From 864a254071216e03d4ec9e81e9ca96bd914b1890 Mon Sep 17 00:00:00 2001
From: Paulus Schoutsen
Date: Sun, 15 Jul 2018 23:09:05 +0200
Subject: [PATCH] Aware comments (#15480)

* Make sure we cannot deactivate the owner

* Use different error code when trying to fetch token for inactive user
---
 homeassistant/auth/__init__.py | 2 ++
 homeassistant/components/auth/__init__.py | 7 +++++--
 tests/auth/test_init.py | 11 +++++++++++
 tests/components/auth/test_init.py | 5 ++++-
 4 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/homeassistant/auth/__init__.py b/homeassistant/auth/__init__.py
index b05fca164a0..9f342a50407 100644
--- a/homeassistant/auth/__init__.py
+++ b/homeassistant/auth/__init__.py
@@ -148,6 +148,8 @@ class AuthManager:
 
 async def async_deactivate_user(self, user):
 """Deactivate a user."""
+ if user.is_owner:
+ raise ValueError('Unable to deactive the owner')
 await self._store.async_deactivate_user(user)
 
 async def async_remove_credentials(self, credentials):
diff --git a/homeassistant/components/auth/__init__.py b/homeassistant/components/auth/__init__.py
index f9588093933..6518c2bcc1c 100644
--- a/homeassistant/components/auth/__init__.py
+++ b/homeassistant/components/auth/__init__.py
@@ -243,6 +243,7 @@ class GrantTokenView(HomeAssistantView):
 if client_id is None or not indieauth.verify_client_id(client_id):
 return self.json({
 'error': 'invalid_request',
+ 'error_description': 'Invalid client id',
 }, status_code=400)
 
 grant_type = data.get('grant_type')
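Review bot: The message on the added `raise ValueError('Unable to deactive the owner')` line has a typo, and the docstring right above it no longer tells callers the method can raise; change the line to `raise ValueError('Unable to deactivate the owner')` and the docstring to `"""Deactivate a user. Raises ValueError when the user is the owner."""`. The guard lives only in AuthManager, so anything that calls `self._store.async_deactivate_user` directly still bypasses it — the store appears to be private by convention, but a one-line comment on the guard naming the manager as the enforcement point would make that explicit. ValueError is acceptable for an invariant violation, though a dedicated auth exception type would let HTTP layers map it to a 4xx without catching a generic built-in.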
@@ -272,14 +273,16 @@ class GrantTokenView(HomeAssistantView):
 if credentials is None:
 return self.json({
 'error': 'invalid_request',
+ 'error_description': 'Invalid code',
 }, status_code=400)
 
 user = await hass.auth.async_get_or_create_user(credentials)
 
 if not user.is_active:
 return self.json({
- 'error': 'invalid_request',
- }, status_code=400)
+ 'error': 'access_denied',
+ 'error_description': 'User is not active',
+ }, status_code=403)
 
 refresh_token = await hass.auth.async_create_refresh_token(user, client_id)
diff --git a/tests/auth/test_init.py b/tests/auth/test_init.py
index 3e3662c13c4..cad4bbdbd71 100644
--- a/tests/auth/test_init.py
+++ b/tests/auth/test_init.py
@@ -291,3 +291,14 @@ async def test_refresh_token_not_requires_client_for_system_user(hass):
 token = await manager.async_create_refresh_token(user)
 assert token is not None
 assert token.client_id is None
+
+
+async def test_cannot_deactive_owner(mock_hass):
+ """Test that we cannot deactive the owner."""
+ manager = await auth.auth_manager_from_config(mock_hass, [])
+ owner = MockUser(
+ is_owner=True,
+ ).add_to_auth_manager(manager)
+
+ with pytest.raises(ValueError):
+ await manager.async_deactivate_user(owner)
diff --git a/tests/components/auth/test_init.py b/tests/components/auth/test_init.py
index 59fc8714f77..5f3a2d6478c 100644
--- a/tests/components/auth/test_init.py
+++ b/tests/components/auth/test_init.py
@@ -40,7 +40,10 @@ async def test_login_new_user_and_trying_refresh_token(hass, aiohttp_client):
 })
 
 # User is not active
- assert resp.status == 400
+ assert resp.status == 403
+ data = await resp.json()
+ assert data['error'] == 'access_denied'
+ assert data['error_description'] == 'User is not active'
 
 
 def test_credential_store_expiration():
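Review bot: The new `'error': 'access_denied'` with `status_code=403` on the inactive-user branch is not a token-endpoint error: RFC 6749 §5.2 defines only invalid_request, invalid_client, invalid_grant, unauthorized_client, unsupported_grant_type and invalid_scope for the token endpoint, all returned with HTTP 400 (401 for invalid_client), while `access_denied` is an authorization-endpoint code (§4.1.2.1). Generic OAuth clients may therefore not recognise the response; `'error': 'invalid_grant'` with `status_code=400` and the same `error_description` would be the conformant way to report an unusable grant. If the 403 is deliberate so the frontend can distinguish "awaiting activation" from a malformed request, a comment on the branch such as `# Deliberately not RFC 6749 §5.2: frontend relies on 403/access_denied to show the pending-activation state` would keep the next reader from reverting it. The enclosing method continues past the end of the hunk.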
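Review bot: `test_cannot_deactive_owner` only checks that ValueError is raised; it does not confirm the owner was left untouched, which is the property the guard exists to protect. After the `with pytest.raises(ValueError):` block, add `assert owner.is_active` — this presumes MockUser defaults `is_active` to True, which is not visible here and should be confirmed in the test helper. The function name and docstring also carry the same "deactive" typo as the error message; `async def test_cannot_deactivate_owner(mock_hass):` and `"""Test that we cannot deactivate the owner."""` read correctly.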