Login: allow basic users to reset password when LDAP or Auth Proxy is enabled (#52331)

pkg/api/password.go

@@ -19,9 +19,6 @@ func (hs *HTTPServer) SendResetPasswordEmail(c *models.ReqContext) response.Resp
 	if err := web.Bind(c.Req, &form); err != nil {
 		return response.Error(http.StatusBadRequest, "bad request data", err)
 	}
-	if setting.LDAPEnabled || setting.AuthProxyEnabled {
-		return response.Error(401, "Not allowed to reset password when LDAP or Auth Proxy is enabled", nil)
-	}
 	if setting.DisableLoginForm {
 		return response.Error(401, "Not allowed to reset password when login form is disabled", nil)
 	}
@@ -34,6 +31,19 @@ func (hs *HTTPServer) SendResetPasswordEmail(c *models.ReqContext) response.Resp
 		return response.Error(http.StatusOK, "Email sent", err)
 	}
 
+	if usr.IsDisabled {
+		c.Logger.Info("Requested password reset for disabled user", "user", userQuery.LoginOrEmail)
+		return response.Error(http.StatusOK, "Email sent", nil)
+	}
+
+	getAuthQuery := models.GetAuthInfoQuery{UserId: usr.ID}
+	if err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil {
+		authModule := getAuthQuery.Result.AuthModule
+		if authModule == models.AuthModuleLDAP || authModule == models.AuthModuleProxy {
+			return response.Error(401, "Not allowed to reset password for LDAP or Auth Proxy user", nil)
+		}
+	}
+
 	emailCmd := models.SendResetPasswordEmailCommand{User: usr}
 	if err := hs.NotificationService.SendResetPasswordEmail(c.Req.Context(), &emailCmd); err != nil {
 		return response.Error(500, "Failed to send email", err)

pkg/api/user.go

@@ -383,9 +383,6 @@ func (hs *HTTPServer) ChangeUserPassword(c *models.ReqContext) response.Response
 	if err := web.Bind(c.Req, &cmd); err != nil {
 		return response.Error(http.StatusBadRequest, "bad request data", err)
 	}
-	if setting.LDAPEnabled || setting.AuthProxyEnabled {
-		return response.Error(400, "Not allowed to change password when LDAP or Auth Proxy is enabled", nil)
-	}
 
 	userQuery := user.GetUserByIDQuery{ID: c.UserId}
 
@@ -394,6 +391,14 @@ func (hs *HTTPServer) ChangeUserPassword(c *models.ReqContext) response.Response
 		return response.Error(500, "Could not read user from database", err)
 	}
 
+	getAuthQuery := models.GetAuthInfoQuery{UserId: user.ID}
+	if err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil {
+		authModule := getAuthQuery.Result.AuthModule
+		if authModule == models.AuthModuleLDAP || authModule == models.AuthModuleProxy {
+			return response.Error(400, "Not allowed to reset password for LDAP or Auth Proxy user", nil)
+		}
+	}
+
 	passwordHashed, err := util.EncodePassword(cmd.OldPassword, user.Salt)
 	if err != nil {
 		return response.Error(500, "Failed to encode password", err)
@@ -491,6 +496,8 @@ func GetAuthProviderLabel(authModule string) string {
 		return "grafana.com"
 	case "auth.saml":
 		return "SAML"
+	case "authproxy":
+		return "Auth Proxy"
 	case "ldap", "":
 		return "LDAP"
 	default:

pkg/models/user_auth.go

@@ -11,6 +11,7 @@ import (
 
 const (
 	AuthModuleLDAP  = "ldap"
+	AuthModuleProxy = "authproxy"
 )
 
 type UserAuth struct {

public/app/core/components/Login/LoginCtrl.tsx

@@ -25,8 +25,6 @@ interface Props {
     skipPasswordChange: Function;
     login: (data: FormModel) => void;
     disableLoginForm: boolean;
-    ldapEnabled: boolean;
-    authProxyEnabled: boolean;
     disableUserSignUp: boolean;
     isOauthEnabled: boolean;
     loginHint: string;
@@ -129,7 +127,7 @@ export class LoginCtrl extends PureComponent<Props, State> {
     const { children } = this.props;
     const { isLoggingIn, isChangingPassword } = this.state;
     const { login, toGrafana, changePassword } = this;
-    const { loginHint, passwordHint, disableLoginForm, ldapEnabled, authProxyEnabled, disableUserSignUp } = config;
+    const { loginHint, passwordHint, disableLoginForm, disableUserSignUp } = config;
 
     return (
       <>
@@ -138,8 +136,6 @@ export class LoginCtrl extends PureComponent<Props, State> {
           loginHint,
           passwordHint,
           disableLoginForm,
-          ldapEnabled,
-          authProxyEnabled,
           disableUserSignUp,
           login,
           isLoggingIn,

public/app/core/components/Login/LoginPage.tsx

@@ -28,8 +28,6 @@ export const LoginPage: FC = () => {
         {({
           loginHint,
           passwordHint,
-          ldapEnabled,
-          authProxyEnabled,
           disableLoginForm,
           disableUserSignUp,
           login,
@@ -48,7 +46,6 @@ export const LoginPage: FC = () => {
                     passwordHint={passwordHint}
                     isLoggingIn={isLoggingIn}
                   >
-                    {!(ldapEnabled || authProxyEnabled) ? (
                     <HorizontalGroup justify="flex-end">
                       <LinkButton
                         className={forgottenPasswordStyles}
@@ -58,9 +55,6 @@ export const LoginPage: FC = () => {
                         Forgot your password?
                       </LinkButton>
                     </HorizontalGroup>
-                    ) : (
-                      <></>
-                    )}
                   </LoginForm>
                 )}
                 <LoginServiceButtons />

public/app/features/profile/ChangePasswordForm.tsx

@@ -16,11 +16,11 @@ export interface Props {
 }
 
 export const ChangePasswordForm: FC<Props> = ({ user, onChangePassword, isSaving }) => {
-  const { ldapEnabled, authProxyEnabled, disableLoginForm } = config;
+  const { disableLoginForm } = config;
   const authSource = user.authLabels?.length && user.authLabels[0];
 
-  if (ldapEnabled || authProxyEnabled) {
+  if (authSource === 'LDAP' || authSource === 'Auth Proxy') {
-    return <p>You cannot change password when LDAP or auth proxy authentication is enabled.</p>;
+    return <p>You cannot change password when signed in with LDAP or auth proxy.</p>;
   }
   if (authSource && disableLoginForm) {
     return <p>Password cannot be changed here.</p>;

public/app/features/profile/ChangePasswordPage.test.tsx

@@ -84,19 +84,19 @@ describe('ChangePasswordPage', () => {
       );
     });
   });
-  it('should cannot change password form if ldap or authProxy enabled', async () => {
+  it('should cannot change password form if user signed in with LDAP', async () => {
-    config.ldapEnabled = true;
+    await getTestContext({
-    const { rerender } = await getTestContext();
+      user: { ...defaultProps.user!, authLabels: ['LDAP'] },
-    expect(
+    });
-      screen.getByText('You cannot change password when LDAP or auth proxy authentication is enabled.')
+
-    ).toBeInTheDocument();
+    expect(screen.getByText('You cannot change password when signed in with LDAP or auth proxy.')).toBeInTheDocument();
-    config.ldapEnabled = false;
+  });
-    config.authProxyEnabled = true;
+  it('should cannot change password form if user signed in with auth proxy', async () => {
-    rerender(<ChangePasswordPage {...defaultProps} />);
+    await getTestContext({
-    expect(
+      user: { ...defaultProps.user!, authLabels: ['Auth Proxy'] },
-      screen.getByText('You cannot change password when LDAP or auth proxy authentication is enabled.')
+    });
-    ).toBeInTheDocument();
+
-    config.authProxyEnabled = false;
+    expect(screen.getByText('You cannot change password when signed in with LDAP or auth proxy.')).toBeInTheDocument();
   });
   it('should show cannot change password if disableLoginForm is true and auth', async () => {
     config.disableLoginForm = true;