upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-06-08 08:16:43 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 10

Merge pull request #27727 from nextcloud/backport/27638/stable21

Browse source 
[stable21] Downstream encryption:fix-encrypted-version for repairing "bad signature" errors
This commit is contained in:
Vincent Petry 2021-06-30 17:18:14 +02:00 committed by GitHub
commit ece2e3e5ea
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 635 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
apps/encryption/appinfo/info.xml
View file

@ -45,6 +45,7 @@
<command>OCA\Encryption\Command\DisableMasterKey</command>
<command>OCA\Encryption\Command\RecoverUser</command>
<command>OCA\Encryption\Command\ScanLegacyFormat</command>
<command>OCA\Encryption\Command\FixEncryptedVersion</command>
</commands>
<settings>

1
apps/encryption/composer/composer/autoload_classmap.php
View file

@ -10,6 +10,7 @@ return array(
'OCA\\Encryption\\AppInfo\\Application' => $baseDir . '/../lib/AppInfo/Application.php',
'OCA\\Encryption\\Command\\DisableMasterKey' => $baseDir . '/../lib/Command/DisableMasterKey.php',
'OCA\\Encryption\\Command\\EnableMasterKey' => $baseDir . '/../lib/Command/EnableMasterKey.php',
'OCA\\Encryption\\Command\\FixEncryptedVersion' => $baseDir . '/../lib/Command/FixEncryptedVersion.php',
'OCA\\Encryption\\Command\\RecoverUser' => $baseDir . '/../lib/Command/RecoverUser.php',
'OCA\\Encryption\\Command\\ScanLegacyFormat' => $baseDir . '/../lib/Command/ScanLegacyFormat.php',
'OCA\\Encryption\\Controller\\RecoveryController' => $baseDir . '/../lib/Controller/RecoveryController.php',

1
apps/encryption/composer/composer/autoload_static.php
View file

@ -25,6 +25,7 @@ class ComposerStaticInitEncryption
'OCA\\Encryption\\AppInfo\\Application' => __DIR__ . '/..' . '/../lib/AppInfo/Application.php',
'OCA\\Encryption\\Command\\DisableMasterKey' => __DIR__ . '/..' . '/../lib/Command/DisableMasterKey.php',
'OCA\\Encryption\\Command\\EnableMasterKey' => __DIR__ . '/..' . '/../lib/Command/EnableMasterKey.php',
'OCA\\Encryption\\Command\\FixEncryptedVersion' => __DIR__ . '/..' . '/../lib/Command/FixEncryptedVersion.php',
'OCA\\Encryption\\Command\\RecoverUser' => __DIR__ . '/..' . '/../lib/Command/RecoverUser.php',
'OCA\\Encryption\\Command\\ScanLegacyFormat' => __DIR__ . '/..' . '/../lib/Command/ScanLegacyFormat.php',
'OCA\\Encryption\\Controller\\RecoveryController' => __DIR__ . '/..' . '/../lib/Controller/RecoveryController.php',

286
apps/encryption/lib/Command/FixEncryptedVersion.php Normal file
View file

@ -0,0 +1,286 @@
<?php
/**
* @author Sujith Haridasan <sharidasan@owncloud.com>
* @author Ilja Neumann <ineumann@owncloud.com>
*
* @copyright Copyright (c) 2019, ownCloud GmbH
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OCA\Encryption\Command;
use OC\Files\View;
use OC\HintException;
use OCA\Encryption\Util;
use OCP\Files\IRootFolder;
use OCP\IConfig;
use OCP\ILogger;
use OCP\IUserManager;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputArgument;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
class FixEncryptedVersion extends Command {
/** @var IConfig */
private $config;
/** @var ILogger */
private $logger;
/** @var IRootFolder */
private $rootFolder;
/** @var IUserManager */
private $userManager;
/** @var Util */
private $util;
/** @var View */
private $view;
public function __construct(
IConfig $config,
ILogger $logger,
IRootFolder $rootFolder,
IUserManager $userManager,
Util $util,
View $view
) {
$this->config = $config;
$this->logger = $logger;
$this->rootFolder = $rootFolder;
$this->userManager = $userManager;
$this->util = $util;
$this->view = $view;
parent::__construct();
}
protected function configure(): void {
parent::configure();
$this
->setName('encryption:fix-encrypted-version')
->setDescription('Fix the encrypted version if the encrypted file(s) are not downloadable.')
->addArgument(
'user',
InputArgument::REQUIRED,
'The id of the user whose files need fixing'
)->addOption(
'path',
'p',
InputArgument::OPTIONAL,
'Limit files to fix with path, e.g., --path="/Music/Artist". If path indicates a directory, all the files inside directory will be fixed.'
);
}
/**
* @param InputInterface $input
* @param OutputInterface $output
* @return int
*/
protected function execute(InputInterface $input, OutputInterface $output): int {
$skipSignatureCheck = $this->config->getSystemValue('encryption_skip_signature_check', false);
if ($skipSignatureCheck) {
$output->writeln("<error>Repairing is not possible when \"encryption_skip_signature_check\" is set. Please disable this flag in the configuration.</error>\n");
return 1;
}
if (!$this->util->isMasterKeyEnabled()) {
$output->writeln("<error>Repairing only works with master key encryption.</error>\n");
return 1;
}
$user = (string)$input->getArgument('user');
$pathToWalk = "/$user/files";
/**
* trim() returns an empty string when the argument is an unset/null
*/
$pathOption = \trim($input->getOption('path'), '/');
if ($pathOption !== "") {
$pathToWalk = "$pathToWalk/$pathOption";
}
if ($user === null) {
$output->writeln("<error>No user id provided.</error>\n");
return 1;
}
if ($this->userManager->get($user) === null) {
$output->writeln("<error>User id $user does not exist. Please provide a valid user id</error>");
return 1;
}
return $this->walkPathOfUser($user, $pathToWalk, $output);
}
/**
* @param string $user
* @param string $path
* @param OutputInterface $output
* @return int 0 for success, 1 for error
*/
private function walkPathOfUser($user, $path, OutputInterface $output): int {
$this->setupUserFs($user);
if (!$this->view->file_exists($path)) {
$output->writeln("<error>Path \"$path\" does not exist. Please provide a valid path.</error>");
return 1;
}
if ($this->view->is_file($path)) {
$output->writeln("Verifying the content of file \"$path\"");
$this->verifyFileContent($path, $output);
return 0;
}
$directories = [];
$directories[] = $path;
while ($root = \array_pop($directories)) {
$directoryContent = $this->view->getDirectoryContent($root);
foreach ($directoryContent as $file) {
$path = $root . '/' . $file['name'];
if ($this->view->is_dir($path)) {
$directories[] = $path;
} else {
$output->writeln("Verifying the content of file \"$path\"");
$this->verifyFileContent($path, $output);
}
}
}
return 0;
}
/**
* @param string $path
* @param OutputInterface $output
* @param bool $ignoreCorrectEncVersionCall, setting this variable to false avoids recursion
*/
private function verifyFileContent($path, OutputInterface $output, $ignoreCorrectEncVersionCall = true): bool {
try {
/**
* In encryption, the files are read in a block size of 8192 bytes
* Read block size of 8192 and a bit more (808 bytes)
* If there is any problem, the first block should throw the signature
* mismatch error. Which as of now, is enough to proceed ahead to
* correct the encrypted version.
*/
$handle = $this->view->fopen($path, 'rb');
if (\fread($handle, 9001) !== false) {
$output->writeln("<info>The file \"$path\" is: OK</info>");
}
\fclose($handle);
return true;
} catch (HintException $e) {
$this->logger->warning("Issue: " . $e->getMessage());
//If allowOnce is set to false, this becomes recursive.
if ($ignoreCorrectEncVersionCall === true) {
//Lets rectify the file by correcting encrypted version
$output->writeln("<info>Attempting to fix the path: \"$path\"</info>");
return $this->correctEncryptedVersion($path, $output);
}
return false;
}
}
/**
* @param string $path
* @param OutputInterface $output
* @return bool
*/
private function correctEncryptedVersion($path, OutputInterface $output): bool {
$fileInfo = $this->view->getFileInfo($path);
if (!$fileInfo) {
$output->writeln("<warning>File info not found for file: \"$path\"</warning>");
return true;
}
$fileId = $fileInfo->getId();
$encryptedVersion = $fileInfo->getEncryptedVersion();
$wrongEncryptedVersion = $encryptedVersion;
$storage = $fileInfo->getStorage();
$cache = $storage->getCache();
$fileCache = $cache->get($fileId);
if (!$fileCache) {
$output->writeln("<warning>File cache entry not found for file: \"$path\"</warning>");
return true;
}
if ($storage->instanceOfStorage('OCA\Files_Sharing\ISharedStorage')) {
$output->writeln("<info>The file: \"$path\" is a share. Please also run the script for the owner of the share</info>");
return true;
}
// Save original encrypted version so we can restore it if decryption fails with all version
$originalEncryptedVersion = $encryptedVersion;
if ($encryptedVersion >= 0) {
//test by decrementing the value till 1 and if nothing works try incrementing
$encryptedVersion--;
while ($encryptedVersion > 0) {
$cacheInfo = ['encryptedVersion' => $encryptedVersion, 'encrypted' => $encryptedVersion];
$cache->put($fileCache->getPath(), $cacheInfo);
$output->writeln("<info>Decrement the encrypted version to $encryptedVersion</info>");
if ($this->verifyFileContent($path, $output, false) === true) {
$output->writeln("<info>Fixed the file: \"$path\" with version " . $encryptedVersion . "</info>");
return true;
}
$encryptedVersion--;
}
//So decrementing did not work. Now lets increment. Max increment is till 5
$increment = 1;
while ($increment <= 5) {
/**
* The wrongEncryptedVersion would not be incremented so nothing to worry about here.
* Only the newEncryptedVersion is incremented.
* For example if the wrong encrypted version is 4 then
* cycle1 -> newEncryptedVersion = 5 ( 4 + 1)
* cycle2 -> newEncryptedVersion = 6 ( 4 + 2)
* cycle3 -> newEncryptedVersion = 7 ( 4 + 3)
*/
$newEncryptedVersion = $wrongEncryptedVersion + $increment;
$cacheInfo = ['encryptedVersion' => $newEncryptedVersion, 'encrypted' => $newEncryptedVersion];
$cache->put($fileCache->getPath(), $cacheInfo);
$output->writeln("<info>Increment the encrypted version to $newEncryptedVersion</info>");
if ($this->verifyFileContent($path, $output, false) === true) {
$output->writeln("<info>Fixed the file: \"$path\" with version " . $newEncryptedVersion . "</info>");
return true;
}
$increment++;
}
}
$cacheInfo = ['encryptedVersion' => $originalEncryptedVersion, 'encrypted' => $originalEncryptedVersion];
$cache->put($fileCache->getPath(), $cacheInfo);
$output->writeln("<info>No fix found for \"$path\", restored version to original: $originalEncryptedVersion</info>");
return false;
}
/**
* Setup user file system
* @param string $uid
*/
private function setupUserFs($uid): void {
\OC_Util::tearDownFS();
\OC_Util::setupFS($uid);
}
}

346
apps/encryption/tests/Command/FixEncryptedVersionTest.php Normal file
View file

@ -0,0 +1,346 @@
<?php
/**
* @author Sujith Haridasan <sharidasan@owncloud.com>
*
* @copyright Copyright (c) 2019, ownCloud GmbH
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OCA\Encryption\Tests\Command;
use OC\Files\View;
use OCA\Encryption\Command\FixEncryptedVersion;
use OCA\Encryption\Util;
use Symfony\Component\Console\Tester\CommandTester;
use Test\TestCase;
use Test\Traits\EncryptionTrait;
use Test\Traits\MountProviderTrait;
use Test\Traits\UserTrait;
/**
* Class FixEncryptedVersionTest
*
* @group DB
* @package OCA\Encryption\Tests\Command
*/
class FixEncryptedVersionTest extends TestCase {
use MountProviderTrait;
use EncryptionTrait;
use UserTrait;
private $userId;
/** @var FixEncryptedVersion */
private $fixEncryptedVersion;
/** @var CommandTester */
private $commandTester;
/** @var Util|\PHPUnit\Framework\MockObject\MockObject */
protected $util;
public function setUp(): void {
parent::setUp();
\OC::$server->getConfig()->setAppValue('encryption', 'useMasterKey', '1');
$this->util = $this->getMockBuilder(Util::class)
->disableOriginalConstructor()->getMock();
$this->userId = $this->getUniqueId('user_');
$this->createUser($this->userId, 'foo12345678');
$tmpFolder = \OC::$server->getTempManager()->getTemporaryFolder();
$this->registerMount($this->userId, '\OC\Files\Storage\Local', '/' . $this->userId, ['datadir' => $tmpFolder]);
$this->setupForUser($this->userId, 'foo12345678');
$this->loginWithEncryption($this->userId);
$this->fixEncryptedVersion = new FixEncryptedVersion(
\OC::$server->getConfig(),
\OC::$server->getLogger(),
\OC::$server->getRootFolder(),
\OC::$server->getUserManager(),
$this->util,
new View('/')
);
$this->commandTester = new CommandTester($this->fixEncryptedVersion);
$this->assertTrue(\OC::$server->getEncryptionManager()->isEnabled());
$this->assertTrue(\OC::$server->getEncryptionManager()->isReady());
$this->assertTrue(\OC::$server->getEncryptionManager()->isReadyForUser($this->userId));
}
/**
* In this test the encrypted version of the file is less than the original value
* but greater than zero
*/
public function testEncryptedVersionLessThanOriginalValue() {
$this->util->expects($this->once())->method('isMasterKeyEnabled')
->willReturn(true);
$view = new View("/" . $this->userId . "/files");
$view->touch('hello.txt');
$view->touch('world.txt');
$view->touch('foo.txt');
$view->file_put_contents('hello.txt', 'a test string for hello');
$view->file_put_contents('hello.txt', 'Yet another value');
$view->file_put_contents('hello.txt', 'Lets modify again1');
$view->file_put_contents('hello.txt', 'Lets modify again2');
$view->file_put_contents('hello.txt', 'Lets modify again3');
$view->file_put_contents('world.txt', 'a test string for world');
$view->file_put_contents('world.txt', 'a test string for world');
$view->file_put_contents('world.txt', 'a test string for world');
$view->file_put_contents('world.txt', 'a test string for world');
$view->file_put_contents('foo.txt', 'a foo test');
$fileInfo1 = $view->getFileInfo('hello.txt');
$storage1 = $fileInfo1->getStorage();
$cache1 = $storage1->getCache();
$fileCache1 = $cache1->get($fileInfo1->getId());
//Now change the encrypted version to two
$cacheInfo = ['encryptedVersion' => 2, 'encrypted' => 2];
$cache1->put($fileCache1->getPath(), $cacheInfo);
$fileInfo2 = $view->getFileInfo('world.txt');
$storage2 = $fileInfo2->getStorage();
$cache2 = $storage2->getCache();
$filecache2 = $cache2->get($fileInfo2->getId());
//Now change the encrypted version to 1
$cacheInfo = ['encryptedVersion' => 1, 'encrypted' => 1];
$cache2->put($filecache2->getPath(), $cacheInfo);
$this->commandTester->execute([
'user' => $this->userId
]);
$output = $this->commandTester->getDisplay();
$this->assertStringContainsString("Verifying the content of file \"/$this->userId/files/foo.txt\"
The file \"/$this->userId/files/foo.txt\" is: OK", $output);
$this->assertStringContainsString("Verifying the content of file \"/$this->userId/files/hello.txt\"
Attempting to fix the path: \"/$this->userId/files/hello.txt\"
Decrement the encrypted version to 1
Increment the encrypted version to 3
Increment the encrypted version to 4
Increment the encrypted version to 5
The file \"/$this->userId/files/hello.txt\" is: OK
Fixed the file: \"/$this->userId/files/hello.txt\" with version 5", $output);
$this->assertStringContainsString("Verifying the content of file \"/$this->userId/files/world.txt\"
Attempting to fix the path: \"/$this->userId/files/world.txt\"
Increment the encrypted version to 2
Increment the encrypted version to 3
Increment the encrypted version to 4
The file \"/$this->userId/files/world.txt\" is: OK
Fixed the file: \"/$this->userId/files/world.txt\" with version 4", $output);
}
/**
* In this test the encrypted version of the file is greater than the original value
* but greater than zero
*/
public function testEncryptedVersionGreaterThanOriginalValue() {
$this->util->expects($this->once())->method('isMasterKeyEnabled')
->willReturn(true);
$view = new View("/" . $this->userId . "/files");
$view->touch('hello.txt');
$view->touch('world.txt');
$view->touch('foo.txt');
$view->file_put_contents('hello.txt', 'a test string for hello');
$view->file_put_contents('hello.txt', 'Lets modify again2');
$view->file_put_contents('hello.txt', 'Lets modify again3');
$view->file_put_contents('world.txt', 'a test string for world');
$view->file_put_contents('world.txt', 'a test string for world');
$view->file_put_contents('world.txt', 'a test string for world');
$view->file_put_contents('world.txt', 'a test string for world');
$view->file_put_contents('foo.txt', 'a foo test');
$fileInfo1 = $view->getFileInfo('hello.txt');
$storage1 = $fileInfo1->getStorage();
$cache1 = $storage1->getCache();
$fileCache1 = $cache1->get($fileInfo1->getId());
//Now change the encrypted version to fifteen
$cacheInfo = ['encryptedVersion' => 5, 'encrypted' => 5];
$cache1->put($fileCache1->getPath(), $cacheInfo);
$fileInfo2 = $view->getFileInfo('world.txt');
$storage2 = $fileInfo2->getStorage();
$cache2 = $storage2->getCache();
$filecache2 = $cache2->get($fileInfo2->getId());
//Now change the encrypted version to 1
$cacheInfo = ['encryptedVersion' => 6, 'encrypted' => 6];
$cache2->put($filecache2->getPath(), $cacheInfo);
$this->commandTester->execute([
'user' => $this->userId
]);
$output = $this->commandTester->getDisplay();
$this->assertStringContainsString("Verifying the content of file \"/$this->userId/files/foo.txt\"
The file \"/$this->userId/files/foo.txt\" is: OK", $output);
$this->assertStringContainsString("Verifying the content of file \"/$this->userId/files/hello.txt\"
Attempting to fix the path: \"/$this->userId/files/hello.txt\"
Decrement the encrypted version to 4
Decrement the encrypted version to 3
The file \"/$this->userId/files/hello.txt\" is: OK
Fixed the file: \"/$this->userId/files/hello.txt\" with version 3", $output);
$this->assertStringContainsString("Verifying the content of file \"/$this->userId/files/world.txt\"
Attempting to fix the path: \"/$this->userId/files/world.txt\"
Decrement the encrypted version to 5
Decrement the encrypted version to 4
The file \"/$this->userId/files/world.txt\" is: OK
Fixed the file: \"/$this->userId/files/world.txt\" with version 4", $output);
}
public function testVersionIsRestoredToOriginalIfNoFixIsFound() {
$this->util->expects($this->once())->method('isMasterKeyEnabled')
->willReturn(true);
$view = new View("/" . $this->userId . "/files");
$view->touch('bar.txt');
for ($i = 0; $i < 40; $i++) {
$view->file_put_contents('bar.txt', 'a test string for hello ' . $i);
}
$fileInfo = $view->getFileInfo('bar.txt');
$storage = $fileInfo->getStorage();
$cache = $storage->getCache();
$fileCache = $cache->get($fileInfo->getId());
$cacheInfo = ['encryptedVersion' => 15, 'encrypted' => 15];
$cache->put($fileCache->getPath(), $cacheInfo);
$this->commandTester->execute([
'user' => $this->userId
]);
$cacheInfo = $cache->get($fileInfo->getId());
$encryptedVersion = $cacheInfo["encryptedVersion"];
$this->assertEquals(15, $encryptedVersion);
}
/**
* Test commands with a file path
*/
public function testExecuteWithFilePathOption() {
$this->util->expects($this->once())->method('isMasterKeyEnabled')
->willReturn(true);
$view = new View("/" . $this->userId . "/files");
$view->touch('hello.txt');
$view->touch('world.txt');
$this->commandTester->execute([
'user' => $this->userId,
'--path' => "/hello.txt"
]);
$output = $this->commandTester->getDisplay();
$this->assertStringContainsString("Verifying the content of file \"/$this->userId/files/hello.txt\"
The file \"/$this->userId/files/hello.txt\" is: OK", $output);
$this->assertStringNotContainsString('world.txt', $output);
}
/**
* Test commands with a directory path
*/
public function testExecuteWithDirectoryPathOption() {
$this->util->expects($this->once())->method('isMasterKeyEnabled')
->willReturn(true);
$view = new View("/" . $this->userId . "/files");
$view->mkdir('sub');
$view->touch('sub/hello.txt');
$view->touch('world.txt');
$this->commandTester->execute([
'user' => $this->userId,
'--path' => "/sub"
]);
$output = $this->commandTester->getDisplay();
$this->assertStringContainsString("Verifying the content of file \"/$this->userId/files/sub/hello.txt\"
The file \"/$this->userId/files/sub/hello.txt\" is: OK", $output);
$this->assertStringNotContainsString('world.txt', $output);
}
/**
* Test commands with a directory path
*/
public function testExecuteWithNoUser() {
$this->util->expects($this->once())->method('isMasterKeyEnabled')
->willReturn(true);
$this->commandTester->execute([
'user' => null,
'--path' => "/"
]);
$output = $this->commandTester->getDisplay();
$this->assertStringContainsString('does not exist', $output);
}
/**
* Test commands with a directory path
*/
public function testExecuteWithNonExistentPath() {
$this->util->expects($this->once())->method('isMasterKeyEnabled')
->willReturn(true);
$this->commandTester->execute([
'user' => $this->userId,
'--path' => '/non-exist'
]);
$output = $this->commandTester->getDisplay();
$this->assertStringContainsString('Please provide a valid path.', $output);
}
/**
* Test commands without master key
*/
public function testExecuteWithNoMasterKey() {
\OC::$server->getConfig()->setAppValue('encryption', 'useMasterKey', '0');
$this->util->expects($this->once())->method('isMasterKeyEnabled')
->willReturn(false);
$this->commandTester->execute([
'user' => $this->userId,
]);
$output = $this->commandTester->getDisplay();
$this->assertStringContainsString('only works with master key', $output);
}
}