Skip to content

Store encrypted OAuth2 client secrets#38398

Merged
julien-nc merged 1 commit intomasterfrom
fix/noid/oauth2-encrypt-client-secret
Jun 7, 2023
Merged

Store encrypted OAuth2 client secrets#38398
julien-nc merged 1 commit intomasterfrom
fix/noid/oauth2-encrypt-client-secret

Conversation

@julien-nc
Copy link
Member

@julien-nc julien-nc commented May 22, 2023

This PR includes:

  • A migration step that encrypts existing client secrets and changes the length of the secret column in oc_oauth2_clients
  • 2 new methods (OCA\OAuth2\Db\Client::getRawSecret and OCA\OAuth2\Db\Client::setRawSecret) in the Client DB entity which are used in the oauth2 app instead of OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret

Maybe there's a more straightforward way to implement this.
I gave up on trying to redefine OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret because setSecret is used to build the Client entity so the value we get from the DB is encrypted again by setSecret and then stored in the entity attribute 😁.

Remaining doubts/questions:

  • Is 256 chars long enough for an encrypted 64 chars string?
  • Is it fine that this breaks any other apps directly using the OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret methods?

@julien-nc julien-nc added this to the Nextcloud 28 milestone May 22, 2023
@marcelklehr
Copy link
Member

marcelklehr commented May 22, 2023

Is it fine that this breaks any other apps directly using the OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret methods?

Quick search in nextcloud org only reveals: https://github.com/nextcloud/integration_openproject

@julien-nc
Copy link
Member Author

julien-nc commented May 22, 2023

Quick search in nextcloud org only reveals: https://github.com/nextcloud/integration_openproject

Yeah that's the one I found by searching for getSecret usages in my IDE.

github-advanced-security[bot]
github-advanced-security bot found potential problems May 22, 2023
View reviewed changes
@ChristophWurst
Copy link
Member

ChristophWurst commented May 22, 2023

For the software architecture I would suggest to leave the db layer like before and do the encryption/description in the service layer (controller in the oauth app case). That avoids adding logic and a non-testable service locator to the entity class.

@ChristophWurst
Copy link
Member

ChristophWurst commented May 22, 2023

Is it fine that this breaks any other apps directly using the OCA\OAuth2\Db\Client::getSecret and OCA\OAuth2\Db\Client::setSecret methods?

OCA is a private app namespace. We can change it at any time. Other apps are not supposed to access other apps this way but go through OCP

@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch from 71bfa9b to 7b6dd11 Compare May 22, 2023 16:07
ChristophWurst
ChristophWurst reviewed May 22, 2023
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

performance nitpicks

@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch 2 times, most recently from fb37e9c to cba874f Compare May 22, 2023 16:51
github-advanced-security[bot]
github-advanced-security bot found potential problems May 22, 2023
View reviewed changes
apps/oauth2/lib/Migration/Version011601Date20230522143227.php
return null;
}

public function postSchemaChange(IOutput $output, Closure $schemaClosure, array $options) {

Check notice

Code scanning / Psalm

MissingReturnType

Method OCA\OAuth2\Migration\Version011601Date20230522143227::postSchemaChange does not have a return type, expecting void
ChristophWurst
ChristophWurst reviewed May 22, 2023
View reviewed changes
@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch 2 times, most recently from 293dcf9 to a5456d1 Compare May 22, 2023 17:05
nickvergessen
nickvergessen reviewed May 23, 2023
View reviewed changes
nickvergessen
nickvergessen reviewed May 23, 2023
View reviewed changes
nickvergessen
nickvergessen reviewed May 23, 2023
View reviewed changes
@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch from d2f21b5 to 8b842fa Compare May 23, 2023 10:45
@julien-nc julien-nc requested a review from ChristophWurst May 23, 2023 10:45
@julien-nc julien-nc requested a review from nickvergessen May 23, 2023 10:45
@julien-nc
encrypt oauth2 client secrets
18c742a 
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
@julien-nc julien-nc force-pushed the fix/noid/oauth2-encrypt-client-secret branch from 8b842fa to 18c742a Compare June 7, 2023 09:36
@julien-nc
Copy link
Member Author

julien-nc commented Jun 7, 2023

Rebased and fixed the failing SettingsControllerTest.
CI failures are not related IMO.

@julien-nc julien-nc merged commit 5bf1fc6 into master Jun 7, 2023
@julien-nc julien-nc deleted the fix/noid/oauth2-encrypt-client-secret branch June 7, 2023 10:40
@julien-nc
Copy link
Member Author

julien-nc commented Jun 7, 2023

/backport to stable27

@julien-nc
Copy link
Member Author

julien-nc commented Jun 7, 2023

/backport to stable26

@julien-nc
Copy link
Member Author

julien-nc commented Jun 7, 2023

/backport to stable25

@backportbot-nextcloud
Copy link

backportbot-nextcloud bot commented Jun 7, 2023

The backport to stable27 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable27
git pull origin/stable27

# Create the new backport branch
git checkout -b fix/foo-stable27

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable27

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@backportbot-nextcloud
Copy link

backportbot-nextcloud bot commented Jun 7, 2023

The backport to stable26 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable26
git pull origin/stable26

# Create the new backport branch
git checkout -b fix/foo-stable26

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable26

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@backportbot-nextcloud
Copy link

backportbot-nextcloud bot commented Jun 7, 2023

The backport to stable25 failed. Please do this backport manually.

# Switch to the target branch and update it
git checkout stable25
git pull origin/stable25

# Create the new backport branch
git checkout -b fix/foo-stable25

# Cherry pick the change from the commit sha1 of the change against the default branch
# This might cause conflicts. Resolve them.
git cherry-pick abc123

# Push the cherry pick commit to the remote repository and open a pull request
git push origin fix/foo-stable25

More info at https://docs.nextcloud.com/server/latest/developer_manual/getting_started/development_process.html#manual-backport

@szaimen
Copy link
Contributor

szaimen commented Jun 7, 2023

@julien-nc
I think these are related:
Screenshot_20230607_184436_Brave

@julien-nc
Copy link
Member Author

julien-nc commented Jun 8, 2023

@szaimen Thanks, I'm on it.

This was referenced Jun 8, 2023
Merged
Merged
Merged
Merged
@ChristophWurst
Copy link
Member

ChristophWurst commented Jun 12, 2023
edited
Loading

Is 256 chars long enough for an encrypted 64 chars string?

Apparently it is not 🥲

An exception occurred while executing a query: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'secret' at row 1

With mysql on my dev env. The secret string is 324 bytes long.

ChristophWurst
ChristophWurst reviewed Jun 12, 2023
View reviewed changes
apps/oauth2/lib/Migration/Version011601Date20230522143227.php
$table = $schema->getTable('oauth2_clients');
if ($table->hasColumn('secret')) {
$column = $table->getColumn('secret');
$column->setLength(256);
Copy link
Member

@ChristophWurst ChristophWurst Jun 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's widen to 512?

Copy link
Member Author

@julien-nc julien-nc Jun 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Thanks a lot.
I'll create another PR for master and adjust the backport PRs.
No idea about the max potential length of a 64 B string encrypted with OC\Security\Crypto. Let's discuss that in #38770

@ChristophWurst
Copy link
Member

ChristophWurst commented Jun 12, 2023

My application secret is 48 chars long

image

@julien-nc julien-nc mentioned this pull request Jun 12, 2023
Merged
This was referenced Jul 27, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ChristophWurst ChristophWurst ChristophWurst left review comments

@rullzer rullzer rullzer approved these changes

@nickvergessen nickvergessen nickvergessen approved these changes

@marcelklehr marcelklehr Awaiting requested review from marcelklehr

@juliusknorr juliusknorr Awaiting requested review from juliusknorr

Assignees

No one assigned

Labels

2. developing Work in progress enhancement help wanted security

Projects

None yet

Milestone

Nextcloud 28

Development

Successfully merging this pull request may close these issues.

7 participants

@julien-nc @marcelklehr @ChristophWurst @szaimen @rullzer @nickvergessen @skjnldsv