nextcloud/lib/private/Authentication/Token/DefaultTokenProvider.php

<?php

declare(strict_types=1);

/**
 * @copyright Copyright (c) 2016, ownCloud, Inc.
 * @copyright Copyright (c) 2016, Christoph Wurst <christoph@winzerhof-wurst.at>
 *
 * @author Christoph Wurst <christoph@winzerhof-wurst.at>
 * @author Flávio Gomes da Silva Lisboa <flavio.lisboa@serpro.gov.br>
 * @author Joas Schilling <coding@schilljs.com>
 * @author Lukas Reschke <lukas@statuscode.ch>
 * @author Martin <github@diemattels.at>
 * @author Robin Appelman <robin@icewind.nl>
 * @author Roeland Jago Douma <roeland@famdouma.nl>
 *
 * @license AGPL-3.0
 *
 * This code is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License, version 3,
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License, version 3,
 * along with this program. If not, see <http://www.gnu.org/licenses/>
 *
 */

namespace OC\Authentication\Token;

use Exception;
use OC\Authentication\Exceptions\ExpiredTokenException;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Exceptions\PasswordlessTokenException;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
use OCP\Security\ICrypto;
use Psr\Log\LoggerInterface;

class DefaultTokenProvider implements IProvider {

	/** @var DefaultTokenMapper */
	private $mapper;

	/** @var ICrypto */
	private $crypto;

	/** @var IConfig */
	private $config;

	/** @var LoggerInterface */
	private $logger;

	/** @var ITimeFactory */
	private $time;

	public function __construct(DefaultTokenMapper $mapper,
								ICrypto $crypto,
								IConfig $config,
								LoggerInterface $logger,
								ITimeFactory $time) {
		$this->mapper = $mapper;
		$this->crypto = $crypto;
		$this->config = $config;
		$this->logger = $logger;
		$this->time = $time;
	}

	/**
	 * Create and persist a new token
	 *
	 * @param string $token
	 * @param string $uid
	 * @param string $loginName
	 * @param string|null $password
	 * @param string $name
	 * @param int $type token type
	 * @param int $remember whether the session token should be used for remember-me
	 * @return IToken
	 */
	public function generateToken(string $token,
								  string $uid,
								  string $loginName,
								  $password,
								  string $name,
								  int $type = IToken::TEMPORARY_TOKEN,
								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			throw new InvalidTokenException('Authtokens v1 disabled');
		}

		$dbToken = new DefaultToken();
		$dbToken->setUid($uid);
		$dbToken->setLoginName($loginName);
		if (!is_null($password)) {
			$dbToken->setPassword($this->encryptPassword($password, $token));
		}
		$dbToken->setName($name);
		$dbToken->setToken($this->hashToken($token));
		$dbToken->setType($type);
		$dbToken->setRemember($remember);
		$dbToken->setLastActivity($this->time->getTime());
		$dbToken->setLastCheck($this->time->getTime());
		$dbToken->setVersion(DefaultToken::VERSION);

		$this->mapper->insert($dbToken);

		return $dbToken;
	}

	/**
	 * Save the updated token
	 *
	 * @param IToken $token
	 * @throws InvalidTokenException
	 */
	public function updateToken(IToken $token) {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			throw new InvalidTokenException('Authtokens v1 disabled');
		}

		if (!($token instanceof DefaultToken)) {
			throw new InvalidTokenException("Invalid token type");
		}
		$this->mapper->update($token);
	}

	/**
	 * Update token activity timestamp
	 *
	 * @throws InvalidTokenException
	 * @param IToken $token
	 */
	public function updateTokenActivity(IToken $token) {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			throw new InvalidTokenException('Authtokens v1 disabled');
		}

		if (!($token instanceof DefaultToken)) {
			throw new InvalidTokenException("Invalid token type");
		}
		/** @var DefaultToken $token */
		$now = $this->time->getTime();
		if ($token->getLastActivity() < ($now - 60)) {
			// Update token only once per minute
			$token->setLastActivity($now);
			$this->mapper->update($token);
		}
	}

	public function getTokenByUser(string $uid): array {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			return [];
		}

		return $this->mapper->getTokenByUser($uid);
	}

	/**
	 * Get a token by token
	 *
	 * @param string $tokenId
	 * @throws InvalidTokenException
	 * @throws ExpiredTokenException
	 * @return IToken
	 */
	public function getToken(string $tokenId): IToken {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			throw new InvalidTokenException('Authtokens v1 disabled');
		}

		try {
			$token = $this->mapper->getToken($this->hashToken($tokenId));
		} catch (DoesNotExistException $ex) {
			throw new InvalidTokenException("Token does not exist", 0, $ex);
		}

		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
			throw new ExpiredTokenException($token);
		}

		return $token;
	}

	/**
	 * Get a token by token id
	 *
	 * @param int $tokenId
	 * @throws InvalidTokenException
	 * @throws ExpiredTokenException
	 * @return IToken
	 */
	public function getTokenById(int $tokenId): IToken {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			throw new InvalidTokenException('Authtokens v1 disabled');
		}

		try {
			$token = $this->mapper->getTokenById($tokenId);
		} catch (DoesNotExistException $ex) {
			throw new InvalidTokenException("Token with ID $tokenId does not exist", 0, $ex);
		}

		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
			throw new ExpiredTokenException($token);
		}

		return $token;
	}

	/**
	 * @param string $oldSessionId
	 * @param string $sessionId
	 * @throws InvalidTokenException
	 * @return IToken
	 */
	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			throw new InvalidTokenException('Authtokens v1 disabled');
		}

		$token = $this->getToken($oldSessionId);

		$newToken = new DefaultToken();
		$newToken->setUid($token->getUID());
		$newToken->setLoginName($token->getLoginName());
		if (!is_null($token->getPassword())) {
			$password = $this->decryptPassword($token->getPassword(), $oldSessionId);
			$newToken->setPassword($this->encryptPassword($password, $sessionId));
		}
		$newToken->setName($token->getName());
		$newToken->setToken($this->hashToken($sessionId));
		$newToken->setType(IToken::TEMPORARY_TOKEN);
		$newToken->setRemember($token->getRemember());
		$newToken->setLastActivity($this->time->getTime());
		$this->mapper->insert($newToken);
		$this->mapper->delete($token);

		return $newToken;
	}

	/**
	 * @param IToken $savedToken
	 * @param string $tokenId session token
	 * @throws InvalidTokenException
	 * @throws PasswordlessTokenException
	 * @return string
	 */
	public function getPassword(IToken $savedToken, string $tokenId): string {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			throw new InvalidTokenException('Authtokens v1 disabled');
		}

		$password = $savedToken->getPassword();
		if ($password === null || $password === '') {
			throw new PasswordlessTokenException();
		}
		return $this->decryptPassword($password, $tokenId);
	}

	/**
	 * Encrypt and set the password of the given token
	 *
	 * @param IToken $token
	 * @param string $tokenId
	 * @param string $password
	 * @throws InvalidTokenException
	 */
	public function setPassword(IToken $token, string $tokenId, string $password) {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			throw new InvalidTokenException('Authtokens v1 disabled');
		}

		if (!($token instanceof DefaultToken)) {
			throw new InvalidTokenException("Invalid token type");
		}
		/** @var DefaultToken $token */
		$token->setPassword($this->encryptPassword($password, $tokenId));
		$this->mapper->update($token);
	}

	/**
	 * Invalidate (delete) the given session token
	 *
	 * @param string $token
	 */
	public function invalidateToken(string $token) {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			return;
		}

		$this->mapper->invalidate($this->hashToken($token));
	}

	public function invalidateTokenById(string $uid, int $id) {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			return;
		}

		$this->mapper->deleteById($uid, $id);
	}

	/**
	 * Invalidate (delete) old session tokens
	 */
	public function invalidateOldTokens() {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			return;
		}

		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
	}

	/**
	 * Rotate the token. Usefull for for example oauth tokens
	 *
	 * @param IToken $token
	 * @param string $oldTokenId
	 * @param string $newTokenId
	 * @return IToken
	 */
	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			throw new InvalidTokenException('Authtokens v1 disabled');
		}

		try {
			$password = $this->getPassword($token, $oldTokenId);
			$token->setPassword($this->encryptPassword($password, $newTokenId));
		} catch (PasswordlessTokenException $e) {
		}

		$token->setToken($this->hashToken($newTokenId));
		$this->updateToken($token);

		return $token;
	}

	/**
	 * @param string $token
	 * @return string
	 */
	private function hashToken(string $token): string {
		$secret = $this->config->getSystemValue('secret');
		return hash('sha512', $token . $secret);
	}

	/**
	 * Encrypt the given password
	 *
	 * The token is used as key
	 *
	 * @param string $password
	 * @param string $token
	 * @return string encrypted password
	 */
	private function encryptPassword(string $password, string $token): string {
		$secret = $this->config->getSystemValue('secret');
		return $this->crypto->encrypt($password, $token . $secret);
	}

	/**
	 * Decrypt the given password
	 *
	 * The token is used as key
	 *
	 * @param string $password
	 * @param string $token
	 * @throws InvalidTokenException
	 * @return string the decrypted key
	 */
	private function decryptPassword(string $password, string $token): string {
		$secret = $this->config->getSystemValue('secret');
		try {
			return $this->crypto->decrypt($password, $token . $secret);
		} catch (Exception $ex) {
			// Delete the invalid token
			$this->invalidateToken($token);
			throw new InvalidTokenException("Can not decrypt token password: " . $ex->getMessage(), 0, $ex);
		}
	}

	public function markPasswordInvalid(IToken $token, string $tokenId) {
		if ($this->config->getSystemValueBool('auth.authtoken.v1.disabled')) {
			throw new InvalidTokenException('Authtokens v1 disabled');
		}

		if (!($token instanceof DefaultToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		//No need to mark as invalid. We just invalide default tokens
		$this->invalidateToken($tokenId);
	}

	public function updatePasswords(string $uid, string $password) {
		// Nothing to do here
	}
}