authorJulien Lancelot <julien.lancelot@sonarsource.com>2020-06-11 10:15:31 +0200
committersonartech <sonartech@sonarsource.com>2020-06-11 20:04:55 +0000
commit46a49f0b5ef205f5632b44dc07221eed79ec803d (patch)
tree091b018d1a86be53643f85bb80f057feb9c201d8 /server/sonar-webserver-webapi
parentb21504173da1a45b23c7bd6928fbdb31250c692e (diff)
SONAR-13472 Fix SSF-113
* SONAR-13472 Create 'SESSION_TOKENS' table * SONAR-13472 Remove 'SESSION_TOKENS' from a user when disabling that user * SONAR-13472 Replace JwtSession expiration duration with an expiration time * SONAR-13472 Create, update and delete SessionToken during the authentication lifecycle * SONAR-13472 Purge expired session tokens at start-up and every day * SONAR-13472 Improve logging during session token cleaning * Add example to start a Keycloak server already configured
Diffstat (limited to 'server/sonar-webserver-webapi')
-rw-r--r--server/sonar-webserver-webapi/src/main/java/org/sonar/server/authentication/ws/LogoutAction.java2
-rw-r--r--server/sonar-webserver-webapi/src/main/java/org/sonar/server/user/ws/DeactivateAction.java9
-rw-r--r--server/sonar-webserver-webapi/src/test/java/org/sonar/server/authentication/ws/LogoutActionTest.java16
-rw-r--r--server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/DeactivateActionTest.java17
4 files changed, 28 insertions, 16 deletions
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/authentication/ws/LogoutAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/authentication/ws/LogoutAction.java
index 936e1d64baf..6470e483807 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/authentication/ws/LogoutAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/authentication/ws/LogoutAction.java
@@ -87,7 +87,7 @@ public class LogoutAction extends ServletFilter implements AuthenticationWsActio
private void generateAuthenticationEvent(HttpServletRequest request, HttpServletResponse response) {
try {
Optional<JwtHttpHandler.Token> token = jwtHttpHandler.getToken(request, response);
- String userLogin = token.isPresent() ? token.get().getUserDto().getLogin() : null;
+ String userLogin = token.map(value -> value.getUserDto().getLogin()).orElse(null);
authenticationEvent.logoutSuccess(request, userLogin);
} catch (AuthenticationException e) {
authenticationEvent.logoutFailure(request, e.getMessage());
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/user/ws/DeactivateAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/user/ws/DeactivateAction.java
index a5da21e08a4..ac5b47ecbfe 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/user/ws/DeactivateAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/user/ws/DeactivateAction.java
@@ -108,19 +108,14 @@ public class DeactivateAction implements UsersWsAction {
dbClient.organizationMemberDao().deleteByUserUuid(dbSession, userUuid);
dbClient.userPropertiesDao().deleteByUser(dbSession, user);
dbClient.almPatDao().deleteByUser(dbSession, user);
- deactivateUser(dbSession, user);
+ dbClient.sessionTokensDao().deleteByUser(dbSession, user);
+ dbClient.userDao().deactivateUser(dbSession, user);
userIndexer.commitAndIndex(dbSession, user);
-
- LOGGER.debug("Deactivate user: {}; by admin: {}", login, userSession.isSystemAdministrator());
}
writeResponse(response, login);
}
- private void deactivateUser(DbSession dbSession, UserDto user) {
- dbClient.userDao().deactivateUser(dbSession, user);
- }
-
private void writeResponse(Response response, String login) {
try (DbSession dbSession = dbClient.openSession(false)) {
UserDto user = dbClient.userDao().selectByLogin(dbSession, login);
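Review bot: The rewrite drops `LOGGER.debug("Deactivate user: {}; by admin: {}", login, userSession.isSystemAdministrator());` (the old line after `commitAndIndex`), leaving no log record in this method of an account being disabled. Deactivation now also revokes the user's session tokens, which makes it a more security-relevant action, not a less loggable one; unless an equivalent authentication or audit event is emitted elsewhere (not visible in this hunk), I would keep the statement after `userIndexer.commitAndIndex(dbSession, user);`, at INFO level if it is meant for operators rather than developers. The new `sessionTokensDao().deleteByUser` call is correctly placed before the commit, so the session rows and the user's active flag change in the same transaction. The enclosing method begins before the hunk, so I cannot see whether API tokens (`user_tokens`) are revoked earlier in it; if they are not, a deactivated user's tokens would rely on an `active` check at authentication time.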
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/authentication/ws/LogoutActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/authentication/ws/LogoutActionTest.java
index 0cf8985de48..84861bc4607 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/authentication/ws/LogoutActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/authentication/ws/LogoutActionTest.java
@@ -40,7 +40,7 @@ import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.when;
import static org.sonar.db.user.UserTesting.newUserDto;
import static org.sonar.server.authentication.event.AuthenticationEvent.Source.sso;
@@ -91,34 +91,34 @@ public class LogoutActionTest {
underTest.doFilter(request, response, chain);
- verifyZeroInteractions(jwtHttpHandler, chain);
+ verifyNoInteractions(jwtHttpHandler, chain);
verify(response).setStatus(400);
}
@Test
- public void logout_logged_user() throws Exception {
+ public void logout_logged_user() {
setUser(USER);
executeRequest();
verify(jwtHttpHandler).removeToken(request, response);
- verifyZeroInteractions(chain);
+ verifyNoInteractions(chain);
verify(authenticationEvent).logoutSuccess(request, "john");
}
@Test
- public void logout_unlogged_user() throws Exception {
+ public void logout_unlogged_user() {
setNoUser();
executeRequest();
verify(jwtHttpHandler).removeToken(request, response);
- verifyZeroInteractions(chain);
+ verifyNoInteractions(chain);
verify(authenticationEvent).logoutSuccess(request, null);
}
@Test
- public void generate_auth_event_on_failure() throws Exception {
+ public void generate_auth_event_on_failure() {
setUser(USER);
AuthenticationException exception = AuthenticationException.newBuilder().setMessage("error!").setSource(sso()).build();
doThrow(exception).when(jwtHttpHandler).getToken(any(HttpServletRequest.class), any(HttpServletResponse.class));
@@ -127,7 +127,7 @@ public class LogoutActionTest {
verify(authenticationEvent).logoutFailure(request, "error!");
verify(jwtHttpHandler).removeToken(any(HttpServletRequest.class), any(HttpServletResponse.class));
- verifyZeroInteractions(chain);
+ verifyNoInteractions(chain);
}
private void executeRequest() {
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/DeactivateActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/DeactivateActionTest.java
index 010afb4a438..caaecbb3ac1 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/DeactivateActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/DeactivateActionTest.java
@@ -38,6 +38,7 @@ import org.sonar.db.property.PropertyDto;
import org.sonar.db.property.PropertyQuery;
import org.sonar.db.qualityprofile.QProfileDto;
import org.sonar.db.user.GroupDto;
+import org.sonar.db.user.SessionTokenDto;
import org.sonar.db.user.UserDto;
import org.sonar.server.es.EsTester;
import org.sonar.server.exceptions.BadRequestException;
@@ -260,6 +261,22 @@ public class DeactivateActionTest {
}
@Test
+ public void deactivate_user_deletes_his_session_tokens() {
+ logInAsSystemAdministrator();
+ UserDto user = db.users().insertUser();
+ SessionTokenDto sessionToken1 = db.users().insertSessionToken(user);
+ SessionTokenDto sessionToken2 =db.users().insertSessionToken(user);
+ UserDto anotherUser = db.users().insertUser();
+ SessionTokenDto sessionToken3 =db.users().insertSessionToken(anotherUser);
+
+ deactivate(user.getLogin());
+
+ assertThat(db.getDbClient().sessionTokensDao().selectByUuid(dbSession, sessionToken1.getUuid())).isNotPresent();
+ assertThat(db.getDbClient().sessionTokensDao().selectByUuid(dbSession, sessionToken2.getUuid())).isNotPresent();
+ assertThat(db.getDbClient().sessionTokensDao().selectByUuid(dbSession, sessionToken3.getUuid())).isPresent();
+ }
+
+ @Test
public void user_cannot_deactivate_itself_on_sonarqube() {
UserDto user = db.users().insertUser();
userSession.logIn(user.getLogin()).setSystemAdministrator();
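Review bot: Two of the new fixture lines are missing the space after `=`: `SessionTokenDto sessionToken2 =db.users().insertSessionToken(user);` and the matching `sessionToken3` line should read `SessionTokenDto sessionToken2 = db.users().insertSessionToken(user);`, consistent with `sessionToken1` two lines above. The assertions otherwise pin the intended contract well: both tokens of the deactivated user are gone and the other user's token survives. Whether a browser still presenting a JWT for the deactivated user is actually rejected afterwards is presumably exercised in the JwtHttpHandler tests rather than here.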