Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: query by hashed signature only on access code table #3593

Merged
merged 3 commits into from
Aug 8, 2023
Merged

fix: query by hashed signature only on access code table #3593

merged 3 commits into from
Aug 8, 2023

Conversation

alnr
Copy link
Contributor

@alnr alnr commented Aug 3, 2023

No description provided.

@alnr alnr self-assigned this Aug 3, 2023
@codecov
Copy link

codecov bot commented Aug 3, 2023
edited
Loading

Codecov Report

Merging #3593 (2c465f5) into master (1a1f504) will decrease coverage by 0.08%.
The diff coverage is 63.01%.

❗ Current head 2c465f5 differs from pull request most recent head cfd4f0f. Consider uploading reports for the commit cfd4f0f to get more accurate results

@@            Coverage Diff             @@
##           master    #3593      +/-   ##
==========================================
- Coverage   76.32%   76.24%   -0.08%     
==========================================
  Files         132      132              
  Lines        9879     9901      +22     
==========================================
+ Hits         7540     7549       +9     
- Misses       1824     1837      +13     
  Partials      515      515
Files Changed Coverage Δ
cmd/server/handler.go 1.33% <0.00%> (-0.04%) ⬇️
consent/handler.go 65.07% <ø> (+0.90%) ⬆️
x/clean_sql.go 90.90% <0.00%> (-0.21%) ⬇️
persistence/sql/persister_oauth2.go 82.09% <60.78%> (-3.44%) ⬇️
consent/strategy_default.go 68.97% <100.00%> (+0.47%) ⬆️

hperl
hperl requested changes Aug 3, 2023
View reviewed changes
Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You found all the right places, but the hasing only applies to access tokens (and the respective table), not all the other tables (refresh, id, code, pkce, oidc).

persistence/sql/persister_oauth2.go Show resolved Hide resolved
persistence/sql/persister_oauth2.go Show resolved Hide resolved
persistence/sql/persister_oauth2.go Outdated
err = sqlcon.HandleError(
p.QueryWithNetwork(ctx).
Where("signature IN (?, ?)", signature, SignatureHash(signature)).
Where("signature = ?", SignatureHash(signature)).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Where("signature = ?", SignatureHash(signature)).
Where("signature = ?", signature).

persistence/sql/persister_oauth2.go Outdated
fmt.Sprintf("UPDATE %s SET active=false WHERE signature=? AND nid = ?", OAuth2RequestSQL{Table: sqlTableCode}.TableName()),
signature,
fmt.Sprintf("UPDATE %s SET active = false WHERE signature = ? AND nid = ?", OAuth2RequestSQL{Table: sqlTableCode}.TableName()),
SignatureHash(signature),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to hash because authorization code signatures are not hashed.

persistence/sql/persister_nid_test.go Outdated
@@ -1448,12 +1450,12 @@ func (s *PersisterTestSuite) TestInvalidateAuthorizeCodeSession() {

require.NoError(t, r.Persister().InvalidateAuthorizeCodeSession(s.t2, sig))
actual := persistencesql.OAuth2RequestSQL{Table: "code"}
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, sig))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, persistencesql.SignatureHash(sig)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change not needed.

persistence/sql/persister_nid_test.go Outdated
@@ -1748,10 +1750,10 @@ func (s *PersisterTestSuite) TestRevokeRefreshToken() {
actual := persistencesql.OAuth2RequestSQL{Table: "refresh"}

require.NoError(t, r.Persister().RevokeRefreshToken(s.t2, request.ID))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, persistencesql.SignatureHash(signature)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change not needed.

persistence/sql/persister_nid_test.go Outdated
require.Equal(t, true, actual.Active)
require.NoError(t, r.Persister().RevokeRefreshToken(s.t1, request.ID))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, persistencesql.SignatureHash(signature)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change not needed.

persistence/sql/persister_nid_test.go Outdated
@@ -1778,10 +1780,10 @@ func (s *PersisterTestSuite) TestRevokeRefreshTokenMaybeGracePeriod() {
}

require.NoError(t, store.RevokeRefreshTokenMaybeGracePeriod(s.t2, request.ID, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, persistencesql.SignatureHash(signature)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change not needed.

persistence/sql/persister_nid_test.go Outdated
require.Equal(t, true, actual.Active)
require.NoError(t, store.RevokeRefreshTokenMaybeGracePeriod(s.t1, request.ID, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, persistencesql.SignatureHash(signature)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change not needed.

persistence/sql/persister_nid_test.go Show resolved Hide resolved
@aeneasr
Copy link
Member

aeneasr commented Aug 3, 2023

Doesn't this break BC @hperl ?

@alnr alnr changed the title fix: don't query by raw signature fix: query by hashed signature only on access code table Aug 3, 2023
@alnr alnr marked this pull request as ready for review August 4, 2023 08:34
@alnr alnr requested a review from aeneasr as a code owner August 4, 2023 08:34
alnr
alnr commented Aug 4, 2023
View reviewed changes
consent/handler.go Show resolved Hide resolved
@hperl
Copy link
Contributor

hperl commented Aug 4, 2023

Doesn't this break BC @hperl ?

This should not not break backwards compatibility. We introduced undconditionally hashing all new access token signatures (before, we hashed only JWT access tokens). We kept the lookup for the raw signature in place so that old access tokens could still be found.

Since some time has passed, all current access tokens should have a hashed signature already, so removing the additional lookup for the raw signature can be removed safely.

hperl
hperl previously approved these changes Aug 4, 2023
View reviewed changes
Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@aeneasr
Copy link
Member

aeneasr commented Aug 4, 2023
edited
Loading

Since some time has passed, all current access tokens should have a hashed signature already, so removing the additional lookup for the raw signature can be removed safely.

So it does have BC implications and those simply don't apply ONLY if you no longer have active tokens in the store. Scenarios where this isn't the case:

  • Someone upgrading from hydra pre-hash to this version without running the interim version for a while. We have at least one customer I know that could run into this.
  • Someone running (unreasonably high) TTLs for their access tokens

Have we verified that there is indeed no active tokens in Ory Network any more that would be affected by this?

hperl
hperl previously approved these changes Aug 8, 2023
View reviewed changes
Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

aeneasr
aeneasr previously approved these changes Aug 8, 2023
View reviewed changes
@alnr alnr requested review from aeneasr and hperl August 8, 2023 09:23
@alnr alnr merged commit 6741a49 into master Aug 8, 2023
28 checks passed
@alnr alnr deleted the query-raw-sig branch August 8, 2023 14:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr approved these changes

@hperl hperl hperl approved these changes

Assignees

@alnr alnr

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alnr @aeneasr @hperl