|
|
|
@ -29,13 +29,14 @@ declare(strict_types=1);
|
|
|
|
|
*/
|
|
|
|
|
namespace OC\Authentication\Token;
|
|
|
|
|
|
|
|
|
|
use OCP\ICache;
|
|
|
|
|
use OCP\ICacheFactory;
|
|
|
|
|
use OC\Authentication\Exceptions\ExpiredTokenException;
|
|
|
|
|
use OC\Authentication\Exceptions\InvalidTokenException;
|
|
|
|
|
use OC\Authentication\Exceptions\TokenPasswordExpiredException;
|
|
|
|
|
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
|
|
|
|
use OC\Authentication\Exceptions\WipeTokenException;
|
|
|
|
|
use OCP\AppFramework\Db\TTransactional;
|
|
|
|
|
use OCP\Cache\CappedMemoryCache;
|
|
|
|
|
use OCP\AppFramework\Db\DoesNotExistException;
|
|
|
|
|
use OCP\AppFramework\Utility\ITimeFactory;
|
|
|
|
|
use OCP\IConfig;
|
|
|
|
@ -47,6 +48,8 @@ use Psr\Log\LoggerInterface;
|
|
|
|
|
|
|
|
|
|
class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
public const TOKEN_MIN_LENGTH = 22;
|
|
|
|
|
/** Token cache TTL in seconds */
|
|
|
|
|
private const TOKEN_CACHE_TTL = 10;
|
|
|
|
|
|
|
|
|
|
use TTransactional;
|
|
|
|
|
|
|
|
|
@ -67,10 +70,11 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
/** @var ITimeFactory */
|
|
|
|
|
private $time;
|
|
|
|
|
|
|
|
|
|
/** @var CappedMemoryCache */
|
|
|
|
|
/** @var ICache */
|
|
|
|
|
private $cache;
|
|
|
|
|
|
|
|
|
|
private IHasher $hasher;
|
|
|
|
|
/** @var IHasher */
|
|
|
|
|
private $hasher;
|
|
|
|
|
|
|
|
|
|
public function __construct(PublicKeyTokenMapper $mapper,
|
|
|
|
|
ICrypto $crypto,
|
|
|
|
@ -78,7 +82,8 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
IDBConnection $db,
|
|
|
|
|
LoggerInterface $logger,
|
|
|
|
|
ITimeFactory $time,
|
|
|
|
|
IHasher $hasher) {
|
|
|
|
|
IHasher $hasher,
|
|
|
|
|
ICacheFactory $cacheFactory) {
|
|
|
|
|
$this->mapper = $mapper;
|
|
|
|
|
$this->crypto = $crypto;
|
|
|
|
|
$this->config = $config;
|
|
|
|
@ -86,7 +91,7 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
$this->logger = $logger;
|
|
|
|
|
$this->time = $time;
|
|
|
|
|
|
|
|
|
|
$this->cache = new CappedMemoryCache();
|
|
|
|
|
$this->cache = $cacheFactory->createLocal('authtoken_');
|
|
|
|
|
$this->hasher = $hasher;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -128,7 +133,7 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add the token to the cache
|
|
|
|
|
$this->cache[$dbToken->getToken()] = $dbToken;
|
|
|
|
|
$this->cacheToken($dbToken);
|
|
|
|
|
|
|
|
|
|
return $dbToken;
|
|
|
|
|
}
|
|
|
|
@ -156,43 +161,56 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$tokenHash = $this->hashToken($tokenId);
|
|
|
|
|
if ($token = $this->getTokenFromCache($tokenHash)) {
|
|
|
|
|
$this->checkToken($token);
|
|
|
|
|
return $token;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (isset($this->cache[$tokenHash])) {
|
|
|
|
|
if ($this->cache[$tokenHash] instanceof DoesNotExistException) {
|
|
|
|
|
$ex = $this->cache[$tokenHash];
|
|
|
|
|
throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
|
|
|
|
|
}
|
|
|
|
|
$token = $this->cache[$tokenHash];
|
|
|
|
|
} else {
|
|
|
|
|
try {
|
|
|
|
|
$token = $this->mapper->getToken($tokenHash);
|
|
|
|
|
$this->cacheToken($token);
|
|
|
|
|
} catch (DoesNotExistException $ex) {
|
|
|
|
|
try {
|
|
|
|
|
$token = $this->mapper->getToken($tokenHash);
|
|
|
|
|
$this->cache[$token->getToken()] = $token;
|
|
|
|
|
} catch (DoesNotExistException $ex) {
|
|
|
|
|
try {
|
|
|
|
|
$token = $this->mapper->getToken($this->hashTokenWithEmptySecret($tokenId));
|
|
|
|
|
$this->cache[$token->getToken()] = $token;
|
|
|
|
|
$this->rotate($token, $tokenId, $tokenId);
|
|
|
|
|
} catch (DoesNotExistException $ex2) {
|
|
|
|
|
$this->cache[$tokenHash] = $ex2;
|
|
|
|
|
throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
|
|
|
|
|
}
|
|
|
|
|
$token = $this->mapper->getToken($this->hashTokenWithEmptySecret($tokenId));
|
|
|
|
|
$this->rotate($token, $tokenId, $tokenId);
|
|
|
|
|
} catch (DoesNotExistException) {
|
|
|
|
|
$this->cacheInvalidHash($tokenHash);
|
|
|
|
|
throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
|
|
|
|
|
throw new ExpiredTokenException($token);
|
|
|
|
|
}
|
|
|
|
|
$this->checkToken($token);
|
|
|
|
|
|
|
|
|
|
if ($token->getType() === IToken::WIPE_TOKEN) {
|
|
|
|
|
throw new WipeTokenException($token);
|
|
|
|
|
return $token;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @throws InvalidTokenException when token doesn't exist
|
|
|
|
|
*/
|
|
|
|
|
private function getTokenFromCache(string $tokenHash): ?PublicKeyToken {
|
|
|
|
|
$serializedToken = $this->cache->get($tokenHash);
|
|
|
|
|
if ($serializedToken === false) {
|
|
|
|
|
throw new InvalidTokenException('Token does not exist: ' . $tokenHash);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ($token->getPasswordInvalid() === true) {
|
|
|
|
|
//The password is invalid we should throw an TokenPasswordExpiredException
|
|
|
|
|
throw new TokenPasswordExpiredException($token);
|
|
|
|
|
if ($serializedToken === null) {
|
|
|
|
|
return null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $token;
|
|
|
|
|
$token = unserialize($serializedToken, [
|
|
|
|
|
'allowed_classes' => [PublicKeyToken::class],
|
|
|
|
|
]);
|
|
|
|
|
|
|
|
|
|
return $token instanceof PublicKeyToken ? $token : null;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function cacheToken(PublicKeyToken $token): void {
|
|
|
|
|
$this->cache->set($token->getToken(), serialize($token), self::TOKEN_CACHE_TTL);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function cacheInvalidHash(string $tokenHash): void {
|
|
|
|
|
// Invalid entries can be kept longer in cache since it’s unlikely to reuse them
|
|
|
|
|
$this->cache->set($tokenHash, false, self::TOKEN_CACHE_TTL * 2);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function getTokenById(int $tokenId): IToken {
|
|
|
|
@ -202,6 +220,12 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$this->checkToken($token);
|
|
|
|
|
|
|
|
|
|
return $token;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
private function checkToken($token): void {
|
|
|
|
|
if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
|
|
|
|
|
throw new ExpiredTokenException($token);
|
|
|
|
|
}
|
|
|
|
@ -214,13 +238,9 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
//The password is invalid we should throw an TokenPasswordExpiredException
|
|
|
|
|
throw new TokenPasswordExpiredException($token);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return $token;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
|
|
|
|
|
$this->cache->clear();
|
|
|
|
|
|
|
|
|
|
return $this->atomic(function () use ($oldSessionId, $sessionId) {
|
|
|
|
|
$token = $this->getToken($oldSessionId);
|
|
|
|
|
|
|
|
|
@ -242,7 +262,9 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
IToken::TEMPORARY_TOKEN,
|
|
|
|
|
$token->getRemember()
|
|
|
|
|
);
|
|
|
|
|
$this->cacheToken($newToken);
|
|
|
|
|
|
|
|
|
|
$this->cacheInvalidHash($token->getToken());
|
|
|
|
|
$this->mapper->delete($token);
|
|
|
|
|
|
|
|
|
|
return $newToken;
|
|
|
|
@ -250,21 +272,22 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function invalidateToken(string $token) {
|
|
|
|
|
$this->cache->clear();
|
|
|
|
|
|
|
|
|
|
$tokenHash = $this->hashToken($token);
|
|
|
|
|
$this->mapper->invalidate($this->hashToken($token));
|
|
|
|
|
$this->mapper->invalidate($this->hashTokenWithEmptySecret($token));
|
|
|
|
|
$this->cacheInvalidHash($tokenHash);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function invalidateTokenById(string $uid, int $id) {
|
|
|
|
|
$this->cache->clear();
|
|
|
|
|
|
|
|
|
|
$this->mapper->deleteById($uid, $id);
|
|
|
|
|
$token = $this->mapper->getTokenById($id);
|
|
|
|
|
if ($token->getUID() !== $uid) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
$this->mapper->invalidate($token->getToken());
|
|
|
|
|
$this->cacheInvalidHash($token->getToken());
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function invalidateOldTokens() {
|
|
|
|
|
$this->cache->clear();
|
|
|
|
|
|
|
|
|
|
$olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24);
|
|
|
|
|
$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
|
|
|
|
|
$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
|
|
|
|
@ -274,17 +297,14 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function updateToken(IToken $token) {
|
|
|
|
|
$this->cache->clear();
|
|
|
|
|
|
|
|
|
|
if (!($token instanceof PublicKeyToken)) {
|
|
|
|
|
throw new InvalidTokenException("Invalid token type");
|
|
|
|
|
}
|
|
|
|
|
$this->mapper->update($token);
|
|
|
|
|
$this->cacheToken($token);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function updateTokenActivity(IToken $token) {
|
|
|
|
|
$this->cache->clear();
|
|
|
|
|
|
|
|
|
|
if (!($token instanceof PublicKeyToken)) {
|
|
|
|
|
throw new InvalidTokenException("Invalid token type");
|
|
|
|
|
}
|
|
|
|
@ -297,6 +317,7 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
if ($token->getLastActivity() < ($now - $activityInterval)) {
|
|
|
|
|
$token->setLastActivity($now);
|
|
|
|
|
$this->mapper->updateActivity($token, $now);
|
|
|
|
|
$this->cacheToken($token);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -321,8 +342,6 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function setPassword(IToken $token, string $tokenId, string $password) {
|
|
|
|
|
$this->cache->clear();
|
|
|
|
|
|
|
|
|
|
if (!($token instanceof PublicKeyToken)) {
|
|
|
|
|
throw new InvalidTokenException("Invalid token type");
|
|
|
|
|
}
|
|
|
|
@ -348,8 +367,6 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
|
|
|
|
|
$this->cache->clear();
|
|
|
|
|
|
|
|
|
|
if (!($token instanceof PublicKeyToken)) {
|
|
|
|
|
throw new InvalidTokenException("Invalid token type");
|
|
|
|
|
}
|
|
|
|
@ -473,19 +490,16 @@ class PublicKeyTokenProvider implements IProvider {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function markPasswordInvalid(IToken $token, string $tokenId) {
|
|
|
|
|
$this->cache->clear();
|
|
|
|
|
|
|
|
|
|
if (!($token instanceof PublicKeyToken)) {
|
|
|
|
|
throw new InvalidTokenException("Invalid token type");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$token->setPasswordInvalid(true);
|
|
|
|
|
$this->mapper->update($token);
|
|
|
|
|
$this->cacheToken($token);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function updatePasswords(string $uid, string $password) {
|
|
|
|
|
$this->cache->clear();
|
|
|
|
|
|
|
|
|
|
// prevent setting an empty pw as result of pw-less-login
|
|
|
|
|
if ($password === '' || !$this->config->getSystemValueBool('auth.storeCryptedPassword', true)) {
|
|
|
|
|
return;
|
|
|
|
|