Commit 46a328a7 authored by Lukas Reschke's avatar Lukas Reschke

Merge pull request #18873 from owncloud/enc_use_master_password

Allow admin to use a master key for all files
parents 6b22006f b2e6d7b5
......@@ -21,10 +21,17 @@
*/
use OCA\Encryption\Command\MigrateKeys;
use Symfony\Component\Console\Helper\QuestionHelper;
$userManager = OC::$server->getUserManager();
$view = new \OC\Files\View();
$config = \OC::$server->getConfig();
$userSession = \OC::$server->getUserSession();
$connection = \OC::$server->getDatabaseConnection();
$logger = \OC::$server->getLogger();
$questionHelper = new QuestionHelper();
$crypt = new \OCA\Encryption\Crypto\Crypt($logger, $userSession, $config);
$util = new \OCA\Encryption\Util($view, $crypt, $logger, $userSession, $config, $userManager);
$application->add(new MigrateKeys($userManager, $view, $connection, $config, $logger));
$application->add(new \OCA\Encryption\Command\EnableMasterKey($util, $config, $questionHelper));
<?php
/**
* @author Björn Schießle <schiessle@owncloud.com>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OCA\Encryption\Command;
use OCA\Encryption\Util;
use OCP\IConfig;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Helper\QuestionHelper;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
use Symfony\Component\Console\Question\ConfirmationQuestion;
class EnableMasterKey extends Command {
/** @var Util */
protected $util;
/** @var IConfig */
protected $config;
/** @var QuestionHelper */
protected $questionHelper;
/**
* @param Util $util
* @param IConfig $config
* @param QuestionHelper $questionHelper
*/
public function __construct(Util $util,
IConfig $config,
QuestionHelper $questionHelper) {
$this->util = $util;
$this->config = $config;
$this->questionHelper = $questionHelper;
parent::__construct();
}
protected function configure() {
$this
->setName('encryption:enable-master-key')
->setDescription('Enable the master key. Only available for fresh installations with no existing encrypted data! There is also no way to disable it again.');
}
protected function execute(InputInterface $input, OutputInterface $output) {
$isAlreadyEnabled = $this->util->isMasterKeyEnabled();
if($isAlreadyEnabled) {
$output->writeln('Master key already enabled');
} else {
$question = new ConfirmationQuestion(
'Warning: Only available for fresh installations with no existing encrypted data! '
. 'There is also no way to disable it again. Do you want to continue? (y/n) ', false);
if ($this->questionHelper->ask($input, $output, $question)) {
$this->config->setAppValue('encryption', 'useMasterKey', '1');
$output->writeln('Master key successfully enabled.');
} else {
$output->writeln('aborted.');
}
}
}
}
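Review bot: `execute()` enforces the "fresh installations with no existing encrypted data" precondition only through the y/n prompt; nothing checks it before `setAppValue('encryption', 'useMasterKey', '1')`. Once the flag is set, `KeyManager::getFileKey()` in this commit always switches `$uid` to the master key id, so files already wrapped to per-user keys would presumably become unreadable. Either refuse when existing encrypted data or user key pairs are found, or at least record the gap at the write: `// precondition (no existing encrypted data) is NOT verified here; the operator's answer is the only guard`. The method also returns no exit status, so scripts cannot tell the aborted path from success.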
......@@ -84,6 +84,9 @@ class Encryption implements IEncryptionModule {
/** @var EncryptAll */
private $encryptAll;
/** @var bool */
private $useMasterPassword;
/**
*
* @param Crypt $crypt
......@@ -105,6 +108,7 @@ class Encryption implements IEncryptionModule {
$this->encryptAll = $encryptAll;
$this->logger = $logger;
$this->l = $il10n;
$this->useMasterPassword = $util->isMasterKeyEnabled();
}
/**
......@@ -193,23 +197,26 @@ class Encryption implements IEncryptionModule {
$this->writeCache = '';
}
$publicKeys = array();
foreach ($this->accessList['users'] as $uid) {
try {
$publicKeys[$uid] = $this->keyManager->getPublicKey($uid);
} catch (PublicKeyMissingException $e) {
$this->logger->warning(
'no public key found for user "{uid}", user will not be able to read the file',
['app' => 'encryption', 'uid' => $uid]
);
// if the public key of the owner is missing we should fail
if ($uid === $this->user) {
throw $e;
if ($this->useMasterPassword === true) {
$publicKeys[$this->keyManager->getMasterKeyId()] = $this->keyManager->getPublicMasterKey();
} else {
foreach ($this->accessList['users'] as $uid) {
try {
$publicKeys[$uid] = $this->keyManager->getPublicKey($uid);
} catch (PublicKeyMissingException $e) {
$this->logger->warning(
'no public key found for user "{uid}", user will not be able to read the file',
['app' => 'encryption', 'uid' => $uid]
);
// if the public key of the owner is missing we should fail
if ($uid === $this->user) {
throw $e;
}
}
}
}
$publicKeys = $this->keyManager->addSystemKeys($this->accessList, $publicKeys, $this->user);
$encryptedKeyfiles = $this->crypt->multiKeyEncrypt($this->fileKey, $publicKeys);
$this->keyManager->setAllFileKeys($this->path, $encryptedKeyfiles);
}
......@@ -318,8 +325,12 @@ class Encryption implements IEncryptionModule {
if (!empty($fileKey)) {
$publicKeys = array();
foreach ($accessList['users'] as $user) {
$publicKeys[$user] = $this->keyManager->getPublicKey($user);
if ($this->useMasterPassword === true) {
$publicKeys[$this->keyManager->getMasterKeyId()] = $this->keyManager->getPublicMasterKey();
} else {
foreach ($accessList['users'] as $user) {
$publicKeys[$user] = $this->keyManager->getPublicKey($user);
}
}
$publicKeys = $this->keyManager->addSystemKeys($accessList, $publicKeys, $uid);
......
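Review bot: In both master-key branches (the one before `multiKeyEncrypt` and the one inside `if (!empty($fileKey))`), the result of `getPublicMasterKey()` is put into `$publicKeys` unchecked, whereas the per-user path fails with `PublicKeyMissingException` when the owner's key is missing. `validateMasterKey()` treats an empty return as "no key yet", so an empty value looks possible here, and the file key would then be wrapped without a usable master key. Fail closed instead: read it into a local with `$masterKey = $this->keyManager->getPublicMasterKey();` and throw when `empty($masterKey)`, as the owner-key case does. Both enclosing methods start and end outside the hunks.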
......@@ -54,6 +54,10 @@ class KeyManager {
* @var string
*/
private $publicShareKeyId;
/**
* @var string
*/
private $masterKeyId;
/**
* @var string UserID
*/
......@@ -131,10 +135,20 @@ class KeyManager {
$this->config->setAppValue('encryption', 'publicShareKeyId', $this->publicShareKeyId);
}
$this->masterKeyId = $this->config->getAppValue('encryption',
'masterKeyId');
if (empty($this->masterKeyId)) {
$this->masterKeyId = 'master_' . substr(md5(time()), 0, 8);
$this->config->setAppValue('encryption', 'masterKeyId', $this->masterKeyId);
}
$this->keyId = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : false;
$this->log = $log;
}
/**
* check if key pair for public link shares exists, if not we create one
*/
public function validateShareKey() {
$shareKey = $this->getPublicShareKey();
if (empty($shareKey)) {
......@@ -152,6 +166,26 @@ class KeyManager {
}
}
/**
* check if a key pair for the master key exists, if not we create one
*/
public function validateMasterKey() {
$masterKey = $this->getPublicMasterKey();
if (empty($masterKey)) {
$keyPair = $this->crypt->createKeyPair();
// Save public key
$this->keyStorage->setSystemUserKey(
$this->masterKeyId . '.publicKey', $keyPair['publicKey'],
Encryption::ID);
// Encrypt private key with system password
$encryptedKey = $this->crypt->encryptPrivateKey($keyPair['privateKey'], $this->getMasterKeyPassword(), $this->masterKeyId);
$header = $this->crypt->generateHeader();
$this->setSystemPrivateKey($this->masterKeyId, $header . $encryptedKey);
}
}
/**
* @return bool
*/
......@@ -304,8 +338,15 @@ class KeyManager {
$this->session->setStatus(Session::INIT_EXECUTED);
try {
$privateKey = $this->getPrivateKey($uid);
if($this->util->isMasterKeyEnabled()) {
$uid = $this->getMasterKeyId();
$passPhrase = $this->getMasterKeyPassword();
$privateKey = $this->getSystemPrivateKey($uid);
} else {
$privateKey = $this->getPrivateKey($uid);
}
$privateKey = $this->crypt->decryptPrivateKey($privateKey, $passPhrase, $uid);
} catch (PrivateKeyMissingException $e) {
return false;
......@@ -345,6 +386,10 @@ class KeyManager {
public function getFileKey($path, $uid) {
$encryptedFileKey = $this->keyStorage->getFileKey($path, $this->fileKeyId, Encryption::ID);
if ($this->util->isMasterKeyEnabled()) {
$uid = $this->getMasterKeyId();
}
if (is_null($uid)) {
$uid = $this->getPublicShareKeyId();
$shareKey = $this->getShareKey($path, $uid);
......@@ -566,4 +611,37 @@ class KeyManager {
return $publicKeys;
}
/**
* get master key password
*
* @return string
* @throws \Exception
*/
protected function getMasterKeyPassword() {
$password = $this->config->getSystemValue('secret');
if (empty($password)){
throw new \Exception('Can not get secret from ownCloud instance');
}
return $password;
}
/**
* return master key id
*
* @return string
*/
public function getMasterKeyId() {
return $this->masterKeyId;
}
/**
* get public master key
*
* @return string
*/
public function getPublicMasterKey() {
return $this->keyStorage->getSystemUserKey($this->masterKeyId . '.publicKey', Encryption::ID);
}
}
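Review bot: `validateMasterKey()` stores the public key before it fetches the password and writes the private key, so a failure in `getMasterKeyPassword()` (it throws when `secret` is empty) or in `encryptPrivateKey()` leaves a public master key with no matching private key. Because the method only tests `empty($masterKey)` on the public half, later calls would skip regeneration and files could end up wrapped to a key nothing can unwrap. Do the fallible steps first: `$password = $this->getMasterKeyPassword();` and `$encryptedKey = $this->crypt->encryptPrivateKey($keyPair['privateKey'], $password, $this->masterKeyId);` before `setSystemUserKey(...)`. The docblock of `getMasterKeyPassword()` should also state that the master private key is protected only by the instance `secret` from the system config, so anyone who can read that config and the key storage can decrypt every file.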
......@@ -84,6 +84,7 @@ class Setup {
*/
public function setupServerSide($uid, $password) {
$this->keyManager->validateShareKey();
$this->keyManager->validateMasterKey();
// Check if user already has keys
if (!$this->keyManager->userHasKeys($uid)) {
return $this->keyManager->storeKeyPair($uid, $password,
......
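Review bot: `validateMasterKey()` is called on every `setupServerSide()` run whether or not the master key is enabled, so each instance gets a master key pair whose private half is wrapped with the instance `secret`, and an empty `secret` would make setup throw for all users. If that is not intended, guard it at the top of `KeyManager::validateMasterKey()` with `if (!$this->util->isMasterKeyEnabled()) { return; }`; otherwise add a comment here saying the key is created eagerly on purpose. `setupServerSide()` continues past the end of the hunk.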
......@@ -101,6 +101,16 @@ class Util {
return ($recoveryMode === '1');
}
/**
* check if master key is enabled
*
* @return bool
*/
public function isMasterKeyEnabled() {
$userMasterKey = $this->config->getAppValue('encryption', 'useMasterKey', '0');
return ($userMasterKey === '1');
}
/**
* @param $enabled
* @return bool
......
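Review bot: The local in `isMasterKeyEnabled()` is named `$userMasterKey` although it holds the `useMasterKey` app value, which reads like a per-user key. Rename it to match the config key: `$useMasterKey = $this->config->getAppValue('encryption', 'useMasterKey', '0');` and `return ($useMasterKey === '1');`.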
<?php
/**
* @author Björn Schießle <schiessle@owncloud.com>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OCA\Encryption\Tests\Command;
use OCA\Encryption\Command\EnableMasterKey;
use Test\TestCase;
class TestEnableMasterKey extends TestCase {
/** @var EnableMasterKey */
protected $enableMasterKey;
/** @var Util | \PHPUnit_Framework_MockObject_MockObject */
protected $util;
/** @var \OCP\IConfig | \PHPUnit_Framework_MockObject_MockObject */
protected $config;
/** @var \Symfony\Component\Console\Helper\QuestionHelper | \PHPUnit_Framework_MockObject_MockObject */
protected $questionHelper;
/** @var \Symfony\Component\Console\Output\OutputInterface | \PHPUnit_Framework_MockObject_MockObject */
protected $output;
/** @var \Symfony\Component\Console\Input\InputInterface | \PHPUnit_Framework_MockObject_MockObject */
protected $input;
public function setUp() {
parent::setUp();
$this->util = $this->getMockBuilder('OCA\Encryption\Util')
->disableOriginalConstructor()->getMock();
$this->config = $this->getMockBuilder('OCP\IConfig')
->disableOriginalConstructor()->getMock();
$this->questionHelper = $this->getMockBuilder('Symfony\Component\Console\Helper\QuestionHelper')
->disableOriginalConstructor()->getMock();
$this->output = $this->getMockBuilder('Symfony\Component\Console\Output\OutputInterface')
->disableOriginalConstructor()->getMock();
$this->input = $this->getMockBuilder('Symfony\Component\Console\Input\InputInterface')
->disableOriginalConstructor()->getMock();
$this->enableMasterKey = new EnableMasterKey($this->util, $this->config, $this->questionHelper);
}
/**
* @dataProvider dataTestExecute
*
* @param bool $isAlreadyEnabled
* @param string $answer
*/
public function testExecute($isAlreadyEnabled, $answer) {
$this->util->expects($this->once())->method('isMasterKeyEnabled')
->willReturn($isAlreadyEnabled);
if ($isAlreadyEnabled) {
$this->output->expects($this->once())->method('writeln')
->with('Master key already enabled');
} else {
if ($answer === 'y') {
$this->questionHelper->expects($this->once())->method('ask')->willReturn(true);
$this->config->expects($this->once())->method('setAppValue')
->with('encryption', 'useMasterKey', '1');
} else {
$this->questionHelper->expects($this->once())->method('ask')->willReturn(false);
$this->config->expects($this->never())->method('setAppValue');
}
}
$this->invokePrivate($this->enableMasterKey, 'execute', [$this->input, $this->output]);
}
public function dataTestExecute() {
return [
[true, ''],
[false, 'y'],
[false, 'n'],
[false, '']
];
}
}
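Review bot: The `[true, '']` case in `testExecute()` only checks the "already enabled" message; it does not assert that the prompt and the config write are skipped. Add `$this->questionHelper->expects($this->never())->method('ask');` and `$this->config->expects($this->never())->method('setAppValue');` to the `$isAlreadyEnabled` branch so a regression that re-prompts or rewrites the flag is caught. The `@var Util` annotation is also unresolved because `OCA\Encryption\Util` is not imported in this file.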
......@@ -27,6 +27,7 @@ namespace OCA\Encryption\Tests;
use OCA\Encryption\KeyManager;
use OCA\Encryption\Session;
use Test\TestCase;
class KeyManagerTest extends TestCase {
......@@ -237,24 +238,62 @@ class KeyManagerTest extends TestCase {
}
/**
* @dataProvider dataTestInit
*
* @param bool $useMasterKey
*/
public function testInit($useMasterKey) {
$instance = $this->getMockBuilder('OCA\Encryption\KeyManager')
->setConstructorArgs(
[
$this->keyStorageMock,
$this->cryptMock,
$this->configMock,
$this->userMock,
$this->sessionMock,
$this->logMock,
$this->utilMock
]
)->setMethods(['getMasterKeyId', 'getMasterKeyPassword', 'getSystemPrivateKey', 'getPrivateKey'])
->getMock();
public function testInit() {
$this->keyStorageMock->expects($this->any())
->method('getUserKey')
->with($this->equalTo($this->userId), $this->equalTo('privateKey'))
->willReturn('privateKey');
$this->cryptMock->expects($this->any())
->method('decryptPrivateKey')
->with($this->equalTo('privateKey'), $this->equalTo('pass'))
->willReturn('decryptedPrivateKey');
$this->utilMock->expects($this->once())->method('isMasterKeyEnabled')
->willReturn($useMasterKey);
$this->sessionMock->expects($this->at(0))->method('setStatus')
->with(Session::INIT_EXECUTED);
$instance->expects($this->any())->method('getMasterKeyId')->willReturn('masterKeyId');
$instance->expects($this->any())->method('getMasterKeyPassword')->willReturn('masterKeyPassword');
$instance->expects($this->any())->method('getSystemPrivateKey')->with('masterKeyId')->willReturn('privateMasterKey');
$instance->expects($this->any())->method('getPrivateKey')->with($this->userId)->willReturn('privateUserKey');
if($useMasterKey) {
$this->cryptMock->expects($this->once())->method('decryptPrivateKey')
->with('privateMasterKey', 'masterKeyPassword', 'masterKeyId')
->willReturn('key');
} else {
$this->cryptMock->expects($this->once())->method('decryptPrivateKey')
->with('privateUserKey', 'pass', $this->userId)
->willReturn('key');
}
$this->sessionMock->expects($this->once())->method('setPrivateKey')
->with('key');
$this->assertTrue(
$this->instance->init($this->userId, 'pass')
);
$this->assertTrue($instance->init($this->userId, 'pass'));
}
public function dataTestInit() {
return [
[true],
[false]
];
}
public function testSetRecoveryKey() {
$this->keyStorageMock->expects($this->exactly(2))
->method('setSystemUserKey')
......@@ -401,5 +440,92 @@ class KeyManagerTest extends TestCase {
);
}
public function testGetMasterKeyId() {
$this->assertSame('systemKeyId', $this->instance->getMasterKeyId());
}
public function testGetPublicMasterKey() {
$this->keyStorageMock->expects($this->once())->method('getSystemUserKey')
->with('systemKeyId.publicKey', \OCA\Encryption\Crypto\Encryption::ID)
->willReturn(true);
$this->assertTrue(
$this->instance->getPublicMasterKey()
);
}
public function testGetMasterKeyPassword() {
$this->configMock->expects($this->once())->method('getSystemValue')->with('secret')
->willReturn('password');
$this->assertSame('password',
$this->invokePrivate($this->instance, 'getMasterKeyPassword', [])
);
}
/**
* @expectedException \Exception
*/
public function testGetMasterKeyPasswordException() {
$this->configMock->expects($this->once())->method('getSystemValue')->with('secret')
->willReturn('');
$this->invokePrivate($this->instance, 'getMasterKeyPassword', []);
}
/**
* @dataProvider dataTestValidateMasterKey
*
* @param $masterKey
*/
public function testValidateMasterKey($masterKey) {
/** @var \OCA\Encryption\KeyManager | \PHPUnit_Framework_MockObject_MockObject $instance */
$instance = $this->getMockBuilder('OCA\Encryption\KeyManager')
->setConstructorArgs(
[
$this->keyStorageMock,
$this->cryptMock,
$this->configMock,
$this->userMock,
$this->sessionMock,
$this->logMock,
$this->utilMock
]
)->setMethods(['getPublicMasterKey', 'setSystemPrivateKey', 'getMasterKeyPassword'])
->getMock();
$instance->expects($this->once())->method('getPublicMasterKey')
->willReturn($masterKey);
$instance->expects($this->any())->method('getMasterKeyPassword')->willReturn('masterKeyPassword');
$this->cryptMock->expects($this->any())->method('generateHeader')->willReturn('header');
if(empty($masterKey)) {
$this->cryptMock->expects($this->once())->method('createKeyPair')
->willReturn(['publicKey' => 'public', 'privateKey' => 'private']);
$this->keyStorageMock->expects($this->once())->method('setSystemUserKey')
->with('systemKeyId.publicKey', 'public', \OCA\Encryption\Crypto\Encryption::ID);
$this->cryptMock->expects($this->once())->method('encryptPrivateKey')
->with('private', 'masterKeyPassword', 'systemKeyId')
->willReturn('EncryptedKey');
$instance->expects($this->once())->method('setSystemPrivateKey')
->with('systemKeyId', 'headerEncryptedKey');
} else {
$this->cryptMock->expects($this->never())->method('createKeyPair');
$this->keyStorageMock->expects($this->never())->method('setSystemUserKey');
$this->cryptMock->expects($this->never())->method('encryptPrivateKey');
$instance->expects($this->never())->method('setSystemPrivateKey');
}
$instance->validateMasterKey();
}
public function dataTestValidateMasterKey() {
return [
['masterKey'],
['']
];