public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

AuthN: Readd user protection service to user sync (#61534)

Browse Source 
* add user protection service to user sync

* fix tests
This commit is contained in:
Jo
2023-01-16 11:15:14 +00:00
committed by GitHub
parent dcfeab2c73
commit be3b81fecd
3 changed files with 31 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
pkg/services/authn/authnimpl/usersync/usersync.go
+25 -7
View File
@@ -12,23 +12,37 @@ import (
"github.com/grafana/grafana/pkg/services/org"
"github.com/grafana/grafana/pkg/services/quota"
"github.com/grafana/grafana/pkg/services/user"
"github.com/grafana/grafana/pkg/util/errutil"
)
func ProvideUserSync(userService user.Service, authInfoService login.AuthInfoService, quotaService quota.Service) *UserSync {
return &UserSync{userService, authInfoService, quotaService, log.New("user.sync")}
var (
errUserProtection = errutil.NewBase(errutil.StatusForbidden,
"user.sync.protected role", errutil.WithPublicMessage("Unable to sync due to protected role"))
)
func ProvideUserSync(userService user.Service,
userProtectionService login.UserProtectionService,
authInfoService login.AuthInfoService, quotaService quota.Service) *UserSync {
return &UserSync{
userService: userService,
authInfoService: authInfoService,
userProtectionService: userProtectionService,
quotaService: quotaService,
log: log.New("user.sync"),
}
}
type UserSync struct {
userService user.Service
authInfoService login.AuthInfoService
quotaService quota.Service
log log.Logger
userService user.Service
authInfoService login.AuthInfoService
userProtectionService login.UserProtectionService
quotaService quota.Service
log log.Logger
}
// SyncUser syncs a user with the database
func (s *UserSync) SyncUser(ctx context.Context, id *authn.Identity, _ *authn.Request) error {
if !id.ClientParams.SyncUser {
s.log.Debug("Not syncing user", "auth_module", id.AuthModule, "auth_id", id.AuthID)
return nil
}
@@ -67,6 +81,10 @@ func (s *UserSync) SyncUser(ctx context.Context, id *authn.Identity, _ *authn.Re
}
}
if errProtection := s.userProtectionService.AllowUserMapping(usr, id.AuthModule); errProtection != nil {
return errUserProtection.Errorf("user mapping not allowed: %w", errProtection)
}
// update user
if errUpdate := s.updateUserAttributes(ctx, usr, id); errUpdate != nil {
return errUpdate