From a6814fb9386b7bed928f60c8cde66526c78d2e6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Pfeuffer?= <rene.pfeuffer@cloudogu.com>
Date: Thu, 1 Oct 2020 18:20:34 +0200
Subject: [PATCH] Delete api keys when user is deleted

---
 .../java/sonia/scm/security/ApiKeyService.java     | 10 ++++++++++
 .../java/sonia/scm/security/ApiKeyServiceTest.java | 14 ++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/scm-webapp/src/main/java/sonia/scm/security/ApiKeyService.java b/scm-webapp/src/main/java/sonia/scm/security/ApiKeyService.java
index 9a358f0832..59bd138413 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/ApiKeyService.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/ApiKeyService.java
@@ -24,6 +24,7 @@
 
 package sonia.scm.security;
 
+import com.github.legman.Subscribe;
 import com.google.common.util.concurrent.Striped;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
@@ -31,8 +32,10 @@ import org.apache.shiro.authc.credential.PasswordService;
 import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.util.ThreadContext;
 import sonia.scm.ContextEntry;
+import sonia.scm.HandlerEventType;
 import sonia.scm.store.DataStore;
 import sonia.scm.store.DataStoreFactory;
+import sonia.scm.user.UserEvent;
 import sonia.scm.user.UserPermissions;
 
 import javax.inject.Inject;
@@ -176,6 +179,13 @@ public class ApiKeyService {
       .anyMatch(key -> key.getDisplayName().equals(name));
   }
 
+  @Subscribe
+  public void cleanupForDeletedUser(UserEvent userEvent) {
+    if (userEvent.getEventType() == HandlerEventType.DELETE) {
+      store.remove(userEvent.getItem().getId());
+    }
+  }
+
   @Getter
   @AllArgsConstructor
   public static class CreationResult {
diff --git a/scm-webapp/src/test/java/sonia/scm/security/ApiKeyServiceTest.java b/scm-webapp/src/test/java/sonia/scm/security/ApiKeyServiceTest.java
index 4af23f4686..adb7d5b0ba 100644
--- a/scm-webapp/src/test/java/sonia/scm/security/ApiKeyServiceTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/ApiKeyServiceTest.java
@@ -34,10 +34,13 @@ import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import sonia.scm.AlreadyExistsException;
+import sonia.scm.HandlerEventType;
 import sonia.scm.store.DataStore;
 import sonia.scm.store.DataStoreFactory;
 import sonia.scm.store.InMemoryDataStore;
 import sonia.scm.store.InMemoryDataStoreFactory;
+import sonia.scm.user.User;
+import sonia.scm.user.UserEvent;
 
 import java.util.function.Supplier;
 
@@ -163,5 +166,16 @@ class ApiKeyServiceTest {
 
       assertThrows(AuthorizationException.class, () -> service.check("dent", "other", firstKey));
     }
+
+    @Test
+    void shouldDeleteTokensWhenUserIsDeleted() {
+      service.createNewKey("1", "READ").getToken();
+
+      assertThat(store.get("dent").getKeys()).hasSize(1);
+
+      service.cleanupForDeletedUser(new UserEvent(HandlerEventType.DELETE, new User("dent")));
+
+      assertThat(store.get("dent")).isNull();
+    }
   }
 }