Share keys not updated when group members change

[J0WI]

I run into a critical bug when a folder is shared with a group and group members are updated afterwards.

Steps to reproduce

1. disable master key
2. enable encryption
3. add a new group and at least two additional users
4. add yourself and one user to the new group
5. share a folder with some stuff with this group
   Note: *nextcloud data root*/*user*/files_encryption/keys/files/*folder*/*file*/OC_DEFAULT_MODULE/ contains the keys of all group members and data/admin/files/keys/files/*folder*/*file* is encrypted
6. add the second user to the group
7. remove the first user from the group or delete it

Expected behaviour

After step 7 and 8 the key files should have been updated.

Actual behaviour

The key files are not updated and users that have been added to the group after the folder has been shared are not able to access its content. If a user is removed from the group or deleted, its key file is not cleaned up. This results in a very confusing situation, that after deleting a user and creating a new one with the exact same name, you re not able to share any files again.
This does also happen if you reset the password of a user.

Workaround

The owner of the files has to unsahre all folders and reshare them again after groups memebers have been changed. This is a really bad behavior and not practicable. It's also potential insecure that obsolete keys are not removed.

@nextcloud/encryption is it save to remove any obsolete user.shareKey by hand?

Server configuration

Operating system: any

Web server: any

Database: any

PHP version: 7.3

Nextcloud version: 18

Updated from an older Nextcloud/ownCloud or fresh install: fresh (just for this testcase))

Where did you install Nextcloud from: source

Are you using encryption: yes

[yahesh]

We ran into this problem back in 2017 when we evaluated server-side-encryption but thought that this had to do with using an LDAP backend for the group definitions. I guess this problem stems from the fact that Nextcloud uses openssl_seal() internally to encrypt the file key. Thus, whenever a file/folder is shared, the file key is sealed for all recipient. When the file/folder is unshared, the corresponding file keys would have to be re-sealed which is quite CPU-intensive due to the RSA encryptions taking place underneath. Back then, using the user-key encryption proved to not be practical due to this problem.