lock certain users username / password, prevent demo creds from being changed.

2025-03-03 23:51:21 -08:00
parent 999ad9a4ce
commit 6ee707576b
4 changed files with 44 additions and 1 deletions
--- a/bin/core/src/api/write/user.rs
+++ b/bin/core/src/api/write/user.rs
@@ -12,7 +12,9 @@ use komodo_client::{
 use mungos::mongodb::bson::{doc, oid::ObjectId};
 use resolver_api::Resolve;

-use crate::{helpers::hash_password, state::db_client};
+use crate::{
+  config::core_config, helpers::hash_password, state::db_client,
+};

 use super::WriteArgs;

@@ -23,6 +25,16 @@ impl Resolve<WriteArgs> for UpdateUserUsername {
    self,
    WriteArgs { user }: &WriteArgs,
  ) -> serror::Result<UpdateUserUsernameResponse> {
+    for locked_username in &core_config().lock_login_credentials_for {
+      if locked_username == "__ALL__"
+        || *locked_username == user.username
+      {
+        return Err(
+          anyhow!("User not allowed to update their username.")
+            .into(),
+        );
+      }
+    }
    if self.username.is_empty() {
      return Err(anyhow!("Username cannot be empty.").into());
    }
@@ -56,6 +68,16 @@ impl Resolve<WriteArgs> for UpdateUserPassword {
    self,
    WriteArgs { user }: &WriteArgs,
  ) -> serror::Result<UpdateUserPasswordResponse> {
+    for locked_username in &core_config().lock_login_credentials_for {
+      if locked_username == "__ALL__"
+        || *locked_username == user.username
+      {
+        return Err(
+          anyhow!("User not allowed to update their password.")
+            .into(),
+        );
+      }
+    }
    let UserConfig::Local { .. } = user.config else {
      return Err(anyhow!("User is not local user").into());
    };
--- a/bin/core/src/config.rs
+++ b/bin/core/src/config.rs
@@ -182,6 +182,8 @@ pub fn core_config() -> &'static CoreConfig {
        .unwrap_or(config.disable_user_registration),
      disable_non_admin_create: env.komodo_disable_non_admin_create
        .unwrap_or(config.disable_non_admin_create),
+      lock_login_credentials_for: env.komodo_lock_login_credentials_for
+        .unwrap_or(config.lock_login_credentials_for),
      local_auth: env.komodo_local_auth
        .unwrap_or(config.local_auth),
      logging: LogConfig {
--- a/client/core/rs/src/entities/config/core.rs
+++ b/client/core/rs/src/entities/config/core.rs
@@ -96,6 +96,8 @@ pub struct Env {
  pub komodo_enable_new_users: Option<bool>,
  /// Override `disable_user_registration`
  pub komodo_disable_user_registration: Option<bool>,
+  /// Override `lock_login_credentials_for`
+  pub komodo_lock_login_credentials_for: Option<Vec<String>>,
  /// Override `disable_confirm_dialog`
  pub komodo_disable_confirm_dialog: Option<bool>,
  /// Override `disable_non_admin_create`
@@ -300,6 +302,13 @@ pub struct CoreConfig {
  #[serde(default)]
  pub disable_user_registration: bool,

+  /// List of usernames for which the update username / password
+  /// APIs are disabled. Used by demo to lock the 'demo' : 'demo' login.
+  ///
+  /// To lock the api for all users, use `lock_login_credentials_for = ["__ALL__"]`
+  #[serde(default)]
+  pub lock_login_credentials_for: Vec<String>,
+
  /// Normally all users can create resources.
  /// If `disable_non_admin_create = true`, only admins will be able to create resources.
  #[serde(default)]
@@ -581,6 +590,7 @@ impl CoreConfig {
      enable_new_users: config.enable_new_users,
      disable_user_registration: config.disable_user_registration,
      disable_non_admin_create: config.disable_non_admin_create,
+      lock_login_credentials_for: config.lock_login_credentials_for,
      local_auth: config.local_auth,
      oidc_enabled: config.oidc_enabled,
      oidc_provider: config.oidc_provider,
--- a/config/core.config.toml
+++ b/config/core.config.toml
@@ -118,6 +118,15 @@ transparent_mode = false
 ## Default: false
 disable_non_admin_create = false

+## Normally users can update their username / password using the API.
+## This will disable this ability for specific users or all users.
+## Example:
+##  - `lock_login_credentials_for = []` will allow all users to update username / password.
+##  - `lock_login_credentials_for = ["demo"]` will block the demo user from doing so.
+##  - `lock_login_credentials_for = ["__ALL__"]` will block all users.
+## Default: empty list
+lock_login_credentials_for = []
+
 ## Optionally provide a specific jwt secret.
 ## Passing nothing or an empty string will cause one to be generated on every startup.
 ## This means users will have to log in again if Komodo restarts.