Oidc: Prevent internal users from logging in when OIDC is enabled #782

2021-11-03 15:29:20 +01:00 · 2021-11-03 15:29:20 +01:00 · 2dce7c37e5
commit 2dce7c37e5
parent 150328b6e5
3 changed files with 16 additions and 0 deletions
--- a/internal/api/session.go
+++ b/internal/api/session.go
@ -66,6 +66,13 @@ func CreateSession(router *gin.RouterGroup) {
 				return
 			}

+			oidcEnabled := conf.OidcIssuerUrl() != nil && conf.OidcClientId() != "" && conf.OidcClientSecret() != ""
+			if user.ID != entity.Admin.ID && oidcEnabled && !user.External() {
+				log.Warn("Internal users are disabled when using OpenID Connect")
+				c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidCredentials)})
+				return
+			}
+
 			data.User = *user
 		} else {
 			c.AbortWithStatusJSON(400, gin.H{"error": i18n.Msg(i18n.ErrInvalidPassword)})
--- a/internal/commands/users.go
+++ b/internal/commands/users.go
@ -288,6 +288,10 @@ func usersUpdateAction(ctx *cli.Context) error {
 func callWithDependencies(ctx *cli.Context, f func(conf *config.Config) error) error {
 	conf := config.NewConfig(ctx)

+	if conf.OidcIssuerUrl() != nil && conf.OidcClientId() != "" && conf.OidcClientSecret() != "" {
+		log.Warn("Internal users are disabled when using OpenID Connect")
+	}
+
 	_, cancel := context.WithCancel(context.Background())
 	defer cancel()

--- a/internal/entity/user.go
+++ b/internal/entity/user.go
@ -292,6 +292,11 @@ func (m *User) Guest() bool {
 	return m.RoleGuest
 }

+// Guest returns true if the user is a guest.
+func (m *User) External() bool {
+	return m.ExternalID != ""
+}
+
 // SetPassword sets a new password stored as hash.
 func (m *User) SetPassword(password string) error {
 	if !m.Registered() {