Auth: Fix orgrole picker disabled if isSynced user #64033
| if err != nil { | ||
| if errors.Is(err, user.ErrUserNotFound) { | ||
| hs.log.Warn("Failed to get user auth info for basic auth user", cmd.UserID, nil) | ||
| } else { | ||
| hs.log.Error("Failed to get user auth info for external sync check", cmd.UserID, err) | ||
| return response.Error(http.StatusInternalServerError, "Failed to get user auth info", nil) | ||
| } | ||
| } | ||
| if qAuth.Result != nil && qAuth.Result.AuthModule != "" && login.IsExternallySynced(hs.Cfg, qAuth.Result.AuthModule) { |
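Review bot: The two log calls pass `cmd.UserID` as a bare argument after the message (`cmd.UserID, nil` in the Warn, `cmd.UserID, err` in the Error). Grafana's logger reads those trailing arguments as key/value pairs, so the user ID ends up in the key position and the error becomes its value. Pass named pairs instead, such as `"userID", cmd.UserID, "error", err`, and drop the `nil`. Separately, the `ErrUserNotFound` branch falls through and lets the role change proceed; a one-line comment stating that a missing auth info entry is treated as a basic auth user would make that allow path an explicit decision.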
We need to check for Auth.Results == nil for a basic Auth user. Here we look at the error if the userNotFound for a basic Auth user.
| desc: "should not be able to change basicRole with a different provider", | ||
| SkipOrgRoleSync: false, | ||
| AuthEnabled: true, | ||
| AuthModule: login.GenericOAuthModule, | ||
| expectedCode: http.StatusForbidden, | ||
| }, | ||
| { | ||
| desc: "should be able to change basicRole with a basic Auth", | ||
| SkipOrgRoleSync: false, | ||
| AuthEnabled: false, | ||
| AuthModule: "", | ||
| expectedCode: http.StatusOK, | ||
| }, | ||
| { | ||
| desc: "should be able to change basicRole with a basic Auth", | ||
| SkipOrgRoleSync: true, | ||
| AuthEnabled: true, | ||
| AuthModule: "", | ||
| expectedCode: http.StatusOK, | ||
| }, | ||
| } |
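Review bot: The last two cases share the same `desc` ("should be able to change basicRole with a basic Auth") while differing in `SkipOrgRoleSync` and `AuthEnabled`, so a failing run will not say which configuration broke. Give each a distinct description that names the setting it varies. A case with an external `AuthModule` and `SkipOrgRoleSync: true` expecting `http.StatusOK` is not visible in these lines; if it is not covered earlier in the table, adding it would pin the allow path for external users as well.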
added tests for basic Auth as well
| userProfile.AuthLabels = append(userProfile.AuthLabels, authLabel) | ||
| userProfile.IsExternal = true | ||
| userProfile.IsExternallySynced = login.IsExternallySynced(hs.Cfg, authLabel) | ||
| userProfile.IsExternallySynced = login.IsExternallySynced(hs.Cfg, getAuthQuery.Result.AuthModule) |
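Review bot: `getAuthQuery.Result.AuthModule` is dereferenced with no nil guard in the visible lines, whereas the handler in pkg/api/org_users.go checks `qAuth.Result != nil` before reading `AuthModule`. Confirm this assignment sits inside an equivalent guard. A short comment noting that `IsExternallySynced` is keyed on the auth module rather than on `authLabel` would also keep the two from being swapped back later.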
using AuthModule instead of Labels
| </Tooltip> | ||
| </th> | ||
| <th style={{ width: '1%' }}>Synced from</th> | ||
| <th style={{ width: '1%' }}>Origin</th> |
changed to Origin instead, wdyt?
I've just tested it again, and everything works great!
Please lower the level of the log before merging (and maybe fix the way the error is used). But apart from that this looks good 👌
pkg/api/org_users.go
Outdated
| err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &qAuth) | ||
| if err != nil { | ||
| if errors.Is(err, user.ErrUserNotFound) { | ||
| hs.log.Warn("Failed to get user auth info for basic auth user", cmd.UserID, nil) |
I would put it at debug level - it is currently expected that a basic auth user won't have an auth info entry.
pkg/api/org_users.go
Outdated
| } | ||
| } | ||
| if qAuth.Result != nil && qAuth.Result.AuthModule != "" && login.IsExternallySynced(hs.Cfg, qAuth.Result.AuthModule) { | ||
| return response.ErrOrFallback(http.StatusForbidden, "Cannot change role for externally synced user", org.ErrCannotChangeRoleForExternallySyncedUser) |
I think the intended use of errutil errors is that they are propagated down from other methods that are called from handlers. There's not much benefit of returning it directly from the handler I think. But if you want to do it, you'll need something like this:
| return response.ErrOrFallback(http.StatusForbidden, "Cannot change role for externally synced user", org.ErrCannotChangeRoleForExternallySyncedUser) | |
| return response.Err(org.ErrCannotChangeRoleForExternallySyncedUser.Errorf("Cannot change role for externally synced user")) |
The backport to

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new branch
git switch --create backport-64033-to-v9.4.x origin/v9.4.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x 3cd952b8bad8d23daee10fcc303a6d19c8b6d0a0
# Push it to GitHub
git push --set-upstream origin backport-64033-to-v9.4.x
git switch main
# Remove the local backport branch
git branch -D backport-64033-to-v9.4.x

Then, create a pull request where the
Auth: Fix orgrole picker disabled if isSynced user (#64033)

* fix: disable orgrolepicker if externaluser is synced
* add disable to role picker
* just took me 2 hours to center the icon
* wip
* fix: check externallySyncedUser for API call
* remove check from store
* add: tests
* refactor authproxy and made tests run
* add: feature toggle
* set feature toggle for tests
* add: IsProviderEnabled
* refactor: featuretoggle name
* IsProviderEnabled tests
* add specific tests for isProviderEnabled
* fix: org_user tests
* add: owner to featuretoggle
* add missing authlabels
* remove fmt
* feature toggle
* change config
* add test for a different authmodule
* test refactor
* gen feature toggle again
* fix basic auth user able to change the org role
* test for basic auth role
* make err.base to error
* lowered lvl of log and input mesg

(cherry picked from commit 3cd952b)
@eleijonmarck Should this be backported to
What is this feature?
TODO:
Fixes #
#63835
Special notes for your reviewer:
Goes together w. enterprise - https://github.com/grafana/grafana-enterprise/pull/4774
oss test

enterprise test
