Allow superusers to disable user accounts

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 The following are features that have been merged, but not yet deployed:
 
+- Add ability to disable users via the superuser panel (#26)
 - Add a Changelog view to the superuser panel (#186)
 
 ### 1.9.7

auth/auth.py

@@ -35,6 +35,10 @@ def _load_user_from_cookie():
     logger.debug('Loading user from cookie: %s', current_user.get_id())
     db_user = current_user.db_user()
     if db_user is not None:
+      # Don't allow disabled users to login.
+      if not db_user.enabled:
+        return None
+
       set_authenticated_user(db_user)
       loaded = QuayDeferredPermissionUser.for_user(db_user)
       identity_changed.send(app, identity=loaded)
@@ -62,6 +66,10 @@ def _validate_and_apply_oauth_token(token):
     abort(401, message='OAuth access token has expired: %(token)s',
           issue='invalid-oauth-token', token=token, headers=authenticate_header)
 
+  # Don't allow disabled users to login.
+  if not validated.authorized_user.enabled:
+    return None
+
   # We have a valid token
   scope_set = scopes.scopes_from_scope_string(validated.scope)
   logger.debug('Successfully validated oauth access token: %s with scope: %s', token,

auth/auth_context.py

@@ -17,6 +17,9 @@ def get_authenticated_user():
 
     logger.debug('Loading deferred authenticated user.')
     loaded = model.get_user_by_uuid(user_uuid)
+    if not loaded.enabled:
+      return None
+
     set_authenticated_user(loaded)
     user = loaded
 
@@ -26,6 +29,9 @@ def get_authenticated_user():
 
 
 def set_authenticated_user(user_or_robot):
+  if not user_or_robot.enabled:
+    raise Exception('Attempt to authenticate a disabled user/robot: %s' % user_or_robot.username)
+
   ctx = _request_ctx_stack.top
   ctx.authenticated_user = user_or_robot
 

data/database.py

@@ -193,6 +193,7 @@ class User(BaseModel):
   invalid_login_attempts = IntegerField(default=0)
   last_invalid_login = DateTimeField(default=datetime.utcnow)
   removed_tag_expiration_s = IntegerField(default=1209600)  # Two weeks
+  enabled = BooleanField(default=True)
 
   def delete_instance(self, recursive=False, delete_nullable=False):
     # If we are deleting a robot account, only execute the subset of queries necessary.

data/migrations/versions/154f2befdfbe_add_enabled_column_to_the_user_system.py

@@ -0,0 +1,26 @@
+"""Add enabled column to the user system
+
+Revision ID: 154f2befdfbe
+Revises: 41f4587c84ae
+Create Date: 2015-05-11 17:02:43.507847
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = '154f2befdfbe'
+down_revision = '41f4587c84ae'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('user', sa.Column('enabled', sa.Boolean(), nullable=False, default=True))
+    ### end Alembic commands ###
+
+
+def downgrade(tables):
+    ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column('user', 'enabled')
+    ### end Alembic commands ###

data/model/legacy.py

@@ -67,6 +67,7 @@ class InvalidRobotException(DataModelException):
 class InvalidTeamException(DataModelException):
   pass
 
+
 class InvalidTeamMemberException(DataModelException):
   pass
 
@@ -259,16 +260,35 @@ def lookup_robot(robot_username):
   return found[0]
 
 def verify_robot(robot_username, password):
-  joined = User.select().join(FederatedLogin).join(LoginService)
-  found = list(joined.where(FederatedLogin.service_ident == password,
-                            LoginService.name == 'quayrobot',
-                            User.username == robot_username))
-  if not found:
+  result = parse_robot_username(robot_username)
+  if result is None:
+    raise InvalidRobotException('%s is an invalid robot name' % robot_username)
+
+  # Find the matching robot.
+  query = (User.select()
+               .join(FederatedLogin)
+               .join(LoginService)
+               .where(FederatedLogin.service_ident == password,
+                      LoginService.name == 'quayrobot',
+                      User.username == robot_username))
+
+  try:
+    robot = query.get()
+  except User.DoesNotExist:
     msg = ('Could not find robot with username: %s and supplied password.' %
            robot_username)
     raise InvalidRobotException(msg)
 
-  return found[0]
+  # Find the owner user and ensure it is not disabled.
+  try:
+    owner = User.get(User.username == result[0])
+  except User.DoesNotExist:
+    raise InvalidRobotException('Robot %s owner does not exist' % robot_username)
+
+  if not owner.enabled:
+    raise InvalidRobotException('This user has been disabled. Please contact your administrator.')
+
+  return robot
 
 def regenerate_robot_token(robot_shortname, parent):
   robot_username = format_robot_username(parent.username, robot_shortname)

data/users.py

@@ -410,7 +410,14 @@ class UserAuthentication(object):
       else:
         password = decrypted
 
-    return self.state.verify_user(username_or_email, password)
+    (result, err_msg) = self.state.verify_user(username_or_email, password)
+    if not result:
+      return (result, err_msg)
+
+    if not result.enabled:
+      return (None, 'This user has been disabled. Please contact your administrator.')
+
+    return (result, err_msg)
 
   def __getattr__(self, name):
     return getattr(self.state, name, None)

endpoints/api/superuser.py

@@ -115,7 +115,8 @@ def user_view(user):
     'email': user.email,
     'verified': user.verified,
     'avatar': avatar.get_data_for_user(user),
-    'super_user': superusers.is_superuser(user.username)
+    'super_user': superusers.is_superuser(user.username),
+    'enabled': user.enabled
   }
 
 @resource('/v1/superuser/changelog/')
@@ -335,6 +336,11 @@ class SuperUserManagement(ApiResource):
         if 'email' in user_data:
           model.update_email(user, user_data['email'], auto_verify=True)
 
+        if 'enabled' in user_data:
+          # Disable/enable the user.
+          user.enabled = bool(user_data['enabled'])
+          user.save()
+
         return user_view(user)
 
     abort(403)

endpoints/api/user.py

@@ -403,6 +403,7 @@ def conduct_signin(username_or_email, password):
   return {
     'needsEmailVerification': needs_email_verification,
     'invalidCredentials': invalid_credentials,
+    'message': error_message
   }, 403
 
 

initdb.py

@@ -330,6 +330,12 @@ def populate_database():
   new_user_1.stripe_id = TEST_STRIPE_ID
   new_user_1.save()
 
+  disabled_user = model.create_user('disabled', 'password',
+                                    'jschorr+disabled@devtable.com')
+  disabled_user.verified = True
+  disabled_user.enabled = False
+  disabled_user.save()
+
   dtrobot = model.create_robot('dtrobot', new_user_1)
 
   new_user_2 = model.create_user('public', 'password',

static/css/pages/superuser.css

@@ -0,0 +1,25 @@
+.super-user .user-row {
+  border-bottom: 0px;
+}
+
+.super-user .user-row td {
+  vertical-align: middle;
+}
+
+.super-user .user-row .user-class {
+  text-transform: uppercase;
+}
+
+.super-user .user-row .labels {
+  float: right;
+  white-space: nowrap;
+}
+
+.super-user .user-row .labels .label {
+  text-transform: uppercase;
+  margin-right: 10px;
+}
+
+.super-user .user-row.disabled .avatar {
+  -webkit-filter: grayscale(100%);
+}

static/css/quay.css

@@ -3928,28 +3928,6 @@ pre.command:before {
   padding: 6px;
 }
 
-.user-row {
-  border-bottom: 0px;
-}
-
-.user-row td {
-  vertical-align: middle;
-}
-
-.user-row .user-class {
-  text-transform: uppercase;
-}
-
-.user-row .labels {
-  float: right;
-  white-space: nowrap;
-}
-
-.user-row .labels .label {
-  text-transform: uppercase;
-  margin-right: 10px;
-}
-
 .form-change input {
   margin-top: 12px;
   margin-bottom: 12px;

static/directives/signin-form.html

@@ -1,12 +1,12 @@
-<div class="signin-form-element">
-  <span class="quay-spinner" ng-show="signingIn"></span>
+<div class="signin-form-element" style="position: relative">
+  <span class="cor-loader" ng-show="signingIn"></span>
   <form class="form-signin" ng-submit="signin();" ng-show="!signingIn">
     <input type="text" class="form-control input-lg" name="username"
            placeholder="Username or E-mail Address" ng-model="user.username" autofocus>
     <input type="password" class="form-control input-lg" name="password"
            placeholder="Password" ng-model="user.password">
 
-    <div class="alert alert-warning" ng-show="tryAgainSoon > 0">
+    <div class="co-alert co-alert-warning" ng-show="tryAgainSoon > 0">
       Too many attempts have been made to login. Please try again in {{ tryAgainSoon }} second<span ng-if="tryAgainSoon != 1">s</span>.
     </div>
 
@@ -23,8 +23,10 @@
     </span>
   </form>
 
-  <div class="alert alert-danger" ng-show="invalidCredentials">Invalid username or password.</div>
-  <div class="alert alert-danger" ng-show="needsEmailVerification">
+  <div class="co-alert co-alert-danger" ng-show="invalidCredentials">
+    {{ invalidCredentialsMessage || 'Invalid username or password.' }}
+  </div>
+  <div class="co-alert co-alert-danger" ng-show="needsEmailVerification">
     You must verify your email address before you can sign in.
   </div>
 </div>

static/js/directives/ui/signin-form.js

@@ -53,6 +53,7 @@ angular.module('quay').directive('signinForm', function () {
           $scope.signingIn = false;
           $scope.needsEmailVerification = false;
           $scope.invalidCredentials = false;
+          $scope.invalidCredentialsMessage = null;
 
           if ($scope.signedIn != null) {
             $scope.signedIn();
@@ -77,6 +78,7 @@ angular.module('quay').directive('signinForm', function () {
           if (result.status == 429 /* try again later */) {
             $scope.needsEmailVerification = false;
             $scope.invalidCredentials = false;
+            $scope.invalidCredentialsMessage = null;
 
             $scope.cancelInterval();
 
@@ -87,9 +89,12 @@ angular.module('quay').directive('signinForm', function () {
                 $scope.cancelInterval();
               }
             }, 1000, $scope.tryAgainSoon);
+          } else if (result.status == 400) {
+            bootbox.alert(ApiService.getErrorMessage(result));
           } else {
             $scope.needsEmailVerification = result.data.needsEmailVerification;
             $scope.invalidCredentials = result.data.invalidCredentials;
+            $scope.invalidCredentialsMessage = result.data.message;
           }
         });
       };

static/js/pages/superuser.js

@@ -232,6 +232,32 @@
       });
     };
 
+    $scope.askDisableUser = function(user) {
+      var message = 'Are you sure you want to disable this user? ' +
+                    'They will be unable to login, pull or push.'
+
+      if (!user.enabled) {
+        message = 'Are you sure you want to reenable this user? ' +
+                  'They will be able to login, pull or push.'
+      }
+
+      bootbox.confirm(message, function(resp) {
+        if (resp) {
+          var params = {
+            'username': user.username
+          };
+
+          var data = {
+            'enabled': !user.enabled
+          };
+
+          ApiService.changeInstallUser(data, params).then(function(resp) {
+            $scope.loadUsersInternal();
+          });
+        }
+      });
+    };
+
     $scope.changeUserPassword = function(user) {
       $('#changePasswordModal').modal('hide');
 

static/partials/super-user.html

@@ -156,7 +156,8 @@
               </thead>
 
               <tr ng-repeat="current_user in (users | filter:search | orderBy:'username')"
-                  class="user-row">
+                  class="user-row"
+                  ng-class="current_user.enabled ? 'enabled': 'disabled'">
                 <td>
                   <span class="avatar" data="current_user.avatar" size="24"></span>
                 </td>
@@ -165,6 +166,8 @@
                     <span class="label label-success" ng-if="user.username == current_user.username">You</span>
                     <span class="label label-primary"
                           ng-if="current_user.super_user">Superuser</span>
+                    <span class="label label-default"
+                          ng-if="!current_user.enabled">Disabled</span>
                   </span>
                   {{ current_user.username }}
                 </td>
@@ -187,6 +190,9 @@
                     <span class="cor-option" option-click="showDeleteUser(current_user)">
                       <i class="fa fa-times"></i> Delete User
                     </span>
+                    <span class="cor-option" option-click="askDisableUser(current_user)">
+                      <i class="fa" ng-class="current_user.enabled ? 'fa-circle-o' : 'fa-check-circle-o'"></i> <span ng-if="current_user.enabled">Disable</span> <span ng-if="!current_user.enabled">Enable</span> User
+                    </span>
                   </span>
                 </td>
               </tr>

test/test_auth.py

@@ -0,0 +1,130 @@
+import unittest
+import base64
+from datetime import datetime, timedelta
+
+from app import app
+from data import model
+from data.database import OAuthApplication, OAuthAccessToken
+from flask import g
+from flask.ext.principal import identity_loaded
+
+from auth.auth import _process_basic_auth
+from endpoints.api import api_bp, api
+from endpoints.api.user import User, Signin
+
+import json as py_json
+from test.test_api_usage import ApiTestCase
+
+ADMIN_ACCESS_USER = 'devtable'
+DISABLED_USER = 'disabled'
+
+@identity_loaded.connect_via(app)
+def on_identity_loaded(sender, identity):
+  g.identity = identity
+
+class TestAuth(ApiTestCase):
+  def verify_cookie_auth(self, username):
+    resp = self.getJsonResponse(User)
+    self.assertEquals(resp['username'], username)
+
+  def verify_identity(self, id):
+    try:
+      identity = g.identity
+    except:
+      identity = None
+
+    self.assertIsNotNone(identity)
+    self.assertEquals(identity.id, id)
+
+  def verify_no_identity(self):
+    try:
+      identity = g.identity
+    except:
+      identity = None
+
+    self.assertIsNone(identity)
+
+  def conduct_basic_auth(self, username, password):
+    encoded = base64.b64encode(username + ':' + password)
+    try:
+      _process_basic_auth('Basic ' + encoded)
+    except:
+      pass
+
+  def create_oauth(self, user):
+    oauth_app = OAuthApplication.create(client_id='onetwothree', redirect_uri='',
+                                        application_uri='', organization=user,
+                                        name='someapp')
+
+    expires_at = datetime.utcnow() + timedelta(seconds=50000)
+    OAuthAccessToken.create(application=oauth_app, authorized_user=user,
+                            scope='repo:admin',
+                            access_token='access1234', token_type='Bearer',
+                            expires_at=expires_at, refresh_token=None, data={})
+
+  def test_login(self):
+    password = 'password'
+    resp = self.postJsonResponse(Signin, data=dict(username=ADMIN_ACCESS_USER, password=password))
+    self.assertTrue(resp.get('success'))
+    self.verify_cookie_auth(ADMIN_ACCESS_USER)
+
+  def test_login_disabled(self):
+    password = 'password'
+    self.postJsonResponse(Signin, data=dict(username=DISABLED_USER, password=password),
+                          expected_code=403)
+
+  def test_basic_auth_user(self):
+    user = model.get_user(ADMIN_ACCESS_USER)
+    self.conduct_basic_auth(ADMIN_ACCESS_USER, 'password')
+    self.verify_identity(user.uuid)
+
+  def test_basic_auth_disabled_user(self):
+    user = model.get_user(DISABLED_USER)
+    self.conduct_basic_auth(DISABLED_USER, 'password')
+    self.verify_no_identity()
+
+  def test_basic_auth_token(self):
+    token = model.create_delegate_token(ADMIN_ACCESS_USER, 'simple', 'sometoken')
+    self.conduct_basic_auth('$token', token.code)
+    self.verify_identity(token.code)
+
+  def test_basic_auth_invalid_token(self):
+    self.conduct_basic_auth('$token', 'foobar')
+    self.verify_no_identity()
+
+  def test_basic_auth_invalid_user(self):
+    self.conduct_basic_auth('foobarinvalid', 'foobar')
+    self.verify_no_identity()
+
+  def test_oauth_invalid(self):
+    self.conduct_basic_auth('$oauthtoken', 'foobar')
+    self.verify_no_identity()
+
+  def test_oauth_valid_user(self):
+    user = model.get_user(ADMIN_ACCESS_USER)
+    self.create_oauth(user)
+    self.conduct_basic_auth('$oauthtoken', 'access1234')
+    self.verify_identity(user.uuid)
+
+  def test_oauth_disabled_user(self):
+    user = model.get_user(DISABLED_USER)
+    self.create_oauth(user)
+    self.conduct_basic_auth('$oauthtoken', 'access1234')
+    self.verify_no_identity()
+
+  def test_basic_auth_robot(self):
+    user = model.get_user(ADMIN_ACCESS_USER)
+    robot, passcode = model.get_robot('dtrobot', user)
+    self.conduct_basic_auth(robot.username, passcode)
+    self.verify_identity(robot.uuid)
+
+  def test_basic_auth_robot_invalidcode(self):
+    user = model.get_user(ADMIN_ACCESS_USER)
+    robot, _ = model.get_robot('dtrobot', user)
+    self.conduct_basic_auth(robot.username, 'someinvalidcode')
+    self.verify_no_identity()
+
+
+if __name__ == '__main__':
+  unittest.main()
+

util/http.py

@@ -43,7 +43,7 @@ def abort(status_code, message=None, issue=None, headers=None, **kwargs):
   message = (str(message) % kwargs if message else
              DEFAULT_MESSAGE.get(status_code, ''))
 
-  params = dict(request.view_args)
+  params = dict(request.view_args or {})
   params.update(kwargs)
 
   params['url'] = request.url