[ChaosCenter]: Revoke the token when the user logout (#4085)

* feat: add logout logic Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * feat: add logout api to frontend Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * fix: rename collection Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * feat: add IsRevokedToken logic to graphql-server Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * fix: fix testcases Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * fix: fix minor bugs Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * feat: add logout logic to chaoscenter/auth Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * feat: add logout logic to chaoscenter/web Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * feat: add logout logic to chaoscenter/graphql Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * fix: fix minor bugs Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * fix: fix auth logic Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * feat: update swagger Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * fix: add mutation api Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * fix: rename field Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> * fix: minor Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr> --------- Signed-off-by: namkyu1999 <lak9348@konkuk.ac.kr>
litmuschaos · Aug 14, 2023 · 2d64b25 · 2d64b25
1 parent 8e1b602
commit 2d64b25
Show file tree

Hide file tree

Showing 42 changed files with 710 additions and 223 deletions.
diff --git a/chaoscenter/Readme.md → chaoscenter/README.md b/chaoscenter/Readme.md → chaoscenter/README.md
@@ -24,6 +24,14 @@ metrics:
   enabled: false
   prometheusRule:
     enabled: false
+
+# bitnami/mongodb is not yet supported on ARM.
+# Using unofficial tools to build bitnami/mongodb (arm64 support)
+# more info: https://github.com/ZCube/bitnami-compat
+#image:
+#  registry: ghcr.io/zcube
+#  repository: bitnami-compat/mongodb
+#  tag: 6.0.5
 ```
 
 ```shell

diff --git a/chaoscenter/authentication/api/handlers/grpc/grpc_handler.go b/chaoscenter/authentication/api/handlers/grpc/grpc_handler.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"strconv"
 
-	"github.com/litmuschaos/litmus/chaoscenter/authentication/api/middleware"
 	"github.com/litmuschaos/litmus/chaoscenter/authentication/api/presenter/protos"
 	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/entities"
 	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/validations"
@@ -16,7 +15,7 @@ import (
 
 func (s *ServerGrpc) ValidateRequest(ctx context.Context,
 	inputRequest *protos.ValidationRequest) (*protos.ValidationResponse, error) {
-	token, err := middleware.ValidateToken(inputRequest.Jwt)
+	token, err := s.ValidateToken(inputRequest.Jwt)
 	if err != nil {
 		return &protos.ValidationResponse{Error: err.Error(), IsValid: false}, err
 	}

diff --git a/chaoscenter/authentication/api/handlers/rest/dex_auth_handler.go b/chaoscenter/authentication/api/handlers/rest/dex_auth_handler.go
@@ -116,7 +116,7 @@ func DexCallback(userService services.ApplicationService) gin.HandlerFunc {
 			c.JSON(utils.ErrorStatusCodes[utils.ErrServerError], presenter.CreateErrorResponse(utils.ErrServerError))
 			return
 		}
-		jwtToken, err := signedInUser.GetSignedJWT()
+		jwtToken, err := userService.GetSignedJWT(signedInUser)
 		if err != nil {
 			log.Error(err)
 			c.JSON(utils.ErrorStatusCodes[utils.ErrServerError], presenter.CreateErrorResponse(utils.ErrServerError))

diff --git a/chaoscenter/authentication/api/handlers/rest/user_handlers.go b/chaoscenter/authentication/api/handlers/rest/user_handlers.go
@@ -14,6 +14,8 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
+const BearerSchema = "Bearer "
+
 func CreateUser(service services.ApplicationService) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		userRole := c.MustGet("role").(string)
@@ -203,7 +205,7 @@ func LoginUser(service services.ApplicationService) gin.HandlerFunc {
 			return
 		}
 
-		token, err := user.GetSignedJWT()
+		token, err := service.GetSignedJWT(user)
 		if err != nil {
 			log.Error(err)
 			c.JSON(utils.ErrorStatusCodes[utils.ErrServerError], presenter.CreateErrorResponse(utils.ErrServerError))
@@ -265,6 +267,28 @@ func LoginUser(service services.ApplicationService) gin.HandlerFunc {
 	}
 }
 
+// LogoutUser revokes the token passed in the Authorization header
+func LogoutUser(service services.ApplicationService) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		authHeader := c.GetHeader("Authorization")
+		if authHeader == "" {
+			c.AbortWithStatusJSON(utils.ErrorStatusCodes[utils.ErrUnauthorized], presenter.CreateErrorResponse(utils.ErrUnauthorized))
+			return
+		}
+		tokenString := authHeader[len(BearerSchema):]
+		// revoke token
+		err := service.RevokeToken(tokenString)
+		if err != nil {
+			log.Error(err)
+			c.JSON(utils.ErrorStatusCodes[utils.ErrServerError], presenter.CreateErrorResponse(utils.ErrServerError))
+			return
+		}
+		c.JSON(200, gin.H{
+			"message": "successfully logged out",
+		})
+	}
+}
+
 func UpdatePassword(service services.ApplicationService) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		var userPasswordRequest entities.UserPassword

diff --git a/chaoscenter/authentication/api/main.go b/chaoscenter/authentication/api/main.go
@@ -14,6 +14,7 @@ import (
 	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/misc"
 	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/project"
 	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/services"
+	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/session"
 	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/user"
 	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/utils"
 
@@ -37,6 +38,8 @@ type Config struct {
 }
 
 func init() {
+	log.SetFormatter(&log.JSONFormatter{})
+	log.SetReportCaller(true)
 	printVersion()
 
 	var c Config
@@ -48,7 +51,7 @@ func init() {
 }
 
 func main() {
-	// send logs to stderr so we can use 'kubectl logs'
+	// send logs to stderr, so we can use 'kubectl logs'
 	_ = flag.Set("logtostderr", "true")
 	_ = flag.Set("v", "3")
 
@@ -64,18 +67,27 @@ func main() {
 	// Creating User Collection
 	err = utils.CreateCollection(utils.UserCollection, db)
 	if err != nil {
-		log.Fatalf("failed to create collection  %s", err)
+		log.Errorf("failed to create collection  %s", err)
 	}
 
 	err = utils.CreateIndex(utils.UserCollection, utils.UsernameField, db)
 	if err != nil {
-		log.Fatalf("failed to create index  %s", err)
+		log.Errorf("failed to create index  %s", err)
 	}
 
 	// Creating Project Collection
 	err = utils.CreateCollection(utils.ProjectCollection, db)
 	if err != nil {
-		log.Fatalf("failed to create collection  %s", err)
+		log.Errorf("failed to create collection  %s", err)
+	}
+
+	// Creating Session Collection
+	if err = utils.CreateCollection(utils.RevokedTokenCollection, db); err != nil {
+		log.Errorf("failed to create collection  %s", err)
+	}
+
+	if err = utils.CreateTTLIndex(utils.RevokedTokenCollection, db); err != nil {
+		log.Errorf("failed to create index  %s", err)
 	}
 
 	userCollection := db.Collection(utils.UserCollection)
@@ -84,9 +96,12 @@ func main() {
 	projectCollection := db.Collection(utils.ProjectCollection)
 	projectRepo := project.NewRepo(projectCollection)
 
+	revokedTokenCollection := db.Collection(utils.RevokedTokenCollection)
+	sessionRepo := session.NewRepo(revokedTokenCollection)
+
 	miscRepo := misc.NewRepo(db, client)
 
-	applicationService := services.NewService(userRepo, projectRepo, miscRepo, db)
+	applicationService := services.NewService(userRepo, projectRepo, miscRepo, sessionRepo, db)
 
 	validatedAdminSetup(applicationService)
 
@@ -95,7 +110,6 @@ func main() {
 }
 
 func validatedAdminSetup(service services.ApplicationService) {
-
 	// Assigning UID to admin
 	uID := uuid.Must(uuid.NewRandom()).String()
 

diff --git a/chaoscenter/authentication/api/middleware/jwt_middlware.go b/chaoscenter/authentication/api/middleware/jwt_middlware.go
@@ -1,18 +1,16 @@
 package middleware
 
 import (
-	"fmt"
-
-	"github.com/litmuschaos/litmus/chaoscenter/authentication/api/presenter"
-	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/utils"
-
 	"github.com/gin-gonic/gin"
 	"github.com/golang-jwt/jwt"
-	"github.com/sirupsen/logrus"
+	"github.com/litmuschaos/litmus/chaoscenter/authentication/api/presenter"
+	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/services"
+	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/utils"
+	log "github.com/sirupsen/logrus"
 )
 
 // JwtMiddleware is a Gin Middleware that authorises requests
-func JwtMiddleware() gin.HandlerFunc {
+func JwtMiddleware(service services.ApplicationService) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		const BearerSchema = "Bearer "
 		authHeader := c.GetHeader("Authorization")
@@ -21,28 +19,21 @@ func JwtMiddleware() gin.HandlerFunc {
 			return
 		}
 		tokenString := authHeader[len(BearerSchema):]
-		token, err := ValidateToken(tokenString)
+		token, err := service.ValidateToken(tokenString)
+		if err != nil {
+			log.Error(err)
+			c.AbortWithStatusJSON(utils.ErrorStatusCodes[utils.ErrUnauthorized], presenter.CreateErrorResponse(utils.ErrUnauthorized))
+			return
+		}
 		if token.Valid {
 			claims := token.Claims.(jwt.MapClaims)
 			c.Set("username", claims["username"])
 			c.Set("uid", claims["uid"])
 			c.Set("role", claims["role"])
 			c.Next()
 		} else {
-			logrus.Info(err)
 			c.AbortWithStatusJSON(utils.ErrorStatusCodes[utils.ErrUnauthorized], presenter.CreateErrorResponse(utils.ErrUnauthorized))
 			return
 		}
 	}
 }
-
-// ValidateToken validates the given JWT Token
-func ValidateToken(encodedToken string) (*jwt.Token, error) {
-	return jwt.Parse(encodedToken, func(token *jwt.Token) (interface{}, error) {
-		if _, isValid := token.Method.(*jwt.SigningMethodHMAC); !isValid {
-			return nil, fmt.Errorf("invalid token %s", token.Header["alg"])
-		}
-		return []byte(utils.JwtSecret), nil
-	})
-
-}
diff --git a/chaoscenter/authentication/api/routes/project_router.go b/chaoscenter/authentication/api/routes/project_router.go
@@ -10,7 +10,7 @@ import (
 
 // ProjectRouter creates all the required routes for project related purposes.
 func ProjectRouter(router *gin.Engine, service services.ApplicationService) {
-	router.Use(middleware.JwtMiddleware())
+	router.Use(middleware.JwtMiddleware(service))
 	router.GET("/get_project/:project_id", rest.GetProject(service))
 	router.GET("/get_project_members/:project_id/:state", rest.GetActiveProjectMembers(service))
 	router.GET("/get_user_with_project/:username", rest.GetUserWithProject(service))

diff --git a/chaoscenter/authentication/api/routes/user_router.go b/chaoscenter/authentication/api/routes/user_router.go
@@ -11,7 +11,8 @@ import (
 // UserRouter creates all the required routes for user authentications purposes.
 func UserRouter(router *gin.Engine, service services.ApplicationService) {
 	router.POST("/login", rest.LoginUser(service))
-	router.Use(middleware.JwtMiddleware())
+	router.POST("/logout", rest.LogoutUser(service))
+	router.Use(middleware.JwtMiddleware(service))
 	router.POST("/update/password", rest.UpdatePassword(service))
 	router.POST("/reset/password", rest.ResetPassword(service))
 	router.POST("/create_user", rest.CreateUser(service))

diff --git a/chaoscenter/authentication/pkg/entities/session.go b/chaoscenter/authentication/pkg/entities/session.go
@@ -0,0 +1,8 @@
+package entities
+
+// RevokedToken struct for storing revoked tokens
+type RevokedToken struct {
+	Token     string `bson:"token"`
+	ExpiresAt int64  `bson:"expires_at"`
+	CreatedAt int64  `bson:"created_at"`
+}
diff --git a/chaoscenter/authentication/pkg/entities/user.go b/chaoscenter/authentication/pkg/entities/user.go
@@ -2,12 +2,6 @@ package entities
 
 import (
 	"net/mail"
-	"time"
-
-	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/utils"
-
-	"github.com/golang-jwt/jwt"
-	"github.com/sirupsen/logrus"
 )
 
 // Role states the role of the user in the portal
@@ -96,22 +90,3 @@ func (user *User) IsEmailValid(email string) bool {
 	_, err := mail.ParseAddress(email)
 	return err == nil
 }
-
-// GetSignedJWT generates the JWT Token for the user object
-func (user *User) GetSignedJWT() (string, error) {
-
-	token := jwt.New(jwt.SigningMethodHS512)
-	claims := token.Claims.(jwt.MapClaims)
-	claims["uid"] = user.ID
-	claims["role"] = user.Role
-	claims["username"] = user.Username
-	claims["exp"] = time.Now().Add(time.Minute * time.Duration(utils.JWTExpiryDuration)).Unix()
-
-	tokenString, err := token.SignedString([]byte(utils.JwtSecret))
-	if err != nil {
-		logrus.Info(err)
-		return "", err
-	}
-
-	return tokenString, nil
-}
diff --git a/chaoscenter/authentication/pkg/services/application_service.go b/chaoscenter/authentication/pkg/services/application_service.go
@@ -3,6 +3,7 @@ package services
 import (
 	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/misc"
 	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/project"
+	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/session"
 	"github.com/litmuschaos/litmus/chaoscenter/authentication/pkg/user"
 
 	"go.mongodb.org/mongo-driver/mongo"
@@ -13,20 +14,23 @@ type ApplicationService interface {
 	projectService
 	transactionService
 	miscService
+	sessionService
 }
 
 type applicationService struct {
 	userRepository    user.Repository
 	projectRepository project.Repository
 	miscRepository    misc.Repository
+	sessionRepository session.Repository
 	db                *mongo.Database
 }
 
 // NewService creates a new instance of this service
-func NewService(userRepo user.Repository, projectRepo project.Repository, miscRepo misc.Repository, db *mongo.Database) ApplicationService {
+func NewService(userRepo user.Repository, projectRepo project.Repository, miscRepo misc.Repository, sessionRepo session.Repository, db *mongo.Database) ApplicationService {
 	return &applicationService{
 		userRepository:    userRepo,
 		projectRepository: projectRepo,
+		sessionRepository: sessionRepo,
 		db:                db,
 		miscRepository:    miscRepo,
 	}