123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212 |
- <?php
- declare(strict_types=1);
- /**
- * SPDX-FileCopyrightText: 2020 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
- namespace OC\Core\Command\Encryption;
- use OC\Encryption\Keys\Storage;
- use OC\Encryption\Util;
- use OC\Files\View;
- use OCP\IConfig;
- use OCP\IUserManager;
- use OCP\Security\ICrypto;
- use Symfony\Component\Console\Command\Command;
- use Symfony\Component\Console\Helper\ProgressBar;
- use Symfony\Component\Console\Input\InputInterface;
- use Symfony\Component\Console\Output\OutputInterface;
- class MigrateKeyStorage extends Command {
- public function __construct(
- protected View $rootView,
- protected IUserManager $userManager,
- protected IConfig $config,
- protected Util $util,
- private ICrypto $crypto,
- ) {
- parent::__construct();
- }
- protected function configure() {
- parent::configure();
- $this
- ->setName('encryption:migrate-key-storage-format')
- ->setDescription('Migrate the format of the keystorage to a newer format');
- }
- protected function execute(InputInterface $input, OutputInterface $output): int {
- $root = $this->util->getKeyStorageRoot();
- $output->writeln('Updating key storage format');
- $this->updateKeys($root, $output);
- $output->writeln('Key storage format successfully updated');
- return 0;
- }
- /**
- * Move keys to new key storage root
- *
- * @param string $root
- * @param OutputInterface $output
- * @return bool
- * @throws \Exception
- */
- protected function updateKeys(string $root, OutputInterface $output): bool {
- $output->writeln('Start to update the keys:');
- $this->updateSystemKeys($root);
- $this->updateUsersKeys($root, $output);
- $this->config->deleteSystemValue('encryption.key_storage_migrated');
- return true;
- }
- /**
- * Move system key folder
- */
- protected function updateSystemKeys(string $root): void {
- if (!$this->rootView->is_dir($root . '/files_encryption')) {
- return;
- }
- $this->traverseKeys($root . '/files_encryption', null);
- }
- private function traverseKeys(string $folder, ?string $uid) {
- $listing = $this->rootView->getDirectoryContent($folder);
- foreach ($listing as $node) {
- if ($node['mimetype'] === 'httpd/unix-directory') {
- continue;
- }
- if ($node['name'] === 'fileKey' ||
- str_ends_with($node['name'], '.privateKey') ||
- str_ends_with($node['name'], '.publicKey') ||
- str_ends_with($node['name'], '.shareKey')) {
- $path = $folder . '/' . $node['name'];
- $content = $this->rootView->file_get_contents($path);
- try {
- $this->crypto->decrypt($content);
- continue;
- } catch (\Exception $e) {
- // Ignore we now update the data.
- }
- $data = [
- 'key' => base64_encode($content),
- 'uid' => $uid,
- ];
- $enc = $this->crypto->encrypt(json_encode($data));
- $this->rootView->file_put_contents($path, $enc);
- }
- }
- }
- private function traverseFileKeys(string $folder) {
- $listing = $this->rootView->getDirectoryContent($folder);
- foreach ($listing as $node) {
- if ($node['mimetype'] === 'httpd/unix-directory') {
- $this->traverseFileKeys($folder . '/' . $node['name']);
- } else {
- $endsWith = function ($haystack, $needle) {
- $length = strlen($needle);
- if ($length === 0) {
- return true;
- }
- return (substr($haystack, -$length) === $needle);
- };
- if ($node['name'] === 'fileKey' ||
- $endsWith($node['name'], '.privateKey') ||
- $endsWith($node['name'], '.publicKey') ||
- $endsWith($node['name'], '.shareKey')) {
- $path = $folder . '/' . $node['name'];
- $content = $this->rootView->file_get_contents($path);
- try {
- $this->crypto->decrypt($content);
- continue;
- } catch (\Exception $e) {
- // Ignore we now update the data.
- }
- $data = [
- 'key' => base64_encode($content)
- ];
- $enc = $this->crypto->encrypt(json_encode($data));
- $this->rootView->file_put_contents($path, $enc);
- }
- }
- }
- }
- /**
- * setup file system for the given user
- *
- * @param string $uid
- */
- protected function setupUserFS($uid) {
- \OC_Util::tearDownFS();
- \OC_Util::setupFS($uid);
- }
- /**
- * iterate over each user and move the keys to the new storage
- *
- * @param string $root
- * @param OutputInterface $output
- */
- protected function updateUsersKeys(string $root, OutputInterface $output) {
- $progress = new ProgressBar($output);
- $progress->start();
- foreach ($this->userManager->getBackends() as $backend) {
- $limit = 500;
- $offset = 0;
- do {
- $users = $backend->getUsers('', $limit, $offset);
- foreach ($users as $user) {
- $progress->advance();
- $this->setupUserFS($user);
- $this->updateUserKeys($root, $user);
- }
- $offset += $limit;
- } while (count($users) >= $limit);
- }
- $progress->finish();
- }
- /**
- * move user encryption folder to new root folder
- *
- * @param string $root
- * @param string $user
- * @throws \Exception
- */
- protected function updateUserKeys(string $root, string $user) {
- if ($this->userManager->userExists($user)) {
- $source = $root . '/' . $user . '/files_encryption/OC_DEFAULT_MODULE';
- if ($this->rootView->is_dir($source)) {
- $this->traverseKeys($source, $user);
- }
- $source = $root . '/' . $user . '/files_encryption/keys';
- if ($this->rootView->is_dir($source)) {
- $this->traverseFileKeys($source);
- }
- }
- }
- }
|