Allow configuring max age and expiry notifications for login tokens (#28)

* Allow configuring max age and expiry notifications for login tokens

- Trying to enforce maximum security, access tokens should not be valid forever.
- It is possible to implement automatic token rotation by directly accessing the REST service similar to what the UI does.
- Enabling max token age invalidation (which is optional and off by default for backwards compatibility) means a lot more invalidation happen.
- To help users troubleshoot 401 errors when contacting nexus, a possibility to notify users via email when their tokens expire was introduced.
- This is entirely optional and will only work if Nexus has a mail server configured via default Sonatype means.
- Leveraging OAuth2 Proxys behaviour and correct reverse proxy configuration, this allows to use API tokens like OIDC access tokens with very limited lifespan, where renewing the API token requires full OIDC login, potentially including 2FA, Passkeys or whatever login method is configured.
- If everything is configured correctly, it is not possible to renew the API token with an existing API token, but only with full OAuth2 Proxy login, further strengthening security

* Adjust README to explain the new possibilites

---------

Co-authored-by: marco.herglotz <marco.herglotz@cas.de>

Author: herglotzmarco

docs/README.md

@@ -24,8 +24,12 @@ It is important to highlight that this plugin is provided on an 'as-is' basis, w
   * the groups received in the related header will be stored in a dedicated database table and become available for the 'external role mapping' functionality
   * ⚠️ note: [currently it is necessary](https://github.com/tumbl3w33d/nexus-oauth2-proxy-plugin/issues/26) to use this mapping mechanism because assigning Nexus' default roles to users created via plugin has no effect
 * automatic expiry of API tokens
-  * there is a configurable task that lets API tokens expire, so another login by the user is necessary to renew it
-  * as long as the user keeps showing up regularly, their token will not expire
+  * there is a configurable task that lets API tokens expire, so another login and manual renewal by the user is necessary
+  * by default, the token will expire after 30 days of inactivity. As long as the user keeps showing up regularly, their token will not expire
+  * The expiration can be configured as a regular nexus task. You can:
+    * adjust inactivity period that leads to token invalidation
+    * enable and set max token age, meaning the token automatically expires after a certain time, regardless of activity
+    * enable mail notifications on token expiry (requires having a mail server configured in Nexus to work)
 * backchannel logout in IDP via oauth2 proxy (if supported) when the logout is performed in Nexus
   * make sure to enable the OAuth2 Proxy: Logout capability in Nexus to make this work
 
@@ -168,6 +172,14 @@ skip_provider_button = true
 
 **Note**: Depending on the amount of data the OAuth2 Proxy receives from your IDP (especially list of groups) you might want to look into [changing its session storage to redis/valkey](https://oauth2-proxy.github.io/oauth2-proxy/configuration/session_storage/#redis-storage). The proxy will warn you about data exceeding limits which results in multiple cookies being set for the proxy session.
 
+## Optional: Bearer token authentication and token rotation
+
+If for some reason you need to use a Bearer token for machine-to-machine communcation or in general accessing Nexus programmatically e.g. because corporate guidelines prevent you from using Basic Auth using the api token, it is possible to set this up: 
+
+Add 'skip_jwt_bearer_tokens = true' to your OAuth2 Proxy configuration. This flag makes OAuth2 Proxy optionally accept Bearer tokens instead of performing the auth flow itself as long as the Bearer token is valid and the audience matches the configured client id. For details, check the [official documentation](https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview/). OAuth2 Proxy will then populate the x-forwarded headers based on information from this token, so for Nexus the login mechanism is still transparent.
+
+Leveraging this way of authenticating it is possible to create an automatic token rotation even if the API token is invalidated by obtaining the Bearer token via some kind of OIDC login and then using it to perform an authenticated REST call  against https://your_nexus_host/service/rest/oauth2-proxy/user/reset-token to obtain a new API token. Keep in mind that this REST call immediately invalidates the old token! Also make sure your reverse proxy is configured to route this URL to Nexus via OAuth2 Proxy (if you use the above example configs, this should automatically be the case)
+
 ## Troubleshooting
 
 If you encounter authentication issues, you can activate logging for the plugin classes by creating a logger in the Nexus administration section (`Support -> Logging -> Create Logger`), e.g. for the top level package `com.github.tumbl3w33d`.

src/main/java/com/github/tumbl3w33d/OAuth2ProxyApiTokenInvalidateTask.java

@@ -5,88 +5,164 @@
 import java.sql.Timestamp;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
-import java.util.List;
+import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 
 import javax.inject.Inject;
 import javax.inject.Named;
 
+import org.apache.commons.mail.EmailException;
+import org.apache.commons.mail.SimpleEmail;
+import org.sonatype.nexus.common.app.BaseUrlHolder;
+import org.sonatype.nexus.email.EmailManager;
 import org.sonatype.nexus.logging.task.TaskLogging;
 import org.sonatype.nexus.scheduling.Cancelable;
 import org.sonatype.nexus.scheduling.TaskSupport;
-import org.sonatype.nexus.security.user.UserManager;
+import org.sonatype.nexus.security.SecuritySystem;
+import org.sonatype.nexus.security.user.User;
 import org.sonatype.nexus.security.user.UserNotFoundException;
 
 import com.github.tumbl3w33d.h2.OAuth2ProxyLoginRecordStore;
+import com.github.tumbl3w33d.h2.OAuth2ProxyTokenInfoStore;
 import com.github.tumbl3w33d.users.OAuth2ProxyUserManager;
 import com.github.tumbl3w33d.users.db.OAuth2ProxyLoginRecord;
+import com.github.tumbl3w33d.users.db.OAuth2ProxyTokenInfo;
 
 @Named
 @TaskLogging(NEXUS_LOG_ONLY)
 public class OAuth2ProxyApiTokenInvalidateTask extends TaskSupport implements Cancelable {
 
     private final OAuth2ProxyLoginRecordStore loginRecordStore;
-
+    private final OAuth2ProxyTokenInfoStore tokenInfoStore;
     private final OAuth2ProxyUserManager userManager;
+    private final SecuritySystem securitySystem;
+    private final EmailManager mailManager;
 
     @Inject
     public OAuth2ProxyApiTokenInvalidateTask(@Named OAuth2ProxyLoginRecordStore loginRecordStore,
-            final List<UserManager> userManagers, final OAuth2ProxyUserManager userManager) {
-
+            @Named OAuth2ProxyTokenInfoStore tokenInfoStore, @Named OAuth2ProxyUserManager userManager,
+            SecuritySystem securitySystem, EmailManager mailManager) {
         this.loginRecordStore = loginRecordStore;
+        this.tokenInfoStore = tokenInfoStore;
         this.userManager = userManager;
-    }
-
-    private void resetApiToken(String userId) {
-        try {
-            userManager.changePassword(userId, OAuth2ProxyRealm.generateSecureRandomString(32));
-            log.debug("API token reset for user {} succeeded", userId);
-        } catch (UserNotFoundException e) {
-            log.error("Unable to reset API token of user {} - {}", userId, e);
-        }
+        this.securitySystem = securitySystem;
+        this.mailManager = mailManager;
     }
 
     @Override
     protected Void execute() throws Exception {
+        Map<String, OAuth2ProxyLoginRecord> loginRecords = loginRecordStore.getAllLoginRecords();
+        Map<String, OAuth2ProxyTokenInfo> tokenInfos = tokenInfoStore.getAllTokenInfos();
 
-        Set<OAuth2ProxyLoginRecord> loginRecords = loginRecordStore.getAllLoginRecords();
-
-        if (loginRecords.isEmpty()) {
-            log.debug("No login records found, nothing to do");
+        if (loginRecords.isEmpty() && tokenInfos.isEmpty()) {
+            log.debug("No records found, nothing to do");
             return null;
         }
 
-        for (OAuth2ProxyLoginRecord loginRecord : loginRecords) {
-            String userId = loginRecord.getId();
-            Timestamp lastLoginDate = loginRecord.getLastLogin();
-
-            Instant lastLoginInstant = lastLoginDate.toInstant();
-            Instant nowInstant = Instant.now();
+        int configuredIdleExpiration = getConfiguration().getInteger(
+                OAuth2ProxyApiTokenInvalidateTaskDescriptor.CONFIG_IDLE_EXPIRY,
+                OAuth2ProxyApiTokenInvalidateTaskDescriptor.CONFIG_IDLE_EXPIRY_DEFAULT);
+
+        int configuredMaxTokenAge = getConfiguration().getInteger(
+                OAuth2ProxyApiTokenInvalidateTaskDescriptor.CONFIG_AGE,
+                OAuth2ProxyApiTokenInvalidateTaskDescriptor.CONFIG_AGE_DEFAULT);
+
+        boolean notify = getConfiguration().getBoolean(OAuth2ProxyApiTokenInvalidateTaskDescriptor.NOTIFY,
+                OAuth2ProxyApiTokenInvalidateTaskDescriptor.NOTIFY_DEFAULT);
+
+        Set<String> userIds = new HashSet<>(loginRecords.size());
+        userIds.addAll(loginRecords.keySet());
+        userIds.addAll(tokenInfos.keySet());
+        for (String userId : userIds) {
+            if ("admin".equals(userId)) {
+                // never reset the admin "token" as it would overwrite the password, possibly locking people out of nexus
+                // when the task would run before OIDC setup is completed
+                continue;
+            }
 
-            log.debug("Last known login for {} was {}", userId,
-                    OAuth2ProxyRealm.formatDateString(lastLoginDate));
+            if (isUserIdleTimeExpired(userId, loginRecords.get(userId), configuredIdleExpiration)
+                    || isTokenLifespanExpired(userId, tokenInfos.get(userId), configuredMaxTokenAge)) {
+                resetApiToken(userId, notify);
+                log.info("API token of user {} has been reset", userId);
+            }
 
-            long timePassed = ChronoUnit.DAYS.between(lastLoginInstant, nowInstant);
+        }
+        return null;
+    }
 
-            int configuredDuration = getConfiguration()
-                    .getInteger(OAuth2ProxyApiTokenInvalidateTaskDescriptor.CONFIG_EXPIRY, 1);
+    private boolean isUserIdleTimeExpired(String userId, OAuth2ProxyLoginRecord loginRecord, int configuredIdleTime) {
+        if (configuredIdleTime <= 0) {
+            return false;
+        }
 
-            log.debug("Time passed since login: {} - configured maximum: {}", timePassed,
-                    configuredDuration);
+        Timestamp lastLoginDate = loginRecord.getLastLogin();
+        log.debug("Last known login for {} was {}", userId, OAuth2ProxyRealm.formatDateString(lastLoginDate));
+        long timePassed = ChronoUnit.DAYS.between(lastLoginDate.toInstant(), Instant.now());
+        log.debug("Time passed since login: {} - configured maximum: {}", timePassed, configuredIdleTime);
+        if (timePassed >= configuredIdleTime) {
+            log.debug("Idle time expired for {}", userId);
+            return true;
+        }
+        return false;
+    }
 
-            if (timePassed >= configuredDuration) {
-                resetApiToken(userId);
-                log.info("Reset api token of user {} because they did not show up for a while",
-                        userId);
-            }
+    private boolean isTokenLifespanExpired(String userId, OAuth2ProxyTokenInfo tokenInfo, int configuredMaxTokenAge) {
+        if (configuredMaxTokenAge <= 0) {
+            return false;
         }
 
-        return null;
+        Timestamp tokenCreationDate = tokenInfo.getTokenCreation();
+        log.debug("API token for {} was created at {}", userId, OAuth2ProxyRealm.formatDateString(tokenCreationDate));
+        long timePassed = ChronoUnit.DAYS.between(tokenCreationDate.toInstant(), Instant.now());
+        log.debug("Time passed since token creation: {} - configured maximum: {}", timePassed, configuredMaxTokenAge);
+        if (timePassed >= configuredMaxTokenAge) {
+            log.debug("Token lifespan expired for user {}", userId);
+            return true;
+        }
+        return false;
     }
 
     @Override
     public String getMessage() {
         return "Invalidate OAuth2 Proxy API tokens of users who did not show up for a while";
     }
 
+    private void resetApiToken(String userId, boolean notify) {
+        try {
+            securitySystem.changePassword(userId, OAuth2ProxyRealm.generateSecureRandomString(32));
+            log.debug("API token reset for user {} succeeded", userId);
+            if (notify) {
+                sendMail(userId);
+            }
+        } catch (UserNotFoundException e) {
+            log.error("Unable to reset API token of user {}", userId);
+            log.debug("Unable to reset API token of user {}", userId, e);
+        }
+    }
+
+    private void sendMail(String userId) throws UserNotFoundException {
+        if (mailManager.getConfiguration().isEnabled()) {
+            User user = userManager.getUser(userId);
+            String to = user.getEmailAddress();
+            try {
+                SimpleEmail mail = new SimpleEmail();
+                mail.addTo(to);
+                if (BaseUrlHolder.isSet()) {
+                    mail.setMsg("Your OAuth2 Proxy API Token on " + BaseUrlHolder.get()
+                            + " has been invalidated because of inactivity or expired token lifespan");
+                } else {
+                    mail.setMsg(
+                            "Your OAuth2 Proxy API Token has been invalidated because of inactivity or expired token lifespan");
+                }
+                mailManager.send(mail);
+            } catch (EmailException e) {
+                log.warn("Failed to send notification email about oauth2 API token reset to user " + user.getName());
+                log.debug("Failed to send notification email", e);
+            }
+        } else {
+            log.warn("Sending token invalidation notifications is enabled, but no mail server is configured in Nexus");
+        }
+    }
+
 }

src/main/java/com/github/tumbl3w33d/OAuth2ProxyApiTokenInvalidateTaskDescriptor.java

@@ -5,29 +5,51 @@
 import javax.inject.Singleton;
 
 import org.sonatype.nexus.common.upgrade.AvailabilityVersion;
+import org.sonatype.nexus.formfields.CheckboxFormField;
 import org.sonatype.nexus.formfields.FormField;
 import org.sonatype.nexus.formfields.NumberTextFormField;
 import org.sonatype.nexus.scheduling.TaskDescriptorSupport;
 
 @AvailabilityVersion(from = "1.0")
 @Named
 @Singleton
-public class OAuth2ProxyApiTokenInvalidateTaskDescriptor
-        extends TaskDescriptorSupport {
+public class OAuth2ProxyApiTokenInvalidateTaskDescriptor extends TaskDescriptorSupport {
 
     public static final String TYPE_ID = "oauth2-proxy-api-token.cleanup";
 
-    public static final String CONFIG_EXPIRY = TYPE_ID + "-expiry";
-    private static final NumberTextFormField field = new NumberTextFormField(CONFIG_EXPIRY,
-            "Expiration in days",
-            "After this duration the API token will be overwritten and the user must renew it interactively.",
-            FormField.MANDATORY).withMinimumValue(1).withInitialValue(30);
+    public static final String CONFIG_IDLE_EXPIRY = TYPE_ID + "-expiry";
+    public static final int CONFIG_IDLE_EXPIRY_DEFAULT = 30;
+    private static final NumberTextFormField maxIdleAge = new NumberTextFormField(CONFIG_IDLE_EXPIRY, //
+            "User idle time in days", //
+            "After the user has been inactive for this amount of days the API token will be overwritten and the user must renew it interactively. Setting this to 0 or a negative value disables max idle time entirely. Default is "
+                    + CONFIG_IDLE_EXPIRY_DEFAULT + " days.",
+            FormField.MANDATORY)//
+            .withMinimumValue(1)//
+            .withInitialValue(CONFIG_IDLE_EXPIRY_DEFAULT);
+
+    public static final String CONFIG_AGE = TYPE_ID + "-max-age";
+    public static final int CONFIG_AGE_DEFAULT = -1;
+    private static final NumberTextFormField maxAge = new NumberTextFormField(CONFIG_AGE, //
+            "Max token age in days", //
+            "After this amount of days the API token will be overwritten and the user must renew it interactively. Setting this to 0 or a negative value disables max token age entirely. Default is "
+                    + CONFIG_AGE_DEFAULT + " days.",
+            FormField.MANDATORY)//
+            .withInitialValue(CONFIG_AGE_DEFAULT);
+
+    public static final String NOTIFY = TYPE_ID + "-notify";
+    public static final Boolean NOTIFY_DEFAULT = false;
+    private static final CheckboxFormField notify = new CheckboxFormField(NOTIFY, //
+            "Send Email on token invalidation", //
+            "Defines whether an email is send to the affected user if their API token is invalidated automatically based on any condition. Default is "
+                    + NOTIFY_DEFAULT,
+            FormField.OPTIONAL)//
+            .withInitialValue(NOTIFY_DEFAULT);
 
     @Inject
     public OAuth2ProxyApiTokenInvalidateTaskDescriptor() {
         super(TYPE_ID, OAuth2ProxyApiTokenInvalidateTask.class, "OAuth2 Proxy API token invalidator",
-                TaskDescriptorSupport.VISIBLE, TaskDescriptorSupport.EXPOSED,
-                TaskDescriptorSupport.REQUEST_RECOVERY, new FormField[] { field });
+                TaskDescriptorSupport.VISIBLE, TaskDescriptorSupport.EXPOSED, TaskDescriptorSupport.REQUEST_RECOVERY,
+                new FormField[] { maxIdleAge, maxAge, notify });
     }
 
     @Override

src/main/java/com/github/tumbl3w33d/h2/OAuth2ProxyLoginRecordStore.java

@@ -2,8 +2,10 @@
 
 import static com.github.tumbl3w33d.h2.OAuth2ProxyStores.loginRecordDAO;
 
+import java.util.Collections;
+import java.util.Map;
 import java.util.Optional;
-import java.util.Set;
+import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.StreamSupport;
 
@@ -18,7 +20,6 @@
 import org.sonatype.nexus.transaction.TransactionalStore;
 
 import com.github.tumbl3w33d.users.db.OAuth2ProxyLoginRecord;
-import com.google.common.collect.ImmutableSet;
 
 @Named("mybatis")
 @Singleton
@@ -28,8 +29,7 @@ public class OAuth2ProxyLoginRecordStore extends StateGuardLifecycleSupport
     private final DataSessionSupplier sessionSupplier;
 
     @Inject
-    public OAuth2ProxyLoginRecordStore(
-            final DataSessionSupplier sessionSupplier) {
+    public OAuth2ProxyLoginRecordStore(final DataSessionSupplier sessionSupplier) {
         this.sessionSupplier = sessionSupplier;
     }
 
@@ -39,19 +39,17 @@ public DataSession<?> openSession() {
     }
 
     @Transactional
-    public Set<OAuth2ProxyLoginRecord> getAllLoginRecords() {
-        Set<OAuth2ProxyLoginRecord> allRecords = StreamSupport.stream(loginRecordDAO().browse().spliterator(), false)
-                .collect(Collectors.toSet());
-
-        return ImmutableSet.copyOf(allRecords);
+    public Map<String, OAuth2ProxyLoginRecord> getAllLoginRecords() {
+        return Collections.unmodifiableMap(StreamSupport.stream(loginRecordDAO().browse().spliterator(), false)
+                .collect(Collectors.toMap(OAuth2ProxyLoginRecord::getId, Function.identity())));
     }
 
     @Transactional
     public Optional<OAuth2ProxyLoginRecord> getLoginRecord(String userId) {
         log.trace("call to getLoginRecord with userId {}", userId);
 
         try {
-            return OAuth2ProxyStores.loginRecordDAO().read(userId);
+            return loginRecordDAO().read(userId);
         } catch (Exception e) {
             log.error("unable to retrieve login record for {} - {}", userId, e);
             throw e;

src/main/java/com/github/tumbl3w33d/h2/OAuth2ProxyStores.java

@@ -32,4 +32,8 @@ public static OAuth2ProxyRoleDAO roleDAO() {
     public static OAuth2ProxyLoginRecordDAO loginRecordDAO() {
         return dao(OAuth2ProxyLoginRecordDAO.class);
     }
+
+    public static OAuth2ProxyTokenInfoDAO tokenInfoDAO() {
+        return dao(OAuth2ProxyTokenInfoDAO.class);
+    }
 }

src/main/java/com/github/tumbl3w33d/h2/OAuth2ProxyTokenInfoDAO.java

@@ -0,0 +1,9 @@
+package com.github.tumbl3w33d.h2;
+
+import org.sonatype.nexus.datastore.api.IdentifiedDataAccess;
+
+import com.github.tumbl3w33d.users.db.OAuth2ProxyTokenInfo;
+
+public interface OAuth2ProxyTokenInfoDAO extends IdentifiedDataAccess<OAuth2ProxyTokenInfo> {
+
+}