From d775020a32caa824da3bf89ff53924c7bab53df8 Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Fri, 7 Oct 2022 13:56:50 +0200
Subject: [PATCH] fix: login for initial users (#4506)

---
 .../eventsourcing/eventstore/auth_request.go | 21 +++++++++++++++----
 internal/domain/user.go | 4 ++++
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/internal/auth/repository/eventsourcing/eventstore/auth_request.go b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
index 70f13dabd6..893a42bf53 100644
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -655,8 +655,8 @@ func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain
 if err != nil && !errors.IsNotFound(err) {
 return err
 }
- // if there's an active user, let's use it
- if user != nil && user.State == int32(domain.UserStateActive) {
+ // if there's an active (human) user, let's use it
+ if user != nil && !user.HumanView.IsZero() && domain.UserState(user.State).NotDisabled() {
 request.SetUserInfo(user.ID, loginName, user.PreferredLoginName, "", "", user.ResourceOwner)
 return nil
 }
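Review bot: The rewritten comment on the added line still says "active (human) user", but `NotDisabled()` (added in internal/domain/user.go in this same patch) also accepts `UserStateInitial`, which is the whole point of the fix, so the comment now under-describes the condition it guards. Suggested wording: `// if there's a human user that is active or still in the initial state, let's use it`. checkLoginName starts before this hunk and continues after it, so the remaining state handling is reviewed on the next hunk.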
@@ -674,12 +674,25 @@ func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain
 return nil
 }
 // there was no policy that allowed unknown loginnames in any case
+ // so not found errors can now be returned
+ if err != nil {
+ return err
+ }
+ // let's check if it was a machine user
+ if !user.MachineView.IsZero() {
+ return errors.ThrowPreconditionFailed(nil, "AUTH-DGV4g", "Errors.User.NotHuman")
+ }
 // let's once again check if the user was just inactive
 if user != nil && user.State == int32(domain.UserStateInactive) {
 return errors.ThrowPreconditionFailed(nil, "AUTH-2n8fs", "Errors.User.Inactive")
 }
- // user was not found
- return err
+ // or locked
+ if user != nil && user.State == int32(domain.UserStateLocked) {
+ return errors.ThrowPreconditionFailed(nil, "AUTH-SF3gb", "Errors.User.Locked")
+ }
+ // everything should be handled by now
+ logging.WithFields("authRequest", request.ID, "loginName", loginName).Error("unhandled state for checkLoginName")
+ return errors.ThrowInternal(nil, "AUTH-asf3df", "Errors.Internal")
 }
 
 func (repo *AuthRequestRepo) checkDomainDiscovery(ctx context.Context, request *domain.AuthRequest, loginName string) bool {
diff --git a/internal/domain/user.go b/internal/domain/user.go
index 71b5c41261..157edcc196 100644
--- a/internal/domain/user.go
+++ b/internal/domain/user.go
@@ -27,6 +27,10 @@ func (s UserState) Exists() bool {
 return s != UserStateUnspecified && s != UserStateDeleted
 }
 
+func (s UserState) NotDisabled() bool {
+ return s == UserStateActive || s == UserStateInitial
+}
+
 type UserType int32
 
 const (
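Review bot: The new machine-user check dereferences `user` unguarded (`if !user.MachineView.IsZero()`) right after `err` is known to be nil, while the Inactive and Locked checks that follow still test `user != nil`; either those guards are dead or, if the lookup can yield a nil user together with a nil error, this line panics inside the login flow. Making it `if user != nil && !user.MachineView.IsZero() {` keeps the three checks consistent and lets the final "unhandled state" branch catch the nil case instead. The state comparisons are also written two ways now — `int32(domain.UserStateInactive)` here versus `domain.UserState(user.State).NotDisabled()` in the first hunk — and a single `switch domain.UserState(user.State)` over Inactive and Locked would read more clearly. Note that the added Locked and NotHuman precondition errors, like the existing Inactive one, tell an unauthenticated caller the state of a resolved login name; I assume that is the intended behaviour, but it is worth confirming, since the not-found path above deliberately returns only when no policy allows unknown login names. checkLoginName begins before this hunk.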
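Review bot: The exported method `NotDisabled` has no doc comment, unlike a reader would expect next to `Exists`, and its negated name reads awkwardly at call sites that negate it again. Suggested comment: `// NotDisabled reports whether s is UserStateActive or UserStateInitial, the states in which a user may proceed with login.` The auth_request.go fall-through to an internal error relies on this set plus the Inactive and Locked branches covering every state a found user can be in; if UserState has further values (the constant block is outside this hunk), the doc comment is also the right place to say why they are excluded.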