From 46373e765702a203bfcb576c9d3639314ef4965f Mon Sep 17 00:00:00 2001 From: techknowlogick Date: Sat, 4 May 2019 11:45:34 -0400 Subject: [PATCH] Hash App token (#6724) --- go.mod | 2 +- go.sum | 4 +- integrations/api_token_test.go | 8 +- models/error.go | 4 +- models/fixtures/access_token.yml | 16 ++- models/migrations/migrations.go | 2 + models/migrations/v85.go | 135 +++++++++++++++++++++ models/token.go | 51 +++++--- models/token_test.go | 9 +- modules/base/tool.go | 8 ++ modules/base/tool_test.go | 7 ++ routers/api/v1/user/app.go | 12 +- routers/user/setting/applications.go | 2 +- templates/swagger/v1_json.tmpl | 10 +- vendor/code.gitea.io/sdk/gitea/user_app.go | 11 +- vendor/modules.txt | 2 +- 16 files changed, 239 insertions(+), 44 deletions(-) create mode 100644 models/migrations/v85.go diff --git a/go.mod b/go.mod index 0562b3aceb..38edd5c15e 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module code.gitea.io/gitea go 1.12 require ( - code.gitea.io/sdk v0.0.0-20190416172854-7d954d775498 + code.gitea.io/sdk v0.0.0-20190419065346-2858b80da5f7 github.com/BurntSushi/toml v0.3.1 // indirect github.com/PuerkitoBio/goquery v0.0.0-20170324135448-ed7d758e9a34 github.com/RoaringBitmap/roaring v0.4.7 // indirect diff --git a/go.sum b/go.sum index 4b3076e13d..3b7061f84c 100644 --- a/go.sum +++ b/go.sum @@ -1,6 +1,6 @@ cloud.google.com/go v0.30.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -code.gitea.io/sdk v0.0.0-20190416172854-7d954d775498 h1:rcjwXMYIjYts88akPiyy/GB+imecpf159jojChciEEw= -code.gitea.io/sdk v0.0.0-20190416172854-7d954d775498/go.mod h1:5bZt0dRznpn2JysytQnV0yCru3FwDv9O5G91jo+lDAk= +code.gitea.io/sdk v0.0.0-20190419065346-2858b80da5f7 h1:YggbbCVgggcOjKYmcB2wVOsEtJHgHUNFFJZDB6QcYTg= +code.gitea.io/sdk v0.0.0-20190419065346-2858b80da5f7/go.mod h1:5bZt0dRznpn2JysytQnV0yCru3FwDv9O5G91jo+lDAk= github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/PuerkitoBio/goquery v0.0.0-20170324135448-ed7d758e9a34 h1:UsHpWO0Elp6NaWVARdZHjiYwkhrspHVEGsyIKPb9OI8= diff --git a/integrations/api_token_test.go b/integrations/api_token_test.go index 2520f356b7..5768d3b48e 100644 --- a/integrations/api_token_test.go +++ b/integrations/api_token_test.go @@ -26,10 +26,10 @@ func TestAPICreateAndDeleteToken(t *testing.T) { var newAccessToken api.AccessToken DecodeJSON(t, resp, &newAccessToken) models.AssertExistsAndLoadBean(t, &models.AccessToken{ - ID: newAccessToken.ID, - Name: newAccessToken.Name, - Sha1: newAccessToken.Sha1, - UID: user.ID, + ID: newAccessToken.ID, + Name: newAccessToken.Name, + Token: newAccessToken.Token, + UID: user.ID, }) req = NewRequestf(t, "DELETE", "/api/v1/users/user1/tokens/%d", newAccessToken.ID) diff --git a/models/error.go b/models/error.go index c3495b28d7..fe0f05d36b 100644 --- a/models/error.go +++ b/models/error.go @@ -507,7 +507,7 @@ func (err ErrDeployKeyNameAlreadyUsed) Error() string { // ErrAccessTokenNotExist represents a "AccessTokenNotExist" kind of error. type ErrAccessTokenNotExist struct { - SHA string + Token string } // IsErrAccessTokenNotExist checks if an error is a ErrAccessTokenNotExist. @@ -517,7 +517,7 @@ func IsErrAccessTokenNotExist(err error) bool { } func (err ErrAccessTokenNotExist) Error() string { - return fmt.Sprintf("access token does not exist [sha: %s]", err.SHA) + return fmt.Sprintf("access token does not exist [sha: %s]", err.Token) } // ErrAccessTokenEmpty represents a "AccessTokenEmpty" kind of error. diff --git a/models/fixtures/access_token.yml b/models/fixtures/access_token.yml index 9572709dd9..5ff5d66f66 100644 --- a/models/fixtures/access_token.yml +++ b/models/fixtures/access_token.yml @@ -2,7 +2,10 @@ id: 1 uid: 1 name: Token A - sha1: hash1 + #token: d2c6c1ba3890b309189a8e618c72a162e4efbf36 + token_hash: 2b3668e11cb82d3af8c6e4524fc7841297668f5008d1626f0ad3417e9fa39af84c268248b78c481daa7e5dc437784003494f + token_salt: QuSiZr1byZ + token_last_eight: e4efbf36 created_unix: 946687980 updated_unix: 946687980 @@ -10,7 +13,10 @@ id: 2 uid: 1 name: Token B - sha1: hash2 + #token: 4c6f36e6cf498e2a448662f915d932c09c5a146c + token_hash: 1a0e32a231ebbd582dc626c1543a42d3c63d4fa76c07c72862721467c55e8f81c923d60700f0528b5f5f443f055559d3a279 + token_salt: Lfwopukrq5 + token_last_eight: 9c5a146c created_unix: 946687980 updated_unix: 946687980 @@ -18,6 +24,10 @@ id: 3 uid: 2 name: Token A - sha1: hash3 + #token: 90a18faa671dc43924b795806ffe4fd169d28c91 + token_hash: d6d404048048812d9e911d93aefbe94fc768d4876fdf75e3bef0bdc67828e0af422846d3056f2f25ec35c51dc92075685ec5 + token_salt: 99ArgXKlQQ + token_last_eight: 69d28c91 created_unix: 946687980 updated_unix: 946687980 +#commented out tokens so you can see what they are in plaintext \ No newline at end of file diff --git a/models/migrations/migrations.go b/models/migrations/migrations.go index 62c41fb906..1d8cf65785 100644 --- a/models/migrations/migrations.go +++ b/models/migrations/migrations.go @@ -223,6 +223,8 @@ var migrations = []Migration{ NewMigration("add uploader id for table attachment", addUploaderIDForAttachment), // v84 -> v85 NewMigration("add table to store original imported gpg keys", addGPGKeyImport), + // v85 -> v86 + NewMigration("hash application token", hashAppToken), } // Migrate database to current version diff --git a/models/migrations/v85.go b/models/migrations/v85.go new file mode 100644 index 0000000000..28f6ac146d --- /dev/null +++ b/models/migrations/v85.go @@ -0,0 +1,135 @@ +// Copyright 2019 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package migrations + +import ( + "fmt" + + "github.com/go-xorm/core" + "github.com/go-xorm/xorm" + + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/generate" + "code.gitea.io/gitea/modules/log" + "code.gitea.io/gitea/modules/util" +) + +func hashAppToken(x *xorm.Engine) error { + // AccessToken see models/token.go + type AccessToken struct { + ID int64 `xorm:"pk autoincr"` + UID int64 `xorm:"INDEX"` + Name string + Sha1 string + Token string `xorm:"-"` + TokenHash string `xorm:"UNIQUE"` // sha256 of token + TokenSalt string + TokenLastEight string `xorm:"token_last_eight"` + + CreatedUnix util.TimeStamp `xorm:"INDEX created"` + UpdatedUnix util.TimeStamp `xorm:"INDEX updated"` + HasRecentActivity bool `xorm:"-"` + HasUsed bool `xorm:"-"` + } + + // First remove the index + sess := x.NewSession() + defer sess.Close() + if err := sess.Begin(); err != nil { + return err + } + + var err error + if models.DbCfg.Type == core.POSTGRES || models.DbCfg.Type == core.SQLITE { + _, err = sess.Exec("DROP INDEX IF EXISTS UQE_access_token_sha1") + } else if models.DbCfg.Type == core.MSSQL { + _, err = sess.Exec(`DECLARE @ConstraintName VARCHAR(256) + DECLARE @SQL NVARCHAR(256) + SELECT @ConstraintName = obj.name FROM sys.columns col LEFT OUTER JOIN sys.objects obj ON obj.object_id = col.default_object_id AND obj.type = 'D' WHERE col.object_id = OBJECT_ID('access_token') AND obj.name IS NOT NULL AND col.name = 'sha1' + SET @SQL = N'ALTER TABLE [access_token] DROP CONSTRAINT [' + @ConstraintName + N']' + EXEC sp_executesql @SQL`) + } else if models.DbCfg.Type == core.MYSQL { + indexes, err := sess.QueryString(`SHOW INDEX FROM access_token WHERE KEY_NAME = 'UQE_access_token_sha1'`) + if err != nil { + return err + } + + if len(indexes) >= 1 { + _, err = sess.Exec("DROP INDEX UQE_access_token_sha1 ON access_token") + } + } else { + _, err = sess.Exec("DROP INDEX UQE_access_token_sha1 ON access_token") + } + if err != nil { + return fmt.Errorf("Drop index failed: %v", err) + } + + if err = sess.Commit(); err != nil { + return err + } + + if err := sess.Begin(); err != nil { + return err + } + + if err := x.Sync2(new(AccessToken)); err != nil { + return fmt.Errorf("Sync2: %v", err) + } + + if err = sess.Commit(); err != nil { + return err + } + + if err := sess.Begin(); err != nil { + return err + } + + // transform all tokens to hashes + const batchSize = 100 + for start := 0; ; start += batchSize { + tokens := make([]*AccessToken, 0, batchSize) + if err := sess.Limit(batchSize, start).Find(&tokens); err != nil { + return err + } + if len(tokens) == 0 { + break + } + + for _, token := range tokens { + // generate salt + salt, err := generate.GetRandomString(10) + if err != nil { + return err + } + token.TokenSalt = salt + token.TokenHash = hashToken(token.Sha1, salt) + if len(token.Sha1) < 8 { + log.Warn("Unable to transform token %s with name %s belonging to user ID %d, skipping transformation", token.Sha1, token.Name, token.UID) + continue + } + token.TokenLastEight = token.Sha1[len(token.Sha1)-8:] + token.Sha1 = "" // ensure to blank out column in case drop column doesn't work + + if _, err := sess.ID(token.ID).Cols("token_hash, token_salt, token_last_eight, sha1").Update(token); err != nil { + return fmt.Errorf("couldn't add in sha1, token_hash, token_salt and token_last_eight: %v", err) + } + + } + } + + // Commit and begin new transaction for dropping columns + if err := sess.Commit(); err != nil { + return err + } + if err := sess.Begin(); err != nil { + return err + } + + if err := dropTableColumns(sess, "access_token", "sha1"); err != nil { + return err + } + return sess.Commit() + +} diff --git a/models/token.go b/models/token.go index 8393a7cf11..030bff8e1b 100644 --- a/models/token.go +++ b/models/token.go @@ -1,24 +1,30 @@ // Copyright 2014 The Gogs Authors. All rights reserved. +// Copyright 2019 The Gitea Authors. All rights reserved. // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. package models import ( + "crypto/subtle" "time" gouuid "github.com/satori/go.uuid" "code.gitea.io/gitea/modules/base" + "code.gitea.io/gitea/modules/generate" "code.gitea.io/gitea/modules/util" ) // AccessToken represents a personal access token. type AccessToken struct { - ID int64 `xorm:"pk autoincr"` - UID int64 `xorm:"INDEX"` - Name string - Sha1 string `xorm:"UNIQUE VARCHAR(40)"` + ID int64 `xorm:"pk autoincr"` + UID int64 `xorm:"INDEX"` + Name string + Token string `xorm:"-"` + TokenHash string `xorm:"UNIQUE"` // sha256 of token + TokenSalt string + TokenLastEight string `xorm:"token_last_eight"` CreatedUnix util.TimeStamp `xorm:"INDEX created"` UpdatedUnix util.TimeStamp `xorm:"INDEX updated"` @@ -34,24 +40,41 @@ func (t *AccessToken) AfterLoad() { // NewAccessToken creates new access token. func NewAccessToken(t *AccessToken) error { - t.Sha1 = base.EncodeSha1(gouuid.NewV4().String()) - _, err := x.Insert(t) + salt, err := generate.GetRandomString(10) + if err != nil { + return err + } + t.TokenSalt = salt + t.Token = base.EncodeSha1(gouuid.NewV4().String()) + t.TokenHash = hashToken(t.Token, t.TokenSalt) + t.TokenLastEight = t.Token[len(t.Token)-8:] + _, err = x.Insert(t) return err } -// GetAccessTokenBySHA returns access token by given sha1. -func GetAccessTokenBySHA(sha string) (*AccessToken, error) { - if sha == "" { +// GetAccessTokenBySHA returns access token by given token value +func GetAccessTokenBySHA(token string) (*AccessToken, error) { + if token == "" { return nil, ErrAccessTokenEmpty{} } - t := &AccessToken{Sha1: sha} - has, err := x.Get(t) + if len(token) < 8 { + return nil, ErrAccessTokenNotExist{token} + } + var tokens []AccessToken + lastEight := token[len(token)-8:] + err := x.Table(&AccessToken{}).Where("token_last_eight = ?", lastEight).Find(&tokens) if err != nil { return nil, err - } else if !has { - return nil, ErrAccessTokenNotExist{sha} + } else if len(tokens) == 0 { + return nil, ErrAccessTokenNotExist{token} } - return t, nil + for _, t := range tokens { + tempHash := hashToken(token, t.TokenSalt) + if subtle.ConstantTimeCompare([]byte(t.TokenHash), []byte(tempHash)) == 1 { + return &t, nil + } + } + return nil, ErrAccessTokenNotExist{token} } // ListAccessTokens returns a list of access tokens belongs to given user. diff --git a/models/token_test.go b/models/token_test.go index 540bd40deb..9f2699a168 100644 --- a/models/token_test.go +++ b/models/token_test.go @@ -29,11 +29,12 @@ func TestNewAccessToken(t *testing.T) { func TestGetAccessTokenBySHA(t *testing.T) { assert.NoError(t, PrepareTestDatabase()) - token, err := GetAccessTokenBySHA("hash1") + token, err := GetAccessTokenBySHA("d2c6c1ba3890b309189a8e618c72a162e4efbf36") assert.NoError(t, err) assert.Equal(t, int64(1), token.UID) assert.Equal(t, "Token A", token.Name) - assert.Equal(t, "hash1", token.Sha1) + assert.Equal(t, "2b3668e11cb82d3af8c6e4524fc7841297668f5008d1626f0ad3417e9fa39af84c268248b78c481daa7e5dc437784003494f", token.TokenHash) + assert.Equal(t, "e4efbf36", token.TokenLastEight) token, err = GetAccessTokenBySHA("notahash") assert.Error(t, err) @@ -69,7 +70,7 @@ func TestListAccessTokens(t *testing.T) { func TestUpdateAccessToken(t *testing.T) { assert.NoError(t, PrepareTestDatabase()) - token, err := GetAccessTokenBySHA("hash2") + token, err := GetAccessTokenBySHA("4c6f36e6cf498e2a448662f915d932c09c5a146c") assert.NoError(t, err) token.Name = "Token Z" @@ -80,7 +81,7 @@ func TestUpdateAccessToken(t *testing.T) { func TestDeleteAccessTokenByID(t *testing.T) { assert.NoError(t, PrepareTestDatabase()) - token, err := GetAccessTokenBySHA("hash2") + token, err := GetAccessTokenBySHA("4c6f36e6cf498e2a448662f915d932c09c5a146c") assert.NoError(t, err) assert.Equal(t, int64(1), token.UID) diff --git a/modules/base/tool.go b/modules/base/tool.go index d99ed2bab4..3a6e28a885 100644 --- a/modules/base/tool.go +++ b/modules/base/tool.go @@ -9,6 +9,7 @@ import ( "crypto/md5" "crypto/rand" "crypto/sha1" + "crypto/sha256" "encoding/base64" "encoding/hex" "fmt" @@ -54,6 +55,13 @@ func EncodeSha1(str string) string { return hex.EncodeToString(h.Sum(nil)) } +// EncodeSha256 string to sha1 hex value. +func EncodeSha256(str string) string { + h := sha256.New() + h.Write([]byte(str)) + return hex.EncodeToString(h.Sum(nil)) +} + // ShortSha is basically just truncating. // It is DEPRECATED and will be removed in the future. func ShortSha(sha1 string) string { diff --git a/modules/base/tool_test.go b/modules/base/tool_test.go index 04cd682907..dcaf2fcbb0 100644 --- a/modules/base/tool_test.go +++ b/modules/base/tool_test.go @@ -53,6 +53,13 @@ func TestEncodeSha1(t *testing.T) { ) } +func TestEncodeSha256(t *testing.T) { + assert.Equal(t, + "c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2", + EncodeSha256("foobar"), + ) +} + func TestShortSha(t *testing.T) { assert.Equal(t, "veryverylo", ShortSha("veryverylong")) } diff --git a/routers/api/v1/user/app.go b/routers/api/v1/user/app.go index ef53e95d8b..d9716f419a 100644 --- a/routers/api/v1/user/app.go +++ b/routers/api/v1/user/app.go @@ -37,9 +37,9 @@ func ListAccessTokens(ctx *context.APIContext) { apiTokens := make([]*api.AccessToken, len(tokens)) for i := range tokens { apiTokens[i] = &api.AccessToken{ - ID: tokens[i].ID, - Name: tokens[i].Name, - Sha1: tokens[i].Sha1, + ID: tokens[i].ID, + Name: tokens[i].Name, + TokenLastEight: tokens[i].TokenLastEight, } } ctx.JSON(200, &apiTokens) @@ -81,9 +81,9 @@ func CreateAccessToken(ctx *context.APIContext, form api.CreateAccessTokenOption return } ctx.JSON(201, &api.AccessToken{ - Name: t.Name, - Sha1: t.Sha1, - ID: t.ID, + Name: t.Name, + Token: t.Token, + ID: t.ID, }) } diff --git a/routers/user/setting/applications.go b/routers/user/setting/applications.go index 90e34d9e1a..d93684bcc0 100644 --- a/routers/user/setting/applications.go +++ b/routers/user/setting/applications.go @@ -49,7 +49,7 @@ func ApplicationsPost(ctx *context.Context, form auth.NewAccessTokenForm) { } ctx.Flash.Success(ctx.Tr("settings.generate_token_success")) - ctx.Flash.Info(t.Sha1) + ctx.Flash.Info(t.Token) ctx.Redirect(setting.AppSubURL + "/user/settings/applications") } diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl index b6160fc84d..134b9051b2 100644 --- a/templates/swagger/v1_json.tmpl +++ b/templates/swagger/v1_json.tmpl @@ -9458,8 +9458,11 @@ }, "responses": { "AccessToken": { - "description": "AccessToken represents a API access token.", + "description": "AccessToken represents an API access token.", "headers": { + "hashed_token": { + "type": "string" + }, "id": { "type": "integer", "format": "int64" @@ -9467,7 +9470,10 @@ "name": { "type": "string" }, - "sha1": { + "token": { + "type": "string" + }, + "token_last_eight": { "type": "string" } } diff --git a/vendor/code.gitea.io/sdk/gitea/user_app.go b/vendor/code.gitea.io/sdk/gitea/user_app.go index d3bfce971b..023837f83b 100644 --- a/vendor/code.gitea.io/sdk/gitea/user_app.go +++ b/vendor/code.gitea.io/sdk/gitea/user_app.go @@ -1,4 +1,5 @@ // Copyright 2014 The Gogs Authors. All rights reserved. +// Copyright 2019 The Gitea Authors. All rights reserved. // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. @@ -17,12 +18,14 @@ func BasicAuthEncode(user, pass string) string { return base64.StdEncoding.EncodeToString([]byte(user + ":" + pass)) } -// AccessToken represents a API access token. +// AccessToken represents an API access token. // swagger:response AccessToken type AccessToken struct { - ID int64 `json:"id"` - Name string `json:"name"` - Sha1 string `json:"sha1"` + ID int64 `json:"id"` + Name string `json:"name"` + Token string `json:"token"` + HashedToken string `json:"hashed_token"` + TokenLastEight string `json:"token_last_eight"` } // AccessTokenList represents a list of API access token. diff --git a/vendor/modules.txt b/vendor/modules.txt index d8ac723d90..41edf76a92 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,4 +1,4 @@ -# code.gitea.io/sdk v0.0.0-20190416172854-7d954d775498 +# code.gitea.io/sdk v0.0.0-20190419065346-2858b80da5f7 code.gitea.io/sdk/gitea # github.com/BurntSushi/toml v0.3.1 github.com/BurntSushi/toml