Allow the rotation of tokens

This for example will allow rotating the apptoken for oauth

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
This commit is contained in:
Roeland Jago Douma 2018-05-15 21:10:43 +02:00
parent 9e657d0577
commit 0885bd4ee5
No known key found for this signature in database
GPG Key ID: F941078878347C0C
5 changed files with 96 additions and 2 deletions

View File

@ -28,10 +28,8 @@ use OCP\AppFramework\Db\Entity;
* @method void setId(int $id)
* @method void setUid(string $uid);
* @method void setLoginName(string $loginName)
* @method void setPassword(string $password)
* @method void setName(string $name)
* @method string getName()
* @method void setToken(string $token)
* @method string getToken()
* @method void setType(string $type)
* @method int getType()
@ -173,4 +171,12 @@ class DefaultToken extends Entity implements IToken {
parent::setScope((string)$scope);
}
}
public function setToken($token) {
parent::setToken($token);
}
public function setPassword($password = null) {
parent::setPassword($password);
}
}

View File

@ -261,6 +261,28 @@ class DefaultTokenProvider implements IProvider {
$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
}
/**
* Rotate the token. Usefull for for example oauth tokens
*
* @param IToken $token
* @param string $oldTokenId
* @param string $newTokenId
* @return IToken
*/
public function rotate(IToken $token, $oldTokenId, $newTokenId) {
try {
$password = $this->getPassword($token, $oldTokenId);
$token->setPassword($this->encryptPassword($password, $newTokenId));
} catch (PasswordlessTokenException $e) {
}
$token->setToken($this->hashToken($newTokenId));
$this->updateToken($token);
return $token;
}
/**
* @param string $token
* @return string

View File

@ -135,4 +135,14 @@ interface IProvider {
* @throws InvalidTokenException
*/
public function setPassword(IToken $token, $tokenId, $password);
/**
* Rotate the token. Usefull for for example oauth tokens
*
* @param IToken $token
* @param string $oldTokenId
* @param string $newTokenId
* @return IToken
*/
public function rotate(IToken $token, $oldTokenId, $newTokenId);
}

View File

@ -93,4 +93,18 @@ interface IToken extends JsonSerializable {
* @param array $scope
*/
public function setScope($scope);
/**
* Set the token
*
* @param string $token
*/
public function setToken($token);
/**
* Set the password
*
* @param string $password
*/
public function setPassword($password);
}

View File

@ -417,4 +417,46 @@ class DefaultTokenProviderTest extends TestCase {
$this->tokenProvider->getTokenById(42);
}
public function testRotate() {
$token = new DefaultToken();
$token->setPassword('oldencryptedpassword');
$this->config->method('getSystemValue')
->with('secret')
->willReturn('mysecret');
$this->crypto->method('decrypt')
->with('oldencryptedpassword', 'oldtokenmysecret')
->willReturn('mypassword');
$this->crypto->method('encrypt')
->with('mypassword', 'newtokenmysecret')
->willReturn('newencryptedpassword');
$this->mapper->expects($this->once())
->method('update')
->with($this->callback(function (DefaultToken $token) {
return $token->getPassword() === 'newencryptedpassword' &&
$token->getToken() === hash('sha512', 'newtokenmysecret');
}));
$this->tokenProvider->rotate($token, 'oldtoken', 'newtoken');
}
public function testRotateNoPassword() {
$token = new DefaultToken();
$this->config->method('getSystemValue')
->with('secret')
->willReturn('mysecret');
$this->mapper->expects($this->once())
->method('update')
->with($this->callback(function (DefaultToken $token) {
return $token->getPassword() === null &&
$token->getToken() === hash('sha512', 'newtokenmysecret');
}));
$this->tokenProvider->rotate($token, 'oldtoken', 'newtoken');
}
}