1
0

Manager.php 7.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260
  1. <?php
  2. declare(strict_types=1);
  3. /**
  4. * @copyright Copyright 2018, Roeland Jago Douma <roeland@famdouma.nl>
  5. *
  6. * @author Christoph Wurst <christoph@winzerhof-wurst.at>
  7. * @author Morris Jobke <hey@morrisjobke.de>
  8. * @author Roeland Jago Douma <roeland@famdouma.nl>
  9. *
  10. * @license GNU AGPL version 3 or any later version
  11. *
  12. * This program is free software: you can redistribute it and/or modify
  13. * it under the terms of the GNU Affero General Public License as
  14. * published by the Free Software Foundation, either version 3 of the
  15. * License, or (at your option) any later version.
  16. *
  17. * This program is distributed in the hope that it will be useful,
  18. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  19. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  20. * GNU Affero General Public License for more details.
  21. *
  22. * You should have received a copy of the GNU Affero General Public License
  23. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  24. *
  25. */
  26. namespace OC\Authentication\Token;
  27. use Doctrine\DBAL\Exception\UniqueConstraintViolationException;
  28. use OC\Authentication\Exceptions\InvalidTokenException as OcInvalidTokenException;
  29. use OC\Authentication\Exceptions\PasswordlessTokenException;
  30. use OCP\Authentication\Exceptions\ExpiredTokenException;
  31. use OCP\Authentication\Exceptions\InvalidTokenException;
  32. use OCP\Authentication\Exceptions\WipeTokenException;
  33. use OCP\Authentication\Token\IProvider as OCPIProvider;
  34. use OCP\Authentication\Token\IToken as OCPIToken;
  35. class Manager implements IProvider, OCPIProvider {
  36. /** @var PublicKeyTokenProvider */
  37. private $publicKeyTokenProvider;
  38. public function __construct(PublicKeyTokenProvider $publicKeyTokenProvider) {
  39. $this->publicKeyTokenProvider = $publicKeyTokenProvider;
  40. }
  41. /**
  42. * Create and persist a new token
  43. *
  44. * @param string $token
  45. * @param string $uid
  46. * @param string $loginName
  47. * @param string|null $password
  48. * @param string $name Name will be trimmed to 120 chars when longer
  49. * @param int $type token type
  50. * @param int $remember whether the session token should be used for remember-me
  51. * @return OCPIToken
  52. */
  53. public function generateToken(string $token,
  54. string $uid,
  55. string $loginName,
  56. $password,
  57. string $name,
  58. int $type = OCPIToken::TEMPORARY_TOKEN,
  59. int $remember = OCPIToken::DO_NOT_REMEMBER): OCPIToken {
  60. if (mb_strlen($name) > 128) {
  61. $name = mb_substr($name, 0, 120) . '…';
  62. }
  63. try {
  64. return $this->publicKeyTokenProvider->generateToken(
  65. $token,
  66. $uid,
  67. $loginName,
  68. $password,
  69. $name,
  70. $type,
  71. $remember
  72. );
  73. } catch (UniqueConstraintViolationException $e) {
  74. // It's rare, but if two requests of the same session (e.g. env-based SAML)
  75. // try to create the session token they might end up here at the same time
  76. // because we use the session ID as token and the db token is created anew
  77. // with every request.
  78. //
  79. // If the UIDs match, then this should be fine.
  80. $existing = $this->getToken($token);
  81. if ($existing->getUID() !== $uid) {
  82. throw new \Exception('Token conflict handled, but UIDs do not match. This should not happen', 0, $e);
  83. }
  84. return $existing;
  85. }
  86. }
  87. /**
  88. * Save the updated token
  89. *
  90. * @param OCPIToken $token
  91. * @throws InvalidTokenException
  92. */
  93. public function updateToken(OCPIToken $token) {
  94. $provider = $this->getProvider($token);
  95. $provider->updateToken($token);
  96. }
  97. /**
  98. * Update token activity timestamp
  99. *
  100. * @throws InvalidTokenException
  101. * @param OCPIToken $token
  102. */
  103. public function updateTokenActivity(OCPIToken $token) {
  104. $provider = $this->getProvider($token);
  105. $provider->updateTokenActivity($token);
  106. }
  107. /**
  108. * @param string $uid
  109. * @return OCPIToken[]
  110. */
  111. public function getTokenByUser(string $uid): array {
  112. return $this->publicKeyTokenProvider->getTokenByUser($uid);
  113. }
  114. /**
  115. * Get a token by token
  116. *
  117. * @param string $tokenId
  118. * @throws InvalidTokenException
  119. * @throws \RuntimeException when OpenSSL reports a problem
  120. * @return OCPIToken
  121. */
  122. public function getToken(string $tokenId): OCPIToken {
  123. try {
  124. return $this->publicKeyTokenProvider->getToken($tokenId);
  125. } catch (WipeTokenException $e) {
  126. throw $e;
  127. } catch (ExpiredTokenException $e) {
  128. throw $e;
  129. } catch (InvalidTokenException $e) {
  130. throw $e;
  131. }
  132. }
  133. /**
  134. * Get a token by token id
  135. *
  136. * @param int $tokenId
  137. * @throws InvalidTokenException
  138. * @return OCPIToken
  139. */
  140. public function getTokenById(int $tokenId): OCPIToken {
  141. try {
  142. return $this->publicKeyTokenProvider->getTokenById($tokenId);
  143. } catch (ExpiredTokenException $e) {
  144. throw $e;
  145. } catch (WipeTokenException $e) {
  146. throw $e;
  147. } catch (InvalidTokenException $e) {
  148. throw $e;
  149. }
  150. }
  151. /**
  152. * @param string $oldSessionId
  153. * @param string $sessionId
  154. * @throws InvalidTokenException
  155. * @return OCPIToken
  156. */
  157. public function renewSessionToken(string $oldSessionId, string $sessionId): OCPIToken {
  158. try {
  159. return $this->publicKeyTokenProvider->renewSessionToken($oldSessionId, $sessionId);
  160. } catch (ExpiredTokenException $e) {
  161. throw $e;
  162. } catch (InvalidTokenException $e) {
  163. throw $e;
  164. }
  165. }
  166. /**
  167. * @param OCPIToken $savedToken
  168. * @param string $tokenId session token
  169. * @throws InvalidTokenException
  170. * @throws PasswordlessTokenException
  171. * @return string
  172. */
  173. public function getPassword(OCPIToken $savedToken, string $tokenId): string {
  174. $provider = $this->getProvider($savedToken);
  175. return $provider->getPassword($savedToken, $tokenId);
  176. }
  177. public function setPassword(OCPIToken $token, string $tokenId, string $password) {
  178. $provider = $this->getProvider($token);
  179. $provider->setPassword($token, $tokenId, $password);
  180. }
  181. public function invalidateToken(string $token) {
  182. $this->publicKeyTokenProvider->invalidateToken($token);
  183. }
  184. public function invalidateTokenById(string $uid, int $id) {
  185. $this->publicKeyTokenProvider->invalidateTokenById($uid, $id);
  186. }
  187. public function invalidateOldTokens() {
  188. $this->publicKeyTokenProvider->invalidateOldTokens();
  189. }
  190. public function invalidateLastUsedBefore(string $uid, int $before): void {
  191. $this->publicKeyTokenProvider->invalidateLastUsedBefore($uid, $before);
  192. }
  193. /**
  194. * @param OCPIToken $token
  195. * @param string $oldTokenId
  196. * @param string $newTokenId
  197. * @return OCPIToken
  198. * @throws InvalidTokenException
  199. * @throws \RuntimeException when OpenSSL reports a problem
  200. */
  201. public function rotate(OCPIToken $token, string $oldTokenId, string $newTokenId): OCPIToken {
  202. if ($token instanceof PublicKeyToken) {
  203. return $this->publicKeyTokenProvider->rotate($token, $oldTokenId, $newTokenId);
  204. }
  205. /** @psalm-suppress DeprecatedClass We have to throw the OC version so both OC and OCP catches catch it */
  206. throw new OcInvalidTokenException();
  207. }
  208. /**
  209. * @param OCPIToken $token
  210. * @return IProvider
  211. * @throws InvalidTokenException
  212. */
  213. private function getProvider(OCPIToken $token): IProvider {
  214. if ($token instanceof PublicKeyToken) {
  215. return $this->publicKeyTokenProvider;
  216. }
  217. /** @psalm-suppress DeprecatedClass We have to throw the OC version so both OC and OCP catches catch it */
  218. throw new OcInvalidTokenException();
  219. }
  220. public function markPasswordInvalid(OCPIToken $token, string $tokenId) {
  221. $this->getProvider($token)->markPasswordInvalid($token, $tokenId);
  222. }
  223. public function updatePasswords(string $uid, string $password) {
  224. $this->publicKeyTokenProvider->updatePasswords($uid, $password);
  225. }
  226. public function invalidateTokensOfUser(string $uid, ?string $clientName) {
  227. $tokens = $this->getTokenByUser($uid);
  228. foreach ($tokens as $token) {
  229. if ($clientName === null || ($token->getName() === $clientName)) {
  230. $this->invalidateTokenById($uid, $token->getId());
  231. }
  232. }
  233. }
  234. }