Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check if a user is disabled before logging in #782

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Check if a user is disabled before logging in #782

wants to merge 4 commits into from

Conversation

shiv-tyagi
Copy link
Contributor

As discussed in #640, this adds a property to the UserDB to mark a user enable/disabled. Before creating an authentication session in pam, we check if the user exists in the cache and is disabled.

@shiv-tyagi shiv-tyagi requested a review from a team as a code owner February 7, 2025 16:14
@shiv-tyagi
Copy link
Contributor Author

@adombeck Does this look good?

I see that the tests are failing on main branch as well. So I am hoping that it is not me.

@codecov-commenter
Copy link

codecov-commenter commented Feb 7, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 72.72727% with 3 lines in your changes missing coverage. Please review.

Project coverage is 83.16%. Comparing base (36511cd) to head (a7d839c).
Report is 336 commits behind head on main.

Files with missing lines Patch % Lines
internal/services/pam/pam.go 25.00% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #782      +/-   ##
==========================================
- Coverage   83.43%   83.16%   -0.28%     
==========================================
  Files          83       96      +13     
  Lines        8689     9644     +955     
  Branches       74       74              
==========================================
+ Hits         7250     8020     +770     
- Misses       1111     1243     +132     
- Partials      328      381      +53

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@shiv-tyagi shiv-tyagi changed the title Check is a user is disabled before logging in Check if a user is disabled before logging in Feb 10, 2025
adombeck
adombeck reviewed Feb 10, 2025
View reviewed changes
internal/services/pam/pam.go
@@ -138,6 +138,12 @@ func (s Service) SelectBroker(ctx context.Context, req *authd.SBRequest) (resp *
lang = "C"
}

// Throw an error if the user trying to authenticate already exists in cache and is disabled
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use the term "database" instead of "cache" now (related: #775)

Suggested change
// Throw an error if the user trying to authenticate already exists in cache and is disabled
// Throw an error if the user trying to authenticate already exists in the database and is disabled

@adombeck
Copy link
Contributor

Hi @shiv-tyagi, yes this looks good, thanks! One small thing: I would prefer to have a Disabled field instead of Enabled, so that the default value (false) means that the user is enabled, even when we're not using NewUserDB to instantiate the UserDB struct (like we do here).

@adombeck
Copy link
Contributor

There should also be a new test case "Error_when_user_is_disabled" in https://github.com/shiv-tyagi/authd/blob/fed39218cfcce6c23e80e0d02fe2a2d748d3d912/internal/brokers/manager_test.go#L187-L190.

@adombeck
Copy link
Contributor

Oh and I don't think it makes sense to merge this before we have code which actually causes a user to be disabled (i.e. the command-line tool). If you still plan to work on that soon, feel free to repurpose this PR. Otherwise, I'll start working on that soon and would then cherry-pick your commits to a new branch.

@shiv-tyagi
Copy link
Contributor Author

I would prefer to have a Disabled field instead of Enabled, so that the default value (false) means that the user is enabled, even when we're not using NewUserDB to instantiate the UserDB struct (like we do here).

Sure. I will do that.

There should also be a new test case "Error_when_user_is_disabled"

Noted.

If you still plan to work on that soon, feel free to repurpose this PR.

Yes, I really intend to work on that. I will push my work soon :)

3v1n0
3v1n0 reviewed Feb 11, 2025
View reviewed changes
internal/users/manager.go
@@ -328,6 +328,16 @@ func (m *Manager) UpdateBrokerForUser(username, brokerID string) error {
return nil
}

// IsUserDisabled returns true if the user with the given user name is disabled, false otherwise
func (m *Manager) IsUserDisabled(username string) (bool, error) {
usr, err := m.cache.UserByName(username)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
usr, err := m.cache.UserByName(username)
u, err := m.cache.UserByName(username)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@3v1n0 3v1n0 3v1n0 left review comments

@adombeck adombeck adombeck left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@shiv-tyagi @codecov-commenter @adombeck @3v1n0