SSO + masterkey encryption issue for new users #24182

Closed
GitHubUser4234 opened this Issue Apr 22, 2016 · 30 comments

5 participants

@GitHubUser4234
GitHubUser4234 commented Apr 22, 2016 edited

As mentioned in #23899 , there is an internal error for new users logging in through SSO when masterkey encryption is enabled.

Steps to reproduce

Link to the testing app

  1. Login as ownCloud admin.
  2. Create user "dep_tester123".
  3. Logout.
  4. Install and enable the testing app.
  5. Access ownCloud, e.g. http://xxxxxxxxxx/owncloud/ , it fails with "internal error"
  6. See error in ownCloud log.

The error goes away when "dep_tester123" repeats the SSO:

  1. Delete browser cookies & close browser.
  2. Access ownCloud, e.g. http://xxxxxxxxxx/owncloud/ , it is successful.

What happens in the GUI:

What happens in the logs:

{"reqId":"6Qcyhehckgykd0cGJJCk","remoteAddr":"xxx.xxx.xxx.xxx","app":"files_skeleton","message":"copying skeleton for dep_tester123 from \/owncloud\/core\/skeleton to \/dep_tester123\/files\/","level":0,"time":"2016-04-11T18:16:19+01:00","method":"GET","url":"\/owncloud\/index.php?redirect_url=%2Fowncloud%2Findex.php%2Fapps%2Ffiles%2F"}
{"reqId":"6Qcyhehckgykd0cGJJCk","remoteAddr":"xxx.xxx.xxx.xxx","app":"handleLogin","message":"Exception: {\"Exception\":\"OCA\Encryption\Exceptions\PrivateKeyMissingException\",\"Message\":\"Private Key missing for user: please try to log-out and log-in again\",\"Code\":0,\"Trace\":\"#0 \\\/owncloud\\\/apps\\\/encryption\\\/lib\\\/keymanager.php(400): OCA\Encryption\Session->getPrivateKey()
#1 \\\/owncloud\\\/apps\\\/encryption\\\/lib\\\/crypto\\\/encryption.php(172): OCA\Encryption\KeyManager->getFileKey('\\\/dep_tester123\\\/...', 'dep_tester123')
#2 \\\/owncloud\\\/lib\\\/private\\\/files\\\/stream\\\/encryption.php(248): OCA\Encryption\Crypto\Encryption->begin('\\\/dep_tester123\\\/...', 'dep_tester123', 'w', Array, Array)
#3 [internal function]: OC\Files\Stream\Encryption->stream_open('ocencryption:\\\/\\\/', 'w', 0, NULL)
#4 \\\/owncloud\\\/lib\\\/private\\\/files\\\/stream\\\/encryption.php(188): fopen('ocencryption:\\\/\\\/', 'w', false, Resource id #537)
#5 \\\/owncloud\\\/lib\\\/private\\\/files\\\/stream\\\/encryption.php(170): OC\Files\Stream\Encryption::wrapSource(Resource id #533, 'w', Resource id #537, 'ocencryption', 'OC\\Files\\Stream...')
#6 \\\/owncloud\\\/lib\\\/private\\\/files\\\/storage\\\/wrapper\\\/encryption.php(409): OC\Files\Stream\Encryption::wrap(Resource id #533, 'files\\\/Documents...', '\\\/dep_tester123\\\/...', Array, 'dep_tester123', Object(OCA\Encryption\Crypto\Encryption), Object(OC\Files\Storage\Home), Object(OC\Files\Storage\Wrapper\Encryption), Object(OC\Encryption\Util), Object(OC\Encryption\File), 'w', 0, 0, 0)
#7 \\\/owncloud\\\/lib\\\/private\\\/files\\\/storage\\\/wrapper\\\/wrapper.php(286): OC\Files\Storage\Wrapper\Encryption->fopen('files\\\/Documents...', 'w')
#8 \\\/owncloud\\\/lib\\\/private\\\/files\\\/view.php(1021): OC\Files\Storage\Wrapper\Wrapper->fopen('files\\\/Documents...', 'w')
#9 \\\/owncloud\\\/lib\\\/private\\\/files\\\/view.php(871): OC\Files\View->basicOperation('fopen', '\\\/dep_tester123\\\/...', Array, 'w')
#10 \\\/owncloud\\\/lib\\\/private\\\/files\\\/node\\\/file.php(91): OC\Files\View->fopen('\\\/dep_tester123\\\/...', 'w')
#11 \\\/owncloud\\\/lib\\\/private\\\/util.php(321): OC\Files\Node\File->fopen('w')
#12 \\\/owncloud\\\/lib\\\/private\\\/util.php(318): OC_Util::copyr('\\\/owncloud\\\/apps\\\/encr...', Object(OC\Files\Node\Folder))
#13 \\\/owncloud\\\/lib\\\/private\\\/util.php(299): OC_Util::copyr('\\\/owncloud\\\/apps\\\/encr...', Object(OC\Files\Node\Folder))
#14 \\\/owncloud\\\/lib\\\/private\\\/files\\\/node\\\/root.php(347): OC_Util::copySkeleton('dep_tester123', Object(OC\Files\Node\Folder))
#15 \\\/owncloud\\\/lib\\\/private\\\/server.php(617): OC\Files\Node\Root->getUserFolder('dep_tester123')
#16 \\\/owncloud\\\/lib\\\/private\\\/user.php(293): OC\Server->getUserFolder('dep_tester123')
#17 \\\/owncloud\\\/lib\\\/private\\\/user.php(319): OC_User::loginWithApache(Object(OCA\User_Dp\Dp))
#18 \\\/owncloud\\\/lib\\\/base.php(982): OC_User::handleApacheAuth()
#19 \\\/owncloud\\\/lib\\\/base.php(941): OC::tryApacheAuth()
#20 \\\/owncloud\\\/lib\\\/base.php(909): OC::handleLogin()
#21 \\\/owncloud\\\/index.php(39): OC::handleRequest()
#22 {main}\",\"File\":\"\\\/owncloud\\\/apps\\\/encryption\\\/lib\\\/session.php\",\"Line\":78}","level":3,"time":"2016-04-11T18:16:19+01:00","method":"GET","url":"\/owncloud\/index.php?redirect_url=%2Fowncloud%2Findex.php%2Fapps%2Ffiles%2F"}

Server configuration

Operating system: RHEL 5

Web server: Apache 2.2

Database: MySQL

PHP version: 5.6

ownCloud version: 8.2.1

Updated from an older ownCloud or fresh install: No
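As an added example (not part of this issue or of ownCloud's own code), a small triage script over owncloud.log lines in the JSON-per-line format quoted above: it groups entries by reqId and flags requests where a new user's home was just initialised (the files_skeleton copy) and the same request then failed with PrivateKeyMissingException, which separates this issue's new-user case from the stale-session case (existing user who simply needs to re-login) discussed later in the thread. The sample log lines, reqIds, user names and addresses are constructed.

```python
import json
import re

KEY_MISSING = "OCA\\Encryption\\Exceptions\\PrivateKeyMissingException"
SKELETON_RE = re.compile(r"^copying skeleton for (\S+) from ")

def _entry(req_id, app, message, level):
    # One owncloud.log line: a JSON object per line, as in the issue's log excerpt.
    return json.dumps({"reqId": req_id, "remoteAddr": "10.0.0.5", "app": app,
                       "message": message, "level": level, "time": "2016-04-11T18:16:19+01:00"})
# Constructed sample log modelled on the issue's excerpt (reqIds, users, addresses made up).
# As in the real log, the exception message is a second JSON document inside the outer one.
_EXC = "Exception: " + json.dumps({"Exception": KEY_MISSING, "Code": 0, "Line": 78,
    "Message": "Private Key missing for user: please try to log-out and log-in again",
    "File": "/owncloud/apps/encryption/lib/session.php"})
SAMPLE_LOG = "\n".join([
    _entry("req-A", "files_skeleton", "copying skeleton for alice from /owncloud/core/skeleton to /alice/files/", 0),
    _entry("req-A", "handleLogin", _EXC, 3),   # new user's first SSO login: the case in this issue
    _entry("req-B", "files_skeleton", "copying skeleton for bob from /owncloud/core/skeleton to /bob/files/", 0),
    _entry("req-C", "handleLogin", _EXC, 3),   # existing user with a stale session: needs a re-login
    "not json at all",                         # corrupt line the parser must skip, not crash on
])

def parse_log(text):
    """Yield one dict per parseable line; blank or corrupt lines are skipped."""
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def exception_class(entry):
    """Exception class from an 'Exception: {...}' message, or None if absent/unparseable."""
    msg = entry.get("message", "")
    if not msg.startswith("Exception: "):
        return None
    try:
        return json.loads(msg[len("Exception: "):]).get("Exception")
    except (json.JSONDecodeError, AttributeError):
        return None

def first_login_key_failures(text):
    """Map reqId -> user for requests that created a new home (files_skeleton copy) and then
    raised PrivateKeyMissingException. Key failures without a skeleton copy are not reported."""
    new_users, failed = {}, set()
    for entry in parse_log(text):
        rid = entry.get("reqId")
        if entry.get("app") == "files_skeleton":
            m = SKELETON_RE.match(entry.get("message", ""))
            if m:
                new_users[rid] = m.group(1)
        if exception_class(entry) == KEY_MISSING:
            failed.add(rid)
    return {rid: user for rid, user in new_users.items() if rid in failed}
```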

@GitHubUser4234 GitHubUser4234 changed the title from SSO + masterkey encryption issue for new users to SSO + masterkey encryption bug for new users Apr 22, 2016
@GitHubUser4234 GitHubUser4234 changed the title from SSO + masterkey encryption bug for new users to SSO + masterkey encryption issue for new users Apr 22, 2016
@PVince81
Collaborator

@schiesbn can you have a look ?

Looks like it's expecting a user's private key even in master key mode ?
Can you check whether your recent PR related to master key would fix this ?

@PVince81 PVince81 added this to the 8.2.5-next-maintenance milestone Apr 25, 2016
@butonic
Member
butonic commented Apr 25, 2016

related to SSO

@butonic butonic added the blue-ticket label Apr 25, 2016
@schiessle
Member

After enabling the master key the user needs to re-login in order to initialize the master key for the session.

That's why this solves the issue:

  1. Delete browser cookies & close browser.
  2. Access ownCloud, e.g. http://xxxxxxxxxx/owncloud/ , it is successful.

Once #18410 is fixed we can invalidate all sessions after encryption was enabled and enforce a re-login.

@GitHubUser4234

@schiesbn: Thanks for the reply. Not sure whether I understand correctly: OK, a fix for #18410 would force existing users to re-login, but what about new users that are created after encryption was enabled, e.g. like in this issue? Would the internal error still show? Thanks :)

@PVince81 PVince81 referenced this issue in owncloud/QA Apr 25, 2016
Open

Encryption master key + SSO #54

@PVince81
Collaborator

I'd expect users created after that to work properly. If it doesn't, the encryption code needs to be fixed to not bother about user keys in master key mode.

@schiessle
Member
schiessle commented Apr 26, 2016 edited

For new users a key should be written to the session as soon as the user logs in and a new session gets created. Therefore the login hooks need to be triggered on login, but I assume that this happens for all SSO back-ends... Can someone with access to such back-ends verify this? Maybe @butonic ? Thanks!

@PVince81
Collaborator

@davitol can you help reproducing this issue ?

@davitol
Contributor
davitol commented Apr 26, 2016

@PVince81 I'm just talking with @schiesbn about it

@schiessle
Member

Thanks to @davitol I could test it with a SSO system (Shibboleth) but couldn't reproduce it. What we tried:

  • set up an ownCloud + enable encryption with master key
  • create new SSO user
  • login as new SSO user and try to write/read files

Everything worked fine.

What user back-end do you use for SSO?

@butonic
Member
butonic commented Apr 26, 2016

In the initial app there is a link to a demo sso app.

@butonic
Member
butonic commented Apr 26, 2016

technically they all work the same and with #23903 users home dirs are now initialized properly. Try with and without that patch.

@GitHubUser4234
GitHubUser4234 commented Apr 26, 2016 edited

@schiesbn : As @butonic suggested, I strongly recommend using the IApacheBackend for testing. It has its own dedicated methods like loginWithApache() in core/lib/private/user.php etc. and might therefore produce a different result.

Here again a link to the testing app

@schiessle
Member
schiessle commented Apr 29, 2016 edited

@GitHubUser4234 I will give it a try and see if I can reproduce it with this one. Still would be good to know what you use for SSO? Is it something you wrote yourself or something provided and supported by us?

@GitHubUser4234
GitHubUser4234 commented Apr 29, 2016 edited

@schiesbn : Great! 👍 Well, the SSO is based on client certificate authentication. When the Apache web server has verified the client's certificate, the user is logged in to ownCloud automatically. The automatic login functionality is a feature supported by ownCloud's IApacheBackend API.

However, the testing app above doesn't contain any logic for client authentication, it's just the simplest IApacheBackend implementation possible to facilitate reproducing the problem.

@PVince81
Collaborator

CC @ChristophWurst I heard you were looking into apache auth stuff

@schiessle
Member

That's good to know! If I can't reproduce it today, maybe we can have a look together on Monday, @ChristophWurst .... But maybe it is all already solved by Monday 😉

@schiessle
Member

I think it is obvious that it fails with your app. You just always return 'true' for isSessionActive() and then of course there is no session, and if there is no session there can't be a private key. If, during login, the ownCloud login hooks are triggered, a session gets created and ownCloud copies the private key to the session. But this is something which never happens with your test plugin.

@schiessle
Member

But I'm not really familiar with the IApacheBackend. I see that it was written by @DeepDiver1975. Maybe you can bring some light into this? How is it supposed to work? I don't see a method which could be used to trigger the login hooks.

@schiessle
Member
schiessle commented Apr 29, 2016 edited

It would probably be a bad idea to do it in isSessionActive() https://github.com/owncloud/core/blob/master/lib/public/authentication/iapachebackend.php#L46 because then we would execute it on every request! But where else?

@GitHubUser4234
GitHubUser4234 commented Apr 29, 2016 edited

I think it is obvious that it fails with your app. You just always return 'true' for isSessionActive() and then of course there is no session and if there is no session there can't be a private key.

This statement doesn't seem valid. When isSessionActive() is true, ownCloud establishes a session. And it actually works properly, even when encryption/masterkeys is enabled; it just doesn't work with the combination of new users + encryption/masterkeys enabled.

@schiessle
Member

Ok, it seems like I can reproduce it to some extent. But I get different error messages. In the log files I see nothing. In the browser I get

Internal Server Error
The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
More details can be found in the server log.

Technical details
Remote Address: 127.0.0.1
Request ID: tsgIjeSrp4alMe0gIvpr

But I also stepped through this with the debugger. The login hooks are called correctly and the encryption keys get initialized without an error. The error only happens after the redirect to the files view. Will check if I can find out more.

@schiessle
Member
schiessle commented May 2, 2016 edited

Just tried it without encryption and there I get exactly the same error. So I'm not sure if this is really related to encryption. Btw, your workaround "Delete browser cookies & close browser" also doesn't work for me.

@GitHubUser4234 do you have any chance to debug this? Any chance to check if this method gets called: https://github.com/owncloud/core/blob/master/apps/encryption/hooks/userhooks.php#L154 and that in $this->keyManager->init( the master key is initialized correctly? In a first step I would like to understand why you get these encryption errors and why it fails on my system independently of encryption.

@GitHubUser4234

@schiesbn : Thanks for trying. You are using OC 8.2.1? I will try to debug according to your request tomorrow, I'm off today 😃

@schiessle
Member
schiessle commented May 2, 2016 edited

Yes, I tried it with 8.2.1 and followed exactly your steps. But as said, for me it also fails without encryption. Thanks for debugging it on your side!

@GitHubUser4234

@schiesbn : Maybe the patch #23903 mentioned by @butonic was not applied yet? Just a guess into the blue, but you need that to actually reproduce the encryption problem.

@GitHubUser4234

@schiesbn: I have just debugged it: the login($params) in userhooks.php doesn't get called at all when the error described in this issue occurs. As also described above, a new user can log in successfully from the second login onwards, and when the login is successful, login($params) is called and runs as expected.

Did you install the patch of #23903 yet? If not, you will encounter the bug described in #23899 which also occurs without encryption. In this case, please try again with the patch, thanks.

@schiessle
Member

Ah, sorry... I missed the patch. Let me try again 😄

@schiessle
Member
schiessle commented May 3, 2016 edited

It can be so easy if the test environment is set up correctly. See the pull request above. 😄 This should fix the issue. Can you try it? Thanks!

@GitHubUser4234

Wow, that was really easy 😄 I have applied it to lib/private/user.php (as I couldn't find a lib/private/legacy/user.php in my 8.2.1 installation?) and it works now, thanks a lot 😃

@schiessle
Member

I have applied it to lib/private/user.php (as I couldn't find a lib/private/legacy/user.php in my 8.2.1 installation?)

That's correct, we moved the file only on master. Happy to hear that it works for you! 😄

@schiessle schiessle closed this in #24410 May 4, 2016