From 10a2c7144472728e4f7aa8d616dc7ec5cf4c2e1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Geuken?= Date: Mon, 16 Nov 2015 15:33:44 +0100 Subject: [PATCH 1/4] [webui][api] Provide a User class method for logging in users The login code is a simple abstraction of what UserController's do_login action does. --- src/api/app/models/user.rb | 9 +++++++++ src/api/test/unit/user_test.rb | 18 ++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/src/api/app/models/user.rb b/src/api/app/models/user.rb index 7c922b5a89f..5d481f0677d 100644 --- a/src/api/app/models/user.rb +++ b/src/api/app/models/user.rb @@ -369,6 +369,15 @@ def nobody_login '_nobody_' end + def authenticate(user_login, password = nil) + if password.nil? + user = User.find_by(login: user_login) + else + user = User.find_with_credentials(user_login, password) + end + User.current = user + end + def get_default_admin admin = CONFIG['default_admin'] || 'Admin' user = find_by_login(admin) diff --git a/src/api/test/unit/user_test.rb b/src/api/test/unit/user_test.rb index b3c47eb85e4..1c2a02b5ad9 100644 --- a/src/api/test/unit/user_test.rb +++ b/src/api/test/unit/user_test.rb @@ -9,6 +9,24 @@ def setup @user = User.find_by_login('Iggy') end + def test_login + user = User.authenticate("tom") + assert_equal User.find_by(login: "tom"), user + assert_equal User.find_by(login: "tom"), User.current + + user = User.authenticate("tom", "thunder") + assert_equal User.find_by(login: "tom"), user + assert_equal User.find_by(login: "tom"), User.current + + user = User.authenticate("tom", "wrong_pw") + assert_equal nil, user + assert_equal nil, User.current + + user = User.authenticate("nonexistant") + assert_equal nil, user + assert_equal nil, User.current + end + def test_create_home_project User.create(login: 'moises', email: 'moises@home.com', password: '123456') assert Project.find_by(name: 'home:moises') From c13df024df12aa57a31ff2dcb183c46f91485289 Mon Sep 17 00:00:00 2001 
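Review bot: `authenticate(user_login, password = nil)` turns a nil password into a plain `User.find_by(login:)` that is then made current, so the proxy-trusted path and the password path are told apart only by whether the caller passed a second argument; the `:basic, :off` branch of `webui/user_controller.rb` (patch 2 of this series) forwards `params[:password]` unchanged, and a request that omits that field reaches the lookup-by-login branch instead of `find_with_credentials`. Whether the previous controller code rejected a nil password inside `find_with_credentials` is not visible here, but the new method never calls it in that case. Keeping the two modes as separate methods makes the intent explicit and cannot be downgraded by a missing parameter; the `HTTP_X_USERNAME` call site and the test in this patch would call the login-only variant. The enclosing scope (presumably a `class << self` block, since the test calls `User.authenticate`) starts outside the hunk.
```ruby
# Proxy mode: the upstream proxy already verified the login carried in the
# header, so only the lookup happens here. Must not be reachable from a
# path that carries a user-supplied password.
def authenticate_by_login(user_login)
  User.current = User.find_by(login: user_login)
end

# Credential mode: the password (nil included) is always handed to
# find_with_credentials, never turned into a bare lookup by login.
def authenticate(user_login, password)
  User.current = User.find_with_credentials(user_login, password)
end
```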
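Review bot: `assert_equal nil, user` and `assert_equal nil, User.current` in `test_login` should be `assert_nil user` and `assert_nil User.current`; minitest deprecates a nil expectation in `assert_equal` and the dedicated assertion reports failures more clearly. The cases never exercise a nil password on the credential path, which is exactly where `authenticate`'s default argument changes what is checked, so a case such as `assert_nil User.authenticate("tom", nil)` is needed to pin that a missing password does not log the user in. `test_login` is complete within the hunk; the surrounding test class starts outside it.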
From: =?UTF-8?q?Bj=C3=B6rn=20Geuken?= Date: Mon, 16 Nov 2015 15:37:38 +0100 Subject: [PATCH 2/4] [webui] Use User#login in do_login action --- src/api/app/controllers/webui/user_controller.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/api/app/controllers/webui/user_controller.rb b/src/api/app/controllers/webui/user_controller.rb index 86d0b624f45..6089931c274 100644 --- a/src/api/app/controllers/webui/user_controller.rb +++ b/src/api/app/controllers/webui/user_controller.rb @@ -36,9 +36,9 @@ def do_login case mode when :on - user = User.find_by(login: request.env['HTTP_X_USERNAME']) + user = User.authenticate(request.env['HTTP_X_USERNAME']) when :basic, :off - user = User.find_with_credentials(params[:username], params[:password]) + user = User.authenticate(params[:username], params[:password]) end if user.nil? || (user.state == User::STATES['ichainrequest'] || user.state == User::STATES['unconfirmed']) @@ -47,7 +47,6 @@ def do_login end logger.debug "USER found: #{user.login}" - User.current = user session[:login] = User.current.login session[:password] = params[:password] From e6f1ccadfbc6b8c40db157ac2277fde459b953c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Geuken?= Date: Tue, 17 Nov 2015 10:24:50 +0100 Subject: [PATCH 3/4] [webui] user controller: Move unconfirmed state check to the model --- src/api/app/controllers/webui/user_controller.rb | 2 +- src/api/app/models/user.rb | 6 ++++++ src/api/test/fixtures/users.yml | 13 +++++++++++++ src/api/test/unit/user_test.rb | 4 ++++ 4 files changed, 24 insertions(+), 1 deletion(-) diff --git a/src/api/app/controllers/webui/user_controller.rb b/src/api/app/controllers/webui/user_controller.rb index 6089931c274..8ff78f815bc 100644 --- a/src/api/app/controllers/webui/user_controller.rb +++ b/src/api/app/controllers/webui/user_controller.rb 
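Review bot: with `User.current = user` removed, the kept line `session[:login] = User.current.login` relies on the side effect `User.authenticate` has on the class-level current user rather than on the `user` local that `do_login` just nil-checked; `session[:login] = user.login` states the same thing without that coupling and matches the `logger.debug "USER found: #{user.login}"` line directly above. Unrelated to this patch but visible in the same hunk, `session[:password] = params[:password]` keeps the cleartext password in the session, presumably for re-authentication further down the stack; a comment on that line stating why it is needed would stop it from being mistaken for leftover code. `do_login` starts and ends outside the hunk.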
@@ -41,7 +41,7 @@ def do_login user = User.authenticate(params[:username], params[:password]) end - if user.nil? || (user.state == User::STATES['ichainrequest'] || user.state == User::STATES['unconfirmed']) + unless user redirect_to(user_login_path, error: 'Authentication failed') return end diff --git a/src/api/app/models/user.rb b/src/api/app/models/user.rb index 5d481f0677d..ccf5bb53a21 100644 --- a/src/api/app/models/user.rb +++ b/src/api/app/models/user.rb @@ -375,6 +375,12 @@ def authenticate(user_login, password = nil) else user = User.find_with_credentials(user_login, password) end + + # User account is not confirmed yet + if [STATES['ichainrequest'], STATES['unconfirmed']].include?(user.try(:state)) + return + end + User.current = user end diff --git a/src/api/test/fixtures/users.yml b/src/api/test/fixtures/users.yml index 42bb753d10c..db1cc56a01c 100644 --- a/src/api/test/fixtures/users.yml +++ b/src/api/test/fixtures/users.yml @@ -281,3 +281,16 @@ user6: password_salt: Vibb8QsN4I password_crypted: osEJSjdDGtlBY state: 2 +unconfirmed_user: + created_at: 2012-01-16 13:36:00.000000000 Z + updated_at: 2012-01-16 13:36:00.000000000 Z + last_logged_in_at: 2012-01-16 13:36:00.000000000 Z + login_failure_count: 0 + login: unconfirmed_user + email: test@example.com + realname: '' + password: df9a257e5a7c1af44987f695369adc44 + password_hash_type: md5 + password_salt: Vibb8QsN4I + password_crypted: osEJSjdDGtlBY + state: 1 diff --git a/src/api/test/unit/user_test.rb b/src/api/test/unit/user_test.rb index 1c2a02b5ad9..0ed7a08c33b 100644 --- a/src/api/test/unit/user_test.rb +++ b/src/api/test/unit/user_test.rb @@ -25,6 +25,10 @@ def test_login user = User.authenticate("nonexistant") assert_equal nil, user assert_equal nil, User.current + + user = User.authenticate("unconfirmed_user") + assert_equal nil, user + assert_equal nil, User.current end def test_create_home_project From 8f6089cc7fdf790a5a53727dcd8dc07622ecc3a0 Mon Sep 17 00:00:00 2001 
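Review bot: the new unconfirmed-account branch in `authenticate` returns before `User.current = user`, so whatever `User.current` held before the call survives this failure, whereas the not-found and wrong-password outcomes fall through and clear it with `User.current = nil`. Folding the check into the assignment makes every outcome consistent: `user = nil if [STATES['ichainrequest'], STATES['unconfirmed']].include?(user.try(:state))` followed by the existing `User.current = user`. The `unconfirmed_user` case added to `test_login` in this patch passes only because the preceding `nonexistant` case already left `User.current` nil; assigning a confirmed user to `User.current` before that case would make its assertion meaningful. `authenticate` starts outside the hunk.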
From: =?UTF-8?q?Bj=C3=B6rn=20Geuken?= Date: Tue, 17 Nov 2015 10:43:28 +0100 Subject: [PATCH 4/4] [ci] Small cleanup --- src/api/test/test_helper.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/api/test/test_helper.rb b/src/api/test/test_helper.rb index 759782a3c89..2ad1416dd0a 100644 --- a/src/api/test/test_helper.rb +++ b/src/api/test/test_helper.rb @@ -396,8 +396,7 @@ def basic_auth end def prepare_request_with_user(user, passwd) - re = 'Basic ' + Base64.encode64(user + ':' + passwd) - @@auth = re + @@auth = 'Basic ' + Base64.encode64(user + ':' + passwd) end # will provide a user without special permissions
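Review bot: `Base64.encode64` appends a newline and wraps its output every 60 characters, so the rewritten `@@auth = 'Basic ' + Base64.encode64(user + ':' + passwd)` always ends the header value with a line break and embeds one for any `user:passwd` string longer than 45 bytes; `Base64.strict_encode64` gives the single-line form an `Authorization` header needs: `@@auth = 'Basic ' + Base64.strict_encode64("#{user}:#{passwd}")`. Whether the request stack used by these tests tolerates the trailing newline is not visible here, so this may be latent rather than a failing test today. `prepare_request_with_user` is complete within the hunk.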