SSO + masterkey encryption issue for new users #24182

Closed
GitHubUser4234 opened this issue Apr 22, 2016 · 31 comments · Fixed by #24410

Comments

@GitHubUser4234 (Author) commented Apr 22, 2016

As mentioned in #23899 , there is an internal error for new users logging in through SSO when masterkey encryption is enabled.

Steps to reproduce

Link to the testing app

  1. Login as ownCloud admin.
  2. Create user "dep_tester123".
  3. Logout.
  4. Install and enable the testing app.
  5. Access ownCloud, e.g. http://xxxxxxxxxx/owncloud/ , it fails with "internal error"
  6. See error in ownCloud log.

The error goes away when "dep_tester123" repeats the SSO:

  1. Delete browser cookies & close browser.
  2. Access ownCloud, e.g. http://xxxxxxxxxx/owncloud/ , it is successful.

What happens in the GUI:

What happens in the logs:

{"reqId":"6Qcyhehckgykd0cGJJCk","remoteAddr":"xxx.xxx.xxx.xxx","app":"files_skeleton","message":"copying skeleton for dep_tester123 from \/owncloud\/core\/skeleton to \/dep_tester123\/files\/","level":0,"time":"2016-04-11T18:16:19+01:00","method":"GET","url":"\/owncloud\/index.php?redirect_url=%2Fowncloud%2Findex.php%2Fapps%2Ffiles%2F"}
{"reqId":"6Qcyhehckgykd0cGJJCk","remoteAddr":"xxx.xxx.xxx.xxx","app":"handleLogin","message":"Exception: {\"Exception\":\"OCA\Encryption\Exceptions\PrivateKeyMissingException\",\"Message\":\"Private Key missing for user: please try to log-out and log-in again\",\"Code\":0,\"Trace\":\"#0 \\\/owncloud\\\/apps\\\/encryption\\\/lib\\\/keymanager.php(400): OCA\Encryption\Session->getPrivateKey()
#1 \\\/owncloud\\\/apps\\\/encryption\\\/lib\\\/crypto\\\/encryption.php(172): OCA\Encryption\KeyManager->getFileKey('\\\/dep_tester123\\\/...', 'dep_tester123')
#2 \\\/owncloud\\\/lib\\\/private\\\/files\\\/stream\\\/encryption.php(248): OCA\Encryption\Crypto\Encryption->begin('\\\/dep_tester123\\\/...', 'dep_tester123', 'w', Array, Array)
#3 [internal function]: OC\Files\Stream\Encryption->stream_open('ocencryption:\\\/\\\/', 'w', 0, NULL)
#4 \\\/owncloud\\\/lib\\\/private\\\/files\\\/stream\\\/encryption.php(188): fopen('ocencryption:\\\/\\\/', 'w', false, Resource id #537)
#5 \\\/owncloud\\\/lib\\\/private\\\/files\\\/stream\\\/encryption.php(170): OC\Files\Stream\Encryption::wrapSource(Resource id #533, 'w', Resource id #537, 'ocencryption', 'OC\\Files\\Stream...')
#6 \\\/owncloud\\\/lib\\\/private\\\/files\\\/storage\\\/wrapper\\\/encryption.php(409): OC\Files\Stream\Encryption::wrap(Resource id #533, 'files\\\/Documents...', '\\\/dep_tester123\\\/...', Array, 'dep_tester123', Object(OCA\Encryption\Crypto\Encryption), Object(OC\Files\Storage\Home), Object(OC\Files\Storage\Wrapper\Encryption), Object(OC\Encryption\Util), Object(OC\Encryption\File), 'w', 0, 0, 0)
#7 \\\/owncloud\\\/lib\\\/private\\\/files\\\/storage\\\/wrapper\\\/wrapper.php(286): OC\Files\Storage\Wrapper\Encryption->fopen('files\\\/Documents...', 'w')
#8 \\\/owncloud\\\/lib\\\/private\\\/files\\\/view.php(1021): OC\Files\Storage\Wrapper\Wrapper->fopen('files\\\/Documents...', 'w')
#9 \\\/owncloud\\\/lib\\\/private\\\/files\\\/view.php(871): OC\Files\View->basicOperation('fopen', '\\\/dep_tester123\\\/...', Array, 'w')
#10 \\\/owncloud\\\/lib\\\/private\\\/files\\\/node\\\/file.php(91): OC\Files\View->fopen('\\\/dep_tester123\\\/...', 'w')
#11 \\\/owncloud\\\/lib\\\/private\\\/util.php(321): OC\Files\Node\File->fopen('w')
#12 \\\/owncloud\\\/lib\\\/private\\\/util.php(318): OC_Util::copyr('\\\/owncloud\\\/apps\\\/encr...', Object(OC\Files\Node\Folder))
#13 \\\/owncloud\\\/lib\\\/private\\\/util.php(299): OC_Util::copyr('\\\/owncloud\\\/apps\\\/encr...', Object(OC\Files\Node\Folder))
#14 \\\/owncloud\\\/lib\\\/private\\\/files\\\/node\\\/root.php(347): OC_Util::copySkeleton('dep_tester123', Object(OC\Files\Node\Folder))
#15 \\\/owncloud\\\/lib\\\/private\\\/server.php(617): OC\Files\Node\Root->getUserFolder('dep_tester123')
#16 \\\/owncloud\\\/lib\\\/private\\\/user.php(293): OC\Server->getUserFolder('dep_tester123')
#17 \\\/owncloud\\\/lib\\\/private\\\/user.php(319): OC_User::loginWithApache(Object(OCA\User_Dp\Dp))
#18 \\\/owncloud\\\/lib\\\/base.php(982): OC_User::handleApacheAuth()
#19 \\\/owncloud\\\/lib\\\/base.php(941): OC::tryApacheAuth()
#20 \\\/owncloud\\\/lib\\\/base.php(909): OC::handleLogin()
#21 \\\/owncloud\\\/index.php(39): OC::handleRequest()
#22 {main}\",\"File\":\"\\\/owncloud\\\/apps\\\/encryption\\\/lib\\\/session.php\",\"Line\":78}","level":3,"time":"2016-04-11T18:16:19+01:00","method":"GET","url":"\/owncloud\/index.php?redirect_url=%2Fowncloud%2Findex.php%2Fapps%2Ffiles%2F"}

Server configuration

Operating system: RHEL 5

Web server: Apache 2.2

Database: MySQL

PHP version: 5.6

ownCloud version: 8.2.1

Updated from an older ownCloud or fresh install: No

@PVince81 (Contributor)

@schiesbn can you have a look?

Looks like it's expecting a user's private key even in master key mode?
Can you check whether your recent PR related to master key would fix this?

@PVince81 PVince81 added this to the 8.2.5-next-maintenance milestone Apr 25, 2016
@butonic (Member) commented Apr 25, 2016

related to SSO

@schiessle (Contributor)

After enabling the master key the user needs to re-login in order to initialize the master key for the session.

That's why this solves the issue:

  1. Delete browser cookies & close browser.
  2. Access ownCloud, e.g. http://xxxxxxxxxx/owncloud/ , it is successful.

Once #18410 is fixed we can invalidate all sessions after encryption was enabled and enforce a re-login.

@GitHubUser4234 (Author)

@schiesbn: Thanks for the reply. Not sure whether I understand correctly; OK, a fix for #18410 would force existing users to re-login, but how about new users that are created after encryption was enabled, e.g. like in this issue? Would the internal error still show? Thanks :)

@PVince81 (Contributor)

I'd expect users created after that to work properly. If it doesn't, the encryption code needs to be fixed to not bother about user keys in master key mode.

@schiessle (Contributor) commented Apr 26, 2016

For new users a key should be written to the session as soon as the user logs in and a new session gets created. Therefore the login hooks need to be triggered on login, but I assume that this happens for all SSO back-ends... Can someone with access to such back-ends verify this? Maybe @butonic? Thanks!

@PVince81 (Contributor)

@davitol can you help reproducing this issue?

@davitol (Contributor) commented Apr 26, 2016

@PVince81 I'm just talking with @schiesbn about it

@schiessle (Contributor)

Thanks to @davitol I could test it with an SSO system (Shibboleth) but couldn't reproduce it. What we tried:

  • set up an ownCloud + enable encryption with master key
  • create new SSO user
  • login as new SSO user and try to write/read files

Everything worked fine.

What user back-end do you use for SSO?

@butonic (Member) commented Apr 26, 2016

In the initial app there is a link to a demo sso app.

@butonic (Member) commented Apr 26, 2016

Technically they all work the same, and with #23903 users' home dirs are now initialized properly. Try with and without that patch.

@GitHubUser4234 (Author) commented Apr 26, 2016

@schiesbn: As @butonic suggested, I strongly recommend using the IApacheBackend for testing. It has its own dedicated methods like loginWithApache() in core/lib/private/user.php etc. and might therefore produce a different result.

Here again a link to the testing app

@schiessle (Contributor) commented Apr 29, 2016

@GitHubUser4234 I will give it a try and see if I can reproduce it with this one. It would still be good to know what you use for SSO. Is it something you wrote yourself or something provided and supported by us?

@GitHubUser4234 (Author) commented Apr 29, 2016

@schiesbn: Great! 👍 Well, the SSO is based on client certificate authentication. When the Apache web server has verified the client's certificate, the user is automatically logged in to ownCloud. The automatic login functionality is a feature supported by ownCloud's IApacheBackend API.

However, the testing app above doesn't contain any logic for client authentication; it is just the simplest IApacheBackend implementation possible to facilitate reproducing the problem.
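As an added illustration of the setup this comment describes (this is not the issue's testing app, nor ownCloud's own code), the sketch below is an IApacheBackend that reports an active session only when Apache's mod_ssl actually verified a client certificate on the request, instead of unconditionally returning true as the minimal testing app does. The interface and method names (OCP\Authentication\IApacheBackend with isSessionActive/getLogoutAttribute/getCurrentUserId, OCP\UserInterface, OC_User::useBackend, OC_Helper::linkTo) are from ownCloud 8.x as I recall them and are assumptions, as is deriving the user id from the certificate CN; SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN are the standard mod_ssl environment variables and are only present when StdEnvVars are exported.

```php
<?php
// Added example, not the issue's testing app or ownCloud's own code.
// Assumes the ownCloud 8.x interfaces OCP\Authentication\IApacheBackend
// (isSessionActive, getLogoutAttribute, getCurrentUserId) and OCP\UserInterface.
namespace OCA\CertSso;

use OCP\Authentication\IApacheBackend;
use OCP\UserInterface;

class CertBackend implements IApacheBackend, UserInterface {

    /**
     * Return the CN of the client certificate, but only when mod_ssl
     * reports that the certificate chain was actually verified.
     * Returning null here is what prevents a request without a valid
     * certificate from being treated as an authenticated session.
     */
    private function verifiedUserFromCert() {
        if (!isset($_SERVER['SSL_CLIENT_VERIFY']) || $_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
            return null;
        }
        $cn = isset($_SERVER['SSL_CLIENT_S_DN_CN']) ? $_SERVER['SSL_CLIENT_S_DN_CN'] : '';
        // Restrict the uid to a conservative character set so a crafted CN
        // cannot become an unexpected path component under the data directory.
        if (!preg_match('/^[a-zA-Z0-9_.@-]{1,64}$/', $cn)) {
            return null;
        }
        return $cn;
    }

    /** Active only when Apache verified a certificate on this request. */
    public function isSessionActive() {
        return $this->verifiedUserFromCert() !== null;
    }

    /** Attribute for the logout link; assumed core logout URL, no SSO session to end. */
    public function getLogoutAttribute() {
        return 'href="' . \OC_Helper::linkTo('', 'index.php') . '?logout=true"';
    }

    public function getCurrentUserId() {
        $uid = $this->verifiedUserFromCert();
        return $uid === null ? '' : $uid;
    }

    // ---- OCP\UserInterface: read-only backend, no password or user management ----
    public function implementsActions($actions) {
        return false;
    }
    public function deleteUser($uid) {
        return false;
    }
    public function getUsers($search = '', $limit = null, $offset = null) {
        return array();
    }
    public function userExists($uid) {
        return $uid !== '' && $uid === $this->verifiedUserFromCert();
    }
    public function getDisplayName($uid) {
        return $uid;
    }
    public function getDisplayNames($search = '', $limit = null, $offset = null) {
        return array();
    }
    public function hasUserListings() {
        return false;
    }
}

// Registration in the app's appinfo/app.php (assumed ownCloud 8.x API):
// \OC_User::useBackend(new \OCA\CertSso\CertBackend());
```

The point of tying isSessionActive() to SSL_CLIENT_VERIFY rather than returning a constant is that the backend's answer then mirrors what Apache actually checked; whether core fires the encryption login hooks for a brand-new user on that first request is a separate question, which is what the rest of this thread tracks down.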

@PVince81 (Contributor)

CC @ChristophWurst I heard you were looking into apache auth stuff

@schiessle (Contributor)

That's good to know! If I can't reproduce it today, maybe we can have a look together on Monday, @ChristophWurst .... But maybe it is all already solved by Monday 😉

@schiessle (Contributor)

I think it is obvious that it fails with your app. You just always return 'true' for isSessionActive() and then of course there is no session, and if there is no session there can't be a private key. If, during login, the ownCloud login hooks are triggered, a session gets created and ownCloud copies the private key to the session. But this is something that never happens with your test plugin.

@schiessle (Contributor)

But I'm not really familiar with the IApacheBackend. I see that it was written by @DeepDiver1975. Maybe you can bring some light into this? How is it supposed to work? I don't see a method which could be used to trigger the login hooks.

@schiessle (Contributor) commented Apr 29, 2016

It would probably be a bad idea to do it in isSessionActive() https://github.com/owncloud/core/blob/master/lib/public/authentication/iapachebackend.php#L46 because then we would execute it on every request! But where else?

@GitHubUser4234 (Author) commented Apr 29, 2016

I think it is obvious that it fails with your app. You just always return 'true' for isSessionActive() and then of course there is no session and if there is no session there can't be a private key.

This statement doesn't seem valid. When isSessionActive() is true, ownCloud establishes a session. And it actually works properly, even when encryption/masterkeys is enabled; it just doesn't work with the combination of new users + encryption/masterkeys enabled.

@schiessle (Contributor)

Ok, seems like I can reproduce it to some extent. But I get different error messages. In the log files I see nothing. In the browser I get

Internal Server Error
The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
More details can be found in the server log.

Technical details
Remote Address: 127.0.0.1
Request ID: tsgIjeSrp4alMe0gIvpr

But I also stepped through this with the debugger. The login hooks are called correctly and the encryption keys get initialized without an error. The error only happens after the redirect to the files view. Will check if I can find out more.

@schiessle (Contributor) commented May 2, 2016

Just tried it without encryption and there I get exactly the same error. So I'm not sure if this is really related to encryption. Btw, also your workaround "Delete browser cookies & close browser" doesn't work for me.

@GitHubUser4234 do you have any chance to debug this? Any chance to check if this method gets called: https://github.com/owncloud/core/blob/master/apps/encryption/hooks/userhooks.php#L154 and that in $this->keyManager->init( the master key is initialized correctly? In a first step I would like to understand why you get these encryption errors and why it fails on my system independent from encryption.

@GitHubUser4234 (Author)

@schiesbn : Thanks for trying. You are using OC 8.2.1? I will try to debug according to your request tomorrow, I'm off today 😃

@schiessle (Contributor) commented May 2, 2016

Yes, I tried it with 8.2.1 and followed exactly your steps. But as said, for me it also fails without encryption. Thanks for debugging it on your side!

@GitHubUser4234 (Author)

@schiesbn : Maybe the patch #23903 mentioned by @butonic was not applied yet? Just a guess into the blue, but you need that to actually reproduce the encryption problem.

@GitHubUser4234 (Author)

@schiesbn: I have just debugged it, the login($params) in userhooks.php doesn't get called at all when the error described in this issue occurs. As also described above, a new user can login successfully from the second login onwards, and when the login is successful, login($params) is called and runs as expected.

Did you install the patch of #23903 yet? If not, you will encounter the bug described in #23899 which also occurs without encryption. In this case, please try again with the patch, thanks.

@schiessle (Contributor)

Ah, sorry... I missed the patch. Let me try again 😄

@schiessle (Contributor) commented May 3, 2016

It can be so easy, if the test environment is set up correctly. See the pull request above. 😄 This should fix the issue. Can you try it? Thanks!

@GitHubUser4234 (Author)

Wow that was really easy 😄 I have applied it to lib/private/user.php (as I couldn't find a lib/private/legacy/user.php in my 8.2.1 installation?) and it works now, thanks a lot 😃

@schiessle (Contributor)

I have applied it to lib/private/user.php (as I couldn't find a lib/private/legacy/user.php in my 8.2.1 installation?)

That's correct, we moved the file only on master. Happy to hear that it works for you! 😄
