When moving a file to trash with encryption enabled, the cache gets
moved before the actual file. According to @icewind1991 this is in order
to not break object storage.
When moving a file from an unencrypted storage (e.g. a collectives
storage) to the encrypted trashbin storage, this causes errors, see
This commit fixes it by doing `updateEncryptedVersion()` on the target
cache entry *if* the source cache entry doesn't exist anymore, but the
corresponding target cache entry does exist already.
Fixes: #26544
Signed-off-by: Jonas Meurer <jonas@freesources.org>
Fixes an issue with transfer ownership in move mode where the folder
"files_encryption/keys/files" already exists.
Instead of failing, its existence is checked before calling mkdir.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
In case of error there is no guarantee that $source or $target is set or
is a resource when handling an error.
Without this fix, there's a risk that fclose will fail and the actual
exception will not be thrown, making it impossible to find out about the
root cause.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
When we initially added the EC2 and ECS IAM role support in #24700,
we had to use a workaround by explicitly ordering the various providers
due to an inconsistency in the AWS SDK for PHP. We submitted a PR there
to get that squared away. Now, we've consumed that version upstream
for the SDK and can update our code here to be the most concise version
as well as position ourselves to pick up new methods as those become
available and prevalent in AWS (for acquiring credentials).
See also: https://github.com/nextcloud/server/pull/24700#issuecomment-747650892
See also: https://github.com/aws/aws-sdk-php/pull/2172
Signed-off-by: Stephen Cuppett <steve@cuppett.com>
Directory entry file names are now normalized in getMetaData(),
getDirectoryContents() and opendir().
This makes the scanner work properly as it assumes pre-normalized names.
In case the names were not normalized, the scanner will now skip the
entries and display a warning when applicable.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
The encoding check for file names is now happening the Scanner, and an
event will be emitted only if the storage doesn't contain the encoding
compatibility wrapper.
The event is listened to by the occ scan command to be able to display a
warning in case of file name mismatches when they have NFD encoding.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
The scanner would not find a NFD-encoded file name in an
existing file list that is normalized.
This normalizes the file name before scanning.
Fixes issues where scanning repeatedly would make NFD files flicker in
and out of existence in the file cache.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Technically, saying that a storage has no updates when it's not
available is correct.
This makes it possible to retrieve the cache entry for the mount point
and also to list and remove unavailable federated shares.
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Make sure that when a user copy a file from a directory they don't have
all permissions to a directory where they have more permissions, the
permissions are correctly set to the one from the parent taget folder.
This was caused by the ObjectStoreStorage::copyFromStorage using
the jailed storage and cache entry instead of the unjailed one like other
storages (the local one).
Steps to reproduce
+ Use object storage
+ Create a groupfolder with one group having full permission and another one
who can just read files.
+ With an user who is in the second group, copy a file from the groupfolder to
the home folder of this user.
+ The file in the home folder of the user will be read only and can't be deleted
even though it is in their home folder and they are the owner. In oc_filecache,
the permissions stored for this file are 1 (READ)
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
When using and object store as primary storage and using the default
encryption module at the same time, any encrypted file would be truncated
when read, and a text error message added to the end.
This was caused by a combination of the reliance of the read functions on
on knowing the unencrypted file size, and a bug in the function which
calculated the unencrypted file size for a given file.
In order to calculate the unencrypted file size, the function would first
skip the header block, then use fseek to skip to the last encrypted block
in the file. Because there was a corresponence between the encrypted and
unencrypted blocks, this would also be the last encrypted block. It would
then read the final block and decrypt it to get the unencrypted length of
the last block. With that, the number of blocks, and the unencrypted block
size, it could calculate the unencrypted file size.
The trouble was that when using an object store, an fread call doesn't
always get you the number of bytes you asked for, even if they are
available. To resolve this I adapted the stream_read_block function from
lib/private/Files/Streams/Encryption.php to work here. This function
wraps the fread call in a loop and repeats until it has the entire set of
bytes that were requested, or there are no more to get.
This fixes the imediate bug, and should (with luck) allow people to get
their encrypted files out of Nextcloud now. (The problem was purely on
the decryption side). In the future it would be nice to do some
refactoring here.
I have tested this with image files ranging from 1kb to 10mb using
Nextcloud version 22.1.0 (the nextcloud:22.1-apache docker image), with
sqlite and a Linode object store as the primary storage.
Signed-off-by: Alan Meeson <alan@carefullycalculated.co.uk>
Using advanced ACL, it is possible that an user has access to a
directory but not to a subdirectory, so the copying use
Common::copyFromStorage instead of Local::copyFromStorage.
Fix https://github.com/nextcloud/groupfolders/issues/1692
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
This involved changing CacheQueryBuilder\whereParentIn to take a
parameter name, renaming the function accordingly.
Signed-off-by: Sijmen Schoon <me@sijmenschoon.nl>
