PublicKeyTokenProvider - Code Metrics - Inspection of "Merge pull request #25460 from nextcloud/fix/apppa..." - nextcloud/server - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( d0cf4e...7bacd7 )

by Roeland

created 2021-02-10 20:09 UTC

PublicKeyTokenProvider B

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	388
Duplicated Lines	0 %

Importance

Changes

Metric	Value
eloc	182
dl	0
loc	388
rs	7.44
c	0
b	0
f	0
wmc	52

24 Methods

Rating	Name	Size	Complexity
A	invalidateTokenById()	4	1
A	invalidateToken()	4	1
A	logOpensslError()	6	2
A	renewSessionToken()	28	3
A	invalidateOldTokens()	9	1
A	updateToken()	7	2
B	getToken()	28	7
A	generateToken()	14	1
A	__construct()	12	1
A	getTokenById()	21	6
A	markPasswordInvalid()	9	2
A	rotate()	16	2
A	updateTokenActivity()	16	3
A	getPassword()	14	3
A	convertToken()	17	1
A	hashToken()	3	1
A	decrypt()	8	2
A	getTokenByUser()	2	1
A	decryptPassword()	5	1
A	newToken()	48	4
A	setPassword()	16	3
A	encryptPassword()	5	1
A	encrypt()	3	1
A	updatePasswords()	10	2

How to fix Complexity

<?php

declare(strict_types=1);

/**
 * @copyright Copyright 2018, Roeland Jago Douma <[email protected]>
 *
 * @author Christoph Wurst <[email protected]>
 * @author Daniel Kesselberg <[email protected]>
 * @author Joas Schilling <[email protected]>
 * @author Morris Jobke <[email protected]>
 * @author Roeland Jago Douma <[email protected]>
 *
 * @license GNU AGPL version 3 or any later version
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */

namespace OC\Authentication\Token;

use OC\Authentication\Exceptions\ExpiredTokenException;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Exceptions\TokenPasswordExpiredException;
use OC\Authentication\Exceptions\PasswordlessTokenException;
use OC\Authentication\Exceptions\WipeTokenException;
use OC\Cache\CappedMemoryCache;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
use OCP\Security\ICrypto;
use Psr\Log\LoggerInterface;

class PublicKeyTokenProvider implements IProvider {
	/** @var PublicKeyTokenMapper */
	private $mapper;

	/** @var ICrypto */
	private $crypto;

	/** @var IConfig */
	private $config;

	/** @var LoggerInterface */
	private $logger;

	/** @var ITimeFactory */
	private $time;

	/** @var CappedMemoryCache */
	private $cache;

	public function __construct(PublicKeyTokenMapper $mapper,
								ICrypto $crypto,
								IConfig $config,
								LoggerInterface $logger,
								ITimeFactory $time) {
		$this->mapper = $mapper;
		$this->crypto = $crypto;
		$this->config = $config;
		$this->logger = $logger;
		$this->time = $time;

		$this->cache = new CappedMemoryCache();
	}

	/**
	 * {@inheritDoc}
	 */
	public function generateToken(string $token,
								  string $uid,
								  string $loginName,
								  $password,
								  string $name,
								  int $type = IToken::TEMPORARY_TOKEN,
								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
		$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
		$this->mapper->insert($dbToken);

		// Add the token to the cache
		$this->cache[$dbToken->getToken()] = $dbToken;

		return $dbToken;
	}

	public function getToken(string $tokenId): IToken {
		$tokenHash = $this->hashToken($tokenId);

		if (isset($this->cache[$tokenHash])) {
			$token = $this->cache[$tokenHash];
		} else {
			try {
				$token = $this->mapper->getToken($this->hashToken($tokenId));
				$this->cache[$token->getToken()] = $token;
			} catch (DoesNotExistException $ex) {
				throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
			}
		}

		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
			throw new ExpiredTokenException($token);
		}

		if ($token->getType() === IToken::WIPE_TOKEN) {
			throw new WipeTokenException($token);
		}

		if ($token->getPasswordInvalid() === true) {
			//The password is invalid we should throw an TokenPasswordExpiredException
			throw new TokenPasswordExpiredException($token);
		}

		return $token;
	}

	public function getTokenById(int $tokenId): IToken {
		try {
			$token = $this->mapper->getTokenById($tokenId);
		} catch (DoesNotExistException $ex) {
			throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex);
		}

		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
			throw new ExpiredTokenException($token);
		}

		if ($token->getType() === IToken::WIPE_TOKEN) {
			throw new WipeTokenException($token);
		}

		if ($token->getPasswordInvalid() === true) {
			//The password is invalid we should throw an TokenPasswordExpiredException
			throw new TokenPasswordExpiredException($token);
		}

		return $token;
	}

	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
		$this->cache->clear();

		$token = $this->getToken($oldSessionId);

		if (!($token instanceof PublicKeyToken)) {

			throw new InvalidTokenException("Invalid token type");
		}

		$password = null;
		if (!is_null($token->getPassword())) {
			$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
			$password = $this->decryptPassword($token->getPassword(), $privateKey);
		}

		$newToken = $this->generateToken(
			$sessionId,
			$token->getUID(),
			$token->getLoginName(),
			$password,
			$token->getName(),
			IToken::TEMPORARY_TOKEN,
			$token->getRemember()
		);

		$this->mapper->delete($token);

		return $newToken;
	}

	public function invalidateToken(string $token) {
		$this->cache->clear();

		$this->mapper->invalidate($this->hashToken($token));
	}

	public function invalidateTokenById(string $uid, int $id) {
		$this->cache->clear();

		$this->mapper->deleteById($uid, $id);
	}

	public function invalidateOldTokens() {
		$this->cache->clear();

		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
	}

	public function updateToken(IToken $token) {
		$this->cache->clear();

		if (!($token instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}
		$this->mapper->update($token);
	}

	public function updateTokenActivity(IToken $token) {
		$this->cache->clear();

		if (!($token instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		$activityInterval = $this->config->getSystemValueInt('token_auth_activity_update', 60);
		$activityInterval = min(max($activityInterval, 0), 300);

		/** @var PublicKeyToken $token */
		$now = $this->time->getTime();
		if ($token->getLastActivity() < ($now - $activityInterval)) {
			// Update token only once per minute
			$token->setLastActivity($now);
			$this->mapper->update($token);
		}
	}

	public function getTokenByUser(string $uid): array {
		return $this->mapper->getTokenByUser($uid);
	}

	public function getPassword(IToken $savedToken, string $tokenId): string {
		if (!($savedToken instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		if ($savedToken->getPassword() === null) {
			throw new PasswordlessTokenException();
		}

		// Decrypt private key with tokenId
		$privateKey = $this->decrypt($savedToken->getPrivateKey(), $tokenId);

		// Decrypt password with private key
		return $this->decryptPassword($savedToken->getPassword(), $privateKey);
	}

	public function setPassword(IToken $token, string $tokenId, string $password) {
		$this->cache->clear();

		if (!($token instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		// When changing passwords all temp tokens are deleted
		$this->mapper->deleteTempToken($token);

		// Update the password for all tokens
		$tokens = $this->mapper->getTokenByUser($token->getUID());
		foreach ($tokens as $t) {
			$publicKey = $t->getPublicKey();
			$t->setPassword($this->encryptPassword($password, $publicKey));
			$this->updateToken($t);
		}
	}

	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
		$this->cache->clear();

		if (!($token instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		// Decrypt private key with oldTokenId
		$privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
		// Encrypt with the new token
		$token->setPrivateKey($this->encrypt($privateKey, $newTokenId));

		$token->setToken($this->hashToken($newTokenId));
		$this->updateToken($token);

		return $token;
	}

	private function encrypt(string $plaintext, string $token): string {
		$secret = $this->config->getSystemValue('secret');
		return $this->crypto->encrypt($plaintext, $token . $secret);
	}

	/**
	 * @throws InvalidTokenException
	 */
	private function decrypt(string $cipherText, string $token): string {
		$secret = $this->config->getSystemValue('secret');
		try {
			return $this->crypto->decrypt($cipherText, $token . $secret);
		} catch (\Exception $ex) {
			// Delete the invalid token
			$this->invalidateToken($token);
			throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex);
		}
	}

	private function encryptPassword(string $password, string $publicKey): string {
		openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
		$encryptedPassword = base64_encode($encryptedPassword);

		return $encryptedPassword;
	}

	private function decryptPassword(string $encryptedPassword, string $privateKey): string {
		$encryptedPassword = base64_decode($encryptedPassword);
		openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);

		return $password;
	}

	private function hashToken(string $token): string {
		$secret = $this->config->getSystemValue('secret');
		return hash('sha512', $token . $secret);
	}

	/**
	 * Convert a DefaultToken to a publicKeyToken
	 * This will also be updated directly in the Database
	 * @throws \RuntimeException when OpenSSL reports a problem
	 */
	public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken {
		$this->cache->clear();

		$pkToken = $this->newToken(
			$token,
			$defaultToken->getUID(),
			$defaultToken->getLoginName(),
			$password,
			$defaultToken->getName(),
			$defaultToken->getType(),
			$defaultToken->getRemember()
		);

		$pkToken->setExpires($defaultToken->getExpires());
		$pkToken->setId($defaultToken->getId());

		return $this->mapper->update($pkToken);
	}

	/**
	 * @throws \RuntimeException when OpenSSL reports a problem
	 */
	private function newToken(string $token,
							  string $uid,
							  string $loginName,
							  $password,
							  string $name,
							  int $type,
							  int $remember): PublicKeyToken {
		$dbToken = new PublicKeyToken();
		$dbToken->setUid($uid);
		$dbToken->setLoginName($loginName);

		$config = array_merge([
			'digest_alg' => 'sha512',
			'private_key_bits' => 2048,
		], $this->config->getSystemValue('openssl', []));

		// Generate new key
		$res = openssl_pkey_new($config);
		if ($res === false) {
			$this->logOpensslError();
			throw new \RuntimeException('OpenSSL reported a problem');
		}

		if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
			$this->logOpensslError();
			throw new \RuntimeException('OpenSSL reported a problem');
		}

		// Extract the public key from $res to $pubKey
		$publicKey = openssl_pkey_get_details($res);
		$publicKey = $publicKey['key'];

		$dbToken->setPublicKey($publicKey);
		$dbToken->setPrivateKey($this->encrypt($privateKey, $token));

		if (!is_null($password)) {
			$dbToken->setPassword($this->encryptPassword($password, $publicKey));
		}

		$dbToken->setName($name);
		$dbToken->setToken($this->hashToken($token));
		$dbToken->setType($type);
		$dbToken->setRemember($remember);
		$dbToken->setLastActivity($this->time->getTime());
		$dbToken->setLastCheck($this->time->getTime());
		$dbToken->setVersion(PublicKeyToken::VERSION);

		return $dbToken;
	}

	public function markPasswordInvalid(IToken $token, string $tokenId) {
		$this->cache->clear();

		if (!($token instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		$token->setPasswordInvalid(true);
		$this->mapper->update($token);
	}

	public function updatePasswords(string $uid, string $password) {
		$this->cache->clear();

		// Update the password for all tokens
		$tokens = $this->mapper->getTokenByUser($uid);
		foreach ($tokens as $t) {
			$publicKey = $t->getPublicKey();
			$t->setPassword($this->encryptPassword($password, $publicKey));
			$t->setPasswordInvalid(false);
			$this->updateToken($t);
		}
	}

	private function logOpensslError() {
		$errors = [];
		while ($error = openssl_error_string()) {
			$errors[] = $error;
		}
		$this->logger->critical('Something is wrong with your openssl setup: ' . implode(', ', $errors));
	}
}


1			<?php
2
3			declare(strict_types=1);
4
5			/**
6			* @copyright Copyright 2018, Roeland Jago Douma <[email protected]>
7			*
8			* @author Christoph Wurst <[email protected]>
9			* @author Daniel Kesselberg <[email protected]>
10			* @author Joas Schilling <[email protected]>
11			* @author Morris Jobke <[email protected]>
12			* @author Roeland Jago Douma <[email protected]>
13			*
14			* @license GNU AGPL version 3 or any later version
15			*
16			* This program is free software: you can redistribute it and/or modify
17			* it under the terms of the GNU Affero General Public License as
18			* published by the Free Software Foundation, either version 3 of the
19			* License, or (at your option) any later version.
20			*
21			* This program is distributed in the hope that it will be useful,
22			* but WITHOUT ANY WARRANTY; without even the implied warranty of
23			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24			* GNU Affero General Public License for more details.
25			*
26			* You should have received a copy of the GNU Affero General Public License
27			* along with this program. If not, see <http://www.gnu.org/licenses/>.
28			*
29			*/
30
31			namespace OC\Authentication\Token;
32
33			use OC\Authentication\Exceptions\ExpiredTokenException;
34			use OC\Authentication\Exceptions\InvalidTokenException;
35			use OC\Authentication\Exceptions\TokenPasswordExpiredException;
36			use OC\Authentication\Exceptions\PasswordlessTokenException;
37			use OC\Authentication\Exceptions\WipeTokenException;
38			use OC\Cache\CappedMemoryCache;
39			use OCP\AppFramework\Db\DoesNotExistException;
40			use OCP\AppFramework\Utility\ITimeFactory;
41			use OCP\IConfig;
42			use OCP\Security\ICrypto;
43			use Psr\Log\LoggerInterface;
44
45			class PublicKeyTokenProvider implements IProvider {
46			/** @var PublicKeyTokenMapper */
47			private $mapper;
48
49			/** @var ICrypto */
50			private $crypto;
51
52			/** @var IConfig */
53			private $config;
54
55			/** @var LoggerInterface */
56			private $logger;
57
58			/** @var ITimeFactory */
59			private $time;
60
61			/** @var CappedMemoryCache */
62			private $cache;
63
64			public function __construct(PublicKeyTokenMapper $mapper,
65			ICrypto $crypto,
66			IConfig $config,
67			LoggerInterface $logger,
68			ITimeFactory $time) {
69			$this->mapper = $mapper;
70			$this->crypto = $crypto;
71			$this->config = $config;
72			$this->logger = $logger;
73			$this->time = $time;
74
75			$this->cache = new CappedMemoryCache();
76			}
77
78			/**
79			* {@inheritDoc}
80			*/
81			public function generateToken(string $token,
82			string $uid,
83			string $loginName,
84			$password,
85			string $name,
86			int $type = IToken::TEMPORARY_TOKEN,
87			int $remember = IToken::DO_NOT_REMEMBER): IToken {
88			$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
89			$this->mapper->insert($dbToken);
90
91			// Add the token to the cache
92			$this->cache[$dbToken->getToken()] = $dbToken;
93
94			return $dbToken;
95			}
96
97			public function getToken(string $tokenId): IToken {
98			$tokenHash = $this->hashToken($tokenId);
99
100			if (isset($this->cache[$tokenHash])) {
101			$token = $this->cache[$tokenHash];
102			} else {
103			try {
104			$token = $this->mapper->getToken($this->hashToken($tokenId));
105			$this->cache[$token->getToken()] = $token;
106			} catch (DoesNotExistException $ex) {
107			throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
108			}
109			}
110
111			if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
112			throw new ExpiredTokenException($token);
113			}
114
115			if ($token->getType() === IToken::WIPE_TOKEN) {
116			throw new WipeTokenException($token);
117			}
118
119			if ($token->getPasswordInvalid() === true) {
120			//The password is invalid we should throw an TokenPasswordExpiredException
121			throw new TokenPasswordExpiredException($token);
122			}
123
124			return $token;
125			}
126
127			public function getTokenById(int $tokenId): IToken {
128			try {
129			$token = $this->mapper->getTokenById($tokenId);
130			} catch (DoesNotExistException $ex) {
131			throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex);
132			}
133
134			if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
135			throw new ExpiredTokenException($token);
136			}
137
138			if ($token->getType() === IToken::WIPE_TOKEN) {
139			throw new WipeTokenException($token);
140			}
141
142			if ($token->getPasswordInvalid() === true) {
143			//The password is invalid we should throw an TokenPasswordExpiredException
144			throw new TokenPasswordExpiredException($token);
145			}
146
147			return $token;
148			}
149
150			public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
151			$this->cache->clear();
152
153			$token = $this->getToken($oldSessionId);
154
155			if (!($token instanceof PublicKeyToken)) {
			0 ignored issues – show introduced 2018-10-24 12:40 UTC by Report Bug Copy Issue Report `$token` is always a sub-type of `OC\Authentication\Token\PublicKeyToken`. Loading history...
156			throw new InvalidTokenException("Invalid token type");
157			}
158
159			$password = null;
160			if (!is_null($token->getPassword())) {
161			$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
162			$password = $this->decryptPassword($token->getPassword(), $privateKey);
163			}
164
165			$newToken = $this->generateToken(
166			$sessionId,
167			$token->getUID(),
168			$token->getLoginName(),
169			$password,
170			$token->getName(),
171			IToken::TEMPORARY_TOKEN,
172			$token->getRemember()
173			);
174
175			$this->mapper->delete($token);
176
177			return $newToken;
178			}
179
180			public function invalidateToken(string $token) {
181			$this->cache->clear();
182
183			$this->mapper->invalidate($this->hashToken($token));
184			}
185
186			public function invalidateTokenById(string $uid, int $id) {
187			$this->cache->clear();
188
189			$this->mapper->deleteById($uid, $id);
190			}
191
192			public function invalidateOldTokens() {
193			$this->cache->clear();
194
195			$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
196			$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
197			$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
198			$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
199			$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
200			$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
201			}
202
203			public function updateToken(IToken $token) {
204			$this->cache->clear();
205
206			if (!($token instanceof PublicKeyToken)) {
207			throw new InvalidTokenException("Invalid token type");
208			}
209			$this->mapper->update($token);
210			}
211
212			public function updateTokenActivity(IToken $token) {
213			$this->cache->clear();
214
215			if (!($token instanceof PublicKeyToken)) {
216			throw new InvalidTokenException("Invalid token type");
217			}
218
219			$activityInterval = $this->config->getSystemValueInt('token_auth_activity_update', 60);
220			$activityInterval = min(max($activityInterval, 0), 300);
221
222			/** @var PublicKeyToken $token */
223			$now = $this->time->getTime();
224			if ($token->getLastActivity() < ($now - $activityInterval)) {
225			// Update token only once per minute
226			$token->setLastActivity($now);
227			$this->mapper->update($token);
228			}
229			}
230
231			public function getTokenByUser(string $uid): array {
232			return $this->mapper->getTokenByUser($uid);
233			}
234
235			public function getPassword(IToken $savedToken, string $tokenId): string {
236			if (!($savedToken instanceof PublicKeyToken)) {
237			throw new InvalidTokenException("Invalid token type");
238			}
239
240			if ($savedToken->getPassword() === null) {
241			throw new PasswordlessTokenException();
242			}
243
244			// Decrypt private key with tokenId
245			$privateKey = $this->decrypt($savedToken->getPrivateKey(), $tokenId);
246
247			// Decrypt password with private key
248			return $this->decryptPassword($savedToken->getPassword(), $privateKey);
249			}
250
251			public function setPassword(IToken $token, string $tokenId, string $password) {
252			$this->cache->clear();
253
254			if (!($token instanceof PublicKeyToken)) {
255			throw new InvalidTokenException("Invalid token type");
256			}
257
258			// When changing passwords all temp tokens are deleted
259			$this->mapper->deleteTempToken($token);
260
261			// Update the password for all tokens
262			$tokens = $this->mapper->getTokenByUser($token->getUID());
263			foreach ($tokens as $t) {
264			$publicKey = $t->getPublicKey();
265			$t->setPassword($this->encryptPassword($password, $publicKey));
266			$this->updateToken($t);
267			}
268			}
269
270			public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
271			$this->cache->clear();
272
273			if (!($token instanceof PublicKeyToken)) {
274			throw new InvalidTokenException("Invalid token type");
275			}
276
277			// Decrypt private key with oldTokenId
278			$privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
279			// Encrypt with the new token
280			$token->setPrivateKey($this->encrypt($privateKey, $newTokenId));
281
282			$token->setToken($this->hashToken($newTokenId));
283			$this->updateToken($token);
284
285			return $token;
286			}
287
288			private function encrypt(string $plaintext, string $token): string {
289			$secret = $this->config->getSystemValue('secret');
290			return $this->crypto->encrypt($plaintext, $token . $secret);
291			}
292
293			/**
294			* @throws InvalidTokenException
295			*/
296			private function decrypt(string $cipherText, string $token): string {
297			$secret = $this->config->getSystemValue('secret');
298			try {
299			return $this->crypto->decrypt($cipherText, $token . $secret);
300			} catch (\Exception $ex) {
301			// Delete the invalid token
302			$this->invalidateToken($token);
303			throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex);
304			}
305			}
306
307			private function encryptPassword(string $password, string $publicKey): string {
308			openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
309			$encryptedPassword = base64_encode($encryptedPassword);
310
311			return $encryptedPassword;
312			}
313
314			private function decryptPassword(string $encryptedPassword, string $privateKey): string {
315			$encryptedPassword = base64_decode($encryptedPassword);
316			openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
317
318			return $password;
319			}
320
321			private function hashToken(string $token): string {
322			$secret = $this->config->getSystemValue('secret');
323			return hash('sha512', $token . $secret);
324			}
325
326			/**
327			* Convert a DefaultToken to a publicKeyToken
328			* This will also be updated directly in the Database
329			* @throws \RuntimeException when OpenSSL reports a problem
330			*/
331			public function convertToken(DefaultToken $defaultToken, string $token, $password): PublicKeyToken {
332			$this->cache->clear();
333
334			$pkToken = $this->newToken(
335			$token,
336			$defaultToken->getUID(),
337			$defaultToken->getLoginName(),
338			$password,
339			$defaultToken->getName(),
340			$defaultToken->getType(),
341			$defaultToken->getRemember()
342			);
343
344			$pkToken->setExpires($defaultToken->getExpires());
345			$pkToken->setId($defaultToken->getId());
346
347			return $this->mapper->update($pkToken);
348			}
349
350			/**
351			* @throws \RuntimeException when OpenSSL reports a problem
352			*/
353			private function newToken(string $token,
354			string $uid,
355			string $loginName,
356			$password,
357			string $name,
358			int $type,
359			int $remember): PublicKeyToken {
360			$dbToken = new PublicKeyToken();
361			$dbToken->setUid($uid);
362			$dbToken->setLoginName($loginName);
363
364			$config = array_merge([
365			'digest_alg' => 'sha512',
366			'private_key_bits' => 2048,
367			], $this->config->getSystemValue('openssl', []));
368
369			// Generate new key
370			$res = openssl_pkey_new($config);
371			if ($res === false) {
372			$this->logOpensslError();
373			throw new \RuntimeException('OpenSSL reported a problem');
374			}
375
376			if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
377			$this->logOpensslError();
378			throw new \RuntimeException('OpenSSL reported a problem');
379			}
380
381			// Extract the public key from $res to $pubKey
382			$publicKey = openssl_pkey_get_details($res);
383			$publicKey = $publicKey['key'];
384
385			$dbToken->setPublicKey($publicKey);
386			$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
387
388			if (!is_null($password)) {
389			$dbToken->setPassword($this->encryptPassword($password, $publicKey));
390			}
391
392			$dbToken->setName($name);
393			$dbToken->setToken($this->hashToken($token));
394			$dbToken->setType($type);
395			$dbToken->setRemember($remember);
396			$dbToken->setLastActivity($this->time->getTime());
397			$dbToken->setLastCheck($this->time->getTime());
398			$dbToken->setVersion(PublicKeyToken::VERSION);
399
400			return $dbToken;
401			}
402
403			public function markPasswordInvalid(IToken $token, string $tokenId) {
404			$this->cache->clear();
405
406			if (!($token instanceof PublicKeyToken)) {
407			throw new InvalidTokenException("Invalid token type");
408			}
409
410			$token->setPasswordInvalid(true);
411			$this->mapper->update($token);
412			}
413
414			public function updatePasswords(string $uid, string $password) {
415			$this->cache->clear();
416
417			// Update the password for all tokens
418			$tokens = $this->mapper->getTokenByUser($uid);
419			foreach ($tokens as $t) {
420			$publicKey = $t->getPublicKey();
421			$t->setPassword($this->encryptPassword($password, $publicKey));
422			$t->setPasswordInvalid(false);
423			$this->updateToken($t);
424			}
425			}
426
427			private function logOpensslError() {
428			$errors = [];
429			while ($error = openssl_error_string()) {
430			$errors[] = $error;
431			}
432			$this->logger->critical('Something is wrong with your openssl setup: ' . implode(', ', $errors));
433			}
434			}
435

nextcloud / server

Push — master ( d0cf4e...7bacd7 )

PublicKeyTokenProvider B

Complexity

Size/Duplication

Importance

24 Methods

How to fix Complexity

Complex Class

Duplication Side-by-Side

Filter issues like