Merge pull request #27726 from nextcloud/backport/27638/stable22

PVince81 · web-flow · commit 28a21048ac28 · 2021-06-30T16:56:26.000+02:00
[stable22] Downstream encryption:fix-encrypted-version for repairing "bad signature" errors
diff --git a/apps/encryption/appinfo/info.xml b/apps/encryption/appinfo/info.xml
@@ -45,6 +45,7 @@
 		<command>OCA\Encryption\Command\DisableMasterKey</command>
 		<command>OCA\Encryption\Command\RecoverUser</command>
 		<command>OCA\Encryption\Command\ScanLegacyFormat</command>
+		<command>OCA\Encryption\Command\FixEncryptedVersion</command>
 	</commands>
 
 	<settings>
diff --git a/apps/encryption/composer/composer/autoload_classmap.php b/apps/encryption/composer/composer/autoload_classmap.php
@@ -10,6 +10,7 @@
     'OCA\\Encryption\\AppInfo\\Application' => $baseDir . '/../lib/AppInfo/Application.php',
     'OCA\\Encryption\\Command\\DisableMasterKey' => $baseDir . '/../lib/Command/DisableMasterKey.php',
     'OCA\\Encryption\\Command\\EnableMasterKey' => $baseDir . '/../lib/Command/EnableMasterKey.php',
+    'OCA\\Encryption\\Command\\FixEncryptedVersion' => $baseDir . '/../lib/Command/FixEncryptedVersion.php',
     'OCA\\Encryption\\Command\\RecoverUser' => $baseDir . '/../lib/Command/RecoverUser.php',
     'OCA\\Encryption\\Command\\ScanLegacyFormat' => $baseDir . '/../lib/Command/ScanLegacyFormat.php',
     'OCA\\Encryption\\Controller\\RecoveryController' => $baseDir . '/../lib/Controller/RecoveryController.php',
diff --git a/apps/encryption/composer/composer/autoload_static.php b/apps/encryption/composer/composer/autoload_static.php
@@ -25,6 +25,7 @@ class ComposerStaticInitEncryption
         'OCA\\Encryption\\AppInfo\\Application' => __DIR__ . '/..' . '/../lib/AppInfo/Application.php',
         'OCA\\Encryption\\Command\\DisableMasterKey' => __DIR__ . '/..' . '/../lib/Command/DisableMasterKey.php',
         'OCA\\Encryption\\Command\\EnableMasterKey' => __DIR__ . '/..' . '/../lib/Command/EnableMasterKey.php',
+        'OCA\\Encryption\\Command\\FixEncryptedVersion' => __DIR__ . '/..' . '/../lib/Command/FixEncryptedVersion.php',
         'OCA\\Encryption\\Command\\RecoverUser' => __DIR__ . '/..' . '/../lib/Command/RecoverUser.php',
         'OCA\\Encryption\\Command\\ScanLegacyFormat' => __DIR__ . '/..' . '/../lib/Command/ScanLegacyFormat.php',
         'OCA\\Encryption\\Controller\\RecoveryController' => __DIR__ . '/..' . '/../lib/Controller/RecoveryController.php',
diff --git a/apps/encryption/lib/Command/FixEncryptedVersion.php b/apps/encryption/lib/Command/FixEncryptedVersion.php
@@ -0,0 +1,286 @@
+<?php
+/**
+ * @author Sujith Haridasan <sharidasan@owncloud.com>
+ * @author Ilja Neumann <ineumann@owncloud.com>
+ *
+ * @copyright Copyright (c) 2019, ownCloud GmbH
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OCA\Encryption\Command;
+
+use OC\Files\View;
+use OC\HintException;
+use OCA\Encryption\Util;
+use OCP\Files\IRootFolder;
+use OCP\IConfig;
+use OCP\ILogger;
+use OCP\IUserManager;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class FixEncryptedVersion extends Command {
+	/** @var IConfig */
+	private $config;
+
+	/** @var ILogger */
+	private $logger;
+
+	/** @var IRootFolder  */
+	private $rootFolder;
+
+	/** @var IUserManager  */
+	private $userManager;
+
+	/** @var Util */
+	private $util;
+
+	/** @var View  */
+	private $view;
+
+	public function __construct(
+		IConfig $config,
+		ILogger $logger,
+		IRootFolder $rootFolder,
+		IUserManager $userManager,
+		Util $util,
+		View $view
+	) {
+		$this->config = $config;
+		$this->logger = $logger;
+		$this->rootFolder = $rootFolder;
+		$this->userManager = $userManager;
+		$this->util = $util;
+		$this->view = $view;
+		parent::__construct();
+	}
+
+	protected function configure(): void {
+		parent::configure();
+
+		$this
+			->setName('encryption:fix-encrypted-version')
+			->setDescription('Fix the encrypted version if the encrypted file(s) are not downloadable.')
+			->addArgument(
+				'user',
+				InputArgument::REQUIRED,
+				'The id of the user whose files need fixing'
+			)->addOption(
+				'path',
+				'p',
+				InputArgument::OPTIONAL,
+				'Limit files to fix with path, e.g., --path="/Music/Artist". If path indicates a directory, all the files inside directory will be fixed.'
+			);
+	}
+
+	/**
+	 * @param InputInterface $input
+	 * @param OutputInterface $output
+	 * @return int
+	 */
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		$skipSignatureCheck = $this->config->getSystemValue('encryption_skip_signature_check', false);
+
+		if ($skipSignatureCheck) {
+			$output->writeln("<error>Repairing is not possible when \"encryption_skip_signature_check\" is set. Please disable this flag in the configuration.</error>\n");
+			return 1;
+		}
+
+		if (!$this->util->isMasterKeyEnabled()) {
+			$output->writeln("<error>Repairing only works with master key encryption.</error>\n");
+			return 1;
+		}
+
+		$user = (string)$input->getArgument('user');
+		$pathToWalk = "/$user/files";
+
+		/**
+		 * trim() returns an empty string when the argument is an unset/null
+		 */
+		$pathOption = \trim($input->getOption('path'), '/');
+		if ($pathOption !== "") {
+			$pathToWalk = "$pathToWalk/$pathOption";
+		}
+
+		if ($user === null) {
+			$output->writeln("<error>No user id provided.</error>\n");
+			return 1;
+		}
+
+		if ($this->userManager->get($user) === null) {
+			$output->writeln("<error>User id $user does not exist. Please provide a valid user id</error>");
+			return 1;
+		}
+		return $this->walkPathOfUser($user, $pathToWalk, $output);
+	}
+
+	/**
+	 * @param string $user
+	 * @param string $path
+	 * @param OutputInterface $output
+	 * @return int 0 for success, 1 for error
+	 */
+	private function walkPathOfUser($user, $path, OutputInterface $output): int {
+		$this->setupUserFs($user);
+		if (!$this->view->file_exists($path)) {
+			$output->writeln("<error>Path \"$path\" does not exist. Please provide a valid path.</error>");
+			return 1;
+		}
+
+		if ($this->view->is_file($path)) {
+			$output->writeln("Verifying the content of file \"$path\"");
+			$this->verifyFileContent($path, $output);
+			return 0;
+		}
+		$directories = [];
+		$directories[] = $path;
+		while ($root = \array_pop($directories)) {
+			$directoryContent = $this->view->getDirectoryContent($root);
+			foreach ($directoryContent as $file) {
+				$path = $root . '/' . $file['name'];
+				if ($this->view->is_dir($path)) {
+					$directories[] = $path;
+				} else {
+					$output->writeln("Verifying the content of file \"$path\"");
+					$this->verifyFileContent($path, $output);
+				}
+			}
+		}
+		return 0;
+	}
+
+	/**
+	 * @param string $path
+	 * @param OutputInterface $output
+	 * @param bool $ignoreCorrectEncVersionCall, setting this variable to false avoids recursion
+	 */
+	private function verifyFileContent($path, OutputInterface $output, $ignoreCorrectEncVersionCall = true): bool {
+		try {
+			/**
+			 * In encryption, the files are read in a block size of 8192 bytes
+			 * Read block size of 8192 and a bit more (808 bytes)
+			 * If there is any problem, the first block should throw the signature
+			 * mismatch error. Which as of now, is enough to proceed ahead to
+			 * correct the encrypted version.
+			 */
+			$handle = $this->view->fopen($path, 'rb');
+
+			if (\fread($handle, 9001) !== false) {
+				$output->writeln("<info>The file \"$path\" is: OK</info>");
+			}
+
+			\fclose($handle);
+
+			return true;
+		} catch (HintException $e) {
+			$this->logger->warning("Issue: " . $e->getMessage());
+			//If allowOnce is set to false, this becomes recursive.
+			if ($ignoreCorrectEncVersionCall === true) {
+				//Lets rectify the file by correcting encrypted version
+				$output->writeln("<info>Attempting to fix the path: \"$path\"</info>");
+				return $this->correctEncryptedVersion($path, $output);
+			}
+			return false;
+		}
+	}
+
+	/**
+	 * @param string $path
+	 * @param OutputInterface $output
+	 * @return bool
+	 */
+	private function correctEncryptedVersion($path, OutputInterface $output): bool {
+		$fileInfo = $this->view->getFileInfo($path);
+		if (!$fileInfo) {
+			$output->writeln("<warning>File info not found for file: \"$path\"</warning>");
+			return true;
+		}
+		$fileId = $fileInfo->getId();
+		$encryptedVersion = $fileInfo->getEncryptedVersion();
+		$wrongEncryptedVersion = $encryptedVersion;
+
+		$storage = $fileInfo->getStorage();
+
+		$cache = $storage->getCache();
+		$fileCache = $cache->get($fileId);
+		if (!$fileCache) {
+			$output->writeln("<warning>File cache entry not found for file: \"$path\"</warning>");
+			return true;
+		}
+
+		if ($storage->instanceOfStorage('OCA\Files_Sharing\ISharedStorage')) {
+			$output->writeln("<info>The file: \"$path\" is a share. Please also run the script for the owner of the share</info>");
+			return true;
+		}
+
+		// Save original encrypted version so we can restore it if decryption fails with all version
+		$originalEncryptedVersion = $encryptedVersion;
+		if ($encryptedVersion >= 0) {
+			//test by decrementing the value till 1 and if nothing works try incrementing
+			$encryptedVersion--;
+			while ($encryptedVersion > 0) {
+				$cacheInfo = ['encryptedVersion' => $encryptedVersion, 'encrypted' => $encryptedVersion];
+				$cache->put($fileCache->getPath(), $cacheInfo);
+				$output->writeln("<info>Decrement the encrypted version to $encryptedVersion</info>");
+				if ($this->verifyFileContent($path, $output, false) === true) {
+					$output->writeln("<info>Fixed the file: \"$path\" with version " . $encryptedVersion . "</info>");
+					return true;
+				}
+				$encryptedVersion--;
+			}
+
+			//So decrementing did not work. Now lets increment. Max increment is till 5
+			$increment = 1;
+			while ($increment <= 5) {
+				/**
+				 * The wrongEncryptedVersion would not be incremented so nothing to worry about here.
+				 * Only the newEncryptedVersion is incremented.
+				 * For example if the wrong encrypted version is 4 then
+				 * cycle1 -> newEncryptedVersion = 5 ( 4 + 1)
+				 * cycle2 -> newEncryptedVersion = 6 ( 4 + 2)
+				 * cycle3 -> newEncryptedVersion = 7 ( 4 + 3)
+				 */
+				$newEncryptedVersion = $wrongEncryptedVersion + $increment;
+
+				$cacheInfo = ['encryptedVersion' => $newEncryptedVersion, 'encrypted' => $newEncryptedVersion];
+				$cache->put($fileCache->getPath(), $cacheInfo);
+				$output->writeln("<info>Increment the encrypted version to $newEncryptedVersion</info>");
+				if ($this->verifyFileContent($path, $output, false) === true) {
+					$output->writeln("<info>Fixed the file: \"$path\" with version " . $newEncryptedVersion . "</info>");
+					return true;
+				}
+				$increment++;
+			}
+		}
+
+		$cacheInfo = ['encryptedVersion' => $originalEncryptedVersion, 'encrypted' => $originalEncryptedVersion];
+		$cache->put($fileCache->getPath(), $cacheInfo);
+		$output->writeln("<info>No fix found for \"$path\", restored version to original: $originalEncryptedVersion</info>");
+
+		return false;
+	}
+
+	/**
+	 * Setup user file system
+	 * @param string $uid
+	 */
+	private function setupUserFs($uid): void {
+		\OC_Util::tearDownFS();
+		\OC_Util::setupFS($uid);
+	}
+}
diff --git a/apps/encryption/tests/Command/FixEncryptedVersionTest.php b/apps/encryption/tests/Command/FixEncryptedVersionTest.php
