From a79e572fd952e679055f680522310a54408c6a27 Mon Sep 17 00:00:00 2001 From: Craig Lane Date: Thu, 28 Jun 2018 21:48:13 -0500 Subject: [PATCH] Redact auth tokens in description methods Resolves #77 --- AppAuth.xcodeproj/project.pbxproj | 14 ++++++++++ Source/OIDAuthState.m | 7 +++-- Source/OIDAuthorizationResponse.m | 5 ++-- Source/OIDRegistrationResponse.m | 5 ++-- Source/OIDTokenResponse.m | 7 +++-- Source/OIDTokenUtilities.h | 6 ++++ Source/OIDTokenUtilities.m | 15 ++++++++++ UnitTests/OIDTokenUtilitiesTests.m | 44 ++++++++++++++++++++++++++++++ 8 files changed, 93 insertions(+), 10 deletions(-) create mode 100644 UnitTests/OIDTokenUtilitiesTests.m diff --git a/AppAuth.xcodeproj/project.pbxproj b/AppAuth.xcodeproj/project.pbxproj index cae0dfed5..baf27bf61 100644 --- a/AppAuth.xcodeproj/project.pbxproj +++ b/AppAuth.xcodeproj/project.pbxproj @@ -395,6 +395,12 @@ 60140F801DE4344200DA0DC3 /* OIDRegistrationResponse.m in Sources */ = {isa = PBXBuildFile; fileRef = 60140F7F1DE4344200DA0DC3 /* OIDRegistrationResponse.m */; }; 60140F831DE43BAF00DA0DC3 /* OIDRegistrationRequestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 60140F821DE43BAF00DA0DC3 /* OIDRegistrationRequestTests.m */; }; 60140F861DE43CC700DA0DC3 /* OIDRegistrationResponseTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 60140F851DE43CC700DA0DC3 /* OIDRegistrationResponseTests.m */; }; + A5EEF29720D821120044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; }; + A5EEF29820D8211A0044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; }; + A5EEF29920D8211B0044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; }; + A5EEF29A20D821960044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; }; + A5EEF29B20D821970044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; }; + A5EEF29C20D821970044F470 /* OIDTokenUtilitiesTests.m in Sources */ = {isa = PBXBuildFile; fileRef = A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */; }; A6339DAA20321ADD0043D1C9 /* OIDAuthorizationFlowSession.h in Headers */ = {isa = PBXBuildFile; fileRef = A6339DA3203211320043D1C9 /* OIDAuthorizationFlowSession.h */; settings = {ATTRIBUTES = (Public, ); }; }; A6339DAB20321AE50043D1C9 /* OIDAuthorizationFlowSession.h in Headers */ = {isa = PBXBuildFile; fileRef = A6339DA3203211320043D1C9 /* OIDAuthorizationFlowSession.h */; settings = {ATTRIBUTES = (Public, ); }; }; A6339DAC20321AE70043D1C9 /* OIDAuthorizationFlowSession.h in Headers */ = {isa = PBXBuildFile; fileRef = A6339DA3203211320043D1C9 /* OIDAuthorizationFlowSession.h */; settings = {ATTRIBUTES = (Public, ); }; }; @@ -600,6 +606,7 @@ 60140F821DE43BAF00DA0DC3 /* OIDRegistrationRequestTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OIDRegistrationRequestTests.m; sourceTree = ""; }; 60140F841DE43C8C00DA0DC3 /* OIDRegistrationResponseTests.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = OIDRegistrationResponseTests.h; sourceTree = ""; }; 60140F851DE43CC700DA0DC3 /* OIDRegistrationResponseTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OIDRegistrationResponseTests.m; sourceTree = ""; }; + A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = OIDTokenUtilitiesTests.m; sourceTree = ""; }; A6339DA3203211320043D1C9 /* OIDAuthorizationFlowSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OIDAuthorizationFlowSession.h; sourceTree = ""; }; A6DEAB982018E4A20022AC32 /* OIDExternalUserAgent.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OIDExternalUserAgent.h; sourceTree = ""; }; A6DEAB992018E4A20022AC32 /* OIDExternalUserAgentSession.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OIDExternalUserAgentSession.h; sourceTree = ""; }; @@ -853,6 +860,7 @@ 3417420E1C5D82D3000EF209 /* OIDTokenRequestTests.m */, 3417420F1C5D82D3000EF209 /* OIDTokenResponseTests.h */, 341742101C5D82D3000EF209 /* OIDTokenResponseTests.m */, + A5EEF1FD20CF07760044F470 /* OIDTokenUtilitiesTests.m */, 341742111C5D82D3000EF209 /* OIDURLQueryComponentTests.h */, 341742121C5D82D3000EF209 /* OIDURLQueryComponentTests.m */, 341742131C5D82D3000EF209 /* OIDURLQueryComponentTestsIOS7.m */, @@ -1567,6 +1575,7 @@ 3417421A1C5D82D3000EF209 /* OIDGrantTypesTests.m in Sources */, 3417421B1C5D82D3000EF209 /* OIDResponseTypesTests.m in Sources */, 60140F831DE43BAF00DA0DC3 /* OIDRegistrationRequestTests.m in Sources */, + A5EEF29A20D821960044F470 /* OIDTokenUtilitiesTests.m in Sources */, 60140F861DE43CC700DA0DC3 /* OIDRegistrationResponseTests.m in Sources */, 341742191C5D82D3000EF209 /* OIDAuthStateTests.m in Sources */, 3417421D1C5D82D3000EF209 /* OIDServiceConfigurationTests.m in Sources */, @@ -1579,6 +1588,7 @@ buildActionMask = 2147483647; files = ( 341AA50A1E7F3A9B00FCA5C6 /* OIDScopesTests.m in Sources */, + A5EEF29B20D821970044F470 /* OIDTokenUtilitiesTests.m in Sources */, 341AA50F1E7F3A9B00FCA5C6 /* OIDURLQueryComponentTests.m in Sources */, 341AA50B1E7F3A9B00FCA5C6 /* OIDServiceConfigurationTests.m in Sources */, 341AA50C1E7F3A9B00FCA5C6 /* OIDServiceDiscoveryTests.m in Sources */, @@ -1600,6 +1610,7 @@ buildActionMask = 2147483647; files = ( 341AA4FD1E7F3A9400FCA5C6 /* OIDScopesTests.m in Sources */, + A5EEF29C20D821970044F470 /* OIDTokenUtilitiesTests.m in Sources */, 341AA5021E7F3A9400FCA5C6 /* OIDURLQueryComponentTests.m in Sources */, 341AA4FE1E7F3A9400FCA5C6 /* OIDServiceConfigurationTests.m in Sources */, 341AA4FF1E7F3A9400FCA5C6 /* OIDServiceDiscoveryTests.m in Sources */, @@ -1697,6 +1708,7 @@ 343AAA761E8346B400F9D36E /* OIDGrantTypesTests.m in Sources */, 34A6638E1E8865090060B664 /* OIDRPProfileCode.m in Sources */, 343AAA741E8346B400F9D36E /* OIDAuthorizationResponseTests.m in Sources */, + A5EEF29720D821120044F470 /* OIDTokenUtilitiesTests.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -1777,6 +1789,7 @@ 343AAB821E8349CE00F9D36E /* OIDGrantTypesTests.m in Sources */, 34A6638F1E8865090060B664 /* OIDRPProfileCode.m in Sources */, 343AAB801E8349CE00F9D36E /* OIDAuthorizationResponseTests.m in Sources */, + A5EEF29820D8211A0044F470 /* OIDTokenUtilitiesTests.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -1833,6 +1846,7 @@ 343AAB901E8349CF00F9D36E /* OIDGrantTypesTests.m in Sources */, 34A663901E8865090060B664 /* OIDRPProfileCode.m in Sources */, 343AAB8E1E8349CF00F9D36E /* OIDAuthorizationResponseTests.m in Sources */, + A5EEF29920D8211B0044F470 /* OIDTokenUtilitiesTests.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; diff --git a/Source/OIDAuthState.m b/Source/OIDAuthState.m index 0c9e1c091..171b419d5 100644 --- a/Source/OIDAuthState.m +++ b/Source/OIDAuthState.m @@ -29,6 +29,7 @@ #import "OIDRegistrationResponse.h" #import "OIDTokenRequest.h" #import "OIDTokenResponse.h" +#import "OIDTokenUtilities.h" /*! @brief Key used to encode the @c refreshToken property for @c NSSecureCoding. */ @@ -218,11 +219,11 @@ - (NSString *)description { NSStringFromClass([self class]), (void *)self, (self.isAuthorized) ? @"YES" : @"NO", - _refreshToken, + [OIDTokenUtilities redact:_refreshToken], _scope, - self.accessToken, + [OIDTokenUtilities redact:self.accessToken], self.accessTokenExpirationDate, - self.idToken, + [OIDTokenUtilities redact:self.idToken], _lastAuthorizationResponse, _lastTokenResponse, _lastRegistrationResponse, diff --git a/Source/OIDAuthorizationResponse.m b/Source/OIDAuthorizationResponse.m index fb66f4986..3ba07502e 100644 --- a/Source/OIDAuthorizationResponse.m +++ b/Source/OIDAuthorizationResponse.m @@ -23,6 +23,7 @@ #import "OIDError.h" #import "OIDFieldMapping.h" #import "OIDTokenRequest.h" +#import "OIDTokenUtilities.h" /*! @brief The key for the @c authorizationCode property in the incoming parameters and for @c NSSecureCoding. @@ -181,10 +182,10 @@ - (NSString *)description { (void *)self, _authorizationCode, _state, - _accessToken, + [OIDTokenUtilities redact:_accessToken], _accessTokenExpirationDate, _tokenType, - _idToken, + [OIDTokenUtilities redact:_idToken], _scope, _additionalParameters, _request]; diff --git a/Source/OIDRegistrationResponse.m b/Source/OIDRegistrationResponse.m index 71dc91005..c9aca6971 100644 --- a/Source/OIDRegistrationResponse.m +++ b/Source/OIDRegistrationResponse.m @@ -22,6 +22,7 @@ #import "OIDDefines.h" #import "OIDFieldMapping.h" #import "OIDRegistrationRequest.h" +#import "OIDTokenUtilities.h" NSString *const OIDClientIDParam = @"client_id"; NSString *const OIDClientIDIssuedAtParam = @"client_id_issued_at"; @@ -162,9 +163,9 @@ - (NSString *)description { (void *)self, _clientID, _clientIDIssuedAt, - _clientSecret, + [OIDTokenUtilities redact:_clientSecret], _clientSecretExpiresAt, - _registrationAccessToken, + [OIDTokenUtilities redact:_registrationAccessToken], _registrationClientURI, _additionalParameters, _request]; diff --git a/Source/OIDTokenResponse.m b/Source/OIDTokenResponse.m index 6db60bb73..1e4eeef91 100644 --- a/Source/OIDTokenResponse.m +++ b/Source/OIDTokenResponse.m @@ -21,6 +21,7 @@ #import "OIDDefines.h" #import "OIDFieldMapping.h" #import "OIDTokenRequest.h" +#import "OIDTokenUtilities.h" /*! @brief Key used to encode the @c request property for @c NSSecureCoding */ @@ -156,11 +157,11 @@ - (NSString *)description { "scope: \"%@\", additionalParameters: %@, request: %@>", NSStringFromClass([self class]), (void *)self, - _accessToken, + [OIDTokenUtilities redact:_accessToken], _accessTokenExpirationDate, _tokenType, - _idToken, - _refreshToken, + [OIDTokenUtilities redact:_idToken], + [OIDTokenUtilities redact:_refreshToken], _scope, _additionalParameters, _request]; diff --git a/Source/OIDTokenUtilities.h b/Source/OIDTokenUtilities.h index f13d937b0..598be2aed 100644 --- a/Source/OIDTokenUtilities.h +++ b/Source/OIDTokenUtilities.h @@ -50,6 +50,12 @@ NS_ASSUME_NONNULL_BEGIN */ + (NSData *)sha265:(NSString *)inputString; +/*! @brief Truncated intput string after first 6 characters followed by ellipses + @param inputString The input string. + @return Truncated string. + */ ++ (nullable NSString *)redact:(nullable NSString *)inputString; + @end NS_ASSUME_NONNULL_END diff --git a/Source/OIDTokenUtilities.m b/Source/OIDTokenUtilities.m index fa08ddcb5..cd42bfd7f 100644 --- a/Source/OIDTokenUtilities.m +++ b/Source/OIDTokenUtilities.m @@ -48,4 +48,19 @@ + (NSData *)sha265:(NSString *)inputString { return sha256Verifier; } ++ (NSString *)redact:(NSString *)inputString { + if (inputString == nil) { + return nil; + } + switch(inputString.length){ + case 0: + return @""; + case 1 ... 8: + return @"[redacted]"; + case 9: + default: + return [[inputString substringToIndex:6] stringByAppendingString:@"...[redacted]"]; + } +} + @end diff --git a/UnitTests/OIDTokenUtilitiesTests.m b/UnitTests/OIDTokenUtilitiesTests.m new file mode 100644 index 000000000..689ea00cf --- /dev/null +++ b/UnitTests/OIDTokenUtilitiesTests.m @@ -0,0 +1,44 @@ +/*! @file OIDTokenUtilities.m + @brief AppAuth iOS SDK + @copyright + Copyright 2018 The AppAuth for iOS Authors. All Rights Reserved. + @copydetails + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */ + +#import + +#import "Source/OIDTokenUtilities.h" + + +@interface OIDTokenUtilitiesTests : XCTestCase +@end +@implementation OIDTokenUtilitiesTests + +- (void)testRedact { + XCTAssertEqualObjects([OIDTokenUtilities redact:@"0123456789"], @"012345...[redacted]", @""); +} + +- (void)testRedactWithNilParamater { + XCTAssertEqualObjects([OIDTokenUtilities redact:nil], nil, @""); +} + +- (void)testRedactWithEmptyString { + XCTAssertEqualObjects([OIDTokenUtilities redact:@""], @"", @""); +} + +- (void)testRedactWithShortInput { + XCTAssertEqualObjects([OIDTokenUtilities redact:@"01234"], @"[redacted]", @""); +} + +@end