Add functionality to Enable/Disable users

[shiv-tyagi]

As discussed in #640, this adds a property to the UserDB to mark a user enable/disabled. Before creating an authentication session in pam, we check if the user exists in the cache and is disabled.

This also adds the initial implementation of the authctl tool which can be used to enable/disable a user.

[shiv-tyagi]

@adombeck Does this look good?

I see that the tests are failing on main branch as well. So I am hoping that it is not me.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 86.15385% with 9 lines in your changes missing coverage. Please review.

Project coverage is 79.08%. Comparing base (36511cd) to head (5152313).
Report is 449 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/users/db/update.go	57.14%	4 Missing and 2 partials ⚠️
internal/services/pam/pam.go	57.14%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #782      +/-   ##
==========================================
- Coverage   83.43%   79.08%   -4.36%     
==========================================
  Files          83      102      +19     
  Lines        8689    10442    +1753     
  Branches       74       74              
==========================================
+ Hits         7250     8258    +1008     
- Misses       1111     1715     +604     
- Partials      328      469     +141     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[adombeck]

We use the term "database" instead of "cache" now (related: #775)

Suggested change

	// Throw an error if the user trying to authenticate already exists in cache and is disabled
	// Throw an error if the user trying to authenticate already exists in the database and is disabled

[shiv-tyagi]

changed.

[adombeck]

Hi @shiv-tyagi, yes this looks good, thanks! One small thing: I would prefer to have a Disabled field instead of Enabled, so that the default value (false) means that the user is enabled, even when we're not using NewUserDB to instantiate the UserDB struct (like we do here).

[adombeck]

There should also be a new test case "Error_when_user_is_disabled" in https://github.com/shiv-tyagi/authd/blob/fed39218cfcce6c23e80e0d02fe2a2d748d3d912/internal/brokers/manager_test.go#L187-L190.

[adombeck]

Oh and I don't think it makes sense to merge this before we have code which actually causes a user to be disabled (i.e. the command-line tool). If you still plan to work on that soon, feel free to repurpose this PR. Otherwise, I'll start working on that soon and would then cherry-pick your commits to a new branch.

[shiv-tyagi]

I would prefer to have a Disabled field instead of Enabled, so that the default value (false) means that the user is enabled, even when we're not using NewUserDB to instantiate the UserDB struct (like we do here).

Sure. I will do that.

There should also be a new test case "Error_when_user_is_disabled"

Noted.

If you still plan to work on that soon, feel free to repurpose this PR.

Yes, I really intend to work on that. I will push my work soon :)

[3v1n0]

Suggested change

	usr, err := m.cache.UserByName(username)
	u, err := m.cache.UserByName(username)

[shiv-tyagi]

Fixed. Thanks.

[adombeck]

Let's handle unexpected errors here

Suggested change

	userIsDisabled, err := s.userManager.IsUserDisabled(username)
	if err == nil && userIsDisabled {
	return nil, status.Error(codes.PermissionDenied, fmt.Sprintf("user %s is disabled", username))
	}
	userIsDisabled, err := s.userManager.IsUserDisabled(username)
	if err != nil && !errors.Is(err, users.NoDataFoundError{}) {
	return nil, fmt.Errorf("could not check if user %q is disabled: %w", username, err)
	}
	if err == nil && userIsDisabled {
	return nil, status.Error(codes.PermissionDenied, fmt.Sprintf("user %s is disabled", username))
	}

[shiv-tyagi]

Thanks for suggesting. I have incorporated this change.

[adombeck]

I rebased on main and resolved the conflicts caused by #779.

[shiv-tyagi]

I rebased on main and resolved the conflicts caused by #779.

Thanks for this @adombeck. I had some more work which I had not pushed yet. I would need to fix that as well. Planning to push that work soon.

[shiv-tyagi]

I have finished the part till extending the GRPC API with new methods and adding unit tests for those. Now only the part of creating the CLI tool to call those methods remains.

[shiv-tyagi]

@adombeck I have added the initial implementation of the authctl tool. Please check if it looks good and provide any suggestions for me to proceed. This is my first time writing Go code, so I apologise if I made any rookie mistakes. I’ll be happy to fix them.

Thanks in advance.

[adombeck]

I've got a few comments but the overall code style is good! Thanks a lot, @shiv-tyagi!

[adombeck]

This test case is not named correctly

[shiv-tyagi]

Sorry that was a copy and paste error. I should have been more careful. I have fixed this.

[adombeck]

Same here, please update the test case name

[shiv-tyagi]

Fixed this.

[adombeck]

I don't understand why we would need to mock gpasswd in this test, but I also don't see why that's done in many of the other tests in this file which are unrelated to /etc/group. I see that was introduced in fd10538, do you remember the reason, @denisonbarbosa?

[adombeck]

There should be a test case which uses testdata with a disabled user. Currently, it only tests enabling a user which was already enabled before.

[shiv-tyagi]

I think I am already doing that. Please see this.

[adombeck]

The GetPasswd... methods are named like that because they return an entry like the ones in the /etc/passwd file. This analogy doesn't really apply to the disable/enable functionality, so let's name these methods DisableUser and EnableUser.

[shiv-tyagi]

Done.

[adombeck]

"Error while executing authctl" doesn't provide any useful info. Let's just print the error.

Suggested change

	fmt.Fprintf(os.Stderr, "Error while executing authctl '%s'\n", err)
	fmt.Fprintln(os.Stderr, err.Error())

[shiv-tyagi]

Done.

[adombeck]

"Disable a user to log in" is not a correct sentence. Also, I would like to convey that this can only disable users managed by authd (which is also an opportunity to at least implicitly tell users that the user accounts created by authd are managed separately from other user accounts on the system), so how about:

Suggested change

	Short: "Disable a user to log in",
	Short: "Disable a user managed by authd",

[shiv-tyagi]

Sounds better. Fixed that.

[adombeck]

That's the wrong API method, you want to call DisablePasswd.

[shiv-tyagi]

Oops. Sorry. I have fixed that.

[adombeck]

nitpick: no newline between function call and error handling. please also change that in the other occurrences in cmd/authctl/user/disable.go and cmd/authctl/user/enable.go.

Suggested change

	conn, err := grpc.NewClient("unix://"+consts.DefaultSocketPath, grpc.WithTransportCredentials(insecure.NewCredentials()))
	if err != nil {
	return err
	}
	conn, err := grpc.NewClient("unix://"+consts.DefaultSocketPath, grpc.WithTransportCredentials(insecure.NewCredentials()))
	if err != nil {
	return err
	}

[shiv-tyagi]

Fixed this.

[adombeck]

Suggested change

	Short: "Commands retaled to working with users",
	Short: "Commands related to users",

[shiv-tyagi]

Done. Thanks.

[shiv-tyagi]

Thank you so much @adombeck for reviewing this. I have addressed all your suggestions. What next? How should I test it locally?