Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: query by hashed signature only on access code table #3593

Merged
merged 3 commits into from
Aug 8, 2023
Merged

Conversation

alnr
Copy link
Contributor

@alnr alnr commented Aug 3, 2023

No description provided.

@alnr alnr self-assigned this Aug 3, 2023
@codecov
Copy link

codecov bot commented Aug 3, 2023

Codecov Report

Merging #3593 (2c465f5) into master (1a1f504) will decrease coverage by 0.08%.
The diff coverage is 63.01%.

❗ Current head 2c465f5 differs from pull request most recent head cfd4f0f. Consider uploading reports for the commit cfd4f0f to get more accurate results

@@            Coverage Diff             @@
##           master    #3593      +/-   ##
==========================================
- Coverage   76.32%   76.24%   -0.08%     
==========================================
  Files         132      132              
  Lines        9879     9901      +22     
==========================================
+ Hits         7540     7549       +9     
- Misses       1824     1837      +13     
  Partials      515      515              
Files Changed Coverage Δ
cmd/server/handler.go 1.33% <0.00%> (-0.04%) ⬇️
consent/handler.go 65.07% <ø> (+0.90%) ⬆️
x/clean_sql.go 90.90% <0.00%> (-0.21%) ⬇️
persistence/sql/persister_oauth2.go 82.09% <60.78%> (-3.44%) ⬇️
consent/strategy_default.go 68.97% <100.00%> (+0.47%) ⬆️

Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You found all the right places, but the hasing only applies to access tokens (and the respective table), not all the other tables (refresh, id, code, pkce, oidc).

persistence/sql/persister_oauth2.go Show resolved Hide resolved
persistence/sql/persister_oauth2.go Show resolved Hide resolved
err = sqlcon.HandleError(
p.QueryWithNetwork(ctx).
Where("signature IN (?, ?)", signature, SignatureHash(signature)).
Where("signature = ?", SignatureHash(signature)).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Where("signature = ?", SignatureHash(signature)).
Where("signature = ?", signature).

fmt.Sprintf("UPDATE %s SET active=false WHERE signature=? AND nid = ?", OAuth2RequestSQL{Table: sqlTableCode}.TableName()),
signature,
fmt.Sprintf("UPDATE %s SET active = false WHERE signature = ? AND nid = ?", OAuth2RequestSQL{Table: sqlTableCode}.TableName()),
SignatureHash(signature),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to hash because authorization code signatures are not hashed.

@@ -1448,12 +1450,12 @@ func (s *PersisterTestSuite) TestInvalidateAuthorizeCodeSession() {

require.NoError(t, r.Persister().InvalidateAuthorizeCodeSession(s.t2, sig))
actual := persistencesql.OAuth2RequestSQL{Table: "code"}
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, sig))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, persistencesql.SignatureHash(sig)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change not needed.

@@ -1748,10 +1750,10 @@ func (s *PersisterTestSuite) TestRevokeRefreshToken() {
actual := persistencesql.OAuth2RequestSQL{Table: "refresh"}

require.NoError(t, r.Persister().RevokeRefreshToken(s.t2, request.ID))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, persistencesql.SignatureHash(signature)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change not needed.

require.Equal(t, true, actual.Active)
require.NoError(t, r.Persister().RevokeRefreshToken(s.t1, request.ID))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, persistencesql.SignatureHash(signature)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change not needed.

@@ -1778,10 +1780,10 @@ func (s *PersisterTestSuite) TestRevokeRefreshTokenMaybeGracePeriod() {
}

require.NoError(t, store.RevokeRefreshTokenMaybeGracePeriod(s.t2, request.ID, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, persistencesql.SignatureHash(signature)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change not needed.

require.Equal(t, true, actual.Active)
require.NoError(t, store.RevokeRefreshTokenMaybeGracePeriod(s.t1, request.ID, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, signature))
require.NoError(t, r.Persister().Connection(context.Background()).Find(&actual, persistencesql.SignatureHash(signature)))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change not needed.

persistence/sql/persister_nid_test.go Show resolved Hide resolved
@aeneasr
Copy link
Member

aeneasr commented Aug 3, 2023

Doesn't this break BC @hperl ?

@alnr alnr changed the title fix: don't query by raw signature fix: query by hashed signature only on access code table Aug 3, 2023
@alnr alnr marked this pull request as ready for review August 4, 2023 08:34
@alnr alnr requested a review from aeneasr as a code owner August 4, 2023 08:34
consent/handler.go Show resolved Hide resolved
@hperl
Copy link
Contributor

hperl commented Aug 4, 2023

Doesn't this break BC @hperl ?

This should not not break backwards compatibility. We introduced undconditionally hashing all new access token signatures (before, we hashed only JWT access tokens). We kept the lookup for the raw signature in place so that old access tokens could still be found.

Since some time has passed, all current access tokens should have a hashed signature already, so removing the additional lookup for the raw signature can be removed safely.

hperl
hperl previously approved these changes Aug 4, 2023
Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@aeneasr
Copy link
Member

aeneasr commented Aug 4, 2023

Since some time has passed, all current access tokens should have a hashed signature already, so removing the additional lookup for the raw signature can be removed safely.

So it does have BC implications and those simply don't apply ONLY if you no longer have active tokens in the store. Scenarios where this isn't the case:

  • Someone upgrading from hydra pre-hash to this version without running the interim version for a while. We have at least one customer I know that could run into this.
  • Someone running (unreasonably high) TTLs for their access tokens

Have we verified that there is indeed no active tokens in Ory Network any more that would be affected by this?

hperl
hperl previously approved these changes Aug 8, 2023
Copy link
Contributor

@hperl hperl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

aeneasr
aeneasr previously approved these changes Aug 8, 2023
@alnr alnr merged commit 6741a49 into master Aug 8, 2023
@alnr alnr deleted the query-raw-sig branch August 8, 2023 14:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants