Prevent disabled User from SSO login
This commit is contained in:
parent
02a9ab5d48
commit
28146e292d
2 changed files with 49 additions and 6 deletions
@ -152,7 +152,12 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option<String>, conn: &mu
|
||||||
crate::ratelimit::check_limit_login(&ip.ip)?;
|
crate::ratelimit::check_limit_login(&ip.ip)?;
|
||||||
|
|
||||||
let code = match data.code.as_ref() {
|
let code = match data.code.as_ref() {
|
||||||
None => err!("Got no code in OIDC data"),
|
None => err!(
|
||||||
|
"Got no code in OIDC data",
|
||||||
|
ErrorEvent {
|
||||||
|
event: EventType::UserFailedLogIn
|
||||||
|
}
|
||||||
|
),
|
||||||
Some(code) => code,
|
Some(code) => code,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -166,14 +171,33 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option<String>, conn: &mu
|
||||||
"Login failure ({}), existing non SSO user ({}) with same email ({}) and association is disabled",
|
"Login failure ({}), existing non SSO user ({}) with same email ({}) and association is disabled",
|
||||||
user_infos.identifier, user.uuid, user.email
|
user_infos.identifier, user.uuid, user.email
|
||||||
);
|
);
|
||||||
err_silent!("Existing non SSO user with same email")
|
err_silent!(
|
||||||
|
"Existing non SSO user with same email",
|
||||||
|
ErrorEvent {
|
||||||
|
event: EventType::UserFailedLogIn
|
||||||
|
}
|
||||||
|
)
|
||||||
}
|
}
|
||||||
Some((user, Some(sso_user))) if sso_user.identifier != user_infos.identifier => {
|
Some((user, Some(sso_user))) if sso_user.identifier != user_infos.identifier => {
|
||||||
error!(
|
error!(
|
||||||
"Login failure ({}), existing SSO user ({}) with same email ({})",
|
"Login failure ({}), existing SSO user ({}) with same email ({})",
|
||||||
user_infos.identifier, user.uuid, user.email
|
user_infos.identifier, user.uuid, user.email
|
||||||
);
|
);
|
||||||
err_silent!("Existing SSO user with same email")
|
err_silent!(
|
||||||
|
"Existing SSO user with same email",
|
||||||
|
ErrorEvent {
|
||||||
|
event: EventType::UserFailedLogIn
|
||||||
|
}
|
||||||
|
)
|
||||||
|
}
|
||||||
|
Some((user, _)) if !user.enabled => {
|
||||||
|
err!(
|
||||||
|
"This user has been disabled",
|
||||||
|
format!("IP: {}. Username: {}.", ip.ip, user.name),
|
||||||
|
ErrorEvent {
|
||||||
|
event: EventType::UserFailedLogIn
|
||||||
|
}
|
||||||
|
)
|
||||||
}
|
}
|
||||||
Some((user, sso_user)) => {
|
Some((user, sso_user)) => {
|
||||||
let (mut device, new_device) = get_device(&data, conn, &user).await?;
|
let (mut device, new_device) = get_device(&data, conn, &user).await?;
|
||||||
|
@ -190,15 +214,28 @@ async fn _sso_login(data: ConnectData, user_uuid: &mut Option<String>, conn: &mu
|
||||||
let (user, mut device, new_device, twofactor_token, sso_user) = match user_data {
|
let (user, mut device, new_device, twofactor_token, sso_user) = match user_data {
|
||||||
None => {
|
None => {
|
||||||
if !CONFIG.is_email_domain_allowed(&user_infos.email) {
|
if !CONFIG.is_email_domain_allowed(&user_infos.email) {
|
||||||
err!("Email domain not allowed");
|
err!(
|
||||||
|
"Email domain not allowed",
|
||||||
|
ErrorEvent {
|
||||||
|
event: EventType::UserFailedLogIn
|
||||||
|
}
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
match user_infos.email_verified {
|
match user_infos.email_verified {
|
||||||
None if !CONFIG.sso_allow_unknown_email_verification() => err!(
|
None if !CONFIG.sso_allow_unknown_email_verification() => err!(
|
||||||
"Your provider does not send email verification status.\n\
|
"Your provider does not send email verification status.\n\
|
||||||
You will need to change the server configuration (check `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`) to log in."
|
You will need to change the server configuration (check `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION`) to log in.",
|
||||||
|
ErrorEvent {
|
||||||
|
event: EventType::UserFailedLogIn
|
||||||
|
}
|
||||||
|
),
|
||||||
|
Some(false) => err!(
|
||||||
|
"You need to verify your email with your provider before you can log in",
|
||||||
|
ErrorEvent {
|
||||||
|
event: EventType::UserFailedLogIn
|
||||||
|
}
|
||||||
),
|
),
|
||||||
Some(false) => err!("You need to verify your email with your provider before you can log in"),
|
|
||||||
_ => (),
|
_ => (),
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
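Review bot: The new `Some((user, _)) if !user.enabled` arm, like the two `err_silent!` arms above it, returns an `EventType::UserFailedLogIn` error while the matching `user` is already in hand, yet nothing in the hunk assigns the `user_uuid: &mut Option<String>` out-parameter shown in the signature before the early return. If the caller uses that parameter to attribute the failed-login event to the account (which the signature suggests but the hunk does not show), the event for a disabled user would be recorded without a user id; consider `*user_uuid = Some(user.uuid.clone());` as the first statement of that arm, and likewise in the two email-conflict arms, before the `err!`/`err_silent!` call. The arm order also means a disabled user whose SSO identifier mismatches gets the mismatch error rather than the disabled one; that is probably intended but deserves a one-line comment. The body of `_sso_login` starts before the first hunk and continues after the last.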
@ -255,9 +255,15 @@ macro_rules! err_silent {
|
||||||
($msg:expr) => {{
|
($msg:expr) => {{
|
||||||
return Err($crate::error::Error::new($msg, $msg));
|
return Err($crate::error::Error::new($msg, $msg));
|
||||||
}};
|
}};
|
||||||
|
($msg:expr, ErrorEvent $err_event:tt) => {{
|
||||||
|
return Err($crate::error::Error::new($msg, $msg).with_event($crate::error::ErrorEvent $err_event));
|
||||||
|
}};
|
||||||
($usr_msg:expr, $log_value:expr) => {{
|
($usr_msg:expr, $log_value:expr) => {{
|
||||||
return Err($crate::error::Error::new($usr_msg, $log_value));
|
return Err($crate::error::Error::new($usr_msg, $log_value));
|
||||||
}};
|
}};
|
||||||
|
($usr_msg:expr, $log_value:expr, ErrorEvent $err_event:tt) => {{
|
||||||
|
return Err($crate::error::Error::new($usr_msg, $log_value).with_event($crate::error::ErrorEvent $err_event));
|
||||||
|
}};
|
||||||
}
|
}
|
||||||
|
|
||||||
#[macro_export]
|
#[macro_export]
|
||||||
|
|
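Review bot: The two new `ErrorEvent $err_event:tt` arms of `err_silent!` carry no comment explaining why they are listed ahead of the plain `($usr_msg:expr, $log_value:expr)` arm, and that ordering is load-bearing: `ErrorEvent { event: .. }` is itself a valid struct expression, so if the two-`expr` arm were tried first it would capture the event as `$log_value` and `with_event` would never be attached. Suggest adding above `($msg:expr, ErrorEvent $err_event:tt)`: `// Keep the ErrorEvent arms before the plain expr arms: a struct literal also parses as an expr.`. The same comment covers the three-token arm added further down.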