DropLegacyFileKey.php 4.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
  5. * SPDX-License-Identifier: AGPL-3.0-or-later
  6. */
  7. namespace OCA\Encryption\Command;
  8. use OC\Encryption\Exceptions\DecryptionFailedException;
  9. use OC\Files\FileInfo;
  10. use OC\Files\View;
  11. use OCA\Encryption\KeyManager;
  12. use OCP\Encryption\Exceptions\GenericEncryptionException;
  13. use OCP\IUserManager;
  14. use Symfony\Component\Console\Command\Command;
  15. use Symfony\Component\Console\Input\InputInterface;
  16. use Symfony\Component\Console\Output\OutputInterface;
  17. class DropLegacyFileKey extends Command {
  18. private View $rootView;
  19. public function __construct(
  20. private IUserManager $userManager,
  21. private KeyManager $keyManager,
  22. ) {
  23. parent::__construct();
  24. $this->rootView = new View();
  25. }
  26. protected function configure(): void {
  27. $this
  28. ->setName('encryption:drop-legacy-filekey')
  29. ->setDescription('Scan the files for the legacy filekey format using RC4 and get rid of it (if master key is enabled)');
  30. }
  31. protected function execute(InputInterface $input, OutputInterface $output): int {
  32. $result = true;
  33. $output->writeln('<info>Scanning all files for legacy filekey</info>');
  34. foreach ($this->userManager->getBackends() as $backend) {
  35. $limit = 500;
  36. $offset = 0;
  37. do {
  38. $users = $backend->getUsers('', $limit, $offset);
  39. foreach ($users as $user) {
  40. $output->writeln('Scanning all files for ' . $user);
  41. $this->setupUserFS($user);
  42. $result = $result && $this->scanFolder($output, '/' . $user);
  43. }
  44. $offset += $limit;
  45. } while (count($users) >= $limit);
  46. }
  47. if ($result) {
  48. $output->writeln('All scanned files are properly encrypted.');
  49. return 0;
  50. }
  51. return 1;
  52. }
  53. private function scanFolder(OutputInterface $output, string $folder): bool {
  54. $clean = true;
  55. foreach ($this->rootView->getDirectoryContent($folder) as $item) {
  56. $path = $folder . '/' . $item['name'];
  57. if ($this->rootView->is_dir($path)) {
  58. if ($this->scanFolder($output, $path) === false) {
  59. $clean = false;
  60. }
  61. } else {
  62. if (!$item->isEncrypted()) {
  63. // ignore
  64. continue;
  65. }
  66. $stats = $this->rootView->stat($path);
  67. if (!isset($stats['hasHeader']) || $stats['hasHeader'] === false) {
  68. $clean = false;
  69. $output->writeln('<error>' . $path . ' does not have a proper header</error>');
  70. } else {
  71. try {
  72. $legacyFileKey = $this->keyManager->getFileKey($path, null, true);
  73. if ($legacyFileKey === '') {
  74. $output->writeln('Got an empty legacy filekey for ' . $path . ', continuing', OutputInterface::VERBOSITY_VERBOSE);
  75. continue;
  76. }
  77. } catch (GenericEncryptionException $e) {
  78. $output->writeln('Got a decryption error for legacy filekey for ' . $path . ', continuing', OutputInterface::VERBOSITY_VERBOSE);
  79. continue;
  80. }
  81. /* If that did not throw and filekey is not empty, a legacy filekey is used */
  82. $clean = false;
  83. $output->writeln($path . ' is using a legacy filekey, migrating');
  84. $this->migrateSinglefile($path, $item, $output);
  85. }
  86. }
  87. }
  88. return $clean;
  89. }
  90. private function migrateSinglefile(string $path, FileInfo $fileInfo, OutputInterface $output): void {
  91. $source = $path;
  92. $target = $path . '.reencrypted.' . time();
  93. try {
  94. $this->rootView->copy($source, $target);
  95. $copyResource = $this->rootView->fopen($target, 'r');
  96. $sourceResource = $this->rootView->fopen($source, 'w');
  97. if ($copyResource === false || $sourceResource === false) {
  98. throw new DecryptionFailedException('Failed to open '.$source.' or '.$target);
  99. }
  100. if (stream_copy_to_stream($copyResource, $sourceResource) === false) {
  101. $output->writeln('<error>Failed to copy '.$target.' data into '.$source.'</error>');
  102. $output->writeln('<error>Leaving both files in there to avoid data loss</error>');
  103. return;
  104. }
  105. $this->rootView->touch($source, $fileInfo->getMTime());
  106. $this->rootView->unlink($target);
  107. $output->writeln('<info>Migrated ' . $source . '</info>', OutputInterface::VERBOSITY_VERBOSE);
  108. } catch (DecryptionFailedException $e) {
  109. if ($this->rootView->file_exists($target)) {
  110. $this->rootView->unlink($target);
  111. }
  112. $output->writeln('<error>Failed to migrate ' . $path . '</error>');
  113. $output->writeln('<error>' . $e . '</error>', OutputInterface::VERBOSITY_VERBOSE);
  114. } finally {
  115. if (is_resource($copyResource)) {
  116. fclose($copyResource);
  117. }
  118. if (is_resource($sourceResource)) {
  119. fclose($sourceResource);
  120. }
  121. }
  122. }
  123. /**
  124. * setup user file system
  125. */
  126. protected function setupUserFS(string $uid): void {
  127. \OC_Util::tearDownFS();
  128. \OC_Util::setupFS($uid);
  129. }
  130. }