Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement and enforce user account status #9374

Merged
merged 14 commits into from
Nov 9, 2020
Merged

Implement and enforce user account status #9374

merged 14 commits into from
Nov 9, 2020

Conversation

mpfz0r
Copy link
Contributor

@mpfz0r mpfz0r commented Nov 5, 2020

Fixes #9077

@mpfz0r
Add AccountStatus field to User
9b2e1fd
@mpfz0r
Add UserAccountControl and status to LdapEntry and UserDetails
fee5799
@mpfz0r
Try to cope with incomplete LDAP user entries.
92e37f8 
 - If we can't get the userNameAttribute, simply use the username
 - Fill in dummy email address if none can't be found
@mpfz0r
Also provision accounts that failed to login
317a9be 
Reverse the order: First provision, then try to login.
This is needed, because we otherwise can't update the disabled status
flag for accounts.
@mpfz0r
Prevent user logins for disabled accounts
74d53f7
@mpfz0r
Add account_status to UserSummary
92dfa0e
@mpfz0r
Add endpoint to modify user acount status
5b45e21
@mpfz0r
Add auditevent
71425e8
bernd
bernd requested changes Nov 5, 2020
View reviewed changes
Copy link
Member

@bernd bernd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First round of review.

graylog2-server/src/main/java/org/graylog/security/authservice/ldap/LDAPEntry.java Outdated Show resolved Hide resolved
graylog2-server/src/main/java/org/graylog/security/authservice/ldap/LDAPUser.java Outdated Show resolved Hide resolved
...log2-server/src/main/java/org/graylog/security/authservice/backend/ADAuthServiceBackend.java Outdated Show resolved Hide resolved
...g2-server/src/main/java/org/graylog/security/authservice/backend/LDAPAuthServiceBackend.java Outdated Show resolved Hide resolved
@bernd bernd self-assigned this Nov 5, 2020
@mpfz0r
Print userAccountControl as flags
016b21e
@mpfz0r
Remove ADUserAccountControl from LDAPUser and LDAPEntry.
6927c63 
This means the test result can only show whether an account is
enabled/disabled.
@mpfz0r
Restore original authenticateAndProvision order
ca3d164
@mpfz0r
Double check that an account is enabled in AD
9adb2b8 
This deliberately ignores the pre-auth flag set by the
HTTPHeaderAuthRealm.
@mpfz0r mpfz0r marked this pull request as ready for review November 6, 2020 12:10
@mpfz0r mpfz0r requested a review from bernd November 6, 2020 14:19
bernd
bernd requested changes Nov 6, 2020
View reviewed changes
Copy link
Member

@bernd bernd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested with local users and AD users. Works! 👍

Three smaller comments:

graylog2-server/src/main/java/org/graylog2/rest/resources/users/UsersResource.java Outdated Show resolved Hide resolved
graylog2-server/src/main/java/org/graylog2/rest/resources/users/UsersResource.java Show resolved Hide resolved
...log2-server/src/main/java/org/graylog/security/authservice/backend/ADAuthServiceBackend.java Outdated Show resolved Hide resolved
@mpfz0r mpfz0r requested a review from bernd November 9, 2020 09:39
@bernd bernd merged commit ae427f1 into master Nov 9, 2020
@bernd bernd deleted the issue-9077 branch November 9, 2020 10:13
@linuspahl linuspahl mentioned this pull request Nov 9, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bernd bernd bernd approved these changes

Assignees

@bernd bernd

Labels
ready-for-review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Implement a user status
2 participants
@mpfz0r @bernd