fix(login): check user state before ignoreUnknownUsernames setting (#4759)

Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
This commit is contained in:
Livio Spring 2022-11-24 10:13:19 +01:00 committed by GitHub
parent 7e2666153e
commit 062887269b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -668,7 +668,15 @@ func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain
if repo.checkDomainDiscovery(ctx, request, loginName) {
return nil
}
// let's just check for if unknown usernames are ignored
// let's once again check if the user was just inactive
if user != nil && user.State == int32(domain.UserStateInactive) {
return errors.ThrowPreconditionFailed(nil, "AUTH-2n8fs", "Errors.User.Inactive")
}
// or locked
if user != nil && user.State == int32(domain.UserStateLocked) {
return errors.ThrowPreconditionFailed(nil, "AUTH-SF3gb", "Errors.User.Locked")
}
// let's just check if unknown usernames are ignored
if request.LoginPolicy != nil && request.LoginPolicy.IgnoreUnknownUsernames {
if request.LabelPolicy != nil && request.LabelPolicy.HideLoginNameSuffix {
preferredLoginName = loginName
@ -685,14 +693,6 @@ func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain
if !user.MachineView.IsZero() {
return errors.ThrowPreconditionFailed(nil, "AUTH-DGV4g", "Errors.User.NotHuman")
}
// let's once again check if the user was just inactive
if user != nil && user.State == int32(domain.UserStateInactive) {
return errors.ThrowPreconditionFailed(nil, "AUTH-2n8fs", "Errors.User.Inactive")
}
// or locked
if user != nil && user.State == int32(domain.UserStateLocked) {
return errors.ThrowPreconditionFailed(nil, "AUTH-SF3gb", "Errors.User.Locked")
}
// everything should be handled by now
logging.WithFields("authRequest", request.ID, "loginName", loginName).Error("unhandled state for checkLoginName")
return errors.ThrowInternal(nil, "AUTH-asf3df", "Errors.Internal")