don't create a recovery user, only generate recovery key similar to the public link share key

2013-05-13 17:26:21 +02:00 · 2013-05-13 17:26:21 +02:00 · 517efdf952
commit 517efdf952
parent 2f4ba9d1e8
5 changed files with 63 additions and 99 deletions
--- a/apps/files_encryption/ajax/adminrecovery.php
+++ b/apps/files_encryption/ajax/adminrecovery.php
@ -1,4 +1,5 @@
 <?php
+
 /**
 * Copyright (c) 2013, Sam Tuke <samtuke@owncloud.com>
 * This file is licensed under the Affero General Public License version 3 or later.
@ -6,87 +7,78 @@
 *
 * @brief Script to handle admin settings for encrypted key recovery
 */
-
 use OCA\Encryption;

 \OCP\JSON::checkAdminUser();
-\OCP\JSON::checkAppEnabled( 'files_encryption' );
+\OCP\JSON::checkAppEnabled('files_encryption');
 \OCP\JSON::callCheck();

-$return = $doSetup = false;
+$return = false;

 // Enable recoveryAdmin
-if ( 
-	isset( $_POST['adminEnableRecovery'] ) 
-	&& 1 == $_POST['adminEnableRecovery'] 
-// 	&& isset( $_POST['recoveryPassword'] ) 
-// 	&& ! empty ( $_POST['recoveryPassword'] )
+
+if (
+	isset($_POST['adminEnableRecovery'])
+	&& 1 == $_POST['adminEnableRecovery']
 ) {

-	// TODO: Let the admin set this themselves
-	$recoveryAdminUid = 'recoveryAdmin';
-	
-	// If desired recoveryAdmin UID is already in use
-	if ( ! \OC_User::userExists( $recoveryAdminUid ) ) {
-		
-		// Create new recoveryAdmin user
-		\OC_User::createUser( $recoveryAdminUid, $_POST['recoveryPassword'] );
-		
-		// Make recovery user an administrator
-		\OC_Group::addToGroup ( $recoveryAdminUid, 'admin' );
-		
-		$doSetup = true;
-		
-	} else {
-	
-		// Get list of admin users
-		$admins = OC_Group::usersInGroup( 'admin' );
-		
-		// If the existing recoveryAdmin UID is an admin
-		if ( in_array( $recoveryAdminUid, $admins ) ) {
-			
-			// The desired recoveryAdmi UID pre-exists and can be used
-			$doSetup = true;
-		
-		// If the recoveryAdmin UID exists but doesn't have admin rights
-		} else {
-		
-			$return = false;
-			
+	$view = new \OC\Files\View('/');
+
+	$recoveryKeyId = OC_Appconfig::getValue('files_encryption', 'recoveryKeyId');
+
+	if ($recoveryKeyId === null) {
+		$recoveryKeyId = 'recovery_' . substr(md5(time()), 0, 8);
+		\OC_Appconfig::setValue('files_encryption', 'recoveryKeyId', $recoveryKeyId);
+	}
+
+	if (!$view->is_dir('/owncloud_private_key')) {
+		$view->mkdir('/owncloud_private_key');
+	}
+
+	if (
+		(!$view->file_exists("/public-keys/" . $recoveryKeyId . ".public.key")
+		|| !$view->file_exists("/owncloud_private_key/" . $recoveryKeyId . ".private.key"))
+		&& isset($_POST['recoveryPassword'])
+		&& !empty($_POST['recoveryPassword'])
+	) {
+
+		$keypair = \OCA\Encryption\Crypt::createKeypair();
+
+		\OC_FileProxy::$enabled = false;
+
+		// Save public key
+
+		if (!$view->is_dir('/public-keys')) {
+			$view->mkdir('/public-keys');
 		}
-		
+
+		$view->file_put_contents('/public-keys/' . $recoveryKeyId . '.public.key', $keypair['publicKey']);
+
+		// Encrypt private key empthy passphrase
+		$encryptedPrivateKey = \OCA\Encryption\Crypt::symmetricEncryptFileContent($keypair['privateKey'], $_POST['recoveryPassword']);
+
+		// Save private key
+		$view->file_put_contents('/owncloud_private_key/' . $recoveryKeyId . '.private.key', $encryptedPrivateKey);
+
+		\OC_FileProxy::$enabled = true;
+
 	}
-	
-	// Setup recoveryAdmin user for encryption
-	if ( $doSetup ) {
-		
-		$view = new \OC_FilesystemView( '/' );
-		$util = new \OCA\Encryption\Util( $view, $recoveryAdminUid );
-		
-		// Ensure recoveryAdmin is ready for encryption (has usable keypair etc.)
-		$util->setupServerSide( $_POST['recoveryPassword'] );
-		
-		// Store the UID in the DB
-		OC_Appconfig::setValue( 'files_encryption', 'recoveryAdminUid', $recoveryAdminUid );
-		
-		$return = true;
-		
-	}
-	
+
 	// Set recoveryAdmin as enabled
-	OC_Appconfig::setValue( 'files_encryption', 'recoveryAdminEnabled', 1 );
+	OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 1);
+
+	$return = true;

 // Disable recoveryAdmin
-} elseif ( 
-	isset( $_POST['adminEnableRecovery'] ) 
-	&& 0 == $_POST['adminEnableRecovery'] 
+} elseif (
+	isset($_POST['adminEnableRecovery'])
+	&& 0 == $_POST['adminEnableRecovery']
 ) {
-		
-		// Set recoveryAdmin as enabled
-		OC_Appconfig::setValue( 'files_encryption', 'recoveryAdminEnabled', 0 );
-		
-		$return = true;

+	// Set recoveryAdmin as enabled
+	OC_Appconfig::setValue('files_encryption', 'recoveryAdminEnabled', 0);
+
+	$return = true;
 }

 // Return success or failure
--- a/apps/files_encryption/js/settings-admin.js
+++ b/apps/files_encryption/js/settings-admin.js
@ -7,13 +7,6 @@


 $(document).ready(function(){
-	// Trigger ajax on filetype blacklist change
-	$('#encryption_blacklist').multiSelect({
-		oncheck:blackListChange,
-		onuncheck:blackListChange,
-		createText:'...'
-	});
-	
 	// Trigger ajax on recoveryAdmin status change
 	$( 'input:radio[name="adminEnableRecovery"]' ).change( 
 		function() {
@ -24,7 +17,7 @@ $(document).ready(function(){
 			if ( '' == recoveryPassword ) {
 				
 				// FIXME: add proper OC notification
-				alert( 'You  must set a recovery account password first' );
+				alert( 'You must set a recovery account password first' );
 				
 			} else {
 			
--- a/apps/files_encryption/lib/session.php
+++ b/apps/files_encryption/lib/session.php
@ -49,7 +49,7 @@ class Session {
 		$publicShareKeyId = \OC_Appconfig::getValue('files_encryption', 'publicShareKeyId');

 		if ($publicShareKeyId === null) {
-			$publicShareKeyId = substr(md5(time()),0,8);
+			$publicShareKeyId = 'pubShare_'.substr(md5(time()),0,8);
 			\OC_Appconfig::setValue('files_encryption', 'publicShareKeyId', $publicShareKeyId);
 		}
 		
@ -57,13 +57,7 @@ class Session {
 			! $this->view->file_exists( "/public-keys/".$publicShareKeyId.".public.key" )
 			|| ! $this->view->file_exists( "/owncloud_private_key/".$publicShareKeyId.".private.key" )
 		) {
-		
-			//FIXME: Bug: for some reason file_exists is returning 
-			// false in above if statement, and causing new keys 
-			// to be generated on each page load. At last check 
-			// our app.php is being executed 18 times per page load
-			// , causing 18 new keypairs and huge performance hit.
-			
+				
 			$keypair = Crypt::createKeypair();
 			
 			\OC_FileProxy::$enabled = false;
--- a/apps/files_encryption/lib/util.php
+++ b/apps/files_encryption/lib/util.php
@ -958,10 +958,10 @@ class Util {
 		if ( $recoveryEnabled ) {
 			
 			// Find recoveryAdmin user ID
-			$recoveryAdminUid = \OC_Appconfig::getValue( 'files_encryption', 'recoveryAdminUid' );
+			$recoveryKeyId = \OC_Appconfig::getValue( 'files_encryption', 'recoveryKeyId' );
 			
 			// Add recoveryAdmin to list of users sharing
-			$userIds[] = $recoveryAdminUid;
+			$userIds[] = $recoveryKeyId;
 			
 		}

--- a/apps/files_encryption/templates/settings-admin.php
+++ b/apps/files_encryption/templates/settings-admin.php
@ -4,25 +4,10 @@
 		<p>
 			<strong><?php p($l->t( 'Encryption' )); ?></strong>
 			<br />
-			
-			<?php p($l->t( "Exclude the following file types from encryption:" )); ?>
-			<br />
-			
-			<select 
-			id='encryption_blacklist' 
-			title="<?php p($l->t( 'None' ))?>" 
-			multiple="multiple">
-			<?php foreach($_["blacklist"] as $type): ?>
-				<option selected="selected" value="<?php p($type); ?>"> <?php p($type); ?> </option>
-			<?php endforeach;?>
-			</select>
 		</p>
 		<p>
-			<strong>
-				<?php p($l->t( "Enable encryption passwords recovery account (allow sharing to recovery account):" )); ?>
+			<?php p($l->t( "Enable encryption passwords recovery key (allow sharing to recovery key):" )); ?>
 			<br />
-			</strong>
-			<?php p($l->t( "To perform a recovery log in using the 'recoveryAdmin' account and the specified password" )); ?>
 			<br />
 			<?php if ( empty( $_['recoveryAdminUid'] ) ): ?>
 				<input type="password" name="recoveryPassword" id="recoveryPassword" />