Users: Disable users removed from LDAP (#16820)

* Users: add is_disabled column

* Users: disable users removed from LDAP

* Auth: return ErrInvalidCredentials for failed LDAP auth

* User: return isDisabled flag in user search api

* User: mark disabled users at the server admin page

* Chore: refactor according to review

* Auth: prevent disabled user from login

* Auth: re-enable user when it found in ldap

* User: add api endpoint for disabling user

* User: use separate endpoints to disable/enable user

* User: disallow disabling external users

* User: able do disable users from admin UI

* Chore: refactor based on review

* Chore: use more clear error check when disabling user

* Fix login tests

* Tests for disabling user during the LDAP login

* Tests for disable user API

* Tests for login with disabled user

* Remove disable user UI stub

* Sync with latest LDAP refactoring

pkg/services/sqlstore/user_auth.go

@@ -5,7 +5,7 @@ import (
 	"time"
 
 	"github.com/grafana/grafana/pkg/bus"
-	m "github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 )
@@ -14,17 +14,18 @@ var getTime = time.Now
 
 func init() {
 	bus.AddHandler("sql", GetUserByAuthInfo)
+	bus.AddHandler("sql", GetExternalUserInfoByLogin)
 	bus.AddHandler("sql", GetAuthInfo)
 	bus.AddHandler("sql", SetAuthInfo)
 	bus.AddHandler("sql", UpdateAuthInfo)
 	bus.AddHandler("sql", DeleteAuthInfo)
 }
 
-func GetUserByAuthInfo(query *m.GetUserByAuthInfoQuery) error {
-	user := &m.User{}
+func GetUserByAuthInfo(query *models.GetUserByAuthInfoQuery) error {
+	user := &models.User{}
 	has := false
 	var err error
-	authQuery := &m.GetAuthInfoQuery{}
+	authQuery := &models.GetAuthInfoQuery{}
 
 	// Try to find the user by auth module and id first
 	if query.AuthModule != "" && query.AuthId != "" {
@@ -32,14 +33,14 @@ func GetUserByAuthInfo(query *m.GetUserByAuthInfoQuery) error {
 		authQuery.AuthId = query.AuthId
 
 		err = GetAuthInfo(authQuery)
-		if err != m.ErrUserNotFound {
+		if err != models.ErrUserNotFound {
 			if err != nil {
 				return err
 			}
 
 			// if user id was specified and doesn't match the user_auth entry, remove it
 			if query.UserId != 0 && query.UserId != authQuery.Result.UserId {
-				err = DeleteAuthInfo(&m.DeleteAuthInfoCommand{
+				err = DeleteAuthInfo(&models.DeleteAuthInfoCommand{
 					UserAuth: authQuery.Result,
 				})
 				if err != nil {
@@ -55,7 +56,7 @@ func GetUserByAuthInfo(query *m.GetUserByAuthInfoQuery) error {
 
 				if !has {
 					// if the user has been deleted then remove the entry
-					err = DeleteAuthInfo(&m.DeleteAuthInfoCommand{
+					err = DeleteAuthInfo(&models.DeleteAuthInfoCommand{
 						UserAuth: authQuery.Result,
 					})
 					if err != nil {
@@ -78,7 +79,7 @@ func GetUserByAuthInfo(query *m.GetUserByAuthInfoQuery) error {
 
 	// If not found, try to find the user by email address
 	if !has && query.Email != "" {
-		user = &m.User{Email: query.Email}
+		user = &models.User{Email: query.Email}
 		has, err = x.Get(user)
 		if err != nil {
 			return err
@@ -87,7 +88,7 @@ func GetUserByAuthInfo(query *m.GetUserByAuthInfoQuery) error {
 
 	// If not found, try to find the user by login
 	if !has && query.Login != "" {
-		user = &m.User{Login: query.Login}
+		user = &models.User{Login: query.Login}
 		has, err = x.Get(user)
 		if err != nil {
 			return err
@@ -96,12 +97,12 @@ func GetUserByAuthInfo(query *m.GetUserByAuthInfoQuery) error {
 
 	// No user found
 	if !has {
-		return m.ErrUserNotFound
+		return models.ErrUserNotFound
 	}
 
 	// create authInfo record to link accounts
 	if authQuery.Result == nil && query.AuthModule != "" {
-		cmd2 := &m.SetAuthInfoCommand{
+		cmd2 := &models.SetAuthInfoCommand{
 			UserId:     user.Id,
 			AuthModule: query.AuthModule,
 			AuthId:     query.AuthId,
@@ -115,8 +116,32 @@ func GetUserByAuthInfo(query *m.GetUserByAuthInfoQuery) error {
 	return nil
 }
 
-func GetAuthInfo(query *m.GetAuthInfoQuery) error {
-	userAuth := &m.UserAuth{
+func GetExternalUserInfoByLogin(query *models.GetExternalUserInfoByLoginQuery) error {
+	userQuery := models.GetUserByLoginQuery{LoginOrEmail: query.LoginOrEmail}
+	err := bus.Dispatch(&userQuery)
+	if err != nil {
+		return err
+	}
+
+	authInfoQuery := &models.GetAuthInfoQuery{UserId: userQuery.Result.Id}
+	if err := bus.Dispatch(authInfoQuery); err != nil {
+		return err
+	}
+
+	query.Result = &models.ExternalUserInfo{
+		UserId:     userQuery.Result.Id,
+		Login:      userQuery.Result.Login,
+		Email:      userQuery.Result.Email,
+		Name:       userQuery.Result.Name,
+		IsDisabled: userQuery.Result.IsDisabled,
+		AuthModule: authInfoQuery.Result.AuthModule,
+		AuthId:     authInfoQuery.Result.AuthId,
+	}
+	return nil
+}
+
+func GetAuthInfo(query *models.GetAuthInfoQuery) error {
+	userAuth := &models.UserAuth{
 		UserId:     query.UserId,
 		AuthModule: query.AuthModule,
 		AuthId:     query.AuthId,
@@ -126,7 +151,7 @@ func GetAuthInfo(query *m.GetAuthInfoQuery) error {
 		return err
 	}
 	if !has {
-		return m.ErrUserNotFound
+		return models.ErrUserNotFound
 	}
 
 	secretAccessToken, err := decodeAndDecrypt(userAuth.OAuthAccessToken)
@@ -149,9 +174,9 @@ func GetAuthInfo(query *m.GetAuthInfoQuery) error {
 	return nil
 }
 
-func SetAuthInfo(cmd *m.SetAuthInfoCommand) error {
+func SetAuthInfo(cmd *models.SetAuthInfoCommand) error {
 	return inTransaction(func(sess *DBSession) error {
-		authUser := &m.UserAuth{
+		authUser := &models.UserAuth{
 			UserId:     cmd.UserId,
 			AuthModule: cmd.AuthModule,
 			AuthId:     cmd.AuthId,
@@ -183,9 +208,9 @@ func SetAuthInfo(cmd *m.SetAuthInfoCommand) error {
 	})
 }
 
-func UpdateAuthInfo(cmd *m.UpdateAuthInfoCommand) error {
+func UpdateAuthInfo(cmd *models.UpdateAuthInfoCommand) error {
 	return inTransaction(func(sess *DBSession) error {
-		authUser := &m.UserAuth{
+		authUser := &models.UserAuth{
 			UserId:     cmd.UserId,
 			AuthModule: cmd.AuthModule,
 			AuthId:     cmd.AuthId,
@@ -212,7 +237,7 @@ func UpdateAuthInfo(cmd *m.UpdateAuthInfoCommand) error {
 			authUser.OAuthExpiry = cmd.OAuthToken.Expiry
 		}
 
-		cond := &m.UserAuth{
+		cond := &models.UserAuth{
 			UserId:     cmd.UserId,
 			AuthModule: cmd.AuthModule,
 		}
@@ -222,7 +247,7 @@ func UpdateAuthInfo(cmd *m.UpdateAuthInfoCommand) error {
 	})
 }
 
-func DeleteAuthInfo(cmd *m.DeleteAuthInfoCommand) error {
+func DeleteAuthInfo(cmd *models.DeleteAuthInfoCommand) error {
 	return inTransaction(func(sess *DBSession) error {
 		_, err := sess.Delete(cmd.UserAuth)
 		return err