alpcentaur
/
sncf-docker-compose
mirror of https://git.42l.fr/alpcentaur/sncf-docker-compose.git
1
0
Fork 0
Code Issues 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
20 MiB
Tree: df7e20de4b
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'df7e20de4b'
${ noResults }
sncf-docker-compose/docker/overlays/nextcloud/html/lib/private/Encryption/Util.php

403 lines
11 KiB
Raw Normal View History

first commit
3 years ago
 
  1. <?php
  2. /**
  3.  * @copyright Copyright (c) 2016, ownCloud, Inc.
  4.  *
  5.  * @author Bjoern Schiessle <bjoern@schiessle.org>
  6.  * @author Björn Schießle <bjoern@schiessle.org>
  7.  * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  8.  * @author Jan-Christoph Borchardt <hey@jancborchardt.net>
  9.  * @author Morris Jobke <hey@morrisjobke.de>
  10.  * @author Roeland Jago Douma <roeland@famdouma.nl>
  11.  * @author Thomas Müller <thomas.mueller@tmit.eu>
  12.  *
  13.  * @license AGPL-3.0
  14.  *
  15.  * This code is free software: you can redistribute it and/or modify
  16.  * it under the terms of the GNU Affero General Public License, version 3,
  17.  * as published by the Free Software Foundation.
  18.  *
  19.  * This program is distributed in the hope that it will be useful,
  20.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  21.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  22.  * GNU Affero General Public License for more details.
  23.  *
  24.  * You should have received a copy of the GNU Affero General Public License, version 3,
  25.  * along with this program. If not, see <http://www.gnu.org/licenses/>
  26.  *
  27.  */
  28. 

  29. namespace OC\Encryption;
  30. 

  31. use OC\Encryption\Exceptions\EncryptionHeaderKeyExistsException;
  32. use OC\Encryption\Exceptions\EncryptionHeaderToLargeException;
  33. use OC\Encryption\Exceptions\ModuleDoesNotExistsException;
  34. use OC\Files\Filesystem;
  35. use OC\Files\View;
  36. use OCP\Encryption\IEncryptionModule;
  37. use OCP\IConfig;
  38. use OCP\IUser;
  39. 

  40. class Util {
  41. 	public const HEADER_START = 'HBEGIN';
  42. 	public const HEADER_END = 'HEND';
  43. 	public const HEADER_PADDING_CHAR = '-';
  44. 

  45. 	public const HEADER_ENCRYPTION_MODULE_KEY = 'oc_encryption_module';
  46. 

  47. 	/**
  48. 	 * block size will always be 8192 for a PHP stream
  49. 	 * @see https://bugs.php.net/bug.php?id=21641
  50. 	 * @var integer
  51. 	 */
  52. 	protected $headerSize = 8192;
  53. 

  54. 	/**
  55. 	 * block size will always be 8192 for a PHP stream
  56. 	 * @see https://bugs.php.net/bug.php?id=21641
  57. 	 * @var integer
  58. 	 */
  59. 	protected $blockSize = 8192;
  60. 

  61. 	/** @var View */
  62. 	protected $rootView;
  63. 

  64. 	/** @var array */
  65. 	protected $ocHeaderKeys;
  66. 

  67. 	/** @var \OC\User\Manager */
  68. 	protected $userManager;
  69. 

  70. 	/** @var IConfig */
  71. 	protected $config;
  72. 

  73. 	/** @var array paths excluded from encryption */
  74. 	protected $excludedPaths;
  75. 

  76. 	/** @var \OC\Group\Manager $manager */
  77. 	protected $groupManager;
  78. 

  79. 	/**
  80. 	 *
  81. 	 * @param View $rootView
  82. 	 * @param \OC\User\Manager $userManager
  83. 	 * @param \OC\Group\Manager $groupManager
  84. 	 * @param IConfig $config
  85. 	 */
  86. 	public function __construct(
  87. 		View $rootView,
  88. 		\OC\User\Manager $userManager,
  89. 		\OC\Group\Manager $groupManager,
  90. 		IConfig $config) {
  91. 		$this->ocHeaderKeys = [
  92. 			self::HEADER_ENCRYPTION_MODULE_KEY
  93. 		];
  94. 

  95. 		$this->rootView = $rootView;
  96. 		$this->userManager = $userManager;
  97. 		$this->groupManager = $groupManager;
  98. 		$this->config = $config;
  99. 

  100. 		$this->excludedPaths[] = 'files_encryption';
  101. 		$this->excludedPaths[] = 'appdata_' . $config->getSystemValue('instanceid', null);
  102. 		$this->excludedPaths[] = 'files_external';
  103. 	}
  104. 

  105. 	/**
  106. 	 * read encryption module ID from header
  107. 	 *
  108. 	 * @param array $header
  109. 	 * @return string
  110. 	 * @throws ModuleDoesNotExistsException
  111. 	 */
  112. 	public function getEncryptionModuleId(array $header = null) {
  113. 		$id = '';
  114. 		$encryptionModuleKey = self::HEADER_ENCRYPTION_MODULE_KEY;
  115. 

  116. 		if (isset($header[$encryptionModuleKey])) {
  117. 			$id = $header[$encryptionModuleKey];
  118. 		} elseif (isset($header['cipher'])) {
  119. 			if (class_exists('\OCA\Encryption\Crypto\Encryption')) {
  120. 				// fall back to default encryption if the user migrated from

  121. 				// ownCloud <= 8.0 with the old encryption

  122. 				$id = \OCA\Encryption\Crypto\Encryption::ID;
  123. 			} else {
  124. 				throw new ModuleDoesNotExistsException('Default encryption module missing');
  125. 			}
  126. 		}
  127. 

  128. 		return $id;
  129. 	}
  130. 

  131. 	/**
  132. 	 * create header for encrypted file
  133. 	 *
  134. 	 * @param array $headerData
  135. 	 * @param IEncryptionModule $encryptionModule
  136. 	 * @return string
  137. 	 * @throws EncryptionHeaderToLargeException if header has to many arguments
  138. 	 * @throws EncryptionHeaderKeyExistsException if header key is already in use
  139. 	 */
  140. 	public function createHeader(array $headerData, IEncryptionModule $encryptionModule) {
  141. 		$header = self::HEADER_START . ':' . self::HEADER_ENCRYPTION_MODULE_KEY . ':' . $encryptionModule->getId() . ':';
  142. 		foreach ($headerData as $key => $value) {
  143. 			if (in_array($key, $this->ocHeaderKeys)) {
  144. 				throw new EncryptionHeaderKeyExistsException($key);
  145. 			}
  146. 			$header .= $key . ':' . $value . ':';
  147. 		}
  148. 		$header .= self::HEADER_END;
  149. 

  150. 		if (strlen($header) > $this->getHeaderSize()) {
  151. 			throw new EncryptionHeaderToLargeException();
  152. 		}
  153. 

  154. 		$paddedHeader = str_pad($header, $this->headerSize, self::HEADER_PADDING_CHAR, STR_PAD_RIGHT);
  155. 

  156. 		return $paddedHeader;
  157. 	}
  158. 

  159. 	/**
  160. 	 * go recursively through a dir and collect all files and sub files.
  161. 	 *
  162. 	 * @param string $dir relative to the users files folder
  163. 	 * @return array with list of files relative to the users files folder
  164. 	 */
  165. 	public function getAllFiles($dir) {
  166. 		$result = [];
  167. 		$dirList = [$dir];
  168. 

  169. 		while ($dirList) {
  170. 			$dir = array_pop($dirList);
  171. 			$content = $this->rootView->getDirectoryContent($dir);
  172. 

  173. 			foreach ($content as $c) {
  174. 				if ($c->getType() === 'dir') {
  175. 					$dirList[] = $c->getPath();
  176. 				} else {
  177. 					$result[] =  $c->getPath();
  178. 				}
  179. 			}
  180. 		}
  181. 

  182. 		return $result;
  183. 	}
  184. 

  185. 	/**
  186. 	 * check if it is a file uploaded by the user stored in data/user/files
  187. 	 * or a metadata file
  188. 	 *
  189. 	 * @param string $path relative to the data/ folder
  190. 	 * @return boolean
  191. 	 */
  192. 	public function isFile($path) {
  193. 		$parts = explode('/', Filesystem::normalizePath($path), 4);
  194. 		if (isset($parts[2]) && $parts[2] === 'files') {
  195. 			return true;
  196. 		}
  197. 		return false;
  198. 	}
  199. 

  200. 	/**
  201. 	 * return size of encryption header
  202. 	 *
  203. 	 * @return integer
  204. 	 */
  205. 	public function getHeaderSize() {
  206. 		return $this->headerSize;
  207. 	}
  208. 

  209. 	/**
  210. 	 * return size of block read by a PHP stream
  211. 	 *
  212. 	 * @return integer
  213. 	 */
  214. 	public function getBlockSize() {
  215. 		return $this->blockSize;
  216. 	}
  217. 

  218. 	/**
  219. 	 * get the owner and the path for the file relative to the owners files folder
  220. 	 *
  221. 	 * @param string $path
  222. 	 * @return array
  223. 	 * @throws \BadMethodCallException
  224. 	 */
  225. 	public function getUidAndFilename($path) {
  226. 		$parts = explode('/', $path);
  227. 		$uid = '';
  228. 		if (count($parts) > 2) {
  229. 			$uid = $parts[1];
  230. 		}
  231. 		if (!$this->userManager->userExists($uid)) {
  232. 			throw new \BadMethodCallException(
  233. 				'path needs to be relative to the system wide data folder and point to a user specific file'
  234. 			);
  235. 		}
  236. 

  237. 		$ownerPath = implode('/', array_slice($parts, 2));
  238. 

  239. 		return [$uid, Filesystem::normalizePath($ownerPath)];
  240. 	}
  241. 

  242. 	/**
  243. 	 * Remove .path extension from a file path
  244. 	 * @param string $path Path that may identify a .part file
  245. 	 * @return string File path without .part extension
  246. 	 * @note this is needed for reusing keys
  247. 	 */
  248. 	public function stripPartialFileExtension($path) {
  249. 		$extension = pathinfo($path, PATHINFO_EXTENSION);
  250. 

  251. 		if ($extension === 'part') {
  252. 			$newLength = strlen($path) - 5; // 5 = strlen(".part")

  253. 			$fPath = substr($path, 0, $newLength);
  254. 

  255. 			// if path also contains a transaction id, we remove it too

  256. 			$extension = pathinfo($fPath, PATHINFO_EXTENSION);
  257. 			if (substr($extension, 0, 12) === 'ocTransferId') { // 12 = strlen("ocTransferId")

  258. 				$newLength = strlen($fPath) - strlen($extension) -1;
  259. 				$fPath = substr($fPath, 0, $newLength);
  260. 			}
  261. 			return $fPath;
  262. 		} else {
  263. 			return $path;
  264. 		}
  265. 	}
  266. 

  267. 	public function getUserWithAccessToMountPoint($users, $groups) {
  268. 		$result = [];
  269. 		if (in_array('all', $users)) {
  270. 			$users = $this->userManager->search('', null, null);
  271. 			$result = array_map(function (IUser $user) {
  272. 				return $user->getUID();
  273. 			}, $users);
  274. 		} else {
  275. 			$result = array_merge($result, $users);
  276. 

  277. 			$groupManager = \OC::$server->getGroupManager();
  278. 			foreach ($groups as $group) {
  279. 				$groupObject = $groupManager->get($group);
  280. 				if ($groupObject) {
  281. 					$foundUsers = $groupObject->searchUsers('', -1, 0);
  282. 					$userIds = [];
  283. 					foreach ($foundUsers as $user) {
  284. 						$userIds[] = $user->getUID();
  285. 					}
  286. 					$result = array_merge($result, $userIds);
  287. 				}
  288. 			}
  289. 		}
  290. 

  291. 		return $result;
  292. 	}
  293. 

  294. 	/**
  295. 	 * check if the file is stored on a system wide mount point
  296. 	 * @param string $path relative to /data/user with leading '/'
  297. 	 * @param string $uid
  298. 	 * @return boolean
  299. 	 */
  300. 	public function isSystemWideMountPoint($path, $uid) {
  301. 		if (\OCP\App::isEnabled("files_external")) {
  302. 			$mounts = \OCA\Files_External\MountConfig::getSystemMountPoints();
  303. 			foreach ($mounts as $mount) {
  304. 				if (strpos($path, '/files/' . $mount['mountpoint']) === 0) {
  305. 					if ($this->isMountPointApplicableToUser($mount, $uid)) {
  306. 						return true;
  307. 					}
  308. 				}
  309. 			}
  310. 		}
  311. 		return false;
  312. 	}
  313. 

  314. 	/**
  315. 	 * check if mount point is applicable to user
  316. 	 *
  317. 	 * @param array $mount contains $mount['applicable']['users'], $mount['applicable']['groups']
  318. 	 * @param string $uid
  319. 	 * @return boolean
  320. 	 */
  321. 	private function isMountPointApplicableToUser($mount, $uid) {
  322. 		$acceptedUids = ['all', $uid];
  323. 		// check if mount point is applicable for the user

  324. 		$intersection = array_intersect($acceptedUids, $mount['applicable']['users']);
  325. 		if (!empty($intersection)) {
  326. 			return true;
  327. 		}
  328. 		// check if mount point is applicable for group where the user is a member

  329. 		foreach ($mount['applicable']['groups'] as $gid) {
  330. 			if ($this->groupManager->isInGroup($uid, $gid)) {
  331. 				return true;
  332. 			}
  333. 		}
  334. 		return false;
  335. 	}
  336. 

  337. 	/**
  338. 	 * check if it is a path which is excluded by ownCloud from encryption
  339. 	 *
  340. 	 * @param string $path
  341. 	 * @return boolean
  342. 	 */
  343. 	public function isExcluded($path) {
  344. 		$normalizedPath = Filesystem::normalizePath($path);
  345. 		$root = explode('/', $normalizedPath, 4);
  346. 		if (count($root) > 1) {
  347. 

  348. 			// detect alternative key storage root

  349. 			$rootDir = $this->getKeyStorageRoot();
  350. 			if ($rootDir !== '' &&
  351. 				0 === strpos(
  352. 					Filesystem::normalizePath($path),
  353. 					Filesystem::normalizePath($rootDir)
  354. 				)
  355. 			) {
  356. 				return true;
  357. 			}
  358. 

  359. 

  360. 			//detect system wide folders

  361. 			if (in_array($root[1], $this->excludedPaths)) {
  362. 				return true;
  363. 			}
  364. 

  365. 			// detect user specific folders

  366. 			if ($this->userManager->userExists($root[1])
  367. 				&& in_array($root[2], $this->excludedPaths)) {
  368. 				return true;
  369. 			}
  370. 		}
  371. 		return false;
  372. 	}
  373. 

  374. 	/**
  375. 	 * check if recovery key is enabled for user
  376. 	 *
  377. 	 * @param string $uid
  378. 	 * @return boolean
  379. 	 */
  380. 	public function recoveryEnabled($uid) {
  381. 		$enabled = $this->config->getUserValue($uid, 'encryption', 'recovery_enabled', '0');
  382. 

  383. 		return $enabled === '1';
  384. 	}
  385. 

  386. 	/**
  387. 	 * set new key storage root
  388. 	 *
  389. 	 * @param string $root new key store root relative to the data folder
  390. 	 */
  391. 	public function setKeyStorageRoot($root) {
  392. 		$this->config->setAppValue('core', 'encryption_key_storage_root', $root);
  393. 	}
  394. 

  395. 	/**
  396. 	 * get key storage root
  397. 	 *
  398. 	 * @return string key storage root
  399. 	 */
  400. 	public function getKeyStorageRoot() {
  401. 		return $this->config->getAppValue('core', 'encryption_key_storage_root', '');
  402. 	}
  403. }