Skip to content

Commit

Permalink
Fixes #37936 - As a user, I want to invalidate jwt for specific user
Browse files Browse the repository at this point in the history
  • Loading branch information
girijaasoni committed Oct 24, 2024
1 parent eb66c09 commit cc036ad
Show file tree
Hide file tree
Showing 6 changed files with 45 additions and 6 deletions.
23 changes: 20 additions & 3 deletions app/controllers/api/v2/users_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,8 @@ class UsersController < V2::BaseController
['compute_attributes']

before_action :find_optional_nested_object
skip_before_action :authorize, :only => [:extlogin]
before_action :authenticate, :only => [:extlogin]
skip_before_action :authorize, :only => [:extlogin, :invalidate_jwt]
before_action :authenticate, :only => [:extlogin, :invalidate_jwt]

api :GET, "/users/", N_("List all users")
api :GET, "/auth_source_ldaps/:auth_source_ldap_id/users", N_("List all users for LDAP authentication source")
Expand Down Expand Up @@ -96,7 +96,7 @@ def create
api :PUT, "/users/:id/", N_("Update a user")
description <<-DOC
Adds role 'Default role' to the user if it is not already present.
Only another admin can change the admin account attribute.
Only another admin can change the admin account attribute.
DOC
param :id, String, :required => true
param_group :user_update
Expand All @@ -111,6 +111,23 @@ def update
end
end

api :PATCH, "/users/:id/invalidate_jwt", N_("Get vm attributes of host")
param :id, String, :required => true
description <<~EOS
Invalidate JWT for a specific user
EOS

def invalidate_jwt
@user = User.find(params[:id])
if !@user
render :json => { :error => _("User %s does not exist.") % @user.login}
elsif !User.current.can?(:edit_users, @user)
deny_access N_("User %s does not have permissions to invalidate JWT." % User.current.login)
else User.current.can?(:edit_users, @user) && @user.invalidate_jwt.blank?
process_success _('Successfully invalidated JWT for %s.' % @user.login)
end
end

api :DELETE, "/users/:id/", N_("Delete a user")
param :id, String, :required => true

Expand Down
11 changes: 10 additions & 1 deletion app/controllers/users_controller.rb
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ class UsersController < ApplicationController
rescue_from ActionController::InvalidAuthenticityToken, with: :login_token_reload
skip_before_action :require_mail, :only => [:edit, :update, :logout, :stop_impersonation]
skip_before_action :require_login, :check_user_enabled, :authorize, :session_expiry, :update_activity_time, :set_taxonomy, :set_gettext_locale_db, :only => [:login, :logout, :extlogout]
skip_before_action :authorize, :only => [:extlogin, :impersonate, :stop_impersonation]
skip_before_action :authorize, :only => [:extlogin, :impersonate, :stop_impersonation, :invalidate_jwt]
before_action :require_admin, :only => :impersonate
after_action :update_activity_time, :only => :login
before_action :verify_active_session, :only => :login
Expand Down Expand Up @@ -92,6 +92,15 @@ def impersonate
redirect_to users_path
end
end

def invalidate_jwt
@user = find_resource(:edit_users)
if @user.invalidate_jwt.blank?
process_success(
:success_msg => _('Successfully invalidated JWT for %s.') % @user.login,
)
end
end

def stop_impersonation
if session[:impersonated_by].present?
Expand Down
10 changes: 9 additions & 1 deletion app/helpers/users_helper.rb
Original file line number Diff line number Diff line change
Expand Up @@ -33,14 +33,22 @@ def user_action_buttons(user, additional_actions = [])
:method => :post,
:data => { :no_turbolink => true })
end

if user != User.current
additional_actions << display_link_if_authorized(_("Invalidate JWT"),
hash_for_invalidate_jwt_user_path(:id => user.id).merge(:auth_object => user, :permission => "edit_users"),
:method => :patch, :id => user.id,
:data => { :confirm => _("Invalidate tokens for %s?") % user.name })
end

delete_btn = display_delete_if_authorized(
hash_for_user_path(:id => user).merge(:auth_object => user, :authorizer => authorizer),
:data => { :confirm => _("Delete %s?") % user.name })

action_buttons(*([display_delete_unless_impersonator(delete_btn, user)] + additional_actions))
action_buttons(*([display_delete_unless_impersonator(delete_btn, user)] + additional_actions ))
end


def display_delete_unless_impersonator(link, user)
(user.id == session[:impersonated_by]) ? "" : link
end
Expand Down
5 changes: 4 additions & 1 deletion app/models/concerns/jwt_auth.rb
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,10 @@ module JwtAuth
def jwt_secret!
jwt_secret || create_jwt_secret!
end


def invalidate_jwt
User.find_by(id: id).jwt_secret&.destroy
end
# expiration: integer, eg: 4.hours.to_i
# scope: example: [{ controller: :registration, actions: [:global, :host] }]
def jwt_token!(expiration: nil, scope: [])
Expand Down
1 change: 1 addition & 0 deletions config/routes.rb
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,7 @@
end
member do
post 'impersonate'
patch 'invalidate_jwt'
end
resources :ssh_keys, only: [:new, :create, :destroy]
end
Expand Down
1 change: 1 addition & 0 deletions config/routes/api/v2.rb
Original file line number Diff line number Diff line change
Expand Up @@ -218,6 +218,7 @@
resources :mail_notifications, :only => [:create, :destroy, :update]
get 'mail_notifications', :to => 'mail_notifications#user_mail_notifications', :on => :member
get 'extlogin', :to => 'users#extlogin', :on => :collection
patch 'invalidate_jwt', :to => 'users#invalidate_jwt', :on => :member
end
end

Expand Down

0 comments on commit cc036ad

Please sign in to comment.