From 70008b40aa3780f868da94dda360ef5be6509ae3 Mon Sep 17 00:00:00 2001
From: shwsingh
Date: Thu, 30 Jan 2025 17:40:11 +0530
Subject: [PATCH] Add Hammer support for invalidating users JWTs
---
 robottelo/cli/user.py | 12 +++++
 tests/foreman/cli/test_user.py | 86 ++++++++++++++++++++++++++++++++++
 2 files changed, 98 insertions(+)
diff --git a/robottelo/cli/user.py b/robottelo/cli/user.py
index 52dc7233f52..9921b794a9e 100644
--- a/robottelo/cli/user.py
+++ b/robottelo/cli/user.py
@@ -132,3 +132,15 @@ def mail_notification_add(cls, options=None):
 """
 cls.command_sub = 'mail-notification add'
 return cls.execute(cls._construct_command(options), output_format='csv')
+
+ @classmethod
+ def invalidate(cls, options=None):
+ """Invalidate JWTs for a single user"""
+ cls.command_sub = 'registration-tokens invalidate'
+ return cls.execute(cls._construct_command(options))
+
+ @classmethod
+ def invalidate_multiple(cls, options=None):
+ """Invalidate JWTs for multiple users"""
+ cls.command_sub = 'registration-tokens invalidate-multiple'
+ return cls.execute(cls._construct_command(options))
diff --git a/tests/foreman/cli/test_user.py b/tests/foreman/cli/test_user.py
index 8680183c829..cb17387051b 100644
--- a/tests/foreman/cli/test_user.py
+++ b/tests/foreman/cli/test_user.py 
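Review bot: `invalidate` and `invalidate_multiple` return the raw hammer output rather than parsed CSV (unlike `mail_notification_add` just above, which passes `output_format='csv'`), and their one-line docstrings name neither the option each expects nor that result shape; the test hunk in tests/foreman/cli/test_user.py drives them with `'user-id'` and `'search'` and string-matches the returned text. I would expand them to something like `"""Invalidate JWTs for a single user. `options` expects 'user-id'; returns the raw hammer output."""` and `"""Invalidate JWTs for every user matched by the 'search' option; returns the raw hammer output."""`. Because `invalidate_multiple` acts on whatever the search expression matches, a caller passing an overly broad search revokes more tokens than intended, which is worth stating in the docstring so test authors scope the search to explicit ids as the new test does. If the raw-string return is deliberate, a short comment saying why CSV output is not requested here would stop the next reader from "fixing" it.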
@@ -587,3 +587,89 @@ def test_negative_personal_access_token_invalid_date(self, target_sat):
 action='create',
 options={'name': token_name, 'user-id': user['id'], 'expires-at': datetime_expire},
 )
+
+
+@pytest.mark.no_containers
+@pytest.mark.parametrize('auth_type', ['admin', 'non-admin'])
+@pytest.mark.rhel_ver_list([settings.content_host.default_rhel_version])
+def test_positive_invalidating_users_tokens(
+ module_target_sat, rhel_contenthost, module_activation_key, module_org, auth_type
+):
+ """Verify invalidating single and multiple users tokens.
+
+ :id: 5db602d4-9c57-4b70-8d46-5323044824e0
+
+ :steps:
+ 1. Create an admin user and a non-admin user with "edit_users" and "register_hosts" permission.
+ 2. Generate a token with admin user and register a host with it, it should be successful.
+ 3. Invalidate the token and try to use the generated token again to register the host, it should fail.
+ 4. Invalidate tokens for multiple users with "invalidate-multiple" command, it should invalidate all the tokens for provided users.
+ 5. Repeat Steps 2,3 and 4 with non-admin user and it should work the same way.
+
+ :expectedresults: Tokens invalidated cannot be used for registration of hosts. 
+
+ :CaseImportance: Critical
+
+ :Verifies: SAT-30385
+ """
+ admin_login = gen_string('alpha')
+ non_admin_login = gen_string('alpha')
+ password = gen_string('alpha')
+ login = admin_login
+ admin_user = module_target_sat.cli_factory.user(
+ {
+ 'login': admin_login,
+ 'password': password,
+ 'admin': '1',
+ 'organization-ids': module_org.id,
+ }
+ )
+ user = admin_user
+ # Non-Admin user with "edit_users" permission and "Register hosts" role
+ non_admin_user = module_target_sat.cli_factory.user(
+ {'login': non_admin_login, 'password': password, 'organization-ids': module_org.id}
+ )
+ if auth_type == 'non-admin':
+ login = non_admin_login
+ user = non_admin_user
+ role = module_target_sat.cli_factory.make_role({'organization-id': module_org.id})
+ module_target_sat.cli_factory.add_role_permissions(
+ role.id,
+ resource_permissions={'User': {'permissions': ['edit_users']}},
+ )
+ module_target_sat.cli.User.add_role({'id': non_admin_user['id'], 'role-id': role['id']})
+ register_role = module_target_sat.satellite.cli.Role.info({'name': 'Register hosts'})
+ module_target_sat.cli.User.add_role(
+ {'id': non_admin_user['id'], 'role-id': register_role['id']}
+ )
+
+ # Generate token and verify token invalidation
+ cmd = module_target_sat.cli.HostRegistration.with_user(login, password).generate_command(
+ options={
+ 'activation-keys': module_activation_key.name,
+ 'insecure': 'true',
+ 'organization-id': module_org.id,
+ }
+ )
+ result = rhel_contenthost.execute(cmd.strip('\n'))
+ assert result.status == 0, f'Failed to register host: {result.stderr}'
+
+ # Invalidate JWTs for a single user
+ result = module_target_sat.cli.User.with_user(login, password).invalidate(
+ options={
+ 'user-id': user['id'],
+ }
+ )
+ assert f'Successfully invalidated registration tokens for {login}' in result
+
+ rhel_contenthost.unregister()
+ # Re-register the host with invalidated token
+ result = rhel_contenthost.execute(cmd.strip('\n'))
+ assert result.status == 1
+ assert "ERROR: 
unauthorized" in result.stdout
+
+ # Invalidate JWTs for multiple users
+ result = module_target_sat.cli.User.with_user(login, password).invalidate_multiple(
+ options={'search': f"id ^ ({admin_user['id']}, {non_admin_user['id']})"}
+ )
+ assert "Successfully invalidated registration tokens" in result
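Review bot: After `invalidate_multiple` the test only checks the success message, so step 4 of the docstring ("it should invalidate all the tokens for provided users") is never actually verified — the one negative registration check (`result.status == 1` / `"ERROR: unauthorized"`) happens after the single-user `invalidate`, and re-running `cmd` later would prove nothing because that token is already revoked. Generate a fresh registration command for `login` before the bulk call and assert it is rejected afterwards, as sketched below. Smaller points: `role.id` and `role['id']` are used for the same object two lines apart, and `module_target_sat.satellite.cli.Role.info` differs from the `module_target_sat.cli.` prefix used everywhere else in the hunk — if both name the same object, pick one. The final `assert "Successfully invalidated registration tokens" in result` matches raw CLI text, so a wording change in hammer would fail the test even when invalidation works; a one-line comment noting that the message prefix is the only signal available from the raw output would make that trade-off explicit.
```python
    # … unchanged: single-user invalidation and failed re-registration with `cmd` …

    # Fresh token issued after the single-user invalidation; it must stop
    # working once invalidate-multiple covers this user as well.
    fresh_cmd = module_target_sat.cli.HostRegistration.with_user(login, password).generate_command(
        options={
            'activation-keys': module_activation_key.name,
            'insecure': 'true',
            'organization-id': module_org.id,
        }
    )

    # Invalidate JWTs for multiple users
    result = module_target_sat.cli.User.with_user(login, password).invalidate_multiple(
        options={'search': f"id ^ ({admin_user['id']}, {non_admin_user['id']})"}
    )
    assert "Successfully invalidated registration tokens" in result

    # The bulk call must reject the token issued to this user before it ran
    result = rhel_contenthost.execute(fresh_cmd.strip('\n'))
    assert result.status == 1
    assert "ERROR: unauthorized" in result.stdout
```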