occ encryption:migrate is broken (as of v13.0.0) #8346

Closed
SimJoSt opened this issue Feb 14, 2018 · 8 comments

@SimJoSt
Contributor

SimJoSt commented Feb 14, 2018

Steps to reproduce

  1. Have a post oC v8.0 install and have never run occ encryption:migrate
  2. Upgrade (step by step) to v13.0.0
  3. Enable the app "default encryption module"
  4. Notice "Installation is in transit between the old Encryption (ownCloud <= 8.0) and the new encryption. Please enable the "Default encryption module" and run 'occ encryption:migrate'" notification
  5. Run occ encryption:migrate

Expected behavior

Encryption key migration being performed successfully.

Actual behavior

Get a Too few arguments error:

~ sudo -u www-data php occ encryption:migrate
An unhandled exception has been thrown:
ArgumentCountError: Too few arguments to function OCA\Encryption\Migration::__construct(), 4 passed in /var/www/html/apps/encryption/lib/Command/MigrateKeys.php on line 86 and exactly 5 expected in /var/www/html/apps/encryption/lib/Migration.php:57
Stack trace:
#0 /var/www/html/apps/encryption/lib/Command/MigrateKeys.php(86): OCA\Encryption\Migration->__construct(Object(OC\AllConfig), Object(OC\Files\View), Object(OC\DB\Connection), Object(OC\Log))
#1 /var/www/html/3rdparty/symfony/console/Command/Command.php(264): OCA\Encryption\Command\MigrateKeys->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#2 /var/www/html/3rdparty/symfony/console/Application.php(874): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#3 /var/www/html/3rdparty/symfony/console/Application.php(228): Symfony\Component\Console\Application->doRunCommand(Object(OCA\Encryption\Command\MigrateKeys), Object(Symfony\Component\Console\Input\ArgvInput),Object(Symfony\Component\Console\Output\ConsoleOutput))
#4 /var/www/html/3rdparty/symfony/console/Application.php(130): Symfony\Component\Console\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#5 /var/www/html/lib/private/Console/Application.php(173): Symfony\Component\Console\Application->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#6 /var/www/html/console.php(90): OC\Console\Application->run()
#7 /var/www/html/occ(11): require_once('/var/www/html/c...')

Additional information

  • occ encryption:status displays no defaultModule being set:
sudo -u www-data php occ encryption:status
  - enabled: false
  - defaultModule:
  • Running occ encryption:list-modules doesn't output anything.
  • Setting OC_DEFAULT_MODULE as default encryption module doesn't work:
sudo -u www-data php occ encryption:set-default-module OC_DEFAULT_MODULE
The specified module "OC_DEFAULT_MODULE" does not exist

Code research

The two mentioned files and lines are these ones:

Apparently, a change in the first one, adding IAppManager, seems to cause the dysfunction. It was added in 9993413 by @MorrisJobke.

Server configuration detail

Operating system: Linux 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64

Webserver: Apache/2.4.10 (Debian) (apache2handler)

Database: mysql 5.7.21

PHP version: 7.1.14
Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, PDO, session, posix, Reflection, standard, SimpleXML, pdo_sqlite, Phar, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, apcu, exif, gd, intl, ldap, mcrypt, memcached, mysqli, pcntl, pdo_mysql, pdo_pgsql, pgsql, redis, zip, Zend OPcache

Nextcloud version: 13.0.0 - 13.0.0.14

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status

Array

List of activated apps
Enabled:
 - activity: 2.6.1
 - admin_audit: 1.3.0
 - announcementcenter: 3.2.1
 - apporder: 0.4.1
 - bookmarks: 0.10.1
 - bruteforcesettings: 1.0.3
 - calendar: 1.6.0
 - caniupdate: 0.1.2
 - checksum: 0.3.5
 - circles: 0.13.6
 - comments: 1.3.0
 - contacts: 2.1.0
 - dav: 1.4.6
 - deck: 0.3.0
 - external: 3.0.2
 - federatedfilesharing: 1.3.1
 - federation: 1.3.0
 - files: 1.8.0
 - files_downloadactivity: 1.2.0
 - files_external: 1.4.1
 - files_markdown: 2.0.1
 - files_pdfviewer: 1.2.0
 - files_reader: 1.2.2
 - files_sharing: 1.5.0
 - files_texteditor: 2.5.1
 - files_trashbin: 1.3.0
 - files_versions: 1.6.0
 - files_videoplayer: 1.2.0
 - firstrunwizard: 2.2.1
 - gallery: 18.0.0
 - groupfolders: 1.2.0
 - issuetemplate: 0.3.0
 - logreader: 2.0.0
 - lookup_server_connector: 1.1.0
 - mail: 0.7.9
 - metadata: 0.6.0
 - music: 0.5.5
 - nextcloud_announcements: 1.2.0
 - notes: 2.3.2
 - notifications: 2.1.2
 - oauth2: 1.1.0
 - password_policy: 1.3.0
 - polls: 0.8.1
 - provisioning_api: 1.3.0
 - quota_warning: 1.2.0
 - ransomware_protection: 1.1.0
 - richdocuments: 1.12.40
 - serverinfo: 1.3.0
 - sharebymail: 1.3.0
 - spreed: 3.0.1
 - systemtags: 1.3.0
 - tasks: 0.9.6
 - theming: 1.4.1
 - twofactor_backupcodes: 1.2.3
 - twofactor_totp: 1.4.1
 - twofactor_u2f: 1.5.1
 - updatenotification: 1.3.0
 - user_external: 0.4
 - workflowengine: 1.3.0
Disabled:
 - audioplayer
 - encryption
 - files_accesscontrol
 - files_automatedtagging
 - files_linkeditor
 - files_retention
 - survey_client
 - unsplash
 - user_ldap

Configuration (config/config.php)
{
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "cloud.freiheitswolke.org",
        "cloud.freiheitswolke.de"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "mysql",
    "version": "13.0.0.14",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "forcessl": true,
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "theme": "",
    "loglevel": 0,
    "trashbin_retention_obligation": "auto",
    "updatechecker": true,
    "ldapIgnoreNamingRules": false,
    "apps_paths": [
        {
            "path": "\/var\/www\/html\/apps",
            "url": "\/apps",
            "writable": false
        },
        {
            "path": "\/var\/www\/html\/custom_apps",
            "url": "\/custom_apps",
            "writable": true
        }
    ],
    "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "465",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpsecure": "ssl",
    "htaccess.RewriteBase": "\/",
    "overwrite.cli.url": "https:\/\/cloud.freiheitswolke.org",
    "auth.bruteforce.protection.enabled": false
}

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Operating system:

@victorbw

Same here, but from fresh NC 12.0.5 -> "occ upgrade" NC13 -> "encryption:migrate" throws exceptions:

Stack trace:
#0 /var/www/html/nextcloud/apps/encryption/lib/Command/MigrateKeys.php(86): OCA\Encryption\Migration->__construct(Object(OC\AllConfig), Object(OC\Files\View), Object(OC\DB\Connection), Object(OC\Log))
#1 /var/www/html/nextcloud/3rdparty/symfony/console/Command/Command.php(264): OCA\Encryption\Command\MigrateKeys->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#2 /var/www/html/nextcloud/3rdparty/symfony/console/Application.php(874): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#3 /var/www/html/nextcloud/3rdparty/symfony/console/Application.php(228): Symfony\Component\Console\Application->doRunCommand(Object(OCA\Encryption\Command\MigrateKeys), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#4 /var/www/html/nextcloud/3rdparty/symfony/console/Application.php(130): Symfony\Component\Console\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#5 /var/www/html/nextcloud/lib/private/Console/Application.php(173): Symfony\Component\Console\Application->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#6 /var/www/html/nextcloud/console.php(90): OC\Console\Application->run()
#7 /var/www/html/nextcloud/occ(11): require_once('/var/www/html/n...')

@blizzz
Member

blizzz commented Feb 27, 2018

@nextcloud/encryption

@schiessle
Member

@victorbw there is no need to run it if you migrate from Nextcloud 12.0.5 to Nextcloud 13. This was a bug fix for a really old ownCloud version back then. We should probably just remove this completely.

@victorbw

@schiessle thank you for pointing that out!

I also suggest having it either removed or adjusted to suppress any malformed information.

@SimJoSt
Contributor Author

SimJoSt commented Mar 7, 2018

We've followed the recommended update path from oC 9.1.4 to the last dot update of oC 9.1 (9.1.7) to the last dot update of Nc 10, 12 and 13. But still, when I activate the "default encryption module" on our install, I get the yellow notification asking me to run the migration command.
So apparently the feature is still needed.

@albertogscotti

I agree. Also, this seems to have broken encryption on files/folders shared with others - users are getting a 503 error and Nextcloud logs various "Sabre\DAV\Exception\ServiceUnavailable: Encryption not ready: multikeydecrypt with share key failed".

@schiessle
Member

This script should have been run from ownCloud 8 to ownCloud 8.1, not later, because we can't guarantee that the script is compatible with possible differences to any later version.

@SimJoSt
Contributor Author

SimJoSt commented Nov 17, 2018

@schiessle So everyone who didn't do it, for whatever reason, will never be able to use server-side encryption in the future at all?
That sucks.

Is there any way to fix it manually?
