Certain tokens can expire

However due to the nature of what we store in the token (encrypted passwords etc). We can't just delete the tokens because that would make the oauth refresh useless. Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
author: Roeland Jago Douma <roeland@famdouma.nl> 2018-05-16 13:39:00 +0300
committer: Roeland Jago Douma <roeland@famdouma.nl> 2018-05-17 17:10:19 +0300
commit: 6b7cf4672731f299de9b7b3c7e05fbb746d7fc95 (patch)
tree: 938221007fb4c12db864e429a4e3e02375065ac2
parent: 9f064b08b3df4817d3c2fdc608a708827df8b0ae (diff)
11 files changed, 220 insertions, 6 deletions
diff --git a/core/Migrations/Version14000Date20180516101403.php b/core/Migrations/Version14000Date20180516101403.php
new file mode 100644
index 00000000000..9b56e0ab601
--- /dev/null
+++ b/core/Migrations/Version14000Date20180516101403.php
@@ -0,0 +1,56 @@
+<?php
+/**
+ * @copyright Copyright (c) 2018 Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Core\Migrations;
+
+use OCP\DB\ISchemaWrapper;
+use OCP\Migration\SimpleMigrationStep;
+use OCP\Migration\IOutput;
+
+class Version14000Date20180516101403 extends SimpleMigrationStep {
+
+	/**
+	 * @param IOutput $output
+	 * @param \Closure $schemaClosure The `\Closure` returns a `ISchemaWrapper`
+	 * @param array $options
+	 * @return null|ISchemaWrapper
+	 */
+	public function changeSchema(IOutput $output, \Closure $schemaClosure, array $options) {
+		/** @var ISchemaWrapper $schema */
+		$schema = $schemaClosure();
+
+		$table = $schema->getTable('authtoken');
+
+		if (!$table->hasColumn('expires')) {
+			$table->addColumn('expires', 'integer', [
+				'notnull' => false,
+				'length' => 4,
+				'default' => null,
+				'unsigned' => true,
+			]);
+
+			return $schema;
+		}
+		return null;
+	}
+}
diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php
index cd5090cc93c..ebf5197d4dd 100644
--- a/lib/composer/composer/autoload_classmap.php
+++ b/lib/composer/composer/autoload_classmap.php
@@ -414,6 +414,7 @@ return array(
     'OC\\Authentication\\Token\\DefaultTokenCleanupJob' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenCleanupJob.php',
     'OC\\Authentication\\Token\\DefaultTokenMapper' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenMapper.php',
     'OC\\Authentication\\Token\\DefaultTokenProvider' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenProvider.php',
+    'OC\\Authentication\\Token\\ExpiredTokenException' => $baseDir . '/lib/private/Authentication/Exceptions/ExpiredTokenException.php',
     'OC\\Authentication\\Token\\IProvider' => $baseDir . '/lib/private/Authentication/Token/IProvider.php',
     'OC\\Authentication\\Token\\IToken' => $baseDir . '/lib/private/Authentication/Token/IToken.php',
     'OC\\Authentication\\TwoFactorAuth\\Manager' => $baseDir . '/lib/private/Authentication/TwoFactorAuth/Manager.php',
@@ -563,6 +564,7 @@ return array(
     'OC\\Core\\Migrations\\Version13000Date20170926101637' => $baseDir . '/core/Migrations/Version13000Date20170926101637.php',
     'OC\\Core\\Migrations\\Version14000Date20180129121024' => $baseDir . '/core/Migrations/Version14000Date20180129121024.php',
     'OC\\Core\\Migrations\\Version14000Date20180404140050' => $baseDir . '/core/Migrations/Version14000Date20180404140050.php',
+    'OC\\Core\\Migrations\\Version14000Date20180516101403' => $baseDir . '/core/Migrations/Version14000Date20180516101403.php',
     'OC\\DB\\Adapter' => $baseDir . '/lib/private/DB/Adapter.php',
     'OC\\DB\\AdapterMySQL' => $baseDir . '/lib/private/DB/AdapterMySQL.php',
     'OC\\DB\\AdapterOCI8' => $baseDir . '/lib/private/DB/AdapterOCI8.php',
diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php
index 4e47536eacc..9a1dfebf52b 100644
--- a/lib/composer/composer/autoload_static.php
+++ b/lib/composer/composer/autoload_static.php
@@ -444,6 +444,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
         'OC\\Authentication\\Token\\DefaultTokenCleanupJob' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenCleanupJob.php',
         'OC\\Authentication\\Token\\DefaultTokenMapper' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenMapper.php',
         'OC\\Authentication\\Token\\DefaultTokenProvider' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenProvider.php',
+        'OC\\Authentication\\Token\\ExpiredTokenException' => __DIR__ . '/../../..' . '/lib/private/Authentication/Exceptions/ExpiredTokenException.php',
         'OC\\Authentication\\Token\\IProvider' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/IProvider.php',
         'OC\\Authentication\\Token\\IToken' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/IToken.php',
         'OC\\Authentication\\TwoFactorAuth\\Manager' => __DIR__ . '/../../..' . '/lib/private/Authentication/TwoFactorAuth/Manager.php',
@@ -593,6 +594,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c
         'OC\\Core\\Migrations\\Version13000Date20170926101637' => __DIR__ . '/../../..' . '/core/Migrations/Version13000Date20170926101637.php',
         'OC\\Core\\Migrations\\Version14000Date20180129121024' => __DIR__ . '/../../..' . '/core/Migrations/Version14000Date20180129121024.php',
         'OC\\Core\\Migrations\\Version14000Date20180404140050' => __DIR__ . '/../../..' . '/core/Migrations/Version14000Date20180404140050.php',
+        'OC\\Core\\Migrations\\Version14000Date20180516101403' => __DIR__ . '/../../..' . '/core/Migrations/Version14000Date20180516101403.php',
         'OC\\DB\\Adapter' => __DIR__ . '/../../..' . '/lib/private/DB/Adapter.php',
         'OC\\DB\\AdapterMySQL' => __DIR__ . '/../../..' . '/lib/private/DB/AdapterMySQL.php',
         'OC\\DB\\AdapterOCI8' => __DIR__ . '/../../..' . '/lib/private/DB/AdapterOCI8.php',
diff --git a/lib/private/Authentication/Exceptions/ExpiredTokenException.php b/lib/private/Authentication/Exceptions/ExpiredTokenException.php
new file mode 100644
index 00000000000..a45ca5b6955
--- /dev/null
+++ b/lib/private/Authentication/Exceptions/ExpiredTokenException.php
@@ -0,0 +1,41 @@
+<?php
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2018 Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @author Roeland Jago Douma <roeland@famdouma.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OC\Authentication\Token;
+
+use OC\Authentication\Exceptions\InvalidTokenException;
+
+class ExpiredTokenException extends InvalidTokenException {
+	/** @var IToken */
+	private $token;
+
+	public function __construct(IToken $token) {
+		parent::__construct();
+
+		$this->token = $token;
+	}
+
+	public function getToken(): IToken {
+		return $this->token;
+	}
+}
diff --git a/lib/private/Authentication/Token/DefaultToken.php b/lib/private/Authentication/Token/DefaultToken.php
index 993dc7580ce..67aa89ea66b 100644
--- a/lib/private/Authentication/Token/DefaultToken.php
+++ b/lib/private/Authentication/Token/DefaultToken.php
@@ -70,6 +70,9 @@ class DefaultToken extends Entity implements IToken {
 	/** @var string */
 	protected $scope;
 
+	/** @var int */
+	protected $expires;
+
 	public function __construct() {
 		$this->addType('uid', 'string');
 		$this->addType('loginName', 'string');
@@ -81,6 +84,7 @@ class DefaultToken extends Entity implements IToken {
 		$this->addType('lastActivity', 'int');
 		$this->addType('lastCheck', 'int');
 		$this->addType('scope', 'string');
+		$this->addType('expires', 'int');
 	}
 
 	public function getId(): int {
@@ -179,4 +183,15 @@ class DefaultToken extends Entity implements IToken {
 	public function setPassword(string $password = null) {
 		parent::setPassword($password);
 	}
+
+	public function setExpires($expires) {
+		parent::setExpires($expires);
+	}
+
+	/**
+	 * @return int|null
+	 */
+	public function getExpires() {
+		return parent::getExpires();
+	}
 }
diff --git a/lib/private/Authentication/Token/DefaultTokenMapper.php b/lib/private/Authentication/Token/DefaultTokenMapper.php
index 285b043c2c1..a67d7d151e9 100644
--- a/lib/private/Authentication/Token/DefaultTokenMapper.php
+++ b/lib/private/Authentication/Token/DefaultTokenMapper.php
@@ -79,7 +79,7 @@ class DefaultTokenMapper extends QBMapper {
 	public function getToken(string $token): DefaultToken {
 		/* @var $qb IQueryBuilder */
 		$qb = $this->db->getQueryBuilder();
-		$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
+		$result = $qb->select('*')
 			->from('authtoken')
 			->where($qb->expr()->eq('token', $qb->createNamedParameter($token)))
 			->execute();
@@ -102,7 +102,7 @@ class DefaultTokenMapper extends QBMapper {
 	public function getTokenById(int $id): DefaultToken {
 		/* @var $qb IQueryBuilder */
 		$qb = $this->db->getQueryBuilder();
-		$result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'token', 'last_activity', 'last_check', 'scope')
+		$result = $qb->select('*')
 			->from('authtoken')
 			->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
 			->execute();
@@ -127,7 +127,7 @@ class DefaultTokenMapper extends QBMapper {
 	public function getTokenByUser(IUser $user): array {
 		/* @var $qb IQueryBuilder */
 		$qb = $this->db->getQueryBuilder();
-		$qb->select('id', 'uid', 'login_name', 'password', 'name', 'type', 'remember', 'token', 'last_activity', 'last_check', 'scope')
+		$qb->select('*')
 			->from('authtoken')
 			->where($qb->expr()->eq('uid', $qb->createNamedParameter($user->getUID())))
 			->setMaxResults(1000);
diff --git a/lib/private/Authentication/Token/DefaultTokenProvider.php b/lib/private/Authentication/Token/DefaultTokenProvider.php
index 5167361449b..5df74cadac4 100644
--- a/lib/private/Authentication/Token/DefaultTokenProvider.php
+++ b/lib/private/Authentication/Token/DefaultTokenProvider.php
@@ -161,14 +161,21 @@ class DefaultTokenProvider implements IProvider {
 	 *
 	 * @param string $tokenId
 	 * @throws InvalidTokenException
+	 * @throws ExpiredTokenException
 	 * @return IToken
 	 */
 	public function getToken(string $tokenId): IToken {
 		try {
-			return $this->mapper->getToken($this->hashToken($tokenId));
+			$token = $this->mapper->getToken($this->hashToken($tokenId));
 		} catch (DoesNotExistException $ex) {
 			throw new InvalidTokenException();
 		}
+
+		if ($token->getExpires() !== null && $token->getExpires() < $this->time->getTime()) {
+			throw new ExpiredTokenException($token);
+		}
+
+		return $token;
 	}
 
 	/**
@@ -176,14 +183,21 @@ class DefaultTokenProvider implements IProvider {
 	 *
 	 * @param int $tokenId
 	 * @throws InvalidTokenException
+	 * @throws ExpiredTokenException
 	 * @return IToken
 	 */
 	public function getTokenById(int $tokenId): IToken {
 		try {
-			return $this->mapper->getTokenById($tokenId);
+			$token = $this->mapper->getTokenById($tokenId);
 		} catch (DoesNotExistException $ex) {
 			throw new InvalidTokenException();
 		}
+
+		if ($token->getExpires() !== null && $token->getExpires() < $this->time->getTime()) {
+			throw new ExpiredTokenException($token);
+		}
+
+		return $token;
 	}
 
 	/**
diff --git a/lib/private/Authentication/Token/IProvider.php b/lib/private/Authentication/Token/IProvider.php
index 5215b61613e..0efffefac68 100644
--- a/lib/private/Authentication/Token/IProvider.php
+++ b/lib/private/Authentication/Token/IProvider.php
@@ -58,6 +58,7 @@ interface IProvider {
 	 *
 	 * @param string $tokenId
 	 * @throws InvalidTokenException
+	 * @throws ExpiredTokenException
 	 * @return IToken
 	 */
 	public function getToken(string $tokenId): IToken;
@@ -67,6 +68,7 @@ interface IProvider {
 	 *
 	 * @param int $tokenId
 	 * @throws InvalidTokenException
+	 * @throws ExpiredTokenException
 	 * @return IToken
 	 */
 	public function getTokenById(int $tokenId): IToken;
diff --git a/lib/private/Authentication/Token/IToken.php b/lib/private/Authentication/Token/IToken.php
index b5a1d47640d..e122ec02764 100644
--- a/lib/private/Authentication/Token/IToken.php
+++ b/lib/private/Authentication/Token/IToken.php
@@ -122,4 +122,11 @@ interface IToken extends JsonSerializable {
 	 * @param string $password
 	 */
 	public function setPassword(string $password);
+
+	/**
+	 * Set the expiration time of the token
+	 *
+	 * @param int|null $expires
+	 */
+	public function setExpires($expires);
 }
diff --git a/tests/lib/Authentication/Token/DefaultTokenProviderTest.php b/tests/lib/Authentication/Token/DefaultTokenProviderTest.php
index ee98f649443..95b5b928559 100644
--- a/tests/lib/Authentication/Token/DefaultTokenProviderTest.php
+++ b/tests/lib/Authentication/Token/DefaultTokenProviderTest.php
@@ -26,6 +26,7 @@ use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Token\DefaultToken;
 use OC\Authentication\Token\DefaultTokenMapper;
 use OC\Authentication\Token\DefaultTokenProvider;
+use OC\Authentication\Token\ExpiredTokenException;
 use OC\Authentication\Token\IToken;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Utility\ITimeFactory;
@@ -395,6 +396,63 @@ class DefaultTokenProviderTest extends TestCase {
 		$this->tokenProvider->renewSessionToken('oldId', 'newId');
 	}
 
+	public function testGetToken() {
+		$token = new DefaultToken();
+
+		$this->config->method('getSystemValue')
+			->with('secret')
+			->willReturn('mysecret');
+
+		$this->mapper->method('getToken')
+			->with(
+				$this->callback(function (string $token) {
+					return hash('sha512', 'unhashedTokenmysecret') === $token;
+				})
+			)->willReturn($token);
+
+		$this->assertSame($token, $this->tokenProvider->getToken('unhashedToken'));
+	}
+
+	public function testGetInvalidToken() {
+		$this->expectException(InvalidTokenException::class);
+
+		$this->config->method('getSystemValue')
+			->with('secret')
+			->willReturn('mysecret');
+
+		$this->mapper->method('getToken')
+			->with(
+				$this->callback(function (string $token) {
+					return hash('sha512', 'unhashedTokenmysecret') === $token;
+				})
+			)->willThrowException(new InvalidTokenException());
+
+		$this->tokenProvider->getToken('unhashedToken');
+	}
+
+	public function testGetExpiredToken() {
+		$token = new DefaultToken();
+		$token->setExpires(42);
+
+		$this->config->method('getSystemValue')
+			->with('secret')
+			->willReturn('mysecret');
+
+		$this->mapper->method('getToken')
+			->with(
+				$this->callback(function (string $token) {
+					return hash('sha512', 'unhashedTokenmysecret') === $token;
+				})
+			)->willReturn($token);
+
+		try {
+			$this->tokenProvider->getToken('unhashedToken');
+		} catch (ExpiredTokenException $e) {
+			$this->assertSame($token, $e->getToken());
+		}
+
+	}
+
 	public function testGetTokenById() {
 		$token = $this->createMock(DefaultToken::class);
 
@@ -417,6 +475,23 @@ class DefaultTokenProviderTest extends TestCase {
 		$this->tokenProvider->getTokenById(42);
 	}
 
+	public function testGetExpiredTokenById() {
+		$token = new DefaultToken();
+		$token->setExpires(42);
+
+		$this->mapper->expects($this->once())
+			->method('getTokenById')
+			->with($this->equalTo(42))
+			->willReturn($token);
+
+		try {
+			$this->tokenProvider->getTokenById(42);
+			$this->fail();
+		} catch (ExpiredTokenException $e) {
+			$this->assertSame($token, $e->getToken());
+		}
+	}
+
 	public function testRotate() {
 		$token = new DefaultToken();
 		$token->setPassword('oldencryptedpassword');
diff --git a/version.php b/version.php
index 433f248aec7..a7b0fdbcc67 100644
--- a/version.php
+++ b/version.php
@@ -29,7 +29,7 @@
 // between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel
 // when updating major/minor version number.
 
-$OC_Version = array(14, 0, 0, 3);
+$OC_Version = array(14, 0, 0, 4);
 
 // The human readable string
 $OC_VersionString = '14.0.0 alpha';
author	Roeland Jago Douma <roeland@famdouma.nl>	2018-05-16 13:39:00 +0300
committer	Roeland Jago Douma <roeland@famdouma.nl>	2018-05-17 17:10:19 +0300
commit	6b7cf4672731f299de9b7b3c7e05fbb746d7fc95 (patch)
tree	938221007fb4c12db864e429a4e3e02375065ac2
parent	9f064b08b3df4817d3c2fdc608a708827df8b0ae (diff)