Handle one time and large passwords

For passwords bigger than 250 characters, use a bigger key since the performance impact is minor (around one second to encrypt the password). For passwords bigger than 470 characters, give up earlier and throw exeception recommanding admin to either enable the previously enabled configuration or use smaller passwords. This adds an option to disable storing passwords in the database. This might be desirable when using single use token as passwords or very large passwords. Signed-off-by: Carl Schwan <carl@carlschwan.eu>
author: Carl Schwan <carl@carlschwan.eu> 2022-07-05 11:25:44 +0200
committer: Carl Schwan <carl@carlschwan.eu> 2022-07-29 16:15:38 +0200
commit: f4795f6dacb5bf8f568e99ced155ea6389190137 (patch)
tree: 340c03d2ef5875fd75d909ce38a3106a86bd90fd /tests
parent: 6a3cd32a2dc1e5451ca762e171b62493be11dbca (diff)
download: nextcloud-server-f4795f6dacb5bf8f568e99ced155ea6389190137.tar.gz
nextcloud-server-f4795f6dacb5bf8f568e99ced155ea6389190137.zip
1 files changed, 83 insertions, 4 deletions
diff --git a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
index 6ad57515c16..1ef0aa80817 100644
--- a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
+++ b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
@@ -25,6 +25,7 @@ namespace Test\Authentication\Token;
 
 use OC\Authentication\Exceptions\ExpiredTokenException;
 use OC\Authentication\Exceptions\InvalidTokenException;
+use OC\Authentication\Exceptions\PasswordlessTokenException;
 use OC\Authentication\Token\IToken;
 use OC\Authentication\Token\PublicKeyToken;
 use OC\Authentication\Token\PublicKeyTokenMapper;
@@ -83,6 +84,10 @@ class PublicKeyTokenProviderTest extends TestCase {
 		$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
 		$type = IToken::PERMANENT_TOKEN;
 
+		$this->config->method('getSystemValueBool')
+			->willReturnMap([
+				['auth.storeCryptedPassword', true, true],
+			]);
 		$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
 
 		$this->assertInstanceOf(PublicKeyToken::class, $actual);
@@ -93,6 +98,48 @@ class PublicKeyTokenProviderTest extends TestCase {
 		$this->assertSame($password, $this->tokenProvider->getPassword($actual, $token));
 	}
 
+	public function testGenerateTokenNoPassword(): void {
+		$token = 'token';
+		$uid = 'user';
+		$user = 'User';
+		$password = 'passme';
+		$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
+		$type = IToken::PERMANENT_TOKEN;
+		$this->config->method('getSystemValueBool')
+			->willReturnMap([
+				['auth.storeCryptedPassword', true, false],
+			]);
+		$this->expectException(PasswordlessTokenException::class);
+
+		$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
+
+		$this->assertInstanceOf(PublicKeyToken::class, $actual);
+		$this->assertSame($uid, $actual->getUID());
+		$this->assertSame($user, $actual->getLoginName());
+		$this->assertSame($name, $actual->getName());
+		$this->assertSame(IToken::DO_NOT_REMEMBER, $actual->getRemember());
+		$this->tokenProvider->getPassword($actual, $token);
+	}
+
+	public function testGenerateTokenLongPassword() {
+		$token = 'token';
+		$uid = 'user';
+		$user = 'User';
+		$password = '';
+		for ($i = 0; $i < 500; $i++) {
+			$password .= 'e';
+		}
+		$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
+		$type = IToken::PERMANENT_TOKEN;
+		$this->config->method('getSystemValueBool')
+			->willReturnMap([
+				['auth.storeCryptedPassword', true, true],
+			]);
+		$this->expectException(\RuntimeException::class);
+
+		$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
+	}
+
 	public function testGenerateTokenInvalidName() {
 		$token = 'token';
 		$uid = 'user';
@@ -103,6 +150,10 @@ class PublicKeyTokenProviderTest extends TestCase {
 			. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12'
 			. 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
 		$type = IToken::PERMANENT_TOKEN;
+		$this->config->method('getSystemValueBool')
+			->willReturnMap([
+				['auth.storeCryptedPassword', true, true],
+			]);
 
 		$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
 
@@ -120,6 +171,10 @@ class PublicKeyTokenProviderTest extends TestCase {
 			->method('updateActivity')
 			->with($tk, $this->time);
 		$tk->setLastActivity($this->time - 200);
+		$this->config->method('getSystemValueBool')
+			->willReturnMap([
+				['auth.storeCryptedPassword', true, true],
+			]);
 
 		$this->tokenProvider->updateTokenActivity($tk);
 
@@ -157,6 +212,10 @@ class PublicKeyTokenProviderTest extends TestCase {
 		$password = 'passme';
 		$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
 		$type = IToken::PERMANENT_TOKEN;
+		$this->config->method('getSystemValueBool')
+			->willReturnMap([
+				['auth.storeCryptedPassword', true, true],
+			]);
 
 		$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
 
@@ -185,6 +244,10 @@ class PublicKeyTokenProviderTest extends TestCase {
 		$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
 		$type = IToken::PERMANENT_TOKEN;
 
+		$this->config->method('getSystemValueBool')
+			->willReturnMap([
+				['auth.storeCryptedPassword', true, true],
+			]);
 		$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
 
 		$this->tokenProvider->getPassword($actual, 'wrongtoken');
@@ -197,6 +260,10 @@ class PublicKeyTokenProviderTest extends TestCase {
 		$password = 'passme';
 		$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
 		$type = IToken::PERMANENT_TOKEN;
+		$this->config->method('getSystemValueBool')
+			->willReturnMap([
+				['auth.storeCryptedPassword', true, true],
+			]);
 
 		$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
 
@@ -301,7 +368,7 @@ class PublicKeyTokenProviderTest extends TestCase {
 		$this->tokenProvider->renewSessionToken('oldId', 'newId');
 	}
 
-	public function testRenewSessionTokenWithPassword() {
+	public function testRenewSessionTokenWithPassword(): void {
 		$token = 'oldId';
 		$uid = 'user';
 		$user = 'User';
@@ -309,6 +376,10 @@ class PublicKeyTokenProviderTest extends TestCase {
 		$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
 		$type = IToken::PERMANENT_TOKEN;
 
+		$this->config->method('getSystemValueBool')
+			->willReturnMap([
+				['auth.storeCryptedPassword', true, true],
+			]);
 		$oldToken = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
 
 		$this->mapper
@@ -319,7 +390,7 @@ class PublicKeyTokenProviderTest extends TestCase {
 		$this->mapper
 			->expects($this->once())
 			->method('insert')
-			->with($this->callback(function (PublicKeyToken $token) use ($user, $uid, $name) {
+			->with($this->callback(function (PublicKeyToken $token) use ($user, $uid, $name): bool {
 				return $token->getUID() === $uid &&
 					$token->getLoginName() === $user &&
 					$token->getName() === $name &&
@@ -331,14 +402,14 @@ class PublicKeyTokenProviderTest extends TestCase {
 		$this->mapper
 			->expects($this->once())
 			->method('delete')
-			->with($this->callback(function ($token) use ($oldToken) {
+			->with($this->callback(function ($token) use ($oldToken): bool {
 				return $token === $oldToken;
 			}));
 
 		$this->tokenProvider->renewSessionToken('oldId', 'newId');
 	}
 
-	public function testGetToken() {
+	public function testGetToken(): void {
 		$token = new PublicKeyToken();
 
 		$this->config->method('getSystemValue')
@@ -441,6 +512,10 @@ class PublicKeyTokenProviderTest extends TestCase {
 		$name = 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12';
 		$type = IToken::PERMANENT_TOKEN;
 
+		$this->config->method('getSystemValueBool')
+			->willReturnMap([
+				['auth.storeCryptedPassword', true, true],
+			]);
 		$actual = $this->tokenProvider->generateToken($token, $uid, $user, $password, $name, $type, IToken::DO_NOT_REMEMBER);
 
 		$new = $this->tokenProvider->rotate($actual, 'oldtoken', 'newtoken');
@@ -507,6 +582,10 @@ class PublicKeyTokenProviderTest extends TestCase {
 			'random2',
 			IToken::PERMANENT_TOKEN,
 			IToken::REMEMBER);
+		$this->config->method('getSystemValueBool')
+			->willReturnMap([
+				['auth.storeCryptedPassword', true, true],
+			]);
 
 		$this->mapper->method('hasExpiredTokens')
 			->with($uid)
author	Carl Schwan <carl@carlschwan.eu>	2022-07-05 11:25:44 +0200
committer	Carl Schwan <carl@carlschwan.eu>	2022-07-29 16:15:38 +0200
commit	f4795f6dacb5bf8f568e99ced155ea6389190137 (patch)
tree	340c03d2ef5875fd75d909ce38a3106a86bd90fd /tests
parent	6a3cd32a2dc1e5451ca762e171b62493be11dbca (diff)
download	nextcloud-server-f4795f6dacb5bf8f568e99ced155ea6389190137.tar.gz nextcloud-server-f4795f6dacb5bf8f568e99ced155ea6389190137.zip