mirror of https://github.com/nextcloud/server.git
move verification token logic out of lost password controller
- to make it reusable - needed for local email verification Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>pull/28422/head
parent
9be939300a
commit
19cc757531
@ -0,0 +1,111 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
/**
|
||||
* @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de>
|
||||
*
|
||||
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OC\Security\VerificationToken;
|
||||
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\IConfig;
|
||||
use OCP\IUser;
|
||||
use OCP\Security\ICrypto;
|
||||
use OCP\Security\ISecureRandom;
|
||||
use OCP\Security\VerificationToken\InvalidTokenException;
|
||||
use OCP\Security\VerificationToken\IVerificationToken;
|
||||
|
||||
class VerificationToken implements IVerificationToken {
|
||||
|
||||
/** @var IConfig */
|
||||
private $config;
|
||||
/** @var ICrypto */
|
||||
private $crypto;
|
||||
/** @var ITimeFactory */
|
||||
private $timeFactory;
|
||||
/** @var ISecureRandom */
|
||||
private $secureRandom;
|
||||
|
||||
public function __construct(
|
||||
IConfig $config,
|
||||
ICrypto $crypto,
|
||||
ITimeFactory $timeFactory,
|
||||
ISecureRandom $secureRandom
|
||||
) {
|
||||
$this->config = $config;
|
||||
$this->crypto = $crypto;
|
||||
$this->timeFactory = $timeFactory;
|
||||
$this->secureRandom = $secureRandom;
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws InvalidTokenException
|
||||
*/
|
||||
protected function throwInvalidTokenException(int $code): void {
|
||||
throw new InvalidTokenException($code);
|
||||
}
|
||||
|
||||
public function check(string $token, ?IUser $user, string $subject, string $passwordPrefix = ''): void {
|
||||
if ($user === null || !$user->isEnabled()) {
|
||||
$this->throwInvalidTokenException(InvalidTokenException::USER_UNKNOWN);
|
||||
}
|
||||
|
||||
$encryptedToken = $this->config->getUserValue($user->getUID(), 'core', $subject, null);
|
||||
if ($encryptedToken === null) {
|
||||
$this->throwInvalidTokenException(InvalidTokenException::TOKEN_NOT_FOUND);
|
||||
}
|
||||
|
||||
try {
|
||||
$decryptedToken = $this->crypto->decrypt($encryptedToken, $passwordPrefix.$this->config->getSystemValue('secret'));
|
||||
} catch (\Exception $e) {
|
||||
$this->throwInvalidTokenException(InvalidTokenException::TOKEN_DECRYPTION_ERROR);
|
||||
}
|
||||
|
||||
$splitToken = explode(':', $decryptedToken ?? '');
|
||||
if (count($splitToken) !== 2) {
|
||||
$this->throwInvalidTokenException(InvalidTokenException::TOKEN_INVALID_FORMAT);
|
||||
}
|
||||
|
||||
if ($splitToken[0] < ($this->timeFactory->getTime() - 60 * 60 * 24 * 7) ||
|
||||
$user->getLastLogin() > $splitToken[0]) {
|
||||
$this->throwInvalidTokenException(InvalidTokenException::TOKEN_EXPIRED);
|
||||
}
|
||||
|
||||
if (!hash_equals($splitToken[1], $token)) {
|
||||
$this->throwInvalidTokenException(InvalidTokenException::TOKEN_MISMATCH);
|
||||
}
|
||||
}
|
||||
|
||||
public function create(IUser $user, string $subject, string $passwordPrefix = ''): string {
|
||||
$token = $this->secureRandom->generate(
|
||||
21,
|
||||
ISecureRandom::CHAR_DIGITS.
|
||||
ISecureRandom::CHAR_LOWER.
|
||||
ISecureRandom::CHAR_UPPER
|
||||
);
|
||||
$tokenValue = $this->timeFactory->getTime() .':'. $token;
|
||||
$encryptedValue = $this->crypto->encrypt($tokenValue, $passwordPrefix . $this->config->getSystemValue('secret'));
|
||||
$this->config->setUserValue($user->getUID(), 'core', $subject, $encryptedValue);
|
||||
|
||||
return $token;
|
||||
}
|
||||
}
|
@ -0,0 +1,55 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
/**
|
||||
* @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de>
|
||||
*
|
||||
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OCP\Security\VerificationToken;
|
||||
|
||||
use OCP\IUser;
|
||||
|
||||
/**
|
||||
* @since 23.0.0
|
||||
*/
|
||||
interface IVerificationToken {
|
||||
|
||||
/**
|
||||
* Checks whether the a provided tokent matches a stored token and its
|
||||
* constraints. An InvalidTokenException is thrown on issues, otherwise
|
||||
* the check is successful.
|
||||
*
|
||||
* null can be passed as $user, but mind that this is for conveniently
|
||||
* passing the return of IUserManager::getUser() to this method. When
|
||||
* $user is null, InvalidTokenException is thrown for all the issued
|
||||
* tokens are user related.
|
||||
*
|
||||
* @throws InvalidTokenException
|
||||
* @since 23.0.0
|
||||
*/
|
||||
public function check(string $token, ?IUser $user, string $subject, string $passwordPrefix = ''): void;
|
||||
|
||||
/**
|
||||
* @since 23.0.0
|
||||
*/
|
||||
public function create(IUser $user, string $subject, string $passwordPrefix = ''): string;
|
||||
}
|
@ -0,0 +1,74 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
/**
|
||||
* @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de>
|
||||
*
|
||||
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OCP\Security\VerificationToken;
|
||||
|
||||
/** @since 23.0.0 */
|
||||
class InvalidTokenException extends \Exception {
|
||||
|
||||
/**
|
||||
* @since 23.0.0
|
||||
*/
|
||||
public function __construct(int $code) {
|
||||
parent::__construct('', $code);
|
||||
}
|
||||
|
||||
/**
|
||||
* @var int
|
||||
* @since 23.0.0
|
||||
*/
|
||||
public const USER_UNKNOWN = 1;
|
||||
|
||||
/**
|
||||
* @var int
|
||||
* @since 23.0.0
|
||||
*/
|
||||
public const TOKEN_NOT_FOUND = 2;
|
||||
|
||||
/**
|
||||
* @var int
|
||||
* @since 23.0.0
|
||||
*/
|
||||
public const TOKEN_DECRYPTION_ERROR = 3;
|
||||
|
||||
/**
|
||||
* @var int
|
||||
* @since 23.0.0
|
||||
*/
|
||||
public const TOKEN_INVALID_FORMAT = 4;
|
||||
|
||||
/**
|
||||
* @var int
|
||||
* @since 23.0.0
|
||||
*/
|
||||
public const TOKEN_EXPIRED = 5;
|
||||
|
||||
/**
|
||||
* @var int
|
||||
* @since 23.0.0
|
||||
*/
|
||||
public const TOKEN_MISMATCH = 6;
|
||||
}
|
@ -0,0 +1,272 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
/**
|
||||
* @copyright Copyright (c) 2021 Arthur Schiwon <blizzz@arthur-schiwon.de>
|
||||
*
|
||||
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace Test\Security\VerificationToken;
|
||||
|
||||
use OC\Security\VerificationToken\VerificationToken;
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\IConfig;
|
||||
use OCP\IUser;
|
||||
use OCP\Security\ICrypto;
|
||||
use OCP\Security\ISecureRandom;
|
||||
use OCP\Security\VerificationToken\InvalidTokenException;
|
||||
use Test\TestCase;
|
||||
|
||||
class VerificationTokenTest extends TestCase {
|
||||
/** @var VerificationToken */
|
||||
protected $token;
|
||||
/** @var IConfig|\PHPUnit\Framework\MockObject\MockObject */
|
||||
protected $config;
|
||||
/** @var ISecureRandom|\PHPUnit\Framework\MockObject\MockObject */
|
||||
protected $secureRandom;
|
||||
/** @var ICrypto|\PHPUnit\Framework\MockObject\MockObject */
|
||||
protected $crypto;
|
||||
/** @var ITimeFactory|\PHPUnit\Framework\MockObject\MockObject */
|
||||
protected $timeFactory;
|
||||
|
||||
protected function setUp(): void {
|
||||
parent::setUp();
|
||||
|
||||
$this->config = $this->createMock(IConfig::class);
|
||||
$this->crypto = $this->createMock(ICrypto::class);
|
||||
$this->timeFactory = $this->createMock(ITimeFactory::class);
|
||||
$this->secureRandom = $this->createMock(ISecureRandom::class);
|
||||
|
||||
$this->token = new VerificationToken(
|
||||
$this->config,
|
||||
$this->crypto,
|
||||
$this->timeFactory,
|
||||
$this->secureRandom
|
||||
);
|
||||
}
|
||||
|
||||
public function testTokenUserUnknown() {
|
||||
$this->expectException(InvalidTokenException::class);
|
||||
$this->expectExceptionCode(InvalidTokenException::USER_UNKNOWN);
|
||||
$this->token->check('encryptedToken', null, 'fingerprintToken', 'foobar');
|
||||
}
|
||||
|
||||
public function testTokenUserUnknown2() {
|
||||
$user = $this->createMock(IUser::class);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('isEnabled')
|
||||
->willReturn(false);
|
||||
|
||||
$this->expectException(InvalidTokenException::class);
|
||||
$this->expectExceptionCode(InvalidTokenException::USER_UNKNOWN);
|
||||
$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
|
||||
}
|
||||
|
||||
public function testTokenNotFound() {
|
||||
$user = $this->createMock(IUser::class);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('isEnabled')
|
||||
->willReturn(true);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('getUID')
|
||||
->willReturn('alice');
|
||||
|
||||
// implicit: IConfig::getUserValue returns null by default
|
||||
|
||||
$this->expectException(InvalidTokenException::class);
|
||||
$this->expectExceptionCode(InvalidTokenException::TOKEN_NOT_FOUND);
|
||||
$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
|
||||
}
|
||||
|
||||
public function testTokenDecryptionError() {
|
||||
$user = $this->createMock(IUser::class);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('isEnabled')
|
||||
->willReturn(true);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('getUID')
|
||||
->willReturn('alice');
|
||||
|
||||
$this->config->expects($this->atLeastOnce())
|
||||
->method('getUserValue')
|
||||
->with('alice', 'core', 'fingerprintToken', null)
|
||||
->willReturn('encryptedToken');
|
||||
$this->config->expects($this->any())
|
||||
->method('getSystemValue')
|
||||
->with('secret')
|
||||
->willReturn('357111317');
|
||||
|
||||
$this->crypto->method('decrypt')
|
||||
->with('encryptedToken', 'foobar' . '357111317')
|
||||
->willThrowException(new \Exception('decryption failed'));
|
||||
|
||||
$this->expectException(InvalidTokenException::class);
|
||||
$this->expectExceptionCode(InvalidTokenException::TOKEN_DECRYPTION_ERROR);
|
||||
$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
|
||||
}
|
||||
|
||||
public function testTokenInvalidFormat() {
|
||||
$user = $this->createMock(IUser::class);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('isEnabled')
|
||||
->willReturn(true);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('getUID')
|
||||
->willReturn('alice');
|
||||
|
||||
$this->config->expects($this->atLeastOnce())
|
||||
->method('getUserValue')
|
||||
->with('alice', 'core', 'fingerprintToken', null)
|
||||
->willReturn('encryptedToken');
|
||||
$this->config->expects($this->any())
|
||||
->method('getSystemValue')
|
||||
->with('secret')
|
||||
->willReturn('357111317');
|
||||
|
||||
$this->crypto->method('decrypt')
|
||||
->with('encryptedToken', 'foobar' . '357111317')
|
||||
->willReturn('decrypted^nonsense');
|
||||
|
||||
$this->expectException(InvalidTokenException::class);
|
||||
$this->expectExceptionCode(InvalidTokenException::TOKEN_INVALID_FORMAT);
|
||||
$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
|
||||
}
|
||||
|
||||
public function testTokenExpired() {
|
||||
$user = $this->createMock(IUser::class);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('isEnabled')
|
||||
->willReturn(true);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('getUID')
|
||||
->willReturn('alice');
|
||||
$user->expects($this->any())
|
||||
->method('getLastLogin')
|
||||
->willReturn(604803);
|
||||
|
||||
$this->config->expects($this->atLeastOnce())
|
||||
->method('getUserValue')
|
||||
->with('alice', 'core', 'fingerprintToken', null)
|
||||
->willReturn('encryptedToken');
|
||||
$this->config->expects($this->any())
|
||||
->method('getSystemValue')
|
||||
->with('secret')
|
||||
->willReturn('357111317');
|
||||
|
||||
$this->crypto->method('decrypt')
|
||||
->with('encryptedToken', 'foobar' . '357111317')
|
||||
->willReturn('604800:mY70K3n');
|
||||
|
||||
$this->timeFactory->expects($this->any())
|
||||
->method('getTime')
|
||||
->willReturn(604801);
|
||||
|
||||
$this->expectException(InvalidTokenException::class);
|
||||
$this->expectExceptionCode(InvalidTokenException::TOKEN_EXPIRED);
|
||||
$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
|
||||
}
|
||||
|
||||
public function testTokenMismatch() {
|
||||
$user = $this->createMock(IUser::class);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('isEnabled')
|
||||
->willReturn(true);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('getUID')
|
||||
->willReturn('alice');
|
||||
$user->expects($this->any())
|
||||
->method('getLastLogin')
|
||||
->willReturn(604703);
|
||||
|
||||
$this->config->expects($this->atLeastOnce())
|
||||
->method('getUserValue')
|
||||
->with('alice', 'core', 'fingerprintToken', null)
|
||||
->willReturn('encryptedToken');
|
||||
$this->config->expects($this->any())
|
||||
->method('getSystemValue')
|
||||
->with('secret')
|
||||
->willReturn('357111317');
|
||||
|
||||
$this->crypto->method('decrypt')
|
||||
->with('encryptedToken', 'foobar' . '357111317')
|
||||
->willReturn('604802:mY70K3n');
|
||||
|
||||
$this->timeFactory->expects($this->any())
|
||||
->method('getTime')
|
||||
->willReturn(604801);
|
||||
|
||||
$this->expectException(InvalidTokenException::class);
|
||||
$this->expectExceptionCode(InvalidTokenException::TOKEN_MISMATCH);
|
||||
$this->token->check('encryptedToken', $user, 'fingerprintToken', 'foobar');
|
||||
}
|
||||
|
||||
public function testTokenSuccess() {
|
||||
$user = $this->createMock(IUser::class);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('isEnabled')
|
||||
->willReturn(true);
|
||||
$user->expects($this->atLeastOnce())
|
||||
->method('getUID')
|
||||
->willReturn('alice');
|
||||
$user->expects($this->any())
|
||||
->method('getLastLogin')
|
||||
->willReturn(604703);
|
||||
|
||||
$this->config->expects($this->atLeastOnce())
|
||||
->method('getUserValue')
|
||||
->with('alice', 'core', 'fingerprintToken', null)
|
||||
->willReturn('encryptedToken');
|
||||
$this->config->expects($this->any())
|
||||
->method('getSystemValue')
|
||||
->with('secret')
|
||||
->willReturn('357111317');
|
||||
|
||||
$this->crypto->method('decrypt')
|
||||
->with('encryptedToken', 'foobar' . '357111317')
|
||||
->willReturn('604802:barfoo');
|
||||
|
||||
$this->timeFactory->expects($this->any())
|
||||
->method('getTime')
|
||||
->willReturn(604801);
|
||||
|
||||
$this->token->check('barfoo', $user, 'fingerprintToken', 'foobar');
|
||||
}
|
||||
|
||||
public function testCreate() {
|
||||
$user = $this->createMock(IUser::class);
|
||||
$user->expects($this->any())
|
||||
->method('getUID')
|
||||
->willReturn('alice');
|
||||
|
||||
$this->secureRandom->expects($this->atLeastOnce())
|
||||
->method('generate')
|
||||
->willReturn('barfoo');
|
||||
$this->crypto->expects($this->atLeastOnce())
|
||||
->method('encrypt')
|
||||
->willReturn('encryptedToken');
|
||||
$this->config->expects($this->atLeastOnce())
|
||||
->method('setUserValue')
|
||||
->with('alice', 'core', 'fingerprintToken', 'encryptedToken');
|
||||
|
||||
$vToken = $this->token->create($user, 'fingerprintToken', 'foobar');
|
||||
$this->assertSame('barfoo', $vToken);
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue