Ensures that in-active users are not allowed to login. (#618)

lemur/auth/service.py

@@ -68,7 +68,7 @@ def create_token(user):
 
 def login_required(f):
     """
-    Validates the JWT and ensures that is has not expired.
+    Validates the JWT and ensures that is has not expired and the user is still active.
 
     :param f:
     :return:
@@ -94,7 +94,12 @@ def login_required(f):
         except jwt.InvalidTokenError:
             return dict(message='Token is invalid'), 403
 
-        g.current_user = user_service.get(payload['sub'])
+        user = user_service.get(payload['sub'])
+
+        if not user.active:
+            return dict(message='User is not currently active'), 403
+
+        g.current_user = user
 
         if not g.current_user:
             return dict(message='You are not logged in'), 403

lemur/auth/views.py

@@ -93,7 +93,7 @@ class Login(Resource):
         else:
             user = user_service.get_by_username(args['username'])
 
-        if user and user.check_password(args['password']):
+        if user and user.check_password(args['password']) and user.active:
             # Tell Flask-Principal the identity changed
             identity_changed.send(current_app._get_current_object(),
                                   identity=Identity(user.id))
@@ -194,6 +194,7 @@ class Ping(Resource):
             roles.append(role)
 
         role = role_service.get_by_name(profile['email'])
+
         if not role:
             role = role_service.create(profile['email'], description='This is a user specific role')
         roles.append(role)
@@ -231,9 +232,14 @@ class Ping(Resource):
                 roles
             )
 
+        if not user.active:
+            metrics.send('invalid_login', 'counter', 1)
+            return dict(message='The supplied credentials are invalid'), 403
+
         # Tell Flask-Principal the identity changed
         identity_changed.send(current_app._get_current_object(), identity=Identity(user.id))
 
+        metrics.send('successful_login', 'counter', 1)
         return dict(token=create_token(user))
 
 
@@ -272,10 +278,16 @@ class Google(Resource):
 
         user = user_service.get_by_email(profile['email'])
 
+        if not user.active:
+            metrics.send('invalid_login', 'counter', 1)
+            return dict(message='The supplied credentials are invalid.'), 401
+
         if user:
             metrics.send('successful_login', 'counter', 1)
             return dict(token=create_token(user))
 
+        metrics.send('invalid_login', 'counter', 1)
+
 
 class Providers(Resource):
     def get(self):

lemur/static/app/angular/app.js

@@ -105,6 +105,15 @@
       RestangularConfigurer.setBaseUrl('http://localhost:8000/api/1');
       RestangularConfigurer.setDefaultHttpFields({withCredentials: true});
 
+      // handle situation where our token has become invalid.
+      RestangularConfigurer.setErrorInterceptor(function (response) {
+        if (response.status === 403) {
+          $auth.logout();
+          $location.path('/login');
+          return false;
+        }
+      });
+
       RestangularConfigurer.addResponseInterceptor(function (data, operation) {
         var extractedData;
 

lemur/static/app/angular/users/view/view.tpl.html

@@ -27,7 +27,7 @@
             <td data-title="'Active'" sortable="'active'">
               <i class="glyphicon glyphicon-ok" ng-show="certificate.san == 'true'"></i>
               <i class="glyphicon glyphicon-remove" ng-show="certificate.san == 'false'"></i>
-              <i ng-show="user.active" class="glyphicon glyphicon-ok"></i><i ng-show="!user.active" class="glyphicon gplyphinco-remove"></i>
+              <i ng-show="user.active" class="glyphicon glyphicon-ok"></i><i ng-show="!user.active" class="glyphicon glyphicon-remove"></i>
             </td>
             <td data-title="''">
               <div class="btn-group-vertical pull-right">