Delete api keys when user is deleted

2026-06-23 10:19:46 +02:00 · 2020-10-01 18:20:34 +02:00
parent 95bad28b0a
commit a6814fb938
2 changed files with 24 additions and 0 deletions
--- a/scm-webapp/src/main/java/sonia/scm/security/ApiKeyService.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/ApiKeyService.java
@@ -24,6 +24,7 @@

 package sonia.scm.security;

+import com.github.legman.Subscribe;
 import com.google.common.util.concurrent.Striped;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
@@ -31,8 +32,10 @@ import org.apache.shiro.authc.credential.PasswordService;
 import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.util.ThreadContext;
 import sonia.scm.ContextEntry;
+import sonia.scm.HandlerEventType;
 import sonia.scm.store.DataStore;
 import sonia.scm.store.DataStoreFactory;
+import sonia.scm.user.UserEvent;
 import sonia.scm.user.UserPermissions;

 import javax.inject.Inject;
@@ -176,6 +179,13 @@ public class ApiKeyService {
      .anyMatch(key -> key.getDisplayName().equals(name));
  }

+  @Subscribe
+  public void cleanupForDeletedUser(UserEvent userEvent) {
+    if (userEvent.getEventType() == HandlerEventType.DELETE) {
+      store.remove(userEvent.getItem().getId());
+    }
+  }
+
  @Getter
  @AllArgsConstructor
  public static class CreationResult {
--- a/scm-webapp/src/test/java/sonia/scm/security/ApiKeyServiceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/ApiKeyServiceTest.java
@@ -34,10 +34,13 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import sonia.scm.AlreadyExistsException;
+import sonia.scm.HandlerEventType;
 import sonia.scm.store.DataStore;
 import sonia.scm.store.DataStoreFactory;
 import sonia.scm.store.InMemoryDataStore;
 import sonia.scm.store.InMemoryDataStoreFactory;
+import sonia.scm.user.User;
+import sonia.scm.user.UserEvent;

 import java.util.function.Supplier;

@@ -163,5 +166,16 @@ class ApiKeyServiceTest {

      assertThrows(AuthorizationException.class, () -> service.check("dent", "other", firstKey));
    }
+
+    @Test
+    void shouldDeleteTokensWhenUserIsDeleted() {
+      service.createNewKey("1", "READ").getToken();
+
+      assertThat(store.get("dent").getKeys()).hasSize(1);
+
+      service.cleanupForDeletedUser(new UserEvent(HandlerEventType.DELETE, new User("dent")));
+
+      assertThat(store.get("dent")).isNull();
+    }
  }
 }