server: don't allow disabled users to access the api

This commit is contained in:
Joe Bowers 2015-09-25 14:36:33 -07:00
parent 60a36e2c2e
commit ffabe03bc0
3 changed files with 61 additions and 4 deletions


@ -53,6 +53,14 @@ var (
Email: "Email-3@example.com", Email: "Email-3@example.com",
}, },
}, },
{
User: user.User{
ID: "ID-4",
Email: "Email-4@example.com",
Admin: true,
Disabled: true,
},
},
} }
userPasswords = []user.PasswordInfo{ userPasswords = []user.PasswordInfo{
@ -60,6 +68,10 @@ var (
UserID: "ID-1", UserID: "ID-1",
Password: []byte("hi."), Password: []byte("hi."),
}, },
{
UserID: "ID-4",
Password: []byte("hi."),
},
} }
userBadClientID = "ZZZ" userBadClientID = "ZZZ"
@ -75,6 +87,9 @@ var (
userBadTokenExpired = makeUserToken(testIssuerURL, userBadTokenExpired = makeUserToken(testIssuerURL,
"ID-1", testClientID, time.Hour*-1, testPrivKey) "ID-1", testClientID, time.Hour*-1, testPrivKey)
userBadTokenDisabled = makeUserToken(testIssuerURL,
"ID-4", testClientID, time.Hour*1, testPrivKey)
) )
func makeUserAPITestFixtures() *userAPITestFixtures { func makeUserAPITestFixtures() *userAPITestFixtures {
@ -166,6 +181,11 @@ func TestGetUser(t *testing.T) {
}, { }, {
id: "ID-1", id: "ID-1",
token: userBadTokenDisabled,
errCode: http.StatusUnauthorized, // TODO test with custom err before merge
}, {
id: "ID-1",
token: "", token: "",
errCode: http.StatusUnauthorized, errCode: http.StatusUnauthorized,
}, { }, {
@ -229,20 +249,28 @@ func TestListUsers(t *testing.T) {
wantIDs [][]string wantIDs [][]string
}{ }{
{ {
pages: 3, pages: 4,
maxResults: 1, maxResults: 1,
token: userGoodToken, token: userGoodToken,
wantIDs: [][]string{{"ID-1"}, {"ID-2"}, {"ID-3"}}, wantIDs: [][]string{{"ID-1"}, {"ID-2"}, {"ID-3"}, {"ID-4"}},
}, },
{ {
pages: 1, pages: 1,
token: userGoodToken, token: userGoodToken,
maxResults: 3, maxResults: 4,
wantIDs: [][]string{{"ID-1", "ID-2", "ID-3"}}, wantIDs: [][]string{{"ID-1", "ID-2", "ID-3", "ID-4"}},
},
{
pages: 1,
token: userBadTokenDisabled,
maxResults: 1,
wantCode: http.StatusUnauthorized, // TODO don't merge until you're sure this is covering what you expect
}, },
{ {
pages: 3, pages: 3,
@ -417,6 +445,22 @@ func TestCreateUser(t *testing.T) {
// try every variation like in TestGetUser // try every variation like in TestGetUser
token: userBadTokenExpired, token: userBadTokenExpired,
wantCode: http.StatusUnauthorized,
},
{
req: schema.UserCreateRequest{
User: &schema.User{
Email: "newuser@example.com",
DisplayName: "New User",
EmailVerified: true,
Admin: false,
CreatedAt: clock.Now().Format(time.RFC3339),
},
RedirectURL: testRedirectURL.String(),
},
token: userBadTokenDisabled,
wantCode: http.StatusUnauthorized, wantCode: http.StatusUnauthorized,
}, },
} }
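Review bot: The two `// TODO ... before merge` markers on the disabled-token cases (TestGetUser's `userBadTokenDisabled` case and the TestListUsers case with `wantCode: http.StatusUnauthorized`) should be resolved rather than landed as-is. Both cases do exercise the new check and nothing else: fixture user ID-4 is `Admin: true` and `userBadTokenDisabled` is minted with `time.Hour*1`, so the token is neither expired nor under-privileged, and the only reason the request can come back 401 is the `Disabled` flag — removing the server-side guard would turn these into 200s and fail the tests. Replace the TODOs with a comment that records that reasoning, e.g. `// ID-4 is an admin with a fresh token; only Disabled can produce the 401.` TestListUsers now also expects `ID-4` in the admin listing, i.e. disabled accounts stay visible to administrators; that looks intentional but deserves a one-line comment on the case so a later change does not "fix" it by hiding them.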


@ -200,6 +200,10 @@ func (s *UserMgmtServer) getCreds(r *http.Request) (api.Creds, error) {
return api.Creds{}, err return api.Creds{}, err
} }
if usr.Disabled {
return api.Creds{}, api.ErrorUnauthorized
}
isAdmin, err := s.cir.IsDexAdmin(clientID) isAdmin, err := s.cir.IsDexAdmin(clientID)
if err != nil { if err != nil {
log.Errorf("userMgmtServer: GetCreds err: %q", err) log.Errorf("userMgmtServer: GetCreds err: %q", err)
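Review bot: The new `usr.Disabled` guard returns `api.ErrorUnauthorized` silently, while the neighbouring `IsDexAdmin` failure is logged; a request presenting an otherwise valid token for a disabled account is an audit-relevant event and should leave a trace as well, at an informational level on the same logger whose `Errorf` is used two lines below (adjust the method name to whatever level that logger exposes), e.g. `log.Infof("userMgmtServer: getCreds: rejected disabled user %q", usr.ID)`. The placement is right: it sits after the user lookup's error return and before the admin check, so a disabled admin is rejected regardless of the client's privileges. getCreds begins and ends outside this hunk, and only this user-management path is covered here; whether a disabled user can still obtain or refresh tokens elsewhere in the server is not visible in this change.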


@ -52,6 +52,15 @@ var (
}, },
} }
disabledCreds = Creds{
User: user.User{
ID: "ID-1",
Admin: true,
Disabled: true,
},
ClientID: "XXX",
}
resetPasswordURL = url.URL{ resetPasswordURL = url.URL{
Host: "dex.example.com", Host: "dex.example.com",
Path: "resetPassword", Path: "resetPassword",