AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248)

* Replace the enable disable user hook by a hook that systematically enable users

* Fix tests

* Remove the skip test

pkg/services/authn/clients/ext_jwt_test.go

@@ -175,13 +175,13 @@ func TestExtendedJWT_Authenticate(t *testing.T) {
 					},
 				},
 				ClientParams: authn.ClientParams{
-					SyncUser:            false,
-					AllowSignUp:         false,
-					FetchSyncedUser:     false,
-					EnableDisabledUsers: false,
-					SyncOrgRoles:        false,
-					SyncTeams:           false,
-					SyncPermissions:     false,
+					SyncUser:        false,
+					AllowSignUp:     false,
+					FetchSyncedUser: false,
+					EnableUser:      false,
+					SyncOrgRoles:    false,
+					SyncTeams:       false,
+					SyncPermissions: false,
 					LookUpParams: login.UserLookupParams{
 						UserID: nil,
 						Email:  nil,

pkg/services/authn/clients/grafana_test.go

@@ -112,7 +112,7 @@ func TestGrafana_AuthenticateProxy(t *testing.T) {
 				assert.Equal(t, tt.expectedIdentity.ClientParams.SyncUser, identity.ClientParams.SyncUser)
 				assert.Equal(t, tt.expectedIdentity.ClientParams.AllowSignUp, identity.ClientParams.AllowSignUp)
 				assert.Equal(t, tt.expectedIdentity.ClientParams.SyncTeams, identity.ClientParams.SyncTeams)
-				assert.Equal(t, tt.expectedIdentity.ClientParams.EnableDisabledUsers, identity.ClientParams.EnableDisabledUsers)
+				assert.Equal(t, tt.expectedIdentity.ClientParams.EnableUser, identity.ClientParams.EnableUser)
 
 				assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Email, identity.ClientParams.LookUpParams.Email)
 				assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Login, identity.ClientParams.LookUpParams.Login)

pkg/services/authn/clients/ldap.go

@@ -107,7 +107,7 @@ func (c *LDAP) disableUser(ctx context.Context, username string) (*authn.Identit
 }
 
 func (c *LDAP) identityFromLDAPInfo(orgID int64, info *login.ExternalUserInfo) *authn.Identity {
-	id := &authn.Identity{
+	return &authn.Identity{
 		OrgID:           orgID,
 		OrgRoles:        info.OrgRoles,
 		Login:           info.Login,
@@ -118,25 +118,17 @@ func (c *LDAP) identityFromLDAPInfo(orgID int64, info *login.ExternalUserInfo) *
 		AuthID:          info.AuthId,
 		Groups:          info.Groups,
 		ClientParams: authn.ClientParams{
-			SyncUser:            true,
-			SyncTeams:           true,
-			EnableDisabledUsers: true,
-			FetchSyncedUser:     true,
-			SyncPermissions:     true,
-			SyncOrgRoles:        !c.cfg.LDAPSkipOrgRoleSync,
-			AllowSignUp:         c.cfg.LDAPAllowSignup,
+			SyncUser:        true,
+			SyncTeams:       true,
+			EnableUser:      true,
+			FetchSyncedUser: true,
+			SyncPermissions: true,
+			SyncOrgRoles:    !c.cfg.LDAPSkipOrgRoleSync,
+			AllowSignUp:     c.cfg.LDAPAllowSignup,
 			LookUpParams: login.UserLookupParams{
 				Login: &info.Login,
 				Email: &info.Email,
 			},
 		},
 	}
-
-	// The ldap service is not aware of the internal state of the user. Fetching the user
-	// from the store to know if that user is disabled or not, is almost as costly as
-	// running an update systematically. We are setting IsDisabled to true so that the
-	// EnableDisabledUserHook force-enable that user.
-	id.IsDisabled = true
-
-	return id
 }

pkg/services/authn/clients/ldap_test.go

@@ -60,14 +60,13 @@ func TestLDAP_AuthenticateProxy(t *testing.T) {
 				AuthenticatedBy: login.LDAPAuthModule,
 				AuthID:          "123",
 				Groups:          []string{"1", "2"},
-				IsDisabled:      true, // Users are marked as disabled to force enablement on successful login
 				ClientParams: authn.ClientParams{
-					SyncUser:            true,
-					SyncTeams:           true,
-					EnableDisabledUsers: true,
-					FetchSyncedUser:     true,
-					SyncOrgRoles:        true,
-					SyncPermissions:     true,
+					SyncUser:        true,
+					SyncTeams:       true,
+					EnableUser:      true,
+					FetchSyncedUser: true,
+					SyncOrgRoles:    true,
+					SyncPermissions: true,
 					LookUpParams: login.UserLookupParams{
 						Email: strPtr("test@test.com"),
 						Login: strPtr("test"),
@@ -130,14 +129,13 @@ func TestLDAP_AuthenticatePassword(t *testing.T) {
 				AuthenticatedBy: login.LDAPAuthModule,
 				AuthID:          "123",
 				Groups:          []string{"1", "2"},
-				IsDisabled:      true, // Users are marked as disabled to force enablement on successful login
 				ClientParams: authn.ClientParams{
-					SyncUser:            true,
-					SyncTeams:           true,
-					EnableDisabledUsers: true,
-					FetchSyncedUser:     true,
-					SyncOrgRoles:        true,
-					SyncPermissions:     true,
+					SyncUser:        true,
+					SyncTeams:       true,
+					EnableUser:      true,
+					FetchSyncedUser: true,
+					SyncOrgRoles:    true,
+					SyncPermissions: true,
 					LookUpParams: login.UserLookupParams{
 						Email: strPtr("test@test.com"),
 						Login: strPtr("test"),

pkg/services/authn/clients/oauth_test.go

@@ -227,7 +227,7 @@ func TestOAuth_Authenticate(t *testing.T) {
 				assert.Equal(t, tt.expectedIdentity.ClientParams.SyncUser, identity.ClientParams.SyncUser)
 				assert.Equal(t, tt.expectedIdentity.ClientParams.AllowSignUp, identity.ClientParams.AllowSignUp)
 				assert.Equal(t, tt.expectedIdentity.ClientParams.SyncTeams, identity.ClientParams.SyncTeams)
-				assert.Equal(t, tt.expectedIdentity.ClientParams.EnableDisabledUsers, identity.ClientParams.EnableDisabledUsers)
+				assert.Equal(t, tt.expectedIdentity.ClientParams.EnableUser, identity.ClientParams.EnableUser)
 
 				assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Email, identity.ClientParams.LookUpParams.Email)
 				assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Login, identity.ClientParams.LookUpParams.Login)