allow user to check and detect its usb token for e2e encryption

Signed-off-by: Matthieu Gallien <[email protected]>

Author: mgallien

NEXTCLOUD.cmake

@@ -80,3 +80,5 @@ endif()
 if (APPLE)
     option( BUILD_FILE_PROVIDER_MODULE "Build the macOS virtual files File Provider module" OFF )
 endif()
+
+set (CLIENTSIDEENCRYPTION_ENFORCE_USB_TOKEN true)

config.h.in

@@ -61,4 +61,6 @@
 
 #cmakedefine CFAPI_SHELL_EXTENSIONS_LIB_NAME "@CFAPI_SHELL_EXTENSIONS_LIB_NAME@"
 
+#cmakedefine CLIENTSIDEENCRYPTION_ENFORCE_USB_TOKEN @CLIENTSIDEENCRYPTION_ENFORCE_USB_TOKEN@
+
 #endif

resources.qrc

@@ -7,6 +7,7 @@
         <file>src/gui/PredefinedStatusButton.qml</file>
         <file>src/gui/BasicComboBox.qml</file>
         <file>src/gui/ErrorBox.qml</file>
+        <file>src/gui/EncryptionTokenSelectionWindow.qml</file>
         <file>src/gui/filedetails/FileActivityView.qml</file>
         <file>src/gui/filedetails/FileDetailsPage.qml</file>
         <file>src/gui/filedetails/FileDetailsView.qml</file>

src/gui/CMakeLists.txt

@@ -154,6 +154,7 @@ set(client_SRCS
     syncrunfilelog.cpp
     systray.h
     systray.cpp
+    EncryptionTokenSelectionWindow.qml
     thumbnailjob.h
     thumbnailjob.cpp
     userinfo.h

src/gui/EncryptionTokenSelectionWindow.qml

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2023 by Matthieu Gallien <[email protected]>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+import QtQuick 2.15
+import QtQuick.Layouts 1.15
+import QtQuick.Controls 2.15
+
+import com.nextcloud.desktopclient 1.0
+import Style 1.0
+
+Item {
+    id: root
+
+    required property var tokensInfo
+
+    width: 400
+    height: 600
+
+    ListView {
+        anchors.fill: parent
+
+        model: tokensInfo
+
+        delegate: ItemDelegate {
+            width: parent.width
+            text: 'hello'
+        }
+    }
+}

src/gui/accountsettings.cpp

@@ -283,6 +283,7 @@ void AccountSettings::slotE2eEncryptionMnemonicReady()
 void AccountSettings::slotE2eEncryptionGenerateKeys()
 {
     connect(_accountState->account()->e2e(), &ClientSideEncryption::initializationFinished, this, &AccountSettings::slotE2eEncryptionInitializationFinished);
+    connect(_accountState->account()->e2e(), &ClientSideEncryption::displayTokenInitDialog, this, &AccountSettings::slotDisplayTokenInitDialog);
     _accountState->account()->setE2eEncryptionKeysGenerationAllowed(true);
     _accountState->account()->setAskUserForMnemonic(true);
     _accountState->account()->e2e()->initialize(_accountState->account());
@@ -291,6 +292,7 @@ void AccountSettings::slotE2eEncryptionGenerateKeys()
 void AccountSettings::slotE2eEncryptionInitializationFinished(bool isNewMnemonicGenerated)
 {
     disconnect(_accountState->account()->e2e(), &ClientSideEncryption::initializationFinished, this, &AccountSettings::slotE2eEncryptionInitializationFinished);
+    disconnect(_accountState->account()->e2e(), &ClientSideEncryption::displayTokenInitDialog, this, &AccountSettings::slotDisplayTokenInitDialog);
     if (_accountState->account()->e2e()->isInitialized()) {
         removeActionFromEncryptionMessage(e2EeUiActionEnableEncryptionId);
         slotE2eEncryptionMnemonicReady();
@@ -301,6 +303,16 @@ void AccountSettings::slotE2eEncryptionInitializationFinished(bool isNewMnemonic
     _accountState->account()->setAskUserForMnemonic(false);
 }
 
+void AccountSettings::slotDisplayTokenInitDialog()
+{
+    disconnect(_accountState->account()->e2e(), &ClientSideEncryption::initializationFinished, this, &AccountSettings::slotE2eEncryptionInitializationFinished);
+    disconnect(_accountState->account()->e2e(), &ClientSideEncryption::displayTokenInitDialog, this, &AccountSettings::slotDisplayTokenInitDialog);
+    qCInfo(lcAccountSettings()) << "trying to find the parent window" << _parentWindow;
+    if (_parentWindow) {
+        Systray::instance()->createTokenInitDialog(_accountState->account()->e2e()->discoveredTokens(), _parentWindow);
+    }
+}
+
 void AccountSettings::slotEncryptFolderFinished(int status)
 {
     qCInfo(lcAccountSettings) << "Current folder encryption status code:" << status;
@@ -1382,6 +1394,11 @@ void AccountSettings::slotHideSelectiveSyncWidget()
     _ui->selectiveSyncLabel->hide();
 }
 
+void AccountSettings::setParentWindow(QWindow *parentWindow)
+{
+    _parentWindow = parentWindow;
+}
+
 void AccountSettings::slotSelectiveSyncChanged(const QModelIndex &topLeft,
                                                const QModelIndex &bottomRight,
                                                const QVector<int> &roles)

src/gui/accountsettings.h

@@ -58,6 +58,7 @@ class AccountSettings : public QWidget
     ~AccountSettings() override;
     [[nodiscard]] QSize sizeHint() const override { return ownCloudGui::settingsDialogSize(); }
     bool canEncryptOrDecrypt(const FolderStatusModel::SubFolderInfo* folderInfo);
+    [[nodiscard]] OCC::AccountState *accountsState() const { return _accountState; }
 
 signals:
     void folderChanged();
@@ -72,8 +73,8 @@ public slots:
     void slotUpdateQuota(qint64 total, qint64 used);
     void slotAccountStateChanged();
     void slotStyleChanged();
-    OCC::AccountState *accountsState() { return _accountState; }
     void slotHideSelectiveSyncWidget();
+    void setParentWindow(QWindow *parentWindow);
 
 protected slots:
     void slotAddFolder();
@@ -106,6 +107,7 @@ protected slots:
     void slotE2eEncryptionMnemonicReady();
     void slotE2eEncryptionGenerateKeys();
     void slotE2eEncryptionInitializationFinished(bool isNewMnemonicGenerated);
+    void slotDisplayTokenInitDialog();
     void slotEncryptFolderFinished(int status);
 
     void slotSelectiveSyncChanged(const QModelIndex &topLeft, const QModelIndex &bottomRight,
@@ -150,6 +152,8 @@ private slots:
     bool _menuShown = false;
 
     QHash<QString, QMetaObject::Connection> _folderConnections;
+
+    QWindow *_parentWindow = nullptr;
 };
 
 } // namespace OCC

src/gui/settingsdialog.cpp

@@ -137,10 +137,6 @@ SettingsDialog::SettingsDialog(ownCloudGui *gui, QWidget *parent)
     _actionGroupWidgets.insert(generalAction, generalSettings);
     _actionGroupWidgets.insert(networkAction, networkSettings);
 
-    foreach(auto ai, AccountManager::instance()->accounts()) {
-        accountAdded(ai.data());
-    }
-
     QTimer::singleShot(1, this, &SettingsDialog::showFirstPage);
 
     auto *showLogWindow = new QAction(this);
@@ -215,6 +211,10 @@ void SettingsDialog::slotSwitchPage(QAction *action)
 
 void SettingsDialog::showFirstPage()
 {
+    foreach(auto ai, AccountManager::instance()->accounts()) {
+        accountAdded(ai.data());
+    }
+
     QList<QAction *> actions = _toolBar->actions();
     if (!actions.empty()) {
         actions.first()->trigger();
@@ -247,6 +247,7 @@ void SettingsDialog::accountAdded(AccountState *s)
     QString objectName = QLatin1String("accountSettings_");
     objectName += s->account()->displayName();
     accountSettings->setObjectName(objectName);
+    accountSettings->setParentWindow(windowHandle());
     _ui->stack->insertWidget(0 , accountSettings);
 
     _actionGroup->addAction(accountAction);

src/gui/systray.cpp

@@ -34,6 +34,7 @@
 #include <QScreen>
 #include <QMenu>
 #include <QGuiApplication>
+#include <QQuickView>
 
 #ifdef USE_FDO_NOTIFICATIONS
 #include <QDBusConnection>
@@ -412,6 +413,38 @@ void Systray::createFileActivityDialog(const QString &localPath)
     Q_EMIT showFileDetailsPage(localPath, FileDetailsPage::Activity);
 }
 
+void Systray::createTokenInitDialog(const QVariantList &tokensInfo, QWindow *dialogParent)
+{
+    if(_tokenInitDialog) {
+        destroyDialog(_tokenInitDialog);
+        _tokenInitDialog = nullptr;
+    }
+
+    qCDebug(lcSystray) << "Opening new token init dialog with " << tokensInfo.size() << "possible tokens";
+
+    if (!_trayEngine) {
+        qCWarning(lcSystray) << "Could not open token init dialog as no tray engine was available";
+        return;
+    }
+
+    const QVariantMap initialProperties{
+                                        {"tokensInfo", tokensInfo},
+                                        };
+
+    const auto createdDialog = new QQuickView(_trayEngine.data(), dialogParent);
+
+    createdDialog->setInitialProperties(initialProperties);
+    createdDialog->setSource(QStringLiteral("qrc:/qml/src/gui/EncryptionTokenSelectionWindow.qml"));
+    createdDialog->setTitle(tr("Encryption Token Selector"));
+    createdDialog->setModality(Qt::ApplicationModal);
+
+    createdDialog->show();
+    createdDialog->raise();
+    createdDialog->requestActivate();
+
+    _tokenInitDialog = createdDialog;
+}
+
 void Systray::presentShareViewInTray(const QString &localPath)
 {
     const auto folder = FolderMan::instance()->folderForPath(localPath);

src/gui/systray.h

@@ -15,11 +15,11 @@
 #ifndef SYSTRAY_H
 #define SYSTRAY_H
 
-#include <QSystemTrayIcon>
-
 #include "accountmanager.h"
 #include "tray/usermodel.h"
 
+#include <QSystemTrayIcon>
+#include <QQuickImageProvider>
 #include <QQmlNetworkAccessManagerFactory>
 
 class QScreen;
@@ -145,6 +145,7 @@ public slots:
 
     void createShareDialog(const QString &localPath);
     void createFileActivityDialog(const QString &localPath);
+    void createTokenInitDialog(const QVariantList &tokensInfo, QWindow *dialogParent);
 
     void presentShareViewInTray(const QString &localPath);
 
@@ -185,6 +186,7 @@ private slots:
     QSet<qlonglong> _callsAlreadyNotified;
     QPointer<QObject> _editFileLocallyLoadingDialog;
     QVector<QQuickWindow*> _fileDetailDialogs;
+    QQuickWindow* _tokenInitDialog = nullptr;
 };
 
 } // namespace OCC

src/libsync/CMakeLists.txt

@@ -105,6 +105,8 @@ set(libsync_SRCS
     clientsideencryption.cpp
     clientsideencryptionjobs.h
     clientsideencryptionjobs.cpp
+    clientsidetokenselector.h
+    clientsidetokenselector.cpp
     datetimeprovider.h
     datetimeprovider.cpp
     ocsuserstatusconnector.h

src/libsync/account.cpp

@@ -33,6 +33,8 @@
 #include "clientsideencryption.h"
 #include "ocsuserstatusconnector.h"
 
+#include "config.h"
+
 #include <QLoggingCategory>
 #include <QNetworkReply>
 #include <QNetworkAccessManager>
@@ -1023,9 +1025,9 @@ bool Account::askUserForMnemonic() const
     return _e2eAskUserForMnemonic;
 }
 
-bool Account::useHardwareTokenEncryption() const
+bool Account::enforceUseHardwareTokenEncryption() const
 {
-    return !encryptionHardwareTokenDriverPath().isEmpty();
+    return CLIENTSIDEENCRYPTION_ENFORCE_USB_TOKEN;
 }
 
 QString Account::encryptionHardwareTokenDriverPath() const

src/libsync/account.h

@@ -88,7 +88,7 @@ class OWNCLOUDSYNC_EXPORT Account : public QObject
     Q_PROPERTY(QUrl url MEMBER _url)
     Q_PROPERTY(bool e2eEncryptionKeysGenerationAllowed MEMBER _e2eEncryptionKeysGenerationAllowed)
     Q_PROPERTY(bool askUserForMnemonic READ askUserForMnemonic WRITE setAskUserForMnemonic NOTIFY askUserForMnemonicChanged)
-    Q_PROPERTY(bool useHardwareTokenEncryption READ useHardwareTokenEncryption NOTIFY useHardwareTokenEncryptionChanged)
+    Q_PROPERTY(bool enforceUseHardwareTokenEncryption READ enforceUseHardwareTokenEncryption NOTIFY enforceUseHardwareTokenEncryptionChanged)
     Q_PROPERTY(QString encryptionHardwareTokenDriverPath READ encryptionHardwareTokenDriverPath NOTIFY encryptionHardwareTokenDriverPathChanged)
 
 public:
@@ -328,7 +328,7 @@ class OWNCLOUDSYNC_EXPORT Account : public QObject
 
     [[nodiscard]] bool askUserForMnemonic() const;
 
-    [[nodiscard]] bool useHardwareTokenEncryption() const;
+    [[nodiscard]] bool enforceUseHardwareTokenEncryption() const;
 
     [[nodiscard]] QString encryptionHardwareTokenDriverPath() const;
 
@@ -360,7 +360,7 @@ public slots:
     void accountChangedDisplayName();
     void prettyNameChanged();
     void askUserForMnemonicChanged();
-    void useHardwareTokenEncryptionChanged();
+    void enforceUseHardwareTokenEncryptionChanged();
     void encryptionHardwareTokenDriverPathChanged();
 
     /// Used in RemoteWipe

src/libsync/clientsideencryption.cpp

@@ -1012,13 +1012,22 @@ std::optional<QByteArray> decryptStringAsymmetricWithToken(ENGINE *sslEngine,
 }
 
 
-ClientSideEncryption::ClientSideEncryption() = default;
+ClientSideEncryption::ClientSideEncryption()
+{
+    connect(&_usbTokenInformation, &ClientSideTokenSelector::discoveredTokensChanged,
+            this, &ClientSideEncryption::displayTokenInitDialog);
+}
 
 bool ClientSideEncryption::isInitialized() const
 {
     return !getMnemonic().isEmpty();
 }
 
+QVariantList ClientSideEncryption::discoveredTokens() const
+{
+    return _usbTokenInformation.discoveredTokens();
+}
+
 const QSslKey &ClientSideEncryption::getPublicKey() const
 {
     return _publicKey;
@@ -1080,8 +1089,19 @@ void ClientSideEncryption::initialize(const AccountPtr &account)
         return;
     }
 
-    if (account->useHardwareTokenEncryption()) {
-        initializeHardwareTokenEncryption(account);
+    if (account->enforceUseHardwareTokenEncryption()) {
+        if (_usbTokenInformation.isSetup()) {
+            initializeHardwareTokenEncryption(account);
+        } else if (account->e2eEncryptionKeysGenerationAllowed() && account->askUserForMnemonic()) {
+            _usbTokenInformation.searchForToken(account);
+            if (_usbTokenInformation.isSetup()) {
+                initializeHardwareTokenEncryption(account);
+            } else {
+                emit initializationFinished();
+            }
+        } else {
+            emit initializationFinished();
+        }
     } else {
         fetchCertificateFromKeyChain(account);
     }

src/libsync/clientsideencryption.h

@@ -16,7 +16,9 @@
 #define CLIENTSIDEENCRYPTION_H
 
 #include "accountfwd.h"
+
 #include "networkjobs.h"
+#include "clientsidetokenselector.h"
 
 #include <QString>
 #include <QObject>
@@ -139,6 +141,10 @@ class OWNCLOUDSYNC_EXPORT ClientSideEncryption : public QObject {
 
     [[nodiscard]] bool isInitialized() const;
 
+    [[nodiscard]] bool tokenIsSetup() const;
+
+    [[nodiscard]] QVariantList discoveredTokens() const;
+
     [[nodiscard]] const QSslKey& getPublicKey() const;
 
     void setPublicKey(const QSslKey &publicKey);
@@ -166,6 +172,7 @@ class OWNCLOUDSYNC_EXPORT ClientSideEncryption : public QObject {
     void certificateDeleted();
     void mnemonicDeleted();
     void publicKeyDeleted();
+    void displayTokenInitDialog();
 
 public slots:
     void initialize(const OCC::AccountPtr &account);
@@ -248,6 +255,8 @@ private slots:
     QString _mnemonic;
     bool _newMnemonicGenerated = false;
 
+    ClientSideTokenSelector _usbTokenInformation;
+
     PKCS11_KEY* _tokenPublicKey = nullptr;
     PKCS11_KEY* _tokenPrivateKey = nullptr;
 };