From cf4ae6a84a67b6ddd6139640595e83161af6e5cf Mon Sep 17 00:00:00 2001
From: Varun Patil <varunpatil@ucla.edu>
Date: Mon, 21 Nov 2022 02:13:43 -0800
Subject: [PATCH] Allow server-side encryption

Close #175. Close #99. Squashed commit of the following:

commit 7c5e11dded8aff22b77bb3d01233350f86af04f4
Author: Varun Patil <varunpatil@ucla.edu>
Date:   Mon Nov 21 02:12:34 2022 -0800

    Fix lint

commit b421a6d61c1143aac38d954bee032f582b71b492
Merge: 9e91d1d 019cdd3
Author: Varun Patil <varunpatil@ucla.edu>
Date:   Mon Nov 21 02:11:37 2022 -0800

    Merge branch 'eltos-patch-99' of https://github.com/eltos/memories into eltos-eltos-patch-99

commit 019cdd31f26f974a200e35fb1188a53e9704fbc2
Author: eltos <eltos@outlook.de>
Date:   Sat Nov 19 18:32:36 2022 +0100

    Check for e2e encryption before indexing

commit 5078d986da292ef8e8363241817c9789c6aceb32
Author: eltos <eltos@outlook.de>
Date:   Sat Nov 19 18:28:57 2022 +0100

    Check for e2e encryption when changing exif data

commit 1167365f7e290b59b08edb3d340c3473ca706114
Merge: d465400 e210c32
Author: Philipp Niedermayer <eltos@outlook.de>
Date:   Sat Nov 19 15:52:58 2022 +0100

    Merge branch 'pulsejet:master' into eltos-patch-99

commit d4654009695825232fb86667f5da8a04040721ea
Author: Philipp Niedermayer <eltos@outlook.de>
Date:   Mon Nov 7 22:21:20 2022 +0100

    Allow server-side encryption

    See https://github.com/pulsejet/memories/issues/99
---
 lib/Command/Index.php              |  5 +++--
 lib/Controller/ApiBase.php         |  4 ++++
 lib/Controller/ImageController.php |  5 +++++
 lib/Util.php                       | 16 ++++++++++++++++
 4 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/lib/Command/Index.php b/lib/Command/Index.php
index 4613a970..1196e77a 100644
--- a/lib/Command/Index.php
+++ b/lib/Command/Index.php
@@ -178,8 +178,9 @@ class Index extends Command
         // Time measurement
         $startTime = microtime(true);
 
-        if ($this->encryptionManager->isEnabled()) {
-            error_log('FATAL: Encryption is enabled. Aborted.');
+        if (\OCA\Memories\Util::isEncryptionEnabled($this->encryptionManager)) {
+            // Can work with server-side but not with e2e encryption, see https://github.com/pulsejet/memories/issues/99
+            error_log('FATAL: Only server-side encryption (OC_DEFAULT_MODULE) is supported, but another encryption module is enabled. Aborted.');
 
             return 1;
         }
diff --git a/lib/Controller/ApiBase.php b/lib/Controller/ApiBase.php
index a7ea2319..7a882d30 100644
--- a/lib/Controller/ApiBase.php
+++ b/lib/Controller/ApiBase.php
@@ -32,6 +32,7 @@ use OCP\App\IAppManager;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\JSONResponse;
+use OCP\Encryption\IManager;
 use OCP\Files\File;
 use OCP\Files\Folder;
 use OCP\Files\IRootFolder;
@@ -48,6 +49,7 @@ class ApiBase extends Controller
     protected IUserSession $userSession;
     protected IRootFolder $rootFolder;
     protected IAppManager $appManager;
+    protected IManager $encryptionManager;
     protected TimelineQuery $timelineQuery;
     protected TimelineWrite $timelineWrite;
     protected IShareManager $shareManager;
@@ -60,6 +62,7 @@ class ApiBase extends Controller
         IDBConnection $connection,
         IRootFolder $rootFolder,
         IAppManager $appManager,
+        IManager $encryptionManager,
         IShareManager $shareManager,
         IPreview $preview
     ) {
@@ -70,6 +73,7 @@ class ApiBase extends Controller
         $this->connection = $connection;
         $this->rootFolder = $rootFolder;
         $this->appManager = $appManager;
+        $this->encryptionManager = $encryptionManager;
         $this->shareManager = $shareManager;
         $this->previewManager = $preview;
         $this->timelineQuery = new TimelineQuery($connection);
diff --git a/lib/Controller/ImageController.php b/lib/Controller/ImageController.php
index c6cb40bf..03d3606d 100644
--- a/lib/Controller/ImageController.php
+++ b/lib/Controller/ImageController.php
@@ -75,6 +75,11 @@ class ImageController extends ApiBase
             return new JSONResponse([], Http::STATUS_FORBIDDEN);
         }
 
+        // Check for end-to-end encryption
+        if (\OCA\Memories\Util::isEncryptionEnabled($this->encryptionManager)) {
+            return new JSONResponse(['message' => 'Cannot change encrypted file'], Http::STATUS_PRECONDITION_FAILED);
+        }
+
         // Get original file from body
         $exif = $this->request->getParam('raw');
         $path = $file->getStorage()->getLocalFile($file->getInternalPath());
diff --git a/lib/Util.php b/lib/Util.php
index 2ddd9cb6..9d7e1e1a 100644
--- a/lib/Util.php
+++ b/lib/Util.php
@@ -105,4 +105,20 @@ class Util
 
         return true;
     }
+
+    /**
+     * Check if any encryption is enabled that we can not cope with
+     * such as end-to-end encryption.
+     *
+     * @param mixed $encryptionManager
+     */
+    public static function isEncryptionEnabled(&$encryptionManager): bool
+    {
+        if ($encryptionManager->isEnabled()) {
+            // Server-side encryption (OC_DEFAULT_MODULE) is okay, others like e2e are not
+            return 'OC_DEFAULT_MODULE' !== $encryptionManager->getDefaultEncryptionModuleId();
+        }
+
+        return false;
+    }
 }