Skip to content

Commit

Permalink
Merge pull request #38708 from nextcloud/backport/38398/stable26
Browse files Browse the repository at this point in the history
[stable26] Store encrypted OAuth2 client secrets
  • Loading branch information
julien-nc authored Jun 22, 2023
2 parents 70865d7 + 5f461bc commit 913d9da
Show file tree
Hide file tree
Showing 13 changed files with 215 additions and 46 deletions.
2 changes: 1 addition & 1 deletion apps/oauth2/appinfo/info.xml
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
<name>OAuth 2.0</name>
<summary>Allows OAuth2 compatible authentication from other web applications.</summary>
<description>The OAuth2 app allows administrators to configure the built-in authentication workflow to also allow OAuth2 compatible authentication from other web applications.</description>
<version>1.14.0</version>
<version>1.14.1</version>
<licence>agpl</licence>
<author>Lukas Reschke</author>
<namespace>OAuth2</namespace>
Expand Down
2 changes: 0 additions & 2 deletions apps/oauth2/composer/composer/LICENSE
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@

Copyright (c) Nils Adermann, Jordi Boggiano

Permission is hereby granted, free of charge, to any person obtaining a copy
Expand All @@ -18,4 +17,3 @@ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

1 change: 1 addition & 0 deletions apps/oauth2/composer/composer/autoload_classmap.php
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,6 @@
'OCA\\OAuth2\\Migration\\SetTokenExpiration' => $baseDir . '/../lib/Migration/SetTokenExpiration.php',
'OCA\\OAuth2\\Migration\\Version010401Date20181207190718' => $baseDir . '/../lib/Migration/Version010401Date20181207190718.php',
'OCA\\OAuth2\\Migration\\Version010402Date20190107124745' => $baseDir . '/../lib/Migration/Version010402Date20190107124745.php',
'OCA\\OAuth2\\Migration\\Version011601Date20230522143227' => $baseDir . '/../lib/Migration/Version011601Date20230522143227.php',
'OCA\\OAuth2\\Settings\\Admin' => $baseDir . '/../lib/Settings/Admin.php',
);
1 change: 1 addition & 0 deletions apps/oauth2/composer/composer/autoload_static.php
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ class ComposerStaticInitOAuth2
'OCA\\OAuth2\\Migration\\SetTokenExpiration' => __DIR__ . '/..' . '/../lib/Migration/SetTokenExpiration.php',
'OCA\\OAuth2\\Migration\\Version010401Date20181207190718' => __DIR__ . '/..' . '/../lib/Migration/Version010401Date20181207190718.php',
'OCA\\OAuth2\\Migration\\Version010402Date20190107124745' => __DIR__ . '/..' . '/../lib/Migration/Version010402Date20190107124745.php',
'OCA\\OAuth2\\Migration\\Version011601Date20230522143227' => __DIR__ . '/..' . '/../lib/Migration/Version011601Date20230522143227.php',
'OCA\\OAuth2\\Settings\\Admin' => __DIR__ . '/..' . '/../lib/Settings/Admin.php',
);

Expand Down
15 changes: 14 additions & 1 deletion apps/oauth2/lib/Controller/OauthApiController.php
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@
use OCP\IRequest;
use OCP\Security\ICrypto;
use OCP\Security\ISecureRandom;
use Psr\Log\LoggerInterface;

class OauthApiController extends Controller {
/** @var AccessTokenMapper */
Expand All @@ -58,6 +59,8 @@ class OauthApiController extends Controller {
private $time;
/** @var Throttler */
private $throttler;
/** @var LoggerInterface */
private $logger;

public function __construct(string $appName,
IRequest $request,
Expand All @@ -67,6 +70,7 @@ public function __construct(string $appName,
TokenProvider $tokenProvider,
ISecureRandom $secureRandom,
ITimeFactory $time,
LoggerInterface $logger,
Throttler $throttler) {
parent::__construct($appName, $request);
$this->crypto = $crypto;
Expand All @@ -76,6 +80,7 @@ public function __construct(string $appName,
$this->secureRandom = $secureRandom;
$this->time = $time;
$this->throttler = $throttler;
$this->logger = $logger;
}

/**
Expand Down Expand Up @@ -124,8 +129,16 @@ public function getToken($grant_type, $code, $refresh_token, $client_id, $client
$client_secret = $this->request->server['PHP_AUTH_PW'];
}

try {
$storedClientSecret = $this->crypto->decrypt($client->getSecret());
} catch (\Exception $e) {
$this->logger->error('OAuth client secret decryption error', ['exception' => $e]);
return new JSONResponse([
'error' => 'invalid_client',
], Http::STATUS_BAD_REQUEST);
}
// The client id and secret must match. Else we don't provide an access token!
if ($client->getClientIdentifier() !== $client_id || $client->getSecret() !== $client_secret) {
if ($client->getClientIdentifier() !== $client_id || $storedClientSecret !== $client_secret) {
return new JSONResponse([
'error' => 'invalid_client',
], Http::STATUS_BAD_REQUEST);
Expand Down
14 changes: 11 additions & 3 deletions apps/oauth2/lib/Controller/SettingsController.php
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@
use OCP\IUser;
use OCP\IUserManager;
use OCP\Security\ISecureRandom;
use OCP\Security\ICrypto;

class SettingsController extends Controller {
/** @var ClientMapper */
Expand All @@ -58,6 +59,9 @@ class SettingsController extends Controller {
* @var IUserManager
*/
private $userManager;
/** @var ICrypto */
private $crypto;

public const validChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

public function __construct(string $appName,
Expand All @@ -67,7 +71,8 @@ public function __construct(string $appName,
AccessTokenMapper $accessTokenMapper,
IL10N $l,
IAuthTokenProvider $tokenProvider,
IUserManager $userManager
IUserManager $userManager,
ICrypto $crypto
) {
parent::__construct($appName, $request);
$this->secureRandom = $secureRandom;
Expand All @@ -76,6 +81,7 @@ public function __construct(string $appName,
$this->l = $l;
$this->tokenProvider = $tokenProvider;
$this->userManager = $userManager;
$this->crypto = $crypto;
}

public function addClient(string $name,
Expand All @@ -87,7 +93,9 @@ public function addClient(string $name,
$client = new Client();
$client->setName($name);
$client->setRedirectUri($redirectUri);
$client->setSecret($this->secureRandom->generate(64, self::validChars));
$secret = $this->secureRandom->generate(64, self::validChars);
$encryptedSecret = $this->crypto->encrypt($secret);
$client->setSecret($encryptedSecret);
$client->setClientIdentifier($this->secureRandom->generate(64, self::validChars));
$client = $this->clientMapper->insert($client);

Expand All @@ -96,7 +104,7 @@ public function addClient(string $name,
'name' => $client->getName(),
'redirectUri' => $client->getRedirectUri(),
'clientId' => $client->getClientIdentifier(),
'clientSecret' => $client->getSecret(),
'clientSecret' => $secret,
];

return new JSONResponse($result);
Expand Down
82 changes: 82 additions & 0 deletions apps/oauth2/lib/Migration/Version011601Date20230522143227.php
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
<?php

declare(strict_types=1);

/**
* @copyright Copyright 2023, Julien Veyssier <julien-nc@posteo.net>
*
* @author Julien Veyssier <julien-nc@posteo.net>
*
* @license GNU AGPL version 3 or any later version
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OCA\OAuth2\Migration;

use Closure;
use OCP\DB\ISchemaWrapper;
use OCP\DB\QueryBuilder\IQueryBuilder;
use OCP\IDBConnection;
use OCP\Migration\IOutput;
use OCP\Migration\SimpleMigrationStep;
use OCP\Security\ICrypto;

class Version011601Date20230522143227 extends SimpleMigrationStep {

public function __construct(
private IDBConnection $connection,
private ICrypto $crypto,
) {
}

public function changeSchema(IOutput $output, Closure $schemaClosure, array $options) {
/** @var ISchemaWrapper $schema */
$schema = $schemaClosure();

if ($schema->hasTable('oauth2_clients')) {
$table = $schema->getTable('oauth2_clients');
if ($table->hasColumn('secret')) {
$column = $table->getColumn('secret');
$column->setLength(512);
return $schema;
}
}

return null;
}

public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options) {
$qbUpdate = $this->connection->getQueryBuilder();
$qbUpdate->update('oauth2_clients')
->set('secret', $qbUpdate->createParameter('updateSecret'))
->where(
$qbUpdate->expr()->eq('id', $qbUpdate->createParameter('updateId'))
);

$qbSelect = $this->connection->getQueryBuilder();
$qbSelect->select('id', 'secret')
->from('oauth2_clients');
$req = $qbSelect->executeQuery();
while ($row = $req->fetch()) {
$id = $row['id'];
$secret = $row['secret'];
$encryptedSecret = $this->crypto->encrypt($secret);
$qbUpdate->setParameter('updateSecret', $encryptedSecret, IQueryBuilder::PARAM_STR);
$qbUpdate->setParameter('updateId', $id, IQueryBuilder::PARAM_INT);
$qbUpdate->executeStatement();
}
$req->closeCursor();
}
}
29 changes: 21 additions & 8 deletions apps/oauth2/lib/Settings/Admin.php
Original file line number Diff line number Diff line change
Expand Up @@ -29,36 +29,49 @@
use OCA\OAuth2\Db\ClientMapper;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Services\IInitialState;
use OCP\Security\ICrypto;
use OCP\Settings\ISettings;
use OCP\IURLGenerator;
use Psr\Log\LoggerInterface;

class Admin implements ISettings {
private IInitialState $initialState;
private ClientMapper $clientMapper;
private IURLGenerator $urlGenerator;
private ICrypto $crypto;
private LoggerInterface $logger;

public function __construct(
IInitialState $initialState,
ClientMapper $clientMapper,
IURLGenerator $urlGenerator
IURLGenerator $urlGenerator,
ICrypto $crypto,
LoggerInterface $logger
) {
$this->initialState = $initialState;
$this->clientMapper = $clientMapper;
$this->urlGenerator = $urlGenerator;
$this->crypto = $crypto;
$this->logger = $logger;
}

public function getForm(): TemplateResponse {
$clients = $this->clientMapper->getClients();
$result = [];

foreach ($clients as $client) {
$result[] = [
'id' => $client->getId(),
'name' => $client->getName(),
'redirectUri' => $client->getRedirectUri(),
'clientId' => $client->getClientIdentifier(),
'clientSecret' => $client->getSecret(),
];
try {
$secret = $this->crypto->decrypt($client->getSecret());
$result[] = [
'id' => $client->getId(),
'name' => $client->getName(),
'redirectUri' => $client->getRedirectUri(),
'clientId' => $client->getClientIdentifier(),
'clientSecret' => $secret,
];
} catch (\Exception $e) {
$this->logger->error('[Settings] OAuth client secret decryption error', ['exception' => $e]);
}
}
$this->initialState->provideInitialState('clients', $result);
$this->initialState->provideInitialState('oauth2-doc-link', $this->urlGenerator->linkToDocs('admin-oauth2'));
Expand Down
Loading

0 comments on commit 913d9da

Please sign in to comment.