PublicKeyTokenProvider - Code Metrics - Inspection of "Merge pull request #31217 from nextcloud/bugfix/no..." - nextcloud/server - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( d72133...87115d )

by Joas

created 2022-02-21 10:51 UTC

PublicKeyTokenProvider C

↳ Parent: Project

Complexity

Total Complexity

Size/Duplication

Total Lines	373
Duplicated Lines	0 %

Importance

Changes	1
Bugs	0	Features	0

Metric	Value
eloc	176
c	1
b	0
f	0
dl	0
loc	373
rs	6.96
wmc	53

23 Methods

Rating	Name	Size	Complexity
A	generateToken()	14	1
A	__construct()	12	1
A	markPasswordInvalid()	9	2
A	invalidateTokenById()	4	1
A	rotate()	16	2
A	invalidateToken()	4	1
A	getPassword()	14	3
A	updateTokenActivity()	15	3
A	updatePasswords()	15	3
A	hashToken()	3	1
A	decrypt()	8	2
A	logOpensslError()	6	2
A	renewSessionToken()	28	3
A	invalidateOldTokens()	9	1
A	getTokenByUser()	2	1
A	updateToken()	7	2
A	decryptPassword()	5	1
A	newToken()	48	4
B	getToken()	33	8
A	setPassword()	16	3
A	encryptPassword()	5	1
A	getTokenById()	21	6
A	encrypt()	3	1

How to fix Complexity

<?php

declare(strict_types=1);

/**
 * @copyright Copyright 2018, Roeland Jago Douma <[email protected]>
 *
 * @author Christoph Wurst <[email protected]>
 * @author Daniel Kesselberg <[email protected]>
 * @author Joas Schilling <[email protected]>
 * @author Morris Jobke <[email protected]>
 * @author Roeland Jago Douma <[email protected]>
 *
 * @license GNU AGPL version 3 or any later version
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>.
 *
 */
namespace OC\Authentication\Token;

use OC\Authentication\Exceptions\ExpiredTokenException;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Exceptions\TokenPasswordExpiredException;
use OC\Authentication\Exceptions\PasswordlessTokenException;
use OC\Authentication\Exceptions\WipeTokenException;
use OC\Cache\CappedMemoryCache;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
use OCP\Security\ICrypto;
use Psr\Log\LoggerInterface;

class PublicKeyTokenProvider implements IProvider {
	/** @var PublicKeyTokenMapper */
	private $mapper;

	/** @var ICrypto */
	private $crypto;

	/** @var IConfig */
	private $config;

	/** @var LoggerInterface */
	private $logger;

	/** @var ITimeFactory */
	private $time;

	/** @var CappedMemoryCache */
	private $cache;

	public function __construct(PublicKeyTokenMapper $mapper,
								ICrypto $crypto,
								IConfig $config,
								LoggerInterface $logger,
								ITimeFactory $time) {
		$this->mapper = $mapper;
		$this->crypto = $crypto;
		$this->config = $config;
		$this->logger = $logger;
		$this->time = $time;

		$this->cache = new CappedMemoryCache();
	}

	/**
	 * {@inheritDoc}
	 */
	public function generateToken(string $token,
								  string $uid,
								  string $loginName,
								  ?string $password,
								  string $name,
								  int $type = IToken::TEMPORARY_TOKEN,
								  int $remember = IToken::DO_NOT_REMEMBER): IToken {
		$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
		$this->mapper->insert($dbToken);

		// Add the token to the cache
		$this->cache[$dbToken->getToken()] = $dbToken;

		return $dbToken;
	}

	public function getToken(string $tokenId): IToken {
		$tokenHash = $this->hashToken($tokenId);

		if (isset($this->cache[$tokenHash])) {
			if ($this->cache[$tokenHash] instanceof DoesNotExistException) {
				$ex = $this->cache[$tokenHash];
				throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
			}
			$token = $this->cache[$tokenHash];
		} else {
			try {
				$token = $this->mapper->getToken($this->hashToken($tokenId));
				$this->cache[$token->getToken()] = $token;
			} catch (DoesNotExistException $ex) {
				$this->cache[$tokenHash] = $ex;
				throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
			}
		}

		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
			throw new ExpiredTokenException($token);
		}

		if ($token->getType() === IToken::WIPE_TOKEN) {
			throw new WipeTokenException($token);
		}

		if ($token->getPasswordInvalid() === true) {
			//The password is invalid we should throw an TokenPasswordExpiredException
			throw new TokenPasswordExpiredException($token);
		}

		return $token;
	}

	public function getTokenById(int $tokenId): IToken {
		try {
			$token = $this->mapper->getTokenById($tokenId);
		} catch (DoesNotExistException $ex) {
			throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex);
		}

		if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
			throw new ExpiredTokenException($token);
		}

		if ($token->getType() === IToken::WIPE_TOKEN) {
			throw new WipeTokenException($token);
		}

		if ($token->getPasswordInvalid() === true) {
			//The password is invalid we should throw an TokenPasswordExpiredException
			throw new TokenPasswordExpiredException($token);
		}

		return $token;
	}

	public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
		$this->cache->clear();

		$token = $this->getToken($oldSessionId);

		if (!($token instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		$password = null;
		if (!is_null($token->getPassword())) {
			$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
			$password = $this->decryptPassword($token->getPassword(), $privateKey);
		}

		$newToken = $this->generateToken(
			$sessionId,
			$token->getUID(),
			$token->getLoginName(),
			$password,
			$token->getName(),
			IToken::TEMPORARY_TOKEN,
			$token->getRemember()
		);

		$this->mapper->delete($token);

		return $newToken;
	}

	public function invalidateToken(string $token) {
		$this->cache->clear();

		$this->mapper->invalidate($this->hashToken($token));
	}

	public function invalidateTokenById(string $uid, int $id) {
		$this->cache->clear();

		$this->mapper->deleteById($uid, $id);
	}

	public function invalidateOldTokens() {
		$this->cache->clear();

		$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
		$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
		$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
		$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
		$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
		$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
	}

	public function updateToken(IToken $token) {
		$this->cache->clear();

		if (!($token instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}
		$this->mapper->update($token);
	}

	public function updateTokenActivity(IToken $token) {
		$this->cache->clear();

		if (!($token instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		$activityInterval = $this->config->getSystemValueInt('token_auth_activity_update', 60);
		$activityInterval = min(max($activityInterval, 0), 300);

		/** @var PublicKeyToken $token */
		$now = $this->time->getTime();
		if ($token->getLastActivity() < ($now - $activityInterval)) {
			$token->setLastActivity($now);
			$this->mapper->updateActivity($token, $now);
		}
	}

	public function getTokenByUser(string $uid): array {
		return $this->mapper->getTokenByUser($uid);
	}

	public function getPassword(IToken $savedToken, string $tokenId): string {
		if (!($savedToken instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		if ($savedToken->getPassword() === null) {
			throw new PasswordlessTokenException();
		}

		// Decrypt private key with tokenId
		$privateKey = $this->decrypt($savedToken->getPrivateKey(), $tokenId);

		// Decrypt password with private key
		return $this->decryptPassword($savedToken->getPassword(), $privateKey);
	}

	public function setPassword(IToken $token, string $tokenId, string $password) {
		$this->cache->clear();

		if (!($token instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		// When changing passwords all temp tokens are deleted
		$this->mapper->deleteTempToken($token);

		// Update the password for all tokens
		$tokens = $this->mapper->getTokenByUser($token->getUID());
		foreach ($tokens as $t) {
			$publicKey = $t->getPublicKey();
			$t->setPassword($this->encryptPassword($password, $publicKey));
			$this->updateToken($t);
		}
	}

	public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
		$this->cache->clear();

		if (!($token instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		// Decrypt private key with oldTokenId
		$privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
		// Encrypt with the new token
		$token->setPrivateKey($this->encrypt($privateKey, $newTokenId));

		$token->setToken($this->hashToken($newTokenId));
		$this->updateToken($token);

		return $token;
	}

	private function encrypt(string $plaintext, string $token): string {
		$secret = $this->config->getSystemValue('secret');
		return $this->crypto->encrypt($plaintext, $token . $secret);
	}

	/**
	 * @throws InvalidTokenException
	 */
	private function decrypt(string $cipherText, string $token): string {
		$secret = $this->config->getSystemValue('secret');
		try {
			return $this->crypto->decrypt($cipherText, $token . $secret);
		} catch (\Exception $ex) {
			// Delete the invalid token
			$this->invalidateToken($token);
			throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex);
		}
	}

	private function encryptPassword(string $password, string $publicKey): string {
		openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
		$encryptedPassword = base64_encode($encryptedPassword);

		return $encryptedPassword;
	}

	private function decryptPassword(string $encryptedPassword, string $privateKey): string {
		$encryptedPassword = base64_decode($encryptedPassword);
		openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);

		return $password;
	}

	private function hashToken(string $token): string {
		$secret = $this->config->getSystemValue('secret');
		return hash('sha512', $token . $secret);
	}

	/**
	 * @throws \RuntimeException when OpenSSL reports a problem
	 */
	private function newToken(string $token,
							  string $uid,
							  string $loginName,
							  $password,
							  string $name,
							  int $type,
							  int $remember): PublicKeyToken {
		$dbToken = new PublicKeyToken();
		$dbToken->setUid($uid);
		$dbToken->setLoginName($loginName);

		$config = array_merge([
			'digest_alg' => 'sha512',
			'private_key_bits' => 2048,
		], $this->config->getSystemValue('openssl', []));

		// Generate new key
		$res = openssl_pkey_new($config);
		if ($res === false) {
			$this->logOpensslError();
			throw new \RuntimeException('OpenSSL reported a problem');
		}

		if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
			$this->logOpensslError();
			throw new \RuntimeException('OpenSSL reported a problem');
		}

		// Extract the public key from $res to $pubKey
		$publicKey = openssl_pkey_get_details($res);
		$publicKey = $publicKey['key'];

		$dbToken->setPublicKey($publicKey);
		$dbToken->setPrivateKey($this->encrypt($privateKey, $token));

		if (!is_null($password)) {
			$dbToken->setPassword($this->encryptPassword($password, $publicKey));
		}

		$dbToken->setName($name);
		$dbToken->setToken($this->hashToken($token));
		$dbToken->setType($type);
		$dbToken->setRemember($remember);
		$dbToken->setLastActivity($this->time->getTime());
		$dbToken->setLastCheck($this->time->getTime());
		$dbToken->setVersion(PublicKeyToken::VERSION);

		return $dbToken;
	}

	public function markPasswordInvalid(IToken $token, string $tokenId) {
		$this->cache->clear();

		if (!($token instanceof PublicKeyToken)) {
			throw new InvalidTokenException("Invalid token type");
		}

		$token->setPasswordInvalid(true);
		$this->mapper->update($token);
	}

	public function updatePasswords(string $uid, string $password) {
		$this->cache->clear();

		// prevent setting an empty pw as result of pw-less-login
		if ($password === '') {
			return;
		}

		// Update the password for all tokens
		$tokens = $this->mapper->getTokenByUser($uid);
		foreach ($tokens as $t) {
			$publicKey = $t->getPublicKey();
			$t->setPassword($this->encryptPassword($password, $publicKey));
			$t->setPasswordInvalid(false);
			$this->updateToken($t);
		}
	}

	private function logOpensslError() {
		$errors = [];
		while ($error = openssl_error_string()) {
			$errors[] = $error;
		}
		$this->logger->critical('Something is wrong with your openssl setup: ' . implode(', ', $errors));
	}
}


1			<?php
2
3			declare(strict_types=1);
4
5			/**
6			* @copyright Copyright 2018, Roeland Jago Douma <[email protected]>
7			*
8			* @author Christoph Wurst <[email protected]>
9			* @author Daniel Kesselberg <[email protected]>
10			* @author Joas Schilling <[email protected]>
11			* @author Morris Jobke <[email protected]>
12			* @author Roeland Jago Douma <[email protected]>
13			*
14			* @license GNU AGPL version 3 or any later version
15			*
16			* This program is free software: you can redistribute it and/or modify
17			* it under the terms of the GNU Affero General Public License as
18			* published by the Free Software Foundation, either version 3 of the
19			* License, or (at your option) any later version.
20			*
21			* This program is distributed in the hope that it will be useful,
22			* but WITHOUT ANY WARRANTY; without even the implied warranty of
23			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24			* GNU Affero General Public License for more details.
25			*
26			* You should have received a copy of the GNU Affero General Public License
27			* along with this program. If not, see <http://www.gnu.org/licenses/>.
28			*
29			*/
30			namespace OC\Authentication\Token;
31
32			use OC\Authentication\Exceptions\ExpiredTokenException;
33			use OC\Authentication\Exceptions\InvalidTokenException;
34			use OC\Authentication\Exceptions\TokenPasswordExpiredException;
35			use OC\Authentication\Exceptions\PasswordlessTokenException;
36			use OC\Authentication\Exceptions\WipeTokenException;
37			use OC\Cache\CappedMemoryCache;
38			use OCP\AppFramework\Db\DoesNotExistException;
39			use OCP\AppFramework\Utility\ITimeFactory;
40			use OCP\IConfig;
41			use OCP\Security\ICrypto;
42			use Psr\Log\LoggerInterface;
43
44			class PublicKeyTokenProvider implements IProvider {
45			/** @var PublicKeyTokenMapper */
46			private $mapper;
47
48			/** @var ICrypto */
49			private $crypto;
50
51			/** @var IConfig */
52			private $config;
53
54			/** @var LoggerInterface */
55			private $logger;
56
57			/** @var ITimeFactory */
58			private $time;
59
60			/** @var CappedMemoryCache */
61			private $cache;
62
63			public function __construct(PublicKeyTokenMapper $mapper,
64			ICrypto $crypto,
65			IConfig $config,
66			LoggerInterface $logger,
67			ITimeFactory $time) {
68			$this->mapper = $mapper;
69			$this->crypto = $crypto;
70			$this->config = $config;
71			$this->logger = $logger;
72			$this->time = $time;
73
74			$this->cache = new CappedMemoryCache();
75			}
76
77			/**
78			* {@inheritDoc}
79			*/
80			public function generateToken(string $token,
81			string $uid,
82			string $loginName,
83			?string $password,
84			string $name,
85			int $type = IToken::TEMPORARY_TOKEN,
86			int $remember = IToken::DO_NOT_REMEMBER): IToken {
87			$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
88			$this->mapper->insert($dbToken);
89
90			// Add the token to the cache
91			$this->cache[$dbToken->getToken()] = $dbToken;
92
93			return $dbToken;
94			}
95
96			public function getToken(string $tokenId): IToken {
97			$tokenHash = $this->hashToken($tokenId);
98
99			if (isset($this->cache[$tokenHash])) {
100			if ($this->cache[$tokenHash] instanceof DoesNotExistException) {
101			$ex = $this->cache[$tokenHash];
102			throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
103			}
104			$token = $this->cache[$tokenHash];
105			} else {
106			try {
107			$token = $this->mapper->getToken($this->hashToken($tokenId));
108			$this->cache[$token->getToken()] = $token;
109			} catch (DoesNotExistException $ex) {
110			$this->cache[$tokenHash] = $ex;
111			throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
112			}
113			}
114
115			if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
116			throw new ExpiredTokenException($token);
117			}
118
119			if ($token->getType() === IToken::WIPE_TOKEN) {
120			throw new WipeTokenException($token);
121			}
122
123			if ($token->getPasswordInvalid() === true) {
124			//The password is invalid we should throw an TokenPasswordExpiredException
125			throw new TokenPasswordExpiredException($token);
126			}
127
128			return $token;
129			}
130
131			public function getTokenById(int $tokenId): IToken {
132			try {
133			$token = $this->mapper->getTokenById($tokenId);
134			} catch (DoesNotExistException $ex) {
135			throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex);
136			}
137
138			if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
139			throw new ExpiredTokenException($token);
140			}
141
142			if ($token->getType() === IToken::WIPE_TOKEN) {
143			throw new WipeTokenException($token);
144			}
145
146			if ($token->getPasswordInvalid() === true) {
147			//The password is invalid we should throw an TokenPasswordExpiredException
148			throw new TokenPasswordExpiredException($token);
149			}
150
151			return $token;
152			}
153
154			public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
155			$this->cache->clear();
156
157			$token = $this->getToken($oldSessionId);
158
159			if (!($token instanceof PublicKeyToken)) {
160			throw new InvalidTokenException("Invalid token type");
161			}
162
163			$password = null;
164			if (!is_null($token->getPassword())) {
165			$privateKey = $this->decrypt($token->getPrivateKey(), $oldSessionId);
166			$password = $this->decryptPassword($token->getPassword(), $privateKey);
167			}
168
169			$newToken = $this->generateToken(
170			$sessionId,
171			$token->getUID(),
172			$token->getLoginName(),
173			$password,
174			$token->getName(),
175			IToken::TEMPORARY_TOKEN,
176			$token->getRemember()
177			);
178
179			$this->mapper->delete($token);
180
181			return $newToken;
182			}
183
184			public function invalidateToken(string $token) {
185			$this->cache->clear();
186
187			$this->mapper->invalidate($this->hashToken($token));
188			}
189
190			public function invalidateTokenById(string $uid, int $id) {
191			$this->cache->clear();
192
193			$this->mapper->deleteById($uid, $id);
194			}
195
196			public function invalidateOldTokens() {
197			$this->cache->clear();
198
199			$olderThan = $this->time->getTime() - (int) $this->config->getSystemValue('session_lifetime', 60 * 60 * 24);
200			$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
201			$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
202			$rememberThreshold = $this->time->getTime() - (int) $this->config->getSystemValue('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
203			$this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']);
204			$this->mapper->invalidateOld($rememberThreshold, IToken::REMEMBER);
205			}
206
207			public function updateToken(IToken $token) {
208			$this->cache->clear();
209
210			if (!($token instanceof PublicKeyToken)) {
211			throw new InvalidTokenException("Invalid token type");
212			}
213			$this->mapper->update($token);
214			}
215
216			public function updateTokenActivity(IToken $token) {
217			$this->cache->clear();
218
219			if (!($token instanceof PublicKeyToken)) {
220			throw new InvalidTokenException("Invalid token type");
221			}
222
223			$activityInterval = $this->config->getSystemValueInt('token_auth_activity_update', 60);
224			$activityInterval = min(max($activityInterval, 0), 300);
225
226			/** @var PublicKeyToken $token */
227			$now = $this->time->getTime();
228			if ($token->getLastActivity() < ($now - $activityInterval)) {
229			$token->setLastActivity($now);
230			$this->mapper->updateActivity($token, $now);
231			}
232			}
233
234			public function getTokenByUser(string $uid): array {
235			return $this->mapper->getTokenByUser($uid);
236			}
237
238			public function getPassword(IToken $savedToken, string $tokenId): string {
239			if (!($savedToken instanceof PublicKeyToken)) {
240			throw new InvalidTokenException("Invalid token type");
241			}
242
243			if ($savedToken->getPassword() === null) {
244			throw new PasswordlessTokenException();
245			}
246
247			// Decrypt private key with tokenId
248			$privateKey = $this->decrypt($savedToken->getPrivateKey(), $tokenId);
249
250			// Decrypt password with private key
251			return $this->decryptPassword($savedToken->getPassword(), $privateKey);
252			}
253
254			public function setPassword(IToken $token, string $tokenId, string $password) {
255			$this->cache->clear();
256
257			if (!($token instanceof PublicKeyToken)) {
258			throw new InvalidTokenException("Invalid token type");
259			}
260
261			// When changing passwords all temp tokens are deleted
262			$this->mapper->deleteTempToken($token);
263
264			// Update the password for all tokens
265			$tokens = $this->mapper->getTokenByUser($token->getUID());
266			foreach ($tokens as $t) {
267			$publicKey = $t->getPublicKey();
268			$t->setPassword($this->encryptPassword($password, $publicKey));
269			$this->updateToken($t);
270			}
271			}
272
273			public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
274			$this->cache->clear();
275
276			if (!($token instanceof PublicKeyToken)) {
277			throw new InvalidTokenException("Invalid token type");
278			}
279
280			// Decrypt private key with oldTokenId
281			$privateKey = $this->decrypt($token->getPrivateKey(), $oldTokenId);
282			// Encrypt with the new token
283			$token->setPrivateKey($this->encrypt($privateKey, $newTokenId));
284
285			$token->setToken($this->hashToken($newTokenId));
286			$this->updateToken($token);
287
288			return $token;
289			}
290
291			private function encrypt(string $plaintext, string $token): string {
292			$secret = $this->config->getSystemValue('secret');
293			return $this->crypto->encrypt($plaintext, $token . $secret);
294			}
295
296			/**
297			* @throws InvalidTokenException
298			*/
299			private function decrypt(string $cipherText, string $token): string {
300			$secret = $this->config->getSystemValue('secret');
301			try {
302			return $this->crypto->decrypt($cipherText, $token . $secret);
303			} catch (\Exception $ex) {
304			// Delete the invalid token
305			$this->invalidateToken($token);
306			throw new InvalidTokenException("Could not decrypt token password: " . $ex->getMessage(), 0, $ex);
307			}
308			}
309
310			private function encryptPassword(string $password, string $publicKey): string {
311			openssl_public_encrypt($password, $encryptedPassword, $publicKey, OPENSSL_PKCS1_OAEP_PADDING);
312			$encryptedPassword = base64_encode($encryptedPassword);
313
314			return $encryptedPassword;
315			}
316
317			private function decryptPassword(string $encryptedPassword, string $privateKey): string {
318			$encryptedPassword = base64_decode($encryptedPassword);
319			openssl_private_decrypt($encryptedPassword, $password, $privateKey, OPENSSL_PKCS1_OAEP_PADDING);
320
321			return $password;
322			}
323
324			private function hashToken(string $token): string {
325			$secret = $this->config->getSystemValue('secret');
326			return hash('sha512', $token . $secret);
327			}
328
329			/**
330			* @throws \RuntimeException when OpenSSL reports a problem
331			*/
332			private function newToken(string $token,
333			string $uid,
334			string $loginName,
335			$password,
336			string $name,
337			int $type,
338			int $remember): PublicKeyToken {
339			$dbToken = new PublicKeyToken();
340			$dbToken->setUid($uid);
341			$dbToken->setLoginName($loginName);
342
343			$config = array_merge([
344			'digest_alg' => 'sha512',
345			'private_key_bits' => 2048,
346			], $this->config->getSystemValue('openssl', []));
347
348			// Generate new key
349			$res = openssl_pkey_new($config);
350			if ($res === false) {
351			$this->logOpensslError();
352			throw new \RuntimeException('OpenSSL reported a problem');
353			}
354
355			if (openssl_pkey_export($res, $privateKey, null, $config) === false) {
356			$this->logOpensslError();
357			throw new \RuntimeException('OpenSSL reported a problem');
358			}
359
360			// Extract the public key from $res to $pubKey
361			$publicKey = openssl_pkey_get_details($res);
362			$publicKey = $publicKey['key'];
363
364			$dbToken->setPublicKey($publicKey);
365			$dbToken->setPrivateKey($this->encrypt($privateKey, $token));
366
367			if (!is_null($password)) {
368			$dbToken->setPassword($this->encryptPassword($password, $publicKey));
369			}
370
371			$dbToken->setName($name);
372			$dbToken->setToken($this->hashToken($token));
373			$dbToken->setType($type);
374			$dbToken->setRemember($remember);
375			$dbToken->setLastActivity($this->time->getTime());
376			$dbToken->setLastCheck($this->time->getTime());
377			$dbToken->setVersion(PublicKeyToken::VERSION);
378
379			return $dbToken;
380			}
381
382			public function markPasswordInvalid(IToken $token, string $tokenId) {
383			$this->cache->clear();
384
385			if (!($token instanceof PublicKeyToken)) {
386			throw new InvalidTokenException("Invalid token type");
387			}
388
389			$token->setPasswordInvalid(true);
390			$this->mapper->update($token);
391			}
392
393			public function updatePasswords(string $uid, string $password) {
394			$this->cache->clear();
395
396			// prevent setting an empty pw as result of pw-less-login
397			if ($password === '') {
398			return;
399			}
400
401			// Update the password for all tokens
402			$tokens = $this->mapper->getTokenByUser($uid);
403			foreach ($tokens as $t) {
404			$publicKey = $t->getPublicKey();
405			$t->setPassword($this->encryptPassword($password, $publicKey));
406			$t->setPasswordInvalid(false);
407			$this->updateToken($t);
408			}
409			}
410
411			private function logOpensslError() {
412			$errors = [];
413			while ($error = openssl_error_string()) {
414			$errors[] = $error;
415			}
416			$this->logger->critical('Something is wrong with your openssl setup: ' . implode(', ', $errors));
417			}
418			}
419

nextcloud / server

Push — master ( d72133...87115d )

PublicKeyTokenProvider C

Complexity

Size/Duplication

Importance

23 Methods

How to fix Complexity

Complex Class

Duplication Side-by-Side

Filter issues like