  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright Copyright 2018, Roeland Jago Douma <roeland@famdouma.nl>
  5. *
  6. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  7. * @author Morris Jobke <hey@morrisjobke.de>
  8. * @author Roeland Jago Douma <roeland@famdouma.nl>
  9. *
  10. * @license GNU AGPL version 3 or any later version
  11. *
  12. * This program is free software: you can redistribute it and/or modify
  13. * it under the terms of the GNU Affero General Public License as
  14. * published by the Free Software Foundation, either version 3 of the
  15. * License, or (at your option) any later version.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  24. *
  25. */
  26. namespace OC\Authentication\Token;
  27. use Doctrine\DBAL\Exception\UniqueConstraintViolationException;
  28. use OC\Authentication\Exceptions\ExpiredTokenException;
  29. use OC\Authentication\Exceptions\InvalidTokenException;
  30. use OC\Authentication\Exceptions\PasswordlessTokenException;
  31. use OC\Authentication\Exceptions\WipeTokenException;
  32. use OCP\Authentication\Token\IProvider as OCPIProvider;
  33. class Manager implements IProvider, OCPIProvider {
  34. /** @var PublicKeyTokenProvider */
  35. private $publicKeyTokenProvider;
  36. public function __construct(PublicKeyTokenProvider $publicKeyTokenProvider) {
  37. $this->publicKeyTokenProvider = $publicKeyTokenProvider;
  38. }
  39. /**
  40. * Create and persist a new token
  41. *
  42. * @param string $token
  43. * @param string $uid
  44. * @param string $loginName
  45. * @param string|null $password
  46. * @param string $name Name will be trimmed to 120 chars when longer
  47. * @param int $type token type
  48. * @param int $remember whether the session token should be used for remember-me
  49. * @return IToken
  50. */
  51. public function generateToken(string $token,
  52. string $uid,
  53. string $loginName,
  54. $password,
  55. string $name,
  56. int $type = IToken::TEMPORARY_TOKEN,
  57. int $remember = IToken::DO_NOT_REMEMBER): IToken {
  58. if (mb_strlen($name) > 128) {
  59. $name = mb_substr($name, 0, 120) . '…';
  60. }
  61. try {
  62. return $this->publicKeyTokenProvider->generateToken(
  63. $token,
  64. $uid,
  65. $loginName,
  66. $password,
  67. $name,
  68. $type,
  69. $remember
  70. );
  71. } catch (UniqueConstraintViolationException $e) {
  72. // It's rare, but if two requests of the same session (e.g. env-based SAML)
  73. // try to create the session token they might end up here at the same time
  74. // because we use the session ID as token and the db token is created anew
  75. // with every request.
  76. //
  77. // If the UIDs match, then this should be fine.
  78. $existing = $this->getToken($token);
  79. if ($existing->getUID() !== $uid) {
  80. throw new \Exception('Token conflict handled, but UIDs do not match. This should not happen', 0, $e);
  81. }
  82. return $existing;
  83. }
  84. }
  85. /**
  86. * Save the updated token
  87. *
  88. * @param IToken $token
  89. * @throws InvalidTokenException
  90. */
  91. public function updateToken(IToken $token) {
  92. $provider = $this->getProvider($token);
  93. $provider->updateToken($token);
  94. }
  95. /**
  96. * Update token activity timestamp
  97. *
  98. * @throws InvalidTokenException
  99. * @param IToken $token
  100. */
  101. public function updateTokenActivity(IToken $token) {
  102. $provider = $this->getProvider($token);
  103. $provider->updateTokenActivity($token);
  104. }
  105. /**
  106. * @param string $uid
  107. * @return IToken[]
  108. */
  109. public function getTokenByUser(string $uid): array {
  110. return $this->publicKeyTokenProvider->getTokenByUser($uid);
  111. }
  112. /**
  113. * Get a token by token
  114. *
  115. * @param string $tokenId
  116. * @throws InvalidTokenException
  117. * @throws \RuntimeException when OpenSSL reports a problem
  118. * @return IToken
  119. */
  120. public function getToken(string $tokenId): IToken {
  121. try {
  122. return $this->publicKeyTokenProvider->getToken($tokenId);
  123. } catch (WipeTokenException $e) {
  124. throw $e;
  125. } catch (ExpiredTokenException $e) {
  126. throw $e;
  127. } catch (InvalidTokenException $e) {
  128. throw $e;
  129. }
  130. }
  131. /**
  132. * Get a token by token id
  133. *
  134. * @param int $tokenId
  135. * @throws InvalidTokenException
  136. * @return IToken
  137. */
  138. public function getTokenById(int $tokenId): IToken {
  139. try {
  140. return $this->publicKeyTokenProvider->getTokenById($tokenId);
  141. } catch (ExpiredTokenException $e) {
  142. throw $e;
  143. } catch (WipeTokenException $e) {
  144. throw $e;
  145. } catch (InvalidTokenException $e) {
  146. throw $e;
  147. }
  148. }
  149. /**
  150. * @param string $oldSessionId
  151. * @param string $sessionId
  152. * @throws InvalidTokenException
  153. * @return IToken
  154. */
  155. public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
  156. try {
  157. return $this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId);
  158. } catch (ExpiredTokenException $e) {
  159. throw $e;
  160. } catch (InvalidTokenException $e) {
  161. throw $e;
  162. }
  163. }
  164. /**
  165. * @param IToken $savedToken
  166. * @param string $tokenId session token
  167. * @throws InvalidTokenException
  168. * @throws PasswordlessTokenException
  169. * @return string
  170. */
  171. public function getPassword(IToken $savedToken, string $tokenId): string {
  172. $provider = $this->getProvider($savedToken);
  173. return $provider->getPassword($savedToken, $tokenId);
  174. }
  175. public function setPassword(IToken $token, string $tokenId, string $password) {
  176. $provider = $this->getProvider($token);
  177. $provider->setPassword($token, $tokenId, $password);
  178. }
  179. public function invalidateToken(string $token) {
  180. $this->publicKeyTokenProvider->invalidateToken($token);
  181. }
  182. public function invalidateTokenById(string $uid, int $id) {
  183. $this->publicKeyTokenProvider->invalidateTokenById($uid, $id);
  184. }
  185. public function invalidateOldTokens() {
  186. $this->publicKeyTokenProvider->invalidateOldTokens();
  187. }
  188. public function invalidateLastUsedBefore(string $uid, int $before): void {
  189. $this->publicKeyTokenProvider->invalidateLastUsedBefore($uid, $before);
  190. }
  191. /**
  192. * @param IToken $token
  193. * @param string $oldTokenId
  194. * @param string $newTokenId
  195. * @return IToken
  196. * @throws InvalidTokenException
  197. * @throws \RuntimeException when OpenSSL reports a problem
  198. */
  199. public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
  200. if ($token instanceof PublicKeyToken) {
  201. return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId);
  202. }
  203. throw new InvalidTokenException();
  204. }
  205. /**
  206. * @param IToken $token
  207. * @return IProvider
  208. * @throws InvalidTokenException
  209. */
  210. private function getProvider(IToken $token): IProvider {
  211. if ($token instanceof PublicKeyToken) {
  212. return $this->publicKeyTokenProvider;
  213. }
  214. throw new InvalidTokenException();
  215. }
  216. public function markPasswordInvalid(IToken $token, string $tokenId) {
  217. $this->getProvider($token)->markPasswordInvalid($token, $tokenId);
  218. }
  219. public function updatePasswords(string $uid, string $password) {
  220. $this->publicKeyTokenProvider->updatePasswords($uid, $password);
  221. }
  222. public function invalidateTokensOfUser(string $uid, ?string $clientName) {
  223. $tokens = $this->getTokenByUser($uid);
  224. foreach ($tokens as $token) {
  225. if ($clientName === null || ($token->getName() === $clientName)) {
  226. $this->invalidateTokenById($uid, $token->getId());
  227. }
  228. }
  229. }
  230. }