From 5100e3152dad5e10d5e19025495c0ddf20bf6c6b Mon Sep 17 00:00:00 2001 From: Christoph Wurst Date: Tue, 7 May 2024 19:30:11 +0200 Subject: [PATCH] feat(auth): Clean-up unused auth tokens and wipe tokens Signed-off-by: Christoph Wurst --- .../Token/PublicKeyTokenMapper.php | 17 ++++++++------- .../Token/PublicKeyTokenProvider.php | 13 ++++++++++-- .../Token/PublicKeyTokenProviderTest.php | 21 +++++++++---------- 3 files changed, 31 insertions(+), 20 deletions(-) diff --git a/lib/private/Authentication/Token/PublicKeyTokenMapper.php b/lib/private/Authentication/Token/PublicKeyTokenMapper.php index 0db5c4f53e7ea..b1341fe1898e7 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenMapper.php +++ b/lib/private/Authentication/Token/PublicKeyTokenMapper.php @@ -36,17 +36,20 @@ public function invalidate(string $token) { /** * @param int $olderThan - * @param int $remember + * @param int $type + * @param int|null $remember */ - public function invalidateOld(int $olderThan, int $remember = IToken::DO_NOT_REMEMBER) { + public function invalidateOld(int $olderThan, int $type = IToken::TEMPORARY_TOKEN, ?int $remember = null) { /* @var $qb IQueryBuilder */ $qb = $this->db->getQueryBuilder(); - $qb->delete($this->tableName) + $delete = $qb->delete($this->tableName) ->where($qb->expr()->lt('last_activity', $qb->createNamedParameter($olderThan, IQueryBuilder::PARAM_INT))) - ->andWhere($qb->expr()->eq('type', $qb->createNamedParameter(IToken::TEMPORARY_TOKEN, IQueryBuilder::PARAM_INT))) - ->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT))) - ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))) - ->execute(); + ->andWhere($qb->expr()->eq('type', $qb->createNamedParameter($type, IQueryBuilder::PARAM_INT))) + ->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT))); + if ($remember !== null) { + $delete->andWhere($qb->expr()->eq('remember', $qb->createNamedParameter($remember, IQueryBuilder::PARAM_INT))); + } + $delete->executeStatement(); } public function invalidateLastUsedBefore(string $uid, int $before): int { diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index a3bfa3147a5d2..d3b1e7cffd7bc 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -281,10 +281,19 @@ public function invalidateTokenById(string $uid, int $id) { public function invalidateOldTokens() { $olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24); $this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']); - $this->mapper->invalidateOld($olderThan, OCPIToken::DO_NOT_REMEMBER); + $this->mapper->invalidateOld($olderThan, OCPIToken::TEMPORARY_TOKEN, OCPIToken::DO_NOT_REMEMBER); + $rememberThreshold = $this->time->getTime() - $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15); $this->logger->debug('Invalidating remembered session tokens older than ' . date('c', $rememberThreshold), ['app' => 'cron']); - $this->mapper->invalidateOld($rememberThreshold, OCPIToken::REMEMBER); + $this->mapper->invalidateOld($rememberThreshold, OCPIToken::TEMPORARY_TOKEN, OCPIToken::REMEMBER); + + $wipeThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_wipe_token_retention', 60 * 60 * 24 * 60); + $this->logger->debug('Invalidating auth tokens marked for remote wipe older than ' . date('c', $wipeThreshold), ['app' => 'cron']); + $this->mapper->invalidateOld($wipeThreshold, OCPIToken::WIPE_TOKEN); + + $authTokenThreshold = $this->time->getTime() - $this->config->getSystemValueInt('token_auth_token_retention', 60 * 60 * 24 * 365); + $this->logger->debug('Invalidating auth tokens older than ' . date('c', $authTokenThreshold), ['app' => 'cron']); + $this->mapper->invalidateOld($authTokenThreshold, OCPIToken::PERMANENT_TOKEN); } public function invalidateLastUsedBefore(string $uid, int $before): void { diff --git a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php index 3c81eade7007a..e2ca4350f29f1 100644 --- a/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php +++ b/tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php @@ -56,12 +56,6 @@ protected function setUp(): void { $this->hasher = \OC::$server->get(IHasher::class); $this->crypto = \OC::$server->getCrypto(); $this->config = $this->createMock(IConfig::class); - $this->config->method('getSystemValueInt') - ->willReturnMap([ - ['session_lifetime', 60 * 60 * 24, 150], - ['remember_login_cookie_lifetime', 60 * 60 * 24 * 15, 300], - ['token_auth_activity_update', 60, 60], - ]); $this->config->method('getSystemValue') ->willReturnMap([ ['openssl', [], []], @@ -330,20 +324,25 @@ public function testInvalidateTokenById() { $this->tokenProvider->invalidateTokenById('uid', $id); } - public function testInvalidateOldTokens() { + public function testInvalidateOldTokens(): void { $defaultSessionLifetime = 60 * 60 * 24; $defaultRememberMeLifetime = 60 * 60 * 24 * 15; - $this->config->expects($this->exactly(2)) + $wipeTokenLifetime = 60 * 60 * 24 * 60; + $this->config->expects($this->exactly(4)) ->method('getSystemValueInt') ->willReturnMap([ ['session_lifetime', $defaultSessionLifetime, 150], ['remember_login_cookie_lifetime', $defaultRememberMeLifetime, 300], + ['token_auth_wipe_token_retention', $wipeTokenLifetime, 500], + ['token_auth_token_retention', 60 * 60 * 24 * 365, 800], ]); - $this->mapper->expects($this->exactly(2)) + $this->mapper->expects($this->exactly(4)) ->method('invalidateOld') ->withConsecutive( - [$this->time - 150], - [$this->time - 300] + [$this->time - 150, IToken::TEMPORARY_TOKEN, IToken::DO_NOT_REMEMBER], + [$this->time - 300, IToken::TEMPORARY_TOKEN, IToken::REMEMBER], + [$this->time - 500, IToken::WIPE_TOKEN, null], + [$this->time - 800, IToken::PERMANENT_TOKEN, null], ); $this->tokenProvider->invalidateOldTokens();