diff --git a/pkg/api/password.go b/pkg/api/password.go
index 8f5590b89eb..95f7b7ebbc2 100644
--- a/pkg/api/password.go
+++ b/pkg/api/password.go
@@ -19,9 +19,6 @@ func (hs *HTTPServer) SendResetPasswordEmail(c *models.ReqContext) response.Resp
 	if err := web.Bind(c.Req, &form); err != nil {
 		return response.Error(http.StatusBadRequest, "bad request data", err)
 	}
-	if setting.LDAPEnabled || setting.AuthProxyEnabled {
-		return response.Error(401, "Not allowed to reset password when LDAP or Auth Proxy is enabled", nil)
-	}
 	if setting.DisableLoginForm {
 		return response.Error(401, "Not allowed to reset password when login form is disabled", nil)
 	}
@@ -34,6 +31,19 @@ func (hs *HTTPServer) SendResetPasswordEmail(c *models.ReqContext) response.Resp
 		return response.Error(http.StatusOK, "Email sent", err)
 	}
 
+	if usr.IsDisabled {
+		c.Logger.Info("Requested password reset for disabled user", "user", userQuery.LoginOrEmail)
+		return response.Error(http.StatusOK, "Email sent", nil)
+	}
+
+	getAuthQuery := models.GetAuthInfoQuery{UserId: usr.ID}
+	if err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil {
+		authModule := getAuthQuery.Result.AuthModule
+		if authModule == models.AuthModuleLDAP || authModule == models.AuthModuleProxy {
+			return response.Error(401, "Not allowed to reset password for LDAP or Auth Proxy user", nil)
+		}
+	}
+
 	emailCmd := models.SendResetPasswordEmailCommand{User: usr}
 	if err := hs.NotificationService.SendResetPasswordEmail(c.Req.Context(), &emailCmd); err != nil {
 		return response.Error(500, "Failed to send email", err)
diff --git a/pkg/api/user.go b/pkg/api/user.go
index cda48841343..fc949dd0ebc 100644
--- a/pkg/api/user.go
+++ b/pkg/api/user.go
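Review bot: The new `return response.Error(401, "Not allowed to reset password for LDAP or Auth Proxy user", nil)` turns this unauthenticated endpoint into an account-existence oracle: a caller now learns that the supplied login or e-mail belongs to a real LDAP or auth-proxy account, whereas the branch just above it and the new `IsDisabled` branch deliberately answer `"Email sent"` with 200 so that nothing about the account is disclosed (the removed global check ran before any user lookup and so leaked nothing per user). Log it and return the same generic response, `c.Logger.Info("Requested password reset for LDAP or Auth Proxy user", "user", userQuery.LoginOrEmail)` followed by `return response.Error(http.StatusOK, "Email sent", nil)`. Separately, the guard only executes when `GetAuthInfo` returns nil, so any lookup error other than "no auth info" (a database failure, for instance) silently falls through to sending the reset mail; only the not-found sentinel the service returns (not visible here) should be tolerated, and other errors should fail closed with a 500. SendResetPasswordEmail starts before and ends after this hunk.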
@@ -383,9 +383,6 @@ func (hs *HTTPServer) ChangeUserPassword(c *models.ReqContext) response.Response
 	if err := web.Bind(c.Req, &cmd); err != nil {
 		return response.Error(http.StatusBadRequest, "bad request data", err)
 	}
-	if setting.LDAPEnabled || setting.AuthProxyEnabled {
-		return response.Error(400, "Not allowed to change password when LDAP or Auth Proxy is enabled", nil)
-	}
 
 	userQuery := user.GetUserByIDQuery{ID: c.UserId}
 
@@ -394,6 +391,14 @@ func (hs *HTTPServer) ChangeUserPassword(c *models.ReqContext) response.Response
 		return response.Error(500, "Could not read user from database", err)
 	}
 
+	getAuthQuery := models.GetAuthInfoQuery{UserId: user.ID}
+	if err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery); err == nil {
+		authModule := getAuthQuery.Result.AuthModule
+		if authModule == models.AuthModuleLDAP || authModule == models.AuthModuleProxy {
+			return response.Error(400, "Not allowed to reset password for LDAP or Auth Proxy user", nil)
+		}
+	}
+
 	passwordHashed, err := util.EncodePassword(cmd.OldPassword, user.Salt)
 	if err != nil {
 		return response.Error(500, "Failed to encode password", err)
@@ -491,6 +496,8 @@ func GetAuthProviderLabel(authModule string) string {
 		return "grafana.com"
 	case "auth.saml":
 		return "SAML"
+	case "authproxy":
+		return "Auth Proxy"
 	case "ldap", "":
 		return "LDAP"
 	default:
diff --git a/pkg/models/user_auth.go b/pkg/models/user_auth.go
index 0732c81f47d..5cee0dfb449 100644
--- a/pkg/models/user_auth.go
+++ b/pkg/models/user_auth.go
@@ -10,7 +10,8 @@ import (
 )
 
 const (
-	AuthModuleLDAP = "ldap"
+	AuthModuleLDAP  = "ldap"
+	AuthModuleProxy = "authproxy"
 )
 
 type UserAuth struct {
diff --git a/public/app/core/components/Login/LoginCtrl.tsx b/public/app/core/components/Login/LoginCtrl.tsx
index cc6bf390255..7c39e1eb324 100644
--- a/public/app/core/components/Login/LoginCtrl.tsx
+++ b/public/app/core/components/Login/LoginCtrl.tsx
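Review bot: The LDAP/auth-proxy guard added to ChangeUserPassword fails open: it runs only when `GetAuthInfo` returns nil, so any lookup error other than "no auth info" (a database failure, say) skips the check and lets the password change go through for an externally authenticated account. Only the not-found sentinel the service returns (not visible in this hunk) should be tolerated; split the call out, `err := hs.authInfoService.GetAuthInfo(c.Req.Context(), &getAuthQuery)`, and abort on anything else with `if err != nil && !errors.Is(err, <not-found sentinel>) { return response.Error(500, "Could not read auth info", err) }` before inspecting `getAuthQuery.Result.AuthModule` (importing `errors` if the file does not already). The rejection text also says "reset password" although this endpoint changes one; `"Not allowed to change password for LDAP or Auth Proxy user"` matches the removed line's wording and the operation. ChangeUserPassword starts before and ends after this hunk.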
@@ -25,8 +25,6 @@ interface Props { skipPasswordChange: Function; login: (data: FormModel) => void; disableLoginForm: boolean; - ldapEnabled: boolean; - authProxyEnabled: boolean; disableUserSignUp: boolean; isOauthEnabled: boolean; loginHint: string; @@ -129,7 +127,7 @@ export class LoginCtrl extends PureComponent { const { children } = this.props; const { isLoggingIn, isChangingPassword } = this.state; const { login, toGrafana, changePassword } = this; - const { loginHint, passwordHint, disableLoginForm, ldapEnabled, authProxyEnabled, disableUserSignUp } = config; + const { loginHint, passwordHint, disableLoginForm, disableUserSignUp } = config; return ( <> @@ -138,8 +136,6 @@ export class LoginCtrl extends PureComponent { loginHint, passwordHint, disableLoginForm, - ldapEnabled, - authProxyEnabled, disableUserSignUp, login, isLoggingIn, diff --git a/public/app/core/components/Login/LoginPage.tsx b/public/app/core/components/Login/LoginPage.tsx index bb49378ce60..0e8bbbb3b82 100644 --- a/public/app/core/components/Login/LoginPage.tsx +++ b/public/app/core/components/Login/LoginPage.tsx @@ -28,8 +28,6 @@ export const LoginPage: FC = () => { {({ loginHint, passwordHint, - ldapEnabled, - authProxyEnabled, disableLoginForm, disableUserSignUp, login, @@ -48,19 +46,15 @@ export const LoginPage: FC = () => { passwordHint={passwordHint} isLoggingIn={isLoggingIn} > - {!(ldapEnabled || authProxyEnabled) ? ( - - - Forgot your password? - - - ) : ( - <> - )} + + + Forgot your password? + + )} diff --git a/public/app/features/profile/ChangePasswordForm.tsx b/public/app/features/profile/ChangePasswordForm.tsx index 07f2553f6eb..30811d6747d 100644 --- a/public/app/features/profile/ChangePasswordForm.tsx +++ b/public/app/features/profile/ChangePasswordForm.tsx 
@@ -16,11 +16,11 @@ export interface Props { } export const ChangePasswordForm: FC = ({ user, onChangePassword, isSaving }) => { - const { ldapEnabled, authProxyEnabled, disableLoginForm } = config; + const { disableLoginForm } = config; const authSource = user.authLabels?.length && user.authLabels[0]; - if (ldapEnabled || authProxyEnabled) { - return

You cannot change password when LDAP or auth proxy authentication is enabled.

; + if (authSource === 'LDAP' || authSource === 'Auth Proxy') { + return

You cannot change password when signed in with LDAP or auth proxy.

; } if (authSource && disableLoginForm) { return

Password cannot be changed here.

; diff --git a/public/app/features/profile/ChangePasswordPage.test.tsx b/public/app/features/profile/ChangePasswordPage.test.tsx index 4506dfdc361..41cca32c284 100644 --- a/public/app/features/profile/ChangePasswordPage.test.tsx +++ b/public/app/features/profile/ChangePasswordPage.test.tsx @@ -84,19 +84,19 @@ describe('ChangePasswordPage', () => { ); }); }); - it('should cannot change password form if ldap or authProxy enabled', async () => { - config.ldapEnabled = true; - const { rerender } = await getTestContext(); - expect( - screen.getByText('You cannot change password when LDAP or auth proxy authentication is enabled.') - ).toBeInTheDocument(); - config.ldapEnabled = false; - config.authProxyEnabled = true; - rerender(); - expect( - screen.getByText('You cannot change password when LDAP or auth proxy authentication is enabled.') - ).toBeInTheDocument(); - config.authProxyEnabled = false; + it('should cannot change password form if user signed in with LDAP', async () => { + await getTestContext({ + user: { ...defaultProps.user!, authLabels: ['LDAP'] }, + }); + + expect(screen.getByText('You cannot change password when signed in with LDAP or auth proxy.')).toBeInTheDocument(); + }); + it('should cannot change password form if user signed in with auth proxy', async () => { + await getTestContext({ + user: { ...defaultProps.user!, authLabels: ['Auth Proxy'] }, + }); + + expect(screen.getByText('You cannot change password when signed in with LDAP or auth proxy.')).toBeInTheDocument(); }); it('should show cannot change password if disableLoginForm is true and auth', async () => { config.disableLoginForm = true;
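Review bot: The new gate `if (authSource === 'LDAP' || authSource === 'Auth Proxy')` compares against human-readable labels, and `authSource` appears to be populated from the server's `GetAuthProviderLabel` (this same commit adds its `"Auth Proxy"` string), so the two sides must be kept in lockstep by hand with no shared constant; renaming a label on either side silently re-enables the form. Because the backend now rejects the request for such users anyway, the failure mode is only a misleading form, but a shared constant or a dedicated boolean on the user model rather than a label comparison would remove the coupling. Note also that the `case "ldap", "":` branch in user.go maps an empty auth module to `"LDAP"` as well, so this message would also be shown to users whose auth module is unset; worth confirming that is intended. The enclosing component continues past the hunk.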