open-dsi
/
nextcloud-server
mirror of https://github.com/nextcloud/server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Actually convert the token

Browse Source 
* When getting the token
* When rotating the token

* Also store the encrypted password as base64 to avoid weird binary
stuff

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
pull/9485/head
Roeland Jago Douma 7 years ago
parent d03d16a936
commit f168ecfa7a
No known key found for this signature in database
GPG Key ID: F941078878347C0C
3 changed files with 94 additions and 40 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 27
      lib/private/Authentication/Token/Manager.php
  2. 8
      lib/private/Authentication/Token/PublicKeyTokenMapper.php
  3. 99
      lib/private/Authentication/Token/PublicKeyTokenProvider.php

27
lib/private/Authentication/Token/Manager.php
Unescape View File

@ -121,8 +121,19 @@ class Manager implements IProvider {
try { try {
return $this->publicKeyTokenProvider->getToken($tokenId); return $this->publicKeyTokenProvider->getToken($tokenId);
} catch (InvalidTokenException $e) { } catch (InvalidTokenException $e) {
return $this->defaultTokenProvider->getToken($tokenId); // No worries we try to convert it to a PublicKey Token
} }
//Convert!
$token = $this->defaultTokenProvider->getToken($tokenId);
try {
$password = $this->defaultTokenProvider->getPassword($token, $tokenId);
} catch (PasswordlessTokenException $e) {
$password = null;
}
return $this->publicKeyTokenProvider->convertToken($token, $tokenId, $password);
} }
/** /**
@ -149,7 +160,6 @@ class Manager implements IProvider {
try { try {
$this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId); $this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId);
} catch (InvalidTokenException $e) { } catch (InvalidTokenException $e) {
//TODO: Move to new token
$this->defaultTokenProvider->renewSessionToken($oldSessionId, $sessionId); $this->defaultTokenProvider->renewSessionToken($oldSessionId, $sessionId);
} }
} }
@ -163,7 +173,6 @@ class Manager implements IProvider {
*/ */
public function getPassword(IToken $savedToken, string $tokenId): string { public function getPassword(IToken $savedToken, string $tokenId): string {
if ($savedToken instanceof DefaultToken) { if ($savedToken instanceof DefaultToken) {
//TODO convert to new token type
return $this->defaultTokenProvider->getPassword($savedToken, $tokenId); return $this->defaultTokenProvider->getPassword($savedToken, $tokenId);
} }
@ -173,9 +182,7 @@ class Manager implements IProvider {
} }
public function setPassword(IToken $token, string $tokenId, string $password) { public function setPassword(IToken $token, string $tokenId, string $password) {
if ($token instanceof DefaultToken) { if ($token instanceof DefaultToken) {
//TODO conver to new token
$this->defaultTokenProvider->setPassword($token, $tokenId, $password); $this->defaultTokenProvider->setPassword($token, $tokenId, $password);
} }
@ -200,10 +207,14 @@ class Manager implements IProvider {
} }
public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken { public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
if ($token instanceof DefaultToken) { if ($token instanceof DefaultToken) {
//TODO Migrate to new token try {
return $this->defaultTokenProvider->rotate($token, $oldTokenId, $newTokenId); $password = $this->defaultTokenProvider->getPassword($token, $oldTokenId);
} catch (PasswordlessTokenException $e) {
$password = null;
}
return $this->publicKeyTokenProvider->convertToken($token, $newTokenId, $password);
} }
if ($token instanceof PublicKeyToken) { if ($token instanceof PublicKeyToken) {

8
lib/private/Authentication/Token/PublicKeyTokenMapper.php
Unescape View File

@ -159,4 +159,12 @@ class PublicKeyTokenMapper extends QBMapper {
$qb->execute(); $qb->execute();
} }
public function deleteTempToken(PublicKeyToken $except) {
$qb = $this->db->getQueryBuilder();
$qb->delete('authtoken')
->where($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN)))
->andWhere($qb->expr()->neq('id', $qb->createNamedParameter($except->getId())))
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(2, IQueryBuilder::PARAM_INT)));
}
} }

99
lib/private/Authentication/Token/PublicKeyTokenProvider.php
Unescape View File

@ -67,36 +67,7 @@ class PublicKeyTokenProvider implements IProvider {
string $name, string $name,
int $type = IToken::TEMPORARY_TOKEN, int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken { int $remember = IToken::DO_NOT_REMEMBER): IToken {
$dbToken = new PublicKeyToken(); $dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
$dbToken->setUid($uid);
$dbToken->setLoginName($loginName);
$config = [
'digest_alg' => 'sha512',
'private_key_bits' => 2048,
];
// Generate new key
$res = openssl_pkey_new($config);
openssl_pkey_export($res, $privateKey);
// Extract the public key from $res to $pubKey
$publicKey = openssl_pkey_get_details($res);
$publicKey = $publicKey['key'];
$dbToken->setPublicKey($publicKey);
$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
if (!is_null($password)) {
$dbToken->setPassword($this->encryptPassword($password, $publicKey));
}
$dbToken->setName($name);
$dbToken->setToken($this->hashToken($token));
$dbToken->setType($type);
$dbToken->setRemember($remember);
$dbToken->setLastActivity($this->time->getTime());
$dbToken->setLastCheck($this->time->getTime());
$this->mapper->insert($dbToken); $this->mapper->insert($dbToken);
@ -219,6 +190,9 @@ class PublicKeyTokenProvider implements IProvider {
throw new InvalidTokenException(); throw new InvalidTokenException();
} }
// When changeing passwords all temp tokens are deleted
$this->mapper->deleteTempToken($token);
// Update the password for all tokens // Update the password for all tokens
$tokens = $this->mapper->getTokenByUser($token->getUID()); $tokens = $this->mapper->getTokenByUser($token->getUID());
foreach ($tokens as $t) { foreach ($tokens as $t) {
@ -226,8 +200,6 @@ class PublicKeyTokenProvider implements IProvider {
$t->setPassword($this->encryptPassword($password, $publicKey)); $t->setPassword($this->encryptPassword($password, $publicKey));
$this->updateToken($t); $this->updateToken($t);
} }
//TODO: should we also do this for temp tokens?
} }
public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken { public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
@ -267,11 +239,13 @@ class PublicKeyTokenProvider implements IProvider {
private function encryptPassword(string $password, string $publicKey): string { private function encryptPassword(string $password, string $publicKey): string {
openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING); openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
$encryptedPassword = base64_encode($encryptedPassword);
return $encryptedPassword; return $encryptedPassword;
} }
private function decryptPassword(string $encryptedPassword, string $privateKey): string { private function decryptPassword(string $encryptedPassword, string $privateKey): string {
$encryptedPassword = base64_decode($encryptedPassword);
openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING); openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
return $password; return $password;
@ -281,4 +255,65 @@ class PublicKeyTokenProvider implements IProvider {
$secret = $this->config->getSystemValue('secret'); $secret = $this->config->getSystemValue('secret');
return hash('sha512', $token . $secret); return hash('sha512', $token . $secret);
} }
/**
* Convert a DefaultToken to a publicKeyToken
* This will also be updated directly in the Database
*/
public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken {
$pkToken = $this->newToken(
$token,
$defaultToken->getUID(),
$defaultToken->getLoginName(),
$password,
$defaultToken->getName(),
$defaultToken->getType(),
$defaultToken->getRemember()
);
$pkToken->setId($defaultToken->getId());
return $this->mapper->update($pkToken);
}
private function newToken(string $token,
string $uid,
string $loginName,
$password,
string $name,
int $type,
int $remember): PublicKeyToken {
$dbToken = new PublicKeyToken();
$dbToken->setUid($uid);
$dbToken->setLoginName($loginName);
$config = [
'digest_alg' => 'sha512',
'private_key_bits' => 2048,
];
// Generate new key
$res = openssl_pkey_new($config);
openssl_pkey_export($res, $privateKey);
// Extract the public key from $res to $pubKey
$publicKey = openssl_pkey_get_details($res);
$publicKey = $publicKey['key'];
$dbToken->setPublicKey($publicKey);
$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
if (!is_null($password)) {
$dbToken->setPassword($this->encryptPassword($password, $publicKey));
}
$dbToken->setName($name);
$dbToken->setToken($this->hashToken($token));
$dbToken->setType($type);
$dbToken->setRemember($remember);
$dbToken->setLastActivity($this->time->getTime());
$dbToken->setLastCheck($this->time->getTime());
return $dbToken;
}
} }

Write Preview
Loading…
Cancel
Save