Browse Source
Merge pull request #9485 from nextcloud/feature/9441/multiple_token_providers
Merge pull request #9485 from nextcloud/feature/9441/multiple_token_providers
Add new public key token provider (tokens survive password change)pull/9906/head
blizzz
8 years ago
committed by
GitHub
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 2309 additions and 111 deletions
-
54core/Migrations/Version14000Date20180518120534.php
-
5lib/composer/composer/autoload_classmap.php
-
5lib/composer/composer/autoload_static.php
-
7lib/private/Authentication/Token/DefaultToken.php
-
33lib/private/Authentication/Token/DefaultTokenMapper.php
-
27lib/private/Authentication/Token/DefaultTokenProvider.php
-
9lib/private/Authentication/Token/IProvider.php
-
230lib/private/Authentication/Token/Manager.php
-
217lib/private/Authentication/Token/PublicKeyToken.php
-
172lib/private/Authentication/Token/PublicKeyTokenMapper.php
-
320lib/private/Authentication/Token/PublicKeyTokenProvider.php
-
10lib/private/Server.php
-
13settings/Controller/AuthSettingsController.php
-
12tests/Settings/Controller/AuthSettingsControllerTest.php
-
12tests/lib/Authentication/Token/DefaultTokenCleanupJobTest.php
-
30tests/lib/Authentication/Token/DefaultTokenMapperTest.php
-
11tests/lib/Authentication/Token/DefaultTokenProviderTest.php
-
451tests/lib/Authentication/Token/ManagerTest.php
-
250tests/lib/Authentication/Token/PublicKeyTokenMapperTest.php
-
506tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
-
44tests/lib/Authentication/Token/PublicKeyTokenTest.php
-
2version.php
@ -0,0 +1,54 @@ |
|||
<?php |
|||
declare(strict_types=1); |
|||
/** |
|||
* @copyright Copyright (c) 2018 Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @license GNU AGPL version 3 or any later version |
|||
* |
|||
* This program is free software: you can redistribute it and/or modify |
|||
* it under the terms of the GNU Affero General Public License as |
|||
* published by the Free Software Foundation, either version 3 of the |
|||
* License, or (at your option) any later version. |
|||
* |
|||
* This program is distributed in the hope that it will be useful, |
|||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|||
* GNU Affero General Public License for more details. |
|||
* |
|||
* You should have received a copy of the GNU Affero General Public License |
|||
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|||
* |
|||
*/ |
|||
|
|||
namespace OC\Core\Migrations; |
|||
|
|||
use OCP\DB\ISchemaWrapper; |
|||
use OCP\Migration\SimpleMigrationStep; |
|||
use OCP\Migration\IOutput; |
|||
|
|||
class Version14000Date20180518120534 extends SimpleMigrationStep { |
|||
|
|||
public function changeSchema(IOutput $output, \Closure $schemaClosure, array $options) { |
|||
/** @var ISchemaWrapper $schema */ |
|||
$schema = $schemaClosure(); |
|||
|
|||
$table = $schema->getTable('authtoken'); |
|||
$table->addColumn('private_key', 'text', [ |
|||
'notnull' => false, |
|||
]); |
|||
$table->addColumn('public_key', 'text', [ |
|||
'notnull' => false, |
|||
]); |
|||
$table->addColumn('version', 'smallint', [ |
|||
'notnull' => true, |
|||
'default' => 1, |
|||
'unsigned' => true, |
|||
]); |
|||
$table->addIndex(['uid'], 'authtoken_uid_index'); |
|||
$table->addIndex(['version'], 'authtoken_version_index'); |
|||
|
|||
return $schema; |
|||
} |
|||
} |
|||
@ -0,0 +1,230 @@ |
|||
<?php |
|||
declare(strict_types=1); |
|||
/** |
|||
* @copyright Copyright 2018, Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @license AGPL-3.0 |
|||
* |
|||
* This code is free software: you can redistribute it and/or modify |
|||
* it under the terms of the GNU Affero General Public License, version 3, |
|||
* as published by the Free Software Foundation. |
|||
* |
|||
* This program is distributed in the hope that it will be useful, |
|||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|||
* GNU Affero General Public License for more details. |
|||
* |
|||
* You should have received a copy of the GNU Affero General Public License, version 3, |
|||
* along with this program. If not, see <http://www.gnu.org/licenses/> |
|||
* |
|||
*/ |
|||
|
|||
namespace OC\Authentication\Token; |
|||
|
|||
use OC\Authentication\Exceptions\InvalidTokenException; |
|||
use OC\Authentication\Exceptions\PasswordlessTokenException; |
|||
|
|||
class Manager implements IProvider { |
|||
|
|||
/** @var DefaultTokenProvider */ |
|||
private $defaultTokenProvider; |
|||
|
|||
/** @var PublicKeyTokenProvider */ |
|||
private $publicKeyTokenProvider; |
|||
|
|||
public function __construct(DefaultTokenProvider $defaultTokenProvider, PublicKeyTokenProvider $publicKeyTokenProvider) { |
|||
$this->defaultTokenProvider = $defaultTokenProvider; |
|||
$this->publicKeyTokenProvider = $publicKeyTokenProvider; |
|||
} |
|||
|
|||
/** |
|||
* Create and persist a new token |
|||
* |
|||
* @param string $token |
|||
* @param string $uid |
|||
* @param string $loginName |
|||
* @param string|null $password |
|||
* @param string $name |
|||
* @param int $type token type |
|||
* @param int $remember whether the session token should be used for remember-me |
|||
* @return IToken |
|||
*/ |
|||
public function generateToken(string $token, |
|||
string $uid, |
|||
string $loginName, |
|||
$password, |
|||
string $name, |
|||
int $type = IToken::TEMPORARY_TOKEN, |
|||
int $remember = IToken::DO_NOT_REMEMBER): IToken { |
|||
return $this->publicKeyTokenProvider->generateToken( |
|||
$token, |
|||
$uid, |
|||
$loginName, |
|||
$password, |
|||
$name, |
|||
$type, |
|||
$remember |
|||
); |
|||
} |
|||
|
|||
/** |
|||
* Save the updated token |
|||
* |
|||
* @param IToken $token |
|||
* @throws InvalidTokenException |
|||
*/ |
|||
public function updateToken(IToken $token) { |
|||
$provider = $this->getProvider($token); |
|||
$provider->updateToken($token); |
|||
} |
|||
|
|||
/** |
|||
* Update token activity timestamp |
|||
* |
|||
* @throws InvalidTokenException |
|||
* @param IToken $token |
|||
*/ |
|||
public function updateTokenActivity(IToken $token) { |
|||
$provider = $this->getProvider($token); |
|||
$provider->updateTokenActivity($token); |
|||
} |
|||
|
|||
/** |
|||
* @param string $uid |
|||
* @return IToken[] |
|||
*/ |
|||
public function getTokenByUser(string $uid): array { |
|||
$old = $this->defaultTokenProvider->getTokenByUser($uid); |
|||
$new = $this->publicKeyTokenProvider->getTokenByUser($uid); |
|||
|
|||
return array_merge($old, $new); |
|||
} |
|||
|
|||
/** |
|||
* Get a token by token |
|||
* |
|||
* @param string $tokenId |
|||
* @throws InvalidTokenException |
|||
* @return IToken |
|||
*/ |
|||
public function getToken(string $tokenId): IToken { |
|||
try { |
|||
return $this->publicKeyTokenProvider->getToken($tokenId); |
|||
} catch (InvalidTokenException $e) { |
|||
// No worries we try to convert it to a PublicKey Token
|
|||
} |
|||
|
|||
//Convert!
|
|||
$token = $this->defaultTokenProvider->getToken($tokenId); |
|||
|
|||
try { |
|||
$password = $this->defaultTokenProvider->getPassword($token, $tokenId); |
|||
} catch (PasswordlessTokenException $e) { |
|||
$password = null; |
|||
} |
|||
|
|||
return $this->publicKeyTokenProvider->convertToken($token, $tokenId, $password); |
|||
} |
|||
|
|||
/** |
|||
* Get a token by token id |
|||
* |
|||
* @param int $tokenId |
|||
* @throws InvalidTokenException |
|||
* @return IToken |
|||
*/ |
|||
public function getTokenById(int $tokenId): IToken { |
|||
try { |
|||
return $this->publicKeyTokenProvider->getTokenById($tokenId); |
|||
} catch (InvalidTokenException $e) { |
|||
return $this->defaultTokenProvider->getTokenById($tokenId); |
|||
} |
|||
} |
|||
|
|||
/** |
|||
* @param string $oldSessionId |
|||
* @param string $sessionId |
|||
* @throws InvalidTokenException |
|||
*/ |
|||
public function renewSessionToken(string $oldSessionId, string $sessionId) { |
|||
try { |
|||
$this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId); |
|||
} catch (InvalidTokenException $e) { |
|||
$this->defaultTokenProvider->renewSessionToken($oldSessionId, $sessionId); |
|||
} |
|||
} |
|||
|
|||
/** |
|||
* @param IToken $savedToken |
|||
* @param string $tokenId session token |
|||
* @throws InvalidTokenException |
|||
* @throws PasswordlessTokenException |
|||
* @return string |
|||
*/ |
|||
public function getPassword(IToken $savedToken, string $tokenId): string { |
|||
$provider = $this->getProvider($savedToken); |
|||
return $provider->getPassword($savedToken, $tokenId); |
|||
} |
|||
|
|||
public function setPassword(IToken $token, string $tokenId, string $password) { |
|||
$provider = $this->getProvider($token); |
|||
$provider->setPassword($token, $tokenId, $password); |
|||
} |
|||
|
|||
public function invalidateToken(string $token) { |
|||
$this->defaultTokenProvider->invalidateToken($token); |
|||
$this->publicKeyTokenProvider->invalidateToken($token); |
|||
} |
|||
|
|||
public function invalidateTokenById(string $uid, int $id) { |
|||
$this->defaultTokenProvider->invalidateTokenById($uid, $id); |
|||
$this->publicKeyTokenProvider->invalidateTokenById($uid, $id); |
|||
} |
|||
|
|||
public function invalidateOldTokens() { |
|||
$this->defaultTokenProvider->invalidateOldTokens(); |
|||
$this->publicKeyTokenProvider->invalidateOldTokens(); |
|||
} |
|||
|
|||
/** |
|||
* @param IToken $token |
|||
* @param string $oldTokenId |
|||
* @param string $newTokenId |
|||
* @return IToken |
|||
* @throws InvalidTokenException |
|||
*/ |
|||
public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken { |
|||
if ($token instanceof DefaultToken) { |
|||
try { |
|||
$password = $this->defaultTokenProvider->getPassword($token, $oldTokenId); |
|||
} catch (PasswordlessTokenException $e) { |
|||
$password = null; |
|||
} |
|||
|
|||
return $this->publicKeyTokenProvider->convertToken($token, $newTokenId, $password); |
|||
} |
|||
|
|||
if ($token instanceof PublicKeyToken) { |
|||
return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId); |
|||
} |
|||
|
|||
throw new InvalidTokenException(); |
|||
} |
|||
|
|||
/** |
|||
* @param IToken $token |
|||
* @return IProvider |
|||
* @throws InvalidTokenException |
|||
*/ |
|||
private function getProvider(IToken $token): IProvider { |
|||
if ($token instanceof DefaultToken) { |
|||
return $this->defaultTokenProvider; |
|||
} |
|||
if ($token instanceof PublicKeyToken) { |
|||
return $this->publicKeyTokenProvider; |
|||
} |
|||
throw new InvalidTokenException(); |
|||
} |
|||
} |
|||
@ -0,0 +1,217 @@ |
|||
<?php |
|||
/** @noinspection ALL */ |
|||
declare(strict_types=1); |
|||
/** |
|||
* @copyright Copyright (c) 2018 Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @license GNU AGPL version 3 or any later version |
|||
* |
|||
* This program is free software: you can redistribute it and/or modify |
|||
* it under the terms of the GNU Affero General Public License as |
|||
* published by the Free Software Foundation, either version 3 of the |
|||
* License, or (at your option) any later version. |
|||
* |
|||
* This program is distributed in the hope that it will be useful, |
|||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|||
* GNU Affero General Public License for more details. |
|||
* |
|||
* You should have received a copy of the GNU Affero General Public License |
|||
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|||
* |
|||
*/ |
|||
|
|||
namespace OC\Authentication\Token; |
|||
|
|||
use OCP\AppFramework\Db\Entity; |
|||
|
|||
/** |
|||
* @method void setId(int $id) |
|||
* @method void setUid(string $uid); |
|||
* @method void setLoginName(string $loginname) |
|||
* @method void setName(string $name) |
|||
* @method string getToken() |
|||
* @method void setType(int $type) |
|||
* @method int getType() |
|||
* @method void setRemember(int $remember) |
|||
* @method void setLastActivity(int $lastactivity) |
|||
* @method int getLastActivity() |
|||
* @method string getPrivateKey() |
|||
* @method void setPrivateKey(string $key) |
|||
* @method string getPublicKey() |
|||
* @method void setPublicKey(string $key) |
|||
* @method void setVersion(int $version) |
|||
*/ |
|||
class PublicKeyToken extends Entity implements IToken { |
|||
|
|||
const VERSION = 2; |
|||
|
|||
/** @var string user UID */ |
|||
protected $uid; |
|||
|
|||
/** @var string login name used for generating the token */ |
|||
protected $loginName; |
|||
|
|||
/** @var string encrypted user password */ |
|||
protected $password; |
|||
|
|||
/** @var string token name (e.g. browser/OS) */ |
|||
protected $name; |
|||
|
|||
/** @var string */ |
|||
protected $token; |
|||
|
|||
/** @var int */ |
|||
protected $type; |
|||
|
|||
/** @var int */ |
|||
protected $remember; |
|||
|
|||
/** @var int */ |
|||
protected $lastActivity; |
|||
|
|||
/** @var int */ |
|||
protected $lastCheck; |
|||
|
|||
/** @var string */ |
|||
protected $scope; |
|||
|
|||
/** @var int */ |
|||
protected $expires; |
|||
|
|||
/** @var string */ |
|||
protected $privateKey; |
|||
|
|||
/** @var string */ |
|||
protected $publicKey; |
|||
|
|||
/** @var int */ |
|||
protected $version; |
|||
|
|||
public function __construct() { |
|||
$this->addType('uid', 'string'); |
|||
$this->addType('loginName', 'string'); |
|||
$this->addType('password', 'string'); |
|||
$this->addType('name', 'string'); |
|||
$this->addType('token', 'string'); |
|||
$this->addType('type', 'int'); |
|||
$this->addType('remember', 'int'); |
|||
$this->addType('lastActivity', 'int'); |
|||
$this->addType('lastCheck', 'int'); |
|||
$this->addType('scope', 'string'); |
|||
$this->addType('expires', 'int'); |
|||
$this->addType('publicKey', 'string'); |
|||
$this->addType('privateKey', 'string'); |
|||
$this->addType('version', 'int'); |
|||
} |
|||
|
|||
public function getId(): int { |
|||
return $this->id; |
|||
} |
|||
|
|||
public function getUID(): string { |
|||
return $this->uid; |
|||
} |
|||
|
|||
/** |
|||
* Get the login name used when generating the token |
|||
* |
|||
* @return string |
|||
*/ |
|||
public function getLoginName(): string { |
|||
return parent::getLoginName(); |
|||
} |
|||
|
|||
/** |
|||
* Get the (encrypted) login password |
|||
* |
|||
* @return string|null |
|||
*/ |
|||
public function getPassword() { |
|||
return parent::getPassword(); |
|||
} |
|||
|
|||
public function jsonSerialize() { |
|||
return [ |
|||
'id' => $this->id, |
|||
'name' => $this->name, |
|||
'lastActivity' => $this->lastActivity, |
|||
'type' => $this->type, |
|||
'scope' => $this->getScopeAsArray() |
|||
]; |
|||
} |
|||
|
|||
/** |
|||
* Get the timestamp of the last password check |
|||
* |
|||
* @return int |
|||
*/ |
|||
public function getLastCheck(): int { |
|||
return parent::getLastCheck(); |
|||
} |
|||
|
|||
/** |
|||
* Get the timestamp of the last password check |
|||
* |
|||
* @param int $time |
|||
*/ |
|||
public function setLastCheck(int $time) { |
|||
parent::setLastCheck($time); |
|||
} |
|||
|
|||
public function getScope(): string { |
|||
$scope = parent::getScope(); |
|||
if ($scope === null) { |
|||
return ''; |
|||
} |
|||
|
|||
return $scope; |
|||
} |
|||
|
|||
public function getScopeAsArray(): array { |
|||
$scope = json_decode($this->getScope(), true); |
|||
if (!$scope) { |
|||
return [ |
|||
'filesystem'=> true |
|||
]; |
|||
} |
|||
return $scope; |
|||
} |
|||
|
|||
public function setScope($scope) { |
|||
if (is_array($scope)) { |
|||
parent::setScope(json_encode($scope)); |
|||
} else { |
|||
parent::setScope((string)$scope); |
|||
} |
|||
} |
|||
|
|||
public function getName(): string { |
|||
return parent::getName(); |
|||
} |
|||
|
|||
public function getRemember(): int { |
|||
return parent::getRemember(); |
|||
} |
|||
|
|||
public function setToken(string $token) { |
|||
parent::setToken($token); |
|||
} |
|||
|
|||
public function setPassword(string $password = null) { |
|||
parent::setPassword($password); |
|||
} |
|||
|
|||
public function setExpires($expires) { |
|||
parent::setExpires($expires); |
|||
} |
|||
|
|||
/** |
|||
* @return int|null |
|||
*/ |
|||
public function getExpires() { |
|||
return parent::getExpires(); |
|||
} |
|||
} |
|||
@ -0,0 +1,172 @@ |
|||
<?php |
|||
declare(strict_types=1); |
|||
/** |
|||
* @copyright Copyright (c) 2018 Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @license GNU AGPL version 3 or any later version |
|||
* |
|||
* This program is free software: you can redistribute it and/or modify |
|||
* it under the terms of the GNU Affero General Public License as |
|||
* published by the Free Software Foundation, either version 3 of the |
|||
* License, or (at your option) any later version. |
|||
* |
|||
* This program is distributed in the hope that it will be useful, |
|||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|||
* GNU Affero General Public License for more details. |
|||
* |
|||
* You should have received a copy of the GNU Affero General Public License |
|||
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|||
* |
|||
*/ |
|||
|
|||
namespace OC\Authentication\Token; |
|||
|
|||
use OCP\AppFramework\Db\DoesNotExistException; |
|||
use OCP\AppFramework\Db\QBMapper; |
|||
use OCP\DB\QueryBuilder\IQueryBuilder; |
|||
use OCP\IDBConnection; |
|||
|
|||
class PublicKeyTokenMapper extends QBMapper { |
|||
|
|||
public function __construct(IDBConnection $db) { |
|||
parent::__construct($db, 'authtoken'); |
|||
} |
|||
|
|||
/** |
|||
* Invalidate (delete) a given token |
|||
* |
|||
* @param string $token |
|||
*/ |
|||
public function invalidate(string $token) { |
|||
/* @var $qb IQueryBuilder */ |
|||
$qb = $this->db->getQueryBuilder(); |
|||
$qb->delete('authtoken') |
|||
->where($qb->expr()->eq('token', $qb->createNamedParameter($token))) |
|||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) |
|||
->execute(); |
|||
} |
|||
|
|||
/** |
|||
* @param int $olderThan |
|||
* @param int $remember |
|||
*/ |
|||
public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) { |
|||
/* @var $qb IQueryBuilder */ |
|||
$qb = $this->db->getQueryBuilder(); |
|||
$qb->delete('authtoken') |
|||
->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT))) |
|||
->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT))) |
|||
->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT))) |
|||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) |
|||
->execute(); |
|||
} |
|||
|
|||
/** |
|||
* Get the user UID for the given token |
|||
* |
|||
* @throws DoesNotExistException |
|||
*/ |
|||
public function getToken(string $token): PublicKeyToken { |
|||
/* @var $qb IQueryBuilder */ |
|||
$qb = $this->db->getQueryBuilder(); |
|||
$result = $qb->select('*') |
|||
->from('authtoken') |
|||
->where($qb->expr()->eq('token', $qb->createNamedParameter($token))) |
|||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) |
|||
->execute(); |
|||
|
|||
$data = $result->fetch(); |
|||
$result->closeCursor(); |
|||
if ($data === false) { |
|||
throw new DoesNotExistException('token does not exist'); |
|||
} |
|||
return PublicKeyToken::fromRow($data); |
|||
} |
|||
|
|||
/** |
|||
* Get the token for $id |
|||
* |
|||
* @throws DoesNotExistException |
|||
*/ |
|||
public function getTokenById(int $id): PublicKeyToken { |
|||
/* @var $qb IQueryBuilder */ |
|||
$qb = $this->db->getQueryBuilder(); |
|||
$result = $qb->select('*') |
|||
->from('authtoken') |
|||
->where($qb->expr()->eq('id', $qb->createNamedParameter($id))) |
|||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) |
|||
->execute(); |
|||
|
|||
$data = $result->fetch(); |
|||
$result->closeCursor(); |
|||
if ($data === false) { |
|||
throw new DoesNotExistException('token does not exist'); |
|||
} |
|||
return PublicKeyToken::fromRow($data); |
|||
} |
|||
|
|||
/** |
|||
* Get all tokens of a user |
|||
* |
|||
* The provider may limit the number of result rows in case of an abuse |
|||
* where a high number of (session) tokens is generated |
|||
* |
|||
* @param string $uid |
|||
* @return PublicKeyToken[] |
|||
*/ |
|||
public function getTokenByUser(string $uid): array { |
|||
/* @var $qb IQueryBuilder */ |
|||
$qb = $this->db->getQueryBuilder(); |
|||
$qb->select('*') |
|||
->from('authtoken') |
|||
->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) |
|||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) |
|||
->setMaxResults(1000); |
|||
$result = $qb->execute(); |
|||
$data = $result->fetchAll(); |
|||
$result->closeCursor(); |
|||
|
|||
$entities = array_map(function ($row) { |
|||
return PublicKeyToken::fromRow($row); |
|||
}, $data); |
|||
|
|||
return $entities; |
|||
} |
|||
|
|||
public function deleteById(string $uid, int $id) { |
|||
/* @var $qb IQueryBuilder */ |
|||
$qb = $this->db->getQueryBuilder(); |
|||
$qb->delete('authtoken') |
|||
->where($qb->expr()->eq('id', $qb->createNamedParameter($id))) |
|||
->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) |
|||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))); |
|||
$qb->execute(); |
|||
} |
|||
|
|||
/** |
|||
* delete all auth token which belong to a specific client if the client was deleted |
|||
* |
|||
* @param string $name |
|||
*/ |
|||
public function deleteByName(string $name) { |
|||
$qb = $this->db->getQueryBuilder(); |
|||
$qb->delete('authtoken') |
|||
->where($qb->expr()->eq('name', $qb->createNamedParameter($name), IQueryBuilder::PARAM_STR)) |
|||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))); |
|||
$qb->execute(); |
|||
} |
|||
|
|||
public function deleteTempToken(PublicKeyToken $except) { |
|||
$qb = $this->db->getQueryBuilder(); |
|||
|
|||
$qb->delete('authtoken') |
|||
->where($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN))) |
|||
->andWhere($qb->expr()->neq('id', $qb->createNamedParameter($except->getId()))) |
|||
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))); |
|||
|
|||
$qb->execute(); |
|||
} |
|||
} |
|||
@ -0,0 +1,320 @@ |
|||
<?php |
|||
declare(strict_types=1); |
|||
/** |
|||
* @copyright Copyright 2018, Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @license AGPL-3.0 |
|||
* |
|||
* This code is free software: you can redistribute it and/or modify |
|||
* it under the terms of the GNU Affero General Public License, version 3, |
|||
* as published by the Free Software Foundation. |
|||
* |
|||
* This program is distributed in the hope that it will be useful, |
|||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|||
* GNU Affero General Public License for more details. |
|||
* |
|||
* You should have received a copy of the GNU Affero General Public License, version 3, |
|||
* along with this program. If not, see <http://www.gnu.org/licenses/> |
|||
* |
|||
*/ |
|||
|
|||
namespace OC\Authentication\Token; |
|||
|
|||
use OC\Authentication\Exceptions\InvalidTokenException; |
|||
use OC\Authentication\Exceptions\PasswordlessTokenException; |
|||
use OCP\AppFramework\Db\DoesNotExistException; |
|||
use OCP\AppFramework\Utility\ITimeFactory; |
|||
use OCP\IConfig; |
|||
use OCP\ILogger; |
|||
use OCP\Security\ICrypto; |
|||
|
|||
class PublicKeyTokenProvider implements IProvider { |
|||
/** @var PublicKeyTokenMapper */ |
|||
private $mapper; |
|||
|
|||
/** @var ICrypto */ |
|||
private $crypto; |
|||
|
|||
/** @var IConfig */ |
|||
private $config; |
|||
|
|||
/** @var ILogger $logger */ |
|||
private $logger; |
|||
|
|||
/** @var ITimeFactory $time */ |
|||
private $time; |
|||
|
|||
public function __construct(PublicKeyTokenMapper $mapper, |
|||
ICrypto $crypto, |
|||
IConfig $config, |
|||
ILogger $logger, |
|||
ITimeFactory $time) { |
|||
$this->mapper = $mapper; |
|||
$this->crypto = $crypto; |
|||
$this->config = $config; |
|||
$this->logger = $logger; |
|||
$this->time = $time; |
|||
} |
|||
|
|||
public function generateToken(string $token, |
|||
string $uid, |
|||
string $loginName, |
|||
$password, |
|||
string $name, |
|||
int $type = IToken::TEMPORARY_TOKEN, |
|||
int $remember = IToken::DO_NOT_REMEMBER): IToken { |
|||
$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember); |
|||
|
|||
$this->mapper->insert($dbToken); |
|||
|
|||
return $dbToken; |
|||
} |
|||
|
|||
public function getToken(string $tokenId): IToken { |
|||
try { |
|||
$token = $this->mapper->getToken($this->hashToken($tokenId)); |
|||
} catch (DoesNotExistException $ex) { |
|||
throw new InvalidTokenException(); |
|||
} |
|||
|
|||
if ($token->getExpires() !== null && $token->getExpires() < $this->time->getTime()) { |
|||
throw new ExpiredTokenException($token); |
|||
} |
|||
|
|||
return $token; |
|||
} |
|||
|
|||
public function getTokenById(int $tokenId): IToken { |
|||
try { |
|||
$token = $this->mapper->getTokenById($tokenId); |
|||
} catch (DoesNotExistException $ex) { |
|||
throw new InvalidTokenException(); |
|||
} |
|||
|
|||
if ($token->getExpires() !== null && $token->getExpires() < $this->time->getTime()) { |
|||
throw new ExpiredTokenException($token); |
|||
} |
|||
|
|||
return $token; |
|||
} |
|||
|
|||
public function renewSessionToken(string $oldSessionId, string $sessionId) { |
|||
$token = $this->getToken($oldSessionId); |
|||
|
|||
if (!($token instanceof PublicKeyToken)) { |
|||
throw new InvalidTokenException(); |
|||
} |
|||
|
|||
$password = null; |
|||
if (!is_null($token->getPassword())) { |
|||
$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId); |
|||
$password = $this->decryptPassword($token->getPassword(), $privateKey); |
|||
} |
|||
|
|||
$this->generateToken( |
|||
$sessionId, |
|||
$token->getUID(), |
|||
$token->getLoginName(), |
|||
$password, |
|||
$token->getName(), |
|||
IToken::TEMPORARY_TOKEN, |
|||
$token->getRemember() |
|||
); |
|||
|
|||
$this->mapper->delete($token); |
|||
} |
|||
|
|||
public function invalidateToken(string $token) { |
|||
$this->mapper->invalidate($this->hashToken($token)); |
|||
} |
|||
|
|||
public function invalidateTokenById(string $uid, int $id) { |
|||
$this->mapper->deleteById($uid, $id); |
|||
} |
|||
|
|||
public function invalidateOldTokens() { |
|||
$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24); |
|||
$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']); |
|||
$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER); |
|||
$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15); |
|||
$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']); |
|||
$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER); |
|||
} |
|||
|
|||
public function updateToken(IToken $token) { |
|||
if (!($token instanceof PublicKeyToken)) { |
|||
throw new InvalidTokenException(); |
|||
} |
|||
$this->mapper->update($token); |
|||
} |
|||
|
|||
public function updateTokenActivity(IToken $token) { |
|||
if (!($token instanceof PublicKeyToken)) { |
|||
throw new InvalidTokenException(); |
|||
} |
|||
/** @var DefaultToken $token */ |
|||
$now = $this->time->getTime(); |
|||
if ($token->getLastActivity() < ($now - 60)) { |
|||
// Update token only once per minute
|
|||
$token->setLastActivity($now); |
|||
$this->mapper->update($token); |
|||
} |
|||
} |
|||
|
|||
public function getTokenByUser(string $uid): array { |
|||
return $this->mapper->getTokenByUser($uid); |
|||
} |
|||
|
|||
public function getPassword(IToken $token, string $tokenId): string { |
|||
if (!($token instanceof PublicKeyToken)) { |
|||
throw new InvalidTokenException(); |
|||
} |
|||
|
|||
if ($token->getPassword() === null) { |
|||
throw new PasswordlessTokenException(); |
|||
} |
|||
|
|||
// Decrypt private key with tokenId
|
|||
$privateKey = $this->decrypt($token->getPrivateKey(), $tokenId); |
|||
|
|||
// Decrypt password with private key
|
|||
return $this->decryptPassword($token->getPassword(), $privateKey); |
|||
} |
|||
|
|||
public function setPassword(IToken $token, string $tokenId, string $password) { |
|||
if (!($token instanceof PublicKeyToken)) { |
|||
throw new InvalidTokenException(); |
|||
} |
|||
|
|||
// When changing passwords all temp tokens are deleted
|
|||
$this->mapper->deleteTempToken($token); |
|||
|
|||
// Update the password for all tokens
|
|||
$tokens = $this->mapper->getTokenByUser($token->getUID()); |
|||
foreach ($tokens as $t) { |
|||
$publicKey = $t->getPublicKey(); |
|||
$t->setPassword($this->encryptPassword($password, $publicKey)); |
|||
$this->updateToken($t); |
|||
} |
|||
} |
|||
|
|||
public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken { |
|||
if (!($token instanceof PublicKeyToken)) { |
|||
throw new InvalidTokenException(); |
|||
} |
|||
|
|||
// Decrypt private key with oldTokenId
|
|||
$privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId); |
|||
// Encrypt with the new token
|
|||
$token->setPrivateKey($this->encrypt($privateKey, $newTokenId)); |
|||
|
|||
$token->setToken($this->hashToken($newTokenId)); |
|||
$this->updateToken($token); |
|||
|
|||
return $token; |
|||
} |
|||
|
|||
private function encrypt(string $plaintext, string $token): string { |
|||
$secret = $this->config->getSystemValue('secret'); |
|||
return $this->crypto->encrypt($plaintext, $token . $secret); |
|||
} |
|||
|
|||
/** |
|||
* @throws InvalidTokenException |
|||
*/ |
|||
private function decrypt(string $cipherText, string $token): string { |
|||
$secret = $this->config->getSystemValue('secret'); |
|||
try { |
|||
return $this->crypto->decrypt($cipherText, $token . $secret); |
|||
} catch (\Exception $ex) { |
|||
// Delete the invalid token
|
|||
$this->invalidateToken($token); |
|||
throw new InvalidTokenException(); |
|||
} |
|||
} |
|||
|
|||
private function encryptPassword(string $password, string $publicKey): string { |
|||
openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING); |
|||
$encryptedPassword = base64_encode($encryptedPassword); |
|||
|
|||
return $encryptedPassword; |
|||
} |
|||
|
|||
private function decryptPassword(string $encryptedPassword, string $privateKey): string { |
|||
$encryptedPassword = base64_decode($encryptedPassword); |
|||
openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING); |
|||
|
|||
return $password; |
|||
} |
|||
|
|||
private function hashToken(string $token): string { |
|||
$secret = $this->config->getSystemValue('secret'); |
|||
return hash('sha512', $token . $secret); |
|||
} |
|||
|
|||
/** |
|||
* Convert a DefaultToken to a publicKeyToken |
|||
* This will also be updated directly in the Database |
|||
*/ |
|||
public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken { |
|||
$pkToken = $this->newToken( |
|||
$token, |
|||
$defaultToken->getUID(), |
|||
$defaultToken->getLoginName(), |
|||
$password, |
|||
$defaultToken->getName(), |
|||
$defaultToken->getType(), |
|||
$defaultToken->getRemember() |
|||
); |
|||
|
|||
$pkToken->setExpires($defaultToken->getExpires()); |
|||
$pkToken->setId($defaultToken->getId()); |
|||
|
|||
return $this->mapper->update($pkToken); |
|||
} |
|||
|
|||
private function newToken(string $token, |
|||
string $uid, |
|||
string $loginName, |
|||
$password, |
|||
string $name, |
|||
int $type, |
|||
int $remember): PublicKeyToken { |
|||
$dbToken = new PublicKeyToken(); |
|||
$dbToken->setUid($uid); |
|||
$dbToken->setLoginName($loginName); |
|||
|
|||
$config = [ |
|||
'digest_alg' => 'sha512', |
|||
'private_key_bits' => 2048, |
|||
]; |
|||
|
|||
// Generate new key
|
|||
$res = openssl_pkey_new($config); |
|||
openssl_pkey_export($res, $privateKey); |
|||
|
|||
// Extract the public key from $res to $pubKey
|
|||
$publicKey = openssl_pkey_get_details($res); |
|||
$publicKey = $publicKey['key']; |
|||
|
|||
$dbToken->setPublicKey($publicKey); |
|||
$dbToken->setPrivateKey($this->encrypt($privateKey, $token)); |
|||
|
|||
if (!is_null($password)) { |
|||
$dbToken->setPassword($this->encryptPassword($password, $publicKey)); |
|||
} |
|||
|
|||
$dbToken->setName($name); |
|||
$dbToken->setToken($this->hashToken($token)); |
|||
$dbToken->setType($type); |
|||
$dbToken->setRemember($remember); |
|||
$dbToken->setLastActivity($this->time->getTime()); |
|||
$dbToken->setLastCheck($this->time->getTime()); |
|||
$dbToken->setVersion(PublicKeyToken::VERSION); |
|||
|
|||
return $dbToken; |
|||
} |
|||
} |
|||
@ -0,0 +1,451 @@ |
|||
<?php |
|||
/** |
|||
* @copyright Copyright (c) 2018 Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @license GNU AGPL version 3 or any later version |
|||
* |
|||
* This program is free software: you can redistribute it and/or modify |
|||
* it under the terms of the GNU Affero General Public License as |
|||
* published by the Free Software Foundation, either version 3 of the |
|||
* License, or (at your option) any later version. |
|||
* |
|||
* This program is distributed in the hope that it will be useful, |
|||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|||
* GNU Affero General Public License for more details. |
|||
* |
|||
* You should have received a copy of the GNU Affero General Public License |
|||
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|||
* |
|||
*/ |
|||
|
|||
namespace Test\Authentication\Token; |
|||
|
|||
use OC\Authentication\Exceptions\InvalidTokenException; |
|||
use OC\Authentication\Exceptions\PasswordlessTokenException; |
|||
use OC\Authentication\Token\DefaultToken; |
|||
use OC\Authentication\Token\DefaultTokenProvider; |
|||
use OC\Authentication\Token\Manager; |
|||
use OC\Authentication\Token\PublicKeyToken; |
|||
use OC\Authentication\Token\PublicKeyTokenMapper; |
|||
use OC\Authentication\Token\PublicKeyTokenProvider; |
|||
use OC\Authentication\Token\ExpiredTokenException; |
|||
use OC\Authentication\Token\IToken; |
|||
use OCP\AppFramework\Db\DoesNotExistException; |
|||
use OCP\AppFramework\Utility\ITimeFactory; |
|||
use OCP\IConfig; |
|||
use OCP\ILogger; |
|||
use OCP\IUser; |
|||
use OCP\Security\ICrypto; |
|||
use Test\TestCase; |
|||
|
|||
class ManagerTest extends TestCase { |
|||
|
|||
/** @var PublicKeyTokenProvider|\PHPUnit_Framework_MockObject_MockObject */ |
|||
private $publicKeyTokenProvider; |
|||
/** @var DefaultTokenProvider|\PHPUnit_Framework_MockObject_MockObject */ |
|||
private $defaultTokenProvider; |
|||
/** @var Manager */ |
|||
private $manager; |
|||
|
|||
protected function setUp() { |
|||
parent::setUp(); |
|||
|
|||
$this->publicKeyTokenProvider = $this->createMock(PublicKeyTokenProvider::class); |
|||
$this->defaultTokenProvider = $this->createMock(DefaultTokenProvider::class); |
|||
$this->manager = new Manager( |
|||
$this->defaultTokenProvider, |
|||
$this->publicKeyTokenProvider |
|||
); |
|||
} |
|||
|
|||
public function testGenerateToken() { |
|||
$this->defaultTokenProvider->expects($this->never()) |
|||
->method('generateToken'); |
|||
|
|||
$token = new PublicKeyToken(); |
|||
|
|||
$this->publicKeyTokenProvider->expects($this->once()) |
|||
->method('generateToken') |
|||
->with( |
|||
'token', |
|||
'uid', |
|||
'loginName', |
|||
'password', |
|||
'name', |
|||
IToken::TEMPORARY_TOKEN, |
|||
IToken::REMEMBER |
|||
)->willReturn($token); |
|||
|
|||
$actual = $this->manager->generateToken( |
|||
'token', |
|||
'uid', |
|||
'loginName', |
|||
'password', |
|||
'name', |
|||
IToken::TEMPORARY_TOKEN, |
|||
IToken::REMEMBER |
|||
); |
|||
|
|||
$this->assertSame($token, $actual); |
|||
} |
|||
|
|||
public function tokenData(): array { |
|||
return [ |
|||
[new DefaultToken()], |
|||
[new PublicKeyToken()], |
|||
[$this->createMock(IToken::class)], |
|||
]; |
|||
} |
|||
|
|||
protected function setNoCall(IToken $token) { |
|||
if (!($token instanceof DefaultToken)) { |
|||
$this->defaultTokenProvider->expects($this->never()) |
|||
->method($this->anything()); |
|||
} |
|||
|
|||
if (!($token instanceof PublicKeyToken)) { |
|||
$this->publicKeyTokenProvider->expects($this->never()) |
|||
->method($this->anything()); |
|||
} |
|||
} |
|||
|
|||
protected function setCall(IToken $token, string $function, $return = null) { |
|||
if ($token instanceof DefaultToken) { |
|||
$this->defaultTokenProvider->expects($this->once()) |
|||
->method($function) |
|||
->with($token) |
|||
->willReturn($return); |
|||
} |
|||
|
|||
if ($token instanceof PublicKeyToken) { |
|||
$this->publicKeyTokenProvider->expects($this->once()) |
|||
->method($function) |
|||
->with($token) |
|||
->willReturn($return); |
|||
} |
|||
} |
|||
|
|||
protected function setException(IToken $token) { |
|||
if (!($token instanceof DefaultToken) && !($token instanceof PublicKeyToken)) { |
|||
$this->expectException(InvalidTokenException::class); |
|||
} |
|||
} |
|||
|
|||
/** |
|||
* @dataProvider tokenData |
|||
*/ |
|||
public function testUpdateToken(IToken $token) { |
|||
$this->setNoCall($token); |
|||
$this->setCall($token, 'updateToken'); |
|||
$this->setException($token); |
|||
|
|||
$this->manager->updateToken($token); |
|||
} |
|||
|
|||
/** |
|||
* @dataProvider tokenData |
|||
*/ |
|||
public function testUpdateTokenActivity(IToken $token) { |
|||
$this->setNoCall($token); |
|||
$this->setCall($token, 'updateTokenActivity'); |
|||
$this->setException($token); |
|||
|
|||
$this->manager->updateTokenActivity($token); |
|||
} |
|||
|
|||
/** |
|||
* @dataProvider tokenData |
|||
*/ |
|||
public function testGetPassword(IToken $token) { |
|||
$this->setNoCall($token); |
|||
$this->setCall($token, 'getPassword', 'password'); |
|||
$this->setException($token); |
|||
|
|||
$result = $this->manager->getPassword($token, 'tokenId', 'password'); |
|||
|
|||
$this->assertSame('password', $result); |
|||
} |
|||
|
|||
/** |
|||
* @dataProvider tokenData |
|||
*/ |
|||
public function testSetPassword(IToken $token) { |
|||
$this->setNoCall($token); |
|||
$this->setCall($token, 'setPassword'); |
|||
$this->setException($token); |
|||
|
|||
$this->manager->setPassword($token, 'tokenId', 'password'); |
|||
} |
|||
|
|||
public function testInvalidateTokens() { |
|||
$this->defaultTokenProvider->expects($this->once()) |
|||
->method('invalidateToken') |
|||
->with('token'); |
|||
|
|||
$this->publicKeyTokenProvider->expects($this->once()) |
|||
->method('invalidateToken') |
|||
->with('token'); |
|||
|
|||
$this->manager->invalidateToken('token'); |
|||
} |
|||
|
|||
public function testInvalidateTokenById() { |
|||
$this->defaultTokenProvider->expects($this->once()) |
|||
->method('invalidateTokenById') |
|||
->with('uid', 42); |
|||
|
|||
$this->publicKeyTokenProvider->expects($this->once()) |
|||
->method('invalidateTokenById') |
|||
->with('uid', 42); |
|||
|
|||
$this->manager->invalidateTokenById('uid', 42); |
|||
} |
|||
|
|||
public function testInvalidateOldTokens() { |
|||
$this->defaultTokenProvider->expects($this->once()) |
|||
->method('invalidateOldTokens'); |
|||
|
|||
$this->publicKeyTokenProvider->expects($this->once()) |
|||
->method('invalidateOldTokens'); |
|||
|
|||
$this->manager->invalidateOldTokens(); |
|||
} |
|||
|
|||
public function testGetTokenByUser() { |
|||
$t1 = new DefaultToken(); |
|||
$t2 = new DefaultToken(); |
|||
$t3 = new PublicKeyToken(); |
|||
$t4 = new PublicKeyToken(); |
|||
|
|||
$this->defaultTokenProvider |
|||
->method('getTokenByUser') |
|||
->willReturn([$t1, $t2]); |
|||
|
|||
$this->publicKeyTokenProvider |
|||
->method('getTokenByUser') |
|||
->willReturn([$t3, $t4]); |
|||
|
|||
$result = $this->manager->getTokenByUser('uid'); |
|||
|
|||
$this->assertEquals([$t1, $t2, $t3, $t4], $result); |
|||
} |
|||
|
|||
public function testRenewSessionTokenPublicKey() { |
|||
$this->defaultTokenProvider->expects($this->never()) |
|||
->method($this->anything()); |
|||
|
|||
$this->publicKeyTokenProvider->expects($this->once()) |
|||
->method('renewSessionToken') |
|||
->with('oldId', 'newId'); |
|||
|
|||
$this->manager->renewSessionToken('oldId', 'newId'); |
|||
} |
|||
|
|||
public function testRenewSessionTokenDefault() { |
|||
$this->publicKeyTokenProvider->expects($this->once()) |
|||
->method('renewSessionToken') |
|||
->with('oldId', 'newId') |
|||
->willThrowException(new InvalidTokenException()); |
|||
|
|||
$this->defaultTokenProvider->expects($this->once()) |
|||
->method('renewSessionToken') |
|||
->with('oldId', 'newId'); |
|||
|
|||
$this->manager->renewSessionToken('oldId', 'newId'); |
|||
} |
|||
|
|||
public function testRenewSessionInvalid() { |
|||
$this->publicKeyTokenProvider->expects($this->once()) |
|||
->method('renewSessionToken') |
|||
->with('oldId', 'newId') |
|||
->willThrowException(new InvalidTokenException()); |
|||
|
|||
$this->defaultTokenProvider->expects($this->once()) |
|||
->method('renewSessionToken') |
|||
->with('oldId', 'newId') |
|||
->willThrowException(new InvalidTokenException()); |
|||
|
|||
$this->expectException(InvalidTokenException::class); |
|||
$this->manager->renewSessionToken('oldId', 'newId'); |
|||
} |
|||
|
|||
public function testGetTokenByIdPublicKey() { |
|||
$token = $this->createMock(IToken::class); |
|||
|
|||
$this->publicKeyTokenProvider->expects($this->once()) |
|||
->method('getTokenById') |
|||
->with(42) |
|||
->willReturn($token); |
|||
|
|||
$this->defaultTokenProvider->expects($this->never()) |
|||
->method($this->anything()); |
|||
|
|||
|
|||
$this->assertSame($token, $this->manager->getTokenById(42)); |
|||
} |
|||
|
|||
public function testGetTokenByIdDefault() { |
|||
$token = $this->createMock(IToken::class); |
|||
|
|||
$this->publicKeyTokenProvider->expects($this->once()) |
|||
->method('getTokenById') |
|||
->with(42) |
|||
->willThrowException(new InvalidTokenException()); |
|||
|
|||
$this->defaultTokenProvider->expects($this->once()) |
|||
->method('getTokenById') |
|||
->with(42) |
|||
->willReturn($token); |
|||
|
|||
$this->assertSame($token, $this->manager->getTokenById(42)); |
|||
} |
|||
|
|||
public function testGetTokenByIdInvalid() { |
|||
$this->publicKeyTokenProvider->expects($this->once()) |
|||
->method('getTokenById') |
|||
->with(42) |
|||
->willThrowException(new InvalidTokenException()); |
|||
|
|||
$this->defaultTokenProvider->expects($this->once()) |
|||
->method('getTokenById') |
|||
->with(42) |
|||
->willThrowException(new InvalidTokenException()); |
|||
|
|||
$this->expectException(InvalidTokenException::class); |
|||
$this->manager->getTokenById(42); |
|||
} |
|||
|
|||
public function testGetTokenPublicKey() { |
|||
$token = new PublicKeyToken(); |
|||
|
|||
$this->defaultTokenProvider->expects($this->never()) |
|||
->method($this->anything()); |
|||
|
|||
$this->publicKeyTokenProvider |
|||
->method('getToken') |
|||
->with('tokenId') |
|||
->willReturn($token); |
|||
|
|||
$this->assertSame($token, $this->manager->getToken('tokenId')); |
|||
} |
|||
|
|||
public function testGetTokenInvalid() { |
|||
$this->defaultTokenProvider |
|||
->method('getToken') |
|||
->with('tokenId') |
|||
->willThrowException(new InvalidTokenException()); |
|||
|
|||
$this->publicKeyTokenProvider |
|||
->method('getToken') |
|||
->with('tokenId') |
|||
->willThrowException(new InvalidTokenException()); |
|||
|
|||
$this->expectException(InvalidTokenException::class); |
|||
$this->manager->getToken('tokenId'); |
|||
} |
|||
|
|||
public function testGetTokenConvertPassword() { |
|||
$oldToken = new DefaultToken(); |
|||
$newToken = new PublicKeyToken(); |
|||
|
|||
$this->publicKeyTokenProvider |
|||
->method('getToken') |
|||
->with('tokenId') |
|||
->willThrowException(new InvalidTokenException()); |
|||
|
|||
$this->defaultTokenProvider |
|||
->method('getToken') |
|||
->willReturn($oldToken); |
|||
|
|||
$this->defaultTokenProvider |
|||
->method('getPassword') |
|||
->with($oldToken, 'tokenId') |
|||
->willReturn('password'); |
|||
|
|||
$this->publicKeyTokenProvider |
|||
->method('convertToken') |
|||
->with($oldToken, 'tokenId', 'password') |
|||
->willReturn($newToken); |
|||
|
|||
$this->assertSame($newToken, $this->manager->getToken('tokenId')); |
|||
} |
|||
|
|||
public function testGetTokenConvertNoPassword() { |
|||
$oldToken = new DefaultToken(); |
|||
$newToken = new PublicKeyToken(); |
|||
|
|||
$this->publicKeyTokenProvider |
|||
->method('getToken') |
|||
->with('tokenId') |
|||
->willThrowException(new InvalidTokenException()); |
|||
|
|||
$this->defaultTokenProvider |
|||
->method('getToken') |
|||
->willReturn($oldToken); |
|||
|
|||
$this->defaultTokenProvider |
|||
->method('getPassword') |
|||
->with($oldToken, 'tokenId') |
|||
->willThrowException(new PasswordlessTokenException()); |
|||
|
|||
$this->publicKeyTokenProvider |
|||
->method('convertToken') |
|||
->with($oldToken, 'tokenId', null) |
|||
->willReturn($newToken); |
|||
|
|||
$this->assertSame($newToken, $this->manager->getToken('tokenId')); |
|||
} |
|||
|
|||
public function testRotateInvalid() { |
|||
$this->expectException(InvalidTokenException::class); |
|||
$this->manager->rotate($this->createMock(IToken::class), 'oldId', 'newId'); |
|||
} |
|||
|
|||
public function testRotatePublicKey() { |
|||
$token = new PublicKeyToken(); |
|||
|
|||
$this->publicKeyTokenProvider |
|||
->method('rotate') |
|||
->with($token, 'oldId', 'newId') |
|||
->willReturn($token); |
|||
|
|||
$this->assertSame($token, $this->manager->rotate($token, 'oldId', 'newId')); |
|||
} |
|||
|
|||
public function testRotateConvertPassword() { |
|||
$oldToken = new DefaultToken(); |
|||
$newToken = new PublicKeyToken(); |
|||
|
|||
$this->defaultTokenProvider |
|||
->method('getPassword') |
|||
->with($oldToken, 'oldId') |
|||
->willReturn('password'); |
|||
|
|||
$this->publicKeyTokenProvider |
|||
->method('convertToken') |
|||
->with($oldToken, 'newId', 'password') |
|||
->willReturn($newToken); |
|||
|
|||
$this->assertSame($newToken, $this->manager->rotate($oldToken, 'oldId', 'newId')); |
|||
} |
|||
|
|||
public function testRotateConvertNoPassword() { |
|||
$oldToken = new DefaultToken(); |
|||
$newToken = new PublicKeyToken(); |
|||
|
|||
$this->defaultTokenProvider |
|||
->method('getPassword') |
|||
->with($oldToken, 'oldId') |
|||
->willThrowException(new PasswordlessTokenException()); |
|||
|
|||
$this->publicKeyTokenProvider |
|||
->method('convertToken') |
|||
->with($oldToken, 'newId', null) |
|||
->willReturn($newToken); |
|||
|
|||
$this->assertSame($newToken, $this->manager->rotate($oldToken, 'oldId', 'newId')); |
|||
} |
|||
} |
|||
@ -0,0 +1,250 @@ |
|||
<?php |
|||
declare(strict_types=1); |
|||
/** |
|||
* @copyright Copyright (c) 2018 Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @license GNU AGPL version 3 or any later version |
|||
* |
|||
* This program is free software: you can redistribute it and/or modify |
|||
* it under the terms of the GNU Affero General Public License as |
|||
* published by the Free Software Foundation, either version 3 of the |
|||
* License, or (at your option) any later version. |
|||
* |
|||
* This program is distributed in the hope that it will be useful, |
|||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|||
* GNU Affero General Public License for more details. |
|||
* |
|||
* You should have received a copy of the GNU Affero General Public License |
|||
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|||
* |
|||
*/ |
|||
|
|||
namespace Test\Authentication\Token; |
|||
|
|||
use OC; |
|||
use OC\Authentication\Token\PublicKeyToken; |
|||
use OC\Authentication\Token\PublicKeyTokenMapper; |
|||
use OC\Authentication\Token\IToken; |
|||
use OCP\DB\QueryBuilder\IQueryBuilder; |
|||
use OCP\IDBConnection; |
|||
use OCP\IUser; |
|||
use Test\TestCase; |
|||
|
|||
/** |
|||
* @group DB |
|||
*/ |
|||
class PublicKeyTokenMapperTest extends TestCase { |
|||
|
|||
/** @var PublicKeyTokenMapper */ |
|||
private $mapper; |
|||
|
|||
/** @var IDBConnection */ |
|||
private $dbConnection; |
|||
|
|||
/** @var int */ |
|||
private $time; |
|||
|
|||
protected function setUp() { |
|||
parent::setUp(); |
|||
|
|||
$this->dbConnection = OC::$server->getDatabaseConnection(); |
|||
$this->time = time(); |
|||
$this->resetDatabase(); |
|||
|
|||
$this->mapper = new PublicKeyTokenMapper($this->dbConnection); |
|||
} |
|||
|
|||
private function resetDatabase() { |
|||
$qb = $this->dbConnection->getQueryBuilder(); |
|||
$qb->delete('authtoken')->execute(); |
|||
$qb->insert('authtoken')->values([ |
|||
'uid' => $qb->createNamedParameter('user1'), |
|||
'login_name' => $qb->createNamedParameter('User1'), |
|||
'password' => $qb->createNamedParameter('a75c7116460c082912d8f6860a850904|3nz5qbG1nNSLLi6V|c55365a0e54cfdfac4a175bcf11a7612aea74492277bba6e5d96a24497fa9272488787cb2f3ad34d8b9b8060934fce02f008d371df3ff3848f4aa61944851ff0'), |
|||
'name' => $qb->createNamedParameter('Firefox on Linux'), |
|||
'token' => $qb->createNamedParameter('9c5a2e661482b65597408a6bb6c4a3d1af36337381872ac56e445a06cdb7fea2b1039db707545c11027a4966919918b19d875a8b774840b18c6cbb7ae56fe206'), |
|||
'type' => $qb->createNamedParameter(IToken::TEMPORARY_TOKEN), |
|||
'last_activity' => $qb->createNamedParameter($this->time - 120, IQueryBuilder::PARAM_INT), // Two minutes ago
|
|||
'last_check' => $this->time - 60 * 10, // 10mins ago
|
|||
'public_key' => $qb->createNamedParameter('public key'), |
|||
'private_key' => $qb->createNamedParameter('private key'), |
|||
'version' => $qb->createNamedParameter(2), |
|||
])->execute(); |
|||
$qb->insert('authtoken')->values([ |
|||
'uid' => $qb->createNamedParameter('user2'), |
|||
'login_name' => $qb->createNamedParameter('User2'), |
|||
'password' => $qb->createNamedParameter('971a337057853344700bbeccf836519f|UwOQwyb34sJHtqPV|036d4890f8c21d17bbc7b88072d8ef049a5c832a38e97f3e3d5f9186e896c2593aee16883f617322fa242728d0236ff32d163caeb4bd45e14ca002c57a88665f'), |
|||
'name' => $qb->createNamedParameter('Firefox on Android'), |
|||
'token' => $qb->createNamedParameter('1504445f1524fc801035448a95681a9378ba2e83930c814546c56e5d6ebde221198792fd900c88ed5ead0555780dad1ebce3370d7e154941cd5de87eb419899b'), |
|||
'type' => $qb->createNamedParameter(IToken::TEMPORARY_TOKEN), |
|||
'last_activity' => $qb->createNamedParameter($this->time - 60 * 60 * 24 * 3, IQueryBuilder::PARAM_INT), // Three days ago
|
|||
'last_check' => $this->time - 10, // 10secs ago
|
|||
'public_key' => $qb->createNamedParameter('public key'), |
|||
'private_key' => $qb->createNamedParameter('private key'), |
|||
'version' => $qb->createNamedParameter(2), |
|||
])->execute(); |
|||
$qb->insert('authtoken')->values([ |
|||
'uid' => $qb->createNamedParameter('user1'), |
|||
'login_name' => $qb->createNamedParameter('User1'), |
|||
'password' => $qb->createNamedParameter('063de945d6f6b26862d9b6f40652f2d5|DZ/z520tfdXPtd0T|395f6b89be8d9d605e409e20b9d9abe477fde1be38a3223f9e508f979bf906e50d9eaa4dca983ca4fb22a241eb696c3f98654e7775f78c4caf13108f98642b53'), |
|||
'name' => $qb->createNamedParameter('Iceweasel on Linux'), |
|||
'token' => $qb->createNamedParameter('47af8697ba590fb82579b5f1b3b6e8066773a62100abbe0db09a289a62f5d980dc300fa3d98b01d7228468d1ab05c1aa14c8d14bd5b6eee9cdf1ac14864680c3'), |
|||
'type' => $qb->createNamedParameter(IToken::TEMPORARY_TOKEN), |
|||
'last_activity' => $qb->createNamedParameter($this->time - 120, IQueryBuilder::PARAM_INT), // Two minutes ago
|
|||
'last_check' => $this->time - 60 * 10, // 10mins ago
|
|||
'public_key' => $qb->createNamedParameter('public key'), |
|||
'private_key' => $qb->createNamedParameter('private key'), |
|||
'version' => $qb->createNamedParameter(2), |
|||
])->execute(); |
|||
} |
|||
|
|||
private function getNumberOfTokens() { |
|||
$qb = $this->dbConnection->getQueryBuilder(); |
|||
$result = $qb->select($qb->createFunction('count(*) as `count`')) |
|||
->from('authtoken') |
|||
->execute() |
|||
->fetch(); |
|||
return (int) $result['count']; |
|||
} |
|||
|
|||
public function testInvalidate() { |
|||
$token = '9c5a2e661482b65597408a6bb6c4a3d1af36337381872ac56e445a06cdb7fea2b1039db707545c11027a4966919918b19d875a8b774840b18c6cbb7ae56fe206'; |
|||
|
|||
$this->mapper->invalidate($token); |
|||
|
|||
$this->assertSame(2, $this->getNumberOfTokens()); |
|||
} |
|||
|
|||
public function testInvalidateInvalid() { |
|||
$token = 'youwontfindthisoneinthedatabase'; |
|||
|
|||
$this->mapper->invalidate($token); |
|||
|
|||
$this->assertSame(3, $this->getNumberOfTokens()); |
|||
} |
|||
|
|||
public function testInvalidateOld() { |
|||
$olderThan = $this->time - 60 * 60; // One hour
|
|||
|
|||
$this->mapper->invalidateOld($olderThan); |
|||
|
|||
$this->assertSame(2, $this->getNumberOfTokens()); |
|||
} |
|||
|
|||
public function testGetToken() { |
|||
$token = new PublicKeyToken(); |
|||
$token->setUid('user2'); |
|||
$token->setLoginName('User2'); |
|||
$token->setPassword('971a337057853344700bbeccf836519f|UwOQwyb34sJHtqPV|036d4890f8c21d17bbc7b88072d8ef049a5c832a38e97f3e3d5f9186e896c2593aee16883f617322fa242728d0236ff32d163caeb4bd45e14ca002c57a88665f'); |
|||
$token->setName('Firefox on Android'); |
|||
$token->setToken('1504445f1524fc801035448a95681a9378ba2e83930c814546c56e5d6ebde221198792fd900c88ed5ead0555780dad1ebce3370d7e154941cd5de87eb419899b'); |
|||
$token->setType(IToken::TEMPORARY_TOKEN); |
|||
$token->setRemember(IToken::DO_NOT_REMEMBER); |
|||
$token->setLastActivity($this->time - 60 * 60 * 24 * 3); |
|||
$token->setLastCheck($this->time - 10); |
|||
$token->setPublicKey('public key'); |
|||
$token->setPrivateKey('private key'); |
|||
$token->setVersion(PublicKeyToken::VERSION); |
|||
|
|||
$dbToken = $this->mapper->getToken($token->getToken()); |
|||
|
|||
$token->setId($dbToken->getId()); // We don't know the ID
|
|||
$token->resetUpdatedFields(); |
|||
|
|||
$this->assertEquals($token, $dbToken); |
|||
} |
|||
|
|||
/** |
|||
* @expectedException \OCP\AppFramework\Db\DoesNotExistException |
|||
*/ |
|||
public function testGetInvalidToken() { |
|||
$token = 'thisisaninvalidtokenthatisnotinthedatabase'; |
|||
|
|||
$this->mapper->getToken($token); |
|||
} |
|||
|
|||
public function testGetTokenById() { |
|||
$token = new PublicKeyToken(); |
|||
$token->setUid('user2'); |
|||
$token->setLoginName('User2'); |
|||
$token->setPassword('971a337057853344700bbeccf836519f|UwOQwyb34sJHtqPV|036d4890f8c21d17bbc7b88072d8ef049a5c832a38e97f3e3d5f9186e896c2593aee16883f617322fa242728d0236ff32d163caeb4bd45e14ca002c57a88665f'); |
|||
$token->setName('Firefox on Android'); |
|||
$token->setToken('1504445f1524fc801035448a95681a9378ba2e83930c814546c56e5d6ebde221198792fd900c88ed5ead0555780dad1ebce3370d7e154941cd5de87eb419899b'); |
|||
$token->setType(IToken::TEMPORARY_TOKEN); |
|||
$token->setRemember(IToken::DO_NOT_REMEMBER); |
|||
$token->setLastActivity($this->time - 60 * 60 * 24 * 3); |
|||
$token->setLastCheck($this->time - 10); |
|||
$token->setPublicKey('public key'); |
|||
$token->setPrivateKey('private key'); |
|||
$token->setVersion(PublicKeyToken::VERSION); |
|||
|
|||
$dbToken = $this->mapper->getToken($token->getToken()); |
|||
$token->setId($dbToken->getId()); // We don't know the ID
|
|||
$token->resetUpdatedFields(); |
|||
|
|||
$dbToken = $this->mapper->getTokenById($token->getId()); |
|||
$this->assertEquals($token, $dbToken); |
|||
} |
|||
|
|||
/** |
|||
* @expectedException \OCP\AppFramework\Db\DoesNotExistException |
|||
*/ |
|||
public function testGetTokenByIdNotFound() { |
|||
$this->mapper->getTokenById(-1); |
|||
} |
|||
|
|||
/** |
|||
* @expectedException \OCP\AppFramework\Db\DoesNotExistException |
|||
*/ |
|||
public function testGetInvalidTokenById() { |
|||
$id = '42'; |
|||
|
|||
$this->mapper->getToken($id); |
|||
} |
|||
|
|||
public function testGetTokenByUser() { |
|||
$this->assertCount(2, $this->mapper->getTokenByUser('user1')); |
|||
} |
|||
|
|||
public function testGetTokenByUserNotFound() { |
|||
$this->assertCount(0, $this->mapper->getTokenByUser('user1000')); |
|||
} |
|||
|
|||
public function testDeleteById() { |
|||
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */ |
|||
$user = $this->createMock(IUser::class); |
|||
$qb = $this->dbConnection->getQueryBuilder(); |
|||
$qb->select('id') |
|||
->from('authtoken') |
|||
->where($qb->expr()->eq('token', $qb->createNamedParameter('9c5a2e661482b65597408a6bb6c4a3d1af36337381872ac56e445a06cdb7fea2b1039db707545c11027a4966919918b19d875a8b774840b18c6cbb7ae56fe206'))); |
|||
$result = $qb->execute(); |
|||
$id = $result->fetch()['id']; |
|||
|
|||
$this->mapper->deleteById('user1', (int)$id); |
|||
$this->assertEquals(2, $this->getNumberOfTokens()); |
|||
} |
|||
|
|||
public function testDeleteByIdWrongUser() { |
|||
/** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */ |
|||
$user = $this->createMock(IUser::class); |
|||
$id = 33; |
|||
|
|||
$this->mapper->deleteById('user1000', $id); |
|||
$this->assertEquals(3, $this->getNumberOfTokens()); |
|||
} |
|||
|
|||
public function testDeleteByName() { |
|||
$qb = $this->dbConnection->getQueryBuilder(); |
|||
$qb->select('name') |
|||
->from('authtoken') |
|||
->where($qb->expr()->eq('token', $qb->createNamedParameter('9c5a2e661482b65597408a6bb6c4a3d1af36337381872ac56e445a06cdb7fea2b1039db707545c11027a4966919918b19d875a8b774840b18c6cbb7ae56fe206'))); |
|||
$result = $qb->execute(); |
|||
$name = $result->fetch()['name']; |
|||
$this->mapper->deleteByName($name); |
|||
$this->assertEquals(2, $this->getNumberOfTokens()); |
|||
} |
|||
|
|||
} |
|||
@ -0,0 +1,506 @@ |
|||
<?php |
|||
/** |
|||
* @copyright Copyright (c) 2018 Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @license GNU AGPL version 3 or any later version |
|||
* |
|||
* This program is free software: you can redistribute it and/or modify |
|||
* it under the terms of the GNU Affero General Public License as |
|||
* published by the Free Software Foundation, either version 3 of the |
|||
* License, or (at your option) any later version. |
|||
* |
|||
* This program is distributed in the hope that it will be useful, |
|||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|||
* GNU Affero General Public License for more details. |
|||
* |
|||
* You should have received a copy of the GNU Affero General Public License |
|||
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|||
* |
|||
*/ |
|||
|
|||
namespace Test\Authentication\Token; |
|||
|
|||
use OC\Authentication\Exceptions\InvalidTokenException; |
|||
use OC\Authentication\Exceptions\PasswordlessTokenException; |
|||
use OC\Authentication\Token\DefaultToken; |
|||
use OC\Authentication\Token\PublicKeyToken; |
|||
use OC\Authentication\Token\PublicKeyTokenMapper; |
|||
use OC\Authentication\Token\PublicKeyTokenProvider; |
|||
use OC\Authentication\Token\ExpiredTokenException; |
|||
use OC\Authentication\Token\IToken; |
|||
use OCP\AppFramework\Db\DoesNotExistException; |
|||
use OCP\AppFramework\Utility\ITimeFactory; |
|||
use OCP\IConfig; |
|||
use OCP\ILogger; |
|||
use OCP\IUser; |
|||
use OCP\Security\ICrypto; |
|||
use Test\TestCase; |
|||
|
|||
class PublicKeyTokenProviderTest extends TestCase { |
|||
|
|||
/** @var PublicKeyTokenProvider|\PHPUnit_Framework_MockObject_MockObject */ |
|||
private $tokenProvider; |
|||
/** @var PublicKeyTokenMapper|\PHPUnit_Framework_MockObject_MockObject */ |
|||
private $mapper; |
|||
/** @var ICrypto */ |
|||
private $crypto; |
|||
/** @var IConfig|\PHPUnit_Framework_MockObject_MockObject */ |
|||
private $config; |
|||
/** @var ILogger|\PHPUnit_Framework_MockObject_MockObject */ |
|||
private $logger; |
|||
/** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */ |
|||
private $timeFactory; |
|||
/** @var int */ |
|||
private $time; |
|||
|
|||
protected function setUp() { |
|||
parent::setUp(); |
|||
|
|||
$this->mapper = $this->createMock(PublicKeyTokenMapper::class); |
|||
$this->crypto = \OC::$server->getCrypto(); |
|||
$this->config = $this->createMock(IConfig::class); |
|||
$this->config->method('getSystemValue') |
|||
->will($this->returnValueMap([ |
|||
['session_lifetime', 60 * 60 * 24, 150], |
|||
['remember_login_cookie_lifetime', 60 * 60 * 24 * 15, 300], |
|||
['secret', '', '1f4h9s'], |
|||
])); |
|||
$this->logger = $this->createMock(ILogger::class); |
|||
$this->timeFactory = $this->createMock(ITimeFactory::class); |
|||
$this->time = 1313131; |
|||
$this->timeFactory->method('getTime') |
|||
->willReturn($this->time); |
|||
|
|||
$this->tokenProvider = new PublicKeyTokenProvider($this->mapper, $this->crypto, $this->config, $this->logger, |
|||
$this->timeFactory); |
|||
} |
|||
|
|||
public function testGenerateToken() { |
|||
$token = 'token'; |
|||
$uid = 'user'; |
|||
$user = 'User'; |
|||
$password = 'passme'; |
|||
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; |
|||
$type = IToken::PERMANENT_TOKEN; |
|||
|
|||
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); |
|||
|
|||
$this->assertInstanceOf(PublicKeyToken::class, $actual); |
|||
$this->assertSame($uid, $actual->getUID()); |
|||
$this->assertSame($user, $actual->getLoginName()); |
|||
$this->assertSame($name, $actual->getName()); |
|||
$this->assertSame(IToken::DO_NOT_REMEMBER, $actual->getRemember()); |
|||
$this->assertSame($password, $this->tokenProvider->getPassword($actual, $token)); |
|||
} |
|||
|
|||
public function testUpdateToken() { |
|||
$tk = new PublicKeyToken(); |
|||
$tk->setLastActivity($this->time - 200); |
|||
$this->mapper->expects($this->once()) |
|||
->method('update') |
|||
->with($tk); |
|||
|
|||
$this->tokenProvider->updateTokenActivity($tk); |
|||
|
|||
$this->assertEquals($this->time, $tk->getLastActivity()); |
|||
} |
|||
|
|||
public function testUpdateTokenDebounce() { |
|||
$tk = new PublicKeyToken(); |
|||
$tk->setLastActivity($this->time - 30); |
|||
$this->mapper->expects($this->never()) |
|||
->method('update') |
|||
->with($tk); |
|||
|
|||
$this->tokenProvider->updateTokenActivity($tk); |
|||
} |
|||
|
|||
public function testGetTokenByUser() { |
|||
$this->mapper->expects($this->once()) |
|||
->method('getTokenByUser') |
|||
->with('uid') |
|||
->will($this->returnValue(['token'])); |
|||
|
|||
$this->assertEquals(['token'], $this->tokenProvider->getTokenByUser('uid')); |
|||
} |
|||
|
|||
public function testGetPassword() { |
|||
$token = 'token'; |
|||
$uid = 'user'; |
|||
$user = 'User'; |
|||
$password = 'passme'; |
|||
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; |
|||
$type = IToken::PERMANENT_TOKEN; |
|||
|
|||
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); |
|||
|
|||
$this->assertSame($password, $this->tokenProvider->getPassword($actual, $token)); |
|||
} |
|||
|
|||
/** |
|||
* @expectedException \OC\Authentication\Exceptions\PasswordlessTokenException |
|||
*/ |
|||
public function testGetPasswordPasswordLessToken() { |
|||
$token = 'token1234'; |
|||
$tk = new PublicKeyToken(); |
|||
$tk->setPassword(null); |
|||
|
|||
$this->tokenProvider->getPassword($tk, $token); |
|||
} |
|||
|
|||
/** |
|||
* @expectedException \OC\Authentication\Exceptions\InvalidTokenException |
|||
*/ |
|||
public function testGetPasswordInvalidToken() { |
|||
$token = 'token'; |
|||
$uid = 'user'; |
|||
$user = 'User'; |
|||
$password = 'passme'; |
|||
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; |
|||
$type = IToken::PERMANENT_TOKEN; |
|||
|
|||
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); |
|||
|
|||
$this->tokenProvider->getPassword($actual, 'wrongtoken'); |
|||
} |
|||
|
|||
public function testSetPassword() { |
|||
$token = 'token'; |
|||
$uid = 'user'; |
|||
$user = 'User'; |
|||
$password = 'passme'; |
|||
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; |
|||
$type = IToken::PERMANENT_TOKEN; |
|||
|
|||
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); |
|||
|
|||
$this->mapper->method('getTokenByUser') |
|||
->with('user') |
|||
->willReturn([$actual]); |
|||
|
|||
$newpass = 'newpass'; |
|||
$this->mapper->expects($this->once()) |
|||
->method('update') |
|||
->with($this->callback(function ($token) use ($newpass) { |
|||
return $newpass === $this->tokenProvider->getPassword($token, 'token'); |
|||
})); |
|||
|
|||
|
|||
$this->tokenProvider->setPassword($actual, $token, $newpass); |
|||
|
|||
$this->assertSame($newpass, $this->tokenProvider->getPassword($actual, 'token')); |
|||
} |
|||
|
|||
/** |
|||
* @expectedException \OC\Authentication\Exceptions\InvalidTokenException |
|||
*/ |
|||
public function testSetPasswordInvalidToken() { |
|||
$token = $this->createMock(IToken::class); |
|||
$tokenId = 'token123'; |
|||
$password = '123456'; |
|||
|
|||
$this->tokenProvider->setPassword($token, $tokenId, $password); |
|||
} |
|||
|
|||
public function testInvalidateToken() { |
|||
$this->mapper->expects($this->once()) |
|||
->method('invalidate') |
|||
->with(hash('sha512', 'token7'.'1f4h9s')); |
|||
|
|||
$this->tokenProvider->invalidateToken('token7'); |
|||
} |
|||
|
|||
public function testInvaildateTokenById() { |
|||
$id = 123; |
|||
|
|||
$this->mapper->expects($this->once()) |
|||
->method('deleteById') |
|||
->with('uid', $id); |
|||
|
|||
$this->tokenProvider->invalidateTokenById('uid', $id); |
|||
} |
|||
|
|||
public function testInvalidateOldTokens() { |
|||
$defaultSessionLifetime = 60 * 60 * 24; |
|||
$defaultRememberMeLifetime = 60 * 60 * 24 * 15; |
|||
$this->config->expects($this->exactly(2)) |
|||
->method('getSystemValue') |
|||
->will($this->returnValueMap([ |
|||
['session_lifetime', $defaultSessionLifetime, 150], |
|||
['remember_login_cookie_lifetime', $defaultRememberMeLifetime, 300], |
|||
])); |
|||
$this->mapper->expects($this->at(0)) |
|||
->method('invalidateOld') |
|||
->with($this->time - 150); |
|||
$this->mapper->expects($this->at(1)) |
|||
->method('invalidateOld') |
|||
->with($this->time - 300); |
|||
|
|||
$this->tokenProvider->invalidateOldTokens(); |
|||
} |
|||
|
|||
public function testRenewSessionTokenWithoutPassword() { |
|||
$token = 'oldId'; |
|||
$uid = 'user'; |
|||
$user = 'User'; |
|||
$password = null; |
|||
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; |
|||
$type = IToken::PERMANENT_TOKEN; |
|||
|
|||
$oldToken = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); |
|||
|
|||
$this->mapper |
|||
->expects($this->at(0)) |
|||
->method('getToken') |
|||
->with(hash('sha512', 'oldId' . '1f4h9s')) |
|||
->willReturn($oldToken); |
|||
$this->mapper |
|||
->expects($this->at(1)) |
|||
->method('insert') |
|||
->with($this->callback(function (PublicKeyToken $token) use ($user, $uid, $name) { |
|||
return $token->getUID() === $uid && |
|||
$token->getLoginName() === $user && |
|||
$token->getName() === $name && |
|||
$token->getType() === IToken::DO_NOT_REMEMBER && |
|||
$token->getLastActivity() === $this->time && |
|||
$token->getPassword() === null; |
|||
})); |
|||
$this->mapper |
|||
->expects($this->at(2)) |
|||
->method('delete') |
|||
->with($this->callback(function($token) use ($oldToken) { |
|||
return $token === $oldToken; |
|||
})); |
|||
|
|||
$this->tokenProvider->renewSessionToken('oldId', 'newId'); |
|||
} |
|||
|
|||
public function testRenewSessionTokenWithPassword() { |
|||
$token = 'oldId'; |
|||
$uid = 'user'; |
|||
$user = 'User'; |
|||
$password = 'password'; |
|||
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; |
|||
$type = IToken::PERMANENT_TOKEN; |
|||
|
|||
$oldToken = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); |
|||
|
|||
$this->mapper |
|||
->expects($this->at(0)) |
|||
->method('getToken') |
|||
->with(hash('sha512', 'oldId' . '1f4h9s')) |
|||
->willReturn($oldToken); |
|||
$this->mapper |
|||
->expects($this->at(1)) |
|||
->method('insert') |
|||
->with($this->callback(function (PublicKeyToken $token) use ($user, $uid, $name) { |
|||
return $token->getUID() === $uid && |
|||
$token->getLoginName() === $user && |
|||
$token->getName() === $name && |
|||
$token->getType() === IToken::DO_NOT_REMEMBER && |
|||
$token->getLastActivity() === $this->time && |
|||
$token->getPassword() !== null && |
|||
$this->tokenProvider->getPassword($token, 'newId') === 'password'; |
|||
})); |
|||
$this->mapper |
|||
->expects($this->at(2)) |
|||
->method('delete') |
|||
->with($this->callback(function($token) use ($oldToken) { |
|||
return $token === $oldToken; |
|||
})); |
|||
|
|||
$this->tokenProvider->renewSessionToken('oldId', 'newId'); |
|||
} |
|||
|
|||
public function testGetToken() { |
|||
$token = new PublicKeyToken(); |
|||
|
|||
$this->config->method('getSystemValue') |
|||
->with('secret') |
|||
->willReturn('mysecret'); |
|||
|
|||
$this->mapper->method('getToken') |
|||
->with( |
|||
$this->callback(function (string $token) { |
|||
return hash('sha512', 'unhashedToken'.'1f4h9s') === $token; |
|||
}) |
|||
)->willReturn($token); |
|||
|
|||
$this->assertSame($token, $this->tokenProvider->getToken('unhashedToken')); |
|||
} |
|||
|
|||
public function testGetInvalidToken() { |
|||
$this->expectException(InvalidTokenException::class); |
|||
|
|||
$this->mapper->method('getToken') |
|||
->with( |
|||
$this->callback(function (string $token) { |
|||
return hash('sha512', 'unhashedToken'.'1f4h9s') === $token; |
|||
}) |
|||
)->willThrowException(new DoesNotExistException('nope')); |
|||
|
|||
$this->tokenProvider->getToken('unhashedToken'); |
|||
} |
|||
|
|||
public function testGetExpiredToken() { |
|||
$token = 'token'; |
|||
$uid = 'user'; |
|||
$user = 'User'; |
|||
$password = 'passme'; |
|||
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; |
|||
$type = IToken::PERMANENT_TOKEN; |
|||
|
|||
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); |
|||
$actual->setExpires(42); |
|||
|
|||
$this->mapper->method('getToken') |
|||
->with( |
|||
$this->callback(function (string $token) { |
|||
return hash('sha512', 'token'.'1f4h9s') === $token; |
|||
}) |
|||
)->willReturn($actual); |
|||
|
|||
try { |
|||
$this->tokenProvider->getToken('token'); |
|||
$this->fail(); |
|||
} catch (ExpiredTokenException $e) { |
|||
$this->assertSame($actual, $e->getToken()); |
|||
} |
|||
|
|||
} |
|||
|
|||
public function testGetTokenById() { |
|||
$token = $this->createMock(PublicKeyToken::class); |
|||
|
|||
$this->mapper->expects($this->once()) |
|||
->method('getTokenById') |
|||
->with($this->equalTo(42)) |
|||
->willReturn($token); |
|||
|
|||
$this->assertSame($token, $this->tokenProvider->getTokenById(42)); |
|||
} |
|||
|
|||
public function testGetInvalidTokenById() { |
|||
$this->expectException(InvalidTokenException::class); |
|||
|
|||
$this->mapper->expects($this->once()) |
|||
->method('getTokenById') |
|||
->with($this->equalTo(42)) |
|||
->willThrowException(new DoesNotExistException('nope')); |
|||
|
|||
$this->tokenProvider->getTokenById(42); |
|||
} |
|||
|
|||
public function testGetExpiredTokenById() { |
|||
$token = new PublicKeyToken(); |
|||
$token->setExpires(42); |
|||
|
|||
$this->mapper->expects($this->once()) |
|||
->method('getTokenById') |
|||
->with($this->equalTo(42)) |
|||
->willReturn($token); |
|||
|
|||
try { |
|||
$this->tokenProvider->getTokenById(42); |
|||
$this->fail(); |
|||
} catch (ExpiredTokenException $e) { |
|||
$this->assertSame($token, $e->getToken()); |
|||
} |
|||
} |
|||
|
|||
public function testRotate() { |
|||
$token = 'oldtoken'; |
|||
$uid = 'user'; |
|||
$user = 'User'; |
|||
$password = 'password'; |
|||
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; |
|||
$type = IToken::PERMANENT_TOKEN; |
|||
|
|||
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); |
|||
|
|||
$new = $this->tokenProvider->rotate($actual, 'oldtoken', 'newtoken'); |
|||
|
|||
$this->assertSame('password', $this->tokenProvider->getPassword($new, 'newtoken')); |
|||
} |
|||
|
|||
public function testRotateNoPassword() { |
|||
$token = 'oldtoken'; |
|||
$uid = 'user'; |
|||
$user = 'User'; |
|||
$password = null; |
|||
$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12' |
|||
. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'; |
|||
$type = IToken::PERMANENT_TOKEN; |
|||
|
|||
$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER); |
|||
|
|||
$oldPrivate = $actual->getPrivateKey(); |
|||
|
|||
$new = $this->tokenProvider->rotate($actual, 'oldtoken', 'newtoken'); |
|||
|
|||
$newPrivate = $new->getPrivateKey(); |
|||
|
|||
$this->assertNotSame($newPrivate, $oldPrivate); |
|||
$this->assertNull($new->getPassword()); |
|||
} |
|||
|
|||
public function testConvertToken() { |
|||
$defaultToken = new DefaultToken(); |
|||
$defaultToken->setId(42); |
|||
$defaultToken->setPassword('oldPass'); |
|||
$defaultToken->setExpires(1337); |
|||
$defaultToken->setToken('oldToken'); |
|||
$defaultToken->setUid('uid'); |
|||
$defaultToken->setLoginName('loginName'); |
|||
$defaultToken->setLastActivity(999); |
|||
$defaultToken->setName('name'); |
|||
$defaultToken->setRemember(IToken::REMEMBER); |
|||
$defaultToken->setType(IToken::PERMANENT_TOKEN); |
|||
|
|||
$this->mapper->expects($this->once()) |
|||
->method('update') |
|||
->willReturnArgument(0); |
|||
|
|||
$newToken = $this->tokenProvider->convertToken($defaultToken, 'newToken', 'newPassword'); |
|||
|
|||
$this->assertSame(42, $newToken->getId()); |
|||
$this->assertSame('newPassword', $this->tokenProvider->getPassword($newToken, 'newToken')); |
|||
$this->assertSame(1337, $newToken->getExpires()); |
|||
$this->assertSame('uid', $newToken->getUID()); |
|||
$this->assertSame('loginName', $newToken->getLoginName()); |
|||
$this->assertSame(1313131, $newToken->getLastActivity()); |
|||
$this->assertSame(1313131, $newToken->getLastCheck()); |
|||
$this->assertSame('name', $newToken->getName()); |
|||
$this->assertSame(IToken::REMEMBER, $newToken->getRemember()); |
|||
$this->assertSame(IToken::PERMANENT_TOKEN, $newToken->getType()); |
|||
} |
|||
} |
|||
@ -0,0 +1,44 @@ |
|||
<?php |
|||
declare(strict_types=1); |
|||
/** |
|||
* @copyright Copyright (c) 2018 Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @author Roeland Jago Douma <roeland@famdouma.nl> |
|||
* |
|||
* @license GNU AGPL version 3 or any later version |
|||
* |
|||
* This program is free software: you can redistribute it and/or modify |
|||
* it under the terms of the GNU Affero General Public License as |
|||
* published by the Free Software Foundation, either version 3 of the |
|||
* License, or (at your option) any later version. |
|||
* |
|||
* This program is distributed in the hope that it will be useful, |
|||
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|||
* GNU Affero General Public License for more details. |
|||
* |
|||
* You should have received a copy of the GNU Affero General Public License |
|||
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|||
* |
|||
*/ |
|||
|
|||
namespace Test\Authentication\Token; |
|||
|
|||
use OC\Authentication\Token\PublicKeyToken; |
|||
use Test\TestCase; |
|||
|
|||
class PublicKeyTokenTest extends TestCase { |
|||
public function testSetScopeAsArray() { |
|||
$scope = ['filesystem' => false]; |
|||
$token = new PublicKeyToken(); |
|||
$token->setScope($scope); |
|||
$this->assertEquals(json_encode($scope), $token->getScope()); |
|||
$this->assertEquals($scope, $token->getScopeAsArray()); |
|||
} |
|||
|
|||
public function testDefaultScope() { |
|||
$scope = ['filesystem' => true]; |
|||
$token = new PublicKeyToken(); |
|||
$this->assertEquals($scope, $token->getScopeAsArray()); |
|||
} |
|||
} |
|||
Write
Preview
Loading…
Cancel
Save
Reference in new issue