Change logic of revoke tokens call to revoke everything

cmd/cli/app/auth/auth_revoke_provider.go

@@ -79,5 +79,6 @@ var Auth_revokeproviderCmd = &cobra.Command{
 func init() {
 	AuthCmd.AddCommand(Auth_revokeproviderCmd)
 	Auth_revokeproviderCmd.Flags().StringP("provider", "n", "", "Name for the provider to revoke tokens for")
+	Auth_revokeproviderCmd.Flags().Int32P("group-id", "g", 0, "ID of the group for repo registration")
 	Auth_revokeproviderCmd.Flags().BoolP("all", "a", false, "Revoke all tokens")
 }

database/query/providers.sql

@@ -14,5 +14,8 @@ SELECT * FROM providers WHERE id = $1 AND group_id = $2;
 -- name: ListProvidersByGroupID :many
 SELECT * FROM providers WHERE group_id = $1;
 
+-- name: GlobalListProviders :many
+SELECT * FROM providers;
+
 -- name: DeleteProvider :exec
 DELETE FROM providers WHERE id = $1 AND group_id = $2;

internal/controlplane/handlers_oauth.go

@@ -297,38 +297,40 @@ func (s *Server) GetProviderAccessToken(ctx context.Context, providerID uuid.UUI
 }
 
 // RevokeOauthTokens revokes the all oauth tokens for a provider
+// This is in case of a security breach, where we need to revoke all tokens
 func (s *Server) RevokeOauthTokens(ctx context.Context, in *pb.RevokeOauthTokensRequest) (*pb.RevokeOauthTokensResponse, error) {
-	provider, err := s.store.GetProviderByName(ctx, db.GetProviderByNameParams{
-		Name:    in.Provider,
-		GroupID: in.GroupId,
-	})
+	providers, err := s.store.GlobalListProviders(ctx)
 	if err != nil {
-		return nil, status.Errorf(codes.InvalidArgument, "provider not supported: %v", in.Provider)
-	}
-
-	// need to read all tokens from the provider and revoke them
-	tokens, err := s.store.GetAccessTokenByProvider(ctx, provider.ID)
-	if err != nil {
-		return nil, status.Errorf(codes.Internal, "error getting access tokens: %v", err)
+		return nil, status.Errorf(codes.InvalidArgument, "unable to list providers: %v", err)
 	}
 
 	revoked_tokens := 0
-	for _, token := range tokens {
-		objToken, err := s.cryptoEngine.DecryptOAuthToken(token.EncryptedToken)
-		if err != nil {
-			// just log and continue
-			log.Error().Msgf("error decrypting token: %v", err)
-		} else {
-			// remove token from db
-			_ = s.store.DeleteAccessToken(ctx, db.DeleteAccessTokenParams{ProviderID: provider.ID, GroupID: token.GroupID})
 
-			// remove from provider
-			err := auth.DeleteAccessToken(ctx, provider.Name, objToken.AccessToken)
+	for idx := range providers {
+		provider := providers[idx]
+		// need to read all tokens from the provider and revoke them
+		tokens, err := s.store.GetAccessTokenByProvider(ctx, provider.ID)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "error getting access tokens: %v", err)
+		}
 
+		for _, token := range tokens {
+			objToken, err := s.cryptoEngine.DecryptOAuthToken(token.EncryptedToken)
 			if err != nil {
-				log.Error().Msgf("Error deleting access token: %v", err)
+				// just log and continue
+				log.Error().Msgf("error decrypting token: %v", err)
+			} else {
+				// remove token from db
+				_ = s.store.DeleteAccessToken(ctx, db.DeleteAccessTokenParams{ProviderID: provider.ID, GroupID: token.GroupID})
+
+				// remove from provider
+				err := auth.DeleteAccessToken(ctx, provider.Name, objToken.AccessToken)
+
+				if err != nil {
+					log.Error().Msgf("Error deleting access token: %v", err)
+				}
+				revoked_tokens++
 			}
-			revoked_tokens++
 		}
 	}
 	return &pb.RevokeOauthTokensResponse{RevokedTokens: int32(revoked_tokens)}, nil

internal/controlplane/handlers_oauth_test.go

@@ -201,10 +201,7 @@ func TestRevokeOauthTokens_gRPC(t *testing.T) {
 
 	server := newDefaultServer(t, mockStore)
 
-	res, err := server.RevokeOauthTokens(ctx, &pb.RevokeOauthTokensRequest{
-		Provider: ghclient.Github,
-		GroupId:  1,
-	})
+	res, err := server.RevokeOauthTokens(ctx, &pb.RevokeOauthTokensRequest{})
 
 	assert.NoError(t, err)
 	assert.NotNil(t, res)