server: don't allow disabled users to access the api

This commit is contained in:
Joe Bowers 2015-09-25 14:36:33 -07:00
parent 60a36e2c2e
commit ffabe03bc0
3 changed files with 61 additions and 4 deletions

View file

@ -53,6 +53,14 @@ var (
Email: "Email-3@example.com",
},
},
{
User: user.User{
ID: "ID-4",
Email: "Email-4@example.com",
Admin: true,
Disabled: true,
},
},
}
userPasswords = []user.PasswordInfo{
@ -60,6 +68,10 @@ var (
UserID: "ID-1",
Password: []byte("hi."),
},
{
UserID: "ID-4",
Password: []byte("hi."),
},
}
userBadClientID = "ZZZ"
@ -75,6 +87,9 @@ var (
userBadTokenExpired = makeUserToken(testIssuerURL,
"ID-1", testClientID, time.Hour*-1, testPrivKey)
userBadTokenDisabled = makeUserToken(testIssuerURL,
"ID-4", testClientID, time.Hour*1, testPrivKey)
)
func makeUserAPITestFixtures() *userAPITestFixtures {
@ -166,6 +181,11 @@ func TestGetUser(t *testing.T) {
}, {
id: "ID-1",
token: userBadTokenDisabled,
errCode: http.StatusUnauthorized, // TODO test with custom err before merge
}, {
id: "ID-1",
token: "",
errCode: http.StatusUnauthorized,
}, {
@ -229,20 +249,28 @@ func TestListUsers(t *testing.T) {
wantIDs [][]string
}{
{
pages: 3,
pages: 4,
maxResults: 1,
token: userGoodToken,
wantIDs: [][]string{{"ID-1"}, {"ID-2"}, {"ID-3"}},
wantIDs: [][]string{{"ID-1"}, {"ID-2"}, {"ID-3"}, {"ID-4"}},
},
{
pages: 1,
token: userGoodToken,
maxResults: 3,
wantIDs: [][]string{{"ID-1", "ID-2", "ID-3"}},
maxResults: 4,
wantIDs: [][]string{{"ID-1", "ID-2", "ID-3", "ID-4"}},
},
{
pages: 1,
token: userBadTokenDisabled,
maxResults: 1,
wantCode: http.StatusUnauthorized, // TODO don't merge until you're sure this is covering what you expect
},
{
pages: 3,
@ -417,6 +445,22 @@ func TestCreateUser(t *testing.T) {
// try every variation like in TestGetUser
token: userBadTokenExpired,
wantCode: http.StatusUnauthorized,
},
{
req: schema.UserCreateRequest{
User: &schema.User{
Email: "newuser@example.com",
DisplayName: "New User",
EmailVerified: true,
Admin: false,
CreatedAt: clock.Now().Format(time.RFC3339),
},
RedirectURL: testRedirectURL.String(),
},
token: userBadTokenDisabled,
wantCode: http.StatusUnauthorized,
},
}

View file

@ -200,6 +200,10 @@ func (s *UserMgmtServer) getCreds(r *http.Request) (api.Creds, error) {
return api.Creds{}, err
}
if usr.Disabled {
return api.Creds{}, api.ErrorUnauthorized
}
isAdmin, err := s.cir.IsDexAdmin(clientID)
if err != nil {
log.Errorf("userMgmtServer: GetCreds err: %q", err)

View file

@ -52,6 +52,15 @@ var (
},
}
disabledCreds = Creds{
User: user.User{
ID: "ID-1",
Admin: true,
Disabled: true,
},
ClientID: "XXX",
}
resetPasswordURL = url.URL{
Host: "dex.example.com",
Path: "resetPassword",