Skip to content

Add SecureToken to enforce good token hygiene #3320

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Feb 25, 2021
Merged

Add SecureToken to enforce good token hygiene #3320

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ee4a837
util: add SecureToken to enforce good token hygiene
pietroalbini Feb 22, 2021
f519510
util: extract SecureTokenKind::from_token out of the macro
pietroalbini Feb 23, 2021
46840ca
util: add more tests to the token generation
pietroalbini Feb 23, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 10 additions & 27 deletions src/models/token.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,11 @@
use chrono::NaiveDateTime;
use diesel::prelude::*;
use diesel::sql_types::{Bytea, Text};

use crate::models::User;
use crate::schema::api_tokens;
use crate::util::errors::{AppResult, InsecurelyGeneratedTokenRevoked};
use crate::util::rfc3339;

const TOKEN_LENGTH: usize = 32;
const TOKEN_PREFIX: &str = "cio"; // Crates.IO
use crate::util::token::{SecureToken, SecureTokenKind};

/// The model representing a row in the `api_tokens` database table.
#[derive(Clone, Debug, PartialEq, Eq, Identifiable, Queryable, Associations, Serialize)]
Expand All @@ -29,41 +26,35 @@ pub struct ApiToken {
pub revoked: bool,
}

diesel::sql_function! {
fn digest(input: Text, method: Text) -> Bytea;
}

impl ApiToken {
/// Generates a new named API token for a user
pub fn insert(conn: &PgConnection, user_id: i32, name: &str) -> AppResult<CreatedApiToken> {
let plaintext = format!(
"{}{}",
TOKEN_PREFIX,
crate::util::generate_secure_alphanumeric_string(TOKEN_LENGTH)
);
let token = SecureToken::generate(SecureTokenKind::API);

let model: ApiToken = diesel::insert_into(api_tokens::table)
.values((
api_tokens::user_id.eq(user_id),
api_tokens::name.eq(name),
api_tokens::token.eq(digest(&plaintext, "sha256")),
api_tokens::token.eq(token.sha256()),
))
.get_result(conn)?;

Ok(CreatedApiToken { plaintext, model })
Ok(CreatedApiToken {
plaintext: token.plaintext().into(),
model,
})
}

pub fn find_by_api_token(conn: &PgConnection, token_: &str) -> AppResult<ApiToken> {
use crate::schema::api_tokens::dsl::*;
use diesel::{dsl::now, update};

if !token_.starts_with(TOKEN_PREFIX) {
return Err(InsecurelyGeneratedTokenRevoked::boxed());
}
let token_ = SecureToken::parse(SecureTokenKind::API, token_)
.ok_or_else(InsecurelyGeneratedTokenRevoked::boxed)?;

let tokens = api_tokens
.filter(revoked.eq(false))
.filter(token.eq(digest(token_, "sha256")));
.filter(token.eq(token_.sha256()));

// If the database is in read only mode, we can't update last_used_at.
// Try updating in a new transaction, if that fails, fall back to reading
Expand Down Expand Up @@ -98,14 +89,6 @@ mod tests {
use crate::views::EncodableApiTokenWithToken;
use chrono::NaiveDate;

#[test]
fn test_token_constants() {
// Changing this by itself will implicitly revoke all existing tokens.
// If this test needs to be change, make sure you're handling tokens
// with the old prefix or that you wanted to revoke them.
assert_eq!("cio", TOKEN_PREFIX);
}

#[test]
fn api_token_serializes_to_rfc3339() {
let tok = ApiToken {
Expand Down
12 changes: 1 addition & 11 deletions src/util.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
use std::cmp;

use conduit::{header, Body, Response};
use rand::{distributions::Uniform, rngs::OsRng, Rng};
use serde::Serialize;

pub use self::io_util::{read_fill, read_le_u32, LimitErrorReader};
Expand All @@ -13,6 +12,7 @@ mod io_util;
mod request_helpers;
mod request_proxy;
pub mod rfc3339;
pub(crate) mod token;

pub type AppResponse = Response<conduit::Body>;
pub type EndpointResult = Result<AppResponse, Box<dyn errors::AppError>>;
Expand All @@ -33,16 +33,6 @@ pub fn json_response<T: Serialize>(t: &T) -> AppResponse {
.unwrap() // Header values are well formed, so should not panic
}

pub fn generate_secure_alphanumeric_string(len: usize) -> String {
const CHARS: &[u8] = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

OsRng
.sample_iter(Uniform::from(0..CHARS.len()))
.map(|idx| CHARS[idx] as char)
.take(len)
.collect()
}

#[derive(Debug, Copy, Clone)]
pub struct Maximums {
pub max_upload_size: u64,
Expand Down
170 changes: 170 additions & 0 deletions src/util/token.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,170 @@
use rand::{distributions::Uniform, rngs::OsRng, Rng};
use sha2::{Digest, Sha256};

const TOKEN_LENGTH: usize = 32;

pub(crate) struct SecureToken {
sha256: Vec<u8>,
}

impl SecureToken {
pub(crate) fn generate(kind: SecureTokenKind) -> NewSecureToken {
let plaintext = format!(
"{}{}",
kind.prefix(),
generate_secure_alphanumeric_string(TOKEN_LENGTH)
);
let sha256 = Sha256::digest(plaintext.as_bytes()).as_slice().to_vec();

NewSecureToken {
plaintext,
inner: Self { sha256 },
}
}

pub(crate) fn parse(kind: SecureTokenKind, plaintext: &str) -> Option<Self> {
// This will both reject tokens without a prefix and tokens of the wrong kind.
if SecureTokenKind::from_token(plaintext) != Some(kind) {
return None;
}

let sha256 = Sha256::digest(plaintext.as_bytes()).as_slice().to_vec();
Some(Self { sha256 })
}

pub(crate) fn sha256(&self) -> &[u8] {
&self.sha256
}
}

pub(crate) struct NewSecureToken {
plaintext: String,
inner: SecureToken,
}

impl NewSecureToken {
pub(crate) fn plaintext(&self) -> &str {
&self.plaintext
}
}

impl std::ops::Deref for NewSecureToken {
type Target = SecureToken;

fn deref(&self) -> &Self::Target {
&self.inner
}
}

fn generate_secure_alphanumeric_string(len: usize) -> String {
const CHARS: &[u8] = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

OsRng
.sample_iter(Uniform::from(0..CHARS.len()))
.map(|idx| CHARS[idx] as char)
.take(len)
.collect()
}

macro_rules! secure_token_kind {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find this a bit hard to read. Did you consider using something like strum instead of this custom macro? If we'll still go with the custom macro I think it'd be good to add a few more doc comments on it at least :)

Copy link
Member Author

@pietroalbini pietroalbini Feb 23, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it's worth bringing another dependency in just for this. I'll try to add some comments to the macro.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this is also fine to retrofit. I'm approving the PR in the meantime :)

($(#[$attr:meta])* $vis:vis enum $name:ident { $($key:ident => $repr:expr,)* }) => {
$(#[$attr])*
$vis enum $name {
$($key,)*
}

impl $name {
const VARIANTS: &'static [Self] = &[$(Self::$key,)*];

fn prefix(&self) -> &'static str {
match self {
$(Self::$key => $repr,)*
}
}
}
}
}

secure_token_kind! {
/// Represents every kind of secure token generated by crates.io. When you need to generate a
/// new kind of token you should also add its own kind with its own unique prefix.
///
/// NEVER CHANGE THE PREFIX OF EXISTING TOKEN TYPES!!! Doing so will implicitly revoke all the
/// tokens of that kind, distrupting production users.
#[derive(Debug, Copy, Clone, Eq, PartialEq, Hash)]
pub(crate) enum SecureTokenKind {
API => "cio", // Crates.IO
}
}

impl SecureTokenKind {
fn from_token(token: &str) -> Option<Self> {
Self::VARIANTS
.iter()
.find(|v| token.starts_with(v.prefix()))
.copied()
}
}

#[cfg(test)]
mod tests {
use super::*;
use std::collections::HashSet;

#[test]
fn test_generated_and_parse() {
const KIND: SecureTokenKind = SecureTokenKind::API;

let token = SecureToken::generate(KIND);
assert!(token.plaintext().starts_with(KIND.prefix()));
assert_eq!(
token.sha256(),
Sha256::digest(token.plaintext().as_bytes()).as_slice()
);

let parsed =
SecureToken::parse(KIND, &token.plaintext()).expect("failed to parse back the token");
assert_eq!(parsed.sha256(), token.sha256());
}

#[test]
fn test_parse_no_kind() {
assert!(SecureToken::parse(SecureTokenKind::API, "nokind").is_none());
}

#[test]
fn test_persistent_prefixes() {
// Changing prefixes will implicitly revoke all the tokens of that kind, disrupting users.
// This test serves as a reminder for future maintainers not to change the prefixes, and
// to ensure all the variants are tested by this test.
let mut remaining: HashSet<_> = SecureTokenKind::VARIANTS.iter().copied().collect();
let mut ensure = |kind: SecureTokenKind, prefix| {
assert_eq!(kind.prefix(), prefix);
remaining.remove(&kind);
};

ensure(SecureTokenKind::API, "cio");

assert!(
remaining.is_empty(),
"not all variants have a test to check the prefix"
);
}

#[test]
fn test_conflicting_prefixes() {
// This sanity check prevents multiple tokens from starting with the same prefix, which
// would mess up the token kind detection. If this test fails after adding another variant
// do not change the test, choose another prefix instead.
for variant in SecureTokenKind::VARIANTS {
for other in SecureTokenKind::VARIANTS {
if variant == other {
continue;
}
if variant.prefix().starts_with(other.prefix()) {
panic!("variants {:?} and {:?} share a prefix", variant, other);
}
}
}
}
}