Add Hammer support for invalidating users JWTs

robottelo/cli/user.py

@@ -132,3 +132,15 @@ def mail_notification_add(cls, options=None):
         """
         cls.command_sub = 'mail-notification add'
         return cls.execute(cls._construct_command(options), output_format='csv')
+
+    @classmethod
+    def invalidate(cls, options=None):
+        """Invalidate JWTs for a single user"""
+        cls.command_sub = 'registration-tokens invalidate'
+        return cls.execute(cls._construct_command(options))
+
+    @classmethod
+    def invalidate_multiple(cls, options=None):
+        """Invalidate JWTs for multiple users"""
+        cls.command_sub = 'registration-tokens invalidate-multiple'
+        return cls.execute(cls._construct_command(options))

tests/foreman/cli/test_user.py

@@ -587,3 +587,117 @@ def test_negative_personal_access_token_invalid_date(self, target_sat):
                 action='create',
                 options={'name': token_name, 'user-id': user['id'], 'expires-at': datetime_expire},
             )
+
+
+@pytest.mark.rhel_ver_list([settings.content_host.default_rhel_version])
+def test_positive_invalidating_users_tokens(
+    module_target_sat, rhel_contenthost, module_activation_key, module_org
+):
+    """Verify invalidating single and multiple users tokens.
+
+    :id: 5db602d4-9c57-4b70-8d46-5323044824e0
+
+    :steps:
+        1. Create an admin user and a non-admin user with "edit_users" and "register_hosts" permission.
+        2. Generate a token with admin user and register a host with it, it should be successful.
+        3. Invalidate the token and try to use the generated token again to register the host, it should fail.
+        4. Invalidate tokens for multiple users with "invalidate-multiple" command, it should invalidate all the tokens for provided users.
+        5. Repeat Steps 2,3 and 4 with non-admin user and it should work the same way.
+
+    :expectedresults: Tokens invalidated cannot be used for registration of hosts.
+
+    :CaseImportance: Critical
+
+    :Verifies: SAT-30385
+    """
+    admin_login = gen_string('alpha')
+    non_admin_login = gen_string('alpha')
+    password = gen_string('alpha')
+
+    admin_user = module_target_sat.cli_factory.user(
+        {
+            'login': admin_login,
+            'password': password,
+            'admin': '1',
+            'organization-ids': module_org.id,
+        }
+    )
+
+    # Non-Admin user with "edit_users" permission and "Register hosts" role
+    non_admin_user = module_target_sat.cli_factory.user(
+        {'login': non_admin_login, 'password': password, 'organization-ids': module_org.id}
+    )
+
+    role = module_target_sat.cli_factory.make_role({'organization-id': module_org.id})
+    module_target_sat.cli_factory.add_role_permissions(
+        role.id,
+        resource_permissions={'User': {'permissions': ['edit_users']}},
+    )
+    module_target_sat.cli.User.add_role({'id': non_admin_user['id'], 'role-id': role['id']})
+    register_role = module_target_sat.satellite.cli.Role.info({'name': 'Register hosts'})
+    module_target_sat.cli.User.add_role(
+        {'id': non_admin_user['id'], 'role-id': register_role['id']}
+    )
+
+    # Generate token with admin user and verify token invalidation
+    cmd = module_target_sat.cli.HostRegistration.with_user(admin_login, password).generate_command(
+        options={
+            'activation-keys': module_activation_key.name,
+            'insecure': 'true',
+            'organization-id': module_org.id,
+        }
+    )
+    result = rhel_contenthost.execute(cmd.strip('\n'))
+    assert result.status == 0, f'Failed to register host: {result.stderr}'
+
+    # Invalidate JWTs for a single user
+    result = module_target_sat.cli.User.with_user(admin_login, password).invalidate(
+        options={
+            'user-id': admin_user['id'],
+        }
+    )
+    assert f'Successfully invalidated registration tokens for {admin_login}' in result
+
+    # Re-register the host with invalidated token
+    result = rhel_contenthost.execute(cmd.strip('\n'))
+    assert result.status == 1
+    assert "ERROR: unauthorized" in result.stdout
+
+    # Invalidate JWTs for multiple users
+    result = module_target_sat.cli.User.with_user(admin_login, password).invalidate_multiple(
+        options={'search': f"id ^ ({admin_user['id']}, {non_admin_user['id']})"}
+    )
+    assert "Successfully invalidated registration tokens" in result
+
+    # Generate token with non-admin user and verify token invalidation
+    cmd = module_target_sat.cli.HostRegistration.with_user(
+        non_admin_login, password
+    ).generate_command(
+        options={
+            'activation-keys': module_activation_key.name,
+            'insecure': 'true',
+            'organization-id': module_org.id,
+            'force': 'true',
+        }
+    )
+    result = rhel_contenthost.execute(cmd.strip('\n'))
+    assert result.status == 0, f'Failed to register host: {result.stderr}'
+
+    # Invalidate JWTs for a single user
+    result = module_target_sat.cli.User.with_user(non_admin_login, password).invalidate(
+        options={
+            'user-id': non_admin_user['id'],
+        }
+    )
+    assert f'Successfully invalidated registration tokens for {non_admin_login}' in result
+
+    # Re-register the host with invalidated token
+    result = rhel_contenthost.execute(cmd.strip('\n'))
+    assert result.status == 1
+    assert "ERROR: unauthorized" in result.stdout
+
+    # Invalidate JWTs for multiple users
+    result = module_target_sat.cli.User.with_user(non_admin_login, password).invalidate_multiple(
+        options={'search': f"id ^ ({admin_user['id']}, {non_admin_user['id']})"}
+    )
+    assert "Successfully invalidated registration tokens" in result