

Redact auth tokens in description methods
Resolves openid#77
CraigLn authored and WilliamDenniss committed Jun 29, 2018
1 parent 1dae3a1 commit a79e572
Showing 8 changed files with 93 additions and 10 deletions.
14 changes: 14 additions & 0 deletions AppAuth.xcodeproj/project.pbxproj
Expand Up @@ -395,6 +395,12 @@
60140F801DE4344200DA0DC3 /* OIDRegistrationResponse.m in Sources */ = {isa = PBXBuildFile; fileRef = 60140F7F1DE4344200DA0DC3 /* OIDRegistrationResponse.m */; };
60140F831DE43BAF00DA0DC3 /* OIDRegistrationRequestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 60140F821DE43BAF00DA0DC3 /* OIDRegistrationRequestTests.m */; };
60140F861DE43CC700DA0DC3 /* OIDRegistrationResponseTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 60140F851DE43CC700DA0DC3 /* OIDRegistrationResponseTests.m */; };
A5EEF29720D821120044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; };
A5EEF29820D8211A0044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; };
A5EEF29920D8211B0044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; };
A5EEF29A20D821960044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; };
A5EEF29B20D821970044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; };
A5EEF29C20D821970044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; };
A6339DAA20321ADD0043D1C9 /* OIDAuthorizationFlowSession.h in Headers */ = {isa = PBXBuildFile; fileRef = A6339DA3203211320043D1C9 /* OIDAuthorizationFlowSession.h */; settings = {ATTRIBUTES = (Public, ); }; };
A6339DAB20321AE50043D1C9 /* OIDAuthorizationFlowSession.h in Headers */ = {isa = PBXBuildFile; fileRef = A6339DA3203211320043D1C9 /* OIDAuthorizationFlowSession.h */; settings = {ATTRIBUTES = (Public, ); }; };
A6339DAC20321AE70043D1C9 /* OIDAuthorizationFlowSession.h in Headers */ = {isa = PBXBuildFile; fileRef = A6339DA3203211320043D1C9 /* OIDAuthorizationFlowSession.h */; settings = {ATTRIBUTES = (Public, ); }; };
Expand Down Expand Up @@ -600,6 +606,7 @@
60140F821DE43BAF00DA0DC3 /* OIDRegistrationRequestTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OIDRegistrationRequestTests.m; sourceTree = "<group>"; };
60140F841DE43C8C00DA0DC3 /* OIDRegistrationResponseTests.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = OIDRegistrationResponseTests.h; sourceTree = "<group>"; };
60140F851DE43CC700DA0DC3 /* OIDRegistrationResponseTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OIDRegistrationResponseTests.m; sourceTree = "<group>"; };
A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = OIDTokenUtilitiesTests.m; sourceTree = "<group>"; };
A6339DA3203211320043D1C9 /* OIDAuthorizationFlowSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OIDAuthorizationFlowSession.h; sourceTree = "<group>"; };
A6DEAB982018E4A20022AC32 /* OIDExternalUserAgent.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OIDExternalUserAgent.h; sourceTree = "<group>"; };
A6DEAB992018E4A20022AC32 /* OIDExternalUserAgentSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OIDExternalUserAgentSession.h; sourceTree = "<group>"; };
Expand Down Expand Up @@ -853,6 +860,7 @@
3417420E1C5D82D3000EF209 /* OIDTokenRequestTests.m */,
3417420F1C5D82D3000EF209 /* OIDTokenResponseTests.h */,
341742101C5D82D3000EF209 /* OIDTokenResponseTests.m */,
A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */,
341742111C5D82D3000EF209 /* OIDURLQueryComponentTests.h */,
341742121C5D82D3000EF209 /* OIDURLQueryComponentTests.m */,
341742131C5D82D3000EF209 /* OIDURLQueryComponentTestsIOS7.m */,
Expand Down Expand Up @@ -1567,6 +1575,7 @@
3417421A1C5D82D3000EF209 /* OIDGrantTypesTests.m in Sources */,
3417421B1C5D82D3000EF209 /* OIDResponseTypesTests.m in Sources */,
60140F831DE43BAF00DA0DC3 /* OIDRegistrationRequestTests.m in Sources */,
A5EEF29A20D821960044F470 /* OIDTokenUtilitiesTests.m in Sources */,
60140F861DE43CC700DA0DC3 /* OIDRegistrationResponseTests.m in Sources */,
341742191C5D82D3000EF209 /* OIDAuthStateTests.m in Sources */,
3417421D1C5D82D3000EF209 /* OIDServiceConfigurationTests.m in Sources */,
Expand All @@ -1579,6 +1588,7 @@
buildActionMask = 2147483647;
files = (
341AA50A1E7F3A9B00FCA5C6 /* OIDScopesTests.m in Sources */,
A5EEF29B20D821970044F470 /* OIDTokenUtilitiesTests.m in Sources */,
341AA50F1E7F3A9B00FCA5C6 /* OIDURLQueryComponentTests.m in Sources */,
341AA50B1E7F3A9B00FCA5C6 /* OIDServiceConfigurationTests.m in Sources */,
341AA50C1E7F3A9B00FCA5C6 /* OIDServiceDiscoveryTests.m in Sources */,
Expand All @@ -1600,6 +1610,7 @@
buildActionMask = 2147483647;
files = (
341AA4FD1E7F3A9400FCA5C6 /* OIDScopesTests.m in Sources */,
A5EEF29C20D821970044F470 /* OIDTokenUtilitiesTests.m in Sources */,
341AA5021E7F3A9400FCA5C6 /* OIDURLQueryComponentTests.m in Sources */,
341AA4FE1E7F3A9400FCA5C6 /* OIDServiceConfigurationTests.m in Sources */,
341AA4FF1E7F3A9400FCA5C6 /* OIDServiceDiscoveryTests.m in Sources */,
Expand Down Expand Up @@ -1697,6 +1708,7 @@
343AAA761E8346B400F9D36E /* OIDGrantTypesTests.m in Sources */,
34A6638E1E8865090060B664 /* OIDRPProfileCode.m in Sources */,
343AAA741E8346B400F9D36E /* OIDAuthorizationResponseTests.m in Sources */,
A5EEF29720D821120044F470 /* OIDTokenUtilitiesTests.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
Expand Down Expand Up @@ -1777,6 +1789,7 @@
343AAB821E8349CE00F9D36E /* OIDGrantTypesTests.m in Sources */,
34A6638F1E8865090060B664 /* OIDRPProfileCode.m in Sources */,
343AAB801E8349CE00F9D36E /* OIDAuthorizationResponseTests.m in Sources */,
A5EEF29820D8211A0044F470 /* OIDTokenUtilitiesTests.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
Expand Down Expand Up @@ -1833,6 +1846,7 @@
343AAB901E8349CF00F9D36E /* OIDGrantTypesTests.m in Sources */,
34A663901E8865090060B664 /* OIDRPProfileCode.m in Sources */,
343AAB8E1E8349CF00F9D36E /* OIDAuthorizationResponseTests.m in Sources */,
A5EEF29920D8211B0044F470 /* OIDTokenUtilitiesTests.m in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
};
7 changes: 4 additions & 3 deletions Source/OIDAuthState.m
Expand Up @@ -29,6 +29,7 @@
#import "OIDRegistrationResponse.h"
#import "OIDTokenRequest.h"
#import "OIDTokenResponse.h"
#import "OIDTokenUtilities.h"

/*! @brief Key used to encode the @c refreshToken property for @c NSSecureCoding.
*/
Expand Down Expand Up @@ -218,11 +219,11 @@ - (NSString *)description {
NSStringFromClass([self class]),
(void *)self,
(self.isAuthorized) ? @"YES" : @"NO",
_refreshToken,
[OIDTokenUtilities redact:_refreshToken],
_scope,
self.accessToken,
[OIDTokenUtilities redact:self.accessToken],
self.accessTokenExpirationDate,
self.idToken,
[OIDTokenUtilities redact:self.idToken],
_lastAuthorizationResponse,
_lastTokenResponse,
_lastRegistrationResponse,
5 changes: 3 additions & 2 deletions Source/OIDAuthorizationResponse.m
Expand Up @@ -23,6 +23,7 @@
#import "OIDError.h"
#import "OIDFieldMapping.h"
#import "OIDTokenRequest.h"
#import "OIDTokenUtilities.h"

/*! @brief The key for the @c authorizationCode property in the incoming parameters and for
@c NSSecureCoding.
Expand Down Expand Up @@ -181,10 +182,10 @@ - (NSString *)description {
(void *)self,
_authorizationCode,
_state,
_accessToken,
[OIDTokenUtilities redact:_accessToken],
_accessTokenExpirationDate,
_tokenType,
_idToken,
[OIDTokenUtilities redact:_idToken],
_scope,
_additionalParameters,
_request];
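Review bot: `_authorizationCode` (the context line just above `_state`) is still interpolated in full even though the commit redacts the access and ID tokens two lines below it; an authorization code is a short-lived credential that can be exchanged for tokens, so logging it carries much of the same risk this change addresses, and it should get the same treatment: `[OIDTokenUtilities redact:_authorizationCode],`. `_additionalParameters` is also printed unredacted here and in the OIDTokenResponse.m and OIDRegistrationResponse.m hunks; whether it can carry server-specific secrets cannot be told from this hunk, so at minimum the description method should document that extra parameters are logged verbatim. The description method's signature and format string lie outside the hunk.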
5 changes: 3 additions & 2 deletions Source/OIDRegistrationResponse.m
Expand Up @@ -22,6 +22,7 @@
#import "OIDDefines.h"
#import "OIDFieldMapping.h"
#import "OIDRegistrationRequest.h"
#import "OIDTokenUtilities.h"

NSString *const OIDClientIDParam = @"client_id";
NSString *const OIDClientIDIssuedAtParam = @"client_id_issued_at";
Expand Down Expand Up @@ -162,9 +163,9 @@ - (NSString *)description {
(void *)self,
_clientID,
_clientIDIssuedAt,
_clientSecret,
[OIDTokenUtilities redact:_clientSecret],
_clientSecretExpiresAt,
_registrationAccessToken,
[OIDTokenUtilities redact:_registrationAccessToken],
_registrationClientURI,
_additionalParameters,
_request];
7 changes: 4 additions & 3 deletions Source/OIDTokenResponse.m
Expand Up @@ -21,6 +21,7 @@
#import "OIDDefines.h"
#import "OIDFieldMapping.h"
#import "OIDTokenRequest.h"
#import "OIDTokenUtilities.h"

/*! @brief Key used to encode the @c request property for @c NSSecureCoding
*/
Expand Down Expand Up @@ -156,11 +157,11 @@ - (NSString *)description {
"scope: \"%@\", additionalParameters: %@, request: %@>",
NSStringFromClass([self class]),
(void *)self,
_accessToken,
[OIDTokenUtilities redact:_accessToken],
_accessTokenExpirationDate,
_tokenType,
_idToken,
_refreshToken,
[OIDTokenUtilities redact:_idToken],
[OIDTokenUtilities redact:_refreshToken],
_scope,
_additionalParameters,
_request];
6 changes: 6 additions & 0 deletions Source/OIDTokenUtilities.h
Expand Up @@ -50,6 +50,12 @@ NS_ASSUME_NONNULL_BEGIN
*/
+ (NSData *)sha265:(NSString *)inputString;

/*! @brief Truncated intput string after first 6 characters followed by ellipses
@param inputString The input string.
@return Truncated string.
*/
+ (nullable NSString *)redact:(nullable NSString *)inputString;

@end

NS_ASSUME_NONNULL_END
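Review bot: The doc comment on `redact:` does not match the implementation in OIDTokenUtilities.m: input of 1 to 8 characters comes back as `[redacted]` with no prefix and an empty string is returned unchanged, so "Truncated intput string after first 6 characters" only describes the long case, and it misspells "input" and uses "ellipses" for "ellipsis". Suggested wording: `@brief Redacts a secret for logging: returns nil for nil, an empty string for empty input, "[redacted]" for inputs of 1-8 characters, and otherwise the first 6 characters followed by "...[redacted]".` The `@return` line should likewise say "The redacted string, or nil if inputString is nil" rather than "Truncated string".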
15 changes: 15 additions & 0 deletions Source/OIDTokenUtilities.m
Expand Up @@ -48,4 +48,19 @@ + (NSData *)sha265:(NSString *)inputString {
return sha256Verifier;
}

+ (NSString *)redact:(NSString *)inputString {
if (inputString == nil) {
return nil;
}
switch(inputString.length){
case 0:
return @"";
case 1 ... 8:
return @"[redacted]";
case 9:
default:
return [[inputString substringToIndex:6] stringByAppendingString:@"...[redacted]"];
}
}

@end
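Review bot: The `case 9:` label in the switch is a no-op that falls straight into `default:` and should be dropped, or replaced by whatever boundary it was meant to make visible. On the boundary itself, a 9-character input has 6 of its 9 characters echoed, i.e. two-thirds of the secret, because the prefix length is fixed regardless of input length; consider emitting the prefix only when the input is substantially longer than it (or deriving the prefix length from the input length) and documenting the chosen threshold in a comment beside the switch. Style: `switch (inputString.length) {` with spaces follows the usual Cocoa spacing. `length` counts UTF-16 units, so `substringToIndex:6` can split a composed character; that is harmless for ASCII tokens but worth a one-line comment.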
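--- /dev/null
+++ b/UnitTests/OIDTokenUtilitiesTests.m
@@ -0,0 +1,44 @@
+/*! @file OIDTokenUtilities.m
+@brief AppAuth iOS SDK
+@copyright
+Copyright 2018 The AppAuth for iOS Authors. All Rights Reserved.
+@copydetails
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+#import <XCTest/XCTest.h>
+
+#import "Source/OIDTokenUtilities.h"
+
+
+@interface OIDTokenUtilitiesTests : XCTestCase
+@end
+@implementation OIDTokenUtilitiesTests
+
+- (void)testRedact {
+XCTAssertEqualObjects([OIDTokenUtilities redact:@"0123456789"], @"012345...[redacted]", @"");
+}
+
+- (void)testRedactWithNilParamater {
+XCTAssertEqualObjects([OIDTokenUtilities redact:nil], nil, @"");
+}
+
+- (void)testRedactWithEmptyString {
+XCTAssertEqualObjects([OIDTokenUtilities redact:@""], @"", @"");
+}
+
+- (void)testRedactWithShortInput {
+XCTAssertEqualObjects([OIDTokenUtilities redact:@"01234"], @"[redacted]", @"");
+}
+
+@end
+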
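Review bot: The file header says `@file OIDTokenUtilities.m` but this file is UnitTests/OIDTokenUtilitiesTests.m; the header should name the test file. The four tests cover 10, 0, nil and 5 characters but not the 8/9 boundary where `redact:` switches from full redaction to a 6-character prefix; adding `XCTAssertEqualObjects([OIDTokenUtilities redact:@"01234567"], @"[redacted]", @"");` and `XCTAssertEqualObjects([OIDTokenUtilities redact:@"012345678"], @"012345...[redacted]", @"");` pins that edge. `testRedactWithNilParamater` misspells "Parameter".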