fix: tokens should be removed when user is disabled

fixes AM-4062

gravitee-am-gateway/gravitee-am-gateway-handler/gravitee-am-gateway-handler-scim/src/main/java/io/gravitee/am/gateway/handler/scim/service/impl/UserServiceImpl.java

@@ -47,6 +47,7 @@
 import io.gravitee.am.service.PasswordService;
 import io.gravitee.am.service.RateLimiterService;
 import io.gravitee.am.service.RoleService;
+import io.gravitee.am.service.TokenService;
 import io.gravitee.am.service.UserActivityService;
 import io.gravitee.am.service.VerifyAttemptService;
 import io.gravitee.am.service.exception.AbstractManagementException;
@@ -144,6 +145,9 @@ public class UserServiceImpl implements UserService {
     @Autowired
     private VerifyAttemptService verifyAttemptService;
 
+    @Autowired
+    private TokenService tokenService;
+
     @Override
     public Single<ListResponse<User>> list(Filter filter, int page, int size, String baseUrl) {
         LOGGER.debug("Find users by domain: {}", domain.getId());
@@ -398,7 +402,7 @@ public Single<User> innerUpdate(io.gravitee.am.model.User userIntoDb, User scimU
                                                         userToUpdate.setLastPasswordReset(new Date());
                                                     }
 
-                                                    return userRepository.update(userToUpdate, UpdateActions.build(existingUser, userToUpdate));
+                                                    return updateUser(userToUpdate, UpdateActions.build(existingUser, userToUpdate));
                                                 })
                                                 .onErrorResumeNext(ex -> {
                                                     if (ex instanceof UserNotFoundException ||
@@ -407,7 +411,7 @@ public Single<User> innerUpdate(io.gravitee.am.model.User userIntoDb, User scimU
                                                         // idp user does not exist, only update AM user
                                                         // clear password
                                                         userToUpdate.setPassword(null);
-                                                        return userRepository.update(userToUpdate, UpdateActions.build(existingUser, userToUpdate));
+                                                        return updateUser(userToUpdate, UpdateActions.build(existingUser, userToUpdate));
                                                     }
                                                     return Single.error(ex);
                                                 })
@@ -436,6 +440,12 @@ public Single<User> innerUpdate(io.gravitee.am.model.User userIntoDb, User scimU
                 });
     }
 
+    private Single<io.gravitee.am.model.User> updateUser(io.gravitee.am.model.User userToUpdate, UpdateActions updateActions){
+        Completable revokeTokens = userToUpdate.isDisabled() ?
+                tokenService.deleteByUserId(userToUpdate.getId()) : Completable.complete();
+        return revokeTokens.andThen(userRepository.update(userToUpdate, updateActions));
+    }
+
     @Override
     public Single<User> patch(String userId, PatchOp patchOp, String idp, String baseUrl, io.gravitee.am.identityprovider.api.User principal, Client client) {
         LOGGER.debug("Patch user {}", userId);

gravitee-am-gateway/gravitee-am-gateway-handler/gravitee-am-gateway-handler-scim/src/test/java/io/gravitee/am/gateway/handler/scim/service/UserServiceTest.java

@@ -42,12 +42,14 @@
 import io.gravitee.am.service.PasswordService;
 import io.gravitee.am.service.RateLimiterService;
 import io.gravitee.am.service.RoleService;
+import io.gravitee.am.service.TokenService;
 import io.gravitee.am.service.UserActivityService;
 import io.gravitee.am.service.VerifyAttemptService;
 import io.gravitee.am.service.impl.PasswordHistoryService;
 import io.gravitee.am.service.validators.email.EmailValidatorImpl;
 import io.gravitee.am.service.validators.user.UserValidator;
 import io.gravitee.am.service.validators.user.UserValidatorImpl;
+import io.reactivex.rxjava3.core.Completable;
 import io.reactivex.rxjava3.core.Flowable;
 import io.reactivex.rxjava3.core.Maybe;
 import io.reactivex.rxjava3.core.Single;
@@ -145,6 +147,9 @@ public class UserServiceTest {
     @Mock
     private VerifyAttemptService verifyAttemptService;
 
+    @Mock
+    private TokenService tokenService;
+
     @Before
     public void setUp() {
         when(passwordHistoryService.addPasswordToHistory(any(), any(), any(), any(), any(), any())).thenReturn(Maybe.just(new PasswordHistory()));
@@ -562,6 +567,7 @@ public void shouldPatchUser() throws Exception {
         when(userRepository.findById(userId)).thenReturn(Maybe.just(patchedUser));
         when(identityProviderManager.getIdentityProvider(anyString())).thenReturn(new IdentityProvider());
         when(identityProviderManager.getUserProvider(anyString())).thenReturn(Maybe.just(userProvider));
+        when(tokenService.deleteByUserId(anyString())).thenReturn(Completable.complete());
         doAnswer(invocation -> {
             io.gravitee.am.model.User userToUpdate = invocation.getArgument(0);
             Assert.assertTrue(userToUpdate.getDisplayName().equals("my user 2"));
@@ -615,6 +621,7 @@ public void shouldPatchUser_customGraviteeUser() throws Exception {
         when(userRepository.findById(userId)).thenReturn(Maybe.just(patchedUser));
         when(identityProviderManager.getIdentityProvider(anyString())).thenReturn(new IdentityProvider());
         when(identityProviderManager.getUserProvider(anyString())).thenReturn(Maybe.just(userProvider));
+        when(tokenService.deleteByUserId(anyString())).thenReturn(Completable.complete());
         doAnswer(invocation -> {
             io.gravitee.am.model.User userToUpdate = invocation.getArgument(0);
             Assert.assertTrue(userToUpdate.getAdditionalInformation().containsKey("customClaim"));

gravitee-am-management-api/gravitee-am-management-api-rest/src/main/java/io/gravitee/am/management/handlers/management/api/resources/organizations/OrganizationResource.java

@@ -26,10 +26,7 @@
 import io.gravitee.am.management.handlers.management.api.resources.organizations.roles.RolesResource;
 import io.gravitee.am.management.handlers.management.api.resources.organizations.settings.SettingsResource;
 import io.gravitee.am.management.handlers.management.api.resources.organizations.tags.TagsResource;
-import io.gravitee.am.management.handlers.management.api.resources.organizations.users.UsersResource;
-import io.gravitee.am.management.handlers.management.api.resources.platform.plugins.PluginsResource;
-import io.gravitee.am.service.OrganizationService;
-import org.springframework.beans.factory.annotation.Autowired;
+import io.gravitee.am.management.handlers.management.api.resources.organizations.users.OrganizationUsersResource;
 
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.container.ResourceContext;
@@ -85,8 +82,8 @@ public IdentityProvidersResource getIdentityProvidersResource() {
     }
 
     @Path("users")
-    public UsersResource getUsersResource() {
-        return resourceContext.getResource(UsersResource.class);
+    public OrganizationUsersResource getUsersResource() {
+        return resourceContext.getResource(OrganizationUsersResource.class);
     }
 
     @Path("settings")

gravitee-am-management-api/gravitee-am-management-api-rest/src/main/java/io/gravitee/am/management/handlers/management/api/resources/organizations/environments/domains/UserResource.java

@@ -169,7 +169,7 @@ public void updateUserStatus(
         checkAnyPermission(organizationId, environmentId, domain, Permission.DOMAIN_USER, Acl.UPDATE)
                 .andThen(domainService.findById(domain)
                         .switchIfEmpty(Maybe.error(new DomainNotFoundException(domain)))
-                        .flatMapSingle(irrelevant -> userService.updateStatus(ReferenceType.DOMAIN, domain, user, status.isEnabled(), authenticatedUser)))
+                        .flatMapSingle(irrelevant -> userService.updateStatus(domain, user, status.isEnabled(), authenticatedUser)))
                 .subscribe(response::resume, response::resume);
     }
 

gravitee-am-management-api/gravitee-am-management-api-rest/src/main/java/io/gravitee/am/management/handlers/management/api/resources/organizations/users/UserResource.java → gravitee-am-management-api/gravitee-am-management-api-rest/src/main/java/io/gravitee/am/management/handlers/management/api/resources/organizations/users/OrganizationUserResource.java

@@ -41,9 +41,7 @@
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
 import jakarta.ws.rs.*;
 import jakarta.ws.rs.container.AsyncResponse;
-import jakarta.ws.rs.container.ResourceContext;
 import jakarta.ws.rs.container.Suspended;
-import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.Response;
 import org.springframework.beans.factory.annotation.Autowired;
 
@@ -56,10 +54,7 @@
  * @author GraviteeSource Team
  */
 @SuppressWarnings("ResultOfMethodCallIgnored")
-public class UserResource extends AbstractResource {
-
-    @Context
-    private ResourceContext resourceContext;
+public class OrganizationUserResource extends AbstractResource {
 
     @Autowired
     @Named("managementOrganizationUserService")
@@ -136,7 +131,7 @@ public void updateUserStatus(
         final io.gravitee.am.identityprovider.api.User authenticatedUser = getAuthenticatedUser();
 
         checkPermission(ReferenceType.ORGANIZATION, organizationId, Permission.ORGANIZATION_USER, Acl.UPDATE)
-                .andThen(organizationUserService.updateStatus(ReferenceType.ORGANIZATION, organizationId, user, status.isEnabled(), authenticatedUser)
+                .andThen(organizationUserService.updateStatus(organizationId, user, status.isEnabled(), authenticatedUser)
                     .map(UserEntity::new))
                 .subscribe(response::resume, response::resume);
     }

gravitee-am-management-api/gravitee-am-management-api-rest/src/main/java/io/gravitee/am/management/handlers/management/api/resources/organizations/users/UsersResource.java → gravitee-am-management-api/gravitee-am-management-api-rest/src/main/java/io/gravitee/am/management/handlers/management/api/resources/organizations/users/OrganizationUsersResource.java

@@ -56,7 +56,7 @@
  * @author GraviteeSource Team
  */
 @Tags({@Tag(name= "user")})
-public class UsersResource extends AbstractUsersResource {
+public class OrganizationUsersResource extends AbstractUsersResource {
 
     @Context
     private ResourceContext resourceContext;
@@ -132,8 +132,8 @@ public void create(
     }
 
     @Path("{user}")
-    public UserResource getUserResource() {
-        return resourceContext.getResource(UserResource.class);
+    public OrganizationUserResource getUserResource() {
+        return resourceContext.getResource(OrganizationUserResource.class);
     }
 
     private Single<User> filterUserInfos(Map<Permission, Set<Acl>> organizationPermissions, User user) {

gravitee-am-management-api/gravitee-am-management-api-rest/src/test/java/io/gravitee/am/management/handlers/management/api/resources/UserResourceTest.java

@@ -34,6 +34,7 @@
 import org.assertj.core.api.Assertions;
 import org.assertj.core.api.InstanceOfAssertFactories;
 import org.junit.Test;
+import org.mockito.Mockito;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -45,6 +46,7 @@
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.doReturn;
+import static org.mockito.Mockito.times;
 
 /**
  * @author Titouan COMPIEGNE (titouan.compiegne at graviteesource.com)
@@ -293,7 +295,7 @@ public void shouldNotUpdateUsername_domainNotFound() {
     }
 
     @Test
-    public void shouldUpdateStatus() {
+    public void shouldUpdateStatus_enabled() {
         final String domainId = "domain-id";
         final Domain mockDomain = new Domain();
         mockDomain.setId(domainId);
@@ -316,6 +318,35 @@ public void shouldUpdateStatus() {
         final User user = readEntity(response, User.class);
         assertEquals(domainId, user.getReferenceId());
         assertEquals(statusEntity.isEnabled(), user.isEnabled());
+        Mockito.verifyNoInteractions(tokenService);
+    }
+
+    @Test
+    public void shouldUpdateStatus_disabled() {
+        final String domainId = "domain-id";
+        final Domain mockDomain = new Domain();
+        mockDomain.setId(domainId);
+
+        final String userId = "userId";
+        final User mockUser = new User();
+        mockUser.setId(userId);
+        mockUser.setUsername("user-username");
+        mockUser.setReferenceType(ReferenceType.DOMAIN);
+        mockUser.setReferenceId(domainId);
+        mockUser.setEnabled(false);
+
+        var statusEntity = new StatusEntity();
+        statusEntity.setEnabled(false);
+        doReturn(Maybe.just(mockDomain)).when(domainService).findById(domainId);
+        doReturn(Completable.complete()).when(tokenService).deleteByUserId(Mockito.eq(userId));
+        doReturn(Single.just(mockUser)).when(userService).updateStatus(eq(ReferenceType.DOMAIN), eq(domainId), eq(userId), eq(statusEntity.isEnabled()), any());
+
+        final Response response = target("domains").path(domainId).path("users").path(userId).path("status").request().put(Entity.json(statusEntity));
+        assertEquals(HttpStatusCode.OK_200, response.getStatus());
+        final User user = readEntity(response, User.class);
+        assertEquals(domainId, user.getReferenceId());
+        assertEquals(statusEntity.isEnabled(), user.isEnabled());
+        Mockito.verify(tokenService, times(1)).deleteByUserId(Mockito.eq(userId));
     }
 
     @Test
@@ -345,6 +376,8 @@ public void shouldUpdateStatus_organization() {
         assertEquals(mockUser.getUsername(), user.getUsername());
         assertNull(user.getPassword());
         assertEquals(statusEntity.isEnabled(), user.isEnabled());
+        Mockito.verifyNoInteractions(tokenService);
+
     }
 
     @Test

gravitee-am-management-api/gravitee-am-management-api-service/src/main/java/io/gravitee/am/management/service/OrganizationUserService.java

@@ -35,4 +35,7 @@ public interface OrganizationUserService extends CommonUserService {
     Completable resetPassword(String organizationId, User user, String password, io.gravitee.am.identityprovider.api.User principal);
 
     Single<User> updateLogoutDate(ReferenceType referenceType, String referenceId, String id);
+
+    Single<User> updateStatus(String organizationId, String id, boolean status, io.gravitee.am.identityprovider.api.User principal);
+
 }

gravitee-am-management-api/gravitee-am-management-api-service/src/main/java/io/gravitee/am/management/service/UserService.java

@@ -64,9 +64,6 @@ default Single<User> update(String domain, String id, UpdateUser updateUser) {
         return update(domain, id, updateUser, null);
     }
 
-    default Single<User> updateStatus(String domain, String userId, boolean status) {
-        return updateStatus(domain, userId, status, null);
-    }
     default Completable unlock(ReferenceType referenceType, String referenceId, String userId) {
         return unlock(referenceType, referenceId, userId, null);
     }
@@ -79,8 +76,4 @@ default Single<User> revokeRoles(ReferenceType referenceType, String referenceId
         return revokeRoles(referenceType, referenceId, userId, roles, null);
     }
 
-    default Single<User> enrollFactors(String userId, List<EnrolledFactor> factors) {
-        return enrollFactors(userId, factors, null);
-    }
-
 }

gravitee-am-management-api/gravitee-am-management-api-service/src/main/java/io/gravitee/am/management/service/impl/AbstractUserService.java

@@ -35,6 +35,7 @@
 import io.gravitee.am.service.MembershipService;
 import io.gravitee.am.service.PasswordService;
 import io.gravitee.am.service.RateLimiterService;
+import io.gravitee.am.service.TokenService;
 import io.gravitee.am.service.UserActivityService;
 import io.gravitee.am.service.VerifyAttemptService;
 import io.gravitee.am.service.exception.InvalidUserException;
@@ -156,9 +157,9 @@ private Single<UpdateUser> updateWithUserProvider(UpdateUser updateUser, User
     }
 
     @Override
-    public Single<User> updateStatus(ReferenceType referenceType, String referenceId, String id, boolean status, io.
+    public Single<User> updateStatus(ReferenceType referenceType, String referenceId, String userId, boolean status, io.
             gravitee.am.identityprovider.api.User principal) {
-        return getUserService().findById(referenceType, referenceId, id)
+        return getUserService().findById(referenceType, referenceId, userId)
                 .flatMap(user -> {
                     user.setEnabled(status);
                     return getUserService().update(user);

gravitee-am-management-api/gravitee-am-management-api-service/src/main/java/io/gravitee/am/management/service/impl/OrganizationUserServiceImpl.java

@@ -40,6 +40,8 @@
 import java.util.function.BiFunction;
 
 import static io.gravitee.am.management.service.impl.IdentityProviderManagerImpl.IDP_GRAVITEE;
+import static io.gravitee.am.model.ReferenceType.DOMAIN;
+import static io.gravitee.am.model.ReferenceType.ORGANIZATION;
 
 /**
  * @author Titouan COMPIEGNE (titouan.compiegne at graviteesource.com)
@@ -187,4 +189,9 @@ public Single<User> updateLogoutDate(ReferenceType referenceType, String referen
                     return getUserService().update(user);
                 });
     }
+
+    @Override
+    public Single<User> updateStatus(String organizationId, String userId, boolean status, io.gravitee.am.identityprovider.api.User principal) {
+        return updateStatus(ORGANIZATION, organizationId, userId, status, principal);
+    }
 }

gravitee-am-management-api/gravitee-am-management-api-service/src/main/java/io/gravitee/am/management/service/impl/UserServiceImpl.java

@@ -87,11 +87,10 @@ public class UserServiceImpl extends AbstractUserService<io.gravitee.am.service.
     private DomainService domainService;
 
     @Autowired
-    protected io.gravitee.am.service.UserService userService;
+    private io.gravitee.am.service.UserService userService;
 
     @Autowired
-    protected TokenService tokenService;
-
+    private TokenService tokenService;
 
     @Override
     protected io.gravitee.am.service.UserService getUserService() {
@@ -250,8 +249,21 @@ public Single<User> update(String domain, String id, UpdateUser updateUser, io.g
     }
 
     @Override
-    public Single<User> updateStatus(String domain, String id, boolean status, io.gravitee.am.identityprovider.api.User principal) {
-        return updateStatus(DOMAIN, domain, id, status, principal);
+    public Single<User> updateStatus(String domainId, String userId, boolean status, io.gravitee.am.identityprovider.api.User principal) {
+        return updateStatus(DOMAIN, domainId, userId, status, principal);
+    }
+
+    @Override
+    public Single<User> updateStatus(ReferenceType referenceType, String referenceId, String userId, boolean status, io.
+            gravitee.am.identityprovider.api.User principal) {
+        Completable removeTokens = status ? Completable.complete() : tokenService.deleteByUserId(userId);
+        return getUserService().findById(referenceType, referenceId, userId)
+                .flatMap(user -> {
+                    user.setEnabled(status);
+                    return removeTokens.andThen(getUserService().update(user));
+                })
+                .doOnSuccess(user1 -> auditService.report(AuditBuilder.builder(UserAuditBuilder.class).principal(principal).type((status ? EventType.USER_ENABLED : EventType.USER_DISABLED)).user(user1)))
+                .doOnError(throwable -> auditService.report(AuditBuilder.builder(UserAuditBuilder.class).principal(principal).type((status ? EventType.USER_ENABLED : EventType.USER_DISABLED)).throwable(throwable)));
     }
 
     @Override

gravitee-am-model/src/main/java/io/gravitee/am/model/User.java

@@ -849,4 +849,8 @@ public void unlockUser() {
         setAccountLockedAt(null);
         setAccountLockedUntil(null);
     }
+
+    public boolean isDisabled(){
+        return Boolean.FALSE.equals(enabled);
+    }
 }