[QA] 1.5.1 Testplan #263

Closed
52 of 58 tasks
jnweiger opened this issue Apr 27, 2021 · 4 comments

jnweiger commented Apr 27, 2021

'Encryption' Test Plan

Setup

Setup details
occ encryption:status
# occ app:enable encryption
# occ encryption:enable
# occ encryption:select-encryption-type masterkey --yes

Testing functionality

The top-level checkmark indicates the test was performed.
The indented checkmarks indicate the results were as expected.

  • Enable the app
    • No problems found
  • Disable and enable the app using CLI
    • No problems found
  • Master Key Encryption
    occ encryption:enable
    occ encryption:select-encryption-type masterkey --yes
    • Uploaded files via client are stored encrypted. (Inspect with xxd)
    • Uploaded files via WebUI are stored encrypted.
    • Files saved via TextEditor or Collabora are stored encrypted.
    • Files on external SFTP, WND storage are stored encrypted.
      • Test_Plan_Files_external_CLI.md:Change Mount option for an SFTP mount
        • option disable encryption is there.
        • disable for SFTP; Options in occ files_external:list has 'encrypt: false'
        • disable, and inspect files with xxd.
    • files added to the storage + occ file:scan are not encrypted. (both cases, encrypted and unencrypted external storage)
    • move file from main storage to unencrypted external storage. The file gets decrypted on disk.
    • move file from unencrypted external storage to main storage. The file gets encrypted on disk. -> [QA] moving encrypted file to unencrypted FTP storage and back causes a decrypt error #281

  • Receiving federated share folder from an unencrypted server.
    Look up your federated ID, go to [email protected], share the Photos folder with that federated ID. Visit the Shared with you page, Accept.
    • Files added locally to the received folder are not encrypted.
    • Files added locally can be read by the remote server.
  • Sending federated share folder to an unencrypted server.
    • Files added locally to the folder are encrypted.
    • Files can be cleanly read by federated servers.
    • Files added remote can be read locally.
  • Test_Plan_Federated_Sharing.md:share a file (server A), in (server B) using different oC versions both servers with encryption
    • shared file can be seen from server B
  • Test_Plan_Federated_Sharing.md:share a file with link (server A), add link to your owncloud (server B) using different O.C versions both servers with encryption
    • shared file can be seen from server B
  • Public link to folder with file drop
    • files dropped into the folder are encrypted.
  • Public link to folder with file drop in unencrypted SFTP drive
    • files dropped into the folder are not encrypted.

  • Test_Plan_Files_Transfer_Ownership.md:files:transfer-ownership with encryption enabled
    create user1 and user2 (do not use admin), prepare some shares from/to user1, then transfer all files with occ files:transfer-ownership user1 user2
    • Test_Plan_Files_Transfer_Ownership.md:Transfer from user1 to user2, both users are in group "group1". Non-decrypted encrypted files
    • The files/folders are transferred to user2 and they do not appear for user1 any longer
    • Confirm user2 can read.

  • update migration from previous core release not done. encryption 1.5.1-rc1 has min-version 10.7
Skip
  • Test_Plan_Updater.md:* Create a file, encrypt the server and create another file after the encryption.
  • latest app on previous core can encrypt files, unencrypted files remain unencrypted.
  • update to latest oc10 succeeds. unencrypted files remain unencrypted.
  • decrypt works, encrypt of new files works.
  • update migration from previous app release to current release
    • previous app release on current core can encrypt files:
      • default is binary encoding
      • unencrypted external storage remains unencrypted.
      • occ config:system:set encryption.use_legacy_encoding --type boolean --value True creates file with base64 encoding.
    • update to latest app succeeds.
    • read access of unencrypted, binary and base64 encoded files works
    • upload of unencrypted, binary and base64 encoded files works.



jnweiger commented Jun 20, 2021

Test encryption and decryption

firefox ... -> log in as administrator (needed according to https://doc.owncloud.com/server/admin_manual/configuration/server/security/hsmdaemon/#initialize-and-check-generated-keys)
grep "generated keypair" /var/log/hsm.log
{"level":"debug","ts":"2021-06-19T03:10:01.562+0200","msg":"generated keypair","tokenID":"1262668f-d09b-11eb-b283-960000c05f34"}
{"level":"debug","ts":"2021-06-19T03:10:03.043+0200","msg":"generated keypair","tokenID":"1374447f-d09b-11eb-83c8-960000c05f34"}
{"level":"debug","ts":"2021-06-19T03:10:03.710+0200","msg":"generated keypair","tokenID":"13cd3f95-d09b-11eb-83c8-960000c05f34"}
key_id=$(grep "generated keypair" /var/log/hsm.log | head -1 | jq .tokenID -r)
hello="Hello, world!"
echo "$hello" | base64
SGVsbG8sIHdvcmxkIQo=
test_enc=$(./hsmdaemon encrypt $key_id $(echo "$hello" | base64) | tee /dev/stderr)
ep6Y1aAVAYpAesZ1+sQzzUepjO82o34kjmm63Drmz+6KED4oIBARQkXeW/OoxgUg6kQhQK1thA/3Ww33aaRxIESzVQF598qjXhhEXQ/OGL6BC+3tPclC7ujUZaA7CG1NDkMneLFDd2+Tbax4OM+/w0zhfTMPgT0I1NrH/03owVglbWHjgLZmN/vxpPZKm/lyAV9tI2HW36UjVLEMD2qtPFXqjLU4YjZOVnMdETxQNSCWIVauFw0+VQQ/RiAqiXzRXEgO6YKxOBk0n9IMT6XEH4MkMQTgb9pB12jrNSa9aMHbCvCneEmhd0CHBxPX499EkxxwtoEnXe6PATXsOg3VRA==
occ encryption:hsmdaemon:decrypt --keyId $key_id "$test_enc"
decrypted string (base64 encoded): 'SGVsbG8sIHdvcmxkIQo='
tail -5 /var/log/hsm.log
{"level":"debug","ts":"2021-06-20T23:46:11.958+0200","msg":"openHSMSession","slotID":757826573}
{"level":"debug","ts":"2021-06-20T23:46:11.960+0200","msg":"created new session"}
{"level":"debug","ts":"2021-06-20T23:46:11.960+0200","msg":"Got uuid","string":"1262668f-d09b-11eb-b283-960000c05f34"}
{"level":"debug","ts":"2021-06-20T23:46:11.962+0200","msg":"found object","id":"\u0012bf\ufffdЛ\u0011벃\ufffd\u0000\u0000\ufffd_4"}
{"level":"debug","ts":"2021-06-20T23:46:11.963+0200","msg":"Decrypted"}

Observe:

  • The base64 encoded string matches before encryption and after decryption.
  • The key-id seen in the log with "generated keypair" causes no errors during encryption.
  • The key-id re-appears in the log during decryption ("Got uuid")
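
The three observations above can be checked mechanically instead of by eye. This is an added example, not part of the original comment or the project's code: the function names `write_sample_log` and `check_hsm_roundtrip` are hypothetical, the sample log is constructed, and the log layout is assumed to match the `/var/log/hsm.log` lines quoted above.

```shell
#!/bin/sh
# Added example (not project code). Assumes the JSON-lines layout of
# /var/log/hsm.log quoted in the comment above.

# write_sample_log PATH: writes a constructed sample log; the ids are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
{"level":"debug","ts":"2021-01-01T00:00:01.000+0000","msg":"generated keypair","tokenID":"aaaaaaaa-0000-0000-0000-000000000001"}
{"level":"debug","ts":"2021-01-01T00:00:02.000+0000","msg":"generated keypair","tokenID":"aaaaaaaa-0000-0000-0000-000000000002"}
{"level":"debug","ts":"2021-01-02T00:00:01.000+0000","msg":"openHSMSession","slotID":1}
{"level":"debug","ts":"2021-01-02T00:00:01.002+0000","msg":"Got uuid","string":"aaaaaaaa-0000-0000-0000-000000000001"}
{"level":"debug","ts":"2021-01-02T00:00:01.003+0000","msg":"Decrypted"}
EOF
}

# check_hsm_roundtrip LOG KEY_ID PLAIN_B64 DECRYPTED_B64
# Returns 0 if every check passes, otherwise the number of the failed check.
check_hsm_roundtrip() {
    log=$1 key_id=$2 plain_b64=$3 dec_b64=$4

    # 1. The base64 string must be identical before and after the round trip.
    [ "$plain_b64" = "$dec_b64" ] || return 1

    # 2. The key id must be one the daemon logged as "generated keypair".
    grep -F '"msg":"generated keypair"' "$log" \
        | grep -qF "\"tokenID\":\"$key_id\"" || return 2

    # 3. The same key id must re-appear in a "Got uuid" line, and
    # 4. a "Decrypted" line must follow that lookup.
    awk -v id="$key_id" '
        index($0, "\"msg\":\"Got uuid\"") && index($0, "\"string\":\"" id "\"") { seen = 1; next }
        seen && index($0, "\"msg\":\"Decrypted\"") { ok = 1 }
        END { if (!seen) exit 3; if (!ok) exit 4 }
    ' "$log"
}

# Demo on the constructed log; the base64 value is the one from the comment.
sample=$(mktemp)
write_sample_log "$sample"
check_hsm_roundtrip "$sample" aaaaaaaa-0000-0000-0000-000000000001 \
    "SGVsbG8sIHdvcmxkIQo=" "SGVsbG8sIHdvcmxkIQo=" && echo "round trip verified"
rm -f "$sample"
```

On a real system, pass `/var/log/hsm.log`, `$key_id`, the output of `echo "$hello" | base64`, and the base64 string printed by `occ encryption:hsmdaemon:decrypt`.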

@jnweiger

Migration tested from both 1.4.0 and 1.5.0 to 1.5.1-rc2.
hsmdaemon runs fine on both 1.4.0 and 1.5.0 (for basic uploads and downloads)
upgrade to 1.5.1-rc1 (still with hsmdaemon) succeeds in both cases.

@jnweiger

QA passed with defects.
IMHO no blockers: #262 (comment)

@jnweiger

Approved by PM. Shipping.
