Merge pull request #39217 from owncloud/cli-encryption

Added CLI acceptance tests for `occ` encryption command

.drone.star

@@ -191,6 +191,33 @@ config = {
             ],
             "testingRemoteSystem": False,
         },
+        "cliEncryption": {
+            "suites": [
+                "cliEncryption",
+            ],
+            "extraApps": {
+                "encryption": "composer install",
+            },
+            "testingRemoteSystem": False,
+            "extraSetup": [{
+                "name": "configure-encryption",
+                "image": "owncloudci/php:7.4",
+                "pull": "always",
+                "commands": [
+                    "php occ maintenance:singleuser --on",
+                    "php occ encryption:enable",
+                    "php occ encryption:select-encryption-type masterkey --yes",
+                    "php occ encryption:encrypt-all --yes",
+                    "php occ encryption:status",
+                    "php occ maintenance:singleuser --off",
+                ],
+            }],
+            "extraCommandsBeforeTestRun": [
+                "mkdir data/owncloud-keys",
+                "chown -R www-data data/owncloud-keys",
+                "chmod -R 0770 data/owncloud-keys",
+            ],
+        },
         "cliExternalStorage": {
             "suites": [
                 "cliExternalStorage",

tests/acceptance/config/behat.yml

@@ -692,6 +692,16 @@ default:
         - FeatureContext: *common_feature_context_params
         - OccContext:
 
+    cliEncryption:
+      paths:
+        - '%paths.base%/../features/cliEncryption'
+      context: *common_ldap_suite_context
+      contexts:
+        - FeatureContext: *common_feature_context_params
+        - OccContext:
+        - WebDavPropertiesContext:
+        - EncryptionContext:
+
     cliExternalStorage:
       paths:
         - '%paths.base%/../features/cliExternalStorage'

tests/acceptance/features/bootstrap/OccContext.php

@@ -639,6 +639,16 @@ public function theAdministratorHasInvokedOccCommand(string $cmd):void {
 		$this->theCommandShouldHaveBeenSuccessful();
 	}
 
+	/**
+	 * @Given the administrator has selected master key encryption type using the occ command
+	 *
+	 * @return void
+	 * @throws Exception
+	 */
+	public function theAdministratorHasSelectedMasterKeyEncryptionTypeUsingTheOccCommand():void {
+		$this->featureContext->runOcc(['encryption:select-encryption-type', "masterkey --yes"]);
+	}
+
 	/**
 	 * @When the administrator imports security certificate from file :filename in temporary storage on the system under test
 	 *
@@ -735,6 +745,40 @@ public function theAdministratorRunsUpgradeRoutinesOnLocalServerUsingTheOccComma
 		}
 	}
 
+	/**
+	 * @Given the administrator has decrypted everything
+	 *
+	 * @return void
+	 * @throws Exception
+	 */
+	public function theAdministratorHasDecryptedEverything():void {
+		$this->theAdministratorRunsEncryptionDecryptAllUsingTheOccCommand();
+		$this->theCommandShouldHaveBeenSuccessful();
+	}
+
+	/**
+	 * @When the administrator disables encryption using the occ command
+	 *
+	 * @return void
+	 * @throws Exception
+	 */
+	public function theAdministratorDisablesEncryptionUsingTheOccCommand():void {
+		$this->invokingTheCommand("encryption:disable");
+	}
+
+	/**
+	 * @When the administrator runs encryption decrypt all using the occ command
+	 *
+	 * @return void
+	 */
+	public function theAdministratorRunsEncryptionDecryptAllUsingTheOccCommand():void {
+		\system("./occ maintenance:singleuser --on");
+		\system("./occ encryption:decrypt-all -c yes", $status);
+
+		$this->featureContext->setResultOfOccCommand(["code" => $status, "stdOut" => null, "stdErr" => null]);
+		\system("./occ maintenance:singleuser --off");
+	}
+
 	/**
 	 * @return bool
 	 */

tests/acceptance/features/cliEncryption/encryption.feature

@@ -0,0 +1,71 @@
+@cli @skipWhenTestingRemoteSystems
+Feature: encryption command
+  As an admin
+  I want to encrypt-decrypt my data
+  So that users' resources are protected
+
+
+  Scenario: view current encryption status
+    When the administrator invokes occ command "encryption:status"
+    Then the command should have been successful
+    And the command output should contain the text "enabled: true"
+    And the command output should contain the text "defaultModule: OC_DEFAULT_MODULE"
+
+
+  Scenario: list available encryption modules
+    When the administrator invokes occ command "encryption:list-modules"
+    Then the command should have been successful
+    And the command output should contain the text "OC_DEFAULT_MODULE: Default encryption module [default*]"
+
+
+  Scenario: show current key storage root
+    When the administrator invokes occ command "encryption:show-key-storage-root"
+    Then the command should have been successful
+    And the command output should contain the text "Current key storage root:  default storage location (data/)"
+
+
+  Scenario: it should be possible to disable encryption after decrypting all of the encrypted files
+    Given the administrator has uploaded file with content "uploaded content" to "/lorem.txt"
+    And the administrator has decrypted everything
+    When the administrator disables encryption using the occ command
+    Then the command should have been successful
+    And the command output should contain the text "Cleaned up config"
+    And the command output should contain the text "Encryption is already disabled"
+    When the administrator invokes occ command "encryption:status"
+    Then the command should have been successful
+    And the command output should contain the text "enabled: false"
+
+
+  Scenario: data file contents should be encrypted
+    Given user "Alice" has been created with default attributes and without skeleton files
+    When user "Alice" uploads file with content "file to upload" to "/fileToUpload.txt" using the WebDAV API
+    Then file "fileToUpload.txt" of user "Alice" should be encrypted
+
+
+  Scenario: downloaded content of an uploaded file should not be encrypted
+    Given user "brand-new-user" has been created with default attributes and without skeleton files
+    When user "brand-new-user" uploads file with content "uploaded content" to "fileToUpload.txt" using the WebDAV API
+    Then the content of file "fileToUpload.txt" for user "brand-new-user" should be "uploaded content"
+
+
+  Scenario: it should not be possible to disable encryption without decrypting encrypted uploaded files
+    Given the administrator has uploaded file with content "uploaded content" to "/lorem.txt"
+    When the administrator disables encryption using the occ command
+    Then the command should have failed with exit code 1
+    And the command output should contain the text "The system still have encrypted files. Please decrypt them all before disabling encryption."
+
+
+  Scenario: move encryption keys to a different folder
+    When the administrator invokes occ command "encryption:change-key-storage-root owncloud-keys"
+    Then the command should have been successful
+    When the administrator invokes occ command "encryption:show-key-storage-root"
+    Then the command output should contain the text "Current key storage root:  owncloud-keys"
+
+  # this scenario is dependant with the scenario just above it i.e moving keys to different folder
+  # please remove the scenario after the issue is fixed
+  @skipOnOcV10 @issue-encryption-303
+  Scenario: it should not be possible to disable encryption even after decrypting all encrypted files if keys root has been changed
+    Given the administrator has decrypted everything
+    When the administrator disables encryption using the occ command
+    Then the command should have failed with exit code 1
+    And the command output should contain the text "The system still have encrypted files. Please decrypt them all before disabling encryption"