RISCI_ATOM
/
nextcloud-server
镜像自地址 https://github.com/nextcloud/server.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400
							<?php

declare(strict_types=1);
/**
 * SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace OCA\Encryption\Command;

use OC\Encryption\Manager;
use OC\Encryption\Util;
use OC\Files\Storage\Wrapper\Encryption;
use OC\Files\View;
use OCP\Encryption\IManager;
use OCP\Files\Config\ICachedMountInfo;
use OCP\Files\Config\IUserMountCache;
use OCP\Files\File;
use OCP\Files\Folder;
use OCP\Files\IRootFolder;
use OCP\Files\Node;
use OCP\IUser;
use OCP\IUserManager;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;

class FixKeyLocation extends Command {
	private string $keyRootDirectory;
	private View $rootView;
	private Manager $encryptionManager;

	public function __construct(
		private IUserManager $userManager,
		private IUserMountCache $userMountCache,
		private Util $encryptionUtil,
		private IRootFolder $rootFolder,
		IManager $encryptionManager,
	) {
		$this->keyRootDirectory = rtrim($this->encryptionUtil->getKeyStorageRoot(), '/');
		$this->rootView = new View();
		if (!$encryptionManager instanceof Manager) {
			throw new \Exception('Wrong encryption manager');
		}
		$this->encryptionManager = $encryptionManager;

		parent::__construct();
	}


	protected function configure(): void {
		parent::configure();

		$this
			->setName('encryption:fix-key-location')
			->setDescription('Fix the location of encryption keys for external storage')
			->addOption('dry-run', null, InputOption::VALUE_NONE, "Only list files that require key migration, don't try to perform any migration")
			->addArgument('user', InputArgument::REQUIRED, 'User id to fix the key locations for');
	}

	protected function execute(InputInterface $input, OutputInterface $output): int {
		$dryRun = $input->getOption('dry-run');
		$userId = $input->getArgument('user');
		$user = $this->userManager->get($userId);
		if (!$user) {
			$output->writeln("<error>User $userId not found</error>");
			return self::FAILURE;
		}

		\OC_Util::setupFS($user->getUID());

		$mounts = $this->getSystemMountsForUser($user);
		foreach ($mounts as $mount) {
			$mountRootFolder = $this->rootFolder->get($mount->getMountPoint());
			if (!$mountRootFolder instanceof Folder) {
				$output->writeln('<error>System wide mount point is not a directory, skipping: ' . $mount->getMountPoint() . '</error>');
				continue;
			}

			$files = $this->getAllEncryptedFiles($mountRootFolder);
			foreach ($files as $file) {
				/** @var File $file */
				$hasSystemKey = $this->hasSystemKey($file);
				$hasUserKey = $this->hasUserKey($user, $file);
				if (!$hasSystemKey) {
					if ($hasUserKey) {
						// key was stored incorrectly as user key, migrate

						if ($dryRun) {
							$output->writeln('<info>' . $file->getPath() . '</info> needs migration');
						} else {
							$output->write('Migrating key for <info>' . $file->getPath() . '</info> ');
							if ($this->copyUserKeyToSystemAndValidate($user, $file)) {
								$output->writeln('<info>✓</info>');
							} else {
								$output->writeln('<fg=red>❌</>');
								$output->writeln('  Failed to validate key for <error>' . $file->getPath() . '</error>, key will not be migrated');
							}
						}
					} else {
						// no matching key, probably from a broken cross-storage move

						$shouldBeEncrypted = $file->getStorage()->instanceOfStorage(Encryption::class);
						$isActuallyEncrypted = $this->isDataEncrypted($file);
						if ($isActuallyEncrypted) {
							if ($dryRun) {
								if ($shouldBeEncrypted) {
									$output->write('<info>' . $file->getPath() . '</info> needs migration');
								} else {
									$output->write('<info>' . $file->getPath() . '</info> needs decryption');
								}
								$foundKey = $this->findUserKeyForSystemFile($user, $file);
								if ($foundKey) {
									$output->writeln(', valid key found at <info>' . $foundKey . '</info>');
								} else {
									$output->writeln(' <error>❌ No key found</error>');
								}
							} else {
								if ($shouldBeEncrypted) {
									$output->write('<info>Migrating key for ' . $file->getPath() . '</info>');
								} else {
									$output->write('<info>Decrypting ' . $file->getPath() . '</info>');
								}
								$foundKey = $this->findUserKeyForSystemFile($user, $file);
								if ($foundKey) {
									if ($shouldBeEncrypted) {
										$systemKeyPath = $this->getSystemKeyPath($file);
										$this->rootView->copy($foundKey, $systemKeyPath);
										$output->writeln('  Migrated key from <info>' . $foundKey . '</info>');
									} else {
										$this->decryptWithSystemKey($file, $foundKey);
										$output->writeln('  Decrypted with key from <info>' . $foundKey . '</info>');
									}
								} else {
									$output->writeln(' <error>❌ No key found</error>');
								}
							}
						} else {
							if ($dryRun) {
								$output->writeln('<info>' . $file->getPath() . ' needs to be marked as not encrypted</info>');
							} else {
								$this->markAsUnEncrypted($file);
								$output->writeln('<info>' . $file->getPath() . ' marked as not encrypted</info>');
							}
						}
					}
				}
			}
		}

		return self::SUCCESS;
	}

	private function getUserRelativePath(string $path): string {
		$parts = explode('/', $path, 3);
		if (count($parts) >= 3) {
			return '/' . $parts[2];
		} else {
			return '';
		}
	}

	/**
	 * @return ICachedMountInfo[]
	 */
	private function getSystemMountsForUser(IUser $user): array {
		return array_filter($this->userMountCache->getMountsForUser($user), function (ICachedMountInfo $mount) use (
			$user
		) {
			$mountPoint = substr($mount->getMountPoint(), strlen($user->getUID() . '/'));
			return $this->encryptionUtil->isSystemWideMountPoint($mountPoint, $user->getUID());
		});
	}

	/**
	 * Get all files in a folder which are marked as encrypted
	 *
	 * @return \Generator<File>
	 */
	private function getAllEncryptedFiles(Folder $folder) {
		foreach ($folder->getDirectoryListing() as $child) {
			if ($child instanceof Folder) {
				yield from $this->getAllEncryptedFiles($child);
			} else {
				if (substr($child->getName(), -4) !== '.bak' && $child->isEncrypted()) {
					yield $child;
				}
			}
		}
	}

	private function getSystemKeyPath(Node $node): string {
		$path = $this->getUserRelativePath($node->getPath());
		return $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/';
	}

	private function getUserBaseKeyPath(IUser $user): string {
		return $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys';
	}

	private function getUserKeyPath(IUser $user, Node $node): string {
		$path = $this->getUserRelativePath($node->getPath());
		return $this->getUserBaseKeyPath($user) . '/' . $path . '/';
	}

	private function hasSystemKey(Node $node): bool {
		// this uses View instead of the RootFolder because the keys might not be in the cache
		return $this->rootView->file_exists($this->getSystemKeyPath($node));
	}

	private function hasUserKey(IUser $user, Node $node): bool {
		// this uses View instead of the RootFolder because the keys might not be in the cache
		return $this->rootView->file_exists($this->getUserKeyPath($user, $node));
	}

	/**
	 * Check that the user key stored for a file can decrypt the file
	 */
	private function copyUserKeyToSystemAndValidate(IUser $user, File $node): bool {
		$path = trim(substr($node->getPath(), strlen($user->getUID()) + 1), '/');
		$systemKeyPath = $this->keyRootDirectory . '/files_encryption/keys/' . $path . '/';
		$userKeyPath = $this->keyRootDirectory . '/' . $user->getUID() . '/files_encryption/keys/' . $path . '/';

		$this->rootView->copy($userKeyPath, $systemKeyPath);
		if ($this->tryReadFile($node)) {
			// cleanup wrong key location
			$this->rootView->rmdir($userKeyPath);
			return true;
		} else {
			// remove the copied key if we know it's invalid
			$this->rootView->rmdir($systemKeyPath);
			return false;
		}
	}

	private function tryReadFile(File $node): bool {
		try {
			$fh = $node->fopen('r');
			// read a single chunk
			$data = fread($fh, 8192);
			if ($data === false) {
				return false;
			} else {
				return true;
			}
		} catch (\Exception $e) {
			return false;
		}
	}

	/**
	 * Get the contents of a file without decrypting it
	 *
	 * @return resource
	 */
	private function openWithoutDecryption(File $node, string $mode) {
		$storage = $node->getStorage();
		$internalPath = $node->getInternalPath();
		if ($storage->instanceOfStorage(Encryption::class)) {
			/** @var Encryption $storage */
			try {
				$storage->setEnabled(false);
				$handle = $storage->fopen($internalPath, 'r');
				$storage->setEnabled(true);
			} catch (\Exception $e) {
				$storage->setEnabled(true);
				throw $e;
			}
		} else {
			$handle = $storage->fopen($internalPath, $mode);
		}
		/** @var resource|false $handle */
		if ($handle === false) {
			throw new \Exception('Failed to open ' . $node->getPath());
		}
		return $handle;
	}

	/**
	 * Check if the data stored for a file is encrypted, regardless of it's metadata
	 */
	private function isDataEncrypted(File $node): bool {
		$handle = $this->openWithoutDecryption($node, 'r');
		$firstBlock = fread($handle, $this->encryptionUtil->getHeaderSize());
		fclose($handle);

		$header = $this->encryptionUtil->parseRawHeader($firstBlock);
		return isset($header['oc_encryption_module']);
	}

	/**
	 * Attempt to find a key (stored for user) for a file (that needs a system key) even when it's not stored in the expected location
	 */
	private function findUserKeyForSystemFile(IUser $user, File $node): ?string {
		$userKeyPath = $this->getUserBaseKeyPath($user);
		$possibleKeys = $this->findKeysByFileName($userKeyPath, $node->getName());
		foreach ($possibleKeys as $possibleKey) {
			if ($this->testSystemKey($user, $possibleKey, $node)) {
				return $possibleKey;
			}
		}
		return null;
	}

	/**
	 * Attempt to find a key for a file even when it's not stored in the expected location
	 *
	 * @return \Generator<string>
	 */
	private function findKeysByFileName(string $basePath, string $name) {
		if ($this->rootView->is_dir($basePath . '/' . $name . '/OC_DEFAULT_MODULE')) {
			yield $basePath . '/' . $name;
		} else {
			/** @var false|resource $dh */
			$dh = $this->rootView->opendir($basePath);
			if (!$dh) {
				throw new \Exception('Invalid base path ' . $basePath);
			}
			while ($child = readdir($dh)) {
				if ($child != '..' && $child != '.') {
					$childPath = $basePath . '/' . $child;

					// recurse if the child is not a key folder
					if ($this->rootView->is_dir($childPath) && !is_dir($childPath . '/OC_DEFAULT_MODULE')) {
						yield from $this->findKeysByFileName($childPath, $name);
					}
				}
			}
		}
	}

	/**
	 * Test if the provided key is valid as a system key for the file
	 */
	private function testSystemKey(IUser $user, string $key, File $node): bool {
		$systemKeyPath = $this->getSystemKeyPath($node);

		if ($this->rootView->file_exists($systemKeyPath)) {
			// already has a key, reject new key
			return false;
		}

		$this->rootView->copy($key, $systemKeyPath);
		$isValid = $this->tryReadFile($node);
		$this->rootView->rmdir($systemKeyPath);
		return $isValid;
	}

	/**
	 * Decrypt a file with the specified system key and mark the key as not-encrypted
	 */
	private function decryptWithSystemKey(File $node, string $key): void {
		$storage = $node->getStorage();
		$name = $node->getName();

		$node->move($node->getPath() . '.bak');
		$systemKeyPath = $this->getSystemKeyPath($node);
		$this->rootView->copy($key, $systemKeyPath);

		try {
			if (!$storage->instanceOfStorage(Encryption::class)) {
				$storage = $this->encryptionManager->forceWrapStorage($node->getMountPoint(), $storage);
			}
			/** @var false|resource $source */
			$source = $storage->fopen($node->getInternalPath(), 'r');
			if (!$source) {
				throw new \Exception('Failed to open ' . $node->getPath() . ' with ' . $key);
			}
			$decryptedNode = $node->getParent()->newFile($name);

			$target = $this->openWithoutDecryption($decryptedNode, 'w');
			stream_copy_to_stream($source, $target);
			fclose($target);
			fclose($source);

			$decryptedNode->getStorage()->getScanner()->scan($decryptedNode->getInternalPath());
		} catch (\Exception $e) {
			$this->rootView->rmdir($systemKeyPath);

			// remove the .bak
			$node->move(substr($node->getPath(), 0, -4));

			throw $e;
		}

		if ($this->isDataEncrypted($decryptedNode)) {
			throw new \Exception($node->getPath() . ' still encrypted after attempting to decrypt with ' . $key);
		}

		$this->markAsUnEncrypted($decryptedNode);

		$this->rootView->rmdir($systemKeyPath);
	}

	private function markAsUnEncrypted(Node $node): void {
		$node->getStorage()->getCache()->update($node->getId(), ['encrypted' => 0]);
	}
}