percona · oksana-grishchenko · Apr 28, 2025 · Apr 7, 2025 · Apr 7, 2025 · Apr 8, 2025
diff --git a/.github/workflows/dev-be-ci.yaml b/.github/workflows/dev-be-ci.yaml
@@ -349,8 +349,10 @@ jobs:
         run: |
           kubectl port-forward --namespace everest-system deployment/everest-server 8080:8080 &
 
-      - name: Create Everest test user
+      - name: Create Everest test users
         run: |
+          ./bin/everestctl accounts create -u test -p password
+          echo "API_TOKEN_TEST=$(curl --location -s 'localhost:8080/v1/session' --header 'Content-Type: application/json' --data '{"username": "test","password": "password"}' | jq -r .token)" >> $GITHUB_ENV
           ./bin/everestctl accounts create -u everest_ci -p password
           echo "API_TOKEN=$(curl --location -s 'localhost:8080/v1/session' --header 'Content-Type: application/json' --data '{"username": "everest_ci","password": "password"}' | jq -r .token)" >> $GITHUB_ENV
 

diff --git a/api-tests/tests/auth.spec.ts b/api-tests/tests/auth.spec.ts
@@ -39,3 +39,25 @@ test.describe('no authorization header', () => {
     expect(version.status()).toEqual(400);
   });
 });
+
+test.describe('logout', () => {
+    test.use({
+        extraHTTPHeaders: {
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+            Authorization: `Bearer ${process.env.API_TOKEN_TEST}`,
+        },
+    });
+
+    test('authenticated api request fails after logout', async ({request}) => {
+        const versionBeforeLogout = await request.get('/v1/version');
+        // NOTE: this test is сontext-dependent, the API_TOKEN_TEST needs to be valid before each run
+        expect(versionBeforeLogout.status()).toEqual(200);
+
+        const response = await request.delete('/v1/session');
+        expect(response.status()).toEqual(204);
+
+        const versionAfterLogout = await request.get('/v1/version');
+        expect(versionAfterLogout.status()).toEqual(401);
+    });
+});
diff --git a/api/everest-server.gen.go b/api/everest-server.gen.go
diff --git a/client/everest-client.gen.go b/client/everest-client.gen.go
diff --git a/docs/spec/openapi.yml b/docs/spec/openapi.yml
@@ -59,6 +59,12 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/Error'
+        '429':
+          description: Too many attempts
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
         '500':
           description: Internal server error
           content:
@@ -72,6 +78,28 @@ paths:
           application/json:
             schema:
               $ref: '#/components/schemas/UserCredentials'
+    delete:
+      tags:
+        - Authentication & Authorization
+      summary: Everest UI Logout
+      description: |
+        This API invalidates Everest API JWT token.
+      operationId: deleteSession
+      responses:
+        '204':
+          description: Successful operation
+        '429':
+          description: Too many attempts
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
+        '500':
+          description: Internal server error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
   '/permissions':
     get:
       tags:

diff --git a/internal/server/everest.go b/internal/server/everest.go
@@ -27,6 +27,7 @@ import (
 	"net/http"
 	"slices"
 
+	"github.com/AlekSi/pointer"
 	"github.com/getkin/kin-openapi/openapi3filter"
 	"github.com/golang-jwt/jwt/v5"
 	echojwt "github.com/labstack/echo-jwt/v4"
@@ -61,6 +62,7 @@ type EverestServer struct {
 	sessionMgr    *session.Manager
 	attemptsStore *RateLimiterMemoryStore
 	handler       handlers.Handler
+	blocklist     session.Blocklist
 	oidcProvider  *oidc.ProviderConfig
 }
 
@@ -110,13 +112,19 @@ func NewEverestServer(ctx context.Context, c *config.EverestConfig, l *zap.Sugar
 		return nil, errors.Join(err, errors.New("failed to get OIDC provider config"))
 	}
 
+	blockList, err := session.NewBlocklist(ctx, kubeClient, l)
+	if err != nil {
+		return nil, errors.Join(err, errors.New("failed to configure tokens blocklist"))
+	}
+
 	e := &EverestServer{
 		config:        c,
 		l:             l,
 		echo:          echoServer,
 		kubeClient:    kubeClient,
 		sessionMgr:    sessMgr,
 		attemptsStore: store,
+		blocklist:     blockList,
 		oidcProvider:  oidcProvider,
 	}
 	e.echo.HTTPErrorHandler = e.errorHandlerChain()
@@ -202,6 +210,12 @@ func (e *EverestServer) initHTTPServer(ctx context.Context) error {
 	}
 	apiGroup.Use(jwtMW)
 
+	blocklistMW, err := e.blocklistMiddleWare()
+	if err != nil {
+		return err
+	}
+	apiGroup.Use(blocklistMW)
+
 	apiGroup.Use(e.checkOperatorUpgradeState)
 	api.RegisterHandlers(apiGroup, e)
 
@@ -363,7 +377,7 @@ func (e *EverestServer) getBodyFromContext(ctx echo.Context, into any) error {
 
 func sessionRateLimiter(limit int) (echo.MiddlewareFunc, *RateLimiterMemoryStore) {
 	allButSession := func(c echo.Context) bool {
-		return c.Request().Method != echo.POST || c.Request().URL.Path != "/v1/session"
+		return c.Request().URL.Path != "/v1/session"
 	}
 	config := echomiddleware.DefaultRateLimiterConfig
 	config.Skipper = allButSession
@@ -414,3 +428,26 @@ func everestErrorHandler(next echo.HTTPErrorHandler) echo.HTTPErrorHandler {
 		next(err, c)
 	}
 }
+
+func (e *EverestServer) blocklistMiddleWare() (echo.MiddlewareFunc, error) {
+	skipper, err := newSkipperFunc()
+	if err != nil {
+		return nil, err
+	}
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			if skipper(c) {
+				return next(c)
+			}
+			if allow, err := e.blocklist.IsAllowed(c.Request().Context()); err != nil {
+				e.l.Error(err)
+				return err
+			} else if !allow {
+				return c.JSON(http.StatusUnauthorized, api.Error{
+					Message: pointer.ToString("Invalid token"),
+				})
+			}
+			return next(c)
+		}
+	}, nil
+}
diff --git a/internal/server/session.go b/internal/server/session.go
@@ -23,11 +23,13 @@ import (
 	"time"
 
 	"github.com/AlekSi/pointer"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 	"github.com/labstack/echo/v4"
 
 	"github.com/percona/everest/api"
 	"github.com/percona/everest/pkg/accounts"
+	"github.com/percona/everest/pkg/common"
 )
 
 const (
@@ -66,6 +68,25 @@ func (e *EverestServer) CreateSession(ctx echo.Context) error {
 	return ctx.JSON(http.StatusOK, map[string]string{"token": jwtToken})
 }
 
+// DeleteSession deletes session.
+func (e *EverestServer) DeleteSession(ctx echo.Context) error {
+	e.attemptsStore.IncreaseTimeout(ctx.RealIP())
+	c := ctx.Request().Context()
+	token, ok := c.Value(common.UserCtxKey).(*jwt.Token)
+	if !ok {
+		return ctx.JSON(http.StatusUnauthorized, errors.New("failed to get token from context"))
+	}
+	if token != nil {
+		err := e.blocklist.Add(c, token)
+		if err != nil {
+			return ctx.JSON(http.StatusRequestTimeout, api.Error{
+				Message: pointer.To("Incorrect username or password provided"),
+			})
+		}
+	}
+	return ctx.NoContent(http.StatusNoContent)
+}
+
 func sessionErrToHTTPRes(ctx echo.Context, err error) error {
 	if errors.Is(err, accounts.ErrAccountNotFound) ||
 		errors.Is(err, accounts.ErrIncorrectPassword) {

diff --git a/pkg/common/constants.go b/pkg/common/constants.go
@@ -66,6 +66,8 @@ const (
 	EverestAccountsSecretName = "everest-accounts"
 	// EverestJWTSecretName is the name of the secret that holds JWT secret.
 	EverestJWTSecretName = "everest-jwt"
+	// EverestBlocklistSecretName is the name of the secret that holds JWT blocklist.
+	EverestBlocklistSecretName = "everest-blocklist"
 	// EverestJWTPrivateKeyFile is the path to the JWT private key.
 	EverestJWTPrivateKeyFile = "/etc/jwt/id_rsa"
 	// EverestJWTPublicKeyFile is the path to the JWT public key.

diff --git a/pkg/session/blocklist.go b/pkg/session/blocklist.go
@@ -0,0 +1,124 @@
+package session
+
+import (
+	"context"
+	"github.com/percona/everest/pkg/kubernetes"
+	"github.com/percona/everest/pkg/kubernetes/informer"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+	corev1 "k8s.io/api/core/v1"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/percona/everest/pkg/common"
+)
+
+const (
+	dataKey    = "list"
+	maxRetries = 10
+)
+
+type Blocklist interface {
+	Add(ctx context.Context, token *jwt.Token) error
+	IsAllowed(ctx context.Context) (bool, error)
+}
+
+type blocklist struct {
+	kubeClient   kubernetes.KubernetesConnector
+	content      ContentProcessor
+	informer     *informer.Informer
+	cachedSecret *corev1.Secret
+	l            *zap.SugaredLogger
+}
+
+type ContentProcessor interface {
+	Add(l *zap.SugaredLogger, secret *corev1.Secret, tokenData string) (*corev1.Secret, bool)
+	IsBlocked(shortenedToken string) bool
+	UpdateCache(secret *corev1.Secret)
+}
+
+func (b *blocklist) Add(ctx context.Context, token *jwt.Token) error {
+	shortenedToken, err := shortenToken(token)
+	if err != nil {
+		return err
+	}
+
+	for attempts := 0; attempts < maxRetries; attempts++ {
+		secret, err := b.kubeClient.GetSecret(ctx, common.SystemNamespace, common.EverestBlocklistSecretName)
+		if err != nil {
+			if k8serrors.IsNotFound(err) {
+				_, err = b.kubeClient.CreateSecret(ctx, blockListSecretTemplate(shortenedToken))
+				if err != nil {
+					b.l.Errorf("failed to create %s secret: %v", common.EverestBlocklistSecretName, err)
+					continue
+				}
+				return nil
+			}
+		}
+		b.cachedSecret = secret
+		secret, retryNeeded := b.content.Add(b.l, secret, shortenedToken)
+		if retryNeeded {
+			continue
+		}
+		updatedSecret, updateErr := b.kubeClient.UpdateSecret(ctx, secret)
+		if updateErr != nil {
+			b.l.Errorf("failed to update %s secret: %v", common.EverestBlocklistSecretName, updateErr)
+			continue
+		}
+		b.content.UpdateCache(updatedSecret)
+		return nil
+	}
+	return nil
+}
+
+func blockListSecretTemplate(stringData string) *corev1.Secret {
+	return &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Secret",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      common.EverestBlocklistSecretName,
+			Namespace: common.SystemNamespace,
+		},
+		StringData: map[string]string{
+			dataKey: stringData,
+		},
+	}
+}
+
+func (b *blocklist) IsAllowed(ctx context.Context) (bool, error) {
+	token, ok := ctx.Value(common.UserCtxKey).(*jwt.Token)
+	if !ok {
+		return false, errors.New("failed to get token from context")
+	}
+
+	shortenedToken, err := shortenToken(token)
+	if err != nil {
+		return false, errors.Wrap(err, "failed to shrink token")
+	}
+
+	return !b.content.IsBlocked(shortenedToken), nil
+}
+
+func NewBlocklist(ctx context.Context, kubeClient kubernetes.KubernetesConnector, logger *zap.SugaredLogger) (Blocklist, error) {
+	// read the existing blocklist token or create it
+	secret, err := kubeClient.GetSecret(ctx, common.SystemNamespace, common.EverestBlocklistSecretName)
+	if err != nil {
+		if !k8serrors.IsNotFound(err) {
+			return nil, errors.Wrap(err, "failed to get secret")
+		}
+		var createErr error
+		secret, createErr = kubeClient.CreateSecret(ctx, blockListSecretTemplate(""))
+		if createErr != nil {
+			return nil, errors.Wrap(createErr, "failed to create secret")
+		}
+	}
+	return &blocklist{
+		kubeClient: kubeClient,
+		content:    newContentProcessor(secret),
+		l:          logger,
+	}, nil
+}