diff options
| -rw-r--r-- | lib/composer/composer/autoload_classmap.php | 4 | ||||
| -rw-r--r-- | lib/composer/composer/autoload_static.php | 4 | ||||
| -rw-r--r-- | lib/private/Authentication/Token/DefaultToken.php | 209 | ||||
| -rw-r--r-- | lib/private/Authentication/Token/DefaultTokenCleanupJob.php | 34 | ||||
| -rw-r--r-- | lib/private/Authentication/Token/DefaultTokenMapper.php | 172 | ||||
| -rw-r--r-- | lib/private/Authentication/Token/DefaultTokenProvider.php | 343 | ||||
| -rw-r--r-- | lib/private/Authentication/Token/Manager.php | 45 | ||||
| -rw-r--r-- | lib/private/Authentication/Token/PublicKeyTokenMapper.php | 18 | ||||
| -rw-r--r-- | lib/private/Authentication/Token/PublicKeyTokenProvider.php | 24 | ||||
| -rw-r--r-- | lib/private/Server.php | 8 | ||||
| -rw-r--r-- | lib/private/Setup.php | 8 | ||||
| -rw-r--r-- | lib/private/User/Session.php | 4 |
12 files changed, 23 insertions, 850 deletions
diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php index 09d5159369e..70d298a851d 100644 --- a/lib/composer/composer/autoload_classmap.php +++ b/lib/composer/composer/autoload_classmap.php @@ -728,10 +728,6 @@ return array( 'OC\\Authentication\\Login\\WebAuthnChain' => $baseDir . '/lib/private/Authentication/Login/WebAuthnChain.php', 'OC\\Authentication\\Login\\WebAuthnLoginCommand' => $baseDir . '/lib/private/Authentication/Login/WebAuthnLoginCommand.php', 'OC\\Authentication\\Notifications\\Notifier' => $baseDir . '/lib/private/Authentication/Notifications/Notifier.php', - 'OC\\Authentication\\Token\\DefaultToken' => $baseDir . '/lib/private/Authentication/Token/DefaultToken.php', - 'OC\\Authentication\\Token\\DefaultTokenCleanupJob' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenCleanupJob.php', - 'OC\\Authentication\\Token\\DefaultTokenMapper' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenMapper.php', - 'OC\\Authentication\\Token\\DefaultTokenProvider' => $baseDir . '/lib/private/Authentication/Token/DefaultTokenProvider.php', 'OC\\Authentication\\Token\\INamedToken' => $baseDir . '/lib/private/Authentication/Token/INamedToken.php', 'OC\\Authentication\\Token\\IProvider' => $baseDir . '/lib/private/Authentication/Token/IProvider.php', 'OC\\Authentication\\Token\\IToken' => $baseDir . '/lib/private/Authentication/Token/IToken.php', diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php index 932de0b7858..280c590cd9a 100644 --- a/lib/composer/composer/autoload_static.php +++ b/lib/composer/composer/autoload_static.php @@ -757,10 +757,6 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c 'OC\\Authentication\\Login\\WebAuthnChain' => __DIR__ . '/../../..' . '/lib/private/Authentication/Login/WebAuthnChain.php', 'OC\\Authentication\\Login\\WebAuthnLoginCommand' => __DIR__ . '/../../..' . '/lib/private/Authentication/Login/WebAuthnLoginCommand.php', 'OC\\Authentication\\Notifications\\Notifier' => __DIR__ . '/../../..' . '/lib/private/Authentication/Notifications/Notifier.php', - 'OC\\Authentication\\Token\\DefaultToken' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultToken.php', - 'OC\\Authentication\\Token\\DefaultTokenCleanupJob' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenCleanupJob.php', - 'OC\\Authentication\\Token\\DefaultTokenMapper' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenMapper.php', - 'OC\\Authentication\\Token\\DefaultTokenProvider' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/DefaultTokenProvider.php', 'OC\\Authentication\\Token\\INamedToken' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/INamedToken.php', 'OC\\Authentication\\Token\\IProvider' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/IProvider.php', 'OC\\Authentication\\Token\\IToken' => __DIR__ . '/../../..' . '/lib/private/Authentication/Token/IToken.php', diff --git a/lib/private/Authentication/Token/DefaultToken.php b/lib/private/Authentication/Token/DefaultToken.php deleted file mode 100644 index b649fdbb6af..00000000000 --- a/lib/private/Authentication/Token/DefaultToken.php +++ /dev/null @@ -1,209 +0,0 @@ -<?php - -declare(strict_types=1); - -/** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Daniel Kesselberg <mail@danielkesselberg.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OC\Authentication\Token; - -use OCP\AppFramework\Db\Entity; - -/** - * @method void setId(int $id) - * @method void setUid(string $uid); - * @method void setLoginName(string $loginname) - * @method string getToken() - * @method void setType(int $type) - * @method int getType() - * @method void setRemember(int $remember) - * @method void setLastActivity(int $lastactivity) - * @method int getLastActivity() - * @method void setVersion(int $version) - */ -class DefaultToken extends Entity implements INamedToken { - public const VERSION = 1; - - /** @var string user UID */ - protected $uid; - - /** @var string login name used for generating the token */ - protected $loginName; - - /** @var string encrypted user password */ - protected $password; - - /** @var string token name (e.g. browser/OS) */ - protected $name; - - /** @var string */ - protected $token; - - /** @var int */ - protected $type; - - /** @var int */ - protected $remember; - - /** @var int */ - protected $lastActivity; - - /** @var int */ - protected $lastCheck; - - /** @var string */ - protected $scope; - - /** @var int */ - protected $expires; - - /** @var int */ - protected $version; - - public function __construct() { - $this->addType('uid', 'string'); - $this->addType('loginName', 'string'); - $this->addType('password', 'string'); - $this->addType('name', 'string'); - $this->addType('token', 'string'); - $this->addType('type', 'int'); - $this->addType('remember', 'int'); - $this->addType('lastActivity', 'int'); - $this->addType('lastCheck', 'int'); - $this->addType('scope', 'string'); - $this->addType('expires', 'int'); - $this->addType('version', 'int'); - } - - public function getId(): int { - return $this->id; - } - - public function getUID(): string { - return $this->uid; - } - - /** - * Get the login name used when generating the token - * - * @return string - */ - public function getLoginName(): string { - return parent::getLoginName(); - } - - /** - * Get the (encrypted) login password - * - * @return string|null - */ - public function getPassword() { - return parent::getPassword(); - } - - public function jsonSerialize(): array { - return [ - 'id' => $this->id, - 'name' => $this->name, - 'lastActivity' => $this->lastActivity, - 'type' => $this->type, - 'scope' => $this->getScopeAsArray() - ]; - } - - /** - * Get the timestamp of the last password check - * - * @return int - */ - public function getLastCheck(): int { - return parent::getLastCheck(); - } - - /** - * Get the timestamp of the last password check - * - * @param int $time - */ - public function setLastCheck(int $time) { - parent::setLastCheck($time); - } - - public function getScope(): string { - $scope = parent::getScope(); - if ($scope === null) { - return ''; - } - - return $scope; - } - - public function getScopeAsArray(): array { - $scope = json_decode($this->getScope(), true); - if (!$scope) { - return [ - 'filesystem' => true - ]; - } - return $scope; - } - - public function setScope($scope) { - if (\is_array($scope)) { - parent::setScope(json_encode($scope)); - } else { - parent::setScope((string)$scope); - } - } - - public function getName(): string { - return parent::getName(); - } - - public function setName(string $name): void { - parent::setName($name); - } - - public function getRemember(): int { - return parent::getRemember(); - } - - public function setToken(string $token) { - parent::setToken($token); - } - - public function setPassword(string $password = null) { - parent::setPassword($password); - } - - public function setExpires($expires) { - parent::setExpires($expires); - } - - /** - * @return int|null - */ - public function getExpires() { - return parent::getExpires(); - } -} diff --git a/lib/private/Authentication/Token/DefaultTokenCleanupJob.php b/lib/private/Authentication/Token/DefaultTokenCleanupJob.php deleted file mode 100644 index c3d80beac69..00000000000 --- a/lib/private/Authentication/Token/DefaultTokenCleanupJob.php +++ /dev/null @@ -1,34 +0,0 @@ -<?php -/** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Morris Jobke <hey@morrisjobke.de> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OC\Authentication\Token; - -use OC; -use OC\BackgroundJob\Job; - -class DefaultTokenCleanupJob extends Job { - protected function run($argument) { - /* @var $provider IProvider */ - $provider = OC::$server->query(IProvider::class); - $provider->invalidateOldTokens(); - } -} diff --git a/lib/private/Authentication/Token/DefaultTokenMapper.php b/lib/private/Authentication/Token/DefaultTokenMapper.php deleted file mode 100644 index 6ceb777c30f..00000000000 --- a/lib/private/Authentication/Token/DefaultTokenMapper.php +++ /dev/null @@ -1,172 +0,0 @@ -<?php - -declare(strict_types=1); - -/** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Bjoern Schiessle <bjoern@schiessle.org> - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Marcel Waldvogel <marcel.waldvogel@uni-konstanz.de> - * @author Robin Appelman <robin@icewind.nl> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OC\Authentication\Token; - -use OCP\AppFramework\Db\DoesNotExistException; -use OCP\AppFramework\Db\QBMapper; -use OCP\DB\QueryBuilder\IQueryBuilder; -use OCP\IDBConnection; - -/** - * @template-extends QBMapper<DefaultToken> - */ -class DefaultTokenMapper extends QBMapper { - public function __construct(IDBConnection $db) { - parent::__construct($db, 'authtoken'); - } - - /** - * Invalidate (delete) a given token - * - * @param string $token - */ - public function invalidate(string $token) { - /* @var $qb IQueryBuilder */ - $qb = $this->db->getQueryBuilder(); - $qb->delete('authtoken') - ->where($qb->expr()->eq('token', $qb->createNamedParameter($token, IQueryBuilder::PARAM_STR))) - ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))) - ->execute(); - } - - /** - * @param int $olderThan - * @param int $remember - */ - public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) { - /* @var $qb IQueryBuilder */ - $qb = $this->db->getQueryBuilder(); - $qb->delete('authtoken') - ->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT))) - ->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT))) - ->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT))) - ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))) - ->execute(); - } - - /** - * Get the user UID for the given token - * - * @param string $token - * @throws DoesNotExistException - * @return DefaultToken - */ - public function getToken(string $token): DefaultToken { - /* @var $qb IQueryBuilder */ - $qb = $this->db->getQueryBuilder(); - $result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version') - ->from('authtoken') - ->where($qb->expr()->eq('token', $qb->createNamedParameter($token))) - ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))) - ->execute(); - - $data = $result->fetch(); - $result->closeCursor(); - if ($data === false) { - throw new DoesNotExistException('token does not exist'); - } - return DefaultToken::fromRow($data); - } - - /** - * Get the token for $id - * - * @param int $id - * @throws DoesNotExistException - * @return DefaultToken - */ - public function getTokenById(int $id): DefaultToken { - /* @var $qb IQueryBuilder */ - $qb = $this->db->getQueryBuilder(); - $result = $qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version') - ->from('authtoken') - ->where($qb->expr()->eq('id', $qb->createNamedParameter($id))) - ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))) - ->execute(); - - $data = $result->fetch(); - $result->closeCursor(); - if ($data === false) { - throw new DoesNotExistException('token does not exist'); - } - return DefaultToken::fromRow($data); - } - - /** - * Get all tokens of a user - * - * The provider may limit the number of result rows in case of an abuse - * where a high number of (session) tokens is generated - * - * @param string $uid - * @return DefaultToken[] - */ - public function getTokenByUser(string $uid): array { - /* @var $qb IQueryBuilder */ - $qb = $this->db->getQueryBuilder(); - $qb->select('id', 'uid', 'login_name', 'password', 'name', 'token', 'type', 'remember', 'last_activity', 'last_check', 'scope', 'expires', 'version') - ->from('authtoken') - ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) - ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))) - ->setMaxResults(1000); - $result = $qb->execute(); - $data = $result->fetchAll(); - $result->closeCursor(); - - $entities = array_map(function ($row) { - return DefaultToken::fromRow($row); - }, $data); - - return $entities; - } - - public function deleteById(string $uid, int $id) { - /* @var $qb IQueryBuilder */ - $qb = $this->db->getQueryBuilder(); - $qb->delete('authtoken') - ->where($qb->expr()->eq('id', $qb->createNamedParameter($id))) - ->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) - ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))); - $qb->execute(); - } - - /** - * delete all auth token which belong to a specific client if the client was deleted - * - * @param string $name - */ - public function deleteByName(string $name) { - $qb = $this->db->getQueryBuilder(); - $qb->delete('authtoken') - ->where($qb->expr()->eq('name', $qb->createNamedParameter($name), IQueryBuilder::PARAM_STR)) - ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(DefaultToken::VERSION, IQueryBuilder::PARAM_INT))); - $qb->execute(); - } -} diff --git a/lib/private/Authentication/Token/DefaultTokenProvider.php b/lib/private/Authentication/Token/DefaultTokenProvider.php deleted file mode 100644 index c10d7f17bc2..00000000000 --- a/lib/private/Authentication/Token/DefaultTokenProvider.php +++ /dev/null @@ -1,343 +0,0 @@ -<?php - -declare(strict_types=1); - -/** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * @copyright Copyright (c) 2016, Christoph Wurst <christoph@winzerhof-wurst.at> - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Flávio Gomes da Silva Lisboa <flavio.lisboa@serpro.gov.br> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Martin <github@diemattels.at> - * @author Robin Appelman <robin@icewind.nl> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OC\Authentication\Token; - -use Exception; -use OC\Authentication\Exceptions\ExpiredTokenException; -use OC\Authentication\Exceptions\InvalidTokenException; -use OC\Authentication\Exceptions\PasswordlessTokenException; -use OCP\AppFramework\Db\DoesNotExistException; -use OCP\AppFramework\Utility\ITimeFactory; -use OCP\IConfig; -use OCP\Security\ICrypto; -use Psr\Log\LoggerInterface; - -class DefaultTokenProvider implements IProvider { - - /** @var DefaultTokenMapper */ - private $mapper; - - /** @var ICrypto */ - private $crypto; - - /** @var IConfig */ - private $config; - - /** @var LoggerInterface */ - private $logger; - - /** @var ITimeFactory */ - private $time; - - public function __construct(DefaultTokenMapper $mapper, - ICrypto $crypto, - IConfig $config, - LoggerInterface $logger, - ITimeFactory $time) { - $this->mapper = $mapper; - $this->crypto = $crypto; - $this->config = $config; - $this->logger = $logger; - $this->time = $time; - } - - /** - * {@inheritDoc} - */ - public function generateToken(string $token, - string $uid, - string $loginName, - ?string $password, - string $name, - int $type = IToken::TEMPORARY_TOKEN, - int $remember = IToken::DO_NOT_REMEMBER): IToken { - $dbToken = new DefaultToken(); - $dbToken->setUid($uid); - $dbToken->setLoginName($loginName); - if (!is_null($password)) { - $dbToken->setPassword($this->encryptPassword($password, $token)); - } - $dbToken->setName($name); - $dbToken->setToken($this->hashToken($token)); - $dbToken->setType($type); - $dbToken->setRemember($remember); - $dbToken->setLastActivity($this->time->getTime()); - $dbToken->setLastCheck($this->time->getTime()); - $dbToken->setVersion(DefaultToken::VERSION); - - $this->mapper->insert($dbToken); - - return $dbToken; - } - - /** - * Save the updated token - * - * @param IToken $token - * @throws InvalidTokenException - */ - public function updateToken(IToken $token) { - if (!($token instanceof DefaultToken)) { - throw new InvalidTokenException("Invalid token type"); - } - $this->mapper->update($token); - } - - /** - * Update token activity timestamp - * - * @throws InvalidTokenException - * @param IToken $token - */ - public function updateTokenActivity(IToken $token) { - if (!($token instanceof DefaultToken)) { - throw new InvalidTokenException("Invalid token type"); - } - /** @var DefaultToken $token */ - $now = $this->time->getTime(); - if ($token->getLastActivity() < ($now - 60)) { - // Update token only once per minute - $token->setLastActivity($now); - $this->mapper->update($token); - } - } - - public function getTokenByUser(string $uid): array { - return $this->mapper->getTokenByUser($uid); - } - - /** - * Get a token by token - * - * @param string $tokenId - * @throws InvalidTokenException - * @throws ExpiredTokenException - * @return IToken - */ - public function getToken(string $tokenId): IToken { - try { - $token = $this->mapper->getToken($this->hashToken($tokenId)); - } catch (DoesNotExistException $ex) { - throw new InvalidTokenException("Token does not exist", 0, $ex); - } - - if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) { - throw new ExpiredTokenException($token); - } - - return $token; - } - - /** - * Get a token by token id - * - * @param int $tokenId - * @throws InvalidTokenException - * @throws ExpiredTokenException - * @return IToken - */ - public function getTokenById(int $tokenId): IToken { - try { - $token = $this->mapper->getTokenById($tokenId); - } catch (DoesNotExistException $ex) { - throw new InvalidTokenException("Token with ID $tokenId does not exist", 0, $ex); - } - - if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) { - throw new ExpiredTokenException($token); - } - - return $token; - } - - /** - * @param string $oldSessionId - * @param string $sessionId - * @throws InvalidTokenException - * @return IToken - */ - public function renewSessionToken(string $oldSessionId, string $sessionId): IToken { - $token = $this->getToken($oldSessionId); - - $newToken = new DefaultToken(); - $newToken->setUid($token->getUID()); - $newToken->setLoginName($token->getLoginName()); - if (!is_null($token->getPassword())) { - $password = $this->decryptPassword($token->getPassword(), $oldSessionId); - $newToken->setPassword($this->encryptPassword($password, $sessionId)); - } - $newToken->setName($token->getName()); - $newToken->setToken($this->hashToken($sessionId)); - $newToken->setType(IToken::TEMPORARY_TOKEN); - $newToken->setRemember($token->getRemember()); - $newToken->setLastActivity($this->time->getTime()); - $this->mapper->insert($newToken); - $this->mapper->delete($token); - - return $newToken; - } - - /** - * @param IToken $savedToken - * @param string $tokenId session token - * @throws InvalidTokenException - * @throws PasswordlessTokenException - * @return string - */ - public function getPassword(IToken $savedToken, string $tokenId): string { - $password = $savedToken->getPassword(); - if ($password === null || $password === '') { - throw new PasswordlessTokenException(); - } - return $this->decryptPassword($password, $tokenId); - } - - /** - * Encrypt and set the password of the given token - * - * @param IToken $token - * @param string $tokenId - * @param string $password - * @throws InvalidTokenException - */ - public function setPassword(IToken $token, string $tokenId, string $password) { - if (!($token instanceof DefaultToken)) { - throw new InvalidTokenException("Invalid token type"); - } - /** @var DefaultToken $token */ - $token->setPassword($this->encryptPassword($password, $tokenId)); - $this->mapper->update($token); - } - - /** - * Invalidate (delete) the given session token - * - * @param string $token - */ - public function invalidateToken(string $token) { - $this->mapper->invalidate($this->hashToken($token)); - } - - public function invalidateTokenById(string $uid, int $id) { - $this->mapper->deleteById($uid, $id); - } - - /** - * Invalidate (delete) old session tokens - */ - public function invalidateOldTokens() { - $olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24); - $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']); - $this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER); - $rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15); - $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']); - $this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER); - } - - /** - * Rotate the token. Usefull for for example oauth tokens - * - * @param IToken $token - * @param string $oldTokenId - * @param string $newTokenId - * @return IToken - */ - public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken { - try { - $password = $this->getPassword($token, $oldTokenId); - $token->setPassword($this->encryptPassword($password, $newTokenId)); - } catch (PasswordlessTokenException $e) { - } - - $token->setToken($this->hashToken($newTokenId)); - $this->updateToken($token); - - return $token; - } - - /** - * @param string $token - * @return string - */ - private function hashToken(string $token): string { - $secret = $this->config->getSystemValue('secret'); - return hash('sha512', $token . $secret); - } - - /** - * Encrypt the given password - * - * The token is used as key - * - * @param string $password - * @param string $token - * @return string encrypted password - */ - private function encryptPassword(string $password, string $token): string { - $secret = $this->config->getSystemValue('secret'); - return $this->crypto->encrypt($password, $token . $secret); - } - - /** - * Decrypt the given password - * - * The token is used as key - * - * @param string $password - * @param string $token - * @throws InvalidTokenException - * @return string the decrypted key - */ - private function decryptPassword(string $password, string $token): string { - $secret = $this->config->getSystemValue('secret'); - try { - return $this->crypto->decrypt($password, $token . $secret); - } catch (Exception $ex) { - // Delete the invalid token - $this->invalidateToken($token); - throw new InvalidTokenException("Can not decrypt token password: " . $ex->getMessage(), 0, $ex); - } - } - - public function markPasswordInvalid(IToken $token, string $tokenId) { - if (!($token instanceof DefaultToken)) { - throw new InvalidTokenException("Invalid token type"); - } - - //No need to mark as invalid. We just invalide default tokens - $this->invalidateToken($tokenId); - } - - public function updatePasswords(string $uid, string $password) { - // Nothing to do here - } -} diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php index b718ce73ea4..0a7a821e23e 100644 --- a/lib/private/Authentication/Token/Manager.php +++ b/lib/private/Authentication/Token/Manager.php @@ -35,14 +35,10 @@ use OC\Authentication\Exceptions\WipeTokenException; class Manager implements IProvider { - /** @var DefaultTokenProvider */ - private $defaultTokenProvider; - /** @var PublicKeyTokenProvider */ private $publicKeyTokenProvider; - public function __construct(DefaultTokenProvider $defaultTokenProvider, PublicKeyTokenProvider $publicKeyTokenProvider) { - $this->defaultTokenProvider = $defaultTokenProvider; + public function __construct(PublicKeyTokenProvider $publicKeyTokenProvider) { $this->publicKeyTokenProvider = $publicKeyTokenProvider; } @@ -117,10 +113,7 @@ class Manager implements IProvider { * @return IToken[] */ public function getTokenByUser(string $uid): array { - $old = $this->defaultTokenProvider->getTokenByUser($uid); - $new = $this->publicKeyTokenProvider->getTokenByUser($uid); - - return array_merge($old, $new); + return $this->publicKeyTokenProvider->getTokenByUser($uid); } /** @@ -139,19 +132,8 @@ class Manager implements IProvider { } catch (ExpiredTokenException $e) { throw $e; } catch (InvalidTokenException $e) { - // No worries we try to convert it to a PublicKey Token - } - - //Convert! - $token = $this->defaultTokenProvider->getToken($tokenId); - - try { - $password = $this->defaultTokenProvider->getPassword($token, $tokenId); - } catch (PasswordlessTokenException $e) { - $password = null; + throw $e; } - - return $this->publicKeyTokenProvider->convertToken($token, $tokenId, $password); } /** @@ -169,7 +151,7 @@ class Manager implements IProvider { } catch (WipeTokenException $e) { throw $e; } catch (InvalidTokenException $e) { - return $this->defaultTokenProvider->getTokenById($tokenId); + throw $e; } } @@ -185,7 +167,7 @@ class Manager implements IProvider { } catch (ExpiredTokenException $e) { throw $e; } catch (InvalidTokenException $e) { - return $this->defaultTokenProvider->renewSessionToken($oldSessionId, $sessionId); + throw $e; } } @@ -207,17 +189,14 @@ class Manager implements IProvider { } public function invalidateToken(string $token) { - $this->defaultTokenProvider->invalidateToken($token); $this->publicKeyTokenProvider->invalidateToken($token); } public function invalidateTokenById(string $uid, int $id) { - $this->defaultTokenProvider->invalidateTokenById($uid, $id); $this->publicKeyTokenProvider->invalidateTokenById($uid, $id); } public function invalidateOldTokens() { - $this->defaultTokenProvider->invalidateOldTokens(); $this->publicKeyTokenProvider->invalidateOldTokens(); } @@ -230,16 +209,6 @@ class Manager implements IProvider { * @throws \RuntimeException when OpenSSL reports a problem */ public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken { - if ($token instanceof DefaultToken) { - try { - $password = $this->defaultTokenProvider->getPassword($token, $oldTokenId); - } catch (PasswordlessTokenException $e) { - $password = null; - } - - return $this->publicKeyTokenProvider->convertToken($token, $newTokenId, $password); - } - if ($token instanceof PublicKeyToken) { return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId); } @@ -253,9 +222,6 @@ class Manager implements IProvider { * @throws InvalidTokenException */ private function getProvider(IToken $token): IProvider { - if ($token instanceof DefaultToken) { - return $this->defaultTokenProvider; - } if ($token instanceof PublicKeyToken) { return $this->publicKeyTokenProvider; } @@ -268,7 +234,6 @@ class Manager implements IProvider { } public function updatePasswords(string $uid, string $password) { - $this->defaultTokenProvider->updatePasswords($uid, $password); $this->publicKeyTokenProvider->updatePasswords($uid, $password); } } diff --git a/lib/private/Authentication/Token/PublicKeyTokenMapper.php b/lib/private/Authentication/Token/PublicKeyTokenMapper.php index 0c532312ace..7b11ef8adf3 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenMapper.php +++ b/lib/private/Authentication/Token/PublicKeyTokenMapper.php @@ -48,7 +48,7 @@ class PublicKeyTokenMapper extends QBMapper { public function invalidate(string $token) { /* @var $qb IQueryBuilder */ $qb = $this->db->getQueryBuilder(); - $qb->delete('authtoken') + $qb->delete($this->tableName) ->where($qb->expr()->eq('token', $qb->createNamedParameter($token))) ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) ->execute(); @@ -61,7 +61,7 @@ class PublicKeyTokenMapper extends QBMapper { public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) { /* @var $qb IQueryBuilder */ $qb = $this->db->getQueryBuilder(); - $qb->delete('authtoken') + $qb->delete($this->tableName) ->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT))) ->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT))) ->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT))) @@ -78,7 +78,7 @@ class PublicKeyTokenMapper extends QBMapper { /* @var $qb IQueryBuilder */ $qb = $this->db->getQueryBuilder(); $result = $qb->select('*') - ->from('authtoken') + ->from($this->tableName) ->where($qb->expr()->eq('token', $qb->createNamedParameter($token))) ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) ->execute(); @@ -100,7 +100,7 @@ class PublicKeyTokenMapper extends QBMapper { /* @var $qb IQueryBuilder */ $qb = $this->db->getQueryBuilder(); $result = $qb->select('*') - ->from('authtoken') + ->from($this->tableName) ->where($qb->expr()->eq('id', $qb->createNamedParameter($id))) ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) ->execute(); @@ -126,7 +126,7 @@ class PublicKeyTokenMapper extends QBMapper { /* @var $qb IQueryBuilder */ $qb = $this->db->getQueryBuilder(); $qb->select('*') - ->from('authtoken') + ->from($this->tableName) ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) ->setMaxResults(1000); @@ -144,7 +144,7 @@ class PublicKeyTokenMapper extends QBMapper { public function deleteById(string $uid, int $id) { /* @var $qb IQueryBuilder */ $qb = $this->db->getQueryBuilder(); - $qb->delete('authtoken') + $qb->delete($this->tableName) ->where($qb->expr()->eq('id', $qb->createNamedParameter($id))) ->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))); @@ -158,7 +158,7 @@ class PublicKeyTokenMapper extends QBMapper { */ public function deleteByName(string $name) { $qb = $this->db->getQueryBuilder(); - $qb->delete('authtoken') + $qb->delete($this->tableName) ->where($qb->expr()->eq('name', $qb->createNamedParameter($name), IQueryBuilder::PARAM_STR)) ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))); $qb->execute(); @@ -167,7 +167,7 @@ class PublicKeyTokenMapper extends QBMapper { public function deleteTempToken(PublicKeyToken $except) { $qb = $this->db->getQueryBuilder(); - $qb->delete('authtoken') + $qb->delete($this->tableName) ->where($qb->expr()->eq('uid', $qb->createNamedParameter($except->getUID()))) ->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN))) ->andWhere($qb->expr()->neq('id', $qb->createNamedParameter($except->getId()))) @@ -179,7 +179,7 @@ class PublicKeyTokenMapper extends QBMapper { public function hasExpiredTokens(string $uid): bool { $qb = $this->db->getQueryBuilder(); $qb->select('*') - ->from('authtoken') + ->from($this->tableName) ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) ->andWhere($qb->expr()->eq('password_invalid', $qb->createNamedParameter(true), IQueryBuilder::PARAM_BOOL)) ->setMaxResults(1); diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index b9cfce6c869..04781457a7a 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -322,30 +322,6 @@ class PublicKeyTokenProvider implements IProvider { } /** - * Convert a DefaultToken to a publicKeyToken - * This will also be updated directly in the Database - * @throws \RuntimeException when OpenSSL reports a problem - */ - public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken { - $this->cache->clear(); - - $pkToken = $this->newToken( - $token, - $defaultToken->getUID(), - $defaultToken->getLoginName(), - $password, - $defaultToken->getName(), - $defaultToken->getType(), - $defaultToken->getRemember() - ); - - $pkToken->setExpires($defaultToken->getExpires()); - $pkToken->setId($defaultToken->getId()); - - return $this->mapper->update($pkToken); - } - - /** * @throws \RuntimeException when OpenSSL reports a problem */ private function newToken(string $token, diff --git a/lib/private/Server.php b/lib/private/Server.php index baebbe7558d..92f0ef57f0f 100644 --- a/lib/private/Server.php +++ b/lib/private/Server.php @@ -522,11 +522,11 @@ class Server extends ServerContainer implements IServerContainer { $session = new \OC\Session\Memory(''); $timeFactory = new TimeFactory(); // Token providers might require a working database. This code - // might however be called when ownCloud is not yet setup. + // might however be called when Nextcloud is not yet setup. if (\OC::$server->get(SystemConfig::class)->getValue('installed', false)) { - $defaultTokenProvider = $c->get(IProvider::class); + $provider = $c->get(IProvider::class); } else { - $defaultTokenProvider = null; + $provider = null; } $legacyDispatcher = $c->get(SymfonyAdapter::class); @@ -535,7 +535,7 @@ class Server extends ServerContainer implements IServerContainer { $manager, $session, $timeFactory, - $defaultTokenProvider, + $provider, $c->get(\OCP\IConfig::class), $c->get(ISecureRandom::class), $c->getLockdownManager(), diff --git a/lib/private/Setup.php b/lib/private/Setup.php index 589bbb273c0..177ede1e292 100644 --- a/lib/private/Setup.php +++ b/lib/private/Setup.php @@ -52,8 +52,7 @@ use bantu\IniGetWrapper\IniGetWrapper; use Exception; use InvalidArgumentException; use OC\App\AppStore\Bundles\BundleFetcher; -use OC\Authentication\Token\DefaultTokenCleanupJob; -use OC\Authentication\Token\DefaultTokenProvider; +use OC\Authentication\Token\PublicKeyTokenProvider; use OC\Log\Rotate; use OC\Preview\BackgroundCleanupJob; use OCP\AppFramework\Utility\ITimeFactory; @@ -432,8 +431,8 @@ class Setup { // The token provider requires a working db, so it's not injected on setup /* @var $userSession User\Session */ $userSession = \OC::$server->getUserSession(); - $defaultTokenProvider = \OC::$server->query(DefaultTokenProvider::class); - $userSession->setTokenProvider($defaultTokenProvider); + $provider = \OC::$server->query(PublicKeyTokenProvider::class); + $userSession->setTokenProvider($provider); $userSession->login($username, $password); $userSession->createSessionToken($request, $userSession->getUser()->getUID(), $username, $password); @@ -451,7 +450,6 @@ class Setup { public static function installBackgroundJobs() { $jobList = \OC::$server->getJobList(); - $jobList->add(DefaultTokenCleanupJob::class); $jobList->add(Rotate::class); $jobList->add(BackgroundCleanupJob::class); } diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 710cba84879..e84576236b8 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -123,7 +123,7 @@ class Session implements IUserSession, Emitter { * @param Manager $manager * @param ISession $session * @param ITimeFactory $timeFactory - * @param IProvider $tokenProvider + * @param IProvider|null $tokenProvider * @param IConfig $config * @param ISecureRandom $random * @param ILockdownManager $lockdownManager @@ -132,7 +132,7 @@ class Session implements IUserSession, Emitter { public function __construct(Manager $manager, ISession $session, ITimeFactory $timeFactory, - $tokenProvider, + ?IProvider $tokenProvider, IConfig $config, ISecureRandom $random, ILockdownManager $lockdownManager, |