IApacheBackend Bug

[GitHubUser4234]

A bug has been found in the IApacheBackend API on ownCloud 8.2.1 which only occurs for new users who never logged in by username/password before. It is suspected that an initial username/password login triggers crucial initializations that the IApacheBackend API doesn't. A simple testing app has been uploaded to facilitate reproducing the problem and to show in a crystal clear way that it is in fact a core bug: https://github.com/GitHubUser4234/apps/tree/master/user_dp

Steps to reproduce

1. Login as ownCloud admin.
2. Create user "dep_tester123".
3. Logout.
4. Install and enable the testing app.
5. Access ownCloud, e.g. http://xxxxxxxxxx/owncloud/ , it fails!
6. See error in ownCloud log.

The error goes away when "dep_tester123" does an initial login/logout:

1. Delete browser cookies.
2. Uninstall this app.
3. Login as "dep_tester123"
4. Logout.
5. Install and enable the testing app.
6. Access ownCloud, e.g. http://xxxxxxxxxx/owncloud/ , it is successful!
7. See that there is no more error in ownCloud log.

Server configuration

Operating system: RHEL 5

Web server: Apache 2.2

Database: MySQL

PHP version: 5.6

ownCloud version: 8.2.1

Updated from an older ownCloud or fresh install: No

[GitHubUser4234]

Thanks for the fix. I hope this is working for 9.1, as when applying it to 8.2.1, another error appears:

GUI:

In the logs:

{"reqId":"6Qcyhehckgykd0cGJJCk","remoteAddr":"xxx.xxx.xxx.xxx","app":"files_skeleton","message":"copying skeleton for dep_tester123 from /owncloud/core/skeleton to /dep_tester123/files/","level":0,"time":"2016-04-11T18:16:19+01:00","method":"GET","url":"/owncloud/index.php?redirect_url=%2Fowncloud%2Findex.php%2Fapps%2Ffiles%2F"}
{"reqId":"6Qcyhehckgykd0cGJJCk","remoteAddr":"xxx.xxx.xxx.xxx","app":"handleLogin","message":"Exception: {"Exception":"OCA\Encryption\Exceptions\PrivateKeyMissingException","Message":"Private Key missing for user: please try to log-out and log-in again","Code":0,"Trace":"#0 \/owncloud\/apps\/encryption\/lib\/keymanager.php(400): OCA\Encryption\Session->getPrivateKey()\n#1 \/owncloud\/apps\/encryption\/lib\/crypto\/encryption.php(172): OCA\Encryption\KeyManager->getFileKey('\/dep_tester123\/...', 'dep_tester123')\n#2 \/owncloud\/lib\/private\/files\/stream\/encryption.php(248): OCA\Encryption\Crypto\Encryption->begin('\/dep_tester123\/...', 'dep_tester123', 'w', Array, Array)\n#3 [internal function]: OC\Files\Stream\Encryption->stream_open('ocencryption:\/\/', 'w', 0, NULL)\n#4 \/owncloud\/lib\/private\/files\/stream\/encryption.php(188): fopen('ocencryption:\/\/', 'w', false, Resource id #537)\n#5 \/owncloud\/lib\/private\/files\/stream\/encryption.php(170): OC\Files\Stream\Encryption::wrapSource(Resource id #533, 'w', Resource id #537, 'ocencryption', 'OC\\Files\\Stream...')\n#6 \/owncloud\/lib\/private\/files\/storage\/wrapper\/encryption.php(409): OC\Files\Stream\Encryption::wrap(Resource id #533, 'files\/Documents...', '\/dep_tester123\/...', Array, 'dep_tester123', Object(OCA\Encryption\Crypto\Encryption), Object(OC\Files\Storage\Home), Object(OC\Files\Storage\Wrapper\Encryption), Object(OC\Encryption\Util), Object(OC\Encryption\File), 'w', 0, 0, 0)\n#7 \/owncloud\/lib\/private\/files\/storage\/wrapper\/wrapper.php(286): OC\Files\Storage\Wrapper\Encryption->fopen('files\/Documents...', 'w')\n#8 \/owncloud\/lib\/private\/files\/view.php(1021): OC\Files\Storage\Wrapper\Wrapper->fopen('files\/Documents...', 'w')\n#9 \/owncloud\/lib\/private\/files\/view.php(871): OC\Files\View->basicOperation('fopen', '\/dep_tester123\/...', Array, 'w')\n#10 \/owncloud\/lib\/private\/files\/node\/file.php(91): OC\Files\View->fopen('\/dep_tester123\/...', 'w')\n#11 \/owncloud\/lib\/private\/util.php(321): OC\Files\Node\File->fopen('w')\n#12 \/owncloud\/lib\/private\/util.php(318): OC_Util::copyr('\/owncloud\/apps\/encr...', Object(OC\Files\Node\Folder))\n#13 \/owncloud\/lib\/private\/util.php(299): OC_Util::copyr('\/owncloud\/apps\/encr...', Object(OC\Files\Node\Folder))\n#14 \/owncloud\/lib\/private\/files\/node\/root.php(347): OC_Util::copySkeleton('dep_tester123', Object(OC\Files\Node\Folder))\n#15 \/owncloud\/lib\/private\/server.php(617): OC\Files\Node\Root->getUserFolder('dep_tester123')\n#16 \/owncloud\/lib\/private\/user.php(293): OC\Server->getUserFolder('dep_tester123')\n#17 \/owncloud\/lib\/private\/user.php(319): OC_User::loginWithApache(Object(OCA\User_Dp\Dp))\n#18 \/owncloud\/lib\/base.php(982): OC_User::handleApacheAuth()\n#19 \/owncloud\/lib\/base.php(941): OC::tryApacheAuth()\n#20 \/owncloud\/lib\/base.php(909): OC::handleLogin()\n#21 \/owncloud\/index.php(39): OC::handleRequest()\n#22 {main}","File":"\/owncloud\/apps\/encryption\/lib\/session.php","Line":78}","level":3,"time":"2016-04-11T18:16:19+01:00","method":"GET","url":"/owncloud/index.php?redirect_url=%2Fowncloud%2Findex.php%2Fapps%2Ffiles%2F"}

More info:

The error only happens on a user's first access through the IApacheBackend, from the second access onwards it works.

[DeepDiver1975]

Singel-Sign-On and encryption don't work together - this is an unsupported scenario

[GitHubUser4234]

Sorry, that's not correct, since OC 8.2, encryption was in fact changed to support SSO:

In ownCloud 8.2 the server-side encryption has a number of changes and improvements, including:

• An option to create a master encryption key, which replaces all individual user keys. This is especially useful for single-sign on.

https://doc.owncloud.org/server/8.2/admin_manual/configuration_files/encryption_configuration.html

[DeepDiver1975]

Sorry, that's not correct, since OC 8.2, encryption was in fact changed to support SSO:

So why don't you follow the docs and configure it properly?

[GitHubUser4234]

Thanks for the allegation that I didn't. Encryption works well and should be configured correctly already.

The fact that the error only happens on a user's first access through the IApacheBackend, and works from the second access onwards, does rather point to some flaw in the initialization, don't you think?

[DeepDiver1975]

"Private Key missing for user: please try to log-out and log-in again

this error message shows that the private key does not exist.
the private key can only be created if the user is logging in with his password.
SSO has no password and as a result encryption does not work.

Encryption and SSO will only work if you use the master key - https://doc.owncloud.org/server/8.2/admin_manual/configuration_server/occ_command.html#encryption

 encryption:enable-master-key         Enable the master key. Only available
                                      for fresh installations with no existing
                                      encrypted data! There is also no way to
                                      disable it again.

[GitHubUser4234]

Yeah, I know, we have that running since January, e.g see #21598

Meaning that even with master key enabled, the error occurs.

[DeepDiver1975]

But #21598 was fixed with 8.2.3 and you say you are running 8.2.1 - so it might work once you upgrade?

[GitHubUser4234]

@DeepDiver1975 : uhm, the link was merely for demonstration purpose to show that

a) I have master key enabled since that master key related issue had been reported by me in January
b) A "private key is missing" error can in fact occur in a setting where master key is enabled

Not saying that it would fix this issue.

[GitHubUser4234]

@DeepDiver1975 : But when looking at the commit of #21612, it potentially could fix it. Let me try to patch it in, I'll report back.

[GitHubUser4234]

@DeepDiver1975 : Tried it out, unfortunately the error stays the same. It dies in /owncloud/apps/encryption/lib/keymanager.php:

$privateKey = $this->session->getPrivateKey();

[butonic]

related: #19656

[GitHubUser4234]

@DeepDiver1975 : The problem isn't fixed yet when enabling encryption. But as this is closed now without considering the outstanding problem, a new issue will be opened.

[DeepDiver1975]

The problem isn't fixed yet when enabling encryption.

this is a problem of it's own and has to be handled in an issue of it's own. THX

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.