Merge pull request #405 from wultra/issues/backport-revoke-recovery

Backport of revoking of recovery codes during remove activation action

Author: romanstrobl

docs/PowerAuth-Server-0.22.0.md

@@ -313,3 +313,7 @@ The [VerifyOfflineSignature](./SOAP-Service-Methods.md#method-verifyofflinesigna
 ### External User Identifier
 
 The [CommitActivation](./SOAP-Service-Methods.md#method-commitactivation), [RemoveActivation](./SOAP-Service-Methods.md#method-removeactivation), [BlockActivation](./SOAP-Service-Methods.md#method-blockactivation) and [UnblockActivation](./SOAP-Service-Methods.md#method-unblockactivation) methods have been updated to allow specification of external user identifier. The related PowerAuth client methods have been updated to reflect the change of parameters. If you use any of these methods, please update the SOAP method call.
+
+### Revoking Recovery Codes on Activation Removal
+
+We added an optional `revokeRecoveryCodes` attribute to [activation removal service call](./SOAP-Service-Methods.md#method-removeactivation). This flag indicates if recovery codes that are associated with removed activation should be also revoked. By default, the value of the flag is `false`, hence omitting the flag results in the same behavior as before this change. 

docs/PowerAuth-Server-0.23.0.md

@@ -96,4 +96,10 @@ The reason for the change is that the original function is no longer usable for
 
 ## Database record encryption
 
-If you turned on additional database record encryption in any previous PowerAuth Server version (see [Encrypting Records in Database](Encrypting-Records-in-Database.md#additional-record-encryption)), please contact us at [[email protected]](mailto:[email protected]). The encryption scheme has been slightly changed, so we can help you with the migration.
+If you turned on additional database record encryption in any previous PowerAuth Server version (see [Encrypting Records in Database](Encrypting-Records-in-Database.md#additional-record-encryption)), please contact us at [[email protected]](mailto:[email protected]). The encryption scheme has been slightly changed, so we can help you with the migration.
+
+## SOAP Endpoint Changes
+
+### Revoking Recovery Codes on Activation Removal
+
+We added an optional `revokeRecoveryCodes` attribute to [activation removal service call](./SOAP-Service-Methods.md#method-removeactivation). This flag indicates if recovery codes that are associated with removed activation should be also revoked. By default, the value of the flag is `false`, hence omitting the flag results in the same behavior as before this change. 

docs/SOAP-Service-Methods.md

@@ -491,6 +491,7 @@ Remove activation with given ID. This operation is irreversible. Activations can
 |------|------|-------------|
 | `String` | `activationId` | An identifier of an activation |
 | `String` | `externalUserId` | User ID of user who removed the activation. Use null value if activation owner caused the change. |
+| `Boolean` | `revokeRecoveryCodes` | An optional flag that indicates if recovery codes, that were created in the scope of the removed activation, should be also revoked. |
 
 #### Response
 

powerauth-java-client-axis/src/main/java/io/getlime/security/powerauth/soap/axis/client/PowerAuthServiceClient.java

@@ -476,9 +476,22 @@ public PowerAuthPortV3ServiceStub.RemoveActivationResponse removeActivation(Powe
      * @throws RemoteException In case of a business logic error.
      */
     public PowerAuthPortV3ServiceStub.RemoveActivationResponse removeActivation(String activationId, String externalUserId) throws RemoteException {
+        return this.removeActivation(activationId, externalUserId, false);
+    }
+
+    /**
+     * Call the removeActivation method of the PowerAuth 3.0 Server SOAP interface.
+     * @param activationId Activation ID of activation to be removed.
+     * @param externalUserId User ID of user who removed the activation. Use null value if activation owner caused the change.
+     * @param revokeRecoveryCodes Indicates if the recovery codes associated with this activation should be also revoked.
+     * @return {@link io.getlime.powerauth.soap.v3.PowerAuthPortV3ServiceStub.RemoveActivationResponse}
+     * @throws RemoteException In case of a business logic error.
+     */
+    public PowerAuthPortV3ServiceStub.RemoveActivationResponse removeActivation(String activationId, String externalUserId, Boolean revokeRecoveryCodes) throws RemoteException {
         PowerAuthPortV3ServiceStub.RemoveActivationRequest request = new PowerAuthPortV3ServiceStub.RemoveActivationRequest();
         request.setActivationId(activationId);
         request.setExternalUserId(externalUserId);
+        request.setRevokeRecoveryCodes(revokeRecoveryCodes);
         return this.removeActivation(request);
     }
 

powerauth-java-client-axis/src/main/resources/soap/wsdl/serviceV3.wsdl

@@ -448,6 +448,7 @@
                     <xs:sequence>
                         <xs:element maxOccurs="1" minOccurs="1" name="activationId" type="xs:string"/>
                         <xs:element maxOccurs="1" minOccurs="0" name="externalUserId" type="xs:string"/>
+                        <xs:element maxOccurs="1" minOccurs="0" name="revokeRecoveryCodes" type="xs:boolean"/>
                     </xs:sequence>
                 </xs:complexType>
             </xs:element>

powerauth-java-client-spring/src/main/java/io/getlime/security/powerauth/soap/spring/client/PowerAuthServiceClient.java

@@ -344,9 +344,21 @@ public RemoveActivationResponse removeActivation(RemoveActivationRequest request
      * @return {@link RemoveActivationResponse}
      */
     public RemoveActivationResponse removeActivation(String activationId, String externalUserId) {
+        return this.removeActivation(activationId, externalUserId, false);
+    }
+
+    /**
+     * Call the removeActivation method of the PowerAuth 3.0 Server SOAP interface.
+     * @param activationId Activation ID of activation to be removed.
+     * @param externalUserId User ID of user who removed the activation. Use null value if activation owner caused the change.
+     * @param revokeRecoveryCodes Indicates if the recovery codes associated with this activation should be also revoked.
+     * @return {@link RemoveActivationResponse}
+     */
+    public RemoveActivationResponse removeActivation(String activationId, String externalUserId, Boolean revokeRecoveryCodes) {
         RemoveActivationRequest request = new RemoveActivationRequest();
         request.setActivationId(activationId);
         request.setExternalUserId(externalUserId);
+        request.setRevokeRecoveryCodes(revokeRecoveryCodes);
         return this.removeActivation(request);
     }
 

powerauth-java-client-spring/src/main/resources/soap/wsdl/serviceV3.wsdl

@@ -448,6 +448,7 @@
                     <xs:sequence>
                         <xs:element maxOccurs="1" minOccurs="1" name="activationId" type="xs:string"/>
                         <xs:element maxOccurs="1" minOccurs="0" name="externalUserId" type="xs:string"/>
+                        <xs:element maxOccurs="1" minOccurs="0" name="revokeRecoveryCodes" type="xs:boolean"/>
                     </xs:sequence>
                 </xs:complexType>
             </xs:element>

powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/database/repository/RecoveryCodeRepository.java

@@ -49,6 +49,14 @@ public interface RecoveryCodeRepository extends CrudRepository<RecoveryCodeEntit
     @Query("SELECT r FROM RecoveryCodeEntity r WHERE r.userId = :userId ORDER BY r.timestampCreated DESC")
     List<RecoveryCodeEntity> findAllByUserId(String userId);
 
+    /**
+     * Find all recovery codes for given activation ID.
+     * @param activationId Activation ID.
+     * @return Recovery codes matching search criteria.
+     */
+    @Query("SELECT r FROM RecoveryCodeEntity r WHERE r.activationId = :activationId ORDER BY r.timestampCreated DESC")
+    List<RecoveryCodeEntity> findAllByActivationId(String activationId);
+
     /**
      * Find all recovery codes for given application ID and user ID.
      * @param applicationId Application ID.

powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/behavior/tasks/v3/ActivationServiceBehavior.java

@@ -1095,10 +1095,11 @@ public CommitActivationResponse commitActivation(String activationId, String ext
      *
      * @param activationId Activation ID.
      * @param externalUserId User ID of user who removed the activation. Use null value if activation owner caused the change.
+     * @param revokeRecoveryCodes Flag that indicates if a recover codes associated with this activation should be also revoked.
      * @return Response with confirmation of removal.
      * @throws GenericServiceException In case activation does not exist.
      */
-    public RemoveActivationResponse removeActivation(String activationId, String externalUserId) throws GenericServiceException {
+    public RemoveActivationResponse removeActivation(String activationId, String externalUserId, boolean revokeRecoveryCodes) throws GenericServiceException {
         ActivationRecordEntity activation = repositoryCatalogue.getActivationRepository().findActivationWithLock(activationId);
         if (activation != null) { // does the record even exist?
             activation.setActivationStatus(io.getlime.security.powerauth.app.server.database.model.ActivationStatus.REMOVED);
@@ -1107,6 +1108,26 @@ public RemoveActivationResponse removeActivation(String activationId, String ext
             RemoveActivationResponse response = new RemoveActivationResponse();
             response.setActivationId(activationId);
             response.setRemoved(true);
+            if (revokeRecoveryCodes) {
+                final RecoveryCodeRepository recoveryCodeRepository = repositoryCatalogue.getRecoveryCodeRepository();
+                final List<RecoveryCodeEntity> recoveryCodeEntities = recoveryCodeRepository.findAllByActivationId(activationId);
+                final Date now = new Date();
+                for (RecoveryCodeEntity recoveryCode : recoveryCodeEntities) {
+                    // revoke only codes that are not yet revoked, to avoid messing up with timestamp
+                    if (!RecoveryCodeStatus.REVOKED.equals(recoveryCode.getStatus())) {
+                        recoveryCode.setStatus(RecoveryCodeStatus.REVOKED);
+                        recoveryCode.setTimestampLastChange(now);
+                        // Change status of PUKs with status VALID to INVALID
+                        for (RecoveryPukEntity puk : recoveryCode.getRecoveryPuks()) {
+                            if (RecoveryPukStatus.VALID.equals(puk.getStatus())) {
+                                puk.setStatus(RecoveryPukStatus.INVALID);
+                                puk.setTimestampLastChange(now);
+                            }
+                        }
+                        recoveryCodeRepository.save(recoveryCode);
+                    }
+                }
+            }
             return response;
         } else {
             logger.info("Activation does not exist, activation ID: {}", activationId);
@@ -1339,19 +1360,7 @@ public RecoveryCodeActivationResponse createActivationUsingRecoveryCode(Recovery
 
             // If recovery code is bound to an existing activation, remove this activation
             if (recoveryCodeEntity.getActivationId() != null) {
-                removeActivation(recoveryCodeEntity.getActivationId(), null);
-                // If there are no PUKs in VALID state left, set the recovery code status to REVOKED
-                boolean validPukExists = false;
-                for (RecoveryPukEntity recoveryPukEntity : recoveryCodeEntity.getRecoveryPuks()) {
-                    if (RecoveryPukStatus.VALID.equals(recoveryPukEntity.getStatus())) {
-                        validPukExists = true;
-                        break;
-                    }
-                }
-                if (!validPukExists) {
-                    recoveryCodeEntity.setStatus(RecoveryCodeStatus.REVOKED);
-                    recoveryCodeEntity.setTimestampLastChange(new Date());
-                }
+                removeActivation(recoveryCodeEntity.getActivationId(), null, true);
             }
 
             // Persist recovery code changes

powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/behavior/tasks/v3/RecoveryServiceBehavior.java

@@ -423,6 +423,9 @@ public LookupRecoveryCodesResponse lookupRecoveryCodes(LookupRecoveryCodesReques
         } else if (userId != null) {
             // User ID is specified
             recoveryCodesEntities = recoveryCodeRepository.findAllByUserId(userId);
+        } else if (activationId != null) {
+            // Activation ID is specified
+            recoveryCodesEntities = recoveryCodeRepository.findAllByActivationId(activationId);
         } else {
             // Only application ID is specified, such request is not allowed
             logger.warn("Invalid request for lookup of recovery codes");

powerauth-java-server/src/main/java/io/getlime/security/powerauth/app/server/service/v3/PowerAuthServiceImpl.java

@@ -468,8 +468,13 @@ public RemoveActivationResponse removeActivation(RemoveActivationRequest request
         try {
             String activationId = request.getActivationId();
             String externalUserId = request.getExternalUserId();
-            logger.info("RemoveActivationRequest received, activation ID: {}", activationId);
-            RemoveActivationResponse response = behavior.getActivationServiceBehavior().removeActivation(activationId, externalUserId);
+            Boolean revokeRecoveryCodes = request.isRevokeRecoveryCodes();
+            if (revokeRecoveryCodes == null) {
+                // The default value is false for revokeRecoveryCodes
+                revokeRecoveryCodes = false;
+            }
+            logger.info("RemoveActivationRequest received, activation ID: {}, revoke recovery codes: {}", activationId, revokeRecoveryCodes);
+            RemoveActivationResponse response = behavior.getActivationServiceBehavior().removeActivation(activationId, externalUserId, revokeRecoveryCodes);
             logger.info("RemoveActivationRequest succeeded");
             return response;
         } catch (GenericServiceException ex) {

powerauth-java-server/src/main/resources/xsd/PowerAuth-3.0.xsd

@@ -454,6 +454,7 @@
             <xs:sequence>
                 <xs:element name="activationId" type="xs:string" minOccurs="1" maxOccurs="1"/>
                 <xs:element name="externalUserId" type="xs:string" minOccurs="0" maxOccurs="1"/>
+                <xs:element name="revokeRecoveryCodes" type="xs:boolean" minOccurs="0" maxOccurs="1"/>
             </xs:sequence>
         </xs:complexType>
     </xs:element>