From f304ecdd01e1985aa1d122653f32fb4aaeace7bf Mon Sep 17 00:00:00 2001 From: hongming Date: Wed, 11 May 2022 14:37:41 +0800 Subject: [PATCH] Fix: deny the blocked user request --- pkg/apiserver/authentication/authenticators/jwt/jwt.go | 10 +++++++--- pkg/kapis/oauth/handler.go | 3 +++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/pkg/apiserver/authentication/authenticators/jwt/jwt.go b/pkg/apiserver/authentication/authenticators/jwt/jwt.go index 76108cc18..d7e62e995 100644 --- a/pkg/apiserver/authentication/authenticators/jwt/jwt.go +++ b/pkg/apiserver/authentication/authenticators/jwt/jwt.go @@ -60,15 +60,19 @@ func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string }, true, nil } - u, err := t.userLister.Get(verified.User.GetName()) + userInfo, err := t.userLister.Get(verified.User.GetName()) if err != nil { return nil, false, err } + // AuthLimitExceeded state should be ignored + if userInfo.Status.State == iamv1alpha2.UserDisabled { + return nil, false, auth.AccountIsNotActiveError + } return &authenticator.Response{ User: &user.DefaultInfo{ - Name: u.GetName(), - Groups: append(u.Spec.Groups, user.AllAuthenticated), + Name: userInfo.GetName(), + Groups: append(userInfo.Spec.Groups, user.AllAuthenticated), }, }, true, nil } diff --git a/pkg/kapis/oauth/handler.go b/pkg/kapis/oauth/handler.go index f2e01be24..a052d3a0e 100644 --- a/pkg/kapis/oauth/handler.go +++ b/pkg/kapis/oauth/handler.go 
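Review bot: The comment `// AuthLimitExceeded state should be ignored` above the new check names the state that is not rejected but not why, and it reads as though the following `if` were about AuthLimitExceeded rather than UserDisabled. Suggest `// Reject bearer tokens of disabled users on every request so disabling takes effect before the token expires.` followed by `// AuthLimitExceeded (login lockout) is deliberately not checked here; presumably it only gates new password logins — confirm.` The early-return branch whose `}, true, nil` closes at the top of the hunk skips the userLister lookup entirely, so whatever that branch covers must not be a path a disabled human user can take; AuthenticateToken begins outside the hunk, so its condition is not visible here. If userLister is an informer-backed cache, a freshly disabled user may still be accepted until the cache catches up, which is worth a line in the comment.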
@@ -437,6 +437,9 @@ func (h *handler) passwordGrant(username string, password string, req *restful.R
 	authenticated, provider, err := h.passwordAuthenticator.Authenticate(req.Request.Context(), username, password)
 	if err != nil {
 		switch err {
+		case auth.AccountIsNotActiveError:
+			response.WriteHeaderAndEntity(http.StatusBadRequest, oauth.NewInvalidGrant(err))
+			return
 		case auth.IncorrectPasswordError:
 			requestInfo, _ := request.RequestInfoFrom(req.Request.Context())
 			if err := h.loginRecorder.RecordLogin(username, iamv1alpha2.Token, provider, requestInfo.SourceIP, requestInfo.UserAgent, err); err != nil {
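Review bot: The new `case auth.AccountIsNotActiveError:` returns before anything is recorded, so a password-grant attempt against a disabled account leaves no login record, whereas the `IncorrectPasswordError` case directly below it calls `h.loginRecorder.RecordLogin(...)` first; attempts against disabled accounts are exactly what an incident responder wants in the audit trail. Suggest copying `requestInfo, _ := request.RequestInfoFrom(req.Request.Context())` and `if err := h.loginRecorder.RecordLogin(username, iamv1alpha2.Token, provider, requestInfo.SourceIP, requestInfo.UserAgent, err); err != nil {` into the new case ahead of the WriteHeaderAndEntity call, handling the recording error the same way the IncorrectPasswordError case does (its body lies outside the hunk). Separately, `oauth.NewInvalidGrant(err)` puts the error text on the wire, so if passwordAuthenticator.Authenticate returns AccountIsNotActiveError before the password is verified (not visible here), an unauthenticated caller can tell disabled accounts apart from wrong passwords — confirm the password is checked first, or return the same generic invalid_grant text as for a bad password. passwordGrant starts and ends outside this hunk.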