair['privateKey'],
  228. $newUserPassword);
  229. if ($encryptedKey) {
  230. $this->keyManager->setPrivateKey($user, $encryptedKey);
  231. if ($recoveryPassword) { // if recovery key is set we can re-encrypt the key files
  232. $this->recovery->recoverUsersFiles($recoveryPassword, $user);
  233. }
  234. } else {
  235. $this->logger->error('Encryption Could not update users encryption password');
  236. }
  237. }
  238. }
  239. }
  240. /**
  241. * after password reset we create a new key pair for the user
  242. *
  243. * @param array $params
  244. */
  245. public function postPasswordReset($params) {
  246. $password = $params['password'];
  247. $this->keyManager->replaceUserKeys($params['uid']);
  248. $this->userSetup->setupServerSide($params['uid'], $password);
  249. }
  250. }