From 4551bbe0e0ad81038708ae2c0e5e434cebe0984f Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Wed, 20 Dec 2017 15:35:23 +0100
Subject: [PATCH] Forget key + cert + mnemonic on account removal

Signed-off-by: Roeland Jago Douma
---
 src/gui/accountmanager.cpp | 3 +++
 src/libsync/account.h | 2 +-
 src/libsync/clientsideencryption.cpp | 38 +++++++++++++++++++++++-----
 src/libsync/clientsideencryption.h | 2 ++
 4 files changed, 38 insertions(+), 7 deletions(-)
diff --git a/src/gui/accountmanager.cpp b/src/gui/accountmanager.cpp
index 38a0ff185..15758cc8a 100644
--- a/src/gui/accountmanager.cpp
+++ b/src/gui/accountmanager.cpp
@@ -312,6 +312,9 @@ void AccountManager::deleteAccount(AccountState *account)
 auto settings = ConfigFile::settingsWithGroup(QLatin1String(accountsC));
 settings->remove(account->account()->id());
+ // Forget E2E keys
+ account->account()->e2e()->forgetSensitiveData();
+
 emit accountRemoved(account);
 }
diff --git a/src/libsync/account.h b/src/libsync/account.h
index 8d6774a4a..1bc58d115 100644
--- a/src/libsync/account.h
+++ b/src/libsync/account.h
@@ -234,7 +234,7 @@ public:
 /// Called by network jobs on credential errors, emits invalidCredentials()
 void handleInvalidCredentials();
- ClientSideEncryption* e2e();
+ ClientSideEncryption* e2e();
 public slots:
 /// Used when forgetting credentials
diff --git a/src/libsync/clientsideencryption.cpp b/src/libsync/clientsideencryption.cpp
index c4412795f..5553a8592 100644
--- a/src/libsync/clientsideencryption.cpp
+++ b/src/libsync/clientsideencryption.cpp
@@ -51,6 +51,12 @@ QString baseUrl(){
 return QStringLiteral("ocs/v2.php/apps/end_to_end_encryption/api/v1/");
 }
+namespace {
+ const char e2e_cert[] = "_e2e-certificate";
+ const char e2e_private[] = "_e2e-private";
+ const char e2e_mnemonic[] = "_e2e-mnemonic";
+} // ns
+
 namespace {
 void handleErrors(void)
 {
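Review bot: In `AccountManager::deleteAccount`, the new call to `forgetSensitiveData()` only starts the keychain deletions, and `accountRemoved` is emitted right after, so removal is reported before the private key, certificate and mnemonic are actually gone. Nothing in this commit waits for or checks those jobs, so if the application exits or the keychain is locked at that moment the entries presumably stay behind unnoticed. The comment should say so, for example `// Drop E2E key, certificate and mnemonic from memory and queue their keychain deletion (asynchronous, not awaited)`. The body of deleteAccount starts outside the hunk.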
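Review bot: The three suffixes added before `handleErrors` are part of the keychain entry names used for reading, writing and now deleting the secrets, and nothing at the definition says so. A later edit to one of these values would leave secrets stored under the old name that `forgetSensitiveData()` can no longer find. I would add `// Keychain entry suffixes. Changing a value orphans secrets stored under the old name.` above them. The constants could also live in the anonymous namespace that already opens right after this block instead of a second one.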
@@ -629,7 +635,7 @@ void ClientSideEncryption::initialize()
 void ClientSideEncryption::fetchFromKeyChain() {
 const QString kck = AbstractCredentials::keychainKey(
 _account->url().toString(),
- _account->credentials()->user() + "_e2e-certificate",
+ _account->credentials()->user() + e2e_cert,
 _account->id()
 );
@@ -662,7 +668,7 @@ void ClientSideEncryption::publicKeyFetched(Job *incoming) {
 const QString kck = AbstractCredentials::keychainKey(
 _account->url().toString(),
- _account->credentials()->user() + "_e2e-private",
+ _account->credentials()->user() + e2e_private,
 _account->id()
 );
@@ -701,7 +707,7 @@ void ClientSideEncryption::privateKeyFetched(Job *incoming) {
 const QString kck = AbstractCredentials::keychainKey(
 _account->url().toString(),
- _account->credentials()->user() + "_e2e-mnemonic",
+ _account->credentials()->user() + e2e_mnemonic,
 _account->id()
 );
@@ -734,7 +740,7 @@ void ClientSideEncryption::mnemonicKeyFetched(QKeychain::Job *incoming) {
 void ClientSideEncryption::writePrivateKey() {
 const QString kck = AbstractCredentials::keychainKey(
 _account->url().toString(),
- _account->credentials()->user() + "_e2e-private",
+ _account->credentials()->user() + e2e_private,
 _account->id()
 );
@@ -752,7 +758,7 @@ void ClientSideEncryption::writePrivateKey() {
 void ClientSideEncryption::writeCertificate() {
 const QString kck = AbstractCredentials::keychainKey(
 _account->url().toString(),
- _account->credentials()->user() + "_e2e-certificate",
+ _account->credentials()->user() + e2e_cert,
 _account->id()
 );
@@ -770,7 +776,7 @@ void ClientSideEncryption::writeCertificate() {
 void ClientSideEncryption::writeMnemonic() {
 const QString kck = AbstractCredentials::keychainKey(
 _account->url().toString(),
- _account->credentials()->user() + "_e2e-mnemonic",
+ _account->credentials()->user() + e2e_mnemonic,
 _account->id()
 );
@@ -785,6 +791,26 @@ void ClientSideEncryption::writeMnemonic() {
 job->start();
 }
+void ClientSideEncryption::forgetSensitiveData()
+{
+ _privateKey = QSslKey();
+ _certificate = QSslCertificate();
+ _publicKey = QSslKey();
+ _mnemonic = QString();
+
+ auto startDeleteJob = [this](QString user) {
+ DeletePasswordJob *job = new DeletePasswordJob(Theme::instance()->appName());
+ job->setInsecureFallback(false);
+ job->setKey(AbstractCredentials::keychainKey(_account->url().toString(), user, _account->id()));
+ job->start();
+ };
+
+ auto user = _account->credentials()->user();
+ startDeleteJob(user + e2e_private);
+ startDeleteJob(user + e2e_cert);
+ startDeleteJob(user + e2e_mnemonic);
+}
+
 bool ClientSideEncryption::hasPrivateKey() const
 {
 return !_privateKey.isNull();
diff --git a/src/libsync/clientsideencryption.h b/src/libsync/clientsideencryption.h
index 01410ff3f..10123166d 100644
--- a/src/libsync/clientsideencryption.h
+++ b/src/libsync/clientsideencryption.h
@@ -43,6 +43,8 @@ public:
 bool isFolderEncrypted(const QString& path);
 void setFolderEncryptedStatus(const QString& path, bool status);
+ void forgetSensitiveData();
+
 private slots:
 void folderEncryptedStatusFetched(const QMap &values);
 void folderEncryptedStatusError(int error);
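Review bot: In `forgetSensitiveData()` the three `DeletePasswordJob`s are started and never observed, so a failed deletion (locked or unavailable keychain) leaves the private key, certificate or mnemonic in the keychain while the account appears removed. Connecting each job's `finished` signal and logging any error other than a missing entry makes that visible, as sketched below. The lambda can also take `const QString &user`. Separately, assigning empty `QSslKey`/`QString` values releases the objects but does not overwrite their buffers, and Qt's implicit sharing means other copies of `_mnemonic` may still exist, so this should not be documented as wiping memory.

```cpp
auto startDeleteJob = [this](const QString &user) {
    // … unchanged: job construction, setInsecureFallback(false), setKey(...) …
    // No context object: the result should be logged even if this object is destroyed during account removal.
    connect(job, &QKeychain::Job::finished, [](QKeychain::Job *done) {
        // A missing entry is fine; any other error means the secret is still stored.
        if (done->error() != QKeychain::NoError && done->error() != QKeychain::EntryNotFound)
            qWarning() << "Could not delete E2E keychain entry:" << done->errorString();
    });
    job->start();
};
```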