Recovery.php 8.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316
  1. <?php
  2. /**
  3. * @copyright Copyright (c) 2016, ownCloud, Inc.
  4. *
  5. * @author Björn Schießle <bjoern@schiessle.org>
  6. * @author Clark Tomlinson <fallen013@gmail.com>
  7. * @author Joas Schilling <coding@schilljs.com>
  8. * @author Lukas Reschke <lukas@statuscode.ch>
  9. * @author Roeland Jago Douma <roeland@famdouma.nl>
  10. *
  11. * @license AGPL-3.0
  12. *
  13. * This code is free software: you can redistribute it and/or modify
  14. * it under the terms of the GNU Affero General Public License, version 3,
  15. * as published by the Free Software Foundation.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License, version 3,
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>
  24. *
  25. */
  26. namespace OCA\Encryption;
  27. use OC\Files\View;
  28. use OCA\Encryption\Crypto\Crypt;
  29. use OCP\Encryption\IFile;
  30. use OCP\IConfig;
  31. use OCP\IUser;
  32. use OCP\IUserSession;
  33. use OCP\PreConditionNotMetException;
  34. class Recovery {
  35. /**
  36. * @var null|IUser
  37. */
  38. protected $user;
  39. /**
  40. * @var Crypt
  41. */
  42. protected $crypt;
  43. /**
  44. * @var KeyManager
  45. */
  46. private $keyManager;
  47. /**
  48. * @var IConfig
  49. */
  50. private $config;
  51. /**
  52. * @var View
  53. */
  54. private $view;
  55. /**
  56. * @var IFile
  57. */
  58. private $file;
  59. /**
  60. * @param IUserSession $userSession
  61. * @param Crypt $crypt
  62. * @param KeyManager $keyManager
  63. * @param IConfig $config
  64. * @param IFile $file
  65. * @param View $view
  66. */
  67. public function __construct(IUserSession $userSession,
  68. Crypt $crypt,
  69. KeyManager $keyManager,
  70. IConfig $config,
  71. IFile $file,
  72. View $view) {
  73. $this->user = ($userSession && $userSession->isLoggedIn()) ? $userSession->getUser() : false;
  74. $this->crypt = $crypt;
  75. $this->keyManager = $keyManager;
  76. $this->config = $config;
  77. $this->view = $view;
  78. $this->file = $file;
  79. }
  80. /**
  81. * @param string $password
  82. * @return bool
  83. */
  84. public function enableAdminRecovery($password) {
  85. $appConfig = $this->config;
  86. $keyManager = $this->keyManager;
  87. if (!$keyManager->recoveryKeyExists()) {
  88. $keyPair = $this->crypt->createKeyPair();
  89. if(!is_array($keyPair)) {
  90. return false;
  91. }
  92. $this->keyManager->setRecoveryKey($password, $keyPair);
  93. }
  94. if ($keyManager->checkRecoveryPassword($password)) {
  95. $appConfig->setAppValue('encryption', 'recoveryAdminEnabled', 1);
  96. return true;
  97. }
  98. return false;
  99. }
  100. /**
  101. * change recovery key id
  102. *
  103. * @param string $newPassword
  104. * @param string $oldPassword
  105. * @return bool
  106. */
  107. public function changeRecoveryKeyPassword($newPassword, $oldPassword) {
  108. $recoveryKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId());
  109. $decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $oldPassword);
  110. if($decryptedRecoveryKey === false) {
  111. return false;
  112. }
  113. $encryptedRecoveryKey = $this->crypt->encryptPrivateKey($decryptedRecoveryKey, $newPassword);
  114. $header = $this->crypt->generateHeader();
  115. if ($encryptedRecoveryKey) {
  116. $this->keyManager->setSystemPrivateKey($this->keyManager->getRecoveryKeyId(), $header . $encryptedRecoveryKey);
  117. return true;
  118. }
  119. return false;
  120. }
  121. /**
  122. * @param string $recoveryPassword
  123. * @return bool
  124. */
  125. public function disableAdminRecovery($recoveryPassword) {
  126. $keyManager = $this->keyManager;
  127. if ($keyManager->checkRecoveryPassword($recoveryPassword)) {
  128. // Set recoveryAdmin as disabled
  129. $this->config->setAppValue('encryption', 'recoveryAdminEnabled', 0);
  130. return true;
  131. }
  132. return false;
  133. }
  134. /**
  135. * check if recovery is enabled for user
  136. *
  137. * @param string $user if no user is given we check the current logged-in user
  138. *
  139. * @return bool
  140. */
  141. public function isRecoveryEnabledForUser($user = '') {
  142. $uid = $user === '' ? $this->user->getUID() : $user;
  143. $recoveryMode = $this->config->getUserValue($uid,
  144. 'encryption',
  145. 'recoveryEnabled',
  146. 0);
  147. return ($recoveryMode === '1');
  148. }
  149. /**
  150. * check if recovery is key is enabled by the administrator
  151. *
  152. * @return bool
  153. */
  154. public function isRecoveryKeyEnabled() {
  155. $enabled = $this->config->getAppValue('encryption', 'recoveryAdminEnabled', 0);
  156. return ($enabled === '1');
  157. }
  158. /**
  159. * @param string $value
  160. * @return bool
  161. */
  162. public function setRecoveryForUser($value) {
  163. try {
  164. $this->config->setUserValue($this->user->getUID(),
  165. 'encryption',
  166. 'recoveryEnabled',
  167. $value);
  168. if ($value === '1') {
  169. $this->addRecoveryKeys('/' . $this->user->getUID() . '/files/');
  170. } else {
  171. $this->removeRecoveryKeys('/' . $this->user->getUID() . '/files/');
  172. }
  173. return true;
  174. } catch (PreConditionNotMetException $e) {
  175. return false;
  176. }
  177. }
  178. /**
  179. * add recovery key to all encrypted files
  180. * @param string $path
  181. */
  182. private function addRecoveryKeys($path) {
  183. $dirContent = $this->view->getDirectoryContent($path);
  184. foreach ($dirContent as $item) {
  185. $filePath = $item->getPath();
  186. if ($item['type'] === 'dir') {
  187. $this->addRecoveryKeys($filePath . '/');
  188. } else {
  189. $fileKey = $this->keyManager->getFileKey($filePath, $this->user->getUID());
  190. if (!empty($fileKey)) {
  191. $accessList = $this->file->getAccessList($filePath);
  192. $publicKeys = array();
  193. foreach ($accessList['users'] as $uid) {
  194. $publicKeys[$uid] = $this->keyManager->getPublicKey($uid);
  195. }
  196. $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $this->user->getUID());
  197. $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys);
  198. $this->keyManager->setAllFileKeys($filePath, $encryptedKeyfiles);
  199. }
  200. }
  201. }
  202. }
  203. /**
  204. * remove recovery key to all encrypted files
  205. * @param string $path
  206. */
  207. private function removeRecoveryKeys($path) {
  208. $dirContent = $this->view->getDirectoryContent($path);
  209. foreach ($dirContent as $item) {
  210. $filePath = $item->getPath();
  211. if ($item['type'] === 'dir') {
  212. $this->removeRecoveryKeys($filePath . '/');
  213. } else {
  214. $this->keyManager->deleteShareKey($filePath, $this->keyManager->getRecoveryKeyId());
  215. }
  216. }
  217. }
  218. /**
  219. * recover users files with the recovery key
  220. *
  221. * @param string $recoveryPassword
  222. * @param string $user
  223. */
  224. public function recoverUsersFiles($recoveryPassword, $user) {
  225. $encryptedKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId());
  226. $privateKey = $this->crypt->decryptPrivateKey($encryptedKey, $recoveryPassword);
  227. if($privateKey !== false) {
  228. $this->recoverAllFiles('/' . $user . '/files/', $privateKey, $user);
  229. }
  230. }
  231. /**
  232. * recover users files
  233. *
  234. * @param string $path
  235. * @param string $privateKey
  236. * @param string $uid
  237. */
  238. private function recoverAllFiles($path, $privateKey, $uid) {
  239. $dirContent = $this->view->getDirectoryContent($path);
  240. foreach ($dirContent as $item) {
  241. // Get relative path from encryption/keyfiles
  242. $filePath = $item->getPath();
  243. if ($this->view->is_dir($filePath)) {
  244. $this->recoverAllFiles($filePath . '/', $privateKey, $uid);
  245. } else {
  246. $this->recoverFile($filePath, $privateKey, $uid);
  247. }
  248. }
  249. }
  250. /**
  251. * recover file
  252. *
  253. * @param string $path
  254. * @param string $privateKey
  255. * @param string $uid
  256. */
  257. private function recoverFile($path, $privateKey, $uid) {
  258. $encryptedFileKey = $this->keyManager->getEncryptedFileKey($path);
  259. $shareKey = $this->keyManager->getShareKey($path, $this->keyManager->getRecoveryKeyId());
  260. if ($encryptedFileKey && $shareKey && $privateKey) {
  261. $fileKey = $this->crypt->multiKeyDecrypt($encryptedFileKey,
  262. $shareKey,
  263. $privateKey);
  264. }
  265. if (!empty($fileKey)) {
  266. $accessList = $this->file->getAccessList($path);
  267. $publicKeys = array();
  268. foreach ($accessList['users'] as $user) {
  269. $publicKeys[$user] = $this->keyManager->getPublicKey($user);
  270. }
  271. $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $uid);
  272. $encryptedKeyfiles = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys);
  273. $this->keyManager->setAllFileKeys($path, $encryptedKeyfiles);
  274. }
  275. }
  276. }