Add a session wrapper to encrypt the data before storing it on disk

This commit is contained in:
Joas Schilling 2015-07-20 12:59:04 +02:00 committed by Lukas Reschke
parent 510010e774
commit 36eef2ddab
8 changed files with 381 additions and 34 deletions

View file

@ -52,7 +52,10 @@ try {
\OC::$server->getSession()->close();
// initialize a dummy memory session
\OC::$server->setSession(new \OC\Session\Memory(''));
$session = new \OC\Session\Memory('');
$cryptoWrapper = \OC::$server->getSessionCryptoWrapper();
$session = $cryptoWrapper->wrapSession($session);
\OC::$server->setSession($session);
$logger = \OC::$server->getLogger();

View file

@ -463,13 +463,15 @@ class OC {
$useCustomSession = false;
$session = self::$server->getSession();
OC_Hook::emit('OC', 'initSession', array('session' => &$session, 'sessionName' => &$sessionName, 'useCustomSession' => &$useCustomSession));
if($useCustomSession) {
// use the session reference as the new Session
self::$server->setSession($session);
} else {
if (!$useCustomSession) {
// set the session name to the instance id - which is unique
self::$server->setSession(new \OC\Session\Internal($sessionName));
$session = new \OC\Session\Internal($sessionName);
}
$cryptoWrapper = \OC::$server->getSessionCryptoWrapper();
$session = $cryptoWrapper->wrapSession($session);
self::$server->setSession($session);
// if session cant be started break with http 500 error
} catch (Exception $e) {
\OCP\Util::logException('base', $e);

View file

@ -56,6 +56,7 @@ use OC\Security\Crypto;
use OC\Security\Hasher;
use OC\Security\SecureRandom;
use OC\Security\TrustedDomainHelper;
use OC\Session\CryptoWrapper;
use OC\Tagging\TagMapper;
use OCP\IServerContainer;
use Symfony\Component\EventDispatcher\EventDispatcher;
@ -159,7 +160,12 @@ class Server extends SimpleContainer implements IServerContainer {
});
$this->registerService('UserSession', function (Server $c) {
$manager = $c->getUserManager();
$userSession = new \OC\User\Session($manager, new \OC\Session\Memory(''));
$session = new \OC\Session\Memory('');
$cryptoWrapper = $c->getSessionCryptoWrapper();
$session = $cryptoWrapper->wrapSession($session);
$userSession = new \OC\User\Session($manager, $session);
$userSession->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
\OC_Hook::emit('OC_User', 'pre_createUser', array('run' => true, 'uid' => $uid, 'password' => $password));
});
@ -461,6 +467,13 @@ class Server extends SimpleContainer implements IServerContainer {
$this->registerService('EventDispatcher', function() {
return new EventDispatcher();
});
$this->registerService('CryptoWrapper', function (Server $c) {
return new CryptoWrapper(
$c->getConfig(),
$c->getCrypto(),
$c->getSecureRandom()
);
});
}
/**
@ -949,31 +962,4 @@ class Server extends SimpleContainer implements IServerContainer {
return $this->query('MountManager');
}
/*
* Get the MimeTypeDetector
*
* @return \OCP\Files\IMimeTypeDetector
*/
public function getMimeTypeDetector() {
return $this->query('MimeTypeDetector');
}
/**
* Get the manager of all the capabilities
*
* @return \OC\CapabilitiesManager
*/
public function getCapabilitiesManager() {
return $this->query('CapabilitiesManager');
}
/**
* Get the EventDispatcher
*
* @return EventDispatcherInterface
* @since 8.2.0
*/
public function getEventDispatcher() {
return $this->query('EventDispatcher');
}
}

View file

@ -0,0 +1,140 @@
<?php
/**
* @author Joas Schilling <nickvergessen@owncloud.com>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OC\Session;
use OCP\ISession;
use OCP\Security\ICrypto;
class CryptoSessionData implements \ArrayAccess, ISession {
/** @var ISession */
protected $session;
/** @var \OCP\Security\ICrypto */
protected $crypto;
/** @var string */
protected $passphrase;
/**
* @param ISession $session
* @param ICrypto $crypto
* @param string $passphrase
*/
public function __construct(ISession $session, ICrypto $crypto, $passphrase) {
$this->crypto = $crypto;
$this->session = $session;
$this->passphrase = $passphrase;
}
/**
* Set a value in the session
*
* @param string $key
* @param mixed $value
*/
public function set($key, $value) {
$encryptedValue = $this->crypto->encrypt($value, $this->passphrase);
$this->session->set($key, $encryptedValue);
}
/**
* Get a value from the session
*
* @param string $key
* @return mixed should return null if $key does not exist
* @throws \Exception when the data could not be decrypted
*/
public function get($key) {
$encryptedValue = $this->session->get($key);
if ($encryptedValue === null) {
return null;
}
$value = $this->crypto->decrypt($encryptedValue, $this->passphrase);
return $value;
}
/**
* Check if a named key exists in the session
*
* @param string $key
* @return bool
*/
public function exists($key) {
return $this->session->exists($key);
}
/**
* Remove a $key/$value pair from the session
*
* @param string $key
*/
public function remove($key) {
$this->session->remove($key);
}
/**
* Reset and recreate the session
*/
public function clear() {
$this->session->clear();
}
/**
* Close the session and release the lock
*/
public function close() {
$this->session->close();
}
/**
* @param mixed $offset
* @return bool
*/
public function offsetExists($offset) {
return $this->exists($offset);
}
/**
* @param mixed $offset
* @return mixed
*/
public function offsetGet($offset) {
return $this->get($offset);
}
/**
* @param mixed $offset
* @param mixed $value
*/
public function offsetSet($offset, $value) {
$this->set($offset, $value);
}
/**
* @param mixed $offset
*/
public function offsetUnset($offset) {
$this->remove($offset);
}
}

View file

@ -0,0 +1,81 @@
<?php
/**
* @author Joas Schilling <nickvergessen@owncloud.com>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OC\Session;
use OCP\IConfig;
use OCP\ISession;
use OCP\Security\ICrypto;
use OCP\Security\ISecureRandom;
class CryptoWrapper {
const COOKIE_NAME = 'oc_sessionPassphrase';
/** @var ISession */
protected $session;
/** @var \OCP\Security\ICrypto */
protected $crypto;
/** @var ISecureRandom */
protected $random;
/**
* @param IConfig $config
* @param ICrypto $crypto
* @param ISecureRandom $random
*/
public function __construct(IConfig $config, ICrypto $crypto, ISecureRandom $random) {
$this->crypto = $crypto;
$this->config = $config;
$this->random = $random;
if (isset($_COOKIE[self::COOKIE_NAME])) {
// TODO circular dependency
// $request = \OC::$server->getRequest();
// $this->passphrase = $request->getCookie(self::COOKIE_NAME);
$this->passphrase = $_COOKIE[self::COOKIE_NAME];
} else {
$this->passphrase = $this->random->getMediumStrengthGenerator()->generate(128);
// TODO circular dependency
// $secureCookie = \OC::$server->getRequest()->getServerProtocol() === 'https';
$secureCookie = false;
$expires = time() + $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
if (!defined('PHPUNIT_RUN')) {
setcookie(self::COOKIE_NAME, $this->passphrase, $expires, \OC::$WEBROOT, '', $secureCookie);
}
}
}
/**
* @param ISession $session
* @return ISession
*/
public function wrapSession(ISession $session) {
if (!($session instanceof CryptoSessionData) && $this->config->getSystemValue('encrypt.session', false)) {
return new \OC\Session\CryptoSessionData($session, $this->crypto, $this->passphrase);
}
return $session;
}
}

View file

@ -56,6 +56,7 @@ class Server extends \Test\TestCase {
['ContactsManager', '\OCP\Contacts\IManager'],
['Crypto', '\OC\Security\Crypto'],
['Crypto', '\OCP\Security\ICrypto'],
['CryptoWrapper', '\OC\Session\CryptoWrapper'],
['DatabaseConnection', '\OC\DB\Connection'],
['DatabaseConnection', '\OCP\IDBConnection'],

View file

@ -0,0 +1,53 @@
<?php
/**
* @author Joas Schilling <nickvergessen@owncloud.com>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace Test\Session;
use OC\Session\CryptoSessionData;
class CryptoSessionDataTest extends Session {
/** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\Security\ICrypto */
protected $crypto;
/** @var \OCP\ISession */
protected $wrappedSession;
protected function setUp() {
parent::setUp();
$this->wrappedSession = new \OC\Session\Memory($this->getUniqueID());
$this->crypto = $this->getMockBuilder('OCP\Security\ICrypto')
->disableOriginalConstructor()
->getMock();
$this->crypto->expects($this->any())
->method('encrypt')
->willReturnCallback(function ($input) {
return '#' . $input . '#';
});
$this->crypto->expects($this->any())
->method('decrypt')
->willReturnCallback(function ($input) {
return substr($input, 1, -1);
});
$this->instance = new CryptoSessionData($this->wrappedSession, $this->crypto, 'PASS');
}
}

View file

@ -0,0 +1,81 @@
<?php
/**
* @author Joas Schilling <nickvergessen@owncloud.com>
*
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace Test\Session;
use OC\Session\CryptoSessionData;
use Test\TestCase;
class CryptoWrappingTest extends TestCase {
/** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\Security\ICrypto */
protected $crypto;
/** @var \PHPUnit_Framework_MockObject_MockObject|\OCP\ISession */
protected $wrappedSession;
/** @var \OC\Session\CryptoSessionData */
protected $instance;
protected function setUp() {
parent::setUp();
$this->wrappedSession = $this->getMockBuilder('OCP\ISession')
->disableOriginalConstructor()
->getMock();
$this->crypto = $this->getMockBuilder('OCP\Security\ICrypto')
->disableOriginalConstructor()
->getMock();
$this->crypto->expects($this->any())
->method('encrypt')
->willReturnCallback(function ($input) {
return '#' . $input . '#';
});
$this->crypto->expects($this->any())
->method('decrypt')
->willReturnCallback(function ($input) {
return substr($input, 1, -1);
});
$this->instance = new CryptoSessionData($this->wrappedSession, $this->crypto, 'PASS');
}
public function testWrappingSet() {
$unencryptedValue = 'foobar';
$this->wrappedSession->expects($this->once())
->method('set')
->with('key', $this->crypto->encrypt($unencryptedValue));
$this->instance->set('key', $unencryptedValue);
}
public function testUnwrappingGet() {
$unencryptedValue = 'foobar';
$encryptedValue = $this->crypto->encrypt($unencryptedValue);
$this->wrappedSession->expects($this->once())
->method('get')
->with('key')
->willReturnCallback(function () use ($encryptedValue) {
return $encryptedValue;
});
$this->assertSame($unencryptedValue, $this->instance->get('key'));
}
}