From 4d6b4bb2f0588c2a20908855b81ff06c7c125ddf Mon Sep 17 00:00:00 2001
From: Marco Dinis
Date: Mon, 28 Oct 2024 10:03:30 +0000
Subject: [PATCH] [v14] Fix UserContext SSO detection in UI for Okta Users (#47944) (#47959)

* Fix UserContext SSO detection in UI for Okta Users (#47944)
* Fix UserContext SSO detection in UI for Okta Users
Okta imported users are not being properly identified as SSO users. Okta does not set any of the Users' identities and instead only sets the User.Connector.CreatedBy field. When building the UserContext, which is used by the WebUI, it was returning `local` user type for Okta users.
* move usertype check to types.User
* remove User.Status field which only exists on 15+
---
 api/types/user.go | 10 +++++++---
 lib/web/ui/usercontext.go | 4 +---
 lib/web/ui/usercontext_test.go | 18 +++++++++++++++++-
 3 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/api/types/user.go b/api/types/user.go
index 8a27369e21532..5769e53fd62b9 100644
--- a/api/types/user.go
+++ b/api/types/user.go
@@ -497,11 +497,15 @@ func (u UserV2) GetGCPServiceAccounts() []string {
 // GetUserType indicates if the User was created by an SSO Provider or locally.
 func (u UserV2) GetUserType() UserType {
- if u.GetCreatedBy().Connector == nil {
- return UserTypeLocal
+ if u.GetCreatedBy().Connector != nil ||
+ len(u.GetOIDCIdentities()) > 0 ||
+ len(u.GetGithubIdentities()) > 0 ||
+ len(u.GetSAMLIdentities()) > 0 {
+
+ return UserTypeSSO
 }
- return UserTypeSSO
+ return UserTypeLocal
 }
 // IsBot returns true if the user is a bot.
diff --git a/lib/web/ui/usercontext.go b/lib/web/ui/usercontext.go
index 0ccef5c69ba31..cf16947ba82a0 100644
--- a/lib/web/ui/usercontext.go
+++ b/lib/web/ui/usercontext.go
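Review bot: The doc comment on `GetUserType` in `api/types/user.go` still says it reports whether the user "was created by an SSO Provider or locally", but the new condition also returns `UserTypeSSO` for a user whose `CreatedBy.Connector` is nil and who only has an OIDC, GitHub or SAML identity attached. Because the method lives in `api/types`, every caller picks up the wider definition, not just the Web UI, so any caller that gates local-credential behaviour on `UserTypeLocal` should be checked (none are visible in this patch). I would update the comment to something like `// GetUserType reports UserTypeSSO when the user was created by a connector or has any OIDC, GitHub or SAML identity, and UserTypeLocal otherwise.` The diffstat lists no test file under `api/types`, so the three identity branches appear to be covered only indirectly through `NewUserContext`.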
@@ -100,9 +100,7 @@ func NewUserContext(user types.User, userRoles services.RoleSet, features proto.
 authType := authLocal
 // check for any SSO identities
- isSSO := len(user.GetOIDCIdentities()) > 0 ||
- len(user.GetGithubIdentities()) > 0 ||
- len(user.GetSAMLIdentities()) > 0
+ isSSO := user.GetUserType() == types.UserTypeSSO
 if isSSO {
 // SSO user
diff --git a/lib/web/ui/usercontext_test.go b/lib/web/ui/usercontext_test.go
index 569a42269c26c..cd54e0cccc241 100644
--- a/lib/web/ui/usercontext_test.go
+++ b/lib/web/ui/usercontext_test.go
@@ -61,7 +61,23 @@ func TestNewUserContext(t *testing.T) {
 user.Spec.GithubIdentities = []types.ExternalIdentity{{ConnectorID: "foo", Username: "bar"}}
 userContext, err = NewUserContext(user, roleSet, proto.Features{}, true, false)
 require.NoError(t, err)
- require.Equal(t, userContext.AuthType, authSSO)
+ require.Equal(t, authSSO, userContext.AuthType)
+
+ // test sso auth type for users with the CreatedBy.Connector field set.
+ // Eg users import from okta do not have any Identities, so the CreatedBy.Connector must be checked.
+ userCreatedExternally := &types.UserV2{
+ Metadata: types.Metadata{
+ Name: "root",
+ },
+ Spec: types.UserSpecV2{
+ CreatedBy: types.CreatedBy{
+ Connector: &types.ConnectorRef{},
+ },
+ },
+ }
+ userContext, err = NewUserContext(userCreatedExternally, roleSet, proto.Features{}, true, false)
+ require.NoError(t, err)
+ require.Equal(t, authSSO, userContext.AuthType)
 }
 func TestNewUserContextCloud(t *testing.T) {
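Review bot: The context comment `// check for any SSO identities` directly above the changed line in `lib/web/ui/usercontext.go` no longer describes it, since the decision is now delegated to `user.GetUserType()`, which also looks at `CreatedBy.Connector`. I would replace it with `// SSO users are those types.User.GetUserType classifies as UserTypeSSO (connector-created or holding external identities).` `NewUserContext` starts and ends outside this hunk, so how `authType` is used further down is not visible here.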
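Review bot: The new case in `TestNewUserContext` builds the user with an empty `&types.ConnectorRef{}`, so it pins the behaviour that any non-nil connector reference, even one with no fields set, is classified as SSO. If that is intended, the test comment should say so; otherwise populate the reference the way an Okta import would and decide in `GetUserType` whether an empty reference should count. The hunk also adds no case for OIDC or SAML identities, although those branches moved into `GetUserType` in this patch. The earlier part of the test lies outside the hunk, so they may already be covered there.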