From d4f2d9b7d8d22aa3d87e13078d8804b0d20bebb0 Mon Sep 17 00:00:00 2001 From: summersab Date: Sun, 11 Jul 2021 10:33:35 -0500 Subject: [PATCH] support for per-user encryption Signed-off-by: summersab --- lib/Settings/Admin.php | 6 +++++- lib/UserBackend.php | 31 +++++++++++++++++++++++++++++++ tests/unit/Settings/AdminTest.php | 5 +++++ 3 files changed, 41 insertions(+), 1 deletion(-) diff --git a/lib/Settings/Admin.php b/lib/Settings/Admin.php index 5ed13dc03..784b350b4 100644 --- a/lib/Settings/Admin.php +++ b/lib/Settings/Admin.php @@ -131,7 +131,11 @@ public function getForm() { 'type' => 'line', 'required' => true, ], - + 'user_secret_mapping' => [ + 'text' => $this->l10n->t('Attribute to use as user secret e.g. for the encryption app.'), + 'type' => 'line', + 'required' => false, + ], ]; $selectedNameIdFormat = $this->config->getAppValue('user_saml', 'sp-name-id-format', Constants::NAMEID_UNSPECIFIED); diff --git a/lib/UserBackend.php b/lib/UserBackend.php index 6dd1a36ee..ad54c280f 100644 --- a/lib/UserBackend.php +++ b/lib/UserBackend.php @@ -143,6 +143,12 @@ public function createUserIfNotExists($uid, array $attributes = array()) { } $qb->execute(); + // If we use per-user encryption the keys must be initialized first + $userSecret = $this->getUserSecret($uid, $attributes); + if ($userSecret !== null) { + // Emit a post login action to initialize the encryption module with the user secret provided by the idp. + \OC_Hook::emit('OC_User', 'post_login', ['run' => true, 'uid' => $uid, 'password' => $userSecret, 'isTokenLogin' => false]); + } $this->initializeHomeDir($uid); } @@ -502,6 +508,16 @@ public function getCurrentUserId() { return ''; } + /** + * Optionally returns a stable per-user secret. This secret is for + * instance used to secure file encryption keys. + * @return string|null + * @since 23.0.0 + */ + public function getCurrentUserSecret() { + $samlData = $this->session->get('user_saml.samlUserData'); + return $this->getUserSecret($this->getCurrentUserId(), $samlData); + } /** * Backend name to be shown in user management @@ -600,6 +616,21 @@ private function getAttributeArrayValue($name, array $attributes) { return $value; } + private function getUserSecret($uid, array $attributes) { + try { + $userSecret = $this->getAttributeValue('saml-attribute-mapping-user_secret_mapping', $attributes); + if ($userSecret === '') { + $this->logger->debug('Got no user_secret from idp', ['app' => 'user_saml']); + } else { + $this->logger->debug('Got user_secret from idp', ['app' => 'user_saml']); + return $userSecret; + } + } catch (\InvalidArgumentException $e) { + $this->logger->debug('No user_secret mapping configured', ['app' => 'user_saml']); + } + return null; + } + public function updateAttributes($uid, array $attributes) { $user = $this->userManager->get($uid); diff --git a/tests/unit/Settings/AdminTest.php b/tests/unit/Settings/AdminTest.php index 7a97eb88e..5320ac6f3 100644 --- a/tests/unit/Settings/AdminTest.php +++ b/tests/unit/Settings/AdminTest.php @@ -140,6 +140,11 @@ public function formDataProvider() { 'type' => 'line', 'required' => true, ], + 'user_secret_mapping' => [ + 'text' => $this->l10n->t('Attribute to use as user secret e.g. for the encryption app.'), + 'type' => 'line', + 'required' => false, + ], ]; $nameIdFormats = [