Merge pull request #50596 from nextcloud/backport/50424/stable29

[stable29] fix(settings): Clarify peculiarities of enabling encryption

apps/settings/src/components/Encryption.vue

@@ -1,209 +0,0 @@
-<!--
-	- @copyright 2022 Carl Schwan <carl@carlschwan.eu>
-	-
-	- @author Carl Schwan <carl@carlschwan.eu>
-	-
-	- @license GNU AGPL version 3 or any later version
-	-
-	- This program is free software: you can redistribute it and/or modify
-	- it under the terms of the GNU Affero General Public License as
-	- published by the Free Software Foundation, either version 3 of the
-	- License, or (at your option) any later version.
-	-
-	- This program is distributed in the hope that it will be useful,
-	- but WITHOUT ANY WARRANTY; without even the implied warranty of
-	- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-	- GNU Affero General Public License for more details.
-	-
-	- You should have received a copy of the GNU Affero General Public License
-	- along with this program. If not, see <http://www.gnu.org/licenses/>.
-	-
--->
-
-<template>
-	<NcSettingsSection :name="t('settings', 'Server-side encryption')"
-		:description="t('settings', 'Server-side encryption makes it possible to encrypt files which are uploaded to this server. This comes with limitations like a performance penalty, so enable this only if needed.')"
-		:doc-url="encryptionAdminDoc">
-		<NcCheckboxRadioSwitch :checked="encryptionEnabled || shouldDisplayWarning"
-			:disabled="encryptionEnabled"
-			type="switch"
-			@update:checked="displayWarning">
-			{{ t('settings', 'Enable server-side encryption') }}
-		</NcCheckboxRadioSwitch>
-
-		<div v-if="shouldDisplayWarning && !encryptionEnabled" class="notecard warning" role="alert">
-			<p>{{ t('settings', 'Please read carefully before activating server-side encryption:') }}</p>
-			<ul>
-				<li>{{ t('settings', 'Once encryption is enabled, all files uploaded to the server from that point forward will be encrypted at rest on the server. It will only be possible to disable encryption at a later date if the active encryption module supports that function, and all pre-conditions (e.g. setting a recover key) are met.') }}</li>
-				<li>{{ t('settings', 'Encryption alone does not guarantee security of the system. Please see documentation for more information about how the encryption app works, and the supported use cases.') }}</li>
-				<li>{{ t('settings', 'Be aware that encryption always increases the file size.') }}</li>
-				<li>{{ t('settings', 'It is always good to create regular backups of your data, in case of encryption make sure to backup the encryption keys along with your data.') }}</li>
-			</ul>
-
-			<p class="margin-bottom">
-				{{ t('settings', 'This is the final warning: Do you really want to enable encryption?') }}
-			</p>
-			<NcButton type="primary"
-				@click="enableEncryption()">
-				{{ t('settings', "Enable encryption") }}
-			</NcButton>
-		</div>
-
-		<div v-if="encryptionEnabled">
-			<div v-if="encryptionReady">
-				<p v-if="encryptionModules.length === 0">
-					{{ t('settings', 'No encryption module loaded, please enable an encryption module in the app menu.') }}
-				</p>
-				<template v-else>
-					<h3>{{ t('settings', 'Select default encryption module:') }}</h3>
-					<fieldset>
-						<NcCheckboxRadioSwitch v-for="(module, id) in encryptionModules"
-							:key="id"
-							:checked.sync="defaultCheckedModule"
-							:value="id"
-							type="radio"
-							name="default_encryption_module"
-							@update:checked="checkDefaultModule">
-							{{ module.displayName }}
-						</NcCheckboxRadioSwitch>
-					</fieldset>
-				</template>
-			</div>
-
-			<div v-else-if="externalBackendsEnabled" v-html="migrationMessage" />
-		</div>
-	</NcSettingsSection>
-</template>
-
-<script>
-import axios from '@nextcloud/axios'
-import NcCheckboxRadioSwitch from '@nextcloud/vue/dist/Components/NcCheckboxRadioSwitch.js'
-import NcButton from '@nextcloud/vue/dist/Components/NcButton.js'
-import NcSettingsSection from '@nextcloud/vue/dist/Components/NcSettingsSection.js'
-import { loadState } from '@nextcloud/initial-state'
-import { getLoggerBuilder } from '@nextcloud/logger'
-
-import { generateOcsUrl } from '@nextcloud/router'
-import { confirmPassword } from '@nextcloud/password-confirmation'
-import '@nextcloud/password-confirmation/dist/style.css'
-import { showError } from '@nextcloud/dialogs'
-
-const logger = getLoggerBuilder()
-	.setApp('settings')
-	.detectUser()
-	.build()
-
-export default {
-	name: 'Encryption',
-	components: {
-		NcCheckboxRadioSwitch,
-		NcSettingsSection,
-		NcButton,
-	},
-	data() {
-		const encryptionModules = loadState('settings', 'encryption-modules')
-		return {
-			encryptionReady: loadState('settings', 'encryption-ready'),
-			encryptionEnabled: loadState('settings', 'encryption-enabled'),
-			externalBackendsEnabled: loadState('settings', 'external-backends-enabled'),
-			encryptionAdminDoc: loadState('settings', 'encryption-admin-doc'),
-			encryptionModules,
-			shouldDisplayWarning: false,
-			migrating: false,
-			defaultCheckedModule: Object.entries(encryptionModules).find((module) => module[1].default)?.[0],
-		}
-	},
-	computed: {
-		migrationMessage() {
-			return t('settings', 'You need to migrate your encryption keys from the old encryption (ownCloud <= 8.0) to the new one. Please enable the "Default encryption module" and run {command}', {
-				command: '"occ encryption:migrate"',
-			})
-		},
-	},
-	methods: {
-		displayWarning() {
-			if (!this.encryptionEnabled) {
-				this.shouldDisplayWarning = !this.shouldDisplayWarning
-			} else {
-				this.encryptionEnabled = false
-				this.shouldDisplayWarning = false
-			}
-		},
-		async update(key, value) {
-			await confirmPassword()
-
-			const url = generateOcsUrl('/apps/provisioning_api/api/v1/config/apps/{appId}/{key}', {
-				appId: 'core',
-				key,
-			})
-
-			try {
-				const { data } = await axios.post(url, {
-					value: value,
-				})
-				this.handleResponse({
-					status: data.ocs?.meta?.status,
-				})
-			} catch (e) {
-				this.handleResponse({
-					errorMessage: t('settings', 'Unable to update server side encryption config'),
-					error: e,
-				})
-			}
-		},
-		async checkDefaultModule() {
-			await this.update('default_encryption_module', this.defaultCheckedModule)
-		},
-		async enableEncryption() {
-			this.encryptionEnabled = true
-			await this.update('encryption_enabled', 'yes')
-		},
-		async handleResponse({ status, errorMessage, error }) {
-			if (status !== 'ok') {
-				showError(errorMessage)
-				logger.error(errorMessage, { error })
-			}
-		},
-	},
-}
-</script>
-
-<style lang="scss" scoped>
-
-.notecard.success {
-	--note-background: rgba(var(--color-success-rgb), 0.2);
-	--note-theme: var(--color-success);
-}
-
-.notecard.error {
-	--note-background: rgba(var(--color-error-rgb), 0.2);
-	--note-theme: var(--color-error);
-}
-
-.notecard.warning {
-	--note-background: rgba(var(--color-warning-rgb), 0.2);
-	--note-theme: var(--color-warning);
-}
-
-#body-settings .notecard {
-	color: var(--color-text-light);
-	background-color: var(--note-background);
-	border: 1px solid var(--color-border);
-	border-left: 4px solid var(--note-theme);
-	border-radius: var(--border-radius);
-	box-shadow: rgba(43, 42, 51, 0.05) 0px 1px 2px 0px;
-	margin: 1rem 0;
-	margin-top: 1rem;
-	padding: 1rem;
-}
-
-li {
-	list-style-type: initial;
-	margin-left: 1rem;
-	padding: 0.25rem 0;
-}
-
-.margin-bottom {
-	margin-bottom: 0.75rem;
-}
-</style>

apps/settings/src/components/Encryption/EncryptionSettings.vue

@@ -0,0 +1,197 @@
+<!--
+  - SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors
+  - SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+<script setup lang="ts">
+import type { OCSResponse } from '@nextcloud/typings/ocs'
+import { showError, spawnDialog } from '@nextcloud/dialogs'
+import { loadState } from '@nextcloud/initial-state'
+import { t } from '@nextcloud/l10n'
+import { confirmPassword } from '@nextcloud/password-confirmation'
+import { generateOcsUrl } from '@nextcloud/router'
+import { ref } from 'vue'
+import { textExistingFilesNotEncrypted } from './sharedTexts.ts'
+
+import axios from '@nextcloud/axios'
+import logger from '../../logger.ts'
+
+import NcCheckboxRadioSwitch from '@nextcloud/vue/dist/Components/NcCheckboxRadioSwitch.js'
+import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js'
+import NcSettingsSection from '@nextcloud/vue/dist/Components/NcSettingsSection.js'
+import EncryptionWarningDialog from './EncryptionWarningDialog.vue'
+
+interface EncryptionModule {
+	default?: boolean
+	displayName: string
+}
+
+const allEncryptionModules = loadState<never[]|Record<string, EncryptionModule>>('settings', 'encryption-modules')
+/** Available encryption modules on the backend */
+const encryptionModules = Array.isArray(allEncryptionModules) ? [] : Object.entries(allEncryptionModules).map(([id, module]) => ({ ...module, id }))
+/** ID of the default encryption module */
+const defaultCheckedModule = encryptionModules.find((module) => module.default)?.id
+
+/** Is the server side encryptio ready to be enabled */
+const encryptionReady = loadState<boolean>('settings', 'encryption-ready')
+/** Are external backends enabled (legacy ownCloud stuff) */
+const externalBackendsEnabled = loadState<boolean>('settings', 'external-backends-enabled')
+/** URL to the admin docs */
+const encryptionAdminDoc = loadState<string>('settings', 'encryption-admin-doc')
+
+/** Is the encryption enabled */
+const encryptionEnabled = ref(loadState<boolean>('settings', 'encryption-enabled'))
+
+/** Loading state while enabling encryption (e.g. because the confirmation dialog is open) */
+const loadingEncryptionState = ref(false)
+
+/**
+ * Open the encryption-enabling warning (spawns a dialog)
+ * @param enabled The enabled state of encryption
+ */
+function displayWarning(enabled: boolean) {
+	if (loadingEncryptionState.value || enabled === false) {
+		return
+	}
+
+	loadingEncryptionState.value = true
+	spawnDialog(EncryptionWarningDialog, {}, async (confirmed) => {
+		try {
+			if (confirmed) {
+				await enableEncryption()
+			}
+		} finally {
+			loadingEncryptionState.value = false
+		}
+	})
+}
+
+/**
+ * Update an encryption setting on the backend
+ * @param key The setting to update
+ * @param value The new value
+ */
+async function update(key: string, value: string) {
+	await confirmPassword()
+
+	const url = generateOcsUrl('/apps/provisioning_api/api/v1/config/apps/{appId}/{key}', {
+		appId: 'core',
+		key,
+	})
+
+	try {
+		const { data } = await axios.post<OCSResponse>(url, {
+			value,
+		})
+		if (data.ocs.meta.status !== 'ok') {
+			throw new Error('Unsuccessful OCS response', { cause: data.ocs })
+		}
+	} catch (error) {
+		showError(t('settings', 'Unable to update server side encryption config'))
+		logger.error('Unable to update server side encryption config', { error })
+		return false
+	}
+	return true
+}
+
+/**
+ * Choose the default encryption module
+ */
+async function checkDefaultModule(): Promise<void> {
+	if (defaultCheckedModule) {
+		await update('default_encryption_module', defaultCheckedModule)
+	}
+}
+
+/**
+ * Enable encryption - sends an async POST request
+ */
+async function enableEncryption(): Promise<void> {
+	encryptionEnabled.value = await update('encryption_enabled', 'yes')
+}
+</script>
+
+<template>
+	<NcSettingsSection :name="t('settings', 'Server-side encryption')"
+		:description="t('settings', 'Server-side encryption makes it possible to encrypt files which are uploaded to this server. This comes with limitations like a performance penalty, so enable this only if needed.')"
+		:doc-url="encryptionAdminDoc">
+		<NcNoteCard v-if="encryptionEnabled" type="info">
+			<p>
+				{{ textExistingFilesNotEncrypted }}
+				{{ t('settings', 'To encrypt all existing files run this OCC command:') }}
+			</p>
+			<code>
+				<pre>occ encryption:encrypt-all</pre>
+			</code>
+		</NcNoteCard>
+
+		<NcCheckboxRadioSwitch :class="{ disabled: encryptionEnabled }"
+			:checked="encryptionEnabled"
+			:aria-disabled="encryptionEnabled ? 'true' : undefined"
+			:aria-describedby="encryptionEnabled ? 'server-side-encryption-disable-hint' : undefined"
+			:loading="loadingEncryptionState"
+			type="switch"
+			@update:checked="displayWarning">
+			{{ t('settings', 'Enable server-side encryption') }}
+		</NcCheckboxRadioSwitch>
+		<p v-if="encryptionEnabled" id="server-side-encryption-disable-hint" class="disable-hint">
+			{{ t('settings', 'Disabling server side encryption is only possible using OCC, please refer to the documentation.') }}
+		</p>
+
+		<NcNoteCard v-if="encryptionModules.length === 0"
+			type="warning"
+			:text="t('settings', 'No encryption module loaded, please enable an encryption module in the app menu.')" />
+
+		<template v-else-if="encryptionEnabled">
+			<div v-if="encryptionReady && encryptionModules.length > 0">
+				<h3>{{ t('settings', 'Select default encryption module:') }}</h3>
+				<fieldset>
+					<NcCheckboxRadioSwitch v-for="module in encryptionModules"
+						:key="module.id"
+						:checked.sync="defaultCheckedModule"
+						:value="module.id"
+						type="radio"
+						name="default_encryption_module"
+						@update:checked="checkDefaultModule">
+						{{ module.displayName }}
+					</NcCheckboxRadioSwitch>
+				</fieldset>
+			</div>
+
+			<div v-else-if="externalBackendsEnabled">
+				{{
+					t(
+						'settings',
+						'You need to migrate your encryption keys from the old encryption (ownCloud <= 8.0) to the new one. Please enable the "Default encryption module" and run {command}',
+						{ command: '"occ encryption:migrate"' },
+					)
+				}}
+			</div>
+		</template>
+	</NcSettingsSection>
+</template>
+
+<style scoped>
+code {
+	background-color: var(--color-background-dark);
+	color: var(--color-main-text);
+
+	display: block;
+	margin-block-start: 0.5rem;
+	padding: .25lh .5lh;
+	width: fit-content;
+}
+
+.disabled {
+	opacity: .75;
+}
+
+.disabled :deep(*) {
+	cursor: not-allowed !important;
+}
+
+.disable-hint {
+	color: var(--color-text-maxcontrast);
+	padding-inline-start: 10px;
+}
+</style>

apps/settings/src/components/Encryption/EncryptionWarningDialog.vue

@@ -0,0 +1,88 @@
+<!--
+  - SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+  - SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+<script setup lang="ts">
+import type { IDialogButton } from '@nextcloud/dialogs'
+
+import { t } from '@nextcloud/l10n'
+import { textExistingFilesNotEncrypted } from './sharedTexts.ts'
+import NcDialog from '@nextcloud/vue/dist/Components/NcDialog.js'
+import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js'
+
+const emit = defineEmits<{
+	(e: 'close', encrypt: boolean): void
+}>()
+
+const buttons: IDialogButton[] = [
+	{
+		label: t('settings', 'Cancel encryption'),
+		// @ts-expect-error Needs to be fixed in the dialogs library - value is allowed but missing from the types
+		type: 'tertiary',
+		callback: () => emit('close', false),
+	},
+	{
+		label: t('settings', 'Enable encryption'),
+		type: 'error',
+		callback: () => emit('close', true),
+	},
+]
+
+/**
+ * When closed we need to emit the close event
+ * @param isOpen open state of the dialog
+ */
+function onUpdateOpen(isOpen: boolean) {
+	if (!isOpen) {
+		emit('close', false)
+	}
+}
+</script>
+
+<template>
+	<NcDialog :buttons="buttons"
+		:name="t('settings', 'Confirm enabling encryption')"
+		size="normal"
+		@update:open="onUpdateOpen">
+		<NcNoteCard type="warning">
+			<p>
+				{{ t('settings', 'Please read carefully before activating server-side encryption:') }}
+				<ul>
+					<li>
+						{{ t('settings', 'Once encryption is enabled, all files uploaded to the server from that point forward will be encrypted at rest on the server. It will only be possible to disable encryption at a later date if the active encryption module supports that function, and all pre-conditions (e.g. setting a recover key) are met.') }}
+					</li>
+					<li>
+						{{ t('settings', 'Encryption alone does not guarantee security of the system. Please see documentation for more information about how the encryption app works, and the supported use cases.') }}
+					</li>
+					<li>
+						{{ t('settings', 'Be aware that encryption always increases the file size.') }}
+					</li>
+					<li>
+						{{ t('settings', 'It is always good to create regular backups of your data, in case of encryption make sure to backup the encryption keys along with your data.') }}
+					</li>
+					<li>
+						{{ textExistingFilesNotEncrypted }}
+						{{ t('settings', 'Refer to the admin documentation on how to manually also encrypt existing files.') }}
+					</li>
+				</ul>
+			</p>
+		</NcNoteCard>
+		<p>
+			{{ t('settings', 'This is the final warning: Do you really want to enable encryption?') }}
+		</p>
+	</NcDialog>
+</template>
+
+<style scoped>
+li {
+	list-style-type: initial;
+	margin-inline-start: 1rem;
+	padding: 0.25rem 0;
+}
+
+p + p,
+div + p {
+	margin-block: 0.75rem;
+}
+</style>

apps/settings/src/components/Encryption/sharedTexts.ts

@@ -0,0 +1,7 @@
+/*!
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+import { t } from '@nextcloud/l10n'
+
+export const textExistingFilesNotEncrypted = t('settings', 'For performance reasons, when you enable encryption on a Nextcloud server only new and changed files are encrypted.')

apps/settings/src/main-admin-security.js

@@ -26,7 +26,7 @@ import { loadState } from '@nextcloud/initial-state'
 import Vue from 'vue'
 
 import AdminTwoFactor from './components/AdminTwoFactor.vue'
-import Encryption from './components/Encryption.vue'
+import EncryptionSettings from './components/Encryption/EncryptionSettings.vue'
 import store from './store/admin-security.js'
 
 // eslint-disable-next-line camelcase
@@ -47,5 +47,5 @@ new View({
 	store,
 }).$mount('#two-factor-auth-settings')
 
-const EncryptionView = Vue.extend(Encryption)
+const EncryptionView = Vue.extend(EncryptionSettings)
 new EncryptionView().$mount('#vue-admin-encryption')

dist/settings-vue-settings-admin-security.js.LICENSE.txt

@@ -1,3 +1,8 @@
+/*!
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
 /**
  * @copyright 2019 Roeland Jago Douma <roeland@famdouma.nl>
  *