mirror of
https://github.com/grafana/grafana.git
synced 2025-02-16 18:34:52 -06:00
Login: allow basic users to reset password when LDAP or Auth Proxy is enabled (#52331)
parent
62b4dbf52f
commit
2dab7ad890
@ -19,9 +19,6 @@ func (hs *HTTPServer) SendResetPasswordEmail(c *models.ReqContext) response.Resp
|
||||
if err := web.Bind(c.Req, &form); err != nil {
|
||||
return response.Error(http.StatusBadRequest, "bad request data", err)
|
||||
}
|
||||
if setting.LDAPEnabled || setting.AuthProxyEnabled {
|
||||
return response.Error(401, "Not allowed to reset password when LDAP or Auth Proxy is enabled", nil)
|
||||
}
|
||||
if setting.DisableLoginForm {
|
||||
return response.Error(401, "Not allowed to reset password when login form is disabled", nil)
|
||||
}
|
||||
@ -34,6 +31,19 @@ func (hs *HTTPServer) SendResetPasswordEmail(c *models.ReqContext) response.Resp
|
||||
return response.Error(http.StatusOK, "Email sent", err)
|
||||
}
|
||||
|
||||
if usr.IsDisabled {
|
||||
c.Logger.Info("Requested password reset for disabled user", "user", userQuery.LoginOrEmail)
|
||||
return response.Error(http.StatusOK, "Email sent", nil)
|
||||
}
|
||||
|
||||
getAuthQuery := models.GetAuthInfoQuery{UserId: usr.ID}
|
||||
if err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil {
|
||||
authModule := getAuthQuery.Result.AuthModule
|
||||
if authModule == models.AuthModuleLDAP || authModule == models.AuthModuleProxy {
|
||||
return response.Error(401, "Not allowed to reset password for LDAP or Auth Proxy user", nil)
|
||||
}
|
||||
}
|
||||
|
||||
emailCmd := models.SendResetPasswordEmailCommand{User: usr}
|
||||
if err := hs.NotificationService.SendResetPasswordEmail(c.Req.Context(), &emailCmd); err != nil {
|
||||
return response.Error(500, "Failed to send email", err)
|
||||
|
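Review bot: The new per-user check in SendResetPasswordEmail answers 401 "Not allowed to reset password for LDAP or Auth Proxy user", while the returns just above it answer 200 "Email sent" both for the earlier failure path and for a disabled user. This endpoint is linked from the login page, so the distinct status lets a caller learn which logins exist and are backed by LDAP or Auth Proxy. Keep the response uniform and record the reason server-side only, mirroring the disabled-user branch: `c.Logger.Info("Requested password reset for LDAP or Auth Proxy user", "user", userQuery.LoginOrEmail)` followed by `return response.Error(http.StatusOK, "Email sent", nil)`. The function starts and ends outside the shown hunks, so confirm that the first "Email sent" return is the user-not-found path.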
@ -383,9 +383,6 @@ func (hs *HTTPServer) ChangeUserPassword(c *models.ReqContext) response.Response
|
||||
if err := web.Bind(c.Req, &cmd); err != nil {
|
||||
return response.Error(http.StatusBadRequest, "bad request data", err)
|
||||
}
|
||||
if setting.LDAPEnabled || setting.AuthProxyEnabled {
|
||||
return response.Error(400, "Not allowed to change password when LDAP or Auth Proxy is enabled", nil)
|
||||
}
|
||||
|
||||
userQuery := user.GetUserByIDQuery{ID: c.UserId}
|
||||
|
||||
@ -394,6 +391,14 @@ func (hs *HTTPServer) ChangeUserPassword(c *models.ReqContext) response.Response
|
||||
return response.Error(500, "Could not read user from database", err)
|
||||
}
|
||||
|
||||
getAuthQuery := models.GetAuthInfoQuery{UserId: user.ID}
|
||||
if err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil {
|
||||
authModule := getAuthQuery.Result.AuthModule
|
||||
if authModule == models.AuthModuleLDAP || authModule == models.AuthModuleProxy {
|
||||
return response.Error(400, "Not allowed to reset password for LDAP or Auth Proxy user", nil)
|
||||
}
|
||||
}
|
||||
|
||||
passwordHashed, err := util.EncodePassword(cmd.OldPassword, user.Salt)
|
||||
if err != nil {
|
||||
return response.Error(500, "Failed to encode password", err)
|
||||
@ -491,6 +496,8 @@ func GetAuthProviderLabel(authModule string) string {
|
||||
return "grafana.com"
|
||||
case "auth.saml":
|
||||
return "SAML"
|
||||
case "authproxy":
|
||||
return "Auth Proxy"
|
||||
case "ldap", "":
|
||||
return "LDAP"
|
||||
default:
|
||||
|
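Review bot: In ChangeUserPassword the LDAP/Auth Proxy restriction is applied only when `GetAuthInfo` returns `err == nil`, so any lookup failure, not just a missing auth record, falls through and the password change proceeds. With the global `setting.LDAPEnabled || setting.AuthProxyEnabled` gate removed, this per-user check is the only remaining barrier and it fails open; the same guard is used in the SendResetPasswordEmail hunk. Treat only the not-found result as a local account and reject everything else, e.g. `} else if !errors.Is(err, <auth-info-not-found error>) { return response.Error(500, "Failed to read auth info", err) }`, where the placeholder stands for whatever sentinel the auth info service returns. Separately, the 400 message in this handler says "reset password" although the handler changes it. The function body continues outside the hunk.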
@ -10,7 +10,8 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
AuthModuleLDAP = "ldap"
|
||||
AuthModuleLDAP = "ldap"
|
||||
AuthModuleProxy = "authproxy"
|
||||
)
|
||||
|
||||
type UserAuth struct {
|
||||
|
@ -25,8 +25,6 @@ interface Props {
|
||||
skipPasswordChange: Function;
|
||||
login: (data: FormModel) => void;
|
||||
disableLoginForm: boolean;
|
||||
ldapEnabled: boolean;
|
||||
authProxyEnabled: boolean;
|
||||
disableUserSignUp: boolean;
|
||||
isOauthEnabled: boolean;
|
||||
loginHint: string;
|
||||
@ -129,7 +127,7 @@ export class LoginCtrl extends PureComponent<Props, State> {
|
||||
const { children } = this.props;
|
||||
const { isLoggingIn, isChangingPassword } = this.state;
|
||||
const { login, toGrafana, changePassword } = this;
|
||||
const { loginHint, passwordHint, disableLoginForm, ldapEnabled, authProxyEnabled, disableUserSignUp } = config;
|
||||
const { loginHint, passwordHint, disableLoginForm, disableUserSignUp } = config;
|
||||
|
||||
return (
|
||||
<>
|
||||
@ -138,8 +136,6 @@ export class LoginCtrl extends PureComponent<Props, State> {
|
||||
loginHint,
|
||||
passwordHint,
|
||||
disableLoginForm,
|
||||
ldapEnabled,
|
||||
authProxyEnabled,
|
||||
disableUserSignUp,
|
||||
login,
|
||||
isLoggingIn,
|
||||
|
@ -28,8 +28,6 @@ export const LoginPage: FC = () => {
|
||||
{({
|
||||
loginHint,
|
||||
passwordHint,
|
||||
ldapEnabled,
|
||||
authProxyEnabled,
|
||||
disableLoginForm,
|
||||
disableUserSignUp,
|
||||
login,
|
||||
@ -48,19 +46,15 @@ export const LoginPage: FC = () => {
|
||||
passwordHint={passwordHint}
|
||||
isLoggingIn={isLoggingIn}
|
||||
>
|
||||
{!(ldapEnabled || authProxyEnabled) ? (
|
||||
<HorizontalGroup justify="flex-end">
|
||||
<LinkButton
|
||||
className={forgottenPasswordStyles}
|
||||
fill="text"
|
||||
href={`${config.appSubUrl}/user/password/send-reset-email`}
|
||||
>
|
||||
Forgot your password?
|
||||
</LinkButton>
|
||||
</HorizontalGroup>
|
||||
) : (
|
||||
<></>
|
||||
)}
|
||||
<HorizontalGroup justify="flex-end">
|
||||
<LinkButton
|
||||
className={forgottenPasswordStyles}
|
||||
fill="text"
|
||||
href={`${config.appSubUrl}/user/password/send-reset-email`}
|
||||
>
|
||||
Forgot your password?
|
||||
</LinkButton>
|
||||
</HorizontalGroup>
|
||||
</LoginForm>
|
||||
)}
|
||||
<LoginServiceButtons />
|
||||
|
@ -16,11 +16,11 @@ export interface Props {
|
||||
}
|
||||
|
||||
export const ChangePasswordForm: FC<Props> = ({ user, onChangePassword, isSaving }) => {
|
||||
const { ldapEnabled, authProxyEnabled, disableLoginForm } = config;
|
||||
const { disableLoginForm } = config;
|
||||
const authSource = user.authLabels?.length && user.authLabels[0];
|
||||
|
||||
if (ldapEnabled || authProxyEnabled) {
|
||||
return <p>You cannot change password when LDAP or auth proxy authentication is enabled.</p>;
|
||||
if (authSource === 'LDAP' || authSource === 'Auth Proxy') {
|
||||
return <p>You cannot change password when signed in with LDAP or auth proxy.</p>;
|
||||
}
|
||||
if (authSource && disableLoginForm) {
|
||||
return <p>Password cannot be changed here.</p>;
|
||||
|
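Review bot: The guard `authSource === 'LDAP' || authSource === 'Auth Proxy'` in ChangePasswordForm keys the decision on display strings, which appear to be the labels produced by the backend's GetAuthProviderLabel, and it inspects only `authLabels[0]`. A wording change on either side would silently show the form again to externally authenticated users. The server-side check in ChangeUserPassword would still reject the request, but only after submission. At minimum document the coupling above the condition, e.g. `// Must stay in sync with the backend's GetAuthProviderLabel strings; the API enforces this independently.`, or compare against shared constants instead of literals. The component body continues past the end of the hunk.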
@ -84,19 +84,19 @@ describe('ChangePasswordPage', () => {
|
||||
);
|
||||
});
|
||||
});
|
||||
it('should cannot change password form if ldap or authProxy enabled', async () => {
|
||||
config.ldapEnabled = true;
|
||||
const { rerender } = await getTestContext();
|
||||
expect(
|
||||
screen.getByText('You cannot change password when LDAP or auth proxy authentication is enabled.')
|
||||
).toBeInTheDocument();
|
||||
config.ldapEnabled = false;
|
||||
config.authProxyEnabled = true;
|
||||
rerender(<ChangePasswordPage {...defaultProps} />);
|
||||
expect(
|
||||
screen.getByText('You cannot change password when LDAP or auth proxy authentication is enabled.')
|
||||
).toBeInTheDocument();
|
||||
config.authProxyEnabled = false;
|
||||
it('should cannot change password form if user signed in with LDAP', async () => {
|
||||
await getTestContext({
|
||||
user: { ...defaultProps.user!, authLabels: ['LDAP'] },
|
||||
});
|
||||
|
||||
expect(screen.getByText('You cannot change password when signed in with LDAP or auth proxy.')).toBeInTheDocument();
|
||||
});
|
||||
it('should cannot change password form if user signed in with auth proxy', async () => {
|
||||
await getTestContext({
|
||||
user: { ...defaultProps.user!, authLabels: ['Auth Proxy'] },
|
||||
});
|
||||
|
||||
expect(screen.getByText('You cannot change password when signed in with LDAP or auth proxy.')).toBeInTheDocument();
|
||||
});
|
||||
it('should show cannot change password if disableLoginForm is true and auth', async () => {
|
||||
config.disableLoginForm = true;
|
||||
|