Merge pull request #585 from amousset/arch_23243/hash_api_tokens_plugin

Fixes #23243: Hash API tokens - plugin

api-authorizations/src/main/elm/sources/UserApiToken.elm

@@ -39,6 +39,7 @@ type alias Model =
     { contextPath : String
     , token : Maybe Token
     , error : Maybe (Html Msg)
+    , isNewToken : Bool
     }
 
 
@@ -95,7 +96,7 @@ init : { contextPath : String } -> ( Model, Cmd Msg )
 init flags =
     let
         initModel =
-            Model flags.contextPath Nothing Nothing
+            Model flags.contextPath Nothing Nothing False
     in
     ( initModel
     , getUserToken initModel
@@ -173,7 +174,7 @@ update msg model =
             updateFromApiResult res model
 
         CreateUserToken res ->
-            updateFromApiResult res model
+            updateFromApiResult res { model | isNewToken = True}
 
         DeleteUserToken res ->
             updateFromDelete res model
@@ -244,8 +245,8 @@ deleteUserToken model =
 -- view when the token exists
 
 
-tokenPresent : Token -> List (Html Msg)
-tokenPresent token =
+tokenPresent : Token -> Bool -> List (Html Msg)
+tokenPresent token isNewToken =
     let
         ( statusIcon, statusTxt, statusClass ) =
             case token.enabled of
@@ -254,36 +255,62 @@ tokenPresent token =
 
                 False ->
                     ( "fa-ban", "disabled", "text-info" )
+        hasClearTextToken = not (String.isEmpty token.token)
     in
-    [ li []
+    [ if hasClearTextToken then
+      li []
+      [ a [ class "no-click" ]
+        [ span [ class "fa fa-key" ] []
+        , text "Your personal token: "
+        , div [ class "help-block" ] [ b [] [ text token.token ] ]
+        ]
+      ]
+    else
+      li []
+      [ a [ class "no-click" ]
+        [ span [ class "fa fa-key" ] []
+        , text "You have a personal token."
+        ]
+      ]
+    , if isNewToken then
+      li []
+      [ a [ class "no-click" ]
+        [ span [ class "fa fa-exclamation-triangle" ] []
+        , text "Copy it now as it will not be re-displayed"
+        ]
+      ]
+    else
+      if hasClearTextToken then
+        li []
         [ a [ class "no-click" ]
-            [ span [ class "fa fa-key" ] []
-            , text "Your personal token: "
-            , div [ class "help-block" ] [ b [] [ text token.token ] ]
-            ]
+          [ span [ class "fa fa-exclamation-triangle" ] []
+          , text "Deprecated token format, please re-create"
+          ]
         ]
+      else
+        text ""
     , li []
         [ a [ class "no-click" ]
-            [ span [ class "fa fa-calendar" ] []
-            , text "Generated on "
-            , b [] [ text token.generationDate ]
-            ]
+          [ span [ class "fa fa-calendar" ] []
+          , text "Generated on "
+          , b [] [ text token.generationDate ]
+          ]
         ]
     , li []
         [ a [ class "no-click" ]
-            [ span [ class ("fa " ++ statusIcon) ] []
-            , text "Status: "
-            , b [ class ("text-capitalize " ++ statusClass) ] [ text statusTxt ]
-            ]
+          [ span [ class ("fa " ++ statusIcon) ] []
+          , text "Status: "
+          , b [ class ("text-capitalize " ++ statusClass) ] [ text statusTxt ]
+          ]
         ]
-    , li [ class "footer" ] [ a [ class "deleteToken", onClick DeleteButton ] [ text "Delete API Token" ] ]
+    , li [ class "footer" ] [ a [ class "deleteToken", onClick DeleteButton ] [ text "Delete API token" ] ]
     ]
 
 
 tokenAbsent : Model -> List (Html Msg)
 tokenAbsent model =
     [ li [] [ a [ class "no-click no-token" ] [ text "You don't have an API token yet." ] ]
-    , li [ class "footer" ] [ a [ class "createToken", onClick CreateButton ] [ text "Create an API Token" ] ]
+    , li [ class "footer" ] [ a [ class "createToken", onClick CreateButton ] [ text "Create an API token" ] ]
     ]
 
 
@@ -299,7 +326,7 @@ view model =
          ]
             ++ (case model.token of
                     Just token ->
-                        tokenPresent token
+                        tokenPresent token model.isNewToken
 
                     Nothing ->
                         tokenAbsent model

api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserTokenApiDefinition.scala

@@ -89,8 +89,14 @@ class UserApi(
     val restExtractor = api.restExtractor
     def process0(version: ApiVersion, path: ApiPath, req: Req, params: DefaultParams, authzToken: AuthzToken): LiftResponse = {
       readApi.getById(ApiAccountId(authzToken.actor.name)).toBox match {
-        case Full(Some(token)) =>
-          val accounts: JValue = ("accounts" -> JArray(List(token.toJson)))
+        case Full(Some(account)) =>
+          val filtered = account.copy(token = if (account.token.isHashed) {
+            // Don't send hashes
+            ApiToken("")
+          } else {
+            account.token
+          })
+          val accounts: JValue = ("accounts" -> JArray(List(filtered.toJson)))
           RestUtils.toJsonResponse(None, accounts)(schema.name, true)
 
         case Full(None) =>
@@ -109,20 +115,31 @@ class UserApi(
     val restExtractor = api.restExtractor
     def process0(version: ApiVersion, path: ApiPath, req: Req, params: DefaultParams, authzToken: AuthzToken): LiftResponse = {
       val now     = DateTime.now
+      val secret  = ApiToken.generate_secret(tokenGenerator)
+      val hash    = ApiToken.hash(secret)
       val account = ApiAccount(
         ApiAccountId(authzToken.actor.name),
         ApiAccountKind.User,
         ApiAccountName(authzToken.actor.name),
-        ApiToken(tokenGenerator.newToken(32)),
+        ApiToken(hash),
         s"API token for user '${authzToken.actor.name}'",
-        true,
+        isEnabled = true,
         now,
         now
       )
 
       writeApi.save(account, ModificationId(uuidGen.newUuid), authzToken.actor).toBox match {
-        case Full(token) =>
-          val accounts: JValue = ("accounts" -> JArray(List(token.toJson)))
+        case Full(account) =>
+          val accounts: JValue = ("accounts" -> JArray(
+            List(
+              account
+                .copy(
+                  // Send clear text secret
+                  token = ApiToken(secret)
+                )
+                .toJson
+            )
+          ))
           RestUtils.toJsonResponse(None, accounts)(schema.name, true)
 
         case eb: EmptyBox =>
@@ -137,8 +154,8 @@ class UserApi(
     val restExtractor = api.restExtractor
     def process0(version: ApiVersion, path: ApiPath, req: Req, params: DefaultParams, authzToken: AuthzToken): LiftResponse = {
       writeApi.delete(ApiAccountId(authzToken.actor.name), ModificationId(uuidGen.newUuid), authzToken.actor).toBox match {
-        case Full(token) =>
-          val accounts: JValue = ("accounts" -> ("id" -> token.value))
+        case Full(account) =>
+          val accounts: JValue = ("accounts" -> ("id" -> account.value))
           RestUtils.toJsonResponse(None, accounts)(schema.name, true)
 
         case eb: EmptyBox =>
@@ -153,8 +170,14 @@ class UserApi(
     val restExtractor = api.restExtractor
     def process0(version: ApiVersion, path: ApiPath, req: Req, params: DefaultParams, authzToken: AuthzToken): LiftResponse = {
       readApi.getById(ApiAccountId(authzToken.actor.name)).toBox match {
-        case Full(Some(token)) =>
-          val accounts: JValue = ("accounts" -> JArray(List(token.toJson)))
+        case Full(Some(account)) =>
+          val filtered = account.copy(token = if (account.token.isHashed) {
+            // Don't send hashes
+            ApiToken("")
+          } else {
+            account.token
+          })
+          val accounts: JValue = ("accounts" -> JArray(List(filtered.toJson)))
           RestUtils.toJsonResponse(None, accounts)(schema.name, true)
 
         case Full(None) =>