server: don't allow disabled users to access the api

2015-09-25 14:36:33 -07:00 · 2015-09-25 14:36:33 -07:00 · ffabe03bc0
parent 60a36e2c2e
commit ffabe03bc0
3 changed files with 61 additions and 4 deletions
--- a/integration/user_api_test.go
+++ b/integration/user_api_test.go
@ -53,6 +53,14 @@ var (
 				Email: "Email-3@example.com",
 			},
 		},
+		{
+			User: user.User{
+				ID:       "ID-4",
+				Email:    "Email-4@example.com",
+				Admin:    true,
+				Disabled: true,
+			},
+		},
 	}

 	userPasswords = []user.PasswordInfo{
@ -60,6 +68,10 @@ var (
 			UserID:   "ID-1",
 			Password: []byte("hi."),
 		},
+		{
+			UserID:   "ID-4",
+			Password: []byte("hi."),
+		},
 	}

 	userBadClientID = "ZZZ"
@ -75,6 +87,9 @@ var (

 	userBadTokenExpired = makeUserToken(testIssuerURL,
 		"ID-1", testClientID, time.Hour*-1, testPrivKey)
+
+	userBadTokenDisabled = makeUserToken(testIssuerURL,
+		"ID-4", testClientID, time.Hour*1, testPrivKey)
 )

 func makeUserAPITestFixtures() *userAPITestFixtures {
@ -166,6 +181,11 @@ func TestGetUser(t *testing.T) {
 		}, {
 			id: "ID-1",

+			token:   userBadTokenDisabled,
+			errCode: http.StatusUnauthorized, // TODO test with custom err before merge
+		}, {
+			id: "ID-1",
+
 			token:   "",
 			errCode: http.StatusUnauthorized,
 		}, {
@ -229,20 +249,28 @@ func TestListUsers(t *testing.T) {
 		wantIDs  [][]string
 	}{
 		{
-			pages:      3,
+			pages:      4,
 			maxResults: 1,

 			token: userGoodToken,

-			wantIDs: [][]string{{"ID-1"}, {"ID-2"}, {"ID-3"}},
+			wantIDs: [][]string{{"ID-1"}, {"ID-2"}, {"ID-3"}, {"ID-4"}},
 		},
 		{
 			pages: 1,

 			token: userGoodToken,

-			maxResults: 3,
-			wantIDs:    [][]string{{"ID-1", "ID-2", "ID-3"}},
+			maxResults: 4,
+			wantIDs:    [][]string{{"ID-1", "ID-2", "ID-3", "ID-4"}},
+		},
+		{
+			pages: 1,
+
+			token: userBadTokenDisabled,
+
+			maxResults: 1,
+			wantCode:   http.StatusUnauthorized, // TODO don't merge until you're sure this is covering what you expect
 		},
 		{
 			pages: 3,
@ -417,6 +445,22 @@ func TestCreateUser(t *testing.T) {
 			// try every variation like in TestGetUser
 			token: userBadTokenExpired,

+			wantCode: http.StatusUnauthorized,
+		},
+		{
+			req: schema.UserCreateRequest{
+				User: &schema.User{
+					Email:         "newuser@example.com",
+					DisplayName:   "New User",
+					EmailVerified: true,
+					Admin:         false,
+					CreatedAt:     clock.Now().Format(time.RFC3339),
+				},
+				RedirectURL: testRedirectURL.String(),
+			},
+
+			token: userBadTokenDisabled,
+
 			wantCode: http.StatusUnauthorized,
 		},
 	}
--- a/server/user.go
+++ b/server/user.go
@ -200,6 +200,10 @@ func (s *UserMgmtServer) getCreds(r *http.Request) (api.Creds, error) {
 		return api.Creds{}, err
 	}

+	if usr.Disabled {
+		return api.Creds{}, api.ErrorUnauthorized
+	}
+
 	isAdmin, err := s.cir.IsDexAdmin(clientID)
 	if err != nil {
 		log.Errorf("userMgmtServer: GetCreds err: %q", err)
--- a/user/api/api_test.go
+++ b/user/api/api_test.go
@ -52,6 +52,15 @@ var (
 		},
 	}

+	disabledCreds = Creds{
+		User: user.User{
+			ID:       "ID-1",
+			Admin:    true,
+			Disabled: true,
+		},
+		ClientID: "XXX",
+	}
+
 	resetPasswordURL = url.URL{
 		Host: "dex.example.com",
 		Path: "resetPassword",