AuthN: Change EnableDisabledUserHook to EnableUserHook (#75248)

* Replace the enable disable user hook by a hook that systematically enable users

* Fix tests

* Remove the skip test

pkg/services/authn/authn.go

@@ -48,8 +48,8 @@ type ClientParams struct {
 	SyncUser bool
 	// AllowSignUp Adds identity to DB if it doesn't exist when, only work if SyncUser is enabled
 	AllowSignUp bool
-	// EnableDisabledUsers will enable disabled user, only work if SyncUser is enabled
+	// EnableUser will ensure the user is enabled, only work if SyncUser is enabled
-	EnableDisabledUsers bool
+	EnableUser bool
 	// FetchSyncedUser ensure that all required information is added to the identity
 	FetchSyncedUser bool
 	// SyncTeams will sync the groups from identity to teams in grafana, enterprise only feature

pkg/services/authn/authnimpl/service.go

@@ -154,7 +154,7 @@ func ProvideService(
 	userSyncService := sync.ProvideUserSync(userService, userProtectionService, authInfoService, quotaService)
 	orgUserSyncService := sync.ProvideOrgSync(userService, orgService, accessControlService)
 	s.RegisterPostAuthHook(userSyncService.SyncUserHook, 10)
-	s.RegisterPostAuthHook(userSyncService.EnableDisabledUserHook, 20)
+	s.RegisterPostAuthHook(userSyncService.EnableUserHook, 20)
 	s.RegisterPostAuthHook(orgUserSyncService.SyncOrgRolesHook, 30)
 	s.RegisterPostAuthHook(userSyncService.SyncLastSeenHook, 120)
 

pkg/services/authn/authnimpl/sync/user_sync.go

@@ -163,12 +163,8 @@ func (s *UserSync) SyncLastSeenHook(ctx context.Context, identity *authn.Identit
 	return nil
 }
 
-func (s *UserSync) EnableDisabledUserHook(ctx context.Context, identity *authn.Identity, _ *authn.Request) error {
+func (s *UserSync) EnableUserHook(ctx context.Context, identity *authn.Identity, _ *authn.Request) error {
-	if !identity.ClientParams.EnableDisabledUsers {
+	if !identity.ClientParams.EnableUser {
-		return nil
-	}
-
-	if !identity.IsDisabled {
 		return nil
 	}
 

pkg/services/authn/authnimpl/sync/user_sync_test.go

@@ -349,9 +349,9 @@ func TestUserSync_SyncUserHook(t *testing.T) {
 					AuthenticatedBy: "oauth",
 					AuthID:          "2032",
 					ClientParams: authn.ClientParams{
-						SyncUser:            true,
+						SyncUser:    true,
-						AllowSignUp:         true,
+						AllowSignUp: true,
-						EnableDisabledUsers: true,
+						EnableUser:  true,
 						LookUpParams: login.UserLookupParams{
 							UserID: nil,
 							Email:  ptrString("test_create"),
@@ -370,9 +370,9 @@ func TestUserSync_SyncUserHook(t *testing.T) {
 				AuthID:          "2032",
 				IsGrafanaAdmin:  ptrBool(true),
 				ClientParams: authn.ClientParams{
-					SyncUser:            true,
+					SyncUser:    true,
-					AllowSignUp:         true,
+					AllowSignUp: true,
-					EnableDisabledUsers: true,
+					EnableUser:  true,
 					LookUpParams: login.UserLookupParams{
 						UserID: nil,
 						Email:  ptrString("test_create"),
@@ -398,8 +398,8 @@ func TestUserSync_SyncUserHook(t *testing.T) {
 					IsDisabled:     false,
 					IsGrafanaAdmin: ptrBool(true),
 					ClientParams: authn.ClientParams{
-						SyncUser:            true,
+						SyncUser:   true,
-						EnableDisabledUsers: true,
+						EnableUser: true,
 						LookUpParams: login.UserLookupParams{
 							UserID: ptrInt64(3),
 							Email:  nil,
@@ -417,8 +417,8 @@ func TestUserSync_SyncUserHook(t *testing.T) {
 				IsDisabled:     false,
 				IsGrafanaAdmin: ptrBool(true),
 				ClientParams: authn.ClientParams{
-					SyncUser:            true,
+					SyncUser:   true,
-					EnableDisabledUsers: true,
+					EnableUser: true,
 					LookUpParams: login.UserLookupParams{
 						UserID: ptrInt64(3),
 						Email:  nil,
@@ -486,16 +486,7 @@ func TestUserSync_EnableDisabledUserHook(t *testing.T) {
 			identity: &authn.Identity{
 				ID:           authn.NamespacedID(authn.NamespaceUser, 1),
 				IsDisabled:   true,
-				ClientParams: authn.ClientParams{EnableDisabledUsers: false},
+				ClientParams: authn.ClientParams{EnableUser: false},
-			},
-			enableUser: false,
-		},
-		{
-			desc: "should skip if identity is not disabled",
-			identity: &authn.Identity{
-				ID:           authn.NamespacedID(authn.NamespaceUser, 1),
-				IsDisabled:   false,
-				ClientParams: authn.ClientParams{EnableDisabledUsers: true},
 			},
 			enableUser: false,
 		},
@@ -504,7 +495,7 @@ func TestUserSync_EnableDisabledUserHook(t *testing.T) {
 			identity: &authn.Identity{
 				ID:           authn.NamespacedID(authn.NamespaceAPIKey, 1),
 				IsDisabled:   true,
-				ClientParams: authn.ClientParams{EnableDisabledUsers: true},
+				ClientParams: authn.ClientParams{EnableUser: true},
 			},
 			enableUser: false,
 		},
@@ -513,7 +504,7 @@ func TestUserSync_EnableDisabledUserHook(t *testing.T) {
 			identity: &authn.Identity{
 				ID:           authn.NamespacedID(authn.NamespaceUser, 1),
 				IsDisabled:   true,
-				ClientParams: authn.ClientParams{EnableDisabledUsers: true},
+				ClientParams: authn.ClientParams{EnableUser: true},
 			},
 			enableUser: true,
 		},
@@ -529,7 +520,7 @@ func TestUserSync_EnableDisabledUserHook(t *testing.T) {
 			}
 
 			s := UserSync{userService: userSvc}
-			err := s.EnableDisabledUserHook(context.Background(), tt.identity, nil)
+			err := s.EnableUserHook(context.Background(), tt.identity, nil)
 			require.NoError(t, err)
 			assert.Equal(t, tt.enableUser, called)
 		})

pkg/services/authn/clients/ext_jwt_test.go

@@ -175,13 +175,13 @@ func TestExtendedJWT_Authenticate(t *testing.T) {
 					},
 				},
 				ClientParams: authn.ClientParams{
-					SyncUser:            false,
+					SyncUser:        false,
-					AllowSignUp:         false,
+					AllowSignUp:     false,
-					FetchSyncedUser:     false,
+					FetchSyncedUser: false,
-					EnableDisabledUsers: false,
+					EnableUser:      false,
-					SyncOrgRoles:        false,
+					SyncOrgRoles:    false,
-					SyncTeams:           false,
+					SyncTeams:       false,
-					SyncPermissions:     false,
+					SyncPermissions: false,
 					LookUpParams: login.UserLookupParams{
 						UserID: nil,
 						Email:  nil,

pkg/services/authn/clients/grafana_test.go

@@ -112,7 +112,7 @@ func TestGrafana_AuthenticateProxy(t *testing.T) {
 				assert.Equal(t, tt.expectedIdentity.ClientParams.SyncUser, identity.ClientParams.SyncUser)
 				assert.Equal(t, tt.expectedIdentity.ClientParams.AllowSignUp, identity.ClientParams.AllowSignUp)
 				assert.Equal(t, tt.expectedIdentity.ClientParams.SyncTeams, identity.ClientParams.SyncTeams)
-				assert.Equal(t, tt.expectedIdentity.ClientParams.EnableDisabledUsers, identity.ClientParams.EnableDisabledUsers)
+				assert.Equal(t, tt.expectedIdentity.ClientParams.EnableUser, identity.ClientParams.EnableUser)
 
 				assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Email, identity.ClientParams.LookUpParams.Email)
 				assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Login, identity.ClientParams.LookUpParams.Login)

pkg/services/authn/clients/ldap.go

@@ -107,7 +107,7 @@ func (c *LDAP) disableUser(ctx context.Context, username string) (*authn.Identit
 }
 
 func (c *LDAP) identityFromLDAPInfo(orgID int64, info *login.ExternalUserInfo) *authn.Identity {
-	id := &authn.Identity{
+	return &authn.Identity{
 		OrgID:           orgID,
 		OrgRoles:        info.OrgRoles,
 		Login:           info.Login,
@@ -118,25 +118,17 @@ func (c *LDAP) identityFromLDAPInfo(orgID int64, info *login.ExternalUserInfo) *
 		AuthID:          info.AuthId,
 		Groups:          info.Groups,
 		ClientParams: authn.ClientParams{
-			SyncUser:            true,
+			SyncUser:        true,
-			SyncTeams:           true,
+			SyncTeams:       true,
-			EnableDisabledUsers: true,
+			EnableUser:      true,
-			FetchSyncedUser:     true,
+			FetchSyncedUser: true,
-			SyncPermissions:     true,
+			SyncPermissions: true,
-			SyncOrgRoles:        !c.cfg.LDAPSkipOrgRoleSync,
+			SyncOrgRoles:    !c.cfg.LDAPSkipOrgRoleSync,
-			AllowSignUp:         c.cfg.LDAPAllowSignup,
+			AllowSignUp:     c.cfg.LDAPAllowSignup,
 			LookUpParams: login.UserLookupParams{
 				Login: &info.Login,
 				Email: &info.Email,
 			},
 		},
 	}
-
-	// The ldap service is not aware of the internal state of the user. Fetching the user
-	// from the store to know if that user is disabled or not, is almost as costly as
-	// running an update systematically. We are setting IsDisabled to true so that the
-	// EnableDisabledUserHook force-enable that user.
-	id.IsDisabled = true
-
-	return id
 }

pkg/services/authn/clients/ldap_test.go

@@ -60,14 +60,13 @@ func TestLDAP_AuthenticateProxy(t *testing.T) {
 				AuthenticatedBy: login.LDAPAuthModule,
 				AuthID:          "123",
 				Groups:          []string{"1", "2"},
-				IsDisabled:      true, // Users are marked as disabled to force enablement on successful login
 				ClientParams: authn.ClientParams{
-					SyncUser:            true,
+					SyncUser:        true,
-					SyncTeams:           true,
+					SyncTeams:       true,
-					EnableDisabledUsers: true,
+					EnableUser:      true,
-					FetchSyncedUser:     true,
+					FetchSyncedUser: true,
-					SyncOrgRoles:        true,
+					SyncOrgRoles:    true,
-					SyncPermissions:     true,
+					SyncPermissions: true,
 					LookUpParams: login.UserLookupParams{
 						Email: strPtr("test@test.com"),
 						Login: strPtr("test"),
@@ -130,14 +129,13 @@ func TestLDAP_AuthenticatePassword(t *testing.T) {
 				AuthenticatedBy: login.LDAPAuthModule,
 				AuthID:          "123",
 				Groups:          []string{"1", "2"},
-				IsDisabled:      true, // Users are marked as disabled to force enablement on successful login
 				ClientParams: authn.ClientParams{
-					SyncUser:            true,
+					SyncUser:        true,
-					SyncTeams:           true,
+					SyncTeams:       true,
-					EnableDisabledUsers: true,
+					EnableUser:      true,
-					FetchSyncedUser:     true,
+					FetchSyncedUser: true,
-					SyncOrgRoles:        true,
+					SyncOrgRoles:    true,
-					SyncPermissions:     true,
+					SyncPermissions: true,
 					LookUpParams: login.UserLookupParams{
 						Email: strPtr("test@test.com"),
 						Login: strPtr("test"),

pkg/services/authn/clients/oauth_test.go

@@ -227,7 +227,7 @@ func TestOAuth_Authenticate(t *testing.T) {
 				assert.Equal(t, tt.expectedIdentity.ClientParams.SyncUser, identity.ClientParams.SyncUser)
 				assert.Equal(t, tt.expectedIdentity.ClientParams.AllowSignUp, identity.ClientParams.AllowSignUp)
 				assert.Equal(t, tt.expectedIdentity.ClientParams.SyncTeams, identity.ClientParams.SyncTeams)
-				assert.Equal(t, tt.expectedIdentity.ClientParams.EnableDisabledUsers, identity.ClientParams.EnableDisabledUsers)
+				assert.Equal(t, tt.expectedIdentity.ClientParams.EnableUser, identity.ClientParams.EnableUser)
 
 				assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Email, identity.ClientParams.LookUpParams.Email)
 				assert.EqualValues(t, tt.expectedIdentity.ClientParams.LookUpParams.Login, identity.ClientParams.LookUpParams.Login)

pkg/services/ldap/api/service.go

@@ -326,11 +326,11 @@ func (s *Service) identityFromLDAPUser(user *login.ExternalUserInfo) *authn.Iden
 		AuthID:          user.AuthId,
 		Groups:          user.Groups,
 		ClientParams: authn.ClientParams{
-			SyncUser:            true,
+			SyncUser:     true,
-			SyncTeams:           true,
+			SyncTeams:    true,
-			EnableDisabledUsers: true,
+			EnableUser:   true,
-			SyncOrgRoles:        !s.cfg.LDAPSkipOrgRoleSync,
+			SyncOrgRoles: !s.cfg.LDAPSkipOrgRoleSync,
-			AllowSignUp:         s.cfg.LDAPAllowSignup,
+			AllowSignUp:  s.cfg.LDAPAllowSignup,
 			LookUpParams: login.UserLookupParams{
 				UserID: &user.UserId,
 			},