[Prod/Test] Implement /oauth/token/revoke zone path

Author: fhanik

docs/path-based-zones-endpoints-without-z-support.md

@@ -142,20 +142,20 @@ This document lists endpoints that do **not** yet have a dual path mapping for `
 
 ## 11. OAuth / token / client admin (API – not yet covered by /z/)
 
-| Endpoint(s)                              | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints |
-|------------------------------------------|--------------------|---------------------|----------------------|-----------------------------------|
-| ✅ `/oauth/confirm_access`               | AccessController | No | No | — |
-| ✅ `/oauth/error`                        | AccessController | No | No | — |
-| `/oauth/token/revoke/user/{userId}` etc. | TokenRevocationEndpoint | No | No (OauthEndpointSecurityConfiguration /oauth/token/revoke/** has no /z/) | — |
-| ✅ `/check_token`                        | CheckTokenEndpoint | No | No | — |
-| ✅ `/introspect`                         | IntrospectEndpoint | No | No | — |
-| ✅ `/oauth/clients/**`                   | ClientAdminEndpoints, ClientMetadataAdminEndpoints | No | No (ClientAdminSecurityConfiguration has no /z/) | — |
-| `/identity-providers/**`                 | IdentityProviderEndpoints | No | No (IdentityZoneSecurityConfiguration has no /z/) | — |
-| `/identity-zones/**`                     | — | No | No | IdentityZoneEndpointsMockMvcTests (already parameterized for zone path in tests) |
-| `/Codes/**`                              | CodeStoreEndpoints | No | No | — |
-| `/email_verifications`, `/email_changes` | ChangeEmailEndpoints (SCIM) | No | No | — |
-| `/RateLimitingStatus/**`                 | RateLimitStatusController | No | No | — |
-| ✅ `/saml/metadata`, `/saml/metadata/`   | SamlMetadataEndpoint | No | No (secFilterOpenSamlEndPoints has no /z/) | — |
+| Endpoint(s)                                | Controller / Class | Controller has /z/? | Security has /z/*/? | Tests that touch these endpoints |
+|--------------------------------------------|--------------------|---------------------|----------------------|-----------------------------------|
+| ✅ `/oauth/confirm_access`                 | AccessController | No | No | — |
+| ✅ `/oauth/error`                          | AccessController | No | No | — |
+| ✅ `/oauth/token/revoke/user/{userId}` etc.| TokenRevocationEndpoint | No | No (OauthEndpointSecurityConfiguration /oauth/token/revoke/** has no /z/) | — |
+| ✅ `/check_token`                          | CheckTokenEndpoint | No | No | — |
+| ✅ `/introspect`                           | IntrospectEndpoint | No | No | — |
+| ✅ `/oauth/clients/**`                     | ClientAdminEndpoints, ClientMetadataAdminEndpoints | No | No (ClientAdminSecurityConfiguration has no /z/) | — |
+| `/identity-providers/**`                   | IdentityProviderEndpoints | No | No (IdentityZoneSecurityConfiguration has no /z/) | — |
+| `/identity-zones/**`                       | — | No | No | IdentityZoneEndpointsMockMvcTests (already parameterized for zone path in tests) |
+| `/Codes/**`                                | CodeStoreEndpoints | No | No | — |
+| `/email_verifications`, `/email_changes`   | ChangeEmailEndpoints (SCIM) | No | No | — |
+| `/RateLimitingStatus/**`                   | RateLimitStatusController | No | No | — |
+| ✅ `/saml/metadata`, `/saml/metadata/`     | SamlMetadataEndpoint | No | No (secFilterOpenSamlEndPoints has no /z/) | — |
 
 ---
 

server/src/main/java/org/cloudfoundry/identity/uaa/oauth/TokenRevocationEndpoint.java

@@ -64,7 +64,7 @@ public TokenRevocationEndpoint(
         this.generator = new RandomValueStringGenerator(8);
     }
 
-    @RequestMapping("/oauth/token/revoke/user/{userId}")
+    @RequestMapping({"/oauth/token/revoke/user/{userId}", "/z/{subdomain}/oauth/token/revoke/user/{userId}"})
     public ResponseEntity<Void> revokeTokensForUser(@PathVariable String userId) {
         logger.debug("Revoking tokens for user: " + userId);
         String zoneId = IdentityZoneHolder.get().getId();
@@ -76,7 +76,7 @@ public ResponseEntity<Void> revokeTokensForUser(@PathVariable String userId) {
         return new ResponseEntity<>(OK);
     }
 
-    @RequestMapping("/oauth/token/revoke/user/{userId}/client/{clientId}")
+    @RequestMapping({"/oauth/token/revoke/user/{userId}/client/{clientId}", "/z/{subdomain}/oauth/token/revoke/user/{userId}/client/{clientId}"})
     public ResponseEntity<Void> revokeTokensForUserAndClient(@PathVariable String userId, @PathVariable String clientId) {
         String zoneId = IdentityZoneHolder.get().getId();
         logger.debug("Revoking tokens for user " + userId + " and client " + clientId);
@@ -89,7 +89,7 @@ public ResponseEntity<Void> revokeTokensForUserAndClient(@PathVariable String us
         return new ResponseEntity<>(OK);
     }
 
-    @RequestMapping("/oauth/token/revoke/client/{clientId}")
+    @RequestMapping({"/oauth/token/revoke/client/{clientId}", "/z/{subdomain}/oauth/token/revoke/client/{clientId}"})
     public ResponseEntity<Void> revokeTokensForClient(@PathVariable String clientId) {
         logger.debug("Revoking tokens for client: " + clientId);
         String zoneId = IdentityZoneHolder.get().getId();
@@ -102,7 +102,7 @@ public ResponseEntity<Void> revokeTokensForClient(@PathVariable String clientId)
         return new ResponseEntity<>(OK);
     }
 
-    @DeleteMapping(value = "/oauth/token/revoke/{tokenId}")
+    @DeleteMapping(value = {"/oauth/token/revoke/{tokenId}", "/z/{subdomain}/oauth/token/revoke/{tokenId}"})
     public ResponseEntity<Void> revokeTokenById(@PathVariable String tokenId) {
         logger.debug("Revoking token with ID:" + tokenId);
         String zoneId = IdentityZoneHolder.get().getId();

server/src/main/java/org/cloudfoundry/identity/uaa/oauth/beans/OauthEndpointSecurityConfiguration.java

@@ -235,18 +235,18 @@ private synchronized ClientParametersAuthenticationFilter getClientParameterAuth
     @Order(FilterChainOrder.OAUTH_01)
     UaaFilterChain tokenRevocationFilter(HttpSecurity http, @Qualifier("self") IsSelfCheck selfCheck) throws Exception {
         SecurityFilterChain chain = http
-                .securityMatcher("/oauth/token/revoke/**")
+                .securityMatcher("/oauth/token/revoke/**", "/z/*/oauth/token/revoke/**")
                 .authorizeHttpRequests( auth -> {
-                    auth.requestMatchers("/oauth/token/revoke/client/**").access(anyOf(true).hasScope("tokens.revoke").isUaaAdmin().isZoneAdmin());
-                    auth.requestMatchers("/oauth/token/revoke/user/*/client/**").access(anyOf(true).hasScope("tokens.revoke").isUaaAdmin().isZoneAdmin()
+                    auth.requestMatchers("/oauth/token/revoke/client/**", "/z/*/oauth/token/revoke/client/**").access(anyOf(true).hasScope("tokens.revoke").isUaaAdmin().isZoneAdmin());
+                    auth.requestMatchers("/oauth/token/revoke/user/*/client/**", "/z/*/oauth/token/revoke/user/*/client/**").access(anyOf(true).hasScope("tokens.revoke").isUaaAdmin().isZoneAdmin()
                             .or(SelfCheckAuthorizationManager.isUserTokenRevocationForSelf(selfCheck, 4))
                             .or(SelfCheckAuthorizationManager.isClientTokenRevocationForSelf(selfCheck, 6))
                     );
-                    auth.requestMatchers("/oauth/token/revoke/user/**").access(anyOf(true)
+                    auth.requestMatchers("/oauth/token/revoke/user/**", "/z/*/oauth/token/revoke/user/**").access(anyOf(true)
                             .hasScope("tokens.revoke").isUaaAdmin()
                             .or(SelfCheckAuthorizationManager.isUserTokenRevocationForSelf(selfCheck, 4))
                     );
-                    auth.requestMatchers(HttpMethod.DELETE, "/oauth/token/revoke/**").access(anyOf(true)
+                    auth.requestMatchers(HttpMethod.DELETE, "/oauth/token/revoke/**", "/z/*/oauth/token/revoke/**").access(anyOf(true)
                             .hasScope("tokens.revoke")
                             .or(SelfCheckAuthorizationManager.isTokenRevocationForSelf(selfCheck, 3))
                     );

uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/TokenRevocationEndpointMockMvcTest.java

@@ -4,6 +4,7 @@
 import org.cloudfoundry.identity.uaa.client.UaaClientDetails;
 import org.cloudfoundry.identity.uaa.constants.OriginKeys;
 import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils;
+import org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.ZoneResolutionMode;
 import org.cloudfoundry.identity.uaa.oauth.event.TokenRevocationEvent;
 import org.cloudfoundry.identity.uaa.oauth.jwt.Jwt;
 import org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper;
@@ -14,8 +15,12 @@
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.EnumSource;
 import org.springframework.dao.EmptyResultDataAccessException;
+import org.springframework.http.HttpMethod;
 import org.springframework.web.context.support.GenericWebApplicationContext;
 
 import java.util.Collections;
@@ -27,6 +32,7 @@
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.getClientCredentialsOAuthAccessToken;
 import static org.cloudfoundry.identity.uaa.mock.util.MockMvcUtils.getUserOAuthAccessToken;
 import static org.hamcrest.Matchers.containsString;
+import static org.springframework.http.MediaType.APPLICATION_JSON;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
@@ -574,4 +580,30 @@ private ScimUser setUpUser(String username) {
         scimUser.setOrigin(OriginKeys.UAA);
         return jdbcScimUserProvisioning.createUser(scimUser, "secret", IdentityZoneHolder.get().getId());
     }
+
+    @Nested
+    class TokenRevokeZonePathSupport {
+
+        @ParameterizedTest
+        @EnumSource(ZoneResolutionMode.class)
+        void revoke_client_tokens_via_zone_path(ZoneResolutionMode mode) throws Exception {
+            String subdomain = "revokezone" + generator.generate().toLowerCase();
+            String resourceClientId = "revoke-resource-" + generator.generate();
+            IdentityZone testZone = setupIdentityZone(subdomain);
+            IdentityZoneHolder.set(testZone);
+            try {
+                setupIdentityProvider(OriginKeys.UAA);
+                setUpClients("admin", "uaa.admin", "uaa.admin", "client_credentials", true, null, null, -1, testZone);
+                setUpClients(resourceClientId, "openid", "openid", "client_credentials", true, null, null, -1, testZone);
+            } finally {
+                IdentityZoneHolder.clear();
+            }
+
+            String zoneAdminToken = MockMvcUtils.getClientCredentialsOAuthAccessToken(mode, mockMvc, "admin", SECRET, null, subdomain, false);
+
+            mockMvc.perform(mode.createRequestBuilder(subdomain, HttpMethod.GET, "/oauth/token/revoke/client/" + resourceClientId)
+                            .header("Authorization", "Bearer " + zoneAdminToken))
+                    .andExpect(status().isOk());
+        }
+    }
 }