1
0

Recovery.php 7.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284
  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2019-2024 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  5. * SPDX-License-Identifier: AGPL-3.0-only
  6. */
  7. namespace OCA\Encryption;
  8. use OC\Files\View;
  9. use OCA\Encryption\Crypto\Crypt;
  10. use OCP\Encryption\IFile;
  11. use OCP\IConfig;
  12. use OCP\IUser;
  13. use OCP\IUserSession;
  14. use OCP\PreConditionNotMetException;
  15. class Recovery {
  16. /**
  17. * @var null|IUser
  18. */
  19. protected $user;
  20. /**
  21. * @var Crypt
  22. */
  23. protected $crypt;
  24. /**
  25. * @var KeyManager
  26. */
  27. private $keyManager;
  28. /**
  29. * @var IConfig
  30. */
  31. private $config;
  32. /**
  33. * @var View
  34. */
  35. private $view;
  36. /**
  37. * @var IFile
  38. */
  39. private $file;
  40. /**
  41. * @param IUserSession $userSession
  42. * @param Crypt $crypt
  43. * @param KeyManager $keyManager
  44. * @param IConfig $config
  45. * @param IFile $file
  46. * @param View $view
  47. */
  48. public function __construct(IUserSession $userSession,
  49. Crypt $crypt,
  50. KeyManager $keyManager,
  51. IConfig $config,
  52. IFile $file,
  53. View $view) {
  54. $this->user = ($userSession->isLoggedIn()) ? $userSession->getUser() : null;
  55. $this->crypt = $crypt;
  56. $this->keyManager = $keyManager;
  57. $this->config = $config;
  58. $this->view = $view;
  59. $this->file = $file;
  60. }
  61. /**
  62. * @param string $password
  63. * @return bool
  64. */
  65. public function enableAdminRecovery($password) {
  66. $appConfig = $this->config;
  67. $keyManager = $this->keyManager;
  68. if (!$keyManager->recoveryKeyExists()) {
  69. $keyPair = $this->crypt->createKeyPair();
  70. if (!is_array($keyPair)) {
  71. return false;
  72. }
  73. $this->keyManager->setRecoveryKey($password, $keyPair);
  74. }
  75. if ($keyManager->checkRecoveryPassword($password)) {
  76. $appConfig->setAppValue('encryption', 'recoveryAdminEnabled', '1');
  77. return true;
  78. }
  79. return false;
  80. }
  81. /**
  82. * change recovery key id
  83. *
  84. * @param string $newPassword
  85. * @param string $oldPassword
  86. * @return bool
  87. */
  88. public function changeRecoveryKeyPassword($newPassword, $oldPassword) {
  89. $recoveryKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId());
  90. $decryptedRecoveryKey = $this->crypt->decryptPrivateKey($recoveryKey, $oldPassword);
  91. if ($decryptedRecoveryKey === false) {
  92. return false;
  93. }
  94. $encryptedRecoveryKey = $this->crypt->encryptPrivateKey($decryptedRecoveryKey, $newPassword);
  95. $header = $this->crypt->generateHeader();
  96. if ($encryptedRecoveryKey) {
  97. $this->keyManager->setSystemPrivateKey($this->keyManager->getRecoveryKeyId(), $header . $encryptedRecoveryKey);
  98. return true;
  99. }
  100. return false;
  101. }
  102. /**
  103. * @param string $recoveryPassword
  104. * @return bool
  105. */
  106. public function disableAdminRecovery($recoveryPassword) {
  107. $keyManager = $this->keyManager;
  108. if ($keyManager->checkRecoveryPassword($recoveryPassword)) {
  109. // Set recoveryAdmin as disabled
  110. $this->config->setAppValue('encryption', 'recoveryAdminEnabled', '0');
  111. return true;
  112. }
  113. return false;
  114. }
  115. /**
  116. * check if recovery is enabled for user
  117. *
  118. * @param string $user if no user is given we check the current logged-in user
  119. *
  120. * @return bool
  121. */
  122. public function isRecoveryEnabledForUser($user = '') {
  123. $uid = $user === '' ? $this->user->getUID() : $user;
  124. $recoveryMode = $this->config->getUserValue($uid,
  125. 'encryption',
  126. 'recoveryEnabled',
  127. 0);
  128. return ($recoveryMode === '1');
  129. }
  130. /**
  131. * check if recovery is key is enabled by the administrator
  132. *
  133. * @return bool
  134. */
  135. public function isRecoveryKeyEnabled() {
  136. $enabled = $this->config->getAppValue('encryption', 'recoveryAdminEnabled', '0');
  137. return ($enabled === '1');
  138. }
  139. /**
  140. * @param string $value
  141. * @return bool
  142. */
  143. public function setRecoveryForUser($value) {
  144. try {
  145. $this->config->setUserValue($this->user->getUID(),
  146. 'encryption',
  147. 'recoveryEnabled',
  148. $value);
  149. if ($value === '1') {
  150. $this->addRecoveryKeys('/' . $this->user->getUID() . '/files/');
  151. } else {
  152. $this->removeRecoveryKeys('/' . $this->user->getUID() . '/files/');
  153. }
  154. return true;
  155. } catch (PreConditionNotMetException $e) {
  156. return false;
  157. }
  158. }
  159. /**
  160. * add recovery key to all encrypted files
  161. */
  162. private function addRecoveryKeys(string $path): void {
  163. $dirContent = $this->view->getDirectoryContent($path);
  164. foreach ($dirContent as $item) {
  165. $filePath = $item->getPath();
  166. if ($item['type'] === 'dir') {
  167. $this->addRecoveryKeys($filePath . '/');
  168. } else {
  169. $fileKey = $this->keyManager->getFileKey($filePath, $this->user->getUID(), null);
  170. if (!empty($fileKey)) {
  171. $accessList = $this->file->getAccessList($filePath);
  172. $publicKeys = [];
  173. foreach ($accessList['users'] as $uid) {
  174. $publicKeys[$uid] = $this->keyManager->getPublicKey($uid);
  175. }
  176. $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $this->user->getUID());
  177. $shareKeys = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys);
  178. $this->keyManager->deleteLegacyFileKey($filePath);
  179. foreach ($shareKeys as $uid => $keyFile) {
  180. $this->keyManager->setShareKey($filePath, $uid, $keyFile);
  181. }
  182. }
  183. }
  184. }
  185. }
  186. /**
  187. * remove recovery key to all encrypted files
  188. */
  189. private function removeRecoveryKeys(string $path): void {
  190. $dirContent = $this->view->getDirectoryContent($path);
  191. foreach ($dirContent as $item) {
  192. $filePath = $item->getPath();
  193. if ($item['type'] === 'dir') {
  194. $this->removeRecoveryKeys($filePath . '/');
  195. } else {
  196. $this->keyManager->deleteShareKey($filePath, $this->keyManager->getRecoveryKeyId());
  197. }
  198. }
  199. }
  200. /**
  201. * recover users files with the recovery key
  202. */
  203. public function recoverUsersFiles(string $recoveryPassword, string $user): void {
  204. $encryptedKey = $this->keyManager->getSystemPrivateKey($this->keyManager->getRecoveryKeyId());
  205. $privateKey = $this->crypt->decryptPrivateKey($encryptedKey, $recoveryPassword);
  206. if ($privateKey !== false) {
  207. $this->recoverAllFiles('/' . $user . '/files/', $privateKey, $user);
  208. }
  209. }
  210. /**
  211. * recover users files
  212. */
  213. private function recoverAllFiles(string $path, string $privateKey, string $uid): void {
  214. $dirContent = $this->view->getDirectoryContent($path);
  215. foreach ($dirContent as $item) {
  216. // Get relative path from encryption/keyfiles
  217. $filePath = $item->getPath();
  218. if ($this->view->is_dir($filePath)) {
  219. $this->recoverAllFiles($filePath . '/', $privateKey, $uid);
  220. } else {
  221. $this->recoverFile($filePath, $privateKey, $uid);
  222. }
  223. }
  224. }
  225. /**
  226. * recover file
  227. */
  228. private function recoverFile(string $path, string $privateKey, string $uid): void {
  229. $encryptedFileKey = $this->keyManager->getEncryptedFileKey($path);
  230. $shareKey = $this->keyManager->getShareKey($path, $this->keyManager->getRecoveryKeyId());
  231. if ($encryptedFileKey && $shareKey && $privateKey) {
  232. $fileKey = $this->crypt->multiKeyDecryptLegacy($encryptedFileKey,
  233. $shareKey,
  234. $privateKey);
  235. } elseif ($shareKey && $privateKey) {
  236. $fileKey = $this->crypt->multiKeyDecrypt($shareKey, $privateKey);
  237. }
  238. if (!empty($fileKey)) {
  239. $accessList = $this->file->getAccessList($path);
  240. $publicKeys = [];
  241. foreach ($accessList['users'] as $user) {
  242. $publicKeys[$user] = $this->keyManager->getPublicKey($user);
  243. }
  244. $publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $uid);
  245. $shareKeys = $this->crypt->multiKeyEncrypt($fileKey, $publicKeys);
  246. $this->keyManager->deleteLegacyFileKey($path);
  247. foreach ($shareKeys as $uid => $keyFile) {
  248. $this->keyManager->setShareKey($path, $uid, $keyFile);
  249. }
  250. }
  251. }
  252. }