js re-encryption bug fixes

appinfo/routes.php

@@ -58,14 +58,17 @@
         ['name' => 'share#getPendingRequests', 'url' => '/api/v2/sharing/pending', 'verb' => 'GET'],
         ['name' => 'share#deleteShareRequest', 'url' => '/api/v2/sharing/decline/{share_request_id}', 'verb' => 'DELETE'],
         ['name' => 'share#getVaultItems', 'url' => '/api/v2/sharing/vault/{vault_guid}/get', 'verb' => 'GET'],
+        ['name' => 'share#getVaultAclEntries', 'url' => '/api/v2/sharing/vault/{vault_guid}/acl', 'verb' => 'GET'],
         ['name' => 'share#createPublicShare', 'url' => '/api/v2/sharing/public', 'verb' => 'POST'],
         ['name' => 'share#getPublicCredentialData', 'url' => '/api/v2/sharing/credential/{credential_guid}/public', 'verb' => 'GET'],
         ['name' => 'share#unshareCredential', 'url' => '/api/v2/sharing/credential/{item_guid}', 'verb' => 'DELETE'],
         ['name' => 'share#unshareCredentialFromUser', 'url' => '/api/v2/sharing/credential/{item_guid}/{user_id}', 'verb' => 'DELETE'],
         ['name' => 'share#getRevisions', 'url' => '/api/v2/sharing/credential/{item_guid}/revisions', 'verb' => 'GET'],
         ['name' => 'share#getItemAcl', 'url' => '/api/v2/sharing/credential/{item_guid}/acl', 'verb' => 'GET'],
+		['name' => 'share#uploadFile', 'url' => '/api/v2/sharing/credential/{item_guid}/file', 'verb' => 'POST'],
         ['name' => 'share#getFile', 'url' => '/api/v2/sharing/credential/{item_guid}/file/{file_guid}', 'verb' => 'GET'],
         ['name' => 'share#updateSharedCredentialACL', 'url' => '/api/v2/sharing/credential/{item_guid}/acl', 'verb' => 'PATCH'],
+        ['name' => 'share#updateSharedCredentialACLSharedKey', 'url' => '/api/v2/sharing/credential/{item_guid}/acl/shared_key', 'verb' => 'PATCH'],
 		['name' => 'internal#getAppVersion', 'url' => '/api/v2/version', 'verb' => 'GET'],
 
 		//Settings

controller/filecontroller.php

@@ -93,6 +93,10 @@ public function deleteFiles($file_ids) {
 		return new JSONResponse(array('ok' => empty($failed_file_ids), 'failed' => $failed_file_ids));
 	}
 
+	/**
+	 * @NoAdminRequired
+	 * @NoCSRFRequired
+	 */
 	public function updateFile($file_id, $file_data, $filename) {
 		try {
 			$file = $this->fileService->getFile($file_id, $this->userId);

controller/sharecontroller.php

@@ -368,6 +368,20 @@ public function getVaultItems($vault_guid) {
 		}
 	}
 
+	/**
+	 * Obtains the list of acl entries for credentials shared with this vault
+	 *
+	 * @NoAdminRequired
+	 * @NoCSRFRequired
+	 */
+	public function getVaultAclEntries($vault_guid) {
+		try {
+			return new JSONResponse($this->shareService->getVaultAclList($this->userId->getUID(), $vault_guid));
+		} catch (\Exception $ex) {
+			return new NotFoundResponse();
+		}
+	}
+
 	/**
 	 * @param $share_request_id
 	 * @return JSONResponse
@@ -476,13 +490,55 @@ public function getFile($item_guid, $file_guid) {
 		} catch (\Exception $e) {
 			return new NotFoundJSONResponse();
 		}
+
+		// $this->userId does not exist for anonymous share link downloads
 		$userId = ($this->userId) ? $this->userId->getUID() : null;
 		$acl = $this->shareService->getACL($userId, $credential->getGuid());
-		if (!$acl->hasPermission(SharingACL::FILES)) {
+
+		if ($acl->hasPermission(SharingACL::FILES)) {
+		    // get file by guid and check if it is owned by the owner of the shared credential
+			return $this->fileService->getFileByGuid($file_guid, $credential->getUserId());
+		}
+
+		return new NotFoundJSONResponse();
+	}
+
+	/**
+	 * @param $item_guid
+	 * @param $data
+	 * @param $filename
+	 * @param $mimetype
+	 * @param $size
+	 * @return DataResponse|NotFoundJSONResponse|JSONResponse
+	 * @throws \Exception
+	 * @NoAdminRequired
+	 * @NoCSRFRequired
+	 */
+	public function uploadFile($item_guid, $data, $filename, $mimetype, $size) {
+		try {
+			$credential = $this->credentialService->getCredentialByGUID($item_guid);
+		} catch (\Exception $e) {
 			return new NotFoundJSONResponse();
-		} else {
-			return $this->fileService->getFileByGuid($file_guid);
 		}
+
+		// only check acl, if the uploading user is not the credential owner
+		if ($credential->getUserId() != $this->userId->getUID()) {
+			$acl = $this->shareService->getACL($this->userId->getUID(), $credential->getGuid());
+			if (!$acl->hasPermission(SharingACL::FILES)) {
+				return new DataResponse(['msg' => 'Not authorized'], Http::STATUS_UNAUTHORIZED);
+			}
+		}
+
+		$file = array(
+			'filename' => $filename,
+			'size' => $size,
+			'mimetype' => $mimetype,
+			'file_data' => $data,
+			'user_id' => $credential->getUserId()
+		);
+
+		// save the file with the id of the user that owns the credential
+		return new JSONResponse($this->fileService->createFile($file, $credential->getUserId()));
 	}
 
 	/**
@@ -515,4 +571,18 @@ public function updateSharedCredentialACL($item_guid, $user_id, $permission) {
 
 		}
 	}
+
+	/**
+	 * @param $item_guid
+	 * @param $shared_key
+	 * @return JSONResponse
+	 * @NoAdminRequired
+	 * @NoCSRFRequired
+	 */
+	public function updateSharedCredentialACLSharedKey($item_guid, $shared_key) {
+		/** @var SharingACL $acl */
+		$acl = $this->shareService->getACL($this->userId->getUID(), $item_guid);
+		$acl->setSharedKey($shared_key);
+		return new JSONResponse($this->shareService->updateCredentialACL($acl)->jsonSerialize());
+	}
 }

controller/translationcontroller.php

@@ -58,6 +58,7 @@ public function getLanguageStrings() {
 			'credential.recovered' => $this->trans->t('Credential recovered'),
 			'credential.destroyed' => $this->trans->t('Credential destroyed'),
 			'error.loading.file.perm' => $this->trans->t('Error downloading file, you probably have insufficient permissions'),
+			'error.general' => $this->trans->t('An error occurred'),
 
 			// js/app/controllers/edit_credential.js
 			'invalid.qr' => $this->trans->t('Invalid QR code'),

js/app/controllers/credential.js

@@ -72,20 +72,18 @@
 							try {
 								if (!_credential.shared_key) {
 									_credential = CredentialService.decryptCredential(angular.copy(_credential));
-
 								} else {
 									var enc_key = EncryptService.decryptString(_credential.shared_key);
 									_credential = ShareService.decryptSharedCredential(angular.copy(_credential), enc_key);
 								}
 								_credential.tags_raw = _credential.tags;
 							} catch (e) {
-
 								NotificationService.showNotification($translate.instant('error.decrypt'), 5000);
+								console.error(e);
 								//$rootScope.$broadcast('logout');
 								//SettingsService.setSetting('defaultVaultPass', null);
 								//.setSetting('defaultVault', null);
 								//$location.path('/')
-
 							}
 							_credentials[i] = _credential;
 						}
@@ -181,10 +179,10 @@
 
 					private_key = ShareService.rsaPrivateKeyFromPEM(private_key);
 					/** global: forge */
-					crypted_shared_key = private_key.decrypt(forge.util.decode64(crypted_shared_key));
-					crypted_shared_key = EncryptService.encryptString(crypted_shared_key);
+					const decrypted_shared_key = private_key.decrypt(forge.util.decode64(crypted_shared_key));
+					const vault_key_encrypted_shared_key = EncryptService.encryptString(decrypted_shared_key);
 
-					ShareService.saveSharingRequest(share_request, crypted_shared_key).then(function () {
+					ShareService.saveSharingRequest(share_request, vault_key_encrypted_shared_key).then(function () {
 						var idx = $scope.incoming_share_requests.indexOf(share_request);
 						$scope.incoming_share_requests.splice(idx, 1);
 						var active_share_requests = false;
@@ -261,54 +259,62 @@
 				};
 
 				var notification;
-				$scope.deleteCredential = function (credential) {
-					var _credential = angular.copy(credential);
-					try {
-						_credential = CredentialService.decryptCredential(_credential);
-					} catch (e) {
-
-					}
+				$scope.deleteCredential = function (decrypted_credential) {
+					let _credential = angular.copy(decrypted_credential);
 					_credential.delete_time = new Date().getTime() / 1000;
-					for (var i = 0; i < $scope.active_vault.credentials.length; i++) {
-						if ($scope.active_vault.credentials[i].credential_id === credential.credential_id) {
-							$scope.active_vault.credentials[i].delete_time = _credential.delete_time;
-						}
-					}
+
 					$scope.closeSelected();
 					if (notification) {
 						NotificationService.hideNotification(notification);
 					}
-					var key = CredentialService.getSharedKeyFromCredential(_credential);
-					CredentialService.updateCredential(_credential, false, key).then(function () {
+
+					const key = CredentialService.getSharedKeyFromCredential(_credential);
+					CredentialService.updateCredential(_credential, false, key).then(function (response) {
+						decrypted_credential.delete_time = _credential.delete_time;
+						for (let i = 0; i < $scope.active_vault.credentials.length; i++) {
+							if ($scope.active_vault.credentials[i].credential_id === _credential.credential_id) {
+								$scope.active_vault.credentials[i].delete_time = _credential.delete_time;
+							}
+						}
 						notification = NotificationService.showNotification($translate.instant('credential.deleted'), 5000);
+					}, function (error) {
+						if (error.data.msg) {
+							NotificationService.showNotification(error.data.msg, 5000);
+						} else {
+							NotificationService.showNotification($translate.instant('error.general'), 5000);
+						}
 					});
 				};
 
-				$scope.recoverCredential = function (credential) {
-					var _credential = angular.copy(credential);
-					try {
-						_credential = CredentialService.decryptCredential(_credential);
-					} catch (e) {
-
-					}
-					for (var i = 0; i < $scope.active_vault.credentials.length; i++) {
-						if ($scope.active_vault.credentials[i].credential_id === credential.credential_id) {
-							$scope.active_vault.credentials[i].delete_time = 0;
-						}
-					}
+				$scope.recoverCredential = function (decrypted_credential) {
+					let _credential = angular.copy(decrypted_credential);
 					_credential.delete_time = 0;
+
 					$scope.closeSelected();
 					if (notification) {
 						NotificationService.hideNotification(notification);
 					}
-					var key = CredentialService.getSharedKeyFromCredential(_credential);
-					CredentialService.updateCredential(_credential, false, key).then(function () {
+
+					const key = CredentialService.getSharedKeyFromCredential(_credential);
+					CredentialService.updateCredential(_credential, false, key).then(function (response) {
+						decrypted_credential.delete_time = 0;
+						for (let i = 0; i < $scope.active_vault.credentials.length; i++) {
+							if ($scope.active_vault.credentials[i].credential_id === _credential.credential_id) {
+								$scope.active_vault.credentials[i].delete_time = 0;
+							}
+						}
 						NotificationService.showNotification($translate.instant('credential.recovered'), 5000);
+					}, function (error) {
+						if (error.data.msg) {
+							NotificationService.showNotification(error.data.msg, 5000);
+						} else {
+							NotificationService.showNotification($translate.instant('error.general'), 5000);
+						}
 					});
 				};
 
 				$scope.destroyCredential = function (credential) {
-					var _credential = angular.copy(credential);
+					const _credential = angular.copy(credential);
 					CredentialService.destroyCredential(_credential.guid).then(function () {
 						for (var i = 0; i < $scope.active_vault.credentials.length; i++) {
 							if ($scope.active_vault.credentials[i].credential_id === credential.credential_id) {
@@ -317,6 +323,12 @@
 								break;
 							}
 						}
+					}, function (error) {
+						if (error.data.msg) {
+							NotificationService.showNotification(error.data.msg, 5000);
+						} else {
+							NotificationService.showNotification($translate.instant('error.general'), 5000);
+						}
 					});
 				};