IApacheBackend Bug #23899

Closed
GitHubUser4234 opened this Issue Apr 11, 2016 · 14 comments


@GitHubUser4234

A bug has been found in the IApacheBackend API on ownCloud 8.2.1 which only occurs for new users who never logged in by username/password before. It is suspected that an initial username/password login triggers crucial initializations that the IApacheBackend API doesn't. A simple testing app has been uploaded to facilitate reproducing the problem and to show in a crystal clear way that it is in fact a core bug: https://github.com/GitHubUser4234/apps/tree/master/user_dp

Steps to reproduce

  1. Login as ownCloud admin.
  2. Create user "dep_tester123".
  3. Logout.
  4. Install and enable the testing app.
  5. Access ownCloud, e.g. http://xxxxxxxxxx/owncloud/ , it fails!
  6. See error in ownCloud log.

The error goes away when "dep_tester123" does an initial login/logout:

  1. Delete browser cookies.
  2. Uninstall this app.
  3. Login as "dep_tester123"
  4. Logout.
  5. Install and enable the testing app.
  6. Access ownCloud, e.g. http://xxxxxxxxxx/owncloud/ , it is successful!
  7. See that there is no more error in ownCloud log.

Server configuration

Operating system: RHEL 5

Web server: Apache 2.2

Database: MySQL

PHP version: 5.6

ownCloud version: 8.2.1

Updated from an older ownCloud or fresh install: No

@DeepDiver1975 DeepDiver1975 added this to the 9.1-current milestone Apr 11, 2016
@DeepDiver1975 DeepDiver1975 self-assigned this Apr 11, 2016
@DeepDiver1975 DeepDiver1975 added the bug label Apr 11, 2016
@DeepDiver1975 DeepDiver1975 added a commit that referenced this issue Apr 11, 2016
@DeepDiver1975 DeepDiver1975 Fixes #23899 bab5514
@GitHubUser4234

Thanks for the fix. I hope this is working for 9.1, as when applying it to 8.2.1, another error appears:

GUI:

image

In the logs:

{"reqId":"6Qcyhehckgykd0cGJJCk","remoteAddr":"xxx.xxx.xxx.xxx","app":"files_skeleton","message":"copying skeleton for dep_tester123 from /owncloud/core/skeleton to /dep_tester123/files/","level":0,"time":"2016-04-11T18:16:19+01:00","method":"GET","url":"/owncloud/index.php?redirect_url=%2Fowncloud%2Findex.php%2Fapps%2Ffiles%2F"}
{"reqId":"6Qcyhehckgykd0cGJJCk","remoteAddr":"xxx.xxx.xxx.xxx","app":"handleLogin","message":"Exception: {"Exception":"OCA\Encryption\Exceptions\PrivateKeyMissingException","Message":"Private Key missing for user: please try to log-out and log-in again","Code":0,"Trace":"#0 \/owncloud\/apps\/encryption\/lib\/keymanager.php(400): OCA\Encryption\Session->getPrivateKey()\n#1 \/owncloud\/apps\/encryption\/lib\/crypto\/encryption.php(172): OCA\Encryption\KeyManager->getFileKey('\/dep_tester123\/...', 'dep_tester123')\n#2 \/owncloud\/lib\/private\/files\/stream\/encryption.php(248): OCA\Encryption\Crypto\Encryption->begin('\/dep_tester123\/...', 'dep_tester123', 'w', Array, Array)\n#3 [internal function]: OC\Files\Stream\Encryption->stream_open('ocencryption:\/\/', 'w', 0, NULL)\n#4 \/owncloud\/lib\/private\/files\/stream\/encryption.php(188): fopen('ocencryption:\/\/', 'w', false, Resource id #537)\n#5 \/owncloud\/lib\/private\/files\/stream\/encryption.php(170): OC\Files\Stream\Encryption::wrapSource(Resource id #533, 'w', Resource id #537, 'ocencryption', 'OC\\Files\\Stream...')\n#6 \/owncloud\/lib\/private\/files\/storage\/wrapper\/encryption.php(409): OC\Files\Stream\Encryption::wrap(Resource id #533, 'files\/Documents...', '\/dep_tester123\/...', Array, 'dep_tester123', Object(OCA\Encryption\Crypto\Encryption), Object(OC\Files\Storage\Home), Object(OC\Files\Storage\Wrapper\Encryption), Object(OC\Encryption\Util), Object(OC\Encryption\File), 'w', 0, 0, 0)\n#7 \/owncloud\/lib\/private\/files\/storage\/wrapper\/wrapper.php(286): OC\Files\Storage\Wrapper\Encryption->fopen('files\/Documents...', 'w')\n#8 \/owncloud\/lib\/private\/files\/view.php(1021): OC\Files\Storage\Wrapper\Wrapper->fopen('files\/Documents...', 'w')\n#9 \/owncloud\/lib\/private\/files\/view.php(871): OC\Files\View->basicOperation('fopen', '\/dep_tester123\/...', Array, 'w')\n#10 \/owncloud\/lib\/private\/files\/node\/file.php(91): OC\Files\View->fopen('\/dep_tester123\/...', 'w')\n#11 
\/owncloud\/lib\/private\/util.php(321): OC\Files\Node\File->fopen('w')\n#12 \/owncloud\/lib\/private\/util.php(318): OC_Util::copyr('\/owncloud\/apps\/encr...', Object(OC\Files\Node\Folder))\n#13 \/owncloud\/lib\/private\/util.php(299): OC_Util::copyr('\/owncloud\/apps\/encr...', Object(OC\Files\Node\Folder))\n#14 \/owncloud\/lib\/private\/files\/node\/root.php(347): OC_Util::copySkeleton('dep_tester123', Object(OC\Files\Node\Folder))\n#15 \/owncloud\/lib\/private\/server.php(617): OC\Files\Node\Root->getUserFolder('dep_tester123')\n#16 \/owncloud\/lib\/private\/user.php(293): OC\Server->getUserFolder('dep_tester123')\n#17 \/owncloud\/lib\/private\/user.php(319): OC_User::loginWithApache(Object(OCA\User_Dp\Dp))\n#18 \/owncloud\/lib\/base.php(982): OC_User::handleApacheAuth()\n#19 \/owncloud\/lib\/base.php(941): OC::tryApacheAuth()\n#20 \/owncloud\/lib\/base.php(909): OC::handleLogin()\n#21 \/owncloud\/index.php(39): OC::handleRequest()\n#22 {main}","File":"\/owncloud\/apps\/encryption\/lib\/session.php","Line":78}","level":3,"time":"2016-04-11T18:16:19+01:00","method":"GET","url":"/owncloud/index.php?redirect_url=%2Fowncloud%2Findex.php%2Fapps%2Ffiles%2F"}

More info:

The error only happens on a user's first access through the IApacheBackend, from the second access onwards it works.
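A log triage sketch for the failure reported in the comment above, added here as an example and not part of the original thread or of ownCloud: it uses the shared `reqId` to pair a `files_skeleton` entry with a `PrivateKeyMissingException` raised on the `loginWithApache` path. The function name, the user names and the sample log lines are constructed for illustration.

```python
import json
import re

SKELETON_RE = re.compile(r"copying skeleton for (\S+) from ")

def find_sso_key_failures(lines):
    """Users whose first-access skeleton copy failed with
    PrivateKeyMissingException on the Apache (SSO) login path."""
    user_by_req, failed_reqs = {}, set()
    for raw in lines:
        try:
            entry = json.loads(raw)
        except ValueError:
            continue  # not a well-formed JSON log line; skip it
        if not isinstance(entry, dict):
            continue
        msg, req = str(entry.get("message", "")), entry.get("reqId")
        match = SKELETON_RE.search(msg)
        if entry.get("app") == "files_skeleton" and match:
            user_by_req[req] = match.group(1)
        elif ("PrivateKeyMissingException" in msg
              and "loginWithApache" in msg):
            failed_reqs.add(req)
    # Correlate both entries of one request through the shared reqId.
    return sorted({user_by_req[r] for r in failed_reqs if r in user_by_req})

def _line(req, app, level, message):
    return json.dumps({"reqId": req, "app": app, "level": level,
                       "message": message})

# Constructed sample log (hypothetical users, shortened traces).
_EXC = ('Exception: {"Exception":"OCA\\Encryption\\Exceptions\\'
        'PrivateKeyMissingException","Trace":"#17 OC_User::%s(...)"}')
SAMPLE_LOG = [
    _line("req-A", "files_skeleton", 0,
          "copying skeleton for alice from /owncloud/core/skeleton to /alice/files/"),
    _line("req-A", "handleLogin", 3, _EXC % "loginWithApache"),
    _line("req-B", "files_skeleton", 0,
          "copying skeleton for bob from /owncloud/core/skeleton to /bob/files/"),
    _line("req-C", "files_skeleton", 0,
          "copying skeleton for carol from /owncloud/core/skeleton to /carol/files/"),
    _line("req-C", "handleLogin", 3, _EXC % "login"),  # password path
    "truncated, not JSON",
]

if __name__ == "__main__":
    print(find_sso_key_failures(SAMPLE_LOG))
```
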

@DeepDiver1975
Member

Single-Sign-On and encryption don't work together - this is an unsupported scenario

@GitHubUser4234

Sorry, that's not correct, since OC 8.2, encryption was in fact changed to support SSO:

> In ownCloud 8.2 the server-side encryption has a number of changes and improvements, including:
>
>   • An option to create a master encryption key, which replaces all individual user keys. This is especially useful for single-sign on.

https://doc.owncloud.org/server/8.2/admin_manual/configuration_files/encryption_configuration.html

@DeepDiver1975
Member

> Sorry, that's not correct, since OC 8.2, encryption was in fact changed to support SSO:

So why don't you follow the docs and configure it properly?

@GitHubUser4234

Thanks for the allegation that I didn't. Encryption works well and should be configured correctly already.

The fact that the error only happens on a user's first access through the IApacheBackend, and works from the second access onwards, does rather point to some flaw in the initialization, don't you think?

@DeepDiver1975
Member

"Private Key missing for user: please try to log-out and log-in again"

This error message shows that the private key does not exist.
The private key can only be created if the user is logging in with his password.
SSO has no password and as a result encryption does not work.

Encryption and SSO will only work if you use the master key - https://doc.owncloud.org/server/8.2/admin_manual/configuration_server/occ_command.html#encryption

 encryption:enable-master-key         Enable the master key. Only available
                                      for fresh installations with no existing
                                      encrypted data! There is also no way to
                                      disable it again.
@GitHubUser4234

Yeah, I know, we have that running since January, e.g. see #21598

Meaning that even with master key enabled, the error occurs.

@DeepDiver1975
Member

But #21598 was fixed with 8.2.3 and you say you are running 8.2.1 - so it might work once you upgrade?

@GitHubUser4234

@DeepDiver1975 : Uhm, the link was merely for demonstration purposes to show that

a) I have master key enabled since that master key related issue had been reported by me in January
b) A "private key is missing" error can in fact occur in a setting where master key is enabled

Not saying that it would fix this issue.

@GitHubUser4234

@DeepDiver1975 : But when looking at the commit of #21612, it potentially could fix it. Let me try to patch it in, I'll report back.

@GitHubUser4234

@DeepDiver1975 : Tried it out, unfortunately the error stays the same. It dies in /owncloud/apps/encryption/lib/keymanager.php:

$privateKey = $this->session->getPrivateKey();

@butonic
Member
butonic commented Apr 19, 2016

related: #19656

@GitHubUser4234
GitHubUser4234 commented Apr 19, 2016 edited

@DeepDiver1975 : The problem isn't fixed yet when enabling encryption. But as this is closed now without considering the outstanding problem, a new issue will be opened.

@DeepDiver1975
Member

> The problem isn't fixed yet when enabling encryption.

This is a problem of its own and has to be handled in an issue of its own. THX

@schiessle schiessle added a commit that referenced this issue May 3, 2016
@DeepDiver1975 @schiessle DeepDiver1975 + schiessle Fixes #23899 f9aef7a
@schiessle schiessle added a commit that referenced this issue May 3, 2016
@DeepDiver1975 @schiessle DeepDiver1975 + schiessle Fixes #23899 a3a5307