From 8409b5e757c26f05c39fc5e681deaf9120a45152 Mon Sep 17 00:00:00 2001
From: Marco Dinis
Date: Fri, 25 Oct 2024 15:52:28 +0100
Subject: [PATCH 1/2] Fix UserContext SSO detection in UI for Okta Users

Okta imported users are not being properly identified as SSO users. Okta does not set any of the Users' identities and instead only sets the User.Connector.CreatedBy field. When building the UserContext, which is used by the WebUI, it was returning `local` user type for Okta users.
---
 lib/web/ui/usercontext.go | 3 ++-
 lib/web/ui/usercontext_test.go | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/lib/web/ui/usercontext.go b/lib/web/ui/usercontext.go
index 66677845338bc..e464bc0f0494d 100644
--- a/lib/web/ui/usercontext.go
+++ b/lib/web/ui/usercontext.go
@@ -104,7 +104,8 @@ func NewUserContext(user types.User, userRoles services.RoleSet, features proto.
 authType := authLocal

 // check for any SSO identities
- isSSO := len(user.GetOIDCIdentities()) > 0 ||
+ isSSO := user.GetUserType() == types.UserTypeSSO ||
+ len(user.GetOIDCIdentities()) > 0 ||
 len(user.GetGithubIdentities()) > 0 ||
 len(user.GetSAMLIdentities()) > 0

diff --git a/lib/web/ui/usercontext_test.go b/lib/web/ui/usercontext_test.go
index cd1895fa2961e..18fab7d2c277c 100644
--- a/lib/web/ui/usercontext_test.go
+++ b/lib/web/ui/usercontext_test.go
@@ -68,6 +68,25 @@ func TestNewUserContext(t *testing.T) {
 userContext, err = NewUserContext(user, roleSet, proto.Features{}, true, false)
 require.NoError(t, err)
 require.Equal(t, authSSO, userContext.AuthType)
+
+ // test sso auth type for users with the CreatedBy.Connector field set.
+ // Eg users import from okta do not have any Identities, so the CreatedBy.Connector must be checked.
+ userCreatedExternally := &types.UserV2{
+ Metadata: types.Metadata{
+ Name: "root",
+ },
+ Status: types.UserStatusV2{
+ PasswordState: types.PasswordState_PASSWORD_STATE_SET,
+ },
+ Spec: types.UserSpecV2{
+ CreatedBy: types.CreatedBy{
+ Connector: &types.ConnectorRef{},
+ },
+ },
+ }
+ userContext, err = NewUserContext(userCreatedExternally, roleSet, proto.Features{}, true, false)
+ require.NoError(t, err)
+ require.Equal(t, authSSO, userContext.AuthType)
 }

 func TestNewUserContextCloud(t *testing.T) {

From 3651123213d1665cbbbe49dda7930c9f793fb0d1 Mon Sep 17 00:00:00 2001
From: Marco Dinis
Date: Fri, 25 Oct 2024 17:07:53 +0100
Subject: [PATCH 2/2] move usertype check to types.User

---
 api/types/user.go | 10 +++++++---
 lib/web/ui/usercontext.go | 5 +----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/api/types/user.go b/api/types/user.go
index f509ec508e991..8594d3805df12 100644
--- a/api/types/user.go
+++ b/api/types/user.go
@@ -521,11 +521,15 @@ func (u UserV2) GetGCPServiceAccounts() []string {

 // GetUserType indicates if the User was created by an SSO Provider or locally.
 func (u UserV2) GetUserType() UserType {
- if u.GetCreatedBy().Connector == nil {
- return UserTypeLocal
+ if u.GetCreatedBy().Connector != nil ||
+ len(u.GetOIDCIdentities()) > 0 ||
+ len(u.GetGithubIdentities()) > 0 ||
+ len(u.GetSAMLIdentities()) > 0 {
+
+ return UserTypeSSO
 }

- return UserTypeSSO
+ return UserTypeLocal
 }

 // IsBot returns true if the user is a bot.
diff --git a/lib/web/ui/usercontext.go b/lib/web/ui/usercontext.go
index e464bc0f0494d..6a06fff1890e6 100644
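Review bot: The added block only asserts the positive case, so a regression that classifies every user as SSO (for instance a check on the wrong field once patch 2 moves the logic into GetUserType) would still pass; it should also build a `types.UserV2` with `CreatedBy.Connector` nil and no identities and assert `authLocal`, unless the earlier part of TestNewUserContext, which starts before the hunk, already does. This matters because the SSO/local split drives which credential-management UI a user is shown. The second added comment reads `// Eg users import from okta ...`; suggest `// E.g. users imported from Okta have no identities, so CreatedBy.Connector must be checked.`.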
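Review bot: GetUserType is part of the exported types.User surface and this hunk widens its SSO criterion from `CreatedBy.Connector` alone to any OIDC, GitHub or SAML identity, yet patch 2 adds no test under api/types; the only coverage is the indirect one in lib/web/ui/usercontext_test.go. A user with an identity but a nil Connector now reports `UserTypeSSO`, which may change behaviour for other callers of GetUserType not visible here, so a table test on `UserV2` covering connector-only, identity-only and neither would pin the new contract. The doc comment should state that rule too, e.g. `// GetUserType reports UserTypeSSO when the user was created by a connector or has any OIDC, GitHub or SAML identity, and UserTypeLocal otherwise.`. Style: the blank line inserted directly after the multi-line condition's `{` is unusual in Go; dropping it keeps `return UserTypeSSO` adjacent to its condition.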
--- a/lib/web/ui/usercontext.go
+++ b/lib/web/ui/usercontext.go
@@ -104,10 +104,7 @@ func NewUserContext(user types.User, userRoles services.RoleSet, features proto.
 authType := authLocal

 // check for any SSO identities
- isSSO := user.GetUserType() == types.UserTypeSSO ||
- len(user.GetOIDCIdentities()) > 0 ||
- len(user.GetGithubIdentities()) > 0 ||
- len(user.GetSAMLIdentities()) > 0
+ isSSO := user.GetUserType() == types.UserTypeSSO

 if isSSO {
 // SSO user
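Review bot: The context comment `// check for any SSO identities` no longer describes the single remaining line, which delegates to `GetUserType`; per the api/types hunk that method also treats a non-nil `CreatedBy.Connector` as SSO, so identities are no longer what is checked here. Suggest `// GetUserType treats users created by a connector (e.g. Okta-imported) or holding any SSO identity as SSO.`. With the decision now living in api/types, the UI test added in patch 1 is the only place that verifies a connector-created user ends up with authSSO, so it is worth keeping despite the logic move. NewUserContext continues past the hunk.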