From 0a1b82c85ef88e53239e280bdf0fee952fd7cb69 Mon Sep 17 00:00:00 2001 From: Fahim Salam Chowdhury Date: Mon, 27 May 2024 18:28:06 +0600 Subject: [PATCH 1/5] feat: logout from sso sessions on password update --- lib/AppInfo/Application.php | 3 +++ lib/Listeners/PasswordUpdatedListener.php | 29 +++++++++++++++++++++++ lib/Service/SSOService.php | 13 ++++++++++ 3 files changed, 45 insertions(+) create mode 100644 lib/Listeners/PasswordUpdatedListener.php diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php index b8070465..b1635540 100644 --- a/lib/AppInfo/Application.php +++ b/lib/AppInfo/Application.php @@ -28,6 +28,7 @@ namespace OCA\EcloudAccounts\AppInfo; use OCA\EcloudAccounts\Listeners\BeforeTemplateRenderedListener; use OCA\EcloudAccounts\Listeners\BeforeUserDeletedListener; +use OCA\EcloudAccounts\Listeners\PasswordUpdatedListener; use OCA\EcloudAccounts\Listeners\TwoFactorStateChangedListener; use OCA\EcloudAccounts\Listeners\UserChangedListener; use OCA\EcloudAccounts\Service\LDAPConnectionService; @@ -39,6 +40,7 @@ use OCP\AppFramework\Bootstrap\IRegistrationContext; use OCP\AppFramework\Http\Events\BeforeTemplateRenderedEvent; use OCP\IUserManager; use OCP\User\Events\BeforeUserDeletedEvent; +use OCP\User\Events\PasswordUpdatedEvent; use OCP\User\Events\UserChangedEvent; class Application extends App implements IBootstrap { @@ -53,6 +55,7 @@ class Application extends App implements IBootstrap { $context->registerEventListener(BeforeUserDeletedEvent::class, BeforeUserDeletedListener::class); $context->registerEventListener(UserChangedEvent::class, UserChangedListener::class); $context->registerEventListener(StateChanged::class, TwoFactorStateChangedListener::class); + $context->registerEventListener(PasswordUpdatedEvent::class, PasswordUpdatedListener::class); } public function boot(IBootContext $context): void { 
diff --git a/lib/Listeners/PasswordUpdatedListener.php b/lib/Listeners/PasswordUpdatedListener.php new file mode 100644 index 00000000..aacf34bc --- /dev/null +++ b/lib/Listeners/PasswordUpdatedListener.php @@ -0,0 +1,29 @@ +ssoService = $ssoService; + } + + public function handle(Event $event): void { + if (!($event instanceof PasswordUpdatedEvent)) { + return; + } + + $user = $event->getUser(); + $username = $user->getUID(); + + $this->ssoService->logout($username); + } +} diff --git a/lib/Service/SSOService.php b/lib/Service/SSOService.php index b176b59d..55f06c9e 100644 --- a/lib/Service/SSOService.php +++ b/lib/Service/SSOService.php @@ -85,6 +85,19 @@ class SSOService { } } + public function logout(string $username) : void { + if(empty($this->currentUserId)) { + $this->getUserId($username); + } + + $language = $this->config->getUserValue($username, 'core', 'lang', 'en'); + $url = $this->ssoConfig['admin_rest_api_url'] . self::USERS_ENDPOINT . '/' . $this->currentUserId . '/logout'; + + + $this->logger->debug('logout calling SSO API with url: '. $url); + $this->callSSOAPI($url, 'POST', [], 201); + } + private function getCredentialIds() : array { $url = $this->ssoConfig['admin_rest_api_url'] . self::CREDENTIALS_ENDPOINT; $url = str_replace('{USER_ID}', $this->currentUserId, $url); -- GitLab From f9aba2c5432d9dfad98aa85434a7eeffe898cddc Mon Sep 17 00:00:00 2001 From: Fahim Salam Chowdhury Date: Tue, 28 May 2024 00:58:51 +0600 Subject: [PATCH 2/5] chore: remove unwanted code --- lib/Service/SSOService.php | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/Service/SSOService.php b/lib/Service/SSOService.php index 55f06c9e..3d9d950a 100644 --- a/lib/Service/SSOService.php +++ b/lib/Service/SSOService.php 
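Review bot: In the new `logout()` of SSOService, the URL is built from `$this->currentUserId` straight after `$this->getUserId($username)` without checking that the lookup populated it, so a username unknown to the SSO side would POST to `.../users//logout`; whether `getUserId` throws on a miss is not visible, as it and `callSSOAPI` sit outside the hunk. The `empty()` guard also means a `currentUserId` already cached for a different account earlier in the same request (an admin resetting another user's password, for instance) would be reused, terminating the wrong user's sessions or none at all — hedged, since the class's caching rules are not shown. Since the purpose of this call is to invalidate sessions after a credential change, a silently skipped logout is the outcome to avoid; suggest resolving the id for `$username` unconditionally and failing closed: `$this->getUserId($username); if (empty($this->currentUserId)) { throw new \RuntimeException('SSO user id not found for ' . $username); }`. The enclosing class continues outside the hunk.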
@@ -90,10 +90,8 @@ class SSOService { $this->getUserId($username); } - $language = $this->config->getUserValue($username, 'core', 'lang', 'en'); $url = $this->ssoConfig['admin_rest_api_url'] . self::USERS_ENDPOINT . '/' . $this->currentUserId . '/logout'; - $this->logger->debug('logout calling SSO API with url: '. $url); $this->callSSOAPI($url, 'POST', [], 201); } -- GitLab From 2d19748c87448c854959b038bd5b43c9d5bba185 Mon Sep 17 00:00:00 2001 From: Fahim Salam Chowdhury Date: Tue, 28 May 2024 15:47:50 +0600 Subject: [PATCH 3/5] chore: add try-catch block on ssoLogout on passwordChange --- lib/Listeners/PasswordUpdatedListener.php | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/lib/Listeners/PasswordUpdatedListener.php b/lib/Listeners/PasswordUpdatedListener.php index aacf34bc..402797cd 100644 --- a/lib/Listeners/PasswordUpdatedListener.php +++ b/lib/Listeners/PasswordUpdatedListener.php @@ -4,16 +4,22 @@ declare(strict_types=1); namespace OCA\EcloudAccounts\Listeners; +use Exception; use OCA\EcloudAccounts\Service\SSOService; use OCP\EventDispatcher\Event; use OCP\EventDispatcher\IEventListener; +use OCP\ILogger; use OCP\User\Events\PasswordUpdatedEvent; class PasswordUpdatedListener implements IEventListener { + private SSOService $ssoService; - public function __construct(SSOService $ssoService) { + private $logger; + + public function __construct(SSOService $ssoService, ILogger $logger) { $this->ssoService = $ssoService; + $this->logger = $logger; } public function handle(Event $event): void { @@ -24,6 +30,11 @@ class PasswordUpdatedListener implements IEventListener { $user = $event->getUser(); $username = $user->getUID(); - $this->ssoService->logout($username); + try { + $this->ssoService->logout($username); + } catch (Exception $e) { + $this->logger->logException('Failed to logout from ssoService for user: ' . $username, ['exception' => $e]); + } } } + -- GitLab 
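Review bot: `private $logger;` in the PasswordUpdatedListener constructor hunk is left untyped while `$ssoService` next to it is typed; declare it as `private ILogger $logger;` or, better, inject `Psr\Log\LoggerInterface`, since `OCP\ILogger` has been deprecated in Nextcloud for several releases together with its `logException()` helper. With a PSR logger the catch in the following hunk becomes `$this->logger->error('Failed to logout from ssoService for user: ' . $username, ['exception' => $e]);`. The class header and the `handle()` body continue outside this hunk.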
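Review bot: The `catch (Exception $e)` around `$this->ssoService->logout($username)` reduces a failed SSO logout to a log line, which is reasonable for the user-facing flow (by the event's name the password is presumably already updated when it fires) but leaves the account's old SSO sessions valid, so that consequence deserves an explicit comment: `// Best effort: the password is already updated; a failed SSO logout leaves old SSO sessions alive, so it is recorded at error level for follow-up.` Anything thrown that is not an `Exception` subclass (an `Error` such as a `TypeError`, not visible here) would escape this block, so `catch (\Throwable $e)` is the safer boundary for a best-effort call. The rest of `handle()` is outside the hunk.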
From 430c66c4cde89af8daeb15873f25cb2a1d167415 Mon Sep 17 00:00:00 2001 From: Fahim Salam Chowdhury Date: Tue, 28 May 2024 15:50:21 +0600 Subject: [PATCH 4/5] fix: php lint --- lib/Listeners/PasswordUpdatedListener.php | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/Listeners/PasswordUpdatedListener.php b/lib/Listeners/PasswordUpdatedListener.php index 402797cd..c283ac91 100644 --- a/lib/Listeners/PasswordUpdatedListener.php +++ b/lib/Listeners/PasswordUpdatedListener.php @@ -37,4 +37,3 @@ class PasswordUpdatedListener implements IEventListener { } } } - -- GitLab From 8e890a74d9c8347f8fcd0114bd71490aeaee6ece Mon Sep 17 00:00:00 2001 From: Fahim Salam Chowdhury Date: Wed, 29 May 2024 00:44:09 +0600 Subject: [PATCH 5/5] fix: sso logout expected result code keycloak documentation mention /logout should return 201, but it actually return 204. --- lib/Service/SSOService.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/Service/SSOService.php b/lib/Service/SSOService.php index 3d9d950a..896b2d20 100644 --- a/lib/Service/SSOService.php +++ b/lib/Service/SSOService.php @@ -93,7 +93,7 @@ class SSOService { $url = $this->ssoConfig['admin_rest_api_url'] . self::USERS_ENDPOINT . '/' . $this->currentUserId . '/logout'; $this->logger->debug('logout calling SSO API with url: '. $url); - $this->callSSOAPI($url, 'POST', [], 201); + $this->callSSOAPI($url, 'POST', [], 204); } private function getCredentialIds() : array { -- GitLab
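Review bot: The change to `204` in `$this->callSSOAPI($url, 'POST', [], 204);` carries its justification only in the commit message; put it in the code so the next reader does not "correct" it back to the documented value: `// Keycloak's admin /logout endpoint answers 204 No Content in practice, although its docs state 201.` If `callSSOAPI` treats any other status as a failure (its body is outside this hunk), a future Keycloak release that returns 201 would again break session invalidation after a password change, so accepting either code there may be worth considering. The enclosing `logout()` starts outside the hunk.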