Home Explore Help
Sign In
RISCI_ATOM
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Files Issues 23 Wiki
Tree: f589639822
Branches Tags
nextcloud-serve...
/
apps
/
encryption
/
lib
/
Crypto
/
EncryptAll.php

EncryptAll.php 13 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454 
  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * SPDX-FileCopyrightText: 2017-2024 Nextcloud GmbH and Nextcloud contributors
    5. 

  5.  * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
    6. 

  6.  * SPDX-License-Identifier: AGPL-3.0-only
    7. 

  7.  */
    8. 

  8. namespace OCA\Encryption\Crypto;
    9. 

  9. 

  10. use OC\Encryption\Exceptions\DecryptionFailedException;
    11. 

  11. use OC\Files\View;
    12. 

  12. use OCA\Encryption\KeyManager;
    13. 

  13. use OCA\Encryption\Users\Setup;
    14. 

  14. use OCA\Encryption\Util;
    15. 

  15. use OCP\IConfig;
    16. 

  16. use OCP\IL10N;
    17. 

  17. use OCP\IUser;
    18. 

  18. use OCP\IUserManager;
    19. 

  19. use OCP\L10N\IFactory;
    20. 

  20. use OCP\Mail\Headers\AutoSubmitted;
    21. 

  21. use OCP\Mail\IMailer;
    22. 

  22. use OCP\Security\ISecureRandom;
    23. 

  23. use Symfony\Component\Console\Helper\ProgressBar;
    24. 

  24. use Symfony\Component\Console\Helper\QuestionHelper;
    25. 

  25. use Symfony\Component\Console\Helper\Table;
    26. 

  26. use Symfony\Component\Console\Input\InputInterface;
    27. 

  27. use Symfony\Component\Console\Output\OutputInterface;
    28. 

  28. use Symfony\Component\Console\Question\ConfirmationQuestion;
    29. 

  29. 

  30. class EncryptAll {
    31. 

  31. 

  32. 	/** @var Setup */
    33. 

  33. 	protected $userSetup;
    34. 

  34. 

  35. 	/** @var IUserManager */
    36. 

  36. 	protected $userManager;
    37. 

  37. 

  38. 	/** @var View */
    39. 

  39. 	protected $rootView;
    40. 

  40. 

  41. 	/** @var KeyManager */
    42. 

  42. 	protected $keyManager;
    43. 

  43. 

  44. 	/** @var Util */
    45. 

  45. 	protected $util;
    46. 

  46. 

  47. 	/** @var array  */
    48. 

  48. 	protected $userPasswords;
    49. 

  49. 

  50. 	/** @var  IConfig */
    51. 

  51. 	protected $config;
    52. 

  52. 

  53. 	/** @var IMailer */
    54. 

  54. 	protected $mailer;
    55. 

  55. 

  56. 	/** @var  IL10N */
    57. 

  57. 	protected $l;
    58. 

  58. 

  59. 	/** @var  IFactory */
    60. 

  60. 	protected $l10nFactory;
    61. 

  61. 

  62. 	/** @var  QuestionHelper */
    63. 

  63. 	protected $questionHelper;
    64. 

  64. 

  65. 	/** @var  OutputInterface */
    66. 

  66. 	protected $output;
    67. 

  67. 

  68. 	/** @var  InputInterface */
    69. 

  69. 	protected $input;
    70. 

  70. 

  71. 	/** @var ISecureRandom */
    72. 

  72. 	protected $secureRandom;
    73. 

  73. 

  74. 	public function __construct(
    75. 

  75. 		Setup $userSetup,
    76. 

  76. 		IUserManager $userManager,
    77. 

  77. 		View $rootView,
    78. 

  78. 		KeyManager $keyManager,
    79. 

  79. 		Util $util,
    80. 

  80. 		IConfig $config,
    81. 

  81. 		IMailer $mailer,
    82. 

  82. 		IL10N $l,
    83. 

  83. 		IFactory $l10nFactory,
    84. 

  84. 		QuestionHelper $questionHelper,
    85. 

  85. 		ISecureRandom $secureRandom
    86. 

  86. 	) {
    87. 

  87. 		$this->userSetup = $userSetup;
    88. 

  88. 		$this->userManager = $userManager;
    89. 

  89. 		$this->rootView = $rootView;
    90. 

  90. 		$this->keyManager = $keyManager;
    91. 

  91. 		$this->util = $util;
    92. 

  92. 		$this->config = $config;
    93. 

  93. 		$this->mailer = $mailer;
    94. 

  94. 		$this->l = $l;
    95. 

  95. 		$this->l10nFactory = $l10nFactory;
    96. 

  96. 		$this->questionHelper = $questionHelper;
    97. 

  97. 		$this->secureRandom = $secureRandom;
    98. 

  98. 		// store one time passwords for the users
    99. 

  99. 		$this->userPasswords = [];
    100. 

  100. 	}
    101. 

  101. 

  102. 	/**
    103. 

  103. 	 * start to encrypt all files
    104. 

  104. 	 *
    105. 

  105. 	 * @param InputInterface $input
    106. 

  106. 	 * @param OutputInterface $output
    107. 

  107. 	 */
    108. 

  108. 	public function encryptAll(InputInterface $input, OutputInterface $output) {
    109. 

  109. 		$this->input = $input;
    110. 

  110. 		$this->output = $output;
    111. 

  111. 

  112. 		$headline = 'Encrypt all files with the ' . Encryption::DISPLAY_NAME;
    113. 

  113. 		$this->output->writeln("\n");
    114. 

  114. 		$this->output->writeln($headline);
    115. 

  115. 		$this->output->writeln(str_pad('', strlen($headline), '='));
    116. 

  116. 		$this->output->writeln("\n");
    117. 

  117. 

  118. 		if ($this->util->isMasterKeyEnabled()) {
    119. 

  119. 			$this->output->writeln('Use master key to encrypt all files.');
    120. 

  120. 			$this->keyManager->validateMasterKey();
    121. 

  121. 		} else {
    122. 

  122. 			//create private/public keys for each user and store the private key password
    123. 

  123. 			$this->output->writeln('Create key-pair for every user');
    124. 

  124. 			$this->output->writeln('------------------------------');
    125. 

  125. 			$this->output->writeln('');
    126. 

  126. 			$this->output->writeln('This module will encrypt all files in the users files folder initially.');
    127. 

  127. 			$this->output->writeln('Already existing versions and files in the trash bin will not be encrypted.');
    128. 

  128. 			$this->output->writeln('');
    129. 

  129. 			$this->createKeyPairs();
    130. 

  130. 		}
    131. 

  131. 

  132. 

  133. 		// output generated encryption key passwords
    134. 

  134. 		if ($this->util->isMasterKeyEnabled() === false) {
    135. 

  135. 			//send-out or display password list and write it to a file
    136. 

  136. 			$this->output->writeln("\n");
    137. 

  137. 			$this->output->writeln('Generated encryption key passwords');
    138. 

  138. 			$this->output->writeln('----------------------------------');
    139. 

  139. 			$this->output->writeln('');
    140. 

  140. 			$this->outputPasswords();
    141. 

  141. 		}
    142. 

  142. 

  143. 		//setup users file system and encrypt all files one by one (take should encrypt setting of storage into account)
    144. 

  144. 		$this->output->writeln("\n");
    145. 

  145. 		$this->output->writeln('Start to encrypt users files');
    146. 

  146. 		$this->output->writeln('----------------------------');
    147. 

  147. 		$this->output->writeln('');
    148. 

  148. 		$this->encryptAllUsersFiles();
    149. 

  149. 		$this->output->writeln("\n");
    150. 

  150. 	}
    151. 

  151. 

  152. 	/**
    153. 

  153. 	 * create key-pair for every user
    154. 

  154. 	 */
    155. 

  155. 	protected function createKeyPairs() {
    156. 

  156. 		$this->output->writeln("\n");
    157. 

  157. 		$progress = new ProgressBar($this->output);
    158. 

  158. 		$progress->setFormat(" %message% \n [%bar%]");
    159. 

  159. 		$progress->start();
    160. 

  160. 

  161. 		foreach ($this->userManager->getBackends() as $backend) {
    162. 

  162. 			$limit = 500;
    163. 

  163. 			$offset = 0;
    164. 

  164. 			do {
    165. 

  165. 				$users = $backend->getUsers('', $limit, $offset);
    166. 

  166. 				foreach ($users as $user) {
    167. 

  167. 					if ($this->keyManager->userHasKeys($user) === false) {
    168. 

  168. 						$progress->setMessage('Create key-pair for ' . $user);
    169. 

  169. 						$progress->advance();
    170. 

  170. 						$this->setupUserFS($user);
    171. 

  171. 						$password = $this->generateOneTimePassword($user);
    172. 

  172. 						$this->userSetup->setupUser($user, $password);
    173. 

  173. 					} else {
    174. 

  174. 						// users which already have a key-pair will be stored with a
    175. 

  175. 						// empty password and filtered out later
    176. 

  176. 						$this->userPasswords[$user] = '';
    177. 

  177. 					}
    178. 

  178. 				}
    179. 

  179. 				$offset += $limit;
    180. 

  180. 			} while (count($users) >= $limit);
    181. 

  181. 		}
    182. 

  182. 

  183. 		$progress->setMessage('Key-pair created for all users');
    184. 

  184. 		$progress->finish();
    185. 

  185. 	}
    186. 

  186. 

  187. 	/**
    188. 

  188. 	 * iterate over all user and encrypt their files
    189. 

  189. 	 */
    190. 

  190. 	protected function encryptAllUsersFiles() {
    191. 

  191. 		$this->output->writeln("\n");
    192. 

  192. 		$progress = new ProgressBar($this->output);
    193. 

  193. 		$progress->setFormat(" %message% \n [%bar%]");
    194. 

  194. 		$progress->start();
    195. 

  195. 		$numberOfUsers = count($this->userPasswords);
    196. 

  196. 		$userNo = 1;
    197. 

  197. 		if ($this->util->isMasterKeyEnabled()) {
    198. 

  198. 			$this->encryptAllUserFilesWithMasterKey($progress);
    199. 

  199. 		} else {
    200. 

  200. 			foreach ($this->userPasswords as $uid => $password) {
    201. 

  201. 				$userCount = "$uid ($userNo of $numberOfUsers)";
    202. 

  202. 				$this->encryptUsersFiles($uid, $progress, $userCount);
    203. 

  203. 				$userNo++;
    204. 

  204. 			}
    205. 

  205. 		}
    206. 

  206. 		$progress->setMessage("all files encrypted");
    207. 

  207. 		$progress->finish();
    208. 

  208. 	}
    209. 

  209. 

  210. 	/**
    211. 

  211. 	 * encrypt all user files with the master key
    212. 

  212. 	 *
    213. 

  213. 	 * @param ProgressBar $progress
    214. 

  214. 	 */
    215. 

  215. 	protected function encryptAllUserFilesWithMasterKey(ProgressBar $progress) {
    216. 

  216. 		$userNo = 1;
    217. 

  217. 		foreach ($this->userManager->getBackends() as $backend) {
    218. 

  218. 			$limit = 500;
    219. 

  219. 			$offset = 0;
    220. 

  220. 			do {
    221. 

  221. 				$users = $backend->getUsers('', $limit, $offset);
    222. 

  222. 				foreach ($users as $user) {
    223. 

  223. 					$userCount = "$user ($userNo)";
    224. 

  224. 					$this->encryptUsersFiles($user, $progress, $userCount);
    225. 

  225. 					$userNo++;
    226. 

  226. 				}
    227. 

  227. 				$offset += $limit;
    228. 

  228. 			} while (count($users) >= $limit);
    229. 

  229. 		}
    230. 

  230. 	}
    231. 

  231. 

  232. 	/**
    233. 

  233. 	 * encrypt files from the given user
    234. 

  234. 	 *
    235. 

  235. 	 * @param string $uid
    236. 

  236. 	 * @param ProgressBar $progress
    237. 

  237. 	 * @param string $userCount
    238. 

  238. 	 */
    239. 

  239. 	protected function encryptUsersFiles($uid, ProgressBar $progress, $userCount) {
    240. 

  240. 		$this->setupUserFS($uid);
    241. 

  241. 		$directories = [];
    242. 

  242. 		$directories[] = '/' . $uid . '/files';
    243. 

  243. 

  244. 		while ($root = array_pop($directories)) {
    245. 

  245. 			$content = $this->rootView->getDirectoryContent($root);
    246. 

  246. 			foreach ($content as $file) {
    247. 

  247. 				$path = $root . '/' . $file['name'];
    248. 

  248. 				if ($this->rootView->is_dir($path)) {
    249. 

  249. 					$directories[] = $path;
    250. 

  250. 					continue;
    251. 

  251. 				} else {
    252. 

  252. 					$progress->setMessage("encrypt files for user $userCount: $path");
    253. 

  253. 					$progress->advance();
    254. 

  254. 					if ($this->encryptFile($path) === false) {
    255. 

  255. 						$progress->setMessage("encrypt files for user $userCount: $path (already encrypted)");
    256. 

  256. 						$progress->advance();
    257. 

  257. 					}
    258. 

  258. 				}
    259. 

  259. 			}
    260. 

  260. 		}
    261. 

  261. 	}
    262. 

  262. 

  263. 	/**
    264. 

  264. 	 * encrypt file
    265. 

  265. 	 *
    266. 

  266. 	 * @param string $path
    267. 

  267. 	 * @return bool
    268. 

  268. 	 */
    269. 

  269. 	protected function encryptFile($path) {
    270. 

  270. 

  271. 		// skip already encrypted files
    272. 

  272. 		$fileInfo = $this->rootView->getFileInfo($path);
    273. 

  273. 		if ($fileInfo !== false && $fileInfo->isEncrypted()) {
    274. 

  274. 			return true;
    275. 

  275. 		}
    276. 

  276. 

  277. 		$source = $path;
    278. 

  278. 		$target = $path . '.encrypted.' . time();
    279. 

  279. 

  280. 		try {
    281. 

  281. 			$this->rootView->copy($source, $target);
    282. 

  282. 			$this->rootView->rename($target, $source);
    283. 

  283. 		} catch (DecryptionFailedException $e) {
    284. 

  284. 			if ($this->rootView->file_exists($target)) {
    285. 

  285. 				$this->rootView->unlink($target);
    286. 

  286. 			}
    287. 

  287. 			return false;
    288. 

  288. 		}
    289. 

  289. 

  290. 		return true;
    291. 

  291. 	}
    292. 

  292. 

  293. 	/**
    294. 

  294. 	 * output one-time encryption passwords
    295. 

  295. 	 */
    296. 

  296. 	protected function outputPasswords() {
    297. 

  297. 		$table = new Table($this->output);
    298. 

  298. 		$table->setHeaders(['Username', 'Private key password']);
    299. 

  299. 

  300. 		//create rows
    301. 

  301. 		$newPasswords = [];
    302. 

  302. 		$unchangedPasswords = [];
    303. 

  303. 		foreach ($this->userPasswords as $uid => $password) {
    304. 

  304. 			if (empty($password)) {
    305. 

  305. 				$unchangedPasswords[] = $uid;
    306. 

  306. 			} else {
    307. 

  307. 				$newPasswords[] = [$uid, $password];
    308. 

  308. 			}
    309. 

  309. 		}
    310. 

  310. 

  311. 		if (empty($newPasswords)) {
    312. 

  312. 			$this->output->writeln("\nAll users already had a key-pair, no further action needed.\n");
    313. 

  313. 			return;
    314. 

  314. 		}
    315. 

  315. 

  316. 		$table->setRows($newPasswords);
    317. 

  317. 		$table->render();
    318. 

  318. 

  319. 		if (!empty($unchangedPasswords)) {
    320. 

  320. 			$this->output->writeln("\nThe following users already had a key-pair which was reused without setting a new password:\n");
    321. 

  321. 			foreach ($unchangedPasswords as $uid) {
    322. 

  322. 				$this->output->writeln("    $uid");
    323. 

  323. 			}
    324. 

  324. 		}
    325. 

  325. 

  326. 		$this->writePasswordsToFile($newPasswords);
    327. 

  327. 

  328. 		$this->output->writeln('');
    329. 

  329. 		$question = new ConfirmationQuestion('Do you want to send the passwords directly to the users by mail? (y/n) ', false);
    330. 

  330. 		if ($this->questionHelper->ask($this->input, $this->output, $question)) {
    331. 

  331. 			$this->sendPasswordsByMail();
    332. 

  332. 		}
    333. 

  333. 	}
    334. 

  334. 

  335. 	/**
    336. 

  336. 	 * write one-time encryption passwords to a csv file
    337. 

  337. 	 *
    338. 

  338. 	 * @param array $passwords
    339. 

  339. 	 */
    340. 

  340. 	protected function writePasswordsToFile(array $passwords) {
    341. 

  341. 		$fp = $this->rootView->fopen('oneTimeEncryptionPasswords.csv', 'w');
    342. 

  342. 		foreach ($passwords as $pwd) {
    343. 

  343. 			fputcsv($fp, $pwd);
    344. 

  344. 		}
    345. 

  345. 		fclose($fp);
    346. 

  346. 		$this->output->writeln("\n");
    347. 

  347. 		$this->output->writeln('A list of all newly created passwords was written to data/oneTimeEncryptionPasswords.csv');
    348. 

  348. 		$this->output->writeln('');
    349. 

  349. 		$this->output->writeln('Each of these users need to login to the web interface, go to the');
    350. 

  350. 		$this->output->writeln('personal settings section "basic encryption module" and');
    351. 

  351. 		$this->output->writeln('update the private key password to match the login password again by');
    352. 

  352. 		$this->output->writeln('entering the one-time password into the "old log-in password" field');
    353. 

  353. 		$this->output->writeln('and their current login password');
    354. 

  354. 	}
    355. 

  355. 

  356. 	/**
    357. 

  357. 	 * setup user file system
    358. 

  358. 	 *
    359. 

  359. 	 * @param string $uid
    360. 

  360. 	 */
    361. 

  361. 	protected function setupUserFS($uid) {
    362. 

  362. 		\OC_Util::tearDownFS();
    363. 

  363. 		\OC_Util::setupFS($uid);
    364. 

  364. 	}
    365. 

  365. 

  366. 	/**
    367. 

  367. 	 * generate one time password for the user and store it in a array
    368. 

  368. 	 *
    369. 

  369. 	 * @param string $uid
    370. 

  370. 	 * @return string password
    371. 

  371. 	 */
    372. 

  372. 	protected function generateOneTimePassword($uid) {
    373. 

  373. 		$password = $this->secureRandom->generate(16, ISecureRandom::CHAR_HUMAN_READABLE);
    374. 

  374. 		$this->userPasswords[$uid] = $password;
    375. 

  375. 		return $password;
    376. 

  376. 	}
    377. 

  377. 

  378. 	/**
    379. 

  379. 	 * send encryption key passwords to the users by mail
    380. 

  380. 	 */
    381. 

  381. 	protected function sendPasswordsByMail() {
    382. 

  382. 		$noMail = [];
    383. 

  383. 

  384. 		$this->output->writeln('');
    385. 

  385. 		$progress = new ProgressBar($this->output, count($this->userPasswords));
    386. 

  386. 		$progress->start();
    387. 

  387. 

  388. 		foreach ($this->userPasswords as $uid => $password) {
    389. 

  389. 			$progress->advance();
    390. 

  390. 			if (!empty($password)) {
    391. 

  391. 				$recipient = $this->userManager->get($uid);
    392. 

  392. 				if (!$recipient instanceof IUser) {
    393. 

  393. 					continue;
    394. 

  394. 				}
    395. 

  395. 

  396. 				$recipientDisplayName = $recipient->getDisplayName();
    397. 

  397. 				$to = $recipient->getEMailAddress();
    398. 

  398. 

  399. 				if ($to === '' || $to === null) {
    400. 

  400. 					$noMail[] = $uid;
    401. 

  401. 					continue;
    402. 

  402. 				}
    403. 

  403. 

  404. 				$l = $this->l10nFactory->get('encryption', $this->l10nFactory->getUserLanguage($recipient));
    405. 

  405. 

  406. 				$template = $this->mailer->createEMailTemplate('encryption.encryptAllPassword', [
    407. 

  407. 					'user' => $recipient->getUID(),
    408. 

  408. 					'password' => $password,
    409. 

  409. 				]);
    410. 

  410. 

  411. 				$template->setSubject($l->t('one-time password for server-side-encryption'));
    412. 

  412. 				// 'Hey there,<br><br>The administration enabled server-side-encryption. Your files were encrypted using the password <strong>%s</strong>.<br><br>
    413. 

  413. 				// Please login to the web interface, go to the section "Basic encryption module" of your personal settings and update your encryption password by entering this password into the "Old log-in password" field and your current login-password.<br><br>'
    414. 

  414. 				$template->addHeader();
    415. 

  415. 				$template->addHeading($l->t('Encryption password'));
    416. 

  416. 				$template->addBodyText(
    417. 

  417. 					$l->t('The administration enabled server-side-encryption. Your files were encrypted using the password <strong>%s</strong>.', [htmlspecialchars($password)]),
    418. 

  418. 					$l->t('The administration enabled server-side-encryption. Your files were encrypted using the password "%s".', $password)
    419. 

  419. 				);
    420. 

  420. 				$template->addBodyText(
    421. 

  421. 					$l->t('Please login to the web interface, go to the "Security" section of your personal settings and update your encryption password by entering this password into the "Old login password" field and your current login password.')
    422. 

  422. 				);
    423. 

  423. 				$template->addFooter();
    424. 

  424. 

  425. 				// send it out now
    426. 

  426. 				try {
    427. 

  427. 					$message = $this->mailer->createMessage();
    428. 

  428. 					$message->setTo([$to => $recipientDisplayName]);
    429. 

  429. 					$message->useTemplate($template);
    430. 

  430. 					$message->setAutoSubmitted(AutoSubmitted::VALUE_AUTO_GENERATED);
    431. 

  431. 					$this->mailer->send($message);
    432. 

  432. 				} catch (\Exception $e) {
    433. 

  433. 					$noMail[] = $uid;
    434. 

  434. 				}
    435. 

  435. 			}
    436. 

  436. 		}
    437. 

  437. 

  438. 		$progress->finish();
    439. 

  439. 

  440. 		if (empty($noMail)) {
    441. 

  441. 			$this->output->writeln("\n\nPassword successfully send to all users");
    442. 

  442. 		} else {
    443. 

  443. 			$table = new Table($this->output);
    444. 

  444. 			$table->setHeaders(['Username', 'Private key password']);
    445. 

  445. 			$this->output->writeln("\n\nCould not send password to following users:\n");
    446. 

  446. 			$rows = [];
    447. 

  447. 			foreach ($noMail as $uid) {
    448. 

  448. 				$rows[] = [$uid, $this->userPasswords[$uid]];
    449. 

  449. 			}
    450. 

  450. 			$table->setRows($rows);
    451. 

  451. 			$table->render();
    452. 

  452. 		}
    453. 

  453. 	}
    454. 

  454. }
    455.