Handle token insert conflicts
Env-based SAML uses the "Apache auth" mechanism to log users in. In this code path, we first delete all existin auth tokens from the database, before a new one is inserted. This is problematic for concurrent requests as they might reach the same code at the same time, hence both trying to insert a new row wit the same token (the session ID). This also bubbles up and disables user_saml. As the token might still be OK (both request will insert the same data), we can actually just check if the UIDs of the conflict row is the same as the one we want to insert right now. In that case let's just use the existing entry and carry on. Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
This commit is contained in:
Christoph Wurst
Backportbot
parent
00e9f5f024
commit
dd9fd24f4e
|
|
@ -23,6 +23,7 @@ declare(strict_types=1);
|
|||
|
||||
namespace OC\Authentication\Token;
|
||||
|
||||
use Doctrine\DBAL\Exception\UniqueConstraintViolationException;
|
||||
use OC\Authentication\Exceptions\ExpiredTokenException;
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
||||
|
|
@ -59,15 +60,29 @@ class Manager implements IProvider {
|
|||
string $name,
|
||||
int $type = IToken::TEMPORARY_TOKEN,
|
||||
int $remember = IToken::DO_NOT_REMEMBER): IToken {
|
||||
return $this->publicKeyTokenProvider->generateToken(
|
||||
$token,
|
||||
$uid,
|
||||
$loginName,
|
||||
$password,
|
||||
$name,
|
||||
$type,
|
||||
$remember
|
||||
);
|
||||
try {
|
||||
return $this->publicKeyTokenProvider->generateToken(
|
||||
$token,
|
||||
$uid,
|
||||
$loginName,
|
||||
$password,
|
||||
$name,
|
||||
$type,
|
||||
$remember
|
||||
);
|
||||
} catch (UniqueConstraintViolationException $e) {
|
||||
// It's rare, but if two requests of the same session (e.g. env-based SAML)
|
||||
// try to create the session token they might end up here at the same time
|
||||
// because we use the session ID as token and the db token is created anew
|
||||
// with every request.
|
||||
//
|
||||
// If the UIDs match, then this should be fine.
|
||||
$existing = $this->getToken($token);
|
||||
if ($existing->getUID() !== $uid) {
|
||||
throw new \Exception('Token conflict handled, but UIDs do not match. This should not happen', 0, $e);
|
||||
}
|
||||
return $existing;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
<?php
|
||||
<?php declare(strict_types=1);
|
||||
|
||||
/**
|
||||
* @copyright Copyright (c) 2018 Roeland Jago Douma <roeland@famdouma.nl>
|
||||
*
|
||||
|
|
@ -23,29 +24,23 @@
|
|||
|
||||
namespace Test\Authentication\Token;
|
||||
|
||||
use Doctrine\DBAL\Exception\UniqueConstraintViolationException;
|
||||
use OC\Authentication\Exceptions\InvalidTokenException;
|
||||
use OC\Authentication\Exceptions\PasswordlessTokenException;
|
||||
use OC\Authentication\Token\DefaultToken;
|
||||
use OC\Authentication\Token\DefaultTokenProvider;
|
||||
use OC\Authentication\Token\Manager;
|
||||
use OC\Authentication\Token\PublicKeyToken;
|
||||
use OC\Authentication\Token\PublicKeyTokenMapper;
|
||||
use OC\Authentication\Token\PublicKeyTokenProvider;
|
||||
use OC\Authentication\Token\ExpiredTokenException;
|
||||
use PHPUnit\Framework\MockObject\MockObject;
|
||||
use OC\Authentication\Token\IToken;
|
||||
use OCP\AppFramework\Db\DoesNotExistException;
|
||||
use OCP\AppFramework\Utility\ITimeFactory;
|
||||
use OCP\IConfig;
|
||||
use OCP\ILogger;
|
||||
use OCP\IUser;
|
||||
use OCP\Security\ICrypto;
|
||||
use Test\TestCase;
|
||||
|
||||
class ManagerTest extends TestCase {
|
||||
|
||||
/** @var PublicKeyTokenProvider|\PHPUnit_Framework_MockObject_MockObject */
|
||||
/** @var PublicKeyTokenProvider|MockObject */
|
||||
private $publicKeyTokenProvider;
|
||||
/** @var DefaultTokenProvider|\PHPUnit_Framework_MockObject_MockObject */
|
||||
/** @var DefaultTokenProvider|MockObject */
|
||||
private $defaultTokenProvider;
|
||||
/** @var Manager */
|
||||
private $manager;
|
||||
|
|
@ -92,6 +87,44 @@ class ManagerTest extends TestCase {
|
|||
$this->assertSame($token, $actual);
|
||||
}
|
||||
|
||||
public function testGenerateConflictingToken() {
|
||||
/** @var MockObject|UniqueConstraintViolationException $exception */
|
||||
$exception = $this->createMock(UniqueConstraintViolationException::class);
|
||||
$this->defaultTokenProvider->expects($this->never())
|
||||
->method('generateToken');
|
||||
|
||||
$token = new PublicKeyToken();
|
||||
$token->setUid('uid');
|
||||
|
||||
$this->publicKeyTokenProvider->expects($this->once())
|
||||
->method('generateToken')
|
||||
->with(
|
||||
'token',
|
||||
'uid',
|
||||
'loginName',
|
||||
'password',
|
||||
'name',
|
||||
IToken::TEMPORARY_TOKEN,
|
||||
IToken::REMEMBER
|
||||
)->willThrowException($exception);
|
||||
$this->publicKeyTokenProvider->expects($this->once())
|
||||
->method('getToken')
|
||||
->with('token')
|
||||
->willReturn($token);
|
||||
|
||||
$actual = $this->manager->generateToken(
|
||||
'token',
|
||||
'uid',
|
||||
'loginName',
|
||||
'password',
|
||||
'name',
|
||||
IToken::TEMPORARY_TOKEN,
|
||||
IToken::REMEMBER
|
||||
);
|
||||
|
||||
$this->assertSame($token, $actual);
|
||||
}
|
||||
|
||||
public function tokenData(): array {
|
||||
return [
|
||||
[new DefaultToken()],
|
||||
|
|
|
|||
Loading…
Reference in New Issue