The `_system` user is not intended to be an interactive user. However, someone might create a `_system` user in an external identity source and attempt to log in through an external authenticator.

This PR:

- Raises `AuthException` and returns 403 when the System User attempts to log in via an external source
- Adds unit tests
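As an added illustration of the guard this PR describes (not the gateway's own code), the check below rejects a reserved, non-interactive account when the login arrives through an external authenticator, logs a warning, and maps the failure to a 403. The `AuthException` class, the logger name and the list of external source names are assumptions for the example.

```python
import logging

logger = logging.getLogger("gateway.auth")  # hypothetical logger name

# Reserved, non-interactive accounts (constructed set; "_system" is the one the PR names).
RESERVED_USERNAMES = frozenset({"_system"})

# Authenticator types treated as external sources (assumed names for the example).
EXTERNAL_SOURCES = frozenset({"ldap", "radius", "saml", "oidc", "keycloak"})


class AuthException(Exception):
    """Hypothetical stand-in for the gateway's auth error, carrying an HTTP status."""

    def __init__(self, message: str, status: int = 403) -> None:
        super().__init__(message)
        self.status = status


def check_external_login(username: str, source: str) -> None:
    """Raise AuthException(403) when a reserved account logs in via an external source.

    Any other combination is passed through untouched by this guard.
    """
    if source.lower() in EXTERNAL_SOURCES and username.strip().lower() in RESERVED_USERNAMES:
        # The warning is what an operator would look for in the gateway log.
        logger.warning(
            "Rejected login for reserved account %r via external authenticator %r",
            username, source,
        )
        raise AuthException(f"User {username!r} may not log in via {source}", status=403)


def login(username: str, source: str) -> dict:
    """Minimal dispatcher showing how the guard becomes an HTTP-style response."""
    try:
        check_external_login(username, source)
    except AuthException as exc:
        return {"status": exc.status, "detail": str(exc)}
    # The remainder of the authentication pipeline is out of scope here.
    return {"status": 200, "detail": "authenticated"}
```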
Steps to test:

1. Enable the testing authenticator in `container-startup.yml`.
2. Create a user with username `_system` by adding the appropriate configuration for the `_system` user in the following files:
   - LDAP: `/aap-gateway/tools/ansible/roles/ldap/files/ldap.ldif` (remember to ensure the user passes the allow map policy)
   - Radius: `/aap-gateway/tools/ansible/roles/radius/defaults/main.yml`
   - Keycloak: log in to Keycloak via port 8443 with credentials (usr: admin, pw: admin) and create a new `_system` user through the Users tab
3. Log in using the `_system` credentials:
   - LDAP + Radius: log in via port 8800 at `/api/gateway/v1/login/`
   - Keycloak: navigate to `/api/gateway/v1/ui_auth` and choose the corresponding `login_url` for SAML / OIDC
4. Confirm that the response is 403 - Forbidden and that a warning is written to the log.

To see the 403 Permission Denied page, AAP-PR#442 is also needed.