fleet/server/service/service_users.go

package service

import (
	"context"

	"github.com/fleetdm/fleet/v4/server"

	"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/fleetdm/fleet/v4/server/ptr"
)

func (svc *Service) CreateInitialUser(ctx context.Context, p fleet.UserPayload) (*fleet.User, error) {
	// skipauth: Only the initial user creation should be allowed to skip
	// authorization (because there is not yet a user context to check against).
	svc.authz.SkipAuthorization(ctx)

	setupRequired, err := svc.SetupRequired(ctx)
	if err != nil {
		return nil, err
	}
	if !setupRequired {
		return nil, ctxerr.New(ctx, "a user already exists")
	}

	// Initial user should be global admin with no explicit teams
	p.GlobalRole = ptr.String(fleet.RoleAdmin)
	p.Teams = nil

	return svc.newUser(ctx, p)
}

func (svc *Service) newUser(ctx context.Context, p fleet.UserPayload) (*fleet.User, error) {
	var ssoEnabled bool
	// if user is SSO generate a fake password
	if (p.SSOInvite != nil && *p.SSOInvite) || (p.SSOEnabled != nil && *p.SSOEnabled) {
		fakePassword, err := server.GenerateRandomText(14)
		if err != nil {
			return nil, ctxerr.Wrap(ctx, err, "generate stand-in password")
		}
		p.Password = &fakePassword
		ssoEnabled = true
	}
	user, err := p.User(svc.config.Auth.SaltKeySize, svc.config.Auth.BcryptCost)
	if err != nil {
		return nil, err
	}
	user.SSOEnabled = ssoEnabled
	user, err = svc.ds.NewUser(ctx, user)
	if err != nil {
		return nil, err
	}
	return user, nil
}

func (svc *Service) UserUnauthorized(ctx context.Context, id uint) (*fleet.User, error) {
	// Explicitly no authorization check. Should only be used by middleware.
	return svc.ds.UserByID(ctx, id)
}
Organizing go code (#241) 2016-09-26 18:48:55 +00:00			`package service`
go-kit server layout 2016-08-28 03:59:17 +00:00
			`import (`
Update go-kit to 0.4.0 (#1411) Notable refactoring: - Use stdlib "context" in place of "golang.org/x/net/context" - Go-kit no longer wraps errors, so we remove the unwrap in transport_error.go - Use MakeHandler when setting up endpoint tests (fixes test bug caught during this refactoring) Closes #1411. 2017-03-15 15:55:30 +00:00			`"context"`
go-kit server layout 2016-08-28 03:59:17 +00:00
Refactor app config (POC, for now) (#1685) 2021-08-20 15:27:41 +00:00			`"github.com/fleetdm/fleet/v4/server"`

Use new error handling approach in other packages (#2954) 2021-11-22 14:13:26 +00:00			`"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"`
Add v4 suffix in go.mod (#1224) 2021-06-26 04:46:51 +00:00			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`"github.com/fleetdm/fleet/v4/server/ptr"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`)`

Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`func (svc Service) CreateInitialUser(ctx context.Context, p fleet.UserPayload) (fleet.User, error) {`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`// skipauth: Only the initial user creation should be allowed to skip`
			`// authorization (because there is not yet a user context to check against).`
			`svc.authz.SkipAuthorization(ctx)`

			`setupRequired, err := svc.SetupRequired(ctx)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if !setupRequired {`
Use new error handling approach in other packages (#2954) 2021-11-22 14:13:26 +00:00			`return nil, ctxerr.New(ctx, "a user already exists")`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`}`

			`// Initial user should be global admin with no explicit teams`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`p.GlobalRole = ptr.String(fleet.RoleAdmin)`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`p.Teams = nil`

Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`return svc.newUser(ctx, p)`
create first time setup endpoint (#436) The endpoint is only active if there are no users in the datastore. While the endpoint is active, it also disables all the other API endpoints, and /config returns `{"require_setup":true}` for #378 2016-11-09 17:19:07 +00:00			`}`

Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`func (svc Service) newUser(ctx context.Context, p fleet.UserPayload) (fleet.User, error) {`
Add SSO support to new user activation (#1504) Closes #1502. This PR adds support for SSO to the new user creation process. An admin now has the option to select SSO when creating a new user. When the confirmation form is submitted, the user is automatically authenticated with the IDP, and if successful, is redirected to the Kolide home page. Password authentication, password change and password reset are not allowed for an SSO user. 2017-05-10 16:26:05 +00:00			`var ssoEnabled bool`
			`// if user is SSO generate a fake password`
Implement fleetctl user create (#9) - Allow user creation via `fleetctl user create` - Cleanup and rename existing methods for clarity Fixes https://github.com/kolide/fleet/issues/2306 2020-11-05 01:06:55 +00:00			`if (p.SSOInvite != nil && p.SSOInvite) \|\| (p.SSOEnabled != nil && p.SSOEnabled) {`
Issue 1278 select leader (#1367) * Add leader selection * remove comment * Address review comments * Add changes file * Simplify implementation * Simplify further * Whoops, removed a little too much 2021-07-19 18:08:41 +00:00			`fakePassword, err := server.GenerateRandomText(14)`
Add SSO support to new user activation (#1504) Closes #1502. This PR adds support for SSO to the new user creation process. An admin now has the option to select SSO when creating a new user. When the confirmation form is submitted, the user is automatically authenticated with the IDP, and if successful, is redirected to the Kolide home page. Password authentication, password change and password reset are not allowed for an SSO user. 2017-05-10 16:26:05 +00:00			`if err != nil {`
Use new error handling approach in other packages (#2954) 2021-11-22 14:13:26 +00:00			`return nil, ctxerr.Wrap(ctx, err, "generate stand-in password")`
Add SSO support to new user activation (#1504) Closes #1502. This PR adds support for SSO to the new user creation process. An admin now has the option to select SSO when creating a new user. When the confirmation form is submitted, the user is automatically authenticated with the IDP, and if successful, is redirected to the Kolide home page. Password authentication, password change and password reset are not allowed for an SSO user. 2017-05-10 16:26:05 +00:00			`}`
			`p.Password = &fakePassword`
			`ssoEnabled = true`
			`}`
create first time setup endpoint (#436) The endpoint is only active if there are no users in the datastore. While the endpoint is active, it also disables all the other API endpoints, and /config returns `{"require_setup":true}` for #378 2016-11-09 17:19:07 +00:00			`user, err := p.User(svc.config.Auth.SaltKeySize, svc.config.Auth.BcryptCost)`
			`if err != nil {`
			`return nil, err`
			`}`
Add SSO support to new user activation (#1504) Closes #1502. This PR adds support for SSO to the new user creation process. An admin now has the option to select SSO when creating a new user. When the confirmation form is submitted, the user is automatically authenticated with the IDP, and if successful, is redirected to the Kolide home page. Password authentication, password change and password reset are not allowed for an SSO user. 2017-05-10 16:26:05 +00:00			`user.SSOEnabled = ssoEnabled`
Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`user, err = svc.ds.NewUser(ctx, user)`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`if err != nil {`
			`return nil, err`
			`}`
go-kit server layout 2016-08-28 03:59:17 +00:00			`return user, nil`
			`}`

Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`func (svc Service) UserUnauthorized(ctx context.Context, id uint) (fleet.User, error) {`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`// Explicitly no authorization check. Should only be used by middleware.`
Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`return svc.ds.UserByID(ctx, id)`
add tests for set password 2016-08-29 00:29:56 +00:00			`}`