Skip to content

Commit

Permalink
feat(oauth2) optionally hash client secret
Browse files Browse the repository at this point in the history
### Summary

This was originally implemented with #4866 by @janza.

After some review comments, and the introduction of DAO transformations,
I decided to make changes, thus opening this new PR.

This PR adds a new `boolean` column `hash_secret` to `oauth2_credentials`
that is used to determine whether or not the `client_secret` will be hashed.

The PR adds support for `argon2`, and `bcrypt` and it uses `argon2` if the
system library for argon2 is installed. Otherwise it will fallback to
`bcrypt`. The plugin will also check if the `client_secret` needs to be
rehashed (on usage). One caveat. If you run this on cluster and some nodes
have `argon2` and some don't, it is possible that you cannot use the
credentials on those that don't. So keep your environments similar.

### Issues resolved

Close #4866, Fix #1237 (at least on OAuth2)
  • Loading branch information
bungle committed Mar 25, 2020
1 parent 46f933e commit 3b03783
Show file tree
Hide file tree
Showing 9 changed files with 537 additions and 10 deletions.
1 change: 1 addition & 0 deletions kong-2.0.2-0.rockspec
Original file line number Diff line number Diff line change
Expand Up @@ -228,6 +228,7 @@ build = {
["kong.plugins.oauth2.migrations.003_130_to_140"] = "kong/plugins/oauth2/migrations/003_130_to_140.lua",
["kong.plugins.oauth2.migrations.004_200_to_210"] = "kong/plugins/oauth2/migrations/004_200_to_210.lua",
["kong.plugins.oauth2.handler"] = "kong/plugins/oauth2/handler.lua",
["kong.plugins.oauth2.secret"] = "kong/plugins/oauth2/secret.lua",
["kong.plugins.oauth2.access"] = "kong/plugins/oauth2/access.lua",
["kong.plugins.oauth2.schema"] = "kong/plugins/oauth2/schema.lua",
["kong.plugins.oauth2.daos"] = "kong/plugins/oauth2/daos.lua",
Expand Down
42 changes: 33 additions & 9 deletions kong/plugins/oauth2/access.lua
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ local utils = require "kong.tools.utils"
local constants = require "kong.constants"
local sha256 = require "resty.sha256"
local timestamp = require "kong.tools.timestamp"
local secret = require "kong.plugins.oauth2.secret"


local kong = kong
Expand Down Expand Up @@ -566,17 +567,40 @@ local function issue_token(conf)
end

if client then
if client.client_type == CLIENT_TYPE_CONFIDENTIAL and client.client_secret ~= client_secret then
response_params = {
[ERROR] = "invalid_client",
error_description = "Invalid client authentication"
}
if from_authorization_header then
invalid_client_properties = {
status = 401,
www_authenticate = "Basic realm=\"OAuth2.0\""
if client.client_type == CLIENT_TYPE_CONFIDENTIAL then
local authenticated
if client.hash_secret then
authenticated = secret.verify(client_secret, client.client_secret)
if authenticated and secret.needs_rehash(client.client_secret) then
local pk = kong.db.oauth2_credentials.schema:extract_pk_values(client)
local ok, err = kong.db.oauth2_credentials:update(pk, {
client_secret = client_secret,
hash_secret = true,
})

if not ok then
kong.log.warn(err)
end
end

else
authenticated = client.client_secret == client_secret
end

if not authenticated then
response_params = {
[ERROR] = "invalid_client",
error_description = "Invalid client authentication"
}

if from_authorization_header then
invalid_client_properties = {
status = 401,
www_authenticate = "Basic realm=\"OAuth2.0\""
}
end
end

elseif client.client_type == CLIENT_TYPE_PUBLIC and strip(client_secret) ~= "" then
response_params = {
[ERROR] = "invalid_request",
Expand Down
20 changes: 20 additions & 0 deletions kong/plugins/oauth2/daos.lua
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
local url = require "socket.url"
local typedefs = require "kong.db.schema.typedefs"
local secret = require "kong.plugins.oauth2.secret"


local assert = assert


local function validate_uri(uri)
Expand Down Expand Up @@ -28,6 +32,7 @@ local oauth2_credentials = {
{ name = { type = "string", required = true }, },
{ client_id = { type = "string", required = false, unique = true, auto = true }, },
{ client_secret = { type = "string", required = false, auto = true }, },
{ hash_secret = { type = "boolean", required = true, default = false }, },
{ redirect_uris = {
type = "array",
required = false,
Expand All @@ -38,6 +43,21 @@ local oauth2_credentials = {
{ tags = typedefs.tags },
{ client_type = { type = "string", required = true, default = "confidential", one_of = { "confidential", "public" }, }, },
},
transformations = {
{
input = { "hash_secret" },
needs = { "client_secret" },
on_write = function(hash_secret, client_secret)
if not hash_secret then
return {}
end
local hash = assert(secret.hash(client_secret))
return {
client_secret = hash,
}
end,
},
},
}


Expand Down
8 changes: 8 additions & 0 deletions kong/plugins/oauth2/migrations/004_200_to_210.lua
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,13 @@ return {
EXCEPTION WHEN DUPLICATE_COLUMN THEN
-- Do nothing, accept existing state
END$$;
DO $$
BEGIN
ALTER TABLE IF EXISTS ONLY oauth2_credentials ADD hash_secret BOOLEAN;
EXCEPTION WHEN DUPLICATE_COLUMN THEN
-- Do nothing, accept existing state
END$$;
]],
},

Expand All @@ -29,6 +36,7 @@ return {
ALTER TABLE oauth2_authorization_codes ADD challenge text;
ALTER TABLE oauth2_authorization_codes ADD challenge_method text;
ALTER TABLE oauth2_credentials ADD client_type text;
ALTER TABLE oauth2_credentials ADD hash_secret boolean;
]],
},
}
Loading

0 comments on commit 3b03783

Please sign in to comment.