AMBARI-7163. Inactive user should not be able to login. (mahadev)

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLdapAuthoritiesPopulator.java

@@ -17,7 +17,11 @@
  */
 package org.apache.ambari.server.security.authorization;
 
-import com.google.inject.Inject;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+
 import org.apache.ambari.server.orm.dao.MemberDAO;
 import org.apache.ambari.server.orm.dao.PrivilegeDAO;
 import org.apache.ambari.server.orm.dao.UserDAO;
@@ -28,13 +32,11 @@ import org.apache.ambari.server.orm.entities.UserEntity;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.authentication.DisabledException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
 
-import java.util.Collection;
-import java.util.Collections;
-import java.util.LinkedList;
-import java.util.List;
+import com.google.inject.Inject;
 
 /**
  * Provides authorities population for LDAP user from LDAP catalog
@@ -63,12 +65,14 @@ public class AmbariLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator
     UserEntity user;
 
     user = userDAO.findLdapUserByName(username);
-
+    
     if (user == null) {
       log.error("Can't get authorities for user " + username + ", he is not present in local DB");
       return Collections.emptyList();
     }
-
+    if(!user.getActive()){
+      throw new DisabledException("User is disabled");
+    }
     // get all of the privileges for the user
     List<PrincipalEntity> principalEntities = new LinkedList<PrincipalEntity>();
 

ambari-server/src/main/java/org/apache/ambari/server/security/authorization/AmbariLocalUserDetailsService.java

@@ -91,7 +91,7 @@ public class AmbariLocalUserDetailsService implements UserDetailsService {
 
     List<PrivilegeEntity> privilegeEntities = privilegeDAO.findAllByPrincipal(principalEntities);
 
-    return new User(user.getUserName(), user.getUserPassword(),
-        authorizationHelper.convertPrivilegesToAuthorities(privilegeEntities));
+    return new User(user.getUserName(), user.getUserPassword(), user.getActive(), 
+        true, true, true, authorizationHelper.convertPrivilegesToAuthorities(privilegeEntities));
   }
 }

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/AmbariAuthorizationProviderDisableUserTest.java

@@ -0,0 +1,97 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.ambari.server.security.authorization;
+
+import org.apache.ambari.server.orm.dao.MemberDAO;
+import org.apache.ambari.server.orm.dao.PrivilegeDAO;
+import org.apache.ambari.server.orm.dao.UserDAO;
+import org.apache.ambari.server.orm.entities.UserEntity;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.springframework.security.authentication.DisabledException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.crypto.password.StandardPasswordEncoder;
+
+public class AmbariAuthorizationProviderDisableUserTest {
+
+  private UserDAO userDAO;
+  
+  private PasswordEncoder encoder = new StandardPasswordEncoder();
+  
+  private DaoAuthenticationProvider daoProvider;
+
+  private AmbariLdapAuthoritiesPopulator ldapPopulator;
+
+  @Before
+  public void setUp() {
+    userDAO = Mockito.mock(UserDAO.class);
+    
+    createUser("activeUser", true);
+    createUser("disabledUser", false);
+    
+    MemberDAO memberDao = Mockito.mock(MemberDAO.class);
+    PrivilegeDAO privilegeDao = Mockito.mock(PrivilegeDAO.class);
+    AuthorizationHelper authorizationHelper = new AuthorizationHelper();
+    
+    AmbariLocalUserDetailsService uds = new AmbariLocalUserDetailsService(null,null,authorizationHelper,userDAO,memberDao,privilegeDao);
+    daoProvider = new DaoAuthenticationProvider();
+    daoProvider.setUserDetailsService(uds);
+    daoProvider.setPasswordEncoder(encoder);
+    
+    ldapPopulator = new AmbariLdapAuthoritiesPopulator(authorizationHelper, userDAO, memberDao, privilegeDao);
+    
+  }
+  
+  @Test public void testDisabledUserViaDaoProvider(){
+    try{
+      daoProvider.authenticate(new UsernamePasswordAuthenticationToken("disabledUser","pwd"));
+      Assert.fail("Disabled user passes authentication");
+    }catch(DisabledException e){
+      //expected
+      Assert.assertEquals("User is disabled", e.getMessage());//UI depends on this
+    }
+    Authentication auth = daoProvider.authenticate(new UsernamePasswordAuthenticationToken("activeUser","pwd"));
+    Assert.assertNotNull(auth);
+    Assert.assertTrue(auth.isAuthenticated());
+  }
+
+  @Test public void testDisabledUserViaLdapProvider(){
+    try{
+      ldapPopulator.getGrantedAuthorities(null, "disabledUser");
+      Assert.fail("Disabled user passes authentication");
+    }catch(DisabledException e){
+      //expected
+      Assert.assertEquals("User is disabled", e.getMessage());//UI depends on this
+    }
+  }
+  
+  private void createUser(String login, boolean isActive) {
+    UserEntity activeUser = new UserEntity();
+    activeUser.setActive(isActive);
+    activeUser.setUserName(login);
+    activeUser.setUserPassword(encoder.encode("pwd"));
+    Mockito.when(userDAO.findLocalUserByName(login)).thenReturn(activeUser);
+    Mockito.when(userDAO.findLdapUserByName(login)).thenReturn(activeUser);
+  }
+}

ambari-server/src/test/java/org/apache/ambari/server/security/authorization/TestAmbariLdapAuthoritiesPopulator.java

@@ -63,6 +63,7 @@ public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport {
         .withConstructor(helper, userDAO, memberDAO, privilegeDAO).createMock();
 
     expect(userEntity.getPrincipal()).andReturn(principalEntity);
+    expect(userEntity.getActive()).andReturn(true);
     expect(memberDAO.findAllMembersByUser(userEntity)).andReturn(Collections.singletonList(memberEntity));
     expect(memberEntity.getGroup()).andReturn(groupEntity);
     expect(groupEntity.getPrincipal()).andReturn(groupPrincipalEntity);
@@ -87,6 +88,7 @@ public class TestAmbariLdapAuthoritiesPopulator extends EasyMockSupport {
         .withConstructor(helper, userDAO, memberDAO, privilegeDAO).createMock();
 
     expect(userEntity.getPrincipal()).andReturn(principalEntity).anyTimes();
+    expect(userEntity.getActive()).andReturn(true);
     expect(memberDAO.findAllMembersByUser(userEntity)).andReturn(Collections.singletonList(memberEntity)).anyTimes();
     expect(memberEntity.getGroup()).andReturn(groupEntity).anyTimes();
     expect(groupEntity.getPrincipal()).andReturn(groupPrincipalEntity).anyTimes();

ambari-web/app/controllers/login_controller.js

@@ -35,13 +35,19 @@ App.LoginController = Em.Object.extend({
     App.get('router').login();
   },
 
-  postLogin: function (isConnected, isAuthenticated) {
+  postLogin: function (isConnected, isAuthenticated, responseText) {
     if (!isConnected) {
       console.log('Failed to connect to Ambari Server');
       this.set('errorMessage', Em.I18n.t('login.error.bad.connection'));
     } else if (!isAuthenticated) {
       console.log('Failed to login as: ' + this.get('loginName'));
-      this.set('errorMessage', Em.I18n.t('login.error.bad.credentials'));
+      var errorMessage = "";
+      if( responseText === "User is disabled" ){
+        errorMessage = Em.I18n.t('login.error.disabled');
+      } else {
+        errorMessage = Em.I18n.t('login.error.bad.credentials');
+      }
+      this.set('errorMessage', errorMessage);
     }
   }
 

ambari-web/app/messages.js

@@ -281,6 +281,7 @@ Em.I18n.translations = {
   'login.username':'Username',
   'login.loginButton':'Sign in',
   'login.error.bad.credentials':'Unable to sign in. Invalid username/password combination.',
+  'login.error.disabled':'Unable to sign in. Invalid username/password combination.',
   'login.error.bad.connection':'Unable to connect to Ambari Server. Confirm Ambari Server is running and you can reach Ambari Server from this machine.',
 
   'graphs.noData.title': 'No Data',

ambari-web/app/router.js

@@ -242,9 +242,13 @@ App.Router = Em.Router.extend({
     console.log("login error: " + error);
     this.setAuthenticated(false);
     if (request.status == 403) {
-      controller.postLogin(true, false);
+      var responseMessage = request.responseText;
+      try{
+        responseMessage = JSON.parse(request.responseText).message;
+      }catch(e){}
+      controller.postLogin(true, false, responseMessage);
     } else {
-      controller.postLogin(false, false);
+      controller.postLogin(false, false, null);
     }
 
   },