Implement refresh and revoke for lg identifier backend session

longsleep · longsleep · commit b96398ac978a · 2024-09-19T11:26:27.000+02:00
With this change the libregraph identifier backend does have an
implementation for the refresh session and destroy session calls.

Refreshing a session simply loads the user from the backend, providing
the current session ID in the request headers similar to the already
existing request headers.

Destroying a session implements a new endpoint which is modeled after
the Microsoft Graph revokeSignInSessions but is only for a single
session (hooked at `/api/v1/me/revokeSignInSession`). If a backend
implements this endpoint it must do so for a POST request and return an
odata boolean value.
diff --git a/identifier/backends/libregraph/libregraph.go b/identifier/backends/libregraph/libregraph.go
@@ -54,8 +54,9 @@ const (
 )
 
 const (
-	apiPathMe    = "/api/v1/me"
-	apiPathUsers = "/api/v1/users"
+	apiPathMe                  = "/api/v1/me"
+	apiPathUsers               = "/api/v1/users"
+	apiPathRevokeSignInSession = "/api/v1/me/revokeSignInSession"
 )
 
 var libreGraphSpportedScopes = []string{
@@ -521,7 +522,7 @@ func (b *LibreGraphIdentifierBackend) GetUser(ctx context.Context, entryID strin
 	return user, nil
 }
 
-// ResolveUserByUsername implements the Beckend interface, providing lookup for
+// ResolveUserByUsername implements the Backend interface, providing lookup for
 // user by providing the username. Requests are bound to the provided context.
 func (b *LibreGraphIdentifierBackend) ResolveUserByUsername(ctx context.Context, username string) (backends.UserFromBackend, error) {
 	// Libregraph backend accept both user name and ID lookups, so this is
@@ -531,11 +532,72 @@ func (b *LibreGraphIdentifierBackend) ResolveUserByUsername(ctx context.Context,
 
 // RefreshSession implements the Backend interface.
 func (b *LibreGraphIdentifierBackend) RefreshSession(ctx context.Context, userID string, sessionRef *string, claims map[string]interface{}) error {
+	user, err := b.GetUser(ctx, userID, sessionRef, nil)
+	if err != nil {
+		return err
+	}
+	if user == nil {
+		return fmt.Errorf("refresh session did not yield a user")
+	}
 	return nil
 }
 
-// DestroySession implements the Backend interface providing destroy to KC session.
+// DestroySession implements the Backend interface providing explicit revoke
+// of the backend session.
 func (b *LibreGraphIdentifierBackend) DestroySession(ctx context.Context, sessionRef *string) error {
+	var requestedScopes map[string]bool
+	record, _ := identifier.FromRecordContext(ctx)
+	if record != nil {
+		if record.HelloRequest != nil {
+			requestedScopes = record.HelloRequest.Scopes
+		}
+	}
+
+	_, revokeSessionURL := b.getRevokeSigninSessionURL(requestedScopes)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, revokeSessionURL, http.NoBody)
+	if err != nil {
+		return fmt.Errorf("libregraph identifier backend destroy session request error: %w", err)
+	}
+
+	if sessionRef != nil {
+		sessionID := *sessionRef
+		if !strings.HasPrefix(sessionID, libreGraphIdentifierBackendName+":") {
+			// Only send the session ID if it is not a ref generated by lico.
+			req.Header.Set("X-SessionID", sessionID)
+		}
+	}
+
+	if record == nil {
+		record, _ = identifier.RecordFromRequestContext(ctx, b.config)
+	}
+	if record != nil {
+		// Inject HTTP headers.
+		if record.RealIP != "" {
+			req.Header.Set("X-User-Real-IP", record.RealIP)
+		}
+		if record.UserAgent != "" {
+			req.Header.Set("X-User-Real-User-Agent", record.UserAgent)
+		}
+	}
+	req.Header.Set("User-Agent", utils.DefaultHTTPUserAgent)
+
+	response, err := b.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("libregraph identifier backend destroy session request failed: %w", err)
+	}
+	defer response.Body.Close()
+
+	switch response.StatusCode {
+	case http.StatusOK:
+		// breaks
+	case http.StatusNotFound:
+		return nil
+	case http.StatusUnauthorized:
+		return nil
+	default:
+		return fmt.Errorf("libregraph identifier backend logon request unexpected response status: %d", response.StatusCode)
+	}
+
 	return nil
 }
 
@@ -590,3 +652,9 @@ func (b *LibreGraphIdentifierBackend) getUserURL(requestedScopes map[string]bool
 
 	return scope, baseURL + apiPathUsers
 }
+
+func (b *LibreGraphIdentifierBackend) getRevokeSigninSessionURL(requestedScopes map[string]bool) (string, string) {
+	scope, baseURL := b.getBaseURL(requestedScopes)
+
+	return scope, baseURL + apiPathRevokeSignInSession
+}
