Skip to content

[stable17] Handle token insert conflicts #18189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rullzer merged 1 commit into from
Dec 3, 2019
Merged

[stable17] Handle token insert conflicts #18189

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Handle token insert conflicts 
Env-based SAML uses the "Apache auth" mechanism to log users in. In this
code path, we first delete all existin auth tokens from the database,
before a new one is inserted. This is problematic for concurrent
requests as they might reach the same code at the same time, hence both
trying to insert a new row wit the same token (the session ID). This
also bubbles up and disables user_saml.

As the token might still be OK (both request will insert the same data),
we can actually just check if the UIDs of the conflict row is the same
as the one we want to insert right now. In that case let's just use the
existing entry and carry on.

Signed-off-by: Christoph Wurst <[email protected]>
  • Loading branch information
@ChristophWurst
ChristophWurst committed Dec 2, 2019
commit 55b5e13e15db09d187092ab0ae2ce6276983223e
33 changes: 24 additions & 9 deletions lib/private/Authentication/Token/Manager.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@

namespace OC\Authentication\Token;

use Doctrine\DBAL\Exception\UniqueConstraintViolationException;
use OC\Authentication\Exceptions\ExpiredTokenException;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Exceptions\PasswordlessTokenException;
Expand Down Expand Up @@ -60,15 +61,29 @@ public function generateToken(string $token,
string $name,
int $type = IToken::TEMPORARY_TOKEN,
int $remember = IToken::DO_NOT_REMEMBER): IToken {
return $this->publicKeyTokenProvider->generateToken(
$token,
$uid,
$loginName,
$password,
$name,
$type,
$remember
);
try {
return $this->publicKeyTokenProvider->generateToken(
$token,
$uid,
$loginName,
$password,
$name,
$type,
$remember
);
} catch (UniqueConstraintViolationException $e) {
// It's rare, but if two requests of the same session (e.g. env-based SAML)
// try to create the session token they might end up here at the same time
// because we use the session ID as token and the db token is created anew
// with every request.
//
// If the UIDs match, then this should be fine.
$existing = $this->getToken($token);
if ($existing->getUID() !== $uid) {
throw new \Exception('Token conflict handled, but UIDs do not match. This should not happen', 0, $e);
}
return $existing;
}
}

/**
Expand Down
55 changes: 44 additions & 11 deletions tests/lib/Authentication/Token/ManagerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
<?php
<?php declare(strict_types=1);

/**
* @copyright Copyright (c) 2018 Roeland Jago Douma <[email protected]>
*
Expand All @@ -23,29 +24,23 @@

namespace Test\Authentication\Token;

use Doctrine\DBAL\Exception\UniqueConstraintViolationException;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Exceptions\PasswordlessTokenException;
use OC\Authentication\Token\DefaultToken;
use OC\Authentication\Token\DefaultTokenProvider;
use OC\Authentication\Token\Manager;
use OC\Authentication\Token\PublicKeyToken;
use OC\Authentication\Token\PublicKeyTokenMapper;
use OC\Authentication\Token\PublicKeyTokenProvider;
use OC\Authentication\Token\ExpiredTokenException;
use PHPUnit\Framework\MockObject\MockObject;
use OC\Authentication\Token\IToken;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
use OCP\ILogger;
use OCP\IUser;
use OCP\Security\ICrypto;
use Test\TestCase;

class ManagerTest extends TestCase {

/** @var PublicKeyTokenProvider|\PHPUnit_Framework_MockObject_MockObject */
/** @var PublicKeyTokenProvider|MockObject */
private $publicKeyTokenProvider;
/** @var DefaultTokenProvider|\PHPUnit_Framework_MockObject_MockObject */
/** @var DefaultTokenProvider|MockObject */
private $defaultTokenProvider;
/** @var Manager */
private $manager;
Expand Down Expand Up @@ -92,6 +87,44 @@ public function testGenerateToken() {
$this->assertSame($token, $actual);
}

public function testGenerateConflictingToken() {
/** @var MockObject|UniqueConstraintViolationException $exception */
$exception = $this->createMock(UniqueConstraintViolationException::class);
$this->defaultTokenProvider->expects($this->never())
->method('generateToken');

$token = new PublicKeyToken();
$token->setUid('uid');

$this->publicKeyTokenProvider->expects($this->once())
->method('generateToken')
->with(
'token',
'uid',
'loginName',
'password',
'name',
IToken::TEMPORARY_TOKEN,
IToken::REMEMBER
)->willThrowException($exception);
$this->publicKeyTokenProvider->expects($this->once())
->method('getToken')
->with('token')
->willReturn($token);

$actual = $this->manager->generateToken(
'token',
'uid',
'loginName',
'password',
'name',
IToken::TEMPORARY_TOKEN,
IToken::REMEMBER
);

$this->assertSame($token, $actual);
}

public function tokenData(): array {
return [
[new DefaultToken()],
Expand Down