1
0

DropLegacyFileKey.php 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright Copyright (c) 2023, Côme Chilliet <come.chilliet@nextcloud.com>
  5. *
  6. * @author Côme Chilliet <come.chilliet@nextcloud.com>
  7. *
  8. * @license GNU AGPL version 3 or any later version
  9. *
  10. * This program is free software: you can redistribute it and/or modify
  11. * it under the terms of the GNU Affero General Public License as
  12. * published by the Free Software Foundation, either version 3 of the
  13. * License, or (at your option) any later version.
  14. *
  15. * This program is distributed in the hope that it will be useful,
  16. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  17. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  18. * GNU Affero General Public License for more details.
  19. *
  20. * You should have received a copy of the GNU Affero General Public License
  21. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  22. *
  23. */
  24. namespace OCA\Encryption\Command;
  25. use OC\Encryption\Exceptions\DecryptionFailedException;
  26. use OC\Files\FileInfo;
  27. use OC\Files\View;
  28. use OCA\Encryption\KeyManager;
  29. use OCP\Encryption\Exceptions\GenericEncryptionException;
  30. use OCP\IUserManager;
  31. use Symfony\Component\Console\Command\Command;
  32. use Symfony\Component\Console\Input\InputInterface;
  33. use Symfony\Component\Console\Output\OutputInterface;
  34. class DropLegacyFileKey extends Command {
  35. private View $rootView;
  36. public function __construct(
  37. private IUserManager $userManager,
  38. private KeyManager $keyManager,
  39. ) {
  40. parent::__construct();
  41. $this->rootView = new View();
  42. }
  43. protected function configure(): void {
  44. $this
  45. ->setName('encryption:drop-legacy-filekey')
  46. ->setDescription('Scan the files for the legacy filekey format using RC4 and get rid of it (if master key is enabled)');
  47. }
  48. protected function execute(InputInterface $input, OutputInterface $output): int {
  49. $result = true;
  50. $output->writeln('<info>Scanning all files for legacy filekey</info>');
  51. foreach ($this->userManager->getBackends() as $backend) {
  52. $limit = 500;
  53. $offset = 0;
  54. do {
  55. $users = $backend->getUsers('', $limit, $offset);
  56. foreach ($users as $user) {
  57. $output->writeln('Scanning all files for ' . $user);
  58. $this->setupUserFS($user);
  59. $result = $result && $this->scanFolder($output, '/' . $user);
  60. }
  61. $offset += $limit;
  62. } while (count($users) >= $limit);
  63. }
  64. if ($result) {
  65. $output->writeln('All scanned files are properly encrypted.');
  66. return 0;
  67. }
  68. return 1;
  69. }
  70. private function scanFolder(OutputInterface $output, string $folder): bool {
  71. $clean = true;
  72. foreach ($this->rootView->getDirectoryContent($folder) as $item) {
  73. $path = $folder . '/' . $item['name'];
  74. if ($this->rootView->is_dir($path)) {
  75. if ($this->scanFolder($output, $path) === false) {
  76. $clean = false;
  77. }
  78. } else {
  79. if (!$item->isEncrypted()) {
  80. // ignore
  81. continue;
  82. }
  83. $stats = $this->rootView->stat($path);
  84. if (!isset($stats['hasHeader']) || $stats['hasHeader'] === false) {
  85. $clean = false;
  86. $output->writeln('<error>' . $path . ' does not have a proper header</error>');
  87. } else {
  88. try {
  89. $legacyFileKey = $this->keyManager->getFileKey($path, null, true);
  90. if ($legacyFileKey === '') {
  91. $output->writeln('Got an empty legacy filekey for ' . $path . ', continuing', OutputInterface::VERBOSITY_VERBOSE);
  92. continue;
  93. }
  94. } catch (GenericEncryptionException $e) {
  95. $output->writeln('Got a decryption error for legacy filekey for ' . $path . ', continuing', OutputInterface::VERBOSITY_VERBOSE);
  96. continue;
  97. }
  98. /* If that did not throw and filekey is not empty, a legacy filekey is used */
  99. $clean = false;
  100. $output->writeln($path . ' is using a legacy filekey, migrating');
  101. $this->migrateSinglefile($path, $item, $output);
  102. }
  103. }
  104. }
  105. return $clean;
  106. }
  107. private function migrateSinglefile(string $path, FileInfo $fileInfo, OutputInterface $output): void {
  108. $source = $path;
  109. $target = $path . '.reencrypted.' . time();
  110. try {
  111. $this->rootView->copy($source, $target);
  112. $copyResource = $this->rootView->fopen($target, 'r');
  113. $sourceResource = $this->rootView->fopen($source, 'w');
  114. if ($copyResource === false || $sourceResource === false) {
  115. throw new DecryptionFailedException('Failed to open '.$source.' or '.$target);
  116. }
  117. if (stream_copy_to_stream($copyResource, $sourceResource) === false) {
  118. $output->writeln('<error>Failed to copy '.$target.' data into '.$source.'</error>');
  119. $output->writeln('<error>Leaving both files in there to avoid data loss</error>');
  120. return;
  121. }
  122. $this->rootView->touch($source, $fileInfo->getMTime());
  123. $this->rootView->unlink($target);
  124. $output->writeln('<info>Migrated ' . $source . '</info>', OutputInterface::VERBOSITY_VERBOSE);
  125. } catch (DecryptionFailedException $e) {
  126. if ($this->rootView->file_exists($target)) {
  127. $this->rootView->unlink($target);
  128. }
  129. $output->writeln('<error>Failed to migrate ' . $path . '</error>');
  130. $output->writeln('<error>' . $e . '</error>', OutputInterface::VERBOSITY_VERBOSE);
  131. } finally {
  132. if (is_resource($copyResource)) {
  133. fclose($copyResource);
  134. }
  135. if (is_resource($sourceResource)) {
  136. fclose($sourceResource);
  137. }
  138. }
  139. }
  140. /**
  141. * setup user file system
  142. */
  143. protected function setupUserFS(string $uid): void {
  144. \OC_Util::tearDownFS();
  145. \OC_Util::setupFS($uid);
  146. }
  147. }