Merge branch '3078-invalidate-tokens-on-startup' into develop

Issue #3078
PR #3208

Author: mssalvatore

monkey/monkey_island/cc/services/authentication_service/authentication_facade.py

@@ -126,6 +126,12 @@ def authorize_otp(self, otp: OTP) -> bool:
             except UnknownRecordError:
                 return False
 
+    def _otp_ttl_elapsed(self, otp: OTP) -> bool:
+        return self._otp_repository.get_expiration(otp) < time.monotonic()
+
+    def revoke_all_otps(self):
+        self._otp_repository.reset()
+
     def create_user(
         self, username: str, password: str, roles: Sequence[str], email: str = "dummy@dummy.com"
     ) -> User:
@@ -136,9 +142,6 @@ def create_user(
             email=email,
         )
 
-    def _otp_ttl_elapsed(self, otp: OTP) -> bool:
-        return self._otp_repository.get_expiration(otp) < time.monotonic()
-
     def handle_successful_registration(self, username: str, password: str):
         self._reset_island_data()
         self._reset_repository_encryptor(username, password)

monkey/monkey_island/cc/services/authentication_service/setup.py

@@ -29,6 +29,7 @@ def setup_authentication(api, app: Flask, container: DIContainer, data_dir: Path
 
     # revoke all old tokens so that the user has to log in again on startup
     authentication_facade.revoke_all_tokens_for_all_users()
+    authentication_facade.revoke_all_otps()
 
 
 def _build_authentication_facade(container: DIContainer, security: Security):

monkey/tests/unit_tests/monkey_island/cc/services/authentication_service/test_authentication_service.py

@@ -17,6 +17,7 @@
     AuthenticationFacade,
 )
 from monkey_island.cc.services.authentication_service.i_otp_repository import IOTPRepository
+from monkey_island.cc.services.authentication_service.mongo_otp_repository import MongoOTPRepository
 from monkey_island.cc.services.authentication_service.setup import setup_authentication
 from monkey_island.cc.services.authentication_service.user import User
 
@@ -261,3 +262,30 @@ def test_setup_authentication__revokes_tokens(
     assert mock_user_datastore.set_uniquifier.call_count == len(USERS)
     for user in USERS:
         mock_user_datastore.set_uniquifier.assert_any_call(user)
+
+
+def test_setup_authentication__invalidates_otps(
+    monkeypatch,
+    mock_flask_app,
+    mock_agent_event_queue: IAgentEventQueue,
+    mock_island_event_queue: IIslandEventQueue,
+    mock_repository_encryptor: ILockableEncryptor,
+):
+    mock_otp_repository = MagicMock(spec=MongoOTPRepository)
+    mock_security = MagicMock()
+    mock_security.datastore = mock_user_datastore
+    monkeypatch.setattr(
+        "monkey_island.cc.services.authentication_service.setup.configure_flask_security",
+        lambda *args: mock_security,
+    )
+
+    container = StubDIContainer()
+    container.register_instance(MongoOTPRepository, mock_otp_repository)
+    container.register_instance(ILockableEncryptor, mock_repository_encryptor)
+    container.register_instance(IIslandEventQueue, mock_island_event_queue)
+    container.register_instance(IAgentEventQueue, mock_agent_event_queue)
+    container.register_instance(pymongo.MongoClient, MockMongoClient())
+
+    setup_authentication(MagicMock(), MagicMock(), container, Path("data_dir"), MagicMock())
+
+    assert mock_otp_repository.reset.called