Merge #6 Telekom bearer token: additional secret

tsdicloud · tsdicloud · commit 74be00500d1e · 2023-08-23T11:04:22.000Z
diff --git a/lib/Command/UpsertProvider.php b/lib/Command/UpsertProvider.php
@@ -73,7 +73,7 @@ protected function configure() {
 			->addOption('mapping-quota', null, InputOption::VALUE_OPTIONAL, 'Attribute mapping of the quota')
 			->addOption('mapping-uid', null, InputOption::VALUE_OPTIONAL, 'Attribute mapping of the user id')
 			->addOption('extra-claims', null, InputOption::VALUE_OPTIONAL, 'Extra claims to request when getting tokens')
-
+			->addOption('bearersecret', 'bs', InputOption::VALUE_OPTIONAL, 'Telekom bearer token requires a different client secret for bearer tokens')
 			->addOption(
 				'output',
 				null,
@@ -100,11 +100,18 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 			return $this->listProviders($input, $output);
 		}
 
+		// bearersecret is usually base64 encoded, but SAM delivers it non-encoded
+		// by default; so always encode/decode for this field
+		$bearersecret = $input->getOption('bearersecret');
+		if ($bearersecret !== null) {
+			$bearersecret = $this->crypto->encrypt(\Base64Url\Base64Url::encode($bearersecret));
+		}
+
 		// check if any option for updating is provided
 		$updateOptions = array_filter($input->getOptions(), static function ($value, $option) {
 			return in_array($option, [
 				'identifier', 'clientid', 'clientsecret', 'discoveryuri',
-				'scope', 'unique-uid', 'check-bearer',
+				'scope', 'unique-uid', 'check-bearer', 'bearersecret',
 				'mapping-uid', 'mapping-display-name', 'mapping-email', 'mapping-quota',
 				'extra-claims'
 			]) && $value !== null;
@@ -146,7 +153,7 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 			$scope = $scope ?? 'openid email profile';
 		}
 		try {
-			$provider = $this->providerMapper->createOrUpdateProvider($identifier, $clientid, $clientsecret, $discoveryuri, $scope);
+			$provider = $this->providerMapper->createOrUpdateProvider($identifier, $clientid, $clientsecret, $discoveryuri, $scope, $bearersecret);
 			// invalidate JWKS cache (even if it was just created)
 			$this->providerService->setSetting($provider->getId(), ProviderService::SETTING_JWKS_CACHE, '');
 			$this->providerService->setSetting($provider->getId(), ProviderService::SETTING_JWKS_CACHE_TIMESTAMP, '');
diff --git a/lib/Db/Provider.php b/lib/Db/Provider.php
@@ -55,6 +55,9 @@ class Provider extends Entity implements \JsonSerializable {
 	/** @var string */
 	protected $scope;
 
+	/** @var string */
+	protected $bearerSecret;
+
 	/**
 	 * @return string
 	 */
diff --git a/lib/Db/ProviderMapper.php b/lib/Db/ProviderMapper.php
@@ -98,7 +98,7 @@ public function getProviders() {
 	 */
 	public function createOrUpdateProvider(string $identifier, string $clientid = null,
 									string $clientsecret = null, string $discoveryuri = null,
-									string $scope = 'openid email profile') {
+									string $scope = 'openid email profile', string $bearersecret = null) {
 		try {
 			$provider = $this->findProviderByIdentifier($identifier);
 		} catch (DoesNotExistException $eNotExist) {
@@ -115,6 +115,7 @@ public function createOrUpdateProvider(string $identifier, string $clientid = nu
 			$provider->setClientSecret($clientsecret);
 			$provider->setDiscoveryEndpoint($discoveryuri);
 			$provider->setScope($scope);
+			$provider->setBearerSecret($bearersecret ?? '');
 			return $this->insert($provider);
 		} else {
 			if ($clientid !== null) {
@@ -126,6 +127,9 @@ public function createOrUpdateProvider(string $identifier, string $clientid = nu
 			if ($discoveryuri !== null) {
 				$provider->setDiscoveryEndpoint($discoveryuri);
 			}
+			if ($bearerSecret !== null) {
+				$provider->setBearerSecret($bearersecret);
+			}
 			$provider->setScope($scope);
 			return $this->update($provider);
 		}
diff --git a/lib/Migration/Version00008Date20211114183344.php b/lib/Migration/Version00008Date20211114183344.php
@@ -0,0 +1,25 @@
+<?php
+
+declare(strict_types=1);
+
+namespace OCA\UserOIDC\Migration;
+
+use Closure;
+use OCP\DB\ISchemaWrapper;
+use OCP\Migration\IOutput;
+use OCP\Migration\SimpleMigrationStep;
+
+class Version00008Date20211114183344 extends SimpleMigrationStep {
+	public function changeSchema(IOutput $output, Closure $schemaClosure, array $options) {
+		/** @var ISchemaWrapper $schema */
+		$schema = $schemaClosure();
+
+		$table = $schema->getTable('user_oidc_providers');
+		$table->addColumn('bearer_secret', 'string', [
+			'notnull' => true,
+			'length' => 64,
+		]);
+
+		return $schema;
+	}
+}
