Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Store encrypted OAuth2 client secrets #38398

Merged
merged 1 commit into from Jun 7, 2023
Merged

Store encrypted OAuth2 client secrets #38398

merged 1 commit into from Jun 7, 2023

Conversation

julien-nc
Copy link
Member

This PR includes:

  • A migration step that encrypts existing client secrets and changes the length of the secret column in oc_oauth2_clients
  • 2 new methods (OCA\OAuth2\Db\Client::getRawSecret and OCA\OAuth2\Db\Client::setRawSecret) in the Client DB entity which are used in the oauth2 app instead of OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret

Maybe there's a more straightforward way to implement this.
I gave up on trying to redefine OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret because setSecret is used to build the Client entity so the value we get from the DB is encrypted again by setSecret and then stored in the entity attribute 馃榿.

Remaining doubts/questions:

  • Is 256 chars long enough for an encrypted 64 chars string?
  • Is it fine that this breaks any other apps directly using the OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret methods?

@julien-nc julien-nc added this to the Nextcloud 28 milestone May 22, 2023
@marcelklehr
Copy link
Member

Is it fine that this breaks any other apps directly using the OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret methods?

Quick search in nextcloud org only reveals: https://github.com/nextcloud/integration_openproject

@julien-nc
Copy link
Member Author

Quick search in nextcloud org only reveals: https://github.com/nextcloud/integration_openproject

Yeah that's the one I found by searching for getSecret usages in my IDE.

@ChristophWurst
Copy link
Member

For the software architecture I would suggest to leave the db layer like before and do the encryption/description in the service layer (controller in the oauth app case). That avoids adding logic and a non-testable service locator to the entity class.

@ChristophWurst
Copy link
Member

Is it fine that this breaks any other apps directly using the OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret methods?

OCA is a private app namespace. We can change it at any time. Other apps are not supposed to access other apps this way but go through OCP

@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch from 71bfa9b to 7b6dd11 Compare May 22, 2023 16:07
ChristophWurst
ChristophWurst reviewed May 22, 2023
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

performance nitpicks

apps/oauth2/lib/Db/Client.php Outdated Show resolved Hide resolved
apps/oauth2/lib/Migration/Version011601Date20230522143227.php Outdated Show resolved Hide resolved
apps/oauth2/lib/Migration/Version011601Date20230522143227.php Outdated Show resolved Hide resolved
@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch 2 times, most recently from fb37e9c to cba874f Compare May 22, 2023 16:51
github-advanced-security[bot]
github-advanced-security bot found potential problems May 22, 2023
View reviewed changes
apps/oauth2/lib/Migration/Version011601Date20230522143227.php
return null;
}

public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options) {

Check notice

Code scanning / Psalm

MissingReturnType Note

Method OCA\OAuth2\Migration\Version011601Date20230522143227::postSchemaChange does not have a return type, expecting void
@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch 2 times, most recently from 293dcf9 to a5456d1 Compare May 22, 2023 17:05
@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch from d2f21b5 to 8b842fa Compare May 23, 2023 10:45
@julien-nc
encrypt oauth2 client secrets
18c742a 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch from 8b842fa to 18c742a Compare June 7, 2023 09:36
@julien-nc
Copy link
Member Author

Rebased and fixed the failing SettingsControllerTest.
CI failures are not related IMO.

@julien-nc julien-nc merged commit 5bf1fc6 into master Jun 7, 2023
33 of 36 checks passed
@julien-nc julien-nc deleted the fix/noid/oauth2-encrypt-client-secret branch June 7, 2023 10:40
@julien-nc
Copy link
Member Author

/backport to stable27

@julien-nc
Copy link
Member Author

/backport to stable26

@julien-nc
Copy link
Member Author

/backport to stable25

@backportbot-nextcloud
Copy link

The backport to stable27 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable27
git pull origin/stable27

# Create the new backport branch
git checkout -b fix/foo-stable27

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable27

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@backportbot-nextcloud
Copy link

The backport to stable26 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable26
git pull origin/stable26

# Create the new backport branch
git checkout -b fix/foo-stable26

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable26

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@backportbot-nextcloud
Copy link

The backport to stable25 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable25
git pull origin/stable25

# Create the new backport branch
git checkout -b fix/foo-stable25

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable25

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@szaimen
Copy link
Contributor

szaimen commented Jun 7, 2023

@julien-nc
I think these are related:
Screenshot_20230607_184436_Brave

@julien-nc
Copy link
Member Author

@szaimen Thanks, I'm on it.

This was referenced Jun 8, 2023
Merged
Merged
Merged
Merged
@ChristophWurst
Copy link
Member

ChristophWurst commented Jun 12, 2023
edited

Is 256 chars long enough for an encrypted 64 chars string?

Apparently it is not 馃ゲ

An exception occurred while executing a query: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'secret' at row 1

With mysql on my dev env. The secret string is 324 bytes long.

ChristophWurst
ChristophWurst reviewed Jun 12, 2023
View reviewed changes
apps/oauth2/lib/Migration/Version011601Date20230522143227.php
$table = $schema->getTable('oauth2_clients');
if ($table->hasColumn('secret')) {
$column = $table->getColumn('secret');
$column->setLength(256);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's widen to 512?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

馃憤 Thanks a lot.
I'll create another PR for master and adjust the backport PRs.
No idea about the max potential length of a 64 B string encrypted with OC\Security\Crypto. Let's discuss that in #38770

@ChristophWurst
Copy link
Member

My application secret is 48 chars long

image

@julien-nc julien-nc mentioned this pull request Jun 12, 2023
Merged
This was referenced Jul 27, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ChristophWurst ChristophWurst ChristophWurst left review comments

@rullzer rullzer rullzer approved these changes

@nickvergessen nickvergessen nickvergessen approved these changes

@marcelklehr marcelklehr Awaiting requested review from marcelklehr

@juliushaertl juliushaertl Awaiting requested review from juliushaertl

Assignees
No one assigned
Labels
2. developing Work in progress backport-request enhancement help wanted security
Projects
None yet
Milestone
Nextcloud 28
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@julien-nc @marcelklehr @ChristophWurst @szaimen @rullzer @nickvergessen