Merge pull request #40026 from lhsazevedo/auth-token-commands

feat: Add auth token list and delete commands

4 files changed, 227 insertions, 4 deletions

diff --git a/core/Command/User/AddAppPassword.php b/core/Command/User/AuthTokens/Add.php
index 8c506c8510e..e067c069c79 100644
--- a/core/Command/User/AddAppPassword.php
+++ b/core/Command/User/AuthTokens/Add.php
@@ -24,7 +24,7 @@ declare(strict_types=1);
  * along with this program. If not, see <http://www.gnu.org/licenses/>.
  *
  */
-namespace OC\Core\Command\User;
+namespace OC\Core\Command\User\AuthTokens;
 
 use OC\Authentication\Events\AppPasswordCreatedEvent;
 use OC\Authentication\Token\IProvider;
@@ -40,7 +40,7 @@ use Symfony\Component\Console\Input\InputOption;
 use Symfony\Component\Console\Output\OutputInterface;
 use Symfony\Component\Console\Question\Question;
 
-class AddAppPassword extends Command {
+class Add extends Command {
 	public function __construct(
 		protected IUserManager $userManager,
 		protected IProvider $tokenProvider,
@@ -52,7 +52,8 @@ class AddAppPassword extends Command {
 
 	protected function configure() {
 		$this
-			->setName('user:add-app-password')
+			->setName('user:auth-tokens:add')
+			->setAliases(['user:add-app-password'])
 			->setDescription('Add app password for the named user')
 			->addArgument(
 				'user',
diff --git a/core/Command/User/AuthTokens/Delete.php b/core/Command/User/AuthTokens/Delete.php
new file mode 100644
index 00000000000..8cd6f2e6205
--- /dev/null
+++ b/core/Command/User/AuthTokens/Delete.php
@@ -0,0 +1,120 @@
+<?php
+/**
+ * @copyright Copyright (c) 2023 Lucas Azevedo <lhs_azevedo@hotmail.com>
+ *
+ * @author Lucas Azevedo <lhs_azevedo@hotmail.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OC\Core\Command\User\AuthTokens;
+
+use DateTimeImmutable;
+use OC\Core\Command\Base;
+use OC\Authentication\Token\IProvider;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Exception\RuntimeException;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class Delete extends Base {
+	public function __construct(
+		protected IProvider $tokenProvider,
+	) {
+		parent::__construct();
+	}
+
+	protected function configure(): void {
+		$this
+			->setName('user:auth-tokens:delete')
+			->setDescription('Deletes an authentication token')
+			->addArgument(
+				'uid',
+				InputArgument::REQUIRED,
+				'ID of the user to delete tokens for'
+			)
+			->addArgument(
+				'id',
+				InputArgument::OPTIONAL,
+				'ID of the auth token to delete'
+			)
+			->addOption(
+				'last-used-before',
+				null,
+				InputOption::VALUE_REQUIRED,
+				'Delete tokens last used before a given date.'
+			);
+	}
+
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		$uid = $input->getArgument('uid');
+		$id = (int) $input->getArgument('id');
+		$before = $input->getOption('last-used-before');
+
+		if ($before) {
+			if ($id) {
+				throw new RuntimeException('Option --last-used-before cannot be used with [<id>]');
+			}
+
+			return $this->deleteLastUsedBefore($uid, $before);
+		}
+
+		if (!$id) {
+			throw new RuntimeException('Not enough arguments. Specify the token <id> or use the --last-used-before option.');
+		}
+		return $this->deleteById($uid, $id);
+	}
+
+	protected function deleteById(string $uid, int $id): int {
+		$this->tokenProvider->invalidateTokenById($uid, $id);
+
+		return Command::SUCCESS;
+	}
+
+	protected function deleteLastUsedBefore(string $uid, string $before): int {
+		$date = $this->parseDateOption($before);
+		if (!$date) {
+			throw new RuntimeException('Invalid date format. Acceptable formats are: ISO8601 (w/o fractions), "YYYY-MM-DD" and Unix time in seconds.');
+		}
+
+		$this->tokenProvider->invalidateLastUsedBefore($uid, $date->getTimestamp());
+
+		return Command::SUCCESS;
+	}
+
+	/**
+	 * @return \DateTimeImmutable|false
+	 */
+	protected function parseDateOption(string $input) {
+		$date = false;
+
+		// Handle Unix timestamp
+		if (filter_var($input, FILTER_VALIDATE_INT)) {
+			return new DateTimeImmutable('@' . $input);
+		}
+
+		// ISO8601
+		$date = DateTimeImmutable::createFromFormat(DateTimeImmutable::ATOM, $input);
+		if ($date) {
+			return $date;
+		}
+
+		// YYYY-MM-DD
+		return DateTimeImmutable::createFromFormat('!Y-m-d', $input);
+	}
+}
diff --git a/core/Command/User/AuthTokens/ListCommand.php b/core/Command/User/AuthTokens/ListCommand.php
new file mode 100644
index 00000000000..bfc49606259
--- /dev/null
+++ b/core/Command/User/AuthTokens/ListCommand.php
@@ -0,0 +1,100 @@
+<?php
+/**
+ * @copyright Copyright (c) 2023 Lucas Azevedo <lhs_azevedo@hotmail.com>
+ *
+ * @author Lucas Azevedo <lhs_azevedo@hotmail.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OC\Core\Command\User\AuthTokens;
+
+use OC\Core\Command\Base;
+use OC\Authentication\Token\IProvider;
+use OC\Authentication\Token\IToken;
+use OCP\IUserManager;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class ListCommand extends Base {
+	public function __construct(
+		protected IUserManager $userManager,
+		protected IProvider $tokenProvider,
+	) {
+		parent::__construct();
+	}
+
+	protected function configure(): void {
+		parent::configure();
+
+		$this
+			->setName('user:auth-tokens:list')
+			->setDescription('List authentication tokens of an user')
+			->addArgument(
+				'user',
+				InputArgument::REQUIRED,
+				'User to list auth tokens for'
+			);
+	}
+
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		$user = $this->userManager->get($input->getArgument('user'));
+
+		if (is_null($user)) {
+			$output->writeln('<error>user not found</error>');
+			return 1;
+		}
+
+		$tokens = $this->tokenProvider->getTokenByUser($user->getUID());
+
+		$tokens = array_map(function (IToken $token) use ($input): mixed {
+			$sensitive = [
+				'password',
+				'password_hash',
+				'token',
+				'public_key',
+				'private_key',
+			];
+			$data = array_diff_key($token->jsonSerialize(), array_flip($sensitive));
+
+			if ($input->getOption('output') === self::OUTPUT_FORMAT_PLAIN) {
+				$data = $this->formatTokenForPlainOutput($data);
+			}
+
+			return $data;
+		}, $tokens);
+
+		$this->writeTableInOutputFormat($input, $output, $tokens);
+
+		return 0;
+	}
+
+	public function formatTokenForPlainOutput(array $token): array {
+		$token['scope'] = implode(', ', array_keys(array_filter($token['scope'] ?? [])));
+
+		$token['lastActivity'] = date(DATE_ATOM, $token['lastActivity']);
+
+		$token['type'] = match ($token['type']) {
+			IToken::TEMPORARY_TOKEN => 'temporary',
+			IToken::PERMANENT_TOKEN => 'permanent',
+			IToken::WIPE_TOKEN => 'wipe',
+			default => $token['type'],
+		};
+
+		return $token;
+	}
+}
diff --git a/core/register_command.php b/core/register_command.php
index 63e56d7c228..d9e5dfcd775 100644
--- a/core/register_command.php
+++ b/core/register_command.php
@@ -193,7 +193,9 @@ if (\OC::$server->getConfig()->getSystemValue('installed', false)) {
 	$application->add(new OC\Core\Command\User\ListCommand(\OC::$server->getUserManager(), \OC::$server->getGroupManager()));
 	$application->add(new OC\Core\Command\User\Info(\OC::$server->getUserManager(), \OC::$server->getGroupManager()));
 	$application->add(new OC\Core\Command\User\SyncAccountDataCommand(\OC::$server->getUserManager(), \OC::$server->get(\OCP\Accounts\IAccountManager::class)));
-	$application->add(new OC\Core\Command\User\AddAppPassword(\OC::$server->get(\OCP\IUserManager::class), \OC::$server->get(\OC\Authentication\Token\IProvider::class), \OC::$server->get(\OCP\Security\ISecureRandom::class), \OC::$server->get(\OCP\EventDispatcher\IEventDispatcher::class)));
+	$application->add(\OC::$server->get(\OC\Core\Command\User\AuthTokens\Add::class));
+	$application->add(\OC::$server->get(\OC\Core\Command\User\AuthTokens\ListCommand::class));
+	$application->add(\OC::$server->get(\OC\Core\Command\User\AuthTokens\Delete::class));
 
 	$application->add(new OC\Core\Command\Group\Add(\OC::$server->getGroupManager()));
 	$application->add(new OC\Core\Command\Group\Delete(\OC::$server->getGroupManager()));