
Store encrypted OAuth2 client secrets #38398

Merged
merged 1 commit into from
Jun 7, 2023

julien-nc
Member

This PR includes:

  • A migration step that encrypts existing client secrets and changes the length of the secret column in oc_oauth2_clients
  • 2 new methods (OCA\OAuth2\Db\Client::getRawSecret and OCA\OAuth2\Db\Client::setRawSecret) in the Client DB entity which are used in the oauth2 app instead of OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret

Maybe there's a more straightforward way to implement this.
I gave up on trying to redefine OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret because setSecret is used to build the Client entity so the value we get from the DB is encrypted again by setSecret and then stored in the entity attribute 😁.

Remaining doubts/questions:

  • Is 256 chars long enough for an encrypted 64 chars string?
  • Is it fine that this breaks any other apps directly using the OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret methods?

@marcelklehr
Member

> Is it fine that this breaks any other apps directly using the OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret methods?

Quick search in nextcloud org only reveals: https://github.com/nextcloud/integration_openproject

@julien-nc
Member Author

> Quick search in nextcloud org only reveals: https://github.com/nextcloud/integration_openproject

Yeah that's the one I found by searching for getSecret usages in my IDE.

@ChristophWurst
Member

For the software architecture I would suggest to leave the db layer like before and do the encryption/decryption in the service layer (controller in the oauth app case). That avoids adding logic and a non-testable service locator to the entity class.

@ChristophWurst
Member

> Is it fine that this breaks any other apps directly using the OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret methods?

OCA is a private app namespace. We can change it at any time. Other apps are not supposed to access other apps this way but go through OCP.

@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch from 71bfa9b to 7b6dd11 Compare May 22, 2023 16:07
@ChristophWurst left a comment
Member

performance nitpicks

apps/oauth2/lib/Db/Client.php (outdated)
@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch 2 times, most recently from fb37e9c to cba874f Compare May 22, 2023 16:51
return null;
}

public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options) {

Check notice (Code scanning / Psalm): MissingReturnType

Method OCA\OAuth2\Migration\Version011601Date20230522143227::postSchemaChange does not have a return type, expecting void
@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch 2 times, most recently from 293dcf9 to a5456d1 Compare May 22, 2023 17:05
@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch from d2f21b5 to 8b842fa Compare May 23, 2023 10:45
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch from 8b842fa to 18c742a Compare June 7, 2023 09:36
@julien-nc
Member Author

Rebased and fixed the failing SettingsControllerTest.
CI failures are not related IMO.

@julien-nc julien-nc merged commit 5bf1fc6 into master Jun 7, 2023
@julien-nc julien-nc deleted the fix/noid/oauth2-encrypt-client-secret branch June 7, 2023 10:40
@julien-nc
Member Author

/backport to stable27

@julien-nc
Member Author

/backport to stable26

@julien-nc
Member Author

/backport to stable25

@backportbot-nextcloud

The backport to stable27 failed. Please do this backport manually.

```bash
# Switch to the target branch and update it
git checkout stable27
git pull origin stable27

# Create the new backport branch
git checkout -b fix/foo-stable27

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable27
```

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@backportbot-nextcloud

The backport to stable26 failed. Please do this backport manually.

```bash
# Switch to the target branch and update it
git checkout stable26
git pull origin stable26

# Create the new backport branch
git checkout -b fix/foo-stable26

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable26
```

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@backportbot-nextcloud

The backport to stable25 failed. Please do this backport manually.

```bash
# Switch to the target branch and update it
git checkout stable25
git pull origin stable25

# Create the new backport branch
git checkout -b fix/foo-stable25

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable25
```

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@szaimen
Contributor

szaimen commented Jun 7, 2023

@julien-nc
I think these are related:
[Screenshot: Screenshot_20230607_184436_Brave]

@julien-nc
Member Author

@szaimen Thanks, I'm on it.

@ChristophWurst
Member

ChristophWurst commented Jun 12, 2023

> Is 256 chars long enough for an encrypted 64 chars string?

Apparently it is not 🥲

An exception occurred while executing a query: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'secret' at row 1

With mysql on my dev env. The secret string is 324 bytes long.

$table = $schema->getTable('oauth2_clients');
if ($table->hasColumn('secret')) {
$column = $table->getColumn('secret');
$column->setLength(256);
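
Review bot: `$column->setLength(256)` fixes the column width without any bound on the length of the encrypted value, and the 324-byte value reported in this thread already exceeds it, so writing the encrypted secret fails with "Data too long for column 'secret'". Derive the width from the worst-case output of the encryption routine for the longest secret the app accepts, and add a test that encrypts a maximum-length secret and checks that the result fits the column.
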
Member

let's widen to 512?

Member Author

👍 Thanks a lot.
I'll create another PR for master and adjust the backport PRs.
No idea about the max potential length of a 64 B string encrypted with OC\Security\Crypto. Let's discuss that in #38770
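
On the open question of how long an encrypted 64-byte string can get: the following is an added example, not code from this PR or from Nextcloud. It assumes a storage layout of hex ciphertext (AES-256-CBC), hex IV and hex HMAC-SHA-512 joined by `|` with a one-character version tag; the layout, constants and function names are assumptions made for the example. Under that layout a 64-byte secret comes to 324 characters, the length reported above.

```php
<?php
declare(strict_types=1);

// Assumed layout (not taken from the PR):
//   hex(AES-256-CBC ciphertext)|hex(IV)|hex(HMAC-SHA-512)|version
const BLOCK_BYTES = 16;  // AES block size
const IV_BYTES = 16;
const MAC_BYTES = 64;    // HMAC-SHA-512 output size
const VERSION_TAG = '3'; // constructed one-character format marker

// Stored length for an n-byte plaintext, computed without encrypting.
function storedLength(int $n): int {
    // PKCS#7 always pads, so a block-aligned plaintext grows by a full block.
    $cipherBytes = (intdiv($n, BLOCK_BYTES) + 1) * BLOCK_BYTES;
    // Hex doubles each byte; add three '|' separators and the version tag.
    return 2 * ($cipherBytes + IV_BYTES + MAC_BYTES) + 3 + strlen(VERSION_TAG);
}

// Encrypt-then-MAC in the assumed layout, to check the formula on real output.
function encryptForStorage(string $plain, string $encKey, string $macKey): string {
    $iv = random_bytes(IV_BYTES);
    $raw = openssl_encrypt($plain, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($raw === false) {
        throw new RuntimeException('encryption failed');
    }
    $ct = bin2hex($raw);
    $ivHex = bin2hex($iv);
    $mac = hash_hmac('sha512', $ct . $ivHex, $macKey); // hex by default
    return implode('|', [$ct, $ivHex, $mac, VERSION_TAG]);
}

// Constructed keys and secrets, used only to measure lengths.
$encKey = random_bytes(32);
$macKey = random_bytes(32);
foreach ([48, 64, 128] as $n) {
    $len = strlen(encryptForStorage(str_repeat('a', $n), $encKey, $macKey));
    if ($len !== storedLength($n)) {
        throw new LogicException("formula mismatch for $n-byte input");
    }
    printf("%3d-byte secret: %3d chars stored, fits 256: %s, fits 512: %s\n",
        $n, $len, $len <= 256 ? 'yes' : 'no', $len <= 512 ? 'yes' : 'no');
}
```

The fixed overhead (IV, MAC, separators, tag) dominates for short secrets, so the column width should be derived from `storedLength()` of the longest accepted secret rather than from the plaintext length.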

@ChristophWurst
Member

My application secret is 48 chars long

[image]
