예제 #1
 /**
  * @brief test moving a shared file out of the Shared folder
  *
  * USER1 writes a file through the crypt:// stream wrapper and shares it with
  * USER2 with OCP\PERMISSION_ALL. USER2 then reads it from files/Shared/,
  * renames it into files/ and reads it again. The test finally asserts that
  * the file is gone from USER1's files/ folder.
  */
 function testRename()
 {
     $owner = \Test_Encryption_Share::TEST_ENCRYPTION_SHARE_USER1;
     $recipient = \Test_Encryption_Share::TEST_ENCRYPTION_SHARE_USER2;

     // act as the owner and write the file through the encrypting stream wrapper
     \Test_Encryption_Util::loginHelper($owner);
     $bytesWritten = file_put_contents('crypt:///' . $owner . '/files/' . $this->filename, $this->dataShort);
     // file_put_contents() yields an int byte count on success
     $this->assertTrue(is_int($bytesWritten));

     // look up the file's metadata; the share call needs its fileid
     $ownerFileInfo = $this->view->getFileInfo('/' . $owner . '/files/' . $this->filename);
     $this->assertTrue(is_array($ownerFileInfo));

     // share with the recipient, granting all permissions
     \OCP\Share::shareItem('file', $ownerFileInfo['fileid'], \OCP\Share::SHARE_TYPE_USER, $recipient, OCP\PERMISSION_ALL);

     // sharing must have produced a share key for the recipient under the owner's key folder
     $recipientShareKey = '/' . $owner . '/files_encryption/share-keys/' . $this->filename . '.' . $recipient . '.shareKey';
     $this->assertTrue($this->view->file_exists($recipientShareKey));

     // switch to the recipient
     \Test_Encryption_Util::loginHelper($recipient);
     $sharedPath = '/' . $recipient . '/files/Shared/' . $this->filename;
     $movedPath = '/' . $recipient . '/files/' . $this->filename;

     // the share is visible and decrypts to the original content
     $this->assertTrue($this->view->file_exists($sharedPath));
     $contentFromShare = $this->view->file_get_contents($sharedPath);
     $this->assertEquals($this->dataShort, $contentFromShare);

     // move the file out of the Shared folder; it must stay readable afterwards
     $this->view->rename($sharedPath, $movedPath);
     $contentAfterMove = $this->view->file_get_contents($movedPath);
     $this->assertEquals($this->dataShort, $contentAfterMove);

     // the owner's copy is expected to be gone after the move
     $this->assertFalse($this->view->file_exists('/' . $owner . '/files/' . $this->filename));

     // cleanup
     $this->view->unlink($movedPath);
 }
예제 #2
 /**
  * @brief retrieve public key for a specified user
  * @param \OC_FilesystemView $view view the key path is resolved against
  * @param string $userId user whose '/public-keys/<userId>.public.key' file is read
  * @return string public key or false
  * @note The file proxy is disabled for the read and then set back to the
  * state it had on entry.
  * @note NOTE(review): $userId goes into the path unchecked, so callers should
  * pass only a validated user id. There is no try/catch here; an exception
  * raised by the read would leave the proxy disabled.
  */
 public static function getPublicKey(\OC_FilesystemView $view, $userId)
 {
     // remember the current proxy state, then bypass the proxy for the raw read
     $previousState = \OC_FileProxy::$enabled;
     \OC_FileProxy::$enabled = false;

     $keyPath = '/public-keys/' . $userId . '.public.key';
     $publicKey = $view->file_get_contents($keyPath);

     // put the proxy back exactly as it was found
     \OC_FileProxy::$enabled = $previousState;

     return $publicKey;
 }
예제 #3
 /**
  * @brief Startup encryption backend upon user login
  * @param array $params login data; the 'uid' and 'password' entries are read here
  * @return bool false when Helper::setupUser() reports failure, true otherwise
  * @note This method should never be called for users using client side encryption
  * @note NOTE(review): a failed private-key decryption is only logged; the false
  * result is still stored in the session. Confirm that code reading the session
  * key treats false as "no usable key".
  * @note NOTE(review): the user id is written to the log verbatim and the login
  * password is passed on to the legacy-decrypt and encryptAll calls.
  */
 public static function login($params)
 {
     $l10n = new \OC_L10N('files_encryption');

     // requirements not met: disable the app, log the reason and show an error page
     if (!Helper::checkRequirements()) {
         $errorMessage = $l10n->t("Missing requirements.");
         $errorHint = $l10n->t('Please make sure that PHP 5.3.3 or newer is installed and that the OpenSSL PHP extension is enabled and configured properly. For now, the encryption app has been disabled.');
         \OC_App::disable('files_encryption');
         \OCP\Util::writeLog('Encryption library', $errorMessage . ' ' . $errorHint, \OCP\Util::ERROR);
         \OCP\Template::printErrorPage($errorMessage, $errorHint);
     }

     $rootView = new \OC_FilesystemView('/');

     // the filesystem has to be set up before any key file can be read
     if (!\OC\Files\Filesystem::$loaded) {
         \OC_Util::setupFS($params['uid']);
     }

     $util = new Util($rootView, $params['uid']);

     // a user that cannot be set up has to log in again
     if (Helper::setupUser($util, $params['password']) === false) {
         return false;
     }

     // unlock the stored private key with the login password
     $storedPrivateKey = Keymanager::getPrivateKey($rootView, $params['uid']);
     $privateKey = Crypt::decryptPrivateKey($storedPrivateKey, $params['password']);
     if ($privateKey === false) {
         \OCP\Util::writeLog('Encryption library', 'Private key for user "' . $params['uid'] . '" is not valid! Maybe the user password was changed from outside if so please change it back to gain access', \OCP\Util::ERROR);
     }

     // the (possibly false) key is kept in the session for the rest of the login
     $session = new \OCA\Encryption\Session($rootView);
     $session->setPrivateKey($privateKey);

     // first-run migration only starts while its status is still "open"
     $migrationStarted = false;
     if ($util->getMigrationStatus() === Util::MIGRATION_OPEN) {
         $migrationStarted = $util->beginMigration();
     }
     if (!$migrationStarted) {
         return true;
     }

     $userView = new \OC_FilesystemView('/' . $params['uid']);

     // a key left over from the deprecated encryption system is decrypted
     // and kept in the session so old files can still be read
     if ($userView->file_exists('encryption.key')) {
         $encryptedLegacyKey = $userView->file_get_contents('encryption.key');
         if ($encryptedLegacyKey) {
             $legacyKey = Crypt::legacyDecrypt($encryptedLegacyKey, $params['password']);
             $session->setLegacyKey($legacyKey);
         }
     }

     // encrypt the files that already exist; this upgrades data written by
     // old versions of the encryption app (see appinfo/spec.txt)
     $allEncrypted = $util->encryptAll('/' . $params['uid'] . '/' . 'files', $session->getLegacyKey(), $params['password']);
     if ($allEncrypted) {
         \OC_Log::write('Encryption library', 'Encryption of existing files belonging to "' . $params['uid'] . '" completed', \OC_Log::INFO);
     }

     // record the finished migration
     $util->finishMigration();

     return true;
 }
예제 #4
파일: crypt.php 프로젝트: hjimmy/owncloud
 /**
  * @medium
  * @brief Test that long data written by the crypto stream wrapper is stored
  * encrypted and can be decrypted chunk by chunk
  * @note The stored file is split and decrypted by hand here so the test does
  * not depend on stream_read working
  * @note If this test fails with truncated content, check that enough array
  * slices are being rejoined into the chunk list, as the crypt.php file may
  * have gotten longer and broken the manual reassembly of its data
  */
 function testSymmetricStreamEncryptLongFileContent()
 {
     // unique file name for this run
     $filename = 'tmp-' . uniqid() . '.test';
     $util = new Encryption\Util(new \OC_FilesystemView(), $this->userId);
     $plainContent = $this->dataLong . $this->dataLong;

     // write the long content through the encrypting stream wrapper
     $bytesWritten = file_put_contents('crypt:///' . $this->userId . '/files/' . $filename, $plainContent);
     $this->assertTrue(is_int($bytesWritten));

     // read the bytes as stored, with the proxy off so nothing decrypts them
     $previousProxyState = \OC_FileProxy::$enabled;
     \OC_FileProxy::$enabled = false;
     $storedContent = $this->view->file_get_contents($this->userId . '/files/' . $filename);
     \OC_FileProxy::$enabled = $previousProxyState;

     // what is stored must differ from the plaintext
     $this->assertNotEquals($plainContent, $storedContent);

     // split on the '00iv00' marker plus the 16-18 characters after it;
     // the captured delimiters stay in the result list
     $parts = preg_split('/(00iv00.{16,18})/', $storedContent, NULL, PREG_SPLIT_DELIM_CAPTURE);

     // glue every pair of neighbouring slices back together into one chunk
     $chunks = array();
     for ($i = 0; $i < count($parts) - 1; $i += 2) {
         $chunks[] = $parts[$i] . $parts[$i + 1];
     }

     // fetch the encrypted file key and the user's share key
     $encKeyfile = Encryption\Keymanager::getFileKey($this->view, $util, $filename);
     $shareKey = Encryption\Keymanager::getShareKey($this->view, $this->userId, $util, $filename);

     // the private key comes from the session
     $session = new \OCA\Encryption\Session($this->view);
     $privateKey = $session->getPrivateKey($this->userId);

     // recover the plain file key from key file, share key and private key
     $plainKeyfile = Encryption\Crypt::multiKeyDecrypt($encKeyfile, $shareKey, $privateKey);

     // decrypt each chunk and append it to the result
     $decrypted = '';
     foreach ($chunks as $chunk) {
         $decrypted .= Encryption\Crypt::symmetricDecryptFileContent($chunk, $plainKeyfile);
     }
     $this->assertEquals($plainContent, $decrypted);

     // teardown: remove the file and its key
     $this->view->unlink($this->userId . '/files/' . $filename);
     Encryption\Keymanager::deleteFileKey($this->view, $filename);
 }
예제 #5
 /**
  * @brief Startup encryption backend upon user login
  * @param array $params login data; 'uid' and 'password' are read here and the
  * whole array is handed to Util::initEncryption()
  * @return bool true when the app is disabled or login handling ran through,
  * false when Helper::setupUser() reports failure
  * @note This method should never be called for users using client side encryption
  * @note The server requirement/configuration check only runs for users that
  * have no stored private key yet.
  * @note NOTE(review): the result of initEncryption() is used as a session
  * object without a check; confirm it cannot return false at this point.
  */
 public static function login($params)
 {
     // nothing to do while the encryption app is switched off
     if (\OCP\App::isEnabled('files_encryption') === false) {
         return true;
     }

     $l10n = new \OC_L10N('files_encryption');
     $rootView = new \OC_FilesystemView('/');

     // the filesystem has to be set up before any key file can be read
     if (!\OC\Files\Filesystem::$loaded) {
         \OC_Util::setupFS($params['uid']);
     }

     $storedPrivateKey = \OCA\Encryption\Keymanager::getPrivateKey($rootView, $params['uid']);

     // no private key yet: verify requirements and configuration, and disable
     // the app with an error page if either check fails
     if (!$storedPrivateKey && !(Helper::checkRequirements() && Helper::checkConfiguration())) {
         $errorMessage = $l10n->t("Missing requirements.");
         $errorHint = $l10n->t('Please make sure that PHP 5.3.3 or newer is installed and that OpenSSL together with the PHP extension is enabled and configured properly. For now, the encryption app has been disabled.');
         \OC_App::disable('files_encryption');
         \OCP\Util::writeLog('Encryption library', $errorMessage . ' ' . $errorHint, \OCP\Util::ERROR);
         \OCP\Template::printErrorPage($errorMessage, $errorHint);
     }

     $util = new Util($rootView, $params['uid']);

     // a user that cannot be set up has to log in again
     if (Helper::setupUser($util, $params['password']) === false) {
         return false;
     }

     $session = $util->initEncryption($params);

     // first-run migration only starts while its status is still "open"
     $migrationStarted = false;
     if ($util->getMigrationStatus() === Util::MIGRATION_OPEN) {
         $migrationStarted = $util->beginMigration();
     }
     if (!$migrationStarted) {
         return true;
     }

     $userView = new \OC_FilesystemView('/' . $params['uid']);

     // a key left over from the deprecated encryption system is decrypted
     // and kept in the session so old files can still be read
     if ($userView->file_exists('encryption.key')) {
         $encryptedLegacyKey = $userView->file_get_contents('encryption.key');
         if ($encryptedLegacyKey) {
             $legacyKey = Crypt::legacyDecrypt($encryptedLegacyKey, $params['password']);
             $session->setLegacyKey($legacyKey);
         }
     }

     // encrypt the files that already exist
     $allEncrypted = $util->encryptAll('/' . $params['uid'] . '/' . 'files', $session->getLegacyKey(), $params['password']);
     if ($allEncrypted) {
         \OC_Log::write('Encryption library', 'Encryption of existing files belonging to "' . $params['uid'] . '" completed', \OC_Log::INFO);
     }

     // record the finished migration
     $util->finishMigration();

     return true;
 }
예제 #6
파일: proxy.php 프로젝트: ryanshoover/core
 /**
  * Writes a file through a filesystem view and checks that the stored bytes
  * differ from the input while reads through the proxy return the input.
  *
  * NOTE(review): the proxy is switched back on unconditionally after the raw
  * read instead of being restored to the state it had before.
  */
 public function testView()
 {
     $sourceFile = OC::$SERVERROOT . '/3rdparty/MDB2.php';
     $expected = file_get_contents($sourceFile);

     $rootView = new OC_FilesystemView('');
     $userView = new OC_FilesystemView('/' . OC_User::getUser());
     $userDir = '/' . OC_User::getUser() . '/files';
     $target = $userDir . '/file';

     // write with the proxy active
     $rootView->file_put_contents($target, $expected);

     // raw read with the proxy off: the stored bytes must not equal the input
     OC_FileProxy::$enabled = false;
     $rawStored = $rootView->file_get_contents($target);
     OC_FileProxy::$enabled = true;
     $this->assertNotEqual($expected, $rawStored);

     // read through the root view with the proxy on
     $viaRootView = $rootView->file_get_contents($target);
     $this->assertEqual($expected, $viaRootView);

     // read through the user's own view
     $viaUserView = $userView->file_get_contents('files/file');
     $this->assertEqual($expected, $viaUserView);
 }
예제 #7
 /**
  * Shares an encrypted file with a group and checks the share-key lifecycle.
  *
  * USER1 writes the file and shares it with GROUP1. The test expects share
  * keys for USER3 and USER4 to exist afterwards, USER3 to be able to read the
  * content, the two share keys to be gone after unsharing, and USER1's own
  * share key to be gone after the file is deleted.
  */
 function testShareFileWithGroup()
 {
     $owner = \Test_Encryption_Share::TEST_ENCRYPTION_SHARE_USER1;
     $group = \Test_Encryption_Share::TEST_ENCRYPTION_SHARE_GROUP1;
     // the two users whose share keys this test checks
     $members = array(
         \Test_Encryption_Share::TEST_ENCRYPTION_SHARE_USER3,
         \Test_Encryption_Share::TEST_ENCRYPTION_SHARE_USER4,
     );
     $shareKeyDir = '/' . $owner . '/files_encryption/share-keys/';

     // act as the owner and write the file through the encrypting stream wrapper
     \Test_Encryption_Util::loginHelper($owner);
     $bytesWritten = file_put_contents('crypt://' . $this->filename, $this->dataShort);
     $this->assertTrue(is_int($bytesWritten));

     // read the metadata with the proxy off to prevent recursive calls
     $previousProxyState = \OC_FileProxy::$enabled;
     \OC_FileProxy::$enabled = false;
     $fileInfo = $this->view->getFileInfo('/' . $owner . '/files/' . $this->filename);
     $this->assertTrue(is_array($fileInfo));
     // the unencrypted size has to be recorded for the file
     $this->assertGreaterThan(0, $fileInfo['unencrypted_size']);
     \OC_FileProxy::$enabled = $previousProxyState;

     // share with the group, granting all permissions
     \OCP\Share::shareItem('file', $fileInfo['fileid'], \OCP\Share::SHARE_TYPE_GROUP, $group, OCP\PERMISSION_ALL);

     // log in as the owner again
     \Test_Encryption_Util::loginHelper($owner);

     // both members must now have a share key
     foreach ($members as $member) {
         $this->assertTrue($this->view->file_exists($shareKeyDir . $this->filename . '.' . $member . '.shareKey'));
     }

     // switch to the first member (USER3) and read the shared file
     \Test_Encryption_Util::loginHelper($members[0]);
     $contentFromShare = $this->view->file_get_contents('/' . $members[0] . '/files/Shared/' . $this->filename);
     $this->assertEquals($this->dataShort, $contentFromShare);

     // back to the owner: revoke the group share
     \Test_Encryption_Util::loginHelper($owner);
     \OCP\Share::unshare('file', $fileInfo['fileid'], \OCP\Share::SHARE_TYPE_GROUP, $group);

     // revoking the share must remove the members' share keys
     foreach ($members as $member) {
         $this->assertFalse($this->view->file_exists($shareKeyDir . $this->filename . '.' . $member . '.shareKey'));
     }

     // cleanup
     $this->view->unlink('/' . $owner . '/files/' . $this->filename);

     // deleting the file must remove the owner's share key as well
     $this->assertFalse($this->view->file_exists($shareKeyDir . $this->filename . '.' . $owner . '.shareKey'));
 }
예제 #8
파일: util.php 프로젝트: hjimmy/owncloud
 /**
  * @brief Test that Util::getFileSize() reports the plaintext size of files
  * written through the view, and that the content reads back unchanged
  *
  * Two sizes are covered: an empty file and a file of 18377 bytes, the size
  * from https://github.com/owncloud/mirall/issues/1009
  */
 function testGetFileSize()
 {
     \Test_Encryption_Util::loginHelper(\Test_Encryption_Util::TEST_ENCRYPTION_UTIL_USER1);
     $filename = 'tmp-' . uniqid();
     $externalFilename = '/' . $this->userId . '/files/' . $filename;

     foreach (array(0, 18377) as $expectedSize) {
         // str_pad() returns the empty string unchanged for a target length of 0
         $payload = str_pad("", $expectedSize, "abc");

         $written = $this->view->file_put_contents($externalFilename, $payload);
         $this->assertTrue(is_int($written));

         // the reported size has to be the size of the plaintext
         $this->assertEquals($this->util->getFileSize($externalFilename), $expectedSize);

         // and the content has to round-trip
         $readBack = $this->view->file_get_contents($externalFilename);
         $this->assertEquals($payload, $readBack);

         $this->view->unlink($this->userId . '/files/' . $filename);
     }
 }
예제 #9
 /**
  * @brief test webdav put random file
  * @return string name of the uploaded file (with leading slash), for the next test
  *
  * Simulates a WebDAV PUT by filling $_SERVER, then checks that the file, its
  * key file and the user's share key exist, that the stored content is in the
  * encrypted format, and that it decrypts to the uploaded data.
  */
 function testWebdavPUT()
 {
     // file name for this run
     $filename = '/tmp-' . time() . '.txt';

     // NOTE(review): this first value is overwritten by 'PUT' right below
     $_SERVER['REQUEST_METHOD'] = 'OPTIONS';

     // request environment for the simulated PUT; the Authorization header
     // carries the Basic credentials of the WebDAV test account
     $serverVars = array(
         'REQUEST_METHOD' => 'PUT',
         'REQUEST_URI' => '/remote.php/webdav' . $filename,
         'HTTP_AUTHORIZATION' => 'Basic dGVzdC13ZWJkYXYtdXNlcjE6dGVzdC13ZWJkYXYtdXNlcjE=',
         'CONTENT_TYPE' => 'application/octet-stream',
         'PATH_INFO' => '/webdav' . $filename,
         'CONTENT_LENGTH' => strlen($this->dataShort),
     );
     foreach ($serverVars as $name => $value) {
         $_SERVER[$name] = $value;
     }

     // run the request with the short test data as body
     $this->handleWebdavRequest($this->dataShort);

     $userRoot = '/' . $this->userId;

     // the upload must have created the file, its key file and the user's share key
     $this->assertTrue($this->view->file_exists($userRoot . '/files' . $filename));
     $this->assertTrue($this->view->file_exists($userRoot . '/files_encryption/keyfiles/' . $filename . '.key'));
     $this->assertTrue($this->view->file_exists($userRoot . '/files_encryption/share-keys/' . $filename . '.' . $this->userId . '.shareKey'));

     // read the stored bytes with the proxy off to prevent recursive calls
     $previousProxyState = \OC_FileProxy::$enabled;
     \OC_FileProxy::$enabled = false;
     $storedContent = $this->view->file_get_contents($userRoot . '/files' . $filename);
     \OC_FileProxy::$enabled = $previousProxyState;

     // what is on disk has to be in the encrypted file format
     $this->assertTrue(Encryption\Crypt::isCatfileContent($storedContent));

     // reading through the stream wrapper has to return the uploaded data
     $decrypted = file_get_contents('crypt://' . $filename);
     $this->assertEquals($this->dataShort, $decrypted);

     return $filename;
 }
예제 #10
파일: stream.php 프로젝트: hjimmy/owncloud
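 /**
  * @medium
  * @brief test if stream wrapper can read files outside from the data folder
  *
  * An encrypted file is written inside the data folder, its stored bytes are
  * copied to a file in /tmp, the copy is registered with
  * Helper::addTmpFileToMapper() and then read back through crypt://.
  *
  * NOTE(review): the /tmp name is derived from time() and is therefore
  * predictable in a shared directory; consider tempnam() if the stream
  * wrapper accepts arbitrary temp paths.
  */
 function testStreamFromLocalFile()
 {
     $filename = '/' . $this->userId . '/files/' . 'tmp-' . time() . '.txt';
     $tmpFilename = "/tmp/" . time() . ".txt";
     // write an encrypted file
     $cryptedFile = $this->view->file_put_contents($filename, $this->dataShort);
     // Test that data was successfully written
     $this->assertTrue(is_int($cryptedFile));
     // copy the stored (encrypted) bytes to /tmp; the proxy is off for the
     // read so the content is not decrypted on the way
     $proxyStatus = \OC_FileProxy::$enabled;
     \OC_FileProxy::$enabled = false;
     $encryptedContent = $this->view->file_get_contents($filename);
     \OC_FileProxy::$enabled = $proxyStatus;
     file_put_contents($tmpFilename, $encryptedContent);
     \OCA\Encryption\Helper::addTmpFileToMapper($tmpFilename, $filename);
     // try to read the file from /tmp
     $handle = fopen("crypt://" . $tmpFilename, "r");
     // fail with a clear assertion instead of reading from a non-resource
     $this->assertTrue(is_resource($handle));
     $contentFromTmpFile = stream_get_contents($handle);
     // release the stream before the file underneath it is removed
     fclose($handle);
     // check if it was successful
     $this->assertEquals($this->dataShort, $contentFromTmpFile);
     // clean up
     unlink($tmpFilename);
     $this->view->unlink($filename);
 }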
예제 #11
파일: proxy.php 프로젝트: hjimmy/owncloud
 /**
  * @brief replace $data with its encrypted form before it is written to $path
  * @param string $path target path of the write
  * @param mixed $data content to be written, passed by reference; left as is
  * when it is a resource or when $path is not to be encrypted
  * @return bool false if the encrypting stream could not be opened, true otherwise
  * @note The content is written to a temporary file below the cache folder
  * through crypt://, read back raw with the proxy disabled, and the temporary
  * folder is deleted again.
  * @note NOTE(review): the temporary folder name comes from rand(), which is
  * neither unpredictable nor collision-free across concurrent requests.
  * @note NOTE(review): the temp path uses the user segment of $path, while the
  * cleanup uses the logged-in user; confirm both always match.
  */
 public function preFile_put_contents($path, &$data)
 {
     // nothing to do for paths that are not encrypted or for stream resources
     if (!self::shouldEncrypt($path) || is_resource($data)) {
         return true;
     }

     $rootView = new \OC_FilesystemView('/');

     // skip paths for which no relative path can be derived
     $relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path);
     if (!isset($relativePath)) {
         return true;
     }

     // build the temp path: segment 2 of the normalized path is replaced
     // by a per-call folder below "cache/"
     $cacheFolder = rand();
     $segments = explode('/', \OC_Filesystem::normalizePath($path));
     $segments[2] = "cache/" . $cacheFolder;
     $tmpPath = implode('/', $segments);

     $stream = fopen('crypt://' . $tmpPath, 'w');
     if (!is_resource($stream)) {
         return false;
     }

     // writing through the stream wrapper encrypts the content
     fwrite($stream, $data);
     fclose($stream);

     // proxy off to prevent recursive calls while the raw bytes are fetched
     $previousProxyState = \OC_FileProxy::$enabled;
     \OC_FileProxy::$enabled = false;

     // hand the encrypted bytes back to the caller
     $data = $rootView->file_get_contents($tmpPath);

     // remember the size reported for the temp file so the post proxy can
     // update the unencrypted size
     $tmpFileInfo = $rootView->getFileInfo($tmpPath);
     if (isset($tmpFileInfo['size'])) {
         self::$unencryptedSizes[\OC_Filesystem::normalizePath($path)] = $tmpFileInfo['size'];
     }

     // drop the temporary folder
     $rootView->deleteAll('/' . \OCP\User::getUser() . '/cache/' . $cacheFolder);

     \OC_FileProxy::$enabled = $previousProxyState;

     return true;
 }
예제 #12
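 /**
  * @brief replace $data with its encrypted form before it is written to $path
  * @param string $path target path of the write
  * @param mixed $data content to be written, passed by reference; left as is
  * when it is a resource or when $path is not to be encrypted
  * @return bool false if the encrypting stream could not be opened, true otherwise
  * @note The content is written to '<path>.etmp' through crypt://, read back
  * raw with the proxy disabled, and the temporary file is removed again.
  * @note Returning false when the stream cannot be opened keeps $data from
  * being passed on as plaintext with a success result. NOTE(review): this
  * assumes the proxy dispatcher aborts the write on false - confirm.
  * @note NOTE(review): the fixed '.etmp' suffix means two concurrent writes to
  * the same path share one temporary file.
  */
 public function preFile_put_contents($path, &$data)
 {
     // nothing to do for paths that are not encrypted or for stream resources
     if (!self::shouldEncrypt($path) || is_resource($data)) {
         return true;
     }

     // get root view
     $view = new \OC_FilesystemView('/');

     // skip paths for which no relative path can be derived
     $relativePath = \OCA\Encryption\Helper::stripUserFilesPath($path);
     if (!isset($relativePath)) {
         return true;
     }

     $handle = fopen('crypt://' . $relativePath . '.etmp', 'w');
     if (!is_resource($handle)) {
         // fail closed: $data is still plaintext at this point
         return false;
     }

     // writing through the stream wrapper encrypts the content
     fwrite($handle, $data);
     fclose($handle);

     // disable encryption proxy to prevent recursive calls
     $proxyStatus = \OC_FileProxy::$enabled;
     \OC_FileProxy::$enabled = false;

     // hand the encrypted bytes back to the caller
     $data = $view->file_get_contents($path . '.etmp');

     // remove our temp file
     $view->unlink($path . '.etmp');

     // re-enable proxy - our work is done
     \OC_FileProxy::$enabled = $proxyStatus;

     return true;
 }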
예제 #13
파일: crypt.php 프로젝트: noci2012/owncloud
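 /**
  * Re-encrypt the logged-in user's '/encryption.key' under a new passcode.
  *
  * Does nothing when no user is logged in, when the key file cannot be read,
  * or when decryption reports failure by returning false; in those cases the
  * stored key file is left untouched.
  *
  * NOTE(review): nothing here verifies that $oldPassword is correct. If
  * OC_Crypt::decrypt() returns garbage instead of false for a wrong passcode,
  * that garbage is stored as the new key - confirm how decrypt() signals
  * failure.
  *
  * @param string $oldPassword passcode the key is currently encrypted with
  * @param string $newPassword passcode the key is re-encrypted with
  */
 public static function changekeypasscode($oldPassword, $newPassword)
 {
     if (!OCP\User::isLoggedIn()) {
         return;
     }
     $username = OCP\USER::getUser();
     $view = new OC_FilesystemView('/' . $username);
     // read old key
     $encryptedKey = $view->file_get_contents('/encryption.key');
     // no readable key: do not write a key derived from a failed read
     if (!is_string($encryptedKey) || $encryptedKey === '') {
         return;
     }
     // decrypt key with old passcode
     $plainKey = OC_Crypt::decrypt($encryptedKey, $oldPassword);
     if ($plainKey === false) {
         // keep the existing key file rather than overwriting it
         return;
     }
     // encrypt again with new passcode
     $reencryptedKey = OC_Crypt::encrypt($plainKey, $newPassword);
     // store the new key
     $view->file_put_contents('/encryption.key', $reencryptedKey);
 }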
예제 #14
 /**
  * @brief retrieve shareKey for an encrypted file
  * @param \OC_FilesystemView $view view the share-key path is resolved against
  * @param string $userId user whose share key is requested
  * @param \OCA\Encryption\Util $util used to resolve owner and file name
  * @param string $filePath path of the encrypted file
  * @return string share key or false if no share key file exists
  * @note The sharekey returned is encrypted. Decryption
  * of the keyfile must be performed by client code
  * @note NOTE(review): $userId and the resolved file name are concatenated
  * into the key path unchecked; callers should pass validated values.
  */
 public static function getShareKey(\OC_FilesystemView $view, $userId, $util, $filePath)
 {
     // the proxy stays off while the key is looked up and read
     $previousProxyState = \OC_FileProxy::$enabled;
     \OC_FileProxy::$enabled = false;

     // a part file reuses the key of the file it belongs to
     list($owner, $filename) = $util->getUidAndFilename($filePath);
     $filename = Helper::stripPartialFileExtension($filename);

     // keys of system wide mount points live directly in the data directory,
     // all others below the owner's folder
     $keyDir = $util->isSystemWideMountPoint($filename)
         ? '/files_encryption/share-keys/'
         : ('/' . $owner . '/files_encryption/share-keys/');
     $shareKeyPath = $keyDir . $filename . '.' . $userId . '.shareKey';

     $shareKey = $view->file_exists($shareKeyPath)
         ? $view->file_get_contents($shareKeyPath)
         : false;

     \OC_FileProxy::$enabled = $previousProxyState;

     return $shareKey;
 }