Merge pull request #635 from nextcloud/backport/633/stable5.12

[stable5.12] fix: allow server-side encryption if the master key is used

Author: st3iny

lib/BackgroundJob/PreviewJob.php

@@ -9,6 +9,7 @@
 
 namespace OCA\PreviewGenerator\BackgroundJob;
 
+use OCA\PreviewGenerator\Exceptions\EncryptionEnabledException;
 use OCA\PreviewGenerator\Service\ConfigService;
 use OCA\PreviewGenerator\Service\PreGenerateService;
 use OCA\PreviewGenerator\Support\OutputInterfaceLoggerAdapter;
@@ -54,6 +55,11 @@ protected function run($argument) {
 		}
 
 		$this->preGenerateService->setLimiter($this->limiter);
-		$this->preGenerateService->preGenerate($this->outputInterface);
+
+		try {
+			$this->preGenerateService->preGenerate($this->outputInterface);
+		} catch (EncryptionEnabledException $e) {
+			// Just skip the job silently
+		}
 	}
 }

lib/Command/Generate.php

@@ -11,11 +11,12 @@
 
 use OC\DB\Exceptions\DbalException;
 use OCA\Files_External\Service\GlobalStoragesService;
+use OCA\PreviewGenerator\Exceptions\EncryptionEnabledException;
 use OCA\PreviewGenerator\Model\WorkerConfig;
+use OCA\PreviewGenerator\Service\EncryptionService;
 use OCA\PreviewGenerator\Service\ModuloService;
 use OCA\PreviewGenerator\SizeHelper;
 use OCP\DB\Exception;
-use OCP\Encryption\IManager;
 use OCP\Files\File;
 use OCP\Files\Folder;
 use OCP\Files\GenericFileException;
@@ -48,7 +49,7 @@ class Generate extends Command {
 	protected IPreview $previewGenerator;
 	protected IConfig $config;
 	protected OutputInterface $output;
-	protected IManager $encryptionManager;
+	protected EncryptionService $encryptionService;
 	protected SizeHelper $sizeHelper;
 
 	private ?WorkerConfig $workerConfig = null;
@@ -57,7 +58,7 @@ public function __construct(IRootFolder $rootFolder,
 		IUserManager $userManager,
 		IPreview $previewGenerator,
 		IConfig $config,
-		IManager $encryptionManager,
+		EncryptionService $encryptionService,
 		ContainerInterface $container,
 		SizeHelper $sizeHelper) {
 		parent::__construct();
@@ -66,7 +67,7 @@ public function __construct(IRootFolder $rootFolder,
 		$this->rootFolder = $rootFolder;
 		$this->previewGenerator = $previewGenerator;
 		$this->config = $config;
-		$this->encryptionManager = $encryptionManager;
+		$this->encryptionService = $encryptionService;
 		$this->sizeHelper = $sizeHelper;
 
 		try {
@@ -98,8 +99,8 @@ protected function configure(): void {
 	}
 
 	protected function execute(InputInterface $input, OutputInterface $output): int {
-		if ($this->encryptionManager->isEnabled()) {
-			$output->writeln('<error>Encryption is enabled. Aborted.</error>');
+		if (!$this->encryptionService->isCompatibleWithCurrentEncryption()) {
+			$output->writeln('<error>' . EncryptionEnabledException::DEFAULT_MESSAGE . '</error>');
 			return 1;
 		}
 

lib/Command/PreGenerate.php

@@ -32,7 +32,7 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 		try {
 			$this->preGenerateService->preGenerate($output);
 		} catch (EncryptionEnabledException $e) {
-			$output->writeln('<error>Encryption is enabled. Aborted.</error>');
+			$output->writeln('<error>' . EncryptionEnabledException::DEFAULT_MESSAGE . '</error>');
 			return 1;
 		}
 

lib/Exceptions/EncryptionEnabledException.php

@@ -10,12 +10,7 @@
 namespace OCA\PreviewGenerator\Exceptions;
 
 use Exception;
-use Throwable;
 
 class EncryptionEnabledException extends Exception {
-	public const DEFAULT_MESSAGE = 'Encryption is enabled';
-
-	public function __construct(string $message = '', int $code = 0, ?Throwable $previous = null) {
-		parent::__construct($message ?? self::DEFAULT_MESSAGE, $code, $previous);
-	}
+	public const DEFAULT_MESSAGE = 'Encryption is enabled without the master key';
 }

lib/Service/EncryptionService.php

@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\PreviewGenerator\Service;
+
+use OC\Encryption\Exceptions\ModuleDoesNotExistsException;
+use OCP\Encryption\IManager as IEncryptionManager;
+
+class EncryptionService {
+	public function __construct(
+		private readonly IEncryptionManager $encryptionManager,
+	) {
+	}
+
+	public function isCompatibleWithCurrentEncryption(): bool {
+		if (!$this->encryptionManager->isEnabled()) {
+			return true;
+		}
+
+		try {
+			$encryptionModule = $this->encryptionManager->getEncryptionModule();
+		} catch (ModuleDoesNotExistsException $e) {
+			return false;
+		}
+
+		return !$encryptionModule->needDetailedAccessList();
+	}
+}

lib/Service/PreGenerateService.php

@@ -18,7 +18,6 @@
 use OCP\AppFramework\Db\TTransactional;
 use OCP\AppFramework\Utility\ITimeFactory;
 use OCP\DB\Exception;
-use OCP\Encryption\IManager;
 use OCP\Files\File;
 use OCP\Files\GenericFileException;
 use OCP\Files\IRootFolder;
@@ -44,7 +43,7 @@ public function __construct(
 		private IPreview $previewGenerator,
 		private IConfig $config,
 		private IDBConnection $connection,
-		private IManager $encryptionManager,
+		private EncryptionService $encryptionService,
 		private ITimeFactory $time,
 		private SizeHelper $sizeHelper,
 		private NoMediaService $noMediaService,
@@ -56,11 +55,11 @@ public function setLimiter(PreviewLimiter $limiter): void {
 	}
 
 	/**
-	 * @throws EncryptionEnabledException If encryption is enabled.
+	 * @throws EncryptionEnabledException If encryption is enabled without the master key.
 	 */
 	public function preGenerate(OutputInterface $output): void {
-		if ($this->encryptionManager->isEnabled()) {
-			throw new EncryptionEnabledException();
+		if (!$this->encryptionService->isCompatibleWithCurrentEncryption()) {
+			throw new EncryptionEnabledException(EncryptionEnabledException::DEFAULT_MESSAGE);
 		}
 
 		// Set timestamp output