fix: hibernate and unhibernate rbac issue (#6641)

Shivam-nagar23 · web-flow · commit a4a3d0166858 · 2025-06-04T11:46:24.000+05:30
* fixed user status function inauthroser

* fix: correct function name for user retrieval in UserService
diff --git a/App.go b/App.go
@@ -56,6 +56,7 @@ type App struct {
 	server        *http.Server
 	db            *pg.DB
 	posthogClient *posthogTelemetry.PosthogClient
+	userService   user.UserService
 	// eventProcessor.CentralEventProcessor is used to register event processors
 	centralEventProcessor *eventProcessor.CentralEventProcessor // do not remove this.
 	// used for local dev only
@@ -79,6 +80,7 @@ func NewApp(router *router.MuxRouter,
 	pubSubClient *pubsub.PubSubClientServiceImpl,
 	workflowEventProcessorImpl *in.WorkflowEventProcessorImpl,
 	enforcerV2 *casbinv2.SyncedEnforcer,
+	userService user.UserService,
 ) *App {
 	//check argo connection
 	//todo - check argo-cd version on acd integration installation
@@ -97,6 +99,7 @@ func NewApp(router *router.MuxRouter,
 		centralEventProcessor:      centralEventProcessor,
 		pubSubClient:               pubSubClient,
 		workflowEventProcessorImpl: workflowEventProcessorImpl,
+		userService:                userService,
 	}
 	return app
 }
@@ -112,7 +115,7 @@ func (app *App) Start() {
 	app.MuxRouter.Init()
 	//authEnforcer := casbin2.Create()
 
-	server := &http.Server{Addr: fmt.Sprintf(":%d", port), Handler: authMiddleware.Authorizer(app.sessionManager2, user.WhitelistChecker, nil)(app.MuxRouter.Router)}
+	server := &http.Server{Addr: fmt.Sprintf(":%d", port), Handler: authMiddleware.Authorizer(app.sessionManager2, user.WhitelistChecker, app.userService.CheckUserStatusAndUpdateLoginAudit)(app.MuxRouter.Router)}
 	app.MuxRouter.Router.Use(app.loggingMiddleware.LoggingMiddleware)
 	app.MuxRouter.Router.Use(middleware.PrometheusMiddleware)
 	app.MuxRouter.Router.Use(middlewares.Recovery)
diff --git a/cmd/external-app/externalApp.go b/cmd/external-app/externalApp.go
@@ -42,21 +42,24 @@ type App struct {
 	server         *http.Server
 	telemetry      telemetry.TelemetryEventClient
 	posthogClient  *posthogTelemetry.PosthogClient
+	userService    user.UserService
 }
 
 func NewApp(db *pg.DB,
 	sessionManager *authMiddleware.SessionManager,
 	MuxRouter *MuxRouter,
 	telemetry telemetry.TelemetryEventClient,
 	posthogClient *posthogTelemetry.PosthogClient,
-	Logger *zap.SugaredLogger) *App {
+	Logger *zap.SugaredLogger,
+	userService user.UserService) *App {
 	return &App{
 		db:             db,
 		sessionManager: sessionManager,
 		MuxRouter:      MuxRouter,
 		Logger:         Logger,
 		telemetry:      telemetry,
 		posthogClient:  posthogClient,
+		userService:    userService,
 	}
 }
 func (app *App) Start() {
@@ -73,7 +76,7 @@ func (app *App) Start() {
 	if err != nil {
 		app.Logger.Warnw("telemetry installation success event failed", "err", err)
 	}
-	server := &http.Server{Addr: fmt.Sprintf(":%d", port), Handler: authMiddleware.Authorizer(app.sessionManager, user.WhitelistChecker, nil)(app.MuxRouter.Router)}
+	server := &http.Server{Addr: fmt.Sprintf(":%d", port), Handler: authMiddleware.Authorizer(app.sessionManager, user.WhitelistChecker, app.userService.CheckUserStatusAndUpdateLoginAudit)(app.MuxRouter.Router)}
 	app.MuxRouter.Router.Use(middleware.PrometheusMiddleware)
 	app.MuxRouter.Router.Use(middlewares.Recovery)
 	app.server = server
diff --git a/cmd/external-app/wire_gen.go b/cmd/external-app/wire_gen.go
diff --git a/pkg/auth/user/UserSelfRegistrationService.go b/pkg/auth/user/UserSelfRegistrationService.go
@@ -126,20 +126,15 @@ func (impl *UserSelfRegistrationServiceImpl) CheckAndCreateUserIfConfigured(clai
 		emailId = sub
 	}
 	exists := impl.userService.UserExists(emailId)
-	var id int32
 	if !exists {
 		impl.logger.Infow("self registering user,  ", "email", emailId)
 		user, err := impl.SelfRegister(emailId)
 		if err != nil {
 			impl.logger.Errorw("error while register user", "error", err)
 		} else if user != nil && user.Id > 0 {
-			id = user.Id
 			exists = true
 		}
 	}
-	if exists {
-		impl.userService.SaveLoginAudit(emailId, "localhost", id)
-	}
 	impl.logger.Infow("user status", "email", emailId, "status", exists)
 	return exists
 }
diff --git a/pkg/auth/user/UserService.go b/pkg/auth/user/UserService.go
@@ -86,6 +86,7 @@ type UserService interface {
 	GetRoleFiltersByUserRoleGroups(userRoleGroups []userBean.UserRoleGroup) ([]userBean.RoleFilter, error)
 	SaveLoginAudit(emailId, clientIp string, id int32)
 	CheckIfTokenIsValid(email string, version string) error
+	CheckUserStatusAndUpdateLoginAudit(token string) (bool, int32, string, error)
 }
 
 type UserServiceImpl struct {
@@ -1826,3 +1827,34 @@ func (impl *UserServiceImpl) GetUserBasicDataByEmailId(emailId string) (*userBea
 	}
 	return response, nil
 }
+
+func (impl *UserServiceImpl) CheckUserStatusAndUpdateLoginAudit(token string) (bool, int32, string, error) {
+	emailId, version, err := impl.GetEmailAndVersionFromToken(token)
+	if err != nil {
+		impl.logger.Error("unable to fetch user by token")
+		err = &util.ApiError{HttpStatusCode: 401, UserMessage: "Invalid User", InternalMessage: "unable to fetch user by token"}
+		return false, 0, "", err
+	}
+	userId, isInactive, err := impl.getUserWithTimeoutWindowConfiguration(emailId)
+	if err != nil {
+		err = &util.ApiError{HttpStatusCode: 401, UserMessage: "Invalid User", InternalMessage: err.Error()}
+		impl.logger.Errorw("unable to fetch user by email, %s", token)
+		return isInactive, userId, "", err
+	}
+	//if user is inactive, no need to store audit log
+	if !isInactive {
+		impl.SaveLoginAudit(emailId, "localhost", userId)
+	}
+	// checking length of version, to ensure backward compatibility as earlier we did not
+	// have version for api-tokens
+	// therefore, for tokens without version we will skip the below part
+	if strings.HasPrefix(emailId, userBean.API_TOKEN_USER_EMAIL_PREFIX) && len(version) > 0 {
+		err := impl.CheckIfTokenIsValid(emailId, version)
+		if err != nil {
+			impl.logger.Errorw("token is not valid", "error", err, "token", token)
+			return isInactive, userId, "", err
+		}
+	}
+
+	return isInactive, userId, emailId, nil
+}
diff --git a/pkg/auth/user/UserService_ent.go b/pkg/auth/user/UserService_ent.go
@@ -8,6 +8,7 @@ import (
 	userBean "github.com/devtron-labs/devtron/pkg/auth/user/bean"
 	userrepo "github.com/devtron-labs/devtron/pkg/auth/user/repository"
 	"github.com/go-pg/pg"
+	"github.com/juju/errors"
 	"strings"
 )
 
@@ -204,3 +205,14 @@ func (impl *UserServiceImpl) checkValidationAndPerformOperationsForUpdate(token
 	}
 	return false, isUserSuperAdmin, nil
 }
+
+func (impl *UserServiceImpl) getUserWithTimeoutWindowConfiguration(emailId string) (int32, bool, error) {
+	user, err := impl.userRepository.FetchActiveUserByEmail(emailId)
+	if err != nil {
+		impl.logger.Errorw("error while fetching user from db", "error", err)
+		errMsg := fmt.Sprintf("failed to fetch user by email id, err: %s", err.Error())
+		return 0, false, errors.New(errMsg)
+	}
+	// here false is always returned to match signature of authoriser function.
+	return user.Id, false, nil
+}
diff --git a/wire_gen.go b/wire_gen.go

Original file line number	Diff line number	Diff line change
`@@ -126,20 +126,15 @@ func (impl *UserSelfRegistrationServiceImpl) CheckAndCreateUserIfConfigured(clai`
`126`	`126`	`emailId = sub`
`127`	`127`	`}`
`128`	`128`	`exists := impl.userService.UserExists(emailId)`
`129`		`- var id int32`
`130`	`129`	`if !exists {`
`131`	`130`	`impl.logger.Infow("self registering user, ", "email", emailId)`
`132`	`131`	`user, err := impl.SelfRegister(emailId)`
`133`	`132`	`if err != nil {`
`134`	`133`	`impl.logger.Errorw("error while register user", "error", err)`
`135`	`134`	`} else if user != nil && user.Id > 0 {`
`136`		`- id = user.Id`
`137`	`135`	`exists = true`
`138`	`136`	`}`
`139`	`137`	`}`
`140`		`- if exists {`
`141`		`- impl.userService.SaveLoginAudit(emailId, "localhost", id)`
`142`		`- }`
`143`	`138`	`impl.logger.Infow("user status", "email", emailId, "status", exists)`
`144`	`139`	`return exists`
`145`	`140`	`}`