Allow superusers to disable user accounts

This commit is contained in:
Joseph Schorr 2015-05-11 17:13:42 -04:00
parent 442cbed087
commit dc5af7496c
19 changed files with 291 additions and 37 deletions

View file

@ -2,6 +2,7 @@
The following are features that have been merged, but not yet deployed:
- Add ability to disable users via the superuser panel (#26)
- Add a Changelog view to the superuser panel (#186)
### 1.9.7

View file

@ -35,6 +35,10 @@ def _load_user_from_cookie():
logger.debug('Loading user from cookie: %s', current_user.get_id())
db_user = current_user.db_user()
if db_user is not None:
# Don't allow disabled users to login.
if not db_user.enabled:
return None
set_authenticated_user(db_user)
loaded = QuayDeferredPermissionUser.for_user(db_user)
identity_changed.send(app, identity=loaded)
@ -62,6 +66,10 @@ def _validate_and_apply_oauth_token(token):
abort(401, message='OAuth access token has expired: %(token)s',
issue='invalid-oauth-token', token=token, headers=authenticate_header)
# Don't allow disabled users to login.
if not validated.authorized_user.enabled:
return None
# We have a valid token
scope_set = scopes.scopes_from_scope_string(validated.scope)
logger.debug('Successfully validated oauth access token: %s with scope: %s', token,

View file

@ -17,6 +17,9 @@ def get_authenticated_user():
logger.debug('Loading deferred authenticated user.')
loaded = model.get_user_by_uuid(user_uuid)
if not loaded.enabled:
return None
set_authenticated_user(loaded)
user = loaded
@ -26,6 +29,9 @@ def get_authenticated_user():
def set_authenticated_user(user_or_robot):
if not user_or_robot.enabled:
raise Exception('Attempt to authenticate a disabled user/robot: %s' % user_or_robot.username)
ctx = _request_ctx_stack.top
ctx.authenticated_user = user_or_robot

View file

@ -193,6 +193,7 @@ class User(BaseModel):
invalid_login_attempts = IntegerField(default=0)
last_invalid_login = DateTimeField(default=datetime.utcnow)
removed_tag_expiration_s = IntegerField(default=1209600) # Two weeks
enabled = BooleanField(default=True)
def delete_instance(self, recursive=False, delete_nullable=False):
# If we are deleting a robot account, only execute the subset of queries necessary.

View file

@ -0,0 +1,26 @@
"""Add enabled column to the user system
Revision ID: 154f2befdfbe
Revises: 41f4587c84ae
Create Date: 2015-05-11 17:02:43.507847
"""
# revision identifiers, used by Alembic.
revision = '154f2befdfbe'
down_revision = '41f4587c84ae'
from alembic import op
import sqlalchemy as sa
def upgrade(tables):
### commands auto generated by Alembic - please adjust! ###
op.add_column('user', sa.Column('enabled', sa.Boolean(), nullable=False, default=True))
### end Alembic commands ###
def downgrade(tables):
### commands auto generated by Alembic - please adjust! ###
op.drop_column('user', 'enabled')
### end Alembic commands ###

View file

@ -67,6 +67,7 @@ class InvalidRobotException(DataModelException):
class InvalidTeamException(DataModelException):
pass
class InvalidTeamMemberException(DataModelException):
pass
@ -259,16 +260,35 @@ def lookup_robot(robot_username):
return found[0]
def verify_robot(robot_username, password):
joined = User.select().join(FederatedLogin).join(LoginService)
found = list(joined.where(FederatedLogin.service_ident == password,
LoginService.name == 'quayrobot',
User.username == robot_username))
if not found:
result = parse_robot_username(robot_username)
if result is None:
raise InvalidRobotException('%s is an invalid robot name' % robot_username)
# Find the matching robot.
query = (User.select()
.join(FederatedLogin)
.join(LoginService)
.where(FederatedLogin.service_ident == password,
LoginService.name == 'quayrobot',
User.username == robot_username))
try:
robot = query.get()
except User.DoesNotExist:
msg = ('Could not find robot with username: %s and supplied password.' %
robot_username)
raise InvalidRobotException(msg)
return found[0]
# Find the owner user and ensure it is not disabled.
try:
owner = User.get(User.username == result[0])
except User.DoesNotExist:
raise InvalidRobotException('Robot %s owner does not exist' % robot_username)
if not owner.enabled:
raise InvalidRobotException('This user has been disabled. Please contact your administrator.')
return robot
def regenerate_robot_token(robot_shortname, parent):
robot_username = format_robot_username(parent.username, robot_shortname)

View file

@ -410,7 +410,14 @@ class UserAuthentication(object):
else:
password = decrypted
return self.state.verify_user(username_or_email, password)
(result, err_msg) = self.state.verify_user(username_or_email, password)
if not result:
return (result, err_msg)
if not result.enabled:
return (None, 'This user has been disabled. Please contact your administrator.')
return (result, err_msg)
def __getattr__(self, name):
return getattr(self.state, name, None)

View file

@ -115,7 +115,8 @@ def user_view(user):
'email': user.email,
'verified': user.verified,
'avatar': avatar.get_data_for_user(user),
'super_user': superusers.is_superuser(user.username)
'super_user': superusers.is_superuser(user.username),
'enabled': user.enabled
}
@resource('/v1/superuser/changelog/')
@ -335,6 +336,11 @@ class SuperUserManagement(ApiResource):
if 'email' in user_data:
model.update_email(user, user_data['email'], auto_verify=True)
if 'enabled' in user_data:
# Disable/enable the user.
user.enabled = bool(user_data['enabled'])
user.save()
return user_view(user)
abort(403)

View file

@ -403,6 +403,7 @@ def conduct_signin(username_or_email, password):
return {
'needsEmailVerification': needs_email_verification,
'invalidCredentials': invalid_credentials,
'message': error_message
}, 403

View file

@ -330,6 +330,12 @@ def populate_database():
new_user_1.stripe_id = TEST_STRIPE_ID
new_user_1.save()
disabled_user = model.create_user('disabled', 'password',
'jschorr+disabled@devtable.com')
disabled_user.verified = True
disabled_user.enabled = False
disabled_user.save()
dtrobot = model.create_robot('dtrobot', new_user_1)
new_user_2 = model.create_user('public', 'password',

View file

@ -0,0 +1,25 @@
.super-user .user-row {
border-bottom: 0px;
}
.super-user .user-row td {
vertical-align: middle;
}
.super-user .user-row .user-class {
text-transform: uppercase;
}
.super-user .user-row .labels {
float: right;
white-space: nowrap;
}
.super-user .user-row .labels .label {
text-transform: uppercase;
margin-right: 10px;
}
.super-user .user-row.disabled .avatar {
-webkit-filter: grayscale(100%);
}

View file

@ -3928,28 +3928,6 @@ pre.command:before {
padding: 6px;
}
.user-row {
border-bottom: 0px;
}
.user-row td {
vertical-align: middle;
}
.user-row .user-class {
text-transform: uppercase;
}
.user-row .labels {
float: right;
white-space: nowrap;
}
.user-row .labels .label {
text-transform: uppercase;
margin-right: 10px;
}
.form-change input {
margin-top: 12px;
margin-bottom: 12px;

View file

@ -1,12 +1,12 @@
<div class="signin-form-element">
<span class="quay-spinner" ng-show="signingIn"></span>
<div class="signin-form-element" style="position: relative">
<span class="cor-loader" ng-show="signingIn"></span>
<form class="form-signin" ng-submit="signin();" ng-show="!signingIn">
<input type="text" class="form-control input-lg" name="username"
placeholder="Username or E-mail Address" ng-model="user.username" autofocus>
<input type="password" class="form-control input-lg" name="password"
placeholder="Password" ng-model="user.password">
<div class="alert alert-warning" ng-show="tryAgainSoon > 0">
<div class="co-alert co-alert-warning" ng-show="tryAgainSoon > 0">
Too many attempts have been made to login. Please try again in {{ tryAgainSoon }} second<span ng-if="tryAgainSoon != 1">s</span>.
</div>
@ -23,8 +23,10 @@
</span>
</form>
<div class="alert alert-danger" ng-show="invalidCredentials">Invalid username or password.</div>
<div class="alert alert-danger" ng-show="needsEmailVerification">
<div class="co-alert co-alert-danger" ng-show="invalidCredentials">
{{ invalidCredentialsMessage || 'Invalid username or password.' }}
</div>
<div class="co-alert co-alert-danger" ng-show="needsEmailVerification">
You must verify your email address before you can sign in.
</div>
</div>

View file

@ -53,6 +53,7 @@ angular.module('quay').directive('signinForm', function () {
$scope.signingIn = false;
$scope.needsEmailVerification = false;
$scope.invalidCredentials = false;
$scope.invalidCredentialsMessage = null;
if ($scope.signedIn != null) {
$scope.signedIn();
@ -77,6 +78,7 @@ angular.module('quay').directive('signinForm', function () {
if (result.status == 429 /* try again later */) {
$scope.needsEmailVerification = false;
$scope.invalidCredentials = false;
$scope.invalidCredentialsMessage = null;
$scope.cancelInterval();
@ -87,9 +89,12 @@ angular.module('quay').directive('signinForm', function () {
$scope.cancelInterval();
}
}, 1000, $scope.tryAgainSoon);
} else if (result.status == 400) {
bootbox.alert(ApiService.getErrorMessage(result));
} else {
$scope.needsEmailVerification = result.data.needsEmailVerification;
$scope.invalidCredentials = result.data.invalidCredentials;
$scope.invalidCredentialsMessage = result.data.message;
}
});
};

View file

@ -232,6 +232,32 @@
});
};
$scope.askDisableUser = function(user) {
var message = 'Are you sure you want to disable this user? ' +
'They will be unable to login, pull or push.'
if (!user.enabled) {
message = 'Are you sure you want to reenable this user? ' +
'They will be able to login, pull or push.'
}
bootbox.confirm(message, function(resp) {
if (resp) {
var params = {
'username': user.username
};
var data = {
'enabled': !user.enabled
};
ApiService.changeInstallUser(data, params).then(function(resp) {
$scope.loadUsersInternal();
});
}
});
};
$scope.changeUserPassword = function(user) {
$('#changePasswordModal').modal('hide');

View file

@ -156,7 +156,8 @@
</thead>
<tr ng-repeat="current_user in (users | filter:search | orderBy:'username')"
class="user-row">
class="user-row"
ng-class="current_user.enabled ? 'enabled': 'disabled'">
<td>
<span class="avatar" data="current_user.avatar" size="24"></span>
</td>
@ -165,6 +166,8 @@
<span class="label label-success" ng-if="user.username == current_user.username">You</span>
<span class="label label-primary"
ng-if="current_user.super_user">Superuser</span>
<span class="label label-default"
ng-if="!current_user.enabled">Disabled</span>
</span>
{{ current_user.username }}
</td>
@ -187,6 +190,9 @@
<span class="cor-option" option-click="showDeleteUser(current_user)">
<i class="fa fa-times"></i> Delete User
</span>
<span class="cor-option" option-click="askDisableUser(current_user)">
<i class="fa" ng-class="current_user.enabled ? 'fa-circle-o' : 'fa-check-circle-o'"></i> <span ng-if="current_user.enabled">Disable</span> <span ng-if="!current_user.enabled">Enable</span> User
</span>
</span>
</td>
</tr>

Binary file not shown.

130
test/test_auth.py Normal file
View file

@ -0,0 +1,130 @@
import unittest
import base64
from datetime import datetime, timedelta
from app import app
from data import model
from data.database import OAuthApplication, OAuthAccessToken
from flask import g
from flask.ext.principal import identity_loaded
from auth.auth import _process_basic_auth
from endpoints.api import api_bp, api
from endpoints.api.user import User, Signin
import json as py_json
from test.test_api_usage import ApiTestCase
ADMIN_ACCESS_USER = 'devtable'
DISABLED_USER = 'disabled'
@identity_loaded.connect_via(app)
def on_identity_loaded(sender, identity):
g.identity = identity
class TestAuth(ApiTestCase):
def verify_cookie_auth(self, username):
resp = self.getJsonResponse(User)
self.assertEquals(resp['username'], username)
def verify_identity(self, id):
try:
identity = g.identity
except:
identity = None
self.assertIsNotNone(identity)
self.assertEquals(identity.id, id)
def verify_no_identity(self):
try:
identity = g.identity
except:
identity = None
self.assertIsNone(identity)
def conduct_basic_auth(self, username, password):
encoded = base64.b64encode(username + ':' + password)
try:
_process_basic_auth('Basic ' + encoded)
except:
pass
def create_oauth(self, user):
oauth_app = OAuthApplication.create(client_id='onetwothree', redirect_uri='',
application_uri='', organization=user,
name='someapp')
expires_at = datetime.utcnow() + timedelta(seconds=50000)
OAuthAccessToken.create(application=oauth_app, authorized_user=user,
scope='repo:admin',
access_token='access1234', token_type='Bearer',
expires_at=expires_at, refresh_token=None, data={})
def test_login(self):
password = 'password'
resp = self.postJsonResponse(Signin, data=dict(username=ADMIN_ACCESS_USER, password=password))
self.assertTrue(resp.get('success'))
self.verify_cookie_auth(ADMIN_ACCESS_USER)
def test_login_disabled(self):
password = 'password'
self.postJsonResponse(Signin, data=dict(username=DISABLED_USER, password=password),
expected_code=403)
def test_basic_auth_user(self):
user = model.get_user(ADMIN_ACCESS_USER)
self.conduct_basic_auth(ADMIN_ACCESS_USER, 'password')
self.verify_identity(user.uuid)
def test_basic_auth_disabled_user(self):
user = model.get_user(DISABLED_USER)
self.conduct_basic_auth(DISABLED_USER, 'password')
self.verify_no_identity()
def test_basic_auth_token(self):
token = model.create_delegate_token(ADMIN_ACCESS_USER, 'simple', 'sometoken')
self.conduct_basic_auth('$token', token.code)
self.verify_identity(token.code)
def test_basic_auth_invalid_token(self):
self.conduct_basic_auth('$token', 'foobar')
self.verify_no_identity()
def test_basic_auth_invalid_user(self):
self.conduct_basic_auth('foobarinvalid', 'foobar')
self.verify_no_identity()
def test_oauth_invalid(self):
self.conduct_basic_auth('$oauthtoken', 'foobar')
self.verify_no_identity()
def test_oauth_valid_user(self):
user = model.get_user(ADMIN_ACCESS_USER)
self.create_oauth(user)
self.conduct_basic_auth('$oauthtoken', 'access1234')
self.verify_identity(user.uuid)
def test_oauth_disabled_user(self):
user = model.get_user(DISABLED_USER)
self.create_oauth(user)
self.conduct_basic_auth('$oauthtoken', 'access1234')
self.verify_no_identity()
def test_basic_auth_robot(self):
user = model.get_user(ADMIN_ACCESS_USER)
robot, passcode = model.get_robot('dtrobot', user)
self.conduct_basic_auth(robot.username, passcode)
self.verify_identity(robot.uuid)
def test_basic_auth_robot_invalidcode(self):
user = model.get_user(ADMIN_ACCESS_USER)
robot, _ = model.get_robot('dtrobot', user)
self.conduct_basic_auth(robot.username, 'someinvalidcode')
self.verify_no_identity()
if __name__ == '__main__':
unittest.main()

View file

@ -43,7 +43,7 @@ def abort(status_code, message=None, issue=None, headers=None, **kwargs):
message = (str(message) % kwargs if message else
DEFAULT_MESSAGE.get(status_code, ''))
params = dict(request.view_args)
params = dict(request.view_args or {})
params.update(kwargs)
params['url'] = request.url