fix: login with apiKey capability (argoproj#4557)

* fix: login with apiKey capability * fix: update based on code review. * fix: update based on code review. * fix: check pws first.
paulfantom · Oct 14, 2020 · c277ef8 · c277ef8
1 parent adec070
commit c277ef8
Showing 1 changed file with 13 additions and 7 deletions.
diff --git a/util/session/sessionmanager.go b/util/session/sessionmanager.go
@@ -74,10 +74,11 @@ const (
 	SessionManagerClaimsIssuer = "argocd"
 
 	// invalidLoginError, for security purposes, doesn't say whether the username or password was invalid.  This does not mitigate the potential for timing attacks to determine which is which.
-	invalidLoginError    = "Invalid username or password"
-	blankPasswordError   = "Blank passwords are not allowed"
-	accountDisabled      = "Account %s is disabled"
-	usernameTooLongError = "Username is too long (%d bytes max)"
+	invalidLoginError         = "Invalid username or password"
+	blankPasswordError        = "Blank passwords are not allowed"
+	accountDisabled           = "Account %s is disabled"
+	usernameTooLongError      = "Username is too long (%d bytes max)"
+	userDoesNotHaveCapability = "Account %s does not have %s capability"
 )
 
 const (
@@ -399,15 +400,20 @@ func (mgr *SessionManager) VerifyUsernamePassword(username string, password stri
 		_, _ = passwordutil.HashPassword("for_consistent_response_time")
 		return err
 	}
-	if !account.Enabled {
-		return status.Errorf(codes.Unauthenticated, accountDisabled, username)
-	}
 
 	valid, _ := passwordutil.VerifyPassword(password, account.PasswordHash)
 	if !valid {
 		mgr.updateFailureCount(username, true)
 		return InvalidLoginErr
 	}
+
+	if !account.Enabled {
+		return status.Errorf(codes.Unauthenticated, accountDisabled, username)
+	}
+
+	if !account.HasCapability(settings.AccountCapabilityLogin) {
+		return status.Errorf(codes.Unauthenticated, userDoesNotHaveCapability, username, settings.AccountCapabilityLogin)
+	}
 	mgr.updateFailureCount(username, false)
 	return nil
 }