Store encrypted OAuth2 client secrets #38398
Conversation
julien-nc
requested review from
nickvergessen,
marcelklehr,
ChristophWurst and
juliusknorr
Quick search in nextcloud org only reveals: https://github.com/nextcloud/integration_openproject |
Yeah that's the one I found by searching for |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
For the software architecture I would suggest to leave the db layer like before and do the encryption/description in the service layer (controller in the oauth app case). That avoids adding logic and a non-testable service locator to the entity class. |
OCA is a private app namespace. We can change it at any time. Other apps are not supposed to access other apps this way but go through OCP |
julien-nc
force-pushed
the
fix/noid/oauth2-encrypt-client-secret
branch
from
71bfa9b
to
7b6dd11
Compare
julien-nc
force-pushed
the
fix/noid/oauth2-encrypt-client-secret
branch
2 times, most recently
from
fb37e9c
to
cba874f
Compare
| return null; | ||
| } | ||
|
|
||
| public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options) { |
Check notice
Code scanning / Psalm
MissingReturnType
julien-nc
force-pushed
the
fix/noid/oauth2-encrypt-client-secret
branch
2 times, most recently
from
293dcf9
to
a5456d1
Compare
julien-nc
force-pushed
the
fix/noid/oauth2-encrypt-client-secret
branch
from
d2f21b5
to
8b842fa
Compare
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
julien-nc
force-pushed
the
fix/noid/oauth2-encrypt-client-secret
branch
from
8b842fa
to
18c742a
Compare
|
Rebased and fixed the failing SettingsControllerTest. |
|
/backport to stable27 |
|
/backport to stable26 |
|
/backport to stable25 |
|
The backport to stable27 failed. Please do this backport manually. # Switch to the target branch and update it
git checkout stable27
git pull origin/stable27
# Create the new backport branch
git checkout -b fix/foo-stable27
# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123
# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable27More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport |
|
The backport to stable26 failed. Please do this backport manually. # Switch to the target branch and update it
git checkout stable26
git pull origin/stable26
# Create the new backport branch
git checkout -b fix/foo-stable26
# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123
# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable26More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport |
|
The backport to stable25 failed. Please do this backport manually. # Switch to the target branch and update it
git checkout stable25
git pull origin/stable25
# Create the new backport branch
git checkout -b fix/foo-stable25
# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123
# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable25More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport |
|
@julien-nc |
|
@szaimen Thanks, I'm on it. |
Apparently it is not 🥲
With mysql on my dev env. The secret string is 324 bytes long. |
| $table = $schema->getTable('oauth2_clients'); | ||
| if ($table->hasColumn('secret')) { | ||
| $column = $table->getColumn('secret'); | ||
| $column->setLength(256); |
There was a problem hiding this comment.
👍 Thanks a lot.
I'll create another PR for master and adjust the backport PRs.
No idea about the max potential length of a 64 B string encrypted with OC\Security\Crypto. Let's discuss that in #38770
|
My application secret is 48 chars long
|
This PR includes:
secretcolumn inoc_oauth2_clientsOCA\OAuth2\Db\Client::getRawSecretandOCA\OAuth2\Db\Client::setRawSecret) in the Client DB entity which are used in theoauth2app instead ofOCA\OAuth2\Db\Client::getSecretandOCA\OAuth2\Db\Client::setSecretMaybe there's a more straightforward way to implement this.
I gave up on trying to redefine
OCA\OAuth2\Db\Client::getSecretandOCA\OAuth2\Db\Client::setSecretbecausesetSecretis used to build the Client entity so the value we get from the DB is encrypted again bysetSecretand then stored in the entity attribute 😁.Remaining doubts/questions:
OCA\OAuth2\Db\Client::getSecretandOCA\OAuth2\Db\Client::setSecretmethods?