From eed32112c504d6333232a1d77e8007f2bdfa40b7 Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Wed, 23 Aug 2023 20:15:42 -0300 Subject: [PATCH 01/13] feat: Add user:auth-tokens command Signed-off-by: Lucas Azevedo --- core/Command/User/AuthTokens.php | 70 ++++++++++++++++++++++++++++++++ core/register_command.php | 1 + 2 files changed, 71 insertions(+) create mode 100644 core/Command/User/AuthTokens.php diff --git a/core/Command/User/AuthTokens.php b/core/Command/User/AuthTokens.php new file mode 100644 index 00000000000..938efd952a5 --- /dev/null +++ b/core/Command/User/AuthTokens.php @@ -0,0 +1,70 @@ + + * + * @author Lucas Azevedo + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ +namespace OC\Core\Command\User; + +use OC\Core\Command\Base; +use OC\Authentication\Token\IProvider; +use OC\Authentication\Token\IToken; +use OCP\IUserManager; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; + +class AuthTokens extends Base { + public function __construct( + protected IUserManager $userManager, + protected IProvider $tokenProvider, + ) { + parent::__construct(); + } + + protected function configure() { + parent::configure(); + + $this + ->setName('user:auth-tokens') + ->setDescription('List authentication tokens of an user') + ->addArgument( + 'user', + InputArgument::REQUIRED, + 'User to list auth tokens for' + ); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $user = $this->userManager->get($input->getArgument('user')); + + if (is_null($user)) { + $output->writeln('user not found'); + return 1; + } + + $tokens = $this->tokenProvider->getTokenByUser($user->getUID()); + + $data = array_map(fn (IToken $token) => $token->jsonSerialize(), $tokens); + + $this->writeArrayInOutputFormat($input, $output, $data); + + return 0; + } +} diff --git a/core/register_command.php b/core/register_command.php index c9b6cc99901..c82c076c207 100644 --- a/core/register_command.php +++ b/core/register_command.php @@ -193,6 +193,7 @@ if (\OC::$server->getConfig()->getSystemValue('installed', false)) { $application->add(new OC\Core\Command\User\ListCommand(\OC::$server->getUserManager(), \OC::$server->getGroupManager())); $application->add(new OC\Core\Command\User\Info(\OC::$server->getUserManager(), \OC::$server->getGroupManager())); $application->add(new OC\Core\Command\User\AddAppPassword(\OC::$server->get(\OCP\IUserManager::class), \OC::$server->get(\OC\Authentication\Token\IProvider::class), \OC::$server->get(\OCP\Security\ISecureRandom::class), \OC::$server->get(\OCP\EventDispatcher\IEventDispatcher::class))); + $application->add(new OC\Core\Command\User\AuthTokens(\OC::$server->get(\OCP\IUserManager::class), \OC::$server->get(\OC\Authentication\Token\IProvider::class))); $application->add(new OC\Core\Command\Group\Add(\OC::$server->getGroupManager())); $application->add(new OC\Core\Command\Group\Delete(\OC::$server->getGroupManager())); From 651044ce178fffcbe12ef124c27c37322a829d73 Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Wed, 23 Aug 2023 20:16:08 -0300 Subject: [PATCH 02/13] feat: Add user:delete-auth-token command Signed-off-by: Lucas Azevedo --- core/Command/User/DeleteAuthToken.php | 56 +++++++++++++++++++++++++++ core/register_command.php | 1 + 2 files changed, 57 insertions(+) create mode 100644 core/Command/User/DeleteAuthToken.php diff --git a/core/Command/User/DeleteAuthToken.php b/core/Command/User/DeleteAuthToken.php new file mode 100644 index 00000000000..eb31efbf05e --- /dev/null +++ b/core/Command/User/DeleteAuthToken.php @@ -0,0 +1,56 @@ + + * + * @author Lucas Azevedo + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ +namespace OC\Core\Command\User; + +use OC\Core\Command\Base; +use OC\Authentication\Token\IProvider; +use Symfony\Component\Console\Input\InputArgument; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; + +class DeleteAuthToken extends Base { + public function __construct( + protected IProvider $tokenProvider, + ) { + parent::__construct(); + } + + protected function configure() { + $this + ->setName('user:delete-auth-token') + ->setDescription('Deletes an authentication token') + ->addArgument( + 'id', + InputArgument::REQUIRED, + 'ID of the auth token to delete' + ); + } + + protected function execute(InputInterface $input, OutputInterface $output): int { + $token = $this->tokenProvider->getTokenById($input->getArgument('id')); + + $this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId()); + + return 0; + } +} diff --git a/core/register_command.php b/core/register_command.php index c82c076c207..cfd1a6d2aea 100644 --- a/core/register_command.php +++ b/core/register_command.php @@ -194,6 +194,7 @@ if (\OC::$server->getConfig()->getSystemValue('installed', false)) { $application->add(new OC\Core\Command\User\Info(\OC::$server->getUserManager(), \OC::$server->getGroupManager())); $application->add(new OC\Core\Command\User\AddAppPassword(\OC::$server->get(\OCP\IUserManager::class), \OC::$server->get(\OC\Authentication\Token\IProvider::class), \OC::$server->get(\OCP\Security\ISecureRandom::class), \OC::$server->get(\OCP\EventDispatcher\IEventDispatcher::class))); $application->add(new OC\Core\Command\User\AuthTokens(\OC::$server->get(\OCP\IUserManager::class), \OC::$server->get(\OC\Authentication\Token\IProvider::class))); + $application->add(new OC\Core\Command\User\DeleteAuthToken(\OC::$server->get(\OC\Authentication\Token\IProvider::class))); $application->add(new OC\Core\Command\Group\Add(\OC::$server->getGroupManager())); $application->add(new OC\Core\Command\Group\Delete(\OC::$server->getGroupManager())); From 7d05d1f604ad10b6bd2065299a983f7b2c514cd6 Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Thu, 24 Aug 2023 00:10:30 -0300 Subject: [PATCH 03/13] Add missing return types Signed-off-by: Lucas Azevedo --- core/Command/User/AuthTokens.php | 4 ++-- core/Command/User/DeleteAuthToken.php | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/core/Command/User/AuthTokens.php b/core/Command/User/AuthTokens.php index 938efd952a5..0555cdfeab3 100644 --- a/core/Command/User/AuthTokens.php +++ b/core/Command/User/AuthTokens.php @@ -38,7 +38,7 @@ class AuthTokens extends Base { parent::__construct(); } - protected function configure() { + protected function configure(): void { parent::configure(); $this @@ -61,7 +61,7 @@ class AuthTokens extends Base { $tokens = $this->tokenProvider->getTokenByUser($user->getUID()); - $data = array_map(fn (IToken $token) => $token->jsonSerialize(), $tokens); + $data = array_map(fn (IToken $token): mixed => $token->jsonSerialize(), $tokens); $this->writeArrayInOutputFormat($input, $output, $data); diff --git a/core/Command/User/DeleteAuthToken.php b/core/Command/User/DeleteAuthToken.php index eb31efbf05e..13b63242b79 100644 --- a/core/Command/User/DeleteAuthToken.php +++ b/core/Command/User/DeleteAuthToken.php @@ -35,7 +35,7 @@ class DeleteAuthToken extends Base { parent::__construct(); } - protected function configure() { + protected function configure(): void { $this ->setName('user:delete-auth-token') ->setDescription('Deletes an authentication token') From ca101b2dbef60bd9a56d5832fdee29e147e80519 Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Thu, 24 Aug 2023 11:19:50 -0300 Subject: [PATCH 04/13] Filter out sensitive fields in user:auth-tokens PublicKeyToken::jsonSerialize() already explicitly lists allowed fields, we are adding a second guard here to be on the safe side. Signed-off-by: Lucas Azevedo --- core/Command/User/AuthTokens.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/core/Command/User/AuthTokens.php b/core/Command/User/AuthTokens.php index 0555cdfeab3..43fa687781e 100644 --- a/core/Command/User/AuthTokens.php +++ b/core/Command/User/AuthTokens.php @@ -61,7 +61,16 @@ class AuthTokens extends Base { $tokens = $this->tokenProvider->getTokenByUser($user->getUID()); - $data = array_map(fn (IToken $token): mixed => $token->jsonSerialize(), $tokens); + $data = array_map(function (IToken $token): mixed { + $filtered = [ + 'password', + 'password_hash', + 'token', + 'public_key', + 'private_key', + ]; + return array_diff_key($token->jsonSerialize(), array_flip($filtered)); + }, $tokens); $this->writeArrayInOutputFormat($input, $output, $data); From f7bf468e22e74be7e00d3ffa2356ce4212f12760 Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Thu, 24 Aug 2023 11:26:27 -0300 Subject: [PATCH 05/13] Use autowiring when registering commands Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com> Signed-off-by: Lucas Azevedo --- core/register_command.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/register_command.php b/core/register_command.php index cfd1a6d2aea..f6ffe231c8f 100644 --- a/core/register_command.php +++ b/core/register_command.php @@ -193,8 +193,8 @@ if (\OC::$server->getConfig()->getSystemValue('installed', false)) { $application->add(new OC\Core\Command\User\ListCommand(\OC::$server->getUserManager(), \OC::$server->getGroupManager())); $application->add(new OC\Core\Command\User\Info(\OC::$server->getUserManager(), \OC::$server->getGroupManager())); $application->add(new OC\Core\Command\User\AddAppPassword(\OC::$server->get(\OCP\IUserManager::class), \OC::$server->get(\OC\Authentication\Token\IProvider::class), \OC::$server->get(\OCP\Security\ISecureRandom::class), \OC::$server->get(\OCP\EventDispatcher\IEventDispatcher::class))); - $application->add(new OC\Core\Command\User\AuthTokens(\OC::$server->get(\OCP\IUserManager::class), \OC::$server->get(\OC\Authentication\Token\IProvider::class))); - $application->add(new OC\Core\Command\User\DeleteAuthToken(\OC::$server->get(\OC\Authentication\Token\IProvider::class))); + $application->add(\OC::$server->get(\OC\Core\Command\User\AuthTokens::class)); + $application->add(\OC::$server->get(\OC\Core\Command\User\DeleteAuthToken::class)); $application->add(new OC\Core\Command\Group\Add(\OC::$server->getGroupManager())); $application->add(new OC\Core\Command\Group\Delete(\OC::$server->getGroupManager())); From 5af683d2c4d0883ae9038c33078cbb792a0974e7 Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Thu, 24 Aug 2023 11:42:30 -0300 Subject: [PATCH 06/13] Namespace user auth token commands Signed-off-by: Lucas Azevedo --- .../User/{AddAppPassword.php => AuthTokens/Add.php} | 7 ++++--- .../User/{DeleteAuthToken.php => AuthTokens/Delete.php} | 6 +++--- .../User/{AuthTokens.php => AuthTokens/ListCommand.php} | 6 +++--- core/register_command.php | 6 +++--- 4 files changed, 13 insertions(+), 12 deletions(-) rename core/Command/User/{AddAppPassword.php => AuthTokens/Add.php} (96%) rename core/Command/User/{DeleteAuthToken.php => AuthTokens/Delete.php} (93%) rename core/Command/User/{AuthTokens.php => AuthTokens/ListCommand.php} (95%) diff --git a/core/Command/User/AddAppPassword.php b/core/Command/User/AuthTokens/Add.php similarity index 96% rename from core/Command/User/AddAppPassword.php rename to core/Command/User/AuthTokens/Add.php index 8c506c8510e..e067c069c79 100644 --- a/core/Command/User/AddAppPassword.php +++ b/core/Command/User/AuthTokens/Add.php @@ -24,7 +24,7 @@ declare(strict_types=1); * along with this program. If not, see . * */ -namespace OC\Core\Command\User; +namespace OC\Core\Command\User\AuthTokens; use OC\Authentication\Events\AppPasswordCreatedEvent; use OC\Authentication\Token\IProvider; @@ -40,7 +40,7 @@ use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; use Symfony\Component\Console\Question\Question; -class AddAppPassword extends Command { +class Add extends Command { public function __construct( protected IUserManager $userManager, protected IProvider $tokenProvider, @@ -52,7 +52,8 @@ class AddAppPassword extends Command { protected function configure() { $this - ->setName('user:add-app-password') + ->setName('user:auth-tokens:add') + ->setAliases(['user:add-app-password']) ->setDescription('Add app password for the named user') ->addArgument( 'user', diff --git a/core/Command/User/DeleteAuthToken.php b/core/Command/User/AuthTokens/Delete.php similarity index 93% rename from core/Command/User/DeleteAuthToken.php rename to core/Command/User/AuthTokens/Delete.php index 13b63242b79..928387f1cc6 100644 --- a/core/Command/User/DeleteAuthToken.php +++ b/core/Command/User/AuthTokens/Delete.php @@ -20,7 +20,7 @@ * along with this program. If not, see . * */ -namespace OC\Core\Command\User; +namespace OC\Core\Command\User\AuthTokens; use OC\Core\Command\Base; use OC\Authentication\Token\IProvider; @@ -28,7 +28,7 @@ use Symfony\Component\Console\Input\InputArgument; use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Output\OutputInterface; -class DeleteAuthToken extends Base { +class Delete extends Base { public function __construct( protected IProvider $tokenProvider, ) { @@ -37,7 +37,7 @@ class DeleteAuthToken extends Base { protected function configure(): void { $this - ->setName('user:delete-auth-token') + ->setName('user:auth-tokens:delete') ->setDescription('Deletes an authentication token') ->addArgument( 'id', diff --git a/core/Command/User/AuthTokens.php b/core/Command/User/AuthTokens/ListCommand.php similarity index 95% rename from core/Command/User/AuthTokens.php rename to core/Command/User/AuthTokens/ListCommand.php index 43fa687781e..6739e8b4648 100644 --- a/core/Command/User/AuthTokens.php +++ b/core/Command/User/AuthTokens/ListCommand.php @@ -20,7 +20,7 @@ * along with this program. If not, see . * */ -namespace OC\Core\Command\User; +namespace OC\Core\Command\User\AuthTokens; use OC\Core\Command\Base; use OC\Authentication\Token\IProvider; @@ -30,7 +30,7 @@ use Symfony\Component\Console\Input\InputArgument; use Symfony\Component\Console\Input\InputInterface; use Symfony\Component\Console\Output\OutputInterface; -class AuthTokens extends Base { +class ListCommand extends Base { public function __construct( protected IUserManager $userManager, protected IProvider $tokenProvider, @@ -42,7 +42,7 @@ class AuthTokens extends Base { parent::configure(); $this - ->setName('user:auth-tokens') + ->setName('user:auth-tokens:list') ->setDescription('List authentication tokens of an user') ->addArgument( 'user', diff --git a/core/register_command.php b/core/register_command.php index f6ffe231c8f..2da8e2aa186 100644 --- a/core/register_command.php +++ b/core/register_command.php @@ -192,9 +192,9 @@ if (\OC::$server->getConfig()->getSystemValue('installed', false)) { $application->add(new OC\Core\Command\User\Setting(\OC::$server->getUserManager(), \OC::$server->getConfig())); $application->add(new OC\Core\Command\User\ListCommand(\OC::$server->getUserManager(), \OC::$server->getGroupManager())); $application->add(new OC\Core\Command\User\Info(\OC::$server->getUserManager(), \OC::$server->getGroupManager())); - $application->add(new OC\Core\Command\User\AddAppPassword(\OC::$server->get(\OCP\IUserManager::class), \OC::$server->get(\OC\Authentication\Token\IProvider::class), \OC::$server->get(\OCP\Security\ISecureRandom::class), \OC::$server->get(\OCP\EventDispatcher\IEventDispatcher::class))); - $application->add(\OC::$server->get(\OC\Core\Command\User\AuthTokens::class)); - $application->add(\OC::$server->get(\OC\Core\Command\User\DeleteAuthToken::class)); + $application->add(\OC::$server->get(\OC\Core\Command\User\AuthTokens\Add::class)); + $application->add(\OC::$server->get(\OC\Core\Command\User\AuthTokens\ListCommand::class)); + $application->add(\OC::$server->get(\OC\Core\Command\User\AuthTokens\Delete::class)); $application->add(new OC\Core\Command\Group\Add(\OC::$server->getGroupManager())); $application->add(new OC\Core\Command\Group\Delete(\OC::$server->getGroupManager())); From a49a220fca751ba946da0a1439429933ad56a93b Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Thu, 24 Aug 2023 11:59:55 -0300 Subject: [PATCH 07/13] Update autoloaders Signed-off-by: Lucas Azevedo --- lib/composer/composer/autoload_classmap.php | 4 +++- lib/composer/composer/autoload_static.php | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php index 007b19692c5..a3397b6bdd0 100644 --- a/lib/composer/composer/autoload_classmap.php +++ b/lib/composer/composer/autoload_classmap.php @@ -1042,7 +1042,9 @@ return array( 'OC\\Core\\Command\\TwoFactorAuth\\State' => $baseDir . '/core/Command/TwoFactorAuth/State.php', 'OC\\Core\\Command\\Upgrade' => $baseDir . '/core/Command/Upgrade.php', 'OC\\Core\\Command\\User\\Add' => $baseDir . '/core/Command/User/Add.php', - 'OC\\Core\\Command\\User\\AddAppPassword' => $baseDir . '/core/Command/User/AddAppPassword.php', + 'OC\\Core\\Command\\User\\AuthTokens\\Add' => $baseDir . '/core/Command/User/AuthTokens/Add.php', + 'OC\\Core\\Command\\User\\AuthTokens\\Delete' => $baseDir . '/core/Command/User/AuthTokens/Delete.php', + 'OC\\Core\\Command\\User\\AuthTokens\\ListCommand' => $baseDir . '/core/Command/User/AuthTokens/ListCommand.php', 'OC\\Core\\Command\\User\\Delete' => $baseDir . '/core/Command/User/Delete.php', 'OC\\Core\\Command\\User\\Disable' => $baseDir . '/core/Command/User/Disable.php', 'OC\\Core\\Command\\User\\Enable' => $baseDir . '/core/Command/User/Enable.php', diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php index f9164a13aa3..efe39527313 100644 --- a/lib/composer/composer/autoload_static.php +++ b/lib/composer/composer/autoload_static.php @@ -1075,7 +1075,9 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2 'OC\\Core\\Command\\TwoFactorAuth\\State' => __DIR__ . '/../../..' . '/core/Command/TwoFactorAuth/State.php', 'OC\\Core\\Command\\Upgrade' => __DIR__ . '/../../..' . '/core/Command/Upgrade.php', 'OC\\Core\\Command\\User\\Add' => __DIR__ . '/../../..' . '/core/Command/User/Add.php', - 'OC\\Core\\Command\\User\\AddAppPassword' => __DIR__ . '/../../..' . '/core/Command/User/AddAppPassword.php', + 'OC\\Core\\Command\\User\\AuthTokens\\Add' => __DIR__ . '/../../..' . '/core/Command/User/AuthTokens/Add.php', + 'OC\\Core\\Command\\User\\AuthTokens\\Delete' => __DIR__ . '/../../..' . '/core/Command/User/AuthTokens/Delete.php', + 'OC\\Core\\Command\\User\\AuthTokens\\ListCommand' => __DIR__ . '/../../..' . '/core/Command/User/AuthTokens/ListCommand.php', 'OC\\Core\\Command\\User\\Delete' => __DIR__ . '/../../..' . '/core/Command/User/Delete.php', 'OC\\Core\\Command\\User\\Disable' => __DIR__ . '/../../..' . '/core/Command/User/Disable.php', 'OC\\Core\\Command\\User\\Enable' => __DIR__ . '/../../..' . '/core/Command/User/Enable.php', From fe9b9c1955cb33c5026928a9f753bb6bde6e65ab Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Fri, 25 Aug 2023 02:07:57 -0300 Subject: [PATCH 08/13] Add last-used-before option Signed-off-by: Lucas Azevedo --- core/Command/User/AuthTokens/Delete.php | 72 +++++++++++++++++-- .../Authentication/Token/IProvider.php | 5 ++ lib/private/Authentication/Token/Manager.php | 4 ++ .../Token/PublicKeyTokenMapper.php | 9 +++ .../Token/PublicKeyTokenProvider.php | 6 ++ 5 files changed, 92 insertions(+), 4 deletions(-) diff --git a/core/Command/User/AuthTokens/Delete.php b/core/Command/User/AuthTokens/Delete.php index 928387f1cc6..830050c1bb9 100644 --- a/core/Command/User/AuthTokens/Delete.php +++ b/core/Command/User/AuthTokens/Delete.php @@ -22,10 +22,14 @@ */ namespace OC\Core\Command\User\AuthTokens; +use DateTimeImmutable; use OC\Core\Command\Base; use OC\Authentication\Token\IProvider; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Exception\RuntimeException; use Symfony\Component\Console\Input\InputArgument; use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Input\InputOption; use Symfony\Component\Console\Output\OutputInterface; class Delete extends Base { @@ -40,17 +44,77 @@ class Delete extends Base { ->setName('user:auth-tokens:delete') ->setDescription('Deletes an authentication token') ->addArgument( - 'id', + 'uid', InputArgument::REQUIRED, + 'ID of the user to delete tokens for' + ) + ->addArgument( + 'id', + InputArgument::OPTIONAL, 'ID of the auth token to delete' + ) + ->addOption( + 'last-used-before', + null, + InputOption::VALUE_REQUIRED, + 'Delete tokens last used before a given date.' ); } protected function execute(InputInterface $input, OutputInterface $output): int { - $token = $this->tokenProvider->getTokenById($input->getArgument('id')); + $uid = $input->getArgument('uid'); + $id = $input->getArgument('id'); + $before = $input->getOption('last-used-before'); - $this->tokenProvider->invalidateTokenById($token->getUID(), $token->getId()); + if ($before) { + if ($id) { + throw new RuntimeException('Option --last-used-before cannot be used with []'); + } - return 0; + return $this->deleteLastUsedBefore($uid, $before); + } + + if (!$id) { + throw new RuntimeException('Not enough arguments. Specify the token or use the --last-used-before option.'); + } + return $this->deleteById($uid, $id); + } + + protected function deleteById(string $uid, string $id) { + $this->tokenProvider->invalidateTokenById($uid, $id); + + return Command::SUCCESS; + } + + protected function deleteLastUsedBefore(string $uid, string $before) { + $date = $this->parseDateOption($before); + if (!$date) { + throw new RuntimeException('Invalid date format. Acceptable formats are: ISO8601 (w/o fractions), "YYYY-MM-DD" and Unix time in seconds.'); + } + + $this->tokenProvider->invalidateLastUsedBefore($uid, $date->getTimestamp()); + + return Command::SUCCESS; + } + + /** + * @return \DateTimeImmutable|false + */ + protected function parseDateOption(string $input) { + $date = false; + + // Handle Unix timestamp + if (filter_var($input, FILTER_VALIDATE_INT)) { + return new DateTimeImmutable('@' . $input); + } + + // ISO8601 + $date = DateTimeImmutable::createFromFormat(DateTimeImmutable::ATOM, $input); + if ($date) { + return $date; + } + + // YYYY-MM-DD + return DateTimeImmutable::createFromFormat('!Y-m-d', $input); } } diff --git a/lib/private/Authentication/Token/IProvider.php b/lib/private/Authentication/Token/IProvider.php index b5af3f3a5ee..a12d3ba34d9 100644 --- a/lib/private/Authentication/Token/IProvider.php +++ b/lib/private/Authentication/Token/IProvider.php @@ -109,6 +109,11 @@ interface IProvider { */ public function invalidateOldTokens(); + /** + * Invalidate (delete) tokens last used before a given date + */ + public function invalidateLastUsedBefore(string $uid, int $before): void; + /** * Save the updated token * diff --git a/lib/private/Authentication/Token/Manager.php b/lib/private/Authentication/Token/Manager.php index 761e799d298..6a1c7d4c1e7 100644 --- a/lib/private/Authentication/Token/Manager.php +++ b/lib/private/Authentication/Token/Manager.php @@ -204,6 +204,10 @@ class Manager implements IProvider, OCPIProvider { $this->publicKeyTokenProvider->invalidateOldTokens(); } + public function invalidateLastUsedBefore(string $uid, int $before): void { + $this->publicKeyTokenProvider->invalidateLastUsedBefore($uid, $before); + } + /** * @param IToken $token * @param string $oldTokenId diff --git a/lib/private/Authentication/Token/PublicKeyTokenMapper.php b/lib/private/Authentication/Token/PublicKeyTokenMapper.php index 8feb275b3b7..f150576a623 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenMapper.php +++ b/lib/private/Authentication/Token/PublicKeyTokenMapper.php @@ -69,6 +69,15 @@ class PublicKeyTokenMapper extends QBMapper { ->execute(); } + public function invalidateLastUsedBefore(string $uid, int $before): int { + $qb = $this->db->getQueryBuilder(); + return $qb->delete($this->tableName) + ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) + ->andWhere($qb->expr()->lt('last_activity', $qb->createNamedParameter($before, IQueryBuilder::PARAM_INT))) + ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) + ->executeStatement(); + } + /** * Get the user UID for the given token * diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index f5fcd4dcef2..3fb11611076 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -273,6 +273,12 @@ class PublicKeyTokenProvider implements IProvider { $this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER); } + public function invalidateLastUsedBefore(string $uid, int $before): void { + $this->cache->clear(); + + $this->mapper->invalidateLastUsedBefore($uid, $before); + } + public function updateToken(IToken $token) { $this->cache->clear(); From 771a7b92cccb77a1b907a8cc0d022fb7b5103f8e Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Fri, 25 Aug 2023 02:27:41 -0300 Subject: [PATCH 09/13] Add tests for occ user:auth-tokens:delete Signed-off-by: Lucas Azevedo --- .../Command/User/AuthTokens/DeleteTest.php | 170 ++++++++++++++++++ .../lib/Authentication/Token/ManagerTest.php | 8 + .../Token/PublicKeyTokenMapperTest.php | 34 +++- .../Token/PublicKeyTokenProviderTest.php | 8 + 4 files changed, 214 insertions(+), 6 deletions(-) create mode 100644 tests/Core/Command/User/AuthTokens/DeleteTest.php diff --git a/tests/Core/Command/User/AuthTokens/DeleteTest.php b/tests/Core/Command/User/AuthTokens/DeleteTest.php new file mode 100644 index 00000000000..528d4c6869b --- /dev/null +++ b/tests/Core/Command/User/AuthTokens/DeleteTest.php @@ -0,0 +1,170 @@ + + * + * @author Lucas Azevedo + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ +namespace Tests\Core\Command\User\AuthTokens; + +use OC\Core\Command\User\AuthTokens\Delete; +use OC\Authentication\Token\IProvider; +use Symfony\Component\Console\Command\Command; +use Symfony\Component\Console\Exception\RuntimeException; +use Symfony\Component\Console\Input\InputInterface; +use Symfony\Component\Console\Output\OutputInterface; +use Test\TestCase; + +class DeleteTest extends TestCase { + /** @var \PHPUnit\Framework\MockObject\MockObject */ + protected $tokenProvider; + /** @var \PHPUnit\Framework\MockObject\MockObject */ + protected $consoleInput; + /** @var \PHPUnit\Framework\MockObject\MockObject */ + protected $consoleOutput; + + /** @var \Symfony\Component\Console\Command\Command */ + protected $command; + + protected function setUp(): void { + parent::setUp(); + + $tokenProvider = $this->tokenProvider = $this->getMockBuilder(IProvider::class) + ->disableOriginalConstructor() + ->getMock(); + $this->consoleInput = $this->getMockBuilder(InputInterface::class)->getMock(); + $this->consoleOutput = $this->getMockBuilder(OutputInterface::class)->getMock(); + + /** @var \OC\Authentication\Token\IProvider $tokenProvider */ + $this->command = new Delete($tokenProvider); + } + + public function testDeleteTokenById() { + $this->consoleInput->expects($this->exactly(2)) + ->method('getArgument') + ->withConsecutive(['uid'], ['id']) + ->willReturnOnConsecutiveCalls('user', 42); + + $this->consoleInput->expects($this->once()) + ->method('getOption') + ->with('last-used-before') + ->willReturn(null); + + $this->tokenProvider->expects($this->once()) + ->method('invalidateTokenById') + ->with('user', 42); + + $result = self::invokePrivate($this->command, 'execute', [$this->consoleInput, $this->consoleOutput]); + $this->assertSame(Command::SUCCESS, $result); + } + + public function testDeleteTokenByIdRequiresTokenId() { + $this->consoleInput->expects($this->exactly(2)) + ->method('getArgument') + ->withConsecutive(['uid'], ['id']) + ->willReturnOnConsecutiveCalls('user', null); + + $this->consoleInput->expects($this->once()) + ->method('getOption') + ->with('last-used-before') + ->willReturn(null); + + $this->expectException(RuntimeException::class); + + $this->tokenProvider->expects($this->never())->method('invalidateTokenById'); + + $result = self::invokePrivate($this->command, 'execute', [$this->consoleInput, $this->consoleOutput]); + $this->assertSame(Command::FAILURE, $result); + } + + public function testDeleteTokensLastUsedBefore() { + $this->consoleInput->expects($this->exactly(2)) + ->method('getArgument') + ->withConsecutive(['uid'], ['id']) + ->willReturnOnConsecutiveCalls('user', null); + + $this->consoleInput->expects($this->once()) + ->method('getOption') + ->with('last-used-before') + ->willReturn('946684800'); + + $this->tokenProvider->expects($this->once()) + ->method('invalidateLastUsedBefore') + ->with('user', 946684800); + + $result = self::invokePrivate($this->command, 'execute', [$this->consoleInput, $this->consoleOutput]); + $this->assertSame(Command::SUCCESS, $result); + } + + public function testLastUsedBeforeAcceptsIso8601Expanded() { + $this->consoleInput->expects($this->exactly(2)) + ->method('getArgument') + ->withConsecutive(['uid'], ['id']) + ->willReturnOnConsecutiveCalls('user', null); + + $this->consoleInput->expects($this->once()) + ->method('getOption') + ->with('last-used-before') + ->willReturn('2000-01-01T00:00:00Z'); + + $this->tokenProvider->expects($this->once()) + ->method('invalidateLastUsedBefore') + ->with('user', 946684800); + + $result = self::invokePrivate($this->command, 'execute', [$this->consoleInput, $this->consoleOutput]); + $this->assertSame(Command::SUCCESS, $result); + } + + public function testLastUsedBeforeAcceptsYmd() { + $this->consoleInput->expects($this->exactly(2)) + ->method('getArgument') + ->withConsecutive(['uid'], ['id']) + ->willReturnOnConsecutiveCalls('user', null); + + $this->consoleInput->expects($this->once()) + ->method('getOption') + ->with('last-used-before') + ->willReturn('2000-01-01'); + + $this->tokenProvider->expects($this->once()) + ->method('invalidateLastUsedBefore') + ->with('user', 946684800); + + $result = self::invokePrivate($this->command, 'execute', [$this->consoleInput, $this->consoleOutput]); + $this->assertSame(Command::SUCCESS, $result); + } + + public function testIdAndLastUsedBeforeAreMutuallyExclusive() { + $this->consoleInput->expects($this->exactly(2)) + ->method('getArgument') + ->withConsecutive(['uid'], ['id']) + ->willReturnOnConsecutiveCalls('user', 42); + + $this->consoleInput->expects($this->once()) + ->method('getOption') + ->with('last-used-before') + ->willReturn('946684800'); + + $this->expectException(RuntimeException::class); + + $this->tokenProvider->expects($this->never())->method('invalidateLastUsedBefore'); + + $result = self::invokePrivate($this->command, 'execute', [$this->consoleInput, $this->consoleOutput]); + $this->assertSame(Command::SUCCESS, $result); + } +} diff --git a/tests/lib/Authentication/Token/ManagerTest.php b/tests/lib/Authentication/Token/ManagerTest.php index de3e5e1c362..3dd889dcae2 100644 --- a/tests/lib/Authentication/Token/ManagerTest.php +++ b/tests/lib/Authentication/Token/ManagerTest.php @@ -243,6 +243,14 @@ class ManagerTest extends TestCase { $this->manager->invalidateOldTokens(); } + public function testInvalidateLastUsedBefore() { + $this->publicKeyTokenProvider->expects($this->once()) + ->method('invalidateLastUsedBefore') + ->with('user', 946684800); + + $this->manager->invalidateLastUsedBefore('user', 946684800); + } + public function testGetTokenByUser() { $t1 = new PublicKeyToken(); $t2 = new PublicKeyToken(); diff --git a/tests/lib/Authentication/Token/PublicKeyTokenMapperTest.php b/tests/lib/Authentication/Token/PublicKeyTokenMapperTest.php index 27646f19888..68962b26931 100644 --- a/tests/lib/Authentication/Token/PublicKeyTokenMapperTest.php +++ b/tests/lib/Authentication/Token/PublicKeyTokenMapperTest.php @@ -113,6 +113,20 @@ class PublicKeyTokenMapperTest extends TestCase { 'version' => $qb->createNamedParameter(2), 'password_invalid' => $qb->createNamedParameter(1), ])->execute(); + $qb->insert('authtoken')->values([ + 'uid' => $qb->createNamedParameter('user3'), + 'login_name' => $qb->createNamedParameter('User3'), + 'password' => $qb->createNamedParameter('063de945d6f6b26862d9b6f40652f2d5|DZ/z520tfdXPtd0T|395f6b89be8d9d605e409e20b9d9abe477fde1be38a3223f9e508f979bf906e50d9eaa4dca983ca4fb22a241eb696c3f98654e7775f78c4caf13108f98642b53'), + 'name' => $qb->createNamedParameter('Iceweasel on Linux'), + 'token' => $qb->createNamedParameter('84c5808c6445b6d65b8aa5b03840f09b27de603f0fb970906fb14ea4b115b7bf5ec53fada5c093fe46afdcd7bbc9617253a4d105f7dfb32719f9973d72412f31'), + 'type' => $qb->createNamedParameter(IToken::PERMANENT_TOKEN), + 'last_activity' => $qb->createNamedParameter($this->time - 60 * 3, IQueryBuilder::PARAM_INT), // Three minutes ago + 'last_check' => $this->time - 60 * 10, // 10mins ago + 'public_key' => $qb->createNamedParameter('public key'), + 'private_key' => $qb->createNamedParameter('private key'), + 'version' => $qb->createNamedParameter(2), + 'password_invalid' => $qb->createNamedParameter(1), + ])->execute(); } private function getNumberOfTokens() { @@ -129,7 +143,7 @@ class PublicKeyTokenMapperTest extends TestCase { $this->mapper->invalidate($token); - $this->assertSame(3, $this->getNumberOfTokens()); + $this->assertSame(4, $this->getNumberOfTokens()); } public function testInvalidateInvalid() { @@ -137,7 +151,7 @@ class PublicKeyTokenMapperTest extends TestCase { $this->mapper->invalidate($token); - $this->assertSame(4, $this->getNumberOfTokens()); + $this->assertSame(5, $this->getNumberOfTokens()); } public function testInvalidateOld() { @@ -145,7 +159,15 @@ class PublicKeyTokenMapperTest extends TestCase { $this->mapper->invalidateOld($olderThan); - $this->assertSame(3, $this->getNumberOfTokens()); + $this->assertSame(4, $this->getNumberOfTokens()); + } + + public function testInvalidateLastUsedBefore() { + $before = $this->time - 60 * 2; // Two minutes + + $this->mapper->invalidateLastUsedBefore('user3', $before); + + $this->assertSame(4, $this->getNumberOfTokens()); } public function testGetToken() { @@ -238,7 +260,7 @@ class PublicKeyTokenMapperTest extends TestCase { $id = $result->fetch()['id']; $this->mapper->deleteById('user1', (int)$id); - $this->assertEquals(3, $this->getNumberOfTokens()); + $this->assertEquals(4, $this->getNumberOfTokens()); } public function testDeleteByIdWrongUser() { @@ -247,7 +269,7 @@ class PublicKeyTokenMapperTest extends TestCase { $id = 33; $this->mapper->deleteById('user1000', $id); - $this->assertEquals(4, $this->getNumberOfTokens()); + $this->assertEquals(5, $this->getNumberOfTokens()); } public function testDeleteByName() { @@ -258,7 +280,7 @@ class PublicKeyTokenMapperTest extends TestCase { $result = $qb->execute(); $name = $result->fetch()['name']; $this->mapper->deleteByName($name); - $this->assertEquals(3, $this->getNumberOfTokens()); + $this->assertEquals(4, $this->getNumberOfTokens()); } public function testHasExpiredTokens() { diff --git a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php index e37ef68852d..b3f5241877e 100644 --- a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php +++ b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php @@ -361,6 +361,14 @@ class PublicKeyTokenProviderTest extends TestCase { $this->tokenProvider->invalidateOldTokens(); } + public function testInvalidateLastUsedBefore() { + $this->mapper->expects($this->once()) + ->method('invalidateLastUsedBefore') + ->with('user', 946684800); + + $this->tokenProvider->invalidateLastUsedBefore('user', 946684800); + } + public function testRenewSessionTokenWithoutPassword() { $token = 'oldIdtokentokentokentoken'; $uid = 'user'; From c93b1634d347b9fe343be4785a6d7b7a3757e7ec Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Fri, 25 Aug 2023 10:41:46 -0300 Subject: [PATCH 10/13] Fixes from static analysis Co-authored-by: Joas Schilling <213943+nickvergessen@users.noreply.github.com> Signed-off-by: Lucas Azevedo --- core/Command/User/AuthTokens/Delete.php | 6 +++--- lib/private/Authentication/Token/PublicKeyTokenMapper.php | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/core/Command/User/AuthTokens/Delete.php b/core/Command/User/AuthTokens/Delete.php index 830050c1bb9..8cd6f2e6205 100644 --- a/core/Command/User/AuthTokens/Delete.php +++ b/core/Command/User/AuthTokens/Delete.php @@ -63,7 +63,7 @@ class Delete extends Base { protected function execute(InputInterface $input, OutputInterface $output): int { $uid = $input->getArgument('uid'); - $id = $input->getArgument('id'); + $id = (int) $input->getArgument('id'); $before = $input->getOption('last-used-before'); if ($before) { @@ -80,13 +80,13 @@ class Delete extends Base { return $this->deleteById($uid, $id); } - protected function deleteById(string $uid, string $id) { + protected function deleteById(string $uid, int $id): int { $this->tokenProvider->invalidateTokenById($uid, $id); return Command::SUCCESS; } - protected function deleteLastUsedBefore(string $uid, string $before) { + protected function deleteLastUsedBefore(string $uid, string $before): int { $date = $this->parseDateOption($before); if (!$date) { throw new RuntimeException('Invalid date format. Acceptable formats are: ISO8601 (w/o fractions), "YYYY-MM-DD" and Unix time in seconds.'); diff --git a/lib/private/Authentication/Token/PublicKeyTokenMapper.php b/lib/private/Authentication/Token/PublicKeyTokenMapper.php index f150576a623..b04467a509a 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenMapper.php +++ b/lib/private/Authentication/Token/PublicKeyTokenMapper.php @@ -71,11 +71,11 @@ class PublicKeyTokenMapper extends QBMapper { public function invalidateLastUsedBefore(string $uid, int $before): int { $qb = $this->db->getQueryBuilder(); - return $qb->delete($this->tableName) + $qb->delete($this->tableName) ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) ->andWhere($qb->expr()->lt('last_activity', $qb->createNamedParameter($before, IQueryBuilder::PARAM_INT))) - ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) - ->executeStatement(); + ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))); + return $query->executeStatement(); } /** From 2a36acfc2b774340099f9c8445a4f48337026225 Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Fri, 25 Aug 2023 11:13:10 -0300 Subject: [PATCH 11/13] Fix typo Signed-off-by: Lucas Azevedo --- lib/private/Authentication/Token/PublicKeyTokenMapper.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/private/Authentication/Token/PublicKeyTokenMapper.php b/lib/private/Authentication/Token/PublicKeyTokenMapper.php index b04467a509a..855639dd907 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenMapper.php +++ b/lib/private/Authentication/Token/PublicKeyTokenMapper.php @@ -75,7 +75,7 @@ class PublicKeyTokenMapper extends QBMapper { ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid))) ->andWhere($qb->expr()->lt('last_activity', $qb->createNamedParameter($before, IQueryBuilder::PARAM_INT))) ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))); - return $query->executeStatement(); + return $qb->executeStatement(); } /** From 9c66bf6dc3ca29ac52f6fd83ff0d05edafb917b3 Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Fri, 25 Aug 2023 11:13:34 -0300 Subject: [PATCH 12/13] Use table output for list command Signed-off-by: Lucas Azevedo --- core/Command/User/AuthTokens/ListCommand.php | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/core/Command/User/AuthTokens/ListCommand.php b/core/Command/User/AuthTokens/ListCommand.php index 6739e8b4648..97e94f29f92 100644 --- a/core/Command/User/AuthTokens/ListCommand.php +++ b/core/Command/User/AuthTokens/ListCommand.php @@ -61,18 +61,24 @@ class ListCommand extends Base { $tokens = $this->tokenProvider->getTokenByUser($user->getUID()); - $data = array_map(function (IToken $token): mixed { - $filtered = [ + $tokens = array_map(function (IToken $token) use ($input): mixed { + $sensitive = [ 'password', 'password_hash', 'token', 'public_key', 'private_key', ]; - return array_diff_key($token->jsonSerialize(), array_flip($filtered)); + $data = array_diff_key($token->jsonSerialize(), array_flip($sensitive)); + + if ($input->getOption('output') === self::OUTPUT_FORMAT_PLAIN) { + $data['scope'] = implode(', ', array_keys(array_filter($data['scope']))); + } + + return $data; }, $tokens); - $this->writeArrayInOutputFormat($input, $output, $data); + $this->writeTableInOutputFormat($input, $output, $tokens); return 0; } From cc912c3b51be06a7034c397a2b77d7968a28a7bd Mon Sep 17 00:00:00 2001 From: Lucas Azevedo Date: Sun, 27 Aug 2023 23:02:52 -0300 Subject: [PATCH 13/13] Format lastActivity and type for plain output Signed-off-by: Lucas Azevedo --- core/Command/User/AuthTokens/ListCommand.php | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/core/Command/User/AuthTokens/ListCommand.php b/core/Command/User/AuthTokens/ListCommand.php index 97e94f29f92..bfc49606259 100644 --- a/core/Command/User/AuthTokens/ListCommand.php +++ b/core/Command/User/AuthTokens/ListCommand.php @@ -72,7 +72,7 @@ class ListCommand extends Base { $data = array_diff_key($token->jsonSerialize(), array_flip($sensitive)); if ($input->getOption('output') === self::OUTPUT_FORMAT_PLAIN) { - $data['scope'] = implode(', ', array_keys(array_filter($data['scope']))); + $data = $this->formatTokenForPlainOutput($data); } return $data; @@ -82,4 +82,19 @@ class ListCommand extends Base { return 0; } + + public function formatTokenForPlainOutput(array $token): array { + $token['scope'] = implode(', ', array_keys(array_filter($token['scope'] ?? []))); + + $token['lastActivity'] = date(DATE_ATOM, $token['lastActivity']); + + $token['type'] = match ($token['type']) { + IToken::TEMPORARY_TOKEN => 'temporary', + IToken::PERMANENT_TOKEN => 'permanent', + IToken::WIPE_TOKEN => 'wipe', + default => $token['type'], + }; + + return $token; + } }