diff options
| author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2018-05-22 10:16:45 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-05-22 10:16:45 +0200 |
| commit | 57d4a16cfbbab9087925484207826446b14163b0 (patch) | |
| tree | 55a94dbbc36d87beffcba0bfc742188353576f74 | |
| parent | 6fac639747e430f511a9730eb4c5ec5b793a3264 (diff) | |
| parent | 461998dd15894e23fae2712658f940df8e1b5636 (diff) | |
| download | nextcloud-server-57d4a16cfbbab9087925484207826446b14163b0.tar.gz nextcloud-server-57d4a16cfbbab9087925484207826446b14163b0.zip | |
Merge pull request #9517 from nextcloud/feature/noid/improve_oauth_handling
Improve OAuth handling
| -rw-r--r-- | apps/oauth2/appinfo/info.xml | 8 | ||||
| -rw-r--r-- | apps/oauth2/composer/composer/autoload_classmap.php | 1 | ||||
| -rw-r--r-- | apps/oauth2/composer/composer/autoload_static.php | 1 | ||||
| -rw-r--r-- | apps/oauth2/lib/Controller/LoginRedirectorController.php | 11 | ||||
| -rw-r--r-- | apps/oauth2/lib/Controller/OauthApiController.php | 110 | ||||
| -rw-r--r-- | apps/oauth2/lib/Migration/SetTokenExpiration.php | 77 | ||||
| -rw-r--r-- | apps/oauth2/tests/Controller/LoginRedirectorControllerTest.php | 20 | ||||
| -rw-r--r-- | apps/oauth2/tests/Controller/OauthApiControllerTest.php | 344 | ||||
| -rw-r--r-- | core/Controller/ClientFlowLoginController.php | 2 |
9 files changed, 518 insertions, 56 deletions
diff --git a/apps/oauth2/appinfo/info.xml b/apps/oauth2/appinfo/info.xml index ac18b5cdb94..43d0cf72372 100644 --- a/apps/oauth2/appinfo/info.xml +++ b/apps/oauth2/appinfo/info.xml @@ -5,7 +5,7 @@ <name>OAuth 2.0</name> <summary>Allows OAuth2 compatible authentication from other web applications.</summary> <description>The OAuth2 app allows administrators to configure the built-in authentication workflow to also allow OAuth2 compatible authentication from other web applications.</description> - <version>1.2.0</version> + <version>1.2.1</version> <licence>agpl</licence> <author>Lukas Reschke</author> <namespace>OAuth2</namespace> @@ -20,6 +20,12 @@ <nextcloud min-version="14" max-version="14" /> </dependencies> + <repair-steps> + <post-migration> + <step>OCA\OAuth2\Migration\SetTokenExpiration</step> + </post-migration> + </repair-steps> + <settings> <admin>OCA\OAuth2\Settings\Admin</admin> </settings> diff --git a/apps/oauth2/composer/composer/autoload_classmap.php b/apps/oauth2/composer/composer/autoload_classmap.php index 97c8098caa3..c933a1bf21e 100644 --- a/apps/oauth2/composer/composer/autoload_classmap.php +++ b/apps/oauth2/composer/composer/autoload_classmap.php @@ -15,5 +15,6 @@ return array( 'OCA\\OAuth2\\Db\\ClientMapper' => $baseDir . '/../lib/Db/ClientMapper.php', 'OCA\\OAuth2\\Exceptions\\AccessTokenNotFoundException' => $baseDir . '/../lib/Exceptions/AccessTokenNotFoundException.php', 'OCA\\OAuth2\\Exceptions\\ClientNotFoundException' => $baseDir . '/../lib/Exceptions/ClientNotFoundException.php', + 'OCA\\OAuth2\\Migration\\SetTokenExpiration' => $baseDir . '/../lib/Migration/SetTokenExpiration.php', 'OCA\\OAuth2\\Settings\\Admin' => $baseDir . '/../lib/Settings/Admin.php', ); diff --git a/apps/oauth2/composer/composer/autoload_static.php b/apps/oauth2/composer/composer/autoload_static.php index ec48d6d0ce0..aaac9e4f6d8 100644 --- a/apps/oauth2/composer/composer/autoload_static.php +++ b/apps/oauth2/composer/composer/autoload_static.php @@ -30,6 +30,7 @@ class ComposerStaticInitOAuth2 'OCA\\OAuth2\\Db\\ClientMapper' => __DIR__ . '/..' . '/../lib/Db/ClientMapper.php', 'OCA\\OAuth2\\Exceptions\\AccessTokenNotFoundException' => __DIR__ . '/..' . '/../lib/Exceptions/AccessTokenNotFoundException.php', 'OCA\\OAuth2\\Exceptions\\ClientNotFoundException' => __DIR__ . '/..' . '/../lib/Exceptions/ClientNotFoundException.php', + 'OCA\\OAuth2\\Migration\\SetTokenExpiration' => __DIR__ . '/..' . '/../lib/Migration/SetTokenExpiration.php', 'OCA\\OAuth2\\Settings\\Admin' => __DIR__ . '/..' . '/../lib/Settings/Admin.php', ); diff --git a/apps/oauth2/lib/Controller/LoginRedirectorController.php b/apps/oauth2/lib/Controller/LoginRedirectorController.php index 9237b4b1b3c..8e6d6d55e2d 100644 --- a/apps/oauth2/lib/Controller/LoginRedirectorController.php +++ b/apps/oauth2/lib/Controller/LoginRedirectorController.php @@ -61,11 +61,20 @@ class LoginRedirectorController extends Controller { * * @param string $client_id * @param string $state + * @param string $response_type * @return RedirectResponse */ public function authorize($client_id, - $state) { + $state, + $response_type) { $client = $this->clientMapper->getByIdentifier($client_id); + + if ($response_type !== 'code') { + //Fail + $url = $client->getRedirectUri() . '?error=unsupported_response_type&state=' . $state; + return new RedirectResponse($url); + } + $this->session->set('oauth.state', $state); $targetUrl = $this->urlGenerator->linkToRouteAbsolute( diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php index b97d85ae3e6..8c96a3feee1 100644 --- a/apps/oauth2/lib/Controller/OauthApiController.php +++ b/apps/oauth2/lib/Controller/OauthApiController.php @@ -21,10 +21,17 @@ namespace OCA\OAuth2\Controller; -use OC\Authentication\Token\DefaultTokenMapper; +use OC\Authentication\Exceptions\InvalidTokenException; +use OC\Authentication\Token\ExpiredTokenException; +use OC\Authentication\Token\IProvider as TokenProvider; use OCA\OAuth2\Db\AccessTokenMapper; +use OCA\OAuth2\Db\ClientMapper; +use OCA\OAuth2\Exceptions\AccessTokenNotFoundException; +use OCA\OAuth2\Exceptions\ClientNotFoundException; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http; use OCP\AppFramework\Http\JSONResponse; +use OCP\AppFramework\Utility\ITimeFactory; use OCP\IRequest; use OCP\Security\ICrypto; use OCP\Security\ISecureRandom; @@ -32,56 +39,133 @@ use OCP\Security\ISecureRandom; class OauthApiController extends Controller { /** @var AccessTokenMapper */ private $accessTokenMapper; + /** @var ClientMapper */ + private $clientMapper; /** @var ICrypto */ private $crypto; - /** @var DefaultTokenMapper */ - private $defaultTokenMapper; + /** @var TokenProvider */ + private $tokenProvider; /** @var ISecureRandom */ private $secureRandom; + /** @var ITimeFactory */ + private $time; /** * @param string $appName * @param IRequest $request * @param ICrypto $crypto * @param AccessTokenMapper $accessTokenMapper - * @param DefaultTokenMapper $defaultTokenMapper + * @param ClientMapper $clientMapper + * @param TokenProvider $tokenProvider * @param ISecureRandom $secureRandom + * @param ITimeFactory $time */ public function __construct($appName, IRequest $request, ICrypto $crypto, AccessTokenMapper $accessTokenMapper, - DefaultTokenMapper $defaultTokenMapper, - ISecureRandom $secureRandom) { + ClientMapper $clientMapper, + TokenProvider $tokenProvider, + ISecureRandom $secureRandom, + ITimeFactory $time) { parent::__construct($appName, $request); $this->crypto = $crypto; $this->accessTokenMapper = $accessTokenMapper; - $this->defaultTokenMapper = $defaultTokenMapper; + $this->clientMapper = $clientMapper; + $this->tokenProvider = $tokenProvider; $this->secureRandom = $secureRandom; + $this->time = $time; } /** * @PublicPage * @NoCSRFRequired * + * @param string $grant_type * @param string $code + * @param string $refresh_token + * @param string $client_id + * @param string $client_secret * @return JSONResponse */ - public function getToken($code) { - $accessToken = $this->accessTokenMapper->getByCode($code); + public function getToken($grant_type, $code, $refresh_token, $client_id, $client_secret) { + + // We only handle two types + if ($grant_type !== 'authorization_code' && $grant_type !== 'refresh_token') { + return new JSONResponse([ + 'error' => 'invalid_grant', + ], Http::STATUS_BAD_REQUEST); + } + + // We handle the initial and refresh tokens the same way + if ($grant_type === 'refresh_token' ) { + $code = $refresh_token; + } + + try { + $accessToken = $this->accessTokenMapper->getByCode($code); + } catch (AccessTokenNotFoundException $e) { + return new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + } + + try { + $client = $this->clientMapper->getByUid($accessToken->getClientId()); + } catch (ClientNotFoundException $e) { + return new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + } + + // The client id and secret must match. Else we don't provide an access token! + if ($client->getClientIdentifier() !== $client_id || $client->getSecret() !== $client_secret) { + return new JSONResponse([ + 'error' => 'invalid_client', + ], Http::STATUS_BAD_REQUEST); + } + $decryptedToken = $this->crypto->decrypt($accessToken->getEncryptedToken(), $code); - $newCode = $this->secureRandom->generate(128); + + // Obtain the appToken assoicated + try { + $appToken = $this->tokenProvider->getTokenById($accessToken->getTokenId()); + } catch (ExpiredTokenException $e) { + $appToken = $e->getToken(); + } catch (InvalidTokenException $e) { + //We can't do anything... + $this->accessTokenMapper->delete($accessToken); + return new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + } + + // Rotate the apptoken (so the old one becomes invalid basically) + $newToken = $this->secureRandom->generate(72, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS); + + $appToken = $this->tokenProvider->rotate( + $appToken, + $decryptedToken, + $newToken + ); + + // Expiration is in 1 hour again + $appToken->setExpires($this->time->getTime() + 3600); + $this->tokenProvider->updateToken($appToken); + + // Generate a new refresh token and encrypt the new apptoken in the DB + $newCode = $this->secureRandom->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS); $accessToken->setHashedCode(hash('sha512', $newCode)); - $accessToken->setEncryptedToken($this->crypto->encrypt($decryptedToken, $newCode)); + $accessToken->setEncryptedToken($this->crypto->encrypt($newToken, $newCode)); $this->accessTokenMapper->update($accessToken); return new JSONResponse( [ - 'access_token' => $decryptedToken, + 'access_token' => $newToken, 'token_type' => 'Bearer', 'expires_in' => 3600, 'refresh_token' => $newCode, - 'user_id' => $this->defaultTokenMapper->getTokenById($accessToken->getTokenId())->getUID(), + 'user_id' => $appToken->getUID(), ] ); } diff --git a/apps/oauth2/lib/Migration/SetTokenExpiration.php b/apps/oauth2/lib/Migration/SetTokenExpiration.php new file mode 100644 index 00000000000..54add100fa7 --- /dev/null +++ b/apps/oauth2/lib/Migration/SetTokenExpiration.php @@ -0,0 +1,77 @@ +<?php +/** + * @copyright Copyright 2018, Roeland Jago Douma <roeland@famdouma.nl> + * + * @author Roeland Jago Douma <roeland@famdouma.nl> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\OAuth2\Migration; + +use OC\Authentication\Exceptions\InvalidTokenException; +use OC\Authentication\Token\IProvider as TokenProvider; +use OCA\OAuth2\Db\AccessToken; +use OCP\AppFramework\Utility\ITimeFactory; +use OCP\IDBConnection; +use OCP\Migration\IOutput; +use OCP\Migration\IRepairStep; + +class SetTokenExpiration implements IRepairStep { + + /** @var IDBConnection */ + private $connection; + + /** @var ITimeFactory */ + private $time; + + /** @var TokenProvider */ + private $tokenProvider; + + public function __construct(IDBConnection $connection, + ITimeFactory $timeFactory, + TokenProvider $tokenProvider) { + $this->connection = $connection; + $this->time = $timeFactory; + $this->tokenProvider = $tokenProvider; + } + + public function getName() { + return 'Update OAuth token expiration times'; + } + + public function run(IOutput $output) { + $qb = $this->connection->getQueryBuilder(); + $qb->select('*') + ->from('oauth2_access_tokens'); + + $cursor = $qb->execute(); + + while($row = $cursor->fetch()) { + $token = AccessToken::fromRow($row); + try { + $appToken = $this->tokenProvider->getTokenById($token->getTokenId()); + $appToken->setExpires($this->time->getTime() + 3600); + $this->tokenProvider->updateToken($appToken); + } catch (InvalidTokenException $e) { + //Skip this token + } + } + $cursor->closeCursor(); + } + +} diff --git a/apps/oauth2/tests/Controller/LoginRedirectorControllerTest.php b/apps/oauth2/tests/Controller/LoginRedirectorControllerTest.php index b33d3379be4..584e3ebed54 100644 --- a/apps/oauth2/tests/Controller/LoginRedirectorControllerTest.php +++ b/apps/oauth2/tests/Controller/LoginRedirectorControllerTest.php @@ -86,6 +86,24 @@ class LoginRedirectorControllerTest extends TestCase { ->willReturn('https://example.com/?clientIdentifier=foo'); $expected = new RedirectResponse('https://example.com/?clientIdentifier=foo'); - $this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState')); + $this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'code')); + } + + public function testAuthorizeWrongResponseType() { + $client = new Client(); + $client->setClientIdentifier('MyClientIdentifier'); + $client->setRedirectUri('http://foo.bar'); + $this->clientMapper + ->expects($this->once()) + ->method('getByIdentifier') + ->with('MyClientId') + ->willReturn($client); + $this->session + ->expects($this->never()) + ->method('set'); + + + $expected = new RedirectResponse('http://foo.bar?error=unsupported_response_type&state=MyState'); + $this->assertEquals($expected, $this->loginRedirectorController->authorize('MyClientId', 'MyState', 'wrongcode')); } } diff --git a/apps/oauth2/tests/Controller/OauthApiControllerTest.php b/apps/oauth2/tests/Controller/OauthApiControllerTest.php index c90e2bf711f..790dba0a598 100644 --- a/apps/oauth2/tests/Controller/OauthApiControllerTest.php +++ b/apps/oauth2/tests/Controller/OauthApiControllerTest.php @@ -21,12 +21,22 @@ namespace OCA\OAuth2\Tests\Controller; +use OC\Authentication\Exceptions\InvalidTokenException; use OC\Authentication\Token\DefaultToken; use OC\Authentication\Token\DefaultTokenMapper; +use OC\Authentication\Token\ExpiredTokenException; +use OC\Authentication\Token\IProvider as TokenProvider; +use OC\Authentication\Token\IToken; use OCA\OAuth2\Controller\OauthApiController; use OCA\OAuth2\Db\AccessToken; use OCA\OAuth2\Db\AccessTokenMapper; +use OCA\OAuth2\Db\Client; +use OCA\OAuth2\Db\ClientMapper; +use OCA\OAuth2\Exceptions\AccessTokenNotFoundException; +use OCA\OAuth2\Exceptions\ClientNotFoundException; +use OCP\AppFramework\Http; use OCP\AppFramework\Http\JSONResponse; +use OCP\AppFramework\Utility\ITimeFactory; use OCP\IRequest; use OCP\Security\ICrypto; use OCP\Security\ISecureRandom; @@ -39,10 +49,14 @@ class OauthApiControllerTest extends TestCase { private $crypto; /** @var AccessTokenMapper|\PHPUnit_Framework_MockObject_MockObject */ private $accessTokenMapper; - /** @var DefaultTokenMapper|\PHPUnit_Framework_MockObject_MockObject */ - private $defaultTokenMapper; + /** @var ClientMapper|\PHPUnit_Framework_MockObject_MockObject */ + private $clientMapper; + /** @var TokenProvider|\PHPUnit_Framework_MockObject_MockObject */ + private $tokenProvider; /** @var ISecureRandom|\PHPUnit_Framework_MockObject_MockObject */ private $secureRandom; + /** @var ITimeFactory|\PHPUnit_Framework_MockObject_MockObject */ + private $time; /** @var OauthApiController */ private $oauthApiController; @@ -52,55 +66,307 @@ class OauthApiControllerTest extends TestCase { $this->request = $this->createMock(IRequest::class); $this->crypto = $this->createMock(ICrypto::class); $this->accessTokenMapper = $this->createMock(AccessTokenMapper::class); - $this->defaultTokenMapper = $this->createMock(DefaultTokenMapper::class); + $this->clientMapper = $this->createMock(ClientMapper::class); + $this->tokenProvider = $this->createMock(TokenProvider::class); $this->secureRandom = $this->createMock(ISecureRandom::class); + $this->time = $this->createMock(ITimeFactory::class); $this->oauthApiController = new OauthApiController( 'oauth2', $this->request, $this->crypto, $this->accessTokenMapper, - $this->defaultTokenMapper, - $this->secureRandom + $this->clientMapper, + $this->tokenProvider, + $this->secureRandom, + $this->time ); } - public function testGetToken() { + public function testGetTokenInvalidGrantType() { + $expected = new JSONResponse([ + 'error' => 'invalid_grant', + ], Http::STATUS_BAD_REQUEST); + + $this->assertEquals($expected, $this->oauthApiController->getToken('foo', null, null, null, null)); + } + + public function testGetTokenInvalidCode() { + $expected = new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + + $this->accessTokenMapper->method('getByCode') + ->with('invalidcode') + ->willThrowException(new AccessTokenNotFoundException()); + + $this->assertEquals($expected, $this->oauthApiController->getToken('authorization_code', 'invalidcode', null, null, null)); + } + + public function testGetTokenInvalidRefreshToken() { + $expected = new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + + $this->accessTokenMapper->method('getByCode') + ->with('invalidrefresh') + ->willThrowException(new AccessTokenNotFoundException()); + + $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'invalidrefresh', null, null)); + } + + public function testGetTokenClientDoesNotExist() { + $expected = new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + $accessToken = new AccessToken(); - $accessToken->setEncryptedToken('MyEncryptedToken'); - $accessToken->setTokenId(123); - $this->accessTokenMapper - ->expects($this->once()) - ->method('getByCode') + $accessToken->setClientId(42); + + $this->accessTokenMapper->method('getByCode') + ->with('validrefresh') ->willReturn($accessToken); - $this->crypto - ->expects($this->once()) - ->method('decrypt') - ->with('MyEncryptedToken', 'MySecretCode') - ->willReturn('MyDecryptedToken'); - $this->secureRandom - ->expects($this->once()) - ->method('generate') - ->with(128) - ->willReturn('NewToken'); - $token = new DefaultToken(); - $token->setUid('JohnDoe'); - $this->defaultTokenMapper - ->expects($this->once()) - ->method('getTokenById') - ->with(123) - ->willReturn($token); - - $expected = new JSONResponse( - [ - 'access_token' => 'MyDecryptedToken', - 'token_type' => 'Bearer', - 'expires_in' => 3600, - 'refresh_token' => 'NewToken', - 'user_id' => 'JohnDoe', - ] - ); - $this->assertEquals($expected, $this->oauthApiController->getToken('MySecretCode')); + + $this->clientMapper->method('getByUid') + ->with(42) + ->willThrowException(new ClientNotFoundException()); + + $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', null, null)); + } + + public function invalidClientProvider() { + return [ + ['invalidClientId', 'invalidClientSecret'], + ['clientId', 'invalidClientSecret'], + ['invalidClientId', 'clientSecret'], + ]; + } + + /** + * @dataProvider invalidClientProvider + * + * @param string $clientId + * @param string $clientSecret + */ + public function testGetTokenInvalidClient($clientId, $clientSecret) { + $expected = new JSONResponse([ + 'error' => 'invalid_client', + ], Http::STATUS_BAD_REQUEST); + + $accessToken = new AccessToken(); + $accessToken->setClientId(42); + + $this->accessTokenMapper->method('getByCode') + ->with('validrefresh') + ->willReturn($accessToken); + + $client = new Client(); + $client->setClientIdentifier('clientId'); + $client->setSecret('clientSecret'); + $this->clientMapper->method('getByUid') + ->with(42) + ->willReturn($client); + + $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', $clientId, $clientSecret)); + } + + public function testGetTokenInvalidAppToken() { + $expected = new JSONResponse([ + 'error' => 'invalid_request', + ], Http::STATUS_BAD_REQUEST); + + $accessToken = new AccessToken(); + $accessToken->setClientId(42); + $accessToken->setTokenId(1337); + $accessToken->setEncryptedToken('encryptedToken'); + + $this->accessTokenMapper->method('getByCode') + ->with('validrefresh') + ->willReturn($accessToken); + + $client = new Client(); + $client->setClientIdentifier('clientId'); + $client->setSecret('clientSecret'); + $this->clientMapper->method('getByUid') + ->with(42) + ->willReturn($client); + + $this->crypto->method('decrypt') + ->with( + 'encryptedToken', + 'validrefresh' + )->willReturn('decryptedToken'); + + $this->tokenProvider->method('getTokenById') + ->with(1337) + ->willThrowException(new InvalidTokenException()); + + $this->accessTokenMapper->expects($this->once()) + ->method('delete') + ->with($accessToken); + + $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret')); } + public function testGetTokenValidAppToken() { + $accessToken = new AccessToken(); + $accessToken->setClientId(42); + $accessToken->setTokenId(1337); + $accessToken->setEncryptedToken('encryptedToken'); + + $this->accessTokenMapper->method('getByCode') + ->with('validrefresh') + ->willReturn($accessToken); + + $client = new Client(); + $client->setClientIdentifier('clientId'); + $client->setSecret('clientSecret'); + $this->clientMapper->method('getByUid') + ->with(42) + ->willReturn($client); + + $this->crypto->method('decrypt') + ->with( + 'encryptedToken', + 'validrefresh' + )->willReturn('decryptedToken'); + + $appToken = new DefaultToken(); + $appToken->setUid('userId'); + $this->tokenProvider->method('getTokenById') + ->with(1337) + ->willThrowException(new ExpiredTokenException($appToken)); + + $this->accessTokenMapper->expects($this->never()) + ->method('delete') + ->with($accessToken); + + $this->secureRandom->method('generate') + ->will($this->returnCallback(function ($len) { + return 'random'.$len; + })); + + $this->tokenProvider->expects($this->once()) + ->method('rotate') + ->with( + $appToken, + 'decryptedToken', + 'random72' + )->willReturn($appToken); + + $this->time->method('getTime') + ->willReturn(1000); + + $this->tokenProvider->expects($this->once()) + ->method('updateToken') + ->with( + $this->callback(function (DefaultToken $token) { + return $token->getExpires() === 4600; + }) + ); + + $this->crypto->method('encrypt') + ->with('random72', 'random128') + ->willReturn('newEncryptedToken'); + + $this->accessTokenMapper->expects($this->once()) + ->method('update') + ->with( + $this->callback(function (AccessToken $token) { + return $token->getHashedCode() === hash('sha512', 'random128') && + $token->getEncryptedToken() === 'newEncryptedToken'; + }) + ); + + $expected = new JSONResponse([ + 'access_token' => 'random72', + 'token_type' => 'Bearer', + 'expires_in' => 3600, + 'refresh_token' => 'random128', + 'user_id' => 'userId', + ]); + + $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret')); + } + + public function testGetTokenExpiredAppToken() { + $accessToken = new AccessToken(); + $accessToken->setClientId(42); + $accessToken->setTokenId(1337); + $accessToken->setEncryptedToken('encryptedToken'); + + $this->accessTokenMapper->method('getByCode') + ->with('validrefresh') + ->willReturn($accessToken); + + $client = new Client(); + $client->setClientIdentifier('clientId'); + $client->setSecret('clientSecret'); + $this->clientMapper->method('getByUid') + ->with(42) + ->willReturn($client); + + $this->crypto->method('decrypt') + ->with( + 'encryptedToken', + 'validrefresh' + )->willReturn('decryptedToken'); + + $appToken = new DefaultToken(); + $appToken->setUid('userId'); + $this->tokenProvider->method('getTokenById') + ->with(1337) + ->willReturn($appToken); + + $this->accessTokenMapper->expects($this->never()) + ->method('delete') + ->with($accessToken); + + $this->secureRandom->method('generate') + ->will($this->returnCallback(function ($len) { + return 'random'.$len; + })); + + $this->tokenProvider->expects($this->once()) + ->method('rotate') + ->with( + $appToken, + 'decryptedToken', + 'random72' + )->willReturn($appToken); + + $this->time->method('getTime') + ->willReturn(1000); + + $this->tokenProvider->expects($this->once()) + ->method('updateToken') + ->with( + $this->callback(function (DefaultToken $token) { + return $token->getExpires() === 4600; + }) + ); + + $this->crypto->method('encrypt') + ->with('random72', 'random128') + ->willReturn('newEncryptedToken'); + + $this->accessTokenMapper->expects($this->once()) + ->method('update') + ->with( + $this->callback(function (AccessToken $token) { + return $token->getHashedCode() === hash('sha512', 'random128') && + $token->getEncryptedToken() === 'newEncryptedToken'; + }) + ); + + $expected = new JSONResponse([ + 'access_token' => 'random72', + 'token_type' => 'Bearer', + 'expires_in' => 3600, + 'refresh_token' => 'random128', + 'user_id' => 'userId', + ]); + + $this->assertEquals($expected, $this->oauthApiController->getToken('refresh_token', null, 'validrefresh', 'clientId', 'clientSecret')); + } } diff --git a/core/Controller/ClientFlowLoginController.php b/core/Controller/ClientFlowLoginController.php index ab9d98df8d6..c3b88f752db 100644 --- a/core/Controller/ClientFlowLoginController.php +++ b/core/Controller/ClientFlowLoginController.php @@ -329,7 +329,7 @@ class ClientFlowLoginController extends Controller { ); if($client) { - $code = $this->random->generate(128); + $code = $this->random->generate(128, ISecureRandom::CHAR_UPPER.ISecureRandom::CHAR_LOWER.ISecureRandom::CHAR_DIGITS); $accessToken = new AccessToken(); $accessToken->setClientId($client->getId()); $accessToken->setEncryptedToken($this->crypto->encrypt($token, $code)); |