From 9a2bc56e290c563c2436c5cd6bca189b1fa8e962 Mon Sep 17 00:00:00 2001 From: Julien Veyssier Date: Thu, 29 Aug 2024 17:28:01 +0200 Subject: [PATCH] fix(oauth2): store hashed secret instead of encrypted Signed-off-by: Julien Veyssier --- apps/oauth2/appinfo/info.xml | 2 +- .../composer/composer/autoload_classmap.php | 1 + .../composer/composer/autoload_static.php | 1 + .../lib/Controller/OauthApiController.php | 5 +- .../lib/Controller/SettingsController.php | 4 +- .../Version011901Date20240829164356.php | 49 +++++++++++ apps/oauth2/lib/Settings/Admin.php | 6 +- apps/oauth2/src/App.vue | 8 ++ apps/oauth2/src/components/OAuthItem.vue | 2 +- .../Controller/OauthApiControllerTest.php | 81 ++++++++++--------- .../Controller/SettingsControllerTest.php | 10 +-- apps/oauth2/tests/Settings/AdminTest.php | 4 +- 12 files changed, 118 insertions(+), 55 deletions(-) create mode 100644 apps/oauth2/lib/Migration/Version011901Date20240829164356.php diff --git a/apps/oauth2/appinfo/info.xml b/apps/oauth2/appinfo/info.xml index 716e9ecd362..6cd8f4cae8d 100644 --- a/apps/oauth2/appinfo/info.xml +++ b/apps/oauth2/appinfo/info.xml @@ -5,7 +5,7 @@ OAuth 2.0 Allows OAuth2 compatible authentication from other web applications. The OAuth2 app allows administrators to configure the built-in authentication workflow to also allow OAuth2 compatible authentication from other web applications. - 1.15.2 + 1.15.3 agpl Lukas Reschke OAuth2 diff --git a/apps/oauth2/composer/composer/autoload_classmap.php b/apps/oauth2/composer/composer/autoload_classmap.php index b2f24b59c77..6714e3e081a 100644 --- a/apps/oauth2/composer/composer/autoload_classmap.php +++ b/apps/oauth2/composer/composer/autoload_classmap.php @@ -22,5 +22,6 @@ return array( 'OCA\\OAuth2\\Migration\\Version010402Date20190107124745' => $baseDir . '/../lib/Migration/Version010402Date20190107124745.php', 'OCA\\OAuth2\\Migration\\Version011601Date20230522143227' => $baseDir . '/../lib/Migration/Version011601Date20230522143227.php', 'OCA\\OAuth2\\Migration\\Version011603Date20230620111039' => $baseDir . '/../lib/Migration/Version011603Date20230620111039.php', + 'OCA\\OAuth2\\Migration\\Version011901Date20240829164356' => $baseDir . '/../lib/Migration/Version011901Date20240829164356.php', 'OCA\\OAuth2\\Settings\\Admin' => $baseDir . '/../lib/Settings/Admin.php', ); diff --git a/apps/oauth2/composer/composer/autoload_static.php b/apps/oauth2/composer/composer/autoload_static.php index ad4983efbb9..d1ddd62f2b7 100644 --- a/apps/oauth2/composer/composer/autoload_static.php +++ b/apps/oauth2/composer/composer/autoload_static.php @@ -37,6 +37,7 @@ class ComposerStaticInitOAuth2 'OCA\\OAuth2\\Migration\\Version010402Date20190107124745' => __DIR__ . '/..' . '/../lib/Migration/Version010402Date20190107124745.php', 'OCA\\OAuth2\\Migration\\Version011601Date20230522143227' => __DIR__ . '/..' . '/../lib/Migration/Version011601Date20230522143227.php', 'OCA\\OAuth2\\Migration\\Version011603Date20230620111039' => __DIR__ . '/..' . '/../lib/Migration/Version011603Date20230620111039.php', + 'OCA\\OAuth2\\Migration\\Version011901Date20240829164356' => __DIR__ . '/..' . '/../lib/Migration/Version011901Date20240829164356.php', 'OCA\\OAuth2\\Settings\\Admin' => __DIR__ . '/..' . '/../lib/Settings/Admin.php', ); diff --git a/apps/oauth2/lib/Controller/OauthApiController.php b/apps/oauth2/lib/Controller/OauthApiController.php index dea8bd5c83d..fec19f8f741 100644 --- a/apps/oauth2/lib/Controller/OauthApiController.php +++ b/apps/oauth2/lib/Controller/OauthApiController.php @@ -149,7 +149,8 @@ class OauthApiController extends Controller { } try { - $storedClientSecret = $this->crypto->decrypt($client->getSecret()); + $storedClientSecretHash = $client->getSecret(); + $clientSecretHash = bin2hex($this->crypto->calculateHMAC($client_secret)); } catch (\Exception $e) { $this->logger->error('OAuth client secret decryption error', ['exception' => $e]); // we don't throttle here because it might not be a bruteforce attack @@ -158,7 +159,7 @@ class OauthApiController extends Controller { ], Http::STATUS_BAD_REQUEST); } // The client id and secret must match. Else we don't provide an access token! - if ($client->getClientIdentifier() !== $client_id || $storedClientSecret !== $client_secret) { + if ($client->getClientIdentifier() !== $client_id || $storedClientSecretHash !== $clientSecretHash) { $response = new JSONResponse([ 'error' => 'invalid_client', ], Http::STATUS_BAD_REQUEST); diff --git a/apps/oauth2/lib/Controller/SettingsController.php b/apps/oauth2/lib/Controller/SettingsController.php index 3dcda337917..c1c397ae121 100644 --- a/apps/oauth2/lib/Controller/SettingsController.php +++ b/apps/oauth2/lib/Controller/SettingsController.php @@ -72,8 +72,8 @@ class SettingsController extends Controller { $client->setName($name); $client->setRedirectUri($redirectUri); $secret = $this->secureRandom->generate(64, self::validChars); - $encryptedSecret = $this->crypto->encrypt($secret); - $client->setSecret($encryptedSecret); + $hashedSecret = bin2hex($this->crypto->calculateHMAC($secret)); + $client->setSecret($hashedSecret); $client->setClientIdentifier($this->secureRandom->generate(64, self::validChars)); $client = $this->clientMapper->insert($client); diff --git a/apps/oauth2/lib/Migration/Version011901Date20240829164356.php b/apps/oauth2/lib/Migration/Version011901Date20240829164356.php new file mode 100644 index 00000000000..9ce9ff371cb --- /dev/null +++ b/apps/oauth2/lib/Migration/Version011901Date20240829164356.php @@ -0,0 +1,49 @@ +connection->getQueryBuilder(); + $qbUpdate->update('oauth2_clients') + ->set('secret', $qbUpdate->createParameter('updateSecret')) + ->where( + $qbUpdate->expr()->eq('id', $qbUpdate->createParameter('updateId')) + ); + + $qbSelect = $this->connection->getQueryBuilder(); + $qbSelect->select('id', 'secret') + ->from('oauth2_clients'); + $req = $qbSelect->executeQuery(); + while ($row = $req->fetch()) { + $id = $row['id']; + $storedEncryptedSecret = $row['secret']; + $secret = $this->crypto->decrypt($storedEncryptedSecret); + $hashedSecret = bin2hex($this->crypto->calculateHMAC($secret)); + $qbUpdate->setParameter('updateSecret', $hashedSecret, IQueryBuilder::PARAM_STR); + $qbUpdate->setParameter('updateId', $id, IQueryBuilder::PARAM_INT); + $qbUpdate->executeStatement(); + } + $req->closeCursor(); + } +} diff --git a/apps/oauth2/lib/Settings/Admin.php b/apps/oauth2/lib/Settings/Admin.php index 7b297116a77..e142d131d65 100644 --- a/apps/oauth2/lib/Settings/Admin.php +++ b/apps/oauth2/lib/Settings/Admin.php @@ -29,9 +29,9 @@ namespace OCA\OAuth2\Settings; use OCA\OAuth2\Db\ClientMapper; use OCP\AppFramework\Http\TemplateResponse; use OCP\AppFramework\Services\IInitialState; +use OCP\IURLGenerator; use OCP\Security\ICrypto; use OCP\Settings\ISettings; -use OCP\IURLGenerator; use Psr\Log\LoggerInterface; class Admin implements ISettings { @@ -40,7 +40,6 @@ class Admin implements ISettings { private IInitialState $initialState, private ClientMapper $clientMapper, private IURLGenerator $urlGenerator, - private ICrypto $crypto, private LoggerInterface $logger, ) { } @@ -51,13 +50,12 @@ class Admin implements ISettings { foreach ($clients as $client) { try { - $secret = $this->crypto->decrypt($client->getSecret()); $result[] = [ 'id' => $client->getId(), 'name' => $client->getName(), 'redirectUri' => $client->getRedirectUri(), 'clientId' => $client->getClientIdentifier(), - 'clientSecret' => $secret, + 'clientSecret' => '', ]; } catch (\Exception $e) { $this->logger->error('[Settings] OAuth client secret decryption error', ['exception' => $e]); diff --git a/apps/oauth2/src/App.vue b/apps/oauth2/src/App.vue index fc154204c8d..498e9b3637b 100644 --- a/apps/oauth2/src/App.vue +++ b/apps/oauth2/src/App.vue @@ -39,6 +39,10 @@ @delete="deleteClient" /> + + {{ t('oauth2', 'Make sure you store the secret key, it cannot be recovered.') }} +

{{ t('oauth2', 'Add client') }}

@@ -68,6 +72,7 @@ import { generateUrl } from '@nextcloud/router' import { getCapabilities } from '@nextcloud/capabilities' import NcSettingsSection from '@nextcloud/vue/dist/Components/NcSettingsSection.js' import NcButton from '@nextcloud/vue/dist/Components/NcButton.js' +import NcNoteCard from '@nextcloud/vue/dist/Components/NcNoteCard.js' import { loadState } from '@nextcloud/initial-state' export default { @@ -76,6 +81,7 @@ export default { OAuthItem, NcSettingsSection, NcButton, + NcNoteCard, }, props: { clients: { @@ -92,6 +98,7 @@ export default { error: false, }, oauthDocLink: loadState('oauth2', 'oauth2-doc-link'), + showSecretWarning: false, } }, computed: { @@ -119,6 +126,7 @@ export default { ).then(response => { // eslint-disable-next-line vue/no-mutating-props this.clients.push(response.data) + this.showSecretWarning = true this.newClient.name = '' this.newClient.redirectUri = '' diff --git a/apps/oauth2/src/components/OAuthItem.vue b/apps/oauth2/src/components/OAuthItem.vue index a759af56906..aaf2f2ecd92 100644 --- a/apps/oauth2/src/components/OAuthItem.vue +++ b/apps/oauth2/src/components/OAuthItem.vue @@ -37,7 +37,7 @@ {{ t('oauth2', 'Secret') }} - {{ renderedSecret }} + {{ renderedSecret }} diff --git a/apps/oauth2/tests/Controller/OauthApiControllerTest.php b/apps/oauth2/tests/Controller/OauthApiControllerTest.php index 6faef7c88f3..f3ffbfe7991 100644 --- a/apps/oauth2/tests/Controller/OauthApiControllerTest.php +++ b/apps/oauth2/tests/Controller/OauthApiControllerTest.php @@ -265,9 +265,20 @@ class OauthApiControllerTest extends TestCase { ->with('validrefresh') ->willReturn($accessToken); + $this->crypto + ->method('calculateHMAC') + ->with($this->callback(function (string $text) { + return $text === 'clientSecret' || $text === 'invalidClientSecret'; + })) + ->willReturnCallback(function (string $text) { + return $text === 'clientSecret' + ? 'hashedClientSecret' + : 'hashedInvalidClientSecret'; + }); + $client = new Client(); $client->setClientIdentifier('clientId'); - $client->setSecret('clientSecret'); + $client->setSecret('hashedClientSecret'); $this->clientMapper->method('getByUid') ->with(42) ->willReturn($client); @@ -292,21 +303,20 @@ class OauthApiControllerTest extends TestCase { $client = new Client(); $client->setClientIdentifier('clientId'); - $client->setSecret('encryptedClientSecret'); + $client->setSecret('hashedClientSecret'); $this->clientMapper->method('getByUid') ->with(42) ->willReturn($client); $this->crypto ->method('decrypt') - ->with($this->callback(function (string $text) { - return $text === 'encryptedClientSecret' || $text === 'encryptedToken'; - })) - ->willReturnCallback(function (string $text) { - return $text === 'encryptedClientSecret' - ? 'clientSecret' - : ($text === 'encryptedToken' ? 'decryptedToken' : ''); - }); + ->with('encryptedToken') + ->willReturn('decryptedToken'); + + $this->crypto + ->method('calculateHMAC') + ->with('clientSecret') + ->willReturn('hashedClientSecret'); $this->tokenProvider->method('getTokenById') ->with(1337) @@ -331,21 +341,20 @@ class OauthApiControllerTest extends TestCase { $client = new Client(); $client->setClientIdentifier('clientId'); - $client->setSecret('encryptedClientSecret'); + $client->setSecret('hashedClientSecret'); $this->clientMapper->method('getByUid') ->with(42) ->willReturn($client); $this->crypto ->method('decrypt') - ->with($this->callback(function (string $text) { - return $text === 'encryptedClientSecret' || $text === 'encryptedToken'; - })) - ->willReturnCallback(function (string $text) { - return $text === 'encryptedClientSecret' - ? 'clientSecret' - : ($text === 'encryptedToken' ? 'decryptedToken' : ''); - }); + ->with('encryptedToken') + ->willReturn('decryptedToken'); + + $this->crypto + ->method('calculateHMAC') + ->with('clientSecret') + ->willReturn('hashedClientSecret'); $appToken = new PublicKeyToken(); $appToken->setUid('userId'); @@ -428,21 +437,20 @@ class OauthApiControllerTest extends TestCase { $client = new Client(); $client->setClientIdentifier('clientId'); - $client->setSecret('encryptedClientSecret'); + $client->setSecret('hashedClientSecret'); $this->clientMapper->method('getByUid') ->with(42) ->willReturn($client); $this->crypto ->method('decrypt') - ->with($this->callback(function (string $text) { - return $text === 'encryptedClientSecret' || $text === 'encryptedToken'; - })) - ->willReturnCallback(function (string $text) { - return $text === 'encryptedClientSecret' - ? 'clientSecret' - : ($text === 'encryptedToken' ? 'decryptedToken' : ''); - }); + ->with('encryptedToken') + ->willReturn('decryptedToken'); + + $this->crypto + ->method('calculateHMAC') + ->with('clientSecret') + ->willReturn('hashedClientSecret'); $appToken = new PublicKeyToken(); $appToken->setUid('userId'); @@ -528,21 +536,20 @@ class OauthApiControllerTest extends TestCase { $client = new Client(); $client->setClientIdentifier('clientId'); - $client->setSecret('encryptedClientSecret'); + $client->setSecret('hashedClientSecret'); $this->clientMapper->method('getByUid') ->with(42) ->willReturn($client); $this->crypto ->method('decrypt') - ->with($this->callback(function (string $text) { - return $text === 'encryptedClientSecret' || $text === 'encryptedToken'; - })) - ->willReturnCallback(function (string $text) { - return $text === 'encryptedClientSecret' - ? 'clientSecret' - : ($text === 'encryptedToken' ? 'decryptedToken' : ''); - }); + ->with('encryptedToken') + ->willReturn('decryptedToken'); + + $this->crypto + ->method('calculateHMAC') + ->with('clientSecret') + ->willReturn('hashedClientSecret'); $appToken = new PublicKeyToken(); $appToken->setUid('userId'); diff --git a/apps/oauth2/tests/Controller/SettingsControllerTest.php b/apps/oauth2/tests/Controller/SettingsControllerTest.php index 817747599b7..191ee8de53b 100644 --- a/apps/oauth2/tests/Controller/SettingsControllerTest.php +++ b/apps/oauth2/tests/Controller/SettingsControllerTest.php @@ -103,13 +103,13 @@ class SettingsControllerTest extends TestCase { $this->crypto ->expects($this->once()) - ->method('encrypt') - ->willReturn('MyEncryptedSecret'); + ->method('calculateHMAC') + ->willReturn('MyHashedSecret'); $client = new Client(); $client->setName('My Client Name'); $client->setRedirectUri('https://example.com/'); - $client->setSecret('MySecret'); + $client->setSecret('MyHashedSecret'); $client->setClientIdentifier('MyClientIdentifier'); $this->clientMapper @@ -118,7 +118,7 @@ class SettingsControllerTest extends TestCase { ->with($this->callback(function (Client $c) { return $c->getName() === 'My Client Name' && $c->getRedirectUri() === 'https://example.com/' && - $c->getSecret() === 'MyEncryptedSecret' && + $c->getSecret() === 'MyHashedSecret' && $c->getClientIdentifier() === 'MyClientIdentifier'; }))->willReturnCallback(function (Client $c) { $c->setId(42); @@ -161,7 +161,7 @@ class SettingsControllerTest extends TestCase { $client->setId(123); $client->setName('My Client Name'); $client->setRedirectUri('https://example.com/'); - $client->setSecret('MySecret'); + $client->setSecret('MyHashedSecret'); $client->setClientIdentifier('MyClientIdentifier'); $this->clientMapper diff --git a/apps/oauth2/tests/Settings/AdminTest.php b/apps/oauth2/tests/Settings/AdminTest.php index fb19a9fc6d1..55f8920b202 100644 --- a/apps/oauth2/tests/Settings/AdminTest.php +++ b/apps/oauth2/tests/Settings/AdminTest.php @@ -28,7 +28,6 @@ use OCA\OAuth2\Settings\Admin; use OCP\AppFramework\Http\TemplateResponse; use OCP\AppFramework\Services\IInitialState; use OCP\IURLGenerator; -use OCP\Security\ICrypto; use PHPUnit\Framework\MockObject\MockObject; use Psr\Log\LoggerInterface; use Test\TestCase; @@ -38,7 +37,7 @@ class AdminTest extends TestCase { /** @var Admin|MockObject */ private $admin; - /** @var IInitialStateService|MockObject */ + /** @var IInitialState|MockObject */ private $initialState; /** @var ClientMapper|MockObject */ @@ -54,7 +53,6 @@ class AdminTest extends TestCase { $this->initialState, $this->clientMapper, $this->createMock(IURLGenerator::class), - $this->createMock(ICrypto::class), $this->createMock(LoggerInterface::class) ); }