Auto merge of #3320 - pietroalbini:refactor-token-generation, r=Turbo87

bors · bors · commit eb093ee1bb0b · 2021-02-25T13:41:48.000Z
Add SecureToken to enforce good token hygiene

This PR adds the `SecureToken` struct, which relies on the type system to enforce good practices for generating and verifying tokens:

* `SecureToken` forces adding an unique prefix in front of every kind of generated token. This allows token scanning services to properly identify tokens generated by crates.io, and allows crates.io to detect which kind of token it's about to revoke.
* `SecureToken` only stores and exposes the SHA256 of already generated tokens, to prevent accidental plaintext leakages. The plaintext token value is only exposes for newly generated tokens.

r? `@Turbo87`
diff --git a/src/models/token.rs b/src/models/token.rs
@@ -1,14 +1,11 @@
 use chrono::NaiveDateTime;
 use diesel::prelude::*;
-use diesel::sql_types::{Bytea, Text};
 
 use crate::models::User;
 use crate::schema::api_tokens;
 use crate::util::errors::{AppResult, InsecurelyGeneratedTokenRevoked};
 use crate::util::rfc3339;
-
-const TOKEN_LENGTH: usize = 32;
-const TOKEN_PREFIX: &str = "cio"; // Crates.IO
+use crate::util::token::{SecureToken, SecureTokenKind};
 
 /// The model representing a row in the `api_tokens` database table.
 #[derive(Clone, Debug, PartialEq, Eq, Identifiable, Queryable, Associations, Serialize)]
@@ -29,41 +26,35 @@ pub struct ApiToken {
     pub revoked: bool,
 }
 
-diesel::sql_function! {
-    fn digest(input: Text, method: Text) -> Bytea;
-}
-
 impl ApiToken {
     /// Generates a new named API token for a user
     pub fn insert(conn: &PgConnection, user_id: i32, name: &str) -> AppResult<CreatedApiToken> {
-        let plaintext = format!(
-            "{}{}",
-            TOKEN_PREFIX,
-            crate::util::generate_secure_alphanumeric_string(TOKEN_LENGTH)
-        );
+        let token = SecureToken::generate(SecureTokenKind::API);
 
         let model: ApiToken = diesel::insert_into(api_tokens::table)
             .values((
                 api_tokens::user_id.eq(user_id),
                 api_tokens::name.eq(name),
-                api_tokens::token.eq(digest(&plaintext, "sha256")),
+                api_tokens::token.eq(token.sha256()),
             ))
             .get_result(conn)?;
 
-        Ok(CreatedApiToken { plaintext, model })
+        Ok(CreatedApiToken {
+            plaintext: token.plaintext().into(),
+            model,
+        })
     }
 
     pub fn find_by_api_token(conn: &PgConnection, token_: &str) -> AppResult<ApiToken> {
         use crate::schema::api_tokens::dsl::*;
         use diesel::{dsl::now, update};
 
-        if !token_.starts_with(TOKEN_PREFIX) {
-            return Err(InsecurelyGeneratedTokenRevoked::boxed());
-        }
+        let token_ = SecureToken::parse(SecureTokenKind::API, token_)
+            .ok_or_else(InsecurelyGeneratedTokenRevoked::boxed)?;
 
         let tokens = api_tokens
             .filter(revoked.eq(false))
-            .filter(token.eq(digest(token_, "sha256")));
+            .filter(token.eq(token_.sha256()));
 
         // If the database is in read only mode, we can't update last_used_at.
         // Try updating in a new transaction, if that fails, fall back to reading
@@ -98,14 +89,6 @@ mod tests {
     use crate::views::EncodableApiTokenWithToken;
     use chrono::NaiveDate;
 
-    #[test]
-    fn test_token_constants() {
-        // Changing this by itself will implicitly revoke all existing tokens.
-        // If this test needs to be change, make sure you're handling tokens
-        // with the old prefix or that you wanted to revoke them.
-        assert_eq!("cio", TOKEN_PREFIX);
-    }
-
     #[test]
     fn api_token_serializes_to_rfc3339() {
         let tok = ApiToken {
diff --git a/src/util.rs b/src/util.rs
@@ -1,7 +1,6 @@
 use std::cmp;
 
 use conduit::{header, Body, Response};
-use rand::{distributions::Uniform, rngs::OsRng, Rng};
 use serde::Serialize;
 
 pub use self::io_util::{read_fill, read_le_u32, LimitErrorReader};
@@ -13,6 +12,7 @@ mod io_util;
 mod request_helpers;
 mod request_proxy;
 pub mod rfc3339;
+pub(crate) mod token;
 
 pub type AppResponse = Response<conduit::Body>;
 pub type EndpointResult = Result<AppResponse, Box<dyn errors::AppError>>;
@@ -33,16 +33,6 @@ pub fn json_response<T: Serialize>(t: &T) -> AppResponse {
         .unwrap() // Header values are well formed, so should not panic
 }
 
-pub fn generate_secure_alphanumeric_string(len: usize) -> String {
-    const CHARS: &[u8] = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-
-    OsRng
-        .sample_iter(Uniform::from(0..CHARS.len()))
-        .map(|idx| CHARS[idx] as char)
-        .take(len)
-        .collect()
-}
-
 #[derive(Debug, Copy, Clone)]
 pub struct Maximums {
     pub max_upload_size: u64,
diff --git a/src/util/token.rs b/src/util/token.rs
@@ -0,0 +1,170 @@
+use rand::{distributions::Uniform, rngs::OsRng, Rng};
+use sha2::{Digest, Sha256};
+
+const TOKEN_LENGTH: usize = 32;
+
+pub(crate) struct SecureToken {
+    sha256: Vec<u8>,
+}
+
+impl SecureToken {
+    pub(crate) fn generate(kind: SecureTokenKind) -> NewSecureToken {
+        let plaintext = format!(
+            "{}{}",
+            kind.prefix(),
+            generate_secure_alphanumeric_string(TOKEN_LENGTH)
+        );
+        let sha256 = Sha256::digest(plaintext.as_bytes()).as_slice().to_vec();
+
+        NewSecureToken {
+            plaintext,
+            inner: Self { sha256 },
+        }
+    }
+
+    pub(crate) fn parse(kind: SecureTokenKind, plaintext: &str) -> Option<Self> {
+        // This will both reject tokens without a prefix and tokens of the wrong kind.
+        if SecureTokenKind::from_token(plaintext) != Some(kind) {
+            return None;
+        }
+
+        let sha256 = Sha256::digest(plaintext.as_bytes()).as_slice().to_vec();
+        Some(Self { sha256 })
+    }
+
+    pub(crate) fn sha256(&self) -> &[u8] {
+        &self.sha256
+    }
+}
+
+pub(crate) struct NewSecureToken {
+    plaintext: String,
+    inner: SecureToken,
+}
+
+impl NewSecureToken {
+    pub(crate) fn plaintext(&self) -> &str {
+        &self.plaintext
+    }
+}
+
+impl std::ops::Deref for NewSecureToken {
+    type Target = SecureToken;
+
+    fn deref(&self) -> &Self::Target {
+        &self.inner
+    }
+}
+
+fn generate_secure_alphanumeric_string(len: usize) -> String {
+    const CHARS: &[u8] = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+
+    OsRng
+        .sample_iter(Uniform::from(0..CHARS.len()))
+        .map(|idx| CHARS[idx] as char)
+        .take(len)
+        .collect()
+}
+
+macro_rules! secure_token_kind {
+    ($(#[$attr:meta])* $vis:vis enum $name:ident { $($key:ident => $repr:expr,)* }) => {
+        $(#[$attr])*
+        $vis enum $name {
+            $($key,)*
+        }
+
+        impl $name {
+            const VARIANTS: &'static [Self] = &[$(Self::$key,)*];
+
+            fn prefix(&self) -> &'static str {
+                match self {
+                    $(Self::$key => $repr,)*
+                }
+            }
+        }
+    }
+}
+
+secure_token_kind! {
+    /// Represents every kind of secure token generated by crates.io. When you need to generate a
+    /// new kind of token you should also add its own kind with its own unique prefix.
+    ///
+    /// NEVER CHANGE THE PREFIX OF EXISTING TOKEN TYPES!!! Doing so will implicitly revoke all the
+    /// tokens of that kind, distrupting production users.
+    #[derive(Debug, Copy, Clone, Eq, PartialEq, Hash)]
+    pub(crate) enum SecureTokenKind {
+        API => "cio", // Crates.IO
+    }
+}
+
+impl SecureTokenKind {
+    fn from_token(token: &str) -> Option<Self> {
+        Self::VARIANTS
+            .iter()
+            .find(|v| token.starts_with(v.prefix()))
+            .copied()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::collections::HashSet;
+
+    #[test]
+    fn test_generated_and_parse() {
+        const KIND: SecureTokenKind = SecureTokenKind::API;
+
+        let token = SecureToken::generate(KIND);
+        assert!(token.plaintext().starts_with(KIND.prefix()));
+        assert_eq!(
+            token.sha256(),
+            Sha256::digest(token.plaintext().as_bytes()).as_slice()
+        );
+
+        let parsed =
+            SecureToken::parse(KIND, &token.plaintext()).expect("failed to parse back the token");
+        assert_eq!(parsed.sha256(), token.sha256());
+    }
+
+    #[test]
+    fn test_parse_no_kind() {
+        assert!(SecureToken::parse(SecureTokenKind::API, "nokind").is_none());
+    }
+
+    #[test]
+    fn test_persistent_prefixes() {
+        // Changing prefixes will implicitly revoke all the tokens of that kind, disrupting users.
+        // This test serves as a reminder for future maintainers not to change the prefixes, and
+        // to ensure all the variants are tested by this test.
+        let mut remaining: HashSet<_> = SecureTokenKind::VARIANTS.iter().copied().collect();
+        let mut ensure = |kind: SecureTokenKind, prefix| {
+            assert_eq!(kind.prefix(), prefix);
+            remaining.remove(&kind);
+        };
+
+        ensure(SecureTokenKind::API, "cio");
+
+        assert!(
+            remaining.is_empty(),
+            "not all variants have a test to check the prefix"
+        );
+    }
+
+    #[test]
+    fn test_conflicting_prefixes() {
+        // This sanity check prevents multiple tokens from starting with the same prefix, which
+        // would mess up the token kind detection. If this test fails after adding another variant
+        // do not change the test, choose another prefix instead.
+        for variant in SecureTokenKind::VARIANTS {
+            for other in SecureTokenKind::VARIANTS {
+                if variant == other {
+                    continue;
+                }
+                if variant.prefix().starts_with(other.prefix()) {
+                    panic!("variants {:?} and {:?} share a prefix", variant, other);
+                }
+            }
+        }
+    }
+}
