[oauth2_provider] Hash access and refresh tokens (ansible#641)

Previously, OAuth2 Access tokens including PATs were not hashed or
encrypted in any way, and were stored in plaintext in the database.
Seeing them required direct database access, but it is still better to
hash them, since they are long-lived.

This commit implements hashing (using sha256) of access tokens. Hashing
is unsalted, as we need to be able to key on a stable input - but also
because the tokens are already random strings and a salt adds nothing
more of security.

The input bearer token (used to auth a user) is hashed in
LoggedOAuth2Authentication and stuffed back into the request. This might
seem like a weird place to inject the hash, but it avoids having to
override any DOT internals.

The serializer has been updated to account for the new functionality and
still works the same way as in the past: On POST (new token creation),
the token will be displayed -- after that it will not.

Test fixtures and tests have been updated as well.

---------

Signed-off-by: Rick Elrod <[email protected]>

Author: relrod

ansible_base/lib/utils/hashing.py

@@ -16,3 +16,18 @@ def hash_serializer_data(instance: Model, serializer: Type[Serializer], field: O
         serialized_data = serialized_data[field]
     metadata_json = json.dumps(serialized_data, sort_keys=True).encode("utf-8")
     return hasher(metadata_json).hexdigest()
+
+
+def hash_string(inp: str, hasher: Callable = hashlib.sha256, algo=""):
+    """
+    Takes a string and hashes it with the given hasher function.
+    If algo is given, it is prepended to the hash between dollar signs ($)
+    before the hash is returned.
+
+    NOTE: There is no salt or pepper here, so this is not secure for passwords.
+    It is, however, useful for *random* strings like tokens, that need to be secured.
+    """
+    hash = hasher(inp.encode("utf-8")).hexdigest()
+    if algo:
+        return f"${algo}${hash}"
+    return hash

ansible_base/oauth2_provider/authentication.py

@@ -1,10 +1,13 @@
+import hashlib
 import logging
 
 from django.utils.encoding import smart_str
 from oauth2_provider.contrib.rest_framework import OAuth2Authentication
 from oauth2_provider.oauth2_backends import OAuthLibCore as _OAuthLibCore
 from rest_framework.exceptions import UnsupportedMediaType
 
+from ansible_base.lib.utils.hashing import hash_string
+
 logger = logging.getLogger('ansible_base.oauth2_provider.authentication')
 
 
@@ -18,7 +21,24 @@ def extract_body(self, request):
 
 class LoggedOAuth2Authentication(OAuth2Authentication):
     def authenticate(self, request):
-        ret = super().authenticate(request)
+        # sha256 the bearer token. We store the hash in the database
+        # and this gives us a place to hash the incoming token for comparison
+        did_hash_token = False
+        bearer_token = request.META.get('HTTP_AUTHORIZATION')
+        if bearer_token and bearer_token.lower().startswith('bearer '):
+            token_component = bearer_token.split(' ', 1)[1]
+            hashed = hash_string(token_component, hasher=hashlib.sha256, algo="sha256")
+            did_hash_token = True
+            request.META['HTTP_AUTHORIZATION'] = f"Bearer {hashed}"
+
+        # We don't /really/ want to modify the request, so after we're done authing,
+        # revert what we did above.
+        try:
+            ret = super().authenticate(request)
+        finally:
+            if did_hash_token:
+                request.META['HTTP_AUTHORIZATION'] = bearer_token
+
         if ret:
             user, token = ret
             username = user.username if user else '<none>'

ansible_base/oauth2_provider/fixtures.py

@@ -1,9 +1,11 @@
+import hashlib
 from datetime import datetime, timezone
 
 import pytest
 from oauthlib.common import generate_token
 
 from ansible_base.lib.testing.fixtures import copy_fixture
+from ansible_base.lib.utils.hashing import hash_string
 from ansible_base.lib.utils.response import get_relative_url
 from ansible_base.oauth2_provider.models import OAuth2AccessToken, OAuth2Application
 
@@ -62,10 +64,18 @@ def oauth2_application_password(randname):
 
 @pytest.fixture
 def oauth2_admin_access_token(oauth2_application, admin_api_client, admin_user):
+    """
+    3-tuple with (token object with hashed token, plaintext token, plaintext_refresh_token)
+    """
     url = get_relative_url('token-list')
     response = admin_api_client.post(url, {'application': oauth2_application[0].pk})
     assert response.status_code == 201
-    return OAuth2AccessToken.objects.get(token=response.data['token'])
+
+    plaintext_token = response.data['token']
+    plaintext_refresh_token = response.data['refresh_token']
+    hashed_token = hash_string(plaintext_token, hasher=hashlib.sha256, algo="sha256")
+    token = OAuth2AccessToken.objects.get(token=hashed_token)
+    return (token, plaintext_token, plaintext_refresh_token)
 
 
 @copy_fixture(copies=3)

ansible_base/oauth2_provider/management/commands/create_oauth2_token.py

@@ -31,5 +31,5 @@ def __init__(self):
                 self.user = user
 
         serializer_obj.context['request'] = FakeRequest()
-        token_record = serializer_obj.create(config)
-        self.stdout.write(token_record.token)
+        serializer_obj.create(config)
+        self.stdout.write(serializer_obj.unencrypted_token)

ansible_base/oauth2_provider/migrations/0005_hash_existing_tokens.py

@@ -0,0 +1,13 @@
+from django.db import migrations
+
+from ansible_base.oauth2_provider.migrations._utils import hash_tokens
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("dab_oauth2_provider", "0004_alter_oauth2accesstoken_scope"),
+    ]
+
+    operations = [
+        migrations.RunPython(hash_tokens),
+    ]

ansible_base/oauth2_provider/migrations/_utils.py

@@ -0,0 +1,16 @@
+import hashlib
+
+from ansible_base.lib.utils.hashing import hash_string
+
+
+def hash_tokens(apps, schema_editor):
+    OAuth2AccessToken = apps.get_model("dab_oauth2_provider", "OAuth2AccessToken")
+    OAuth2RefreshToken = apps.get_model("dab_oauth2_provider", "OAuth2RefreshToken")
+    for model in (OAuth2AccessToken, OAuth2RefreshToken):
+        for token in model.objects.all():
+            # Never re-hash a hashed token
+            if token.token.startswith("$"):
+                continue
+            hashed = hash_string(token.token, hasher=hashlib.sha256, algo="sha256")
+            token.token = hashed
+            token.save()

ansible_base/oauth2_provider/models/access_token.py

@@ -1,3 +1,5 @@
+import hashlib
+
 import oauth2_provider.models as oauth2_models
 from django.conf import settings
 from django.core.exceptions import ValidationError
@@ -7,6 +9,7 @@
 from oauthlib import oauth2
 
 from ansible_base.lib.abstract_models.common import CommonModel
+from ansible_base.lib.utils.hashing import hash_string
 from ansible_base.lib.utils.models import prevent_search
 from ansible_base.lib.utils.settings import get_setting
 from ansible_base.oauth2_provider.utils import is_external_account
@@ -103,4 +106,5 @@ def validate_external_users(self):
     def save(self, *args, **kwargs):
         if not self.pk:
             self.validate_external_users()
+            self.token = hash_string(self.token, hasher=hashlib.sha256, algo="sha256")
         super().save(*args, **kwargs)

ansible_base/oauth2_provider/models/refresh_token.py

@@ -1,9 +1,12 @@
+import hashlib
+
 import oauth2_provider.models as oauth2_models
 from django.conf import settings
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
 from ansible_base.lib.abstract_models.common import CommonModel
+from ansible_base.lib.utils.hashing import hash_string
 from ansible_base.lib.utils.models import prevent_search
 
 activitystream = object
@@ -21,3 +24,8 @@ class Meta(oauth2_models.AbstractRefreshToken.Meta):
 
     token = prevent_search(models.CharField(max_length=255))
     updated = None  # Tracked in CommonModel with 'modified', no need for this
+
+    def save(self, *args, **kwargs):
+        if not self.pk:
+            self.token = hash_string(self.token, hasher=hashlib.sha256, algo="sha256")
+        super().save(*args, **kwargs)

ansible_base/oauth2_provider/serializers/token.py

@@ -20,9 +20,11 @@
 logger = logging.getLogger("ansible_base.oauth2_provider.serializers.token")
 
 
-class BaseOAuth2TokenSerializer(CommonModelSerializer):
+class OAuth2TokenSerializer(CommonModelSerializer):
     refresh_token = SerializerMethodField()
-    token = SerializerMethodField()
+
+    unencrypted_token = None  # Only used in POST so we can return the token in the response
+    unencrypted_refresh_token = None  # Only used in POST so we can return the refresh token in the response
 
     class Meta:
         model = OAuth2AccessToken
@@ -40,23 +42,23 @@ class Meta:
         read_only_fields = ('user', 'token', 'expires', 'refresh_token')
         extra_kwargs = {'scope': {'allow_null': False, 'required': False}, 'user': {'allow_null': False, 'required': True}}
 
-    def get_token(self, obj) -> str:
-        request = self.context.get('request')
-        try:
-            if request and request.method == 'POST':
-                return obj.token
-            else:
-                return ENCRYPTED_STRING
-        except ObjectDoesNotExist:
-            return ''
+    def to_representation(self, instance):
+        request = self.context.get('request', None)
+        ret = super().to_representation(instance)
+        if request and request.method == 'POST':
+            # If we're creating the token, show it. Otherwise, show the encrypted string.
+            ret['token'] = self.unencrypted_token
+        else:
+            ret['token'] = ENCRYPTED_STRING
+        return ret
 
     def get_refresh_token(self, obj) -> Optional[str]:
         request = self.context.get('request')
         try:
             if not obj.refresh_token:
                 return None
             elif request and request.method == 'POST':
-                return getattr(obj.refresh_token, 'token', '')
+                return self.unencrypted_refresh_token
             else:
                 return ENCRYPTED_STRING
         except ObjectDoesNotExist:
@@ -78,26 +80,30 @@ def validate_scope(self, value):
             raise ValidationError(_('Must be a simple space-separated string with allowed scopes {}.').format(SCOPES))
         return value
 
-    def create(self, validated_data):
-        validated_data['user'] = self.context['request'].user
-        try:
-            return super().create(validated_data)
-        except AccessDeniedError as e:
-            raise PermissionDenied(str(e))
-
-
-class OAuth2TokenSerializer(BaseOAuth2TokenSerializer):
     def create(self, validated_data):
         current_user = get_current_user()
         validated_data['token'] = generate_token()
         expires_delta = get_setting('OAUTH2_PROVIDER', {}).get('ACCESS_TOKEN_EXPIRE_SECONDS', 0)
         if expires_delta == 0:
             logger.warning("OAUTH2_PROVIDER.ACCESS_TOKEN_EXPIRE_SECONDS was set to 0, creating token that has already expired")
         validated_data['expires'] = now() + timedelta(seconds=expires_delta)
-        obj = super().create(validated_data)
+        validated_data['user'] = self.context['request'].user
+        self.unencrypted_token = validated_data.get('token')  # Before it is hashed
+
+        try:
+            obj = super().create(validated_data)
+        except AccessDeniedError as e:
+            raise PermissionDenied(str(e))
+
         if obj.application and obj.application.user:
             obj.user = obj.application.user
         obj.save()
         if obj.application:
-            OAuth2RefreshToken.objects.create(user=current_user, token=generate_token(), application=obj.application, access_token=obj)
+            self.unencrypted_refresh_token = generate_token()
+            OAuth2RefreshToken.objects.create(
+                user=current_user,
+                token=self.unencrypted_refresh_token,
+                application=obj.application,
+                access_token=obj,
+            )
         return obj

ansible_base/oauth2_provider/views/token.py

@@ -1,10 +1,12 @@
+import hashlib
 from datetime import timedelta
 
 from django.utils.timezone import now
 from oauth2_provider import views as oauth_views
 from oauthlib import oauth2
 from rest_framework.viewsets import ModelViewSet
 
+from ansible_base.lib.utils.hashing import hash_string
 from ansible_base.lib.utils.settings import get_setting
 from ansible_base.lib.utils.views.django_app_api import AnsibleBaseDjangoAppApiView
 from ansible_base.oauth2_provider.models import OAuth2AccessToken, OAuth2RefreshToken
@@ -28,7 +30,8 @@ def create_token_response(self, request):
         # This code detects and auto-expires them on refresh grant
         # requests.
         if request.POST.get('grant_type') == 'refresh_token' and 'refresh_token' in request.POST:
-            refresh_token = OAuth2RefreshToken.objects.filter(token=request.POST['refresh_token']).first()
+            hashed_refresh_token = hash_string(request.POST['refresh_token'], hasher=hashlib.sha256, algo="sha256")
+            refresh_token = OAuth2RefreshToken.objects.filter(token=hashed_refresh_token).first()
             if refresh_token:
                 expire_seconds = get_setting('OAUTH2_PROVIDER', {}).get('REFRESH_TOKEN_EXPIRE_SECONDS', 0)
                 if refresh_token.created + timedelta(seconds=expire_seconds) < now():
@@ -38,7 +41,23 @@ def create_token_response(self, request):
 
         # oauth2_provider.oauth2_backends.OAuthLibCore.create_token_response
         # (we override this so we can implement our own error handling to be compatible with AWX)
-        uri, http_method, body, headers = core._extract_params(request)
+
+        # This is really, really ugly. Modify the request to hash the refresh_token
+        # but only long enough for the oauth lib to do its magic.
+        did_hash_refresh_token = False
+        old_post = request.POST
+        if 'refresh_token' in request.POST:
+            did_hash_refresh_token = True
+            request.POST = request.POST.copy()  # so it's mutable
+            hashed_refresh_token = hash_string(request.POST['refresh_token'], hasher=hashlib.sha256, algo="sha256")
+            request.POST['refresh_token'] = hashed_refresh_token
+
+        try:
+            uri, http_method, body, headers = core._extract_params(request)
+        finally:
+            if did_hash_refresh_token:
+                request.POST = old_post
+
         extra_credentials = core._get_extra_credentials(request)
         try:
             headers, body, status = core.server.create_token_response(uri, http_method, body, headers, extra_credentials)