Allow the rotation of tokens

This for example will allow rotating the apptoken for oauth

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>

lib/private/Authentication/Token/DefaultToken.php

@@ -28,10 +28,8 @@ use OCP\AppFramework\Db\Entity;
  * @method void setId(int $id)
  * @method void setUid(string $uid);
  * @method void setLoginName(string $loginName)
- * @method void setPassword(string $password)
  * @method void setName(string $name)
  * @method string getName()
- * @method void setToken(string $token)
  * @method string getToken()
  * @method void setType(string $type)
  * @method int getType()
@@ -173,4 +171,12 @@ class DefaultToken extends Entity implements IToken {
 			parent::setScope((string)$scope);
 		}
 	}
+
+	public function setToken($token) {
+		parent::setToken($token);
+	}
+
+	public function setPassword($password = null) {
+		parent::setPassword($password);
+	}
 }

lib/private/Authentication/Token/DefaultTokenProvider.php

@@ -261,6 +261,28 @@ class DefaultTokenProvider implements IProvider {
 		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
 	}
 
+	/**
+	 * Rotate the token. Usefull for for example oauth tokens
+	 *
+	 * @param IToken $token
+	 * @param string $oldTokenId
+	 * @param string $newTokenId
+	 * @return IToken
+	 */
+	public function rotate(IToken $token, $oldTokenId, $newTokenId) {
+		try {
+			$password = $this->getPassword($token, $oldTokenId);
+			$token->setPassword($this->encryptPassword($password, $newTokenId));
+		} catch (PasswordlessTokenException $e) {
+
+		}
+
+		$token->setToken($this->hashToken($newTokenId));
+		$this->updateToken($token);
+
+		return $token;
+	}
+
 	/**
 	 * @param string $token
 	 * @return string

lib/private/Authentication/Token/IProvider.php

@@ -135,4 +135,14 @@ interface IProvider {
 	 * @throws InvalidTokenException
 	 */
 	public function setPassword(IToken $token, $tokenId, $password);
+
+	/**
+	 * Rotate the token. Usefull for for example oauth tokens
+	 *
+	 * @param IToken $token
+	 * @param string $oldTokenId
+	 * @param string $newTokenId
+	 * @return IToken
+	 */
+	public function rotate(IToken $token, $oldTokenId, $newTokenId);
 }

lib/private/Authentication/Token/IToken.php

@@ -93,4 +93,18 @@ interface IToken extends JsonSerializable {
 	 * @param array $scope
 	 */
 	public function setScope($scope);
+
+	/**
+	 * Set the token
+	 *
+	 * @param string $token
+	 */
+	public function setToken($token);
+
+	/**
+	 * Set the password
+	 *
+	 * @param string $password
+	 */
+	public function setPassword($password);
 }

tests/lib/Authentication/Token/DefaultTokenProviderTest.php

@@ -417,4 +417,46 @@ class DefaultTokenProviderTest extends TestCase {
 
 		$this->tokenProvider->getTokenById(42);
 	}
+
+	public function testRotate() {
+		$token = new DefaultToken();
+		$token->setPassword('oldencryptedpassword');
+
+		$this->config->method('getSystemValue')
+			->with('secret')
+			->willReturn('mysecret');
+
+		$this->crypto->method('decrypt')
+			->with('oldencryptedpassword', 'oldtokenmysecret')
+			->willReturn('mypassword');
+		$this->crypto->method('encrypt')
+			->with('mypassword', 'newtokenmysecret')
+			->willReturn('newencryptedpassword');
+
+		$this->mapper->expects($this->once())
+			->method('update')
+			->with($this->callback(function (DefaultToken $token) {
+				return $token->getPassword() === 'newencryptedpassword' &&
+					$token->getToken() === hash('sha512', 'newtokenmysecret');
+			}));
+
+		$this->tokenProvider->rotate($token, 'oldtoken', 'newtoken');
+	}
+
+	public function testRotateNoPassword() {
+		$token = new DefaultToken();
+
+		$this->config->method('getSystemValue')
+			->with('secret')
+			->willReturn('mysecret');
+
+		$this->mapper->expects($this->once())
+			->method('update')
+			->with($this->callback(function (DefaultToken $token) {
+				return $token->getPassword() === null &&
+					$token->getToken() === hash('sha512', 'newtokenmysecret');
+			}));
+
+		$this->tokenProvider->rotate($token, 'oldtoken', 'newtoken');
+	}
 }