nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

WebDAV HTTP/500 on encrypted documents after uninstalling Nextcloud Office #39585

Open mdartmann opened 1 year ago

mdartmann commented 1 year ago

Bug description

After shutting down my Collabora server and removing the Nextcloud Office plugin from my Nextcloud 27 server, I can no longer access any files that were previously able to be read by Collabora. I cannot open them in the web interface and WebDAV requests for these files return HTTP 500.

According to the logs, the decryption fails: Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.

Reinstalling the Office plugin does not resolve this issue.

Steps to reproduce

  1. Install Nextcloud and Collabora and set up encryption
  2. Remove the Nextcloud Office plugin from your Nextcloud instance

Expected behavior

I expect to be able to read the files like I did before removing the plugin.

Installation method

Community Docker image

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

Other

Web server

Nginx

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

Configuration report

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.dartmann.net"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.0.1.2",
        "overwrite.cli.url": "https:\/\/cloud.dartmann.net",
        "overwritehost": "cloud.dartmann.net",
        "overwriteprotocol": "https",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "mail_smtpmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "AT",
        "maintenance": false,
        "loglevel": 2,
        "theme": "",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "OC\\Memcache\\Redis",
        "filelocking.enabled": true,
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "timeout": 0
        }
    }
}

List of activated Apps

  - activity: 2.19.0
  - admin_audit: 1.17.0
  - bruteforcesettings: 2.7.0
  - calendar: 4.4.3
  - circles: 27.0.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contacts: 5.3.2
  - contactsinteraction: 1.8.0
  - dashboard: 7.7.0
  - dav: 1.27.0
  - drawio: 2.1.2
  - encryption: 2.15.0
  - federatedfilesharing: 1.17.0
  - federation: 1.17.0
  - files: 1.22.0
  - files_external: 1.19.0
  - files_pdfviewer: 2.8.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - mail: 3.2.4
  - nextcloud_announcements: 1.16.0
  - notes: 4.8.1
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - photos: 2.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - richdocuments: 8.1.0
  - richdocumentscode: 23.5.104
  - serverinfo: 1.17.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - support: 1.10.0
  - survey_client: 1.15.0
  - suspicious_login: 5.0.0
  - systemtags: 1.17.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - twofactor_totp: 9.0.0
  - updatenotification: 1.17.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflow_pdf_converter: 1.12.0
  - workflowengine: 2.9.0
Disabled:
  - spreed: 17.0.2 (installed 17.0.2)
  - user_ldap: 1.17.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

// only the relevant section to save space, if you want the full 111kB log let me know.
{"reqId":"a3btsBudrB4IN7GxWhCL","level":3,"time":"2023-07-26T23:23:04+00:00","remoteAddr":"2a02:8388:8b86:f280:94d9:c9cc:d91f:6d74","user":"mae","app":"webdav","method":"GET","url":"/remote.php/webdav/Wien%20Office/Wien%20Office.odt","message":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/6.5.2 Chrome/108.0.5359.220 Safari/537.36","version":"27.0.1.2","exception":{"Exception":"OC\\Encryption\\Exceptions\\DecryptionFailedException","Message":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","Code":0,"Trace":[{"file":"/var/www/html/lib/private/Files/Stream/Encryption.php","line":517,"function":"decrypt","class":"OCA\\Encryption\\Crypto\\Encryption","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/private/Files/Stream/Encryption.php","line":316,"function":"readCache","class":"OC\\Files\\Stream\\Encryption","type":"->","args":[]},{"function":"stream_read","class":"OC\\Files\\Stream\\Encryption","type":"->","args":[8192]},{"file":"/var/www/html/apps/files_external/3rdparty/icewind/streams/src/Wrapper.php","line":55,"function":"fread","args":[null,8192]},{"file":"/var/www/html/apps/files_external/3rdparty/icewind/streams/src/CallbackWrapper.php","line":96,"function":"stream_read","class":"Icewind\\Streams\\Wrapper","type":"->","args":[8192]},{"function":"stream_read","class":"Icewind\\Streams\\CallbackWrapper","type":"->","args":[8192]},{"file":"/var/www/html/3rdparty/sabre/http/lib/Sapi.php","line":110,"function":"stream_copy_to_stream","args":[null,null,28728]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php","line":490,"function":"sendResponse","class":"Sabre\\HTTP\\Sapi","type":"::","args":[["Sabre\\HTTP\\Response"]]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->","args":[["Sabre\\HTTP\\Request"],["Sabre\\HTTP\\Response"]]},{"file":"/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"/var/www/html/apps/dav/appinfo/v1/webdav.php","line":85,"function":"exec","class":"Sabre\\DAV\\Server","type":"->","args":[]},{"file":"/var/www/html/remote.php","line":172,"args":["/var/www/html/apps/dav/appinfo/v1/webdav.php"],"function":"require_once"}],"File":"/var/www/html/apps/encryption/lib/Crypto/Encryption.php","Line":398,"Hint":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","message":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you.","exception":{},"CustomMessage":"Cannot decrypt this file, probably this is a shared file. Please ask the file owner to reshare the file with you."}}

Additional info

I am running this instance in a docker container using the nextcloud:alpine image. It has been around for some time and has been upgraded over time from version 21.

mdartmann commented 1 year ago

If you have a temporary workaround for this it would be appreciated. I got the files back by restoring a backup to before this issue occurred and will just not touch the Office/Collabora config until this is fixed.

joshtrichards commented 1 year ago

Hi @mdartmann - I can't speak to the underlying specifics nor why uninstalling NC Office triggered this for you, but NC Office/CODE is documented as not currently working with Encryption:

https://docs.nextcloud.com/server/latest/admin_manual/office/troubleshooting.html#frequently-asked-questions

mdartmann commented 1 year ago

Hi @joshtrichards,

Thanks for the reply. This is odd as I was previously able to edit the (encrypted) file in CODE and it hasn't been changed since last December. Looking at a file that failed shows that it is encrypted. (The recent Birth time is because of a migration to a new host for the container.)

  File: Wien Office.odt
  Size: 37304       Blocks: 80         IO Block: 4096   regular file
Device: 254,3   Inode: 4468302     Links: 1
Access: (0644/-rw-r--r--)  Uid: (   82/ UNKNOWN)   Gid: (   82/ UNKNOWN)
Access: 2023-07-27 01:20:50.221181394 +0200
Modify: 2022-12-13 09:16:02.342678058 +0100
Change: 2023-07-27 00:50:42.672879438 +0200
 Birth: 2023-07-27 00:50:42.672879438 +0200
head -c 100 Wien\ Office/Wien\ Office.odt
HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:signed:true:encoding:binary:HEND---
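
The `head -c 100` check in the comment above, generalised to a whole directory tree, as an added example (not part of the original thread and not Nextcloud's own code). It parses the `HBEGIN:…:HEND` header shown in that output; the 8192-byte read size and the `-` padding are assumptions, and the sample files are constructed.

```python
import os
import tempfile

HEADER_START = b"HBEGIN:"
HEADER_END = b":HEND"
MAX_HEADER = 8192  # assumption: header is padded with '-' to one 8 KiB block


def parse_header(blob: bytes):
    """Return the header's key/value pairs, or None if blob has no valid header."""
    if not blob.startswith(HEADER_START):
        return None
    end = blob.find(HEADER_END, len(HEADER_START))
    if end == -1:
        return None  # truncated or damaged header
    fields = blob[len(HEADER_START):end].decode("ascii", "replace").split(":")
    if len(fields) % 2:
        return None  # keys and values must pair up
    return dict(zip(fields[0::2], fields[1::2]))


def scan_tree(root):
    """Map each file under root to its parsed header (None = no header found)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                report[os.path.relpath(path, root)] = parse_header(fh.read(MAX_HEADER))
    return report


def demo():
    # Constructed sample files: one carries the header quoted in the issue, one is plaintext.
    header = (b"HBEGIN:oc_encryption_module:OC_DEFAULT_MODULE:cipher:AES-256-CTR:"
              b"signed:true:encoding:binary:HEND")
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "encrypted.odt"), "wb") as fh:
            fh.write(header.ljust(MAX_HEADER, b"-") + b"\x00constructed ciphertext")
        with open(os.path.join(root, "plain.txt"), "wb") as fh:
            fh.write(b"not encrypted\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, fields in sorted(demo().items()):
        print(path, fields or "no encryption header")
```

Run against a copy or backup of the data directory, this lists which files still carry an encryption header and which cipher each declares, which is the inventory needed before removing apps or disabling the encryption module.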

joshtrichards commented 1 year ago

I'm simply saying it's documented to not be supported. This may be the reason you ran into this problem.

I haven't found the historical basis yet.

Given the error you're seeing is specific to shared encrypted files:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html#sharing-encrypted-files

Does this behavior occur with any that aren't shares?

P.S. Are you using per-user encryption keys or a master key?

mdartmann commented 8 months ago

I have disabled encryption because of how many headaches it caused; unfortunately, a few files were lost.

joshtrichards commented 1 month ago

> This is odd as I was previously able to edit the (encrypted) file in CODE and it hasn't been changed since last December.

This may have been nextcloud/richdocuments#3181 / nextcloud/richdocuments#2996

More associated with Server 27.0.x. Likely just a coincidence it seemed to start when you disabled richdocuments, since 27.0.1 was released only a few days before your report. Would explain why re-enabling richdocuments didn't remedy the issue.

nextcloud-command commented 2 weeks ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.