From ffabe03bc0e844663fc9aea9389d04b2e145fc85 Mon Sep 17 00:00:00 2001 From: Joe Bowers Date: Fri, 25 Sep 2015 14:36:33 -0700 Subject: [PATCH] server: don't allow disabled users to access the api --- integration/user_api_test.go | 52 +++++++++++++++++++++++++++++++++--- server/user.go | 4 +++ user/api/api_test.go | 9 +++++++ 3 files changed, 61 insertions(+), 4 deletions(-) diff --git a/integration/user_api_test.go b/integration/user_api_test.go index 15d32849..6ed8f8da 100644 --- a/integration/user_api_test.go +++ b/integration/user_api_test.go @@ -53,6 +53,14 @@ var ( Email: "Email-3@example.com", }, }, + { + User: user.User{ + ID: "ID-4", + Email: "Email-4@example.com", + Admin: true, + Disabled: true, + }, + }, } userPasswords = []user.PasswordInfo{ @@ -60,6 +68,10 @@ var ( UserID: "ID-1", Password: []byte("hi."), }, + { + UserID: "ID-4", + Password: []byte("hi."), + }, } userBadClientID = "ZZZ" @@ -75,6 +87,9 @@ var ( userBadTokenExpired = makeUserToken(testIssuerURL, "ID-1", testClientID, time.Hour*-1, testPrivKey) + + userBadTokenDisabled = makeUserToken(testIssuerURL, + "ID-4", testClientID, time.Hour*1, testPrivKey) ) func makeUserAPITestFixtures() *userAPITestFixtures { @@ -166,6 +181,11 @@ func TestGetUser(t *testing.T) { }, { id: "ID-1", + token: userBadTokenDisabled, + errCode: http.StatusUnauthorized, // TODO test with custom err before merge + }, { + id: "ID-1", + token: "", errCode: http.StatusUnauthorized, }, { 
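Review bot: The ID-4 fixture is both `Admin: true` and `Disabled: true`, which is what gives it value — it exercises a disabled user who would otherwise carry admin rights — but nothing says the combination is deliberate, and a later cleanup could "fix" it. A one-line comment on the entry, `// Disabled admin: checks that Disabled wins over Admin when authorizing API calls.`, would protect the intent. The ID-4 password entry added in the next hunk does not appear to be read by the new cases shown here, which mint `userBadTokenDisabled` directly with makeUserToken; if it is only there for symmetry with ID-1, a note saying so (or dropping it) would help the next reader.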
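Review bot: The new disabled-token case in TestGetUser asserts only `errCode: http.StatusUnauthorized`, the same code the neighbouring cases expect for an expired or empty token, so the case passes whether or not the Disabled branch in getCreds actually fires; the added `// TODO test with custom err before merge` acknowledges this but ships with the commit, and the TestListUsers hunk carries the same marker (`// TODO don't merge until you're sure this is covering what you expect`) while the TestCreateUser hunk has the same blind spot without a marker. If the handler writes a distinguishable body for `api.ErrorUnauthorized` versus a token-verification failure, the cases should assert on it; if the indistinguishable 401 is deliberate (so that a caller cannot learn whether an account exists or is disabled), say so in a comment on the case and resolve the TODO rather than leave it in. TestGetUser's table starts and ends outside the hunk.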
@@ -229,20 +249,28 @@ func TestListUsers(t *testing.T) { wantIDs [][]string }{ { - pages: 3, + pages: 4, maxResults: 1, token: userGoodToken, - wantIDs: [][]string{{"ID-1"}, {"ID-2"}, {"ID-3"}}, + wantIDs: [][]string{{"ID-1"}, {"ID-2"}, {"ID-3"}, {"ID-4"}}, }, { pages: 1, token: userGoodToken, - maxResults: 3, - wantIDs: [][]string{{"ID-1", "ID-2", "ID-3"}}, + maxResults: 4, + wantIDs: [][]string{{"ID-1", "ID-2", "ID-3", "ID-4"}}, + }, + { + pages: 1, + + token: userBadTokenDisabled, + + maxResults: 1, + wantCode: http.StatusUnauthorized, // TODO don't merge until you're sure this is covering what you expect }, { pages: 3, @@ -417,6 +445,22 @@ func TestCreateUser(t *testing.T) { // try every variation like in TestGetUser token: userBadTokenExpired, + wantCode: http.StatusUnauthorized, + }, + { + req: schema.UserCreateRequest{ + User: &schema.User{ + Email: "newuser@example.com", + DisplayName: "New User", + EmailVerified: true, + Admin: false, + CreatedAt: clock.Now().Format(time.RFC3339), + }, + RedirectURL: testRedirectURL.String(), + }, + + token: userBadTokenDisabled, + wantCode: http.StatusUnauthorized, }, } diff --git a/server/user.go b/server/user.go index 64ce05d0..a57ca769 100644 --- a/server/user.go +++ b/server/user.go @@ -200,6 +200,10 @@ func (s *UserMgmtServer) getCreds(r *http.Request) (api.Creds, error) { return api.Creds{}, err } + if usr.Disabled { + return api.Creds{}, api.ErrorUnauthorized + } + isAdmin, err := s.cir.IsDexAdmin(clientID) if err != nil { log.Errorf("userMgmtServer: GetCreds err: %q", err) diff --git a/user/api/api_test.go b/user/api/api_test.go index a48a220a..439e52c8 100644 --- a/user/api/api_test.go +++ b/user/api/api_test.go @@ -52,6 +52,15 @@ var ( }, } + disabledCreds = Creds{ + User: user.User{ + ID: "ID-1", + Admin: true, + Disabled: true, + }, + ClientID: "XXX", + } + resetPasswordURL = url.URL{ Host: "dex.example.com", Path: "resetPassword",
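Review bot: The new `if usr.Disabled` branch in getCreds returns `api.ErrorUnauthorized` without a trace, whereas the IsDexAdmin failure just below it logs before returning; a disabled account presenting a still-valid token is exactly the event an operator wants recorded, so a log line naming the user before the return, e.g. `log.Infof("userMgmtServer: denied disabled user %q", usr.ID)` if the logger offers that level (only Errorf is visible here), would make post-disablement credential use detectable. A short why-comment would also explain the placement: `// A disabled user may still hold an unexpired token; reject it here so disabling takes effect immediately rather than at token expiry.` This guards only the user-management API that goes through getCreds; whether other token-accepting paths in the server honour Disabled is not visible in this diff. getCreds starts and ends outside the hunk.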
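Review bot: `disabledCreds` is declared but, going by the diffstat (9 insertions in user/api/api_test.go, all in this var block), no test in the package uses it, so the commit adds an unused fixture that the compiler will not flag because it is package-level. Since the Disabled check was placed in server.getCreds rather than in the api package, a test here would only exercise it if user/api itself consults Creds.User.Disabled, which this diff does not show. Either add the case the fixture was written for or drop the declaration from this commit.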