From 0a44c30a46e54dfd5e57f801120d60e178893edc Mon Sep 17 00:00:00 2001
From: hongming
Date: Mon, 9 May 2022 17:11:04 +0800
Subject: [PATCH] Fix disabled status not work for OAuth
---
 pkg/models/auth/oauth.go | 4 ++++
 pkg/models/auth/oauth_test.go | 31 +++++++++++++++++++++++++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/pkg/models/auth/oauth.go b/pkg/models/auth/oauth.go
index fbcd87f47b..207c494512 100644
--- a/pkg/models/auth/oauth.go
+++ b/pkg/models/auth/oauth.go
@@ -91,6 +91,10 @@ func (o *oauthAuthenticator) Authenticate(_ context.Context, provider string, re
 }
 if user != nil {
+ if user.Status.State == iamv1alpha2.UserDisabled {
+ // state not active
+ return nil, "", AccountIsNotActiveError
+ }
 return &authuser.DefaultInfo{Name: user.GetName()}, providerOptions.Name, nil
 }
diff --git a/pkg/models/auth/oauth_test.go b/pkg/models/auth/oauth_test.go
index 61e87e5810..8334a05cae 100644
--- a/pkg/models/auth/oauth_test.go
+++ b/pkg/models/auth/oauth_test.go
@@ -53,6 +53,11 @@ func Test_oauthAuthenticator_Authenticate(t *testing.T) {
 "email": "user1@kubesphere.io",
 "username": "user1",
 },
+ "code2": map[string]string{
+ "uid": "100002",
+ "email": "user2@kubesphere.io",
+ "username": "user2",
+ },
 },
 },
 },
@@ -67,8 +72,14 @@ func Test_oauthAuthenticator_Authenticate(t *testing.T) {
 ksClient := fakeks.NewSimpleClientset()
 ksInformerFactory := ksinformers.NewSharedInformerFactory(ksClient, 0)
- err := ksInformerFactory.Iam().V1alpha2().Users().Informer().GetIndexer().Add(newUser("user1", "100001", "fake"))
- if err != nil {
+
+ if err := ksInformerFactory.Iam().V1alpha2().Users().Informer().GetIndexer().Add(newUser("user1", "100001", "fake")); err != nil {
+ t.Fatal(err)
+ }
+
+ blockedUser := newUser("user2", "100002", "fake")
+ blockedUser.Status = iamv1alpha2.UserStatus{State: iamv1alpha2.UserDisabled}
+ if err := ksInformerFactory.Iam().V1alpha2().Users().Informer().GetIndexer().Add(blockedUser); err != nil {
 t.Fatal(err)
 }
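Review bot: In the oauth.go hunk, the new guard in Authenticate rejects only `iamv1alpha2.UserDisabled`, while its own comment reads `// state not active`, so any other non-active state the API defines would still be mapped to an identity on this path. If the intent is to admit only active accounts, an allow-list is the safer shape: `if user.Status.State != iamv1alpha2.UserActive {`, once it is confirmed how an empty, not-yet-reconciled state should be treated for users linked through an identity provider. If only the disabled state is meant, reword the comment to `// disabled accounts must not sign in through an identity provider`. Authenticate begins and ends outside this hunk, so other return paths that yield a user are not visible here and may need the same check.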
@@ -103,6 +114,22 @@ func Test_oauthAuthenticator_Authenticate(t *testing.T) {
 provider: "fake",
 wantErr: false,
 },
+ {
+ name: "Blocked user test",
+ oauthAuthenticator: NewOAuthAuthenticator(
+ nil,
+ ksInformerFactory.Iam().V1alpha2().Users().Lister(),
+ oauthOptions,
+ ),
+ args: args{
+ ctx: context.Background(),
+ provider: "fake",
+ req: must(http.NewRequest(http.MethodGet, "https://ks-console.kubesphere.io/oauth/callback/test?code=code2&state=100002", nil)),
+ },
+ userInfo: nil,
+ provider: "",
+ wantErr: true,
+ },
 {
 name: "Should successfully",
 oauthAuthenticator: NewOAuthAuthenticator(
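Review bot: The "Blocked user test" case pins only `wantErr: true`, so it would also pass if the request failed earlier for an unrelated reason (for example the fake provider not resolving `code2`) without ever reaching the status check. Since the authenticator returns the `AccountIsNotActiveError` sentinel, the case should assert that specific error, e.g. by adding a table field such as `wantErrIs: AccountIsNotActiveError` and comparing with `errors.Is` in the assertion loop. The table's struct definition and the loop are outside this hunk, so the field name is only a suggestion.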