1   /*
2    * Copyright 2017 LINE Corporation
3    *
4    * LINE Corporation licenses this file to you under the Apache License,
5    * version 2.0 (the "License"); you may not use this file except in compliance
6    * with the License. You may obtain a copy of the License at:
7    *
8    *   https://www.apache.org/licenses/LICENSE-2.0
9    *
10   * Unless required by applicable law or agreed to in writing, software
11   * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
12   * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
13   * License for the specific language governing permissions and limitations
14   * under the License.
15   */
16  
17  package com.linecorp.centraldogma.server.auth.shiro;
18  
19  import static java.util.Objects.requireNonNull;
20  
21  import java.util.concurrent.CompletableFuture;
22  import java.util.function.Function;
23  
24  import org.apache.shiro.mgt.SecurityManager;
25  import org.apache.shiro.session.Session;
26  import org.apache.shiro.session.mgt.DefaultSessionKey;
27  import org.apache.shiro.subject.Subject;
28  import org.apache.shiro.util.ThreadContext;
29  import org.slf4j.Logger;
30  import org.slf4j.LoggerFactory;
31  
32  import com.linecorp.armeria.common.HttpRequest;
33  import com.linecorp.armeria.common.HttpResponse;
34  import com.linecorp.armeria.common.HttpStatus;
35  import com.linecorp.armeria.common.RequestHeaders;
36  import com.linecorp.armeria.server.AbstractHttpService;
37  import com.linecorp.armeria.server.ServiceRequestContext;
38  import com.linecorp.armeria.server.auth.AuthTokenExtractors;
39  import com.linecorp.centraldogma.server.internal.api.HttpApiUtil;
40  
41  /**
42   * A service to handle a logout request to Central Dogma Web admin service.
43   */
44  final class LogoutService extends AbstractHttpService {
45  
46      private static final Logger logger = LoggerFactory.getLogger(LogoutService.class);
47  
48      private final SecurityManager securityManager;
49      private final Function<String, CompletableFuture<Void>> logoutSessionPropagator;
50  
51      LogoutService(SecurityManager securityManager,
52                    Function<String, CompletableFuture<Void>> logoutSessionPropagator) {
53          this.securityManager = requireNonNull(securityManager, "securityManager");
54          this.logoutSessionPropagator = requireNonNull(logoutSessionPropagator, "logoutSessionPropagator");
55      }
56  
57      @Override
58      protected HttpResponse doPost(ServiceRequestContext ctx, HttpRequest req) throws Exception {
59          return HttpResponse.from(
60                  req.aggregate().thenApply(msg -> AuthTokenExtractors.oAuth2().apply(
61                          RequestHeaders.of(msg.headers())))
62                     .thenApplyAsync(token -> {
63                         if (token == null) {
64                             return HttpResponse.of(HttpStatus.OK);
65                         }
66  
67                         final String sessionId = token.accessToken();
68                         // Need to set the thread-local security manager to silence
69                         // the UnavailableSecurityManagerException logged at DEBUG level.
70                         ThreadContext.bind(securityManager);
71                         try {
72                             final Session session = securityManager.getSession(new DefaultSessionKey(sessionId));
73                             if (session != null) {
74                                 final Subject currentUser = new Subject.Builder(securityManager)
75                                         .sessionCreationEnabled(false)
76                                         .sessionId(sessionId)
77                                         .buildSubject();
78  
79                                 // Get the principal before logging out because otherwise it will be cleared out.
80                                 final String username = (String) currentUser.getPrincipal();
81                                 currentUser.logout();
82                             }
83                         } catch (Throwable t) {
84                             logger.warn("{} Failed to log out: {}", ctx, sessionId, t);
85                         } finally {
86                             ThreadContext.unbindSecurityManager();
87                         }
88  
89                         // Do not care the exception raised before, then try to remove session from the
90                         // Central Dogma session manager. If it succeeded, the session ID has been also
91                         // invalidated so that the logout request with the session ID would not come here again.
92                         return HttpResponse.from(
93                                 logoutSessionPropagator.apply(sessionId).handle((unused, cause) -> {
94                                     if (cause != null) {
95                                         return HttpResponse.of(HttpApiUtil.newResponse(
96                                                 ctx, HttpStatus.INTERNAL_SERVER_ERROR, cause));
97                                     } else {
98                                         return HttpResponse.of(HttpStatus.OK);
99                                     }
100                                }));
101                    }, ctx.blockingTaskExecutor()));
102     }
103 }