fix: bug where disabled didnt disable the use of service account (#47688)

2025-02-25 18:55:37 -06:00 · 2022-04-13 13:40:58 +01:00
parent ab5e2e10ce
commit 673a2ab49e
3 changed files with 15 additions and 6 deletions
--- a/pkg/models/user.go
+++ b/pkg/models/user.go
@@ -182,6 +182,7 @@ type SignedInUser struct {
 	OrgCount           int
 	IsGrafanaAdmin     bool
 	IsAnonymous        bool
+	IsDisabled         bool
 	HelpFlags1         HelpFlags1
 	LastSeenAt         time.Time
 	Teams              []int64
--- a/pkg/services/contexthandler/contexthandler.go
+++ b/pkg/services/contexthandler/contexthandler.go
@@ -4,6 +4,7 @@ package contexthandler
 import (
 	"context"
 	"errors"
+	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
@@ -255,20 +256,26 @@ func (h *ContextHandler) initContextWithAPIKey(reqContext *models.ReqContext) bo
 	//There is a service account attached to the API key

 	//Use service account linked to API key as the signed in user
-	query := models.GetSignedInUserQuery{UserId: *apikey.ServiceAccountId, OrgId: apikey.OrgId}
-	if err := h.SQLStore.GetSignedInUserWithCacheCtx(reqContext.Req.Context(), &query); err != nil {
+	querySignedInUser := models.GetSignedInUserQuery{UserId: *apikey.ServiceAccountId, OrgId: apikey.OrgId}
+	if err := h.SQLStore.GetSignedInUserWithCacheCtx(reqContext.Req.Context(), &querySignedInUser); err != nil {
 		reqContext.Logger.Error(
 			"Failed to link API key to service account in",
-			"id", query.UserId,
-			"org", query.OrgId,
+			"id", querySignedInUser.UserId,
+			"org", querySignedInUser.OrgId,
 			"err", err,
 		)
-		reqContext.JsonApiErr(500, "Unable to link API key to service account", err)
+		reqContext.JsonApiErr(http.StatusInternalServerError, "Unable to link API key to service account", err)
+		return true
+	}
+
+	// disabled service accounts are not allowed to access the API
+	if querySignedInUser.Result.IsDisabled {
+		reqContext.JsonApiErr(http.StatusUnauthorized, "Service account is disabled", nil)
 		return true
 	}

 	reqContext.IsSignedIn = true
-	reqContext.SignedInUser = query.Result
+	reqContext.SignedInUser = querySignedInUser.Result
 	return true
 }

--- a/pkg/services/sqlstore/user.go
+++ b/pkg/services/sqlstore/user.go
@@ -535,6 +535,7 @@ func (ss *SQLStore) GetSignedInUser(ctx context.Context, query *models.GetSigned
 		u.email               as email,
 		u.login               as login,
 		u.name                as name,
+		u.is_disabled         as is_disabled,
 		u.help_flags1         as help_flags1,
 		u.last_seen_at        as last_seen_at,
 		(SELECT COUNT(*) FROM org_user where org_user.user_id = u.id) as org_count,