Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
fix: tokens keep working after account is deactivated (#5402)
Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>
  • Loading branch information
Alexander Matyushentsev authored and alexmt committed Feb 5, 2021
1 parent ce43b7a commit f5b0db2
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 0 deletions.
4 changes: 4 additions & 0 deletions util/session/sessionmanager.go
Expand Up @@ -283,6 +283,10 @@ func (mgr *SessionManager) Parse(tokenString string) (jwt.Claims, error) {
return nil, err
}

if !account.Enabled {
return nil, fmt.Errorf("account %s is disabled", subject)
}

if id := jwtutil.StringField(claims, "jti"); id != "" && account.TokenIndex(id) == -1 {
return nil, fmt.Errorf("account %s does not have token with id %s", subject, id)
}
Expand Down
17 changes: 17 additions & 0 deletions util/session/sessionmanager_test.go
Expand Up @@ -92,6 +92,23 @@ func TestSessionManager_AdminToken(t *testing.T) {
}
}

func TestSessionManager_AdminToken_Deactivated(t *testing.T) {
const (
defaultSubject = "admin"
)
settingsMgr := settings.NewSettingsManager(context.Background(), getKubeClient("pass", false), "argocd")
mgr := newSessionManager(settingsMgr, getProjLister(), NewInMemoryUserStateStorage())

token, err := mgr.Create(defaultSubject, 0, "")
if err != nil {
t.Errorf("Could not create token: %v", err)
}

_, err = mgr.Parse(token)
require.Error(t, err)
assert.Contains(t, err.Error(), "account admin is disabled")
}

func TestSessionManager_ProjectToken(t *testing.T) {
settingsMgr := settings.NewSettingsManager(context.Background(), getKubeClient("pass", true), "argocd")

Expand Down

0 comments on commit f5b0db2

Please sign in to comment.