coder
diff --git a/‎cli/testdata/coder_users_create_--help.golden
Lines changed: 6 additions & 0 deletions b/‎cli/testdata/coder_users_create_--help.golden
Lines changed: 6 additions & 0 deletions
diff --git a/‎cli/usercreate.go
Lines changed: 18 additions & 5 deletions b/‎cli/usercreate.go
Lines changed: 18 additions & 5 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 8 additions & 3 deletions b/‎coderd/apidoc/docs.go
Lines changed: 8 additions & 3 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 8 additions & 3 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 8 additions & 3 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 30 additions & 9 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 30 additions & 9 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 4 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 4 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000126_login_type_none.down.sql
Lines changed: 2 additions & 0 deletions b/‎coderd/database/migrations/000126_login_type_none.down.sql
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000126_login_type_none.up.sql
Lines changed: 3 additions & 0 deletions b/‎coderd/database/migrations/000126_login_type_none.up.sql
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 5 additions & 1 deletion b/‎coderd/database/models.go
Lines changed: 5 additions & 1 deletion
diff --git a/‎coderd/userauth_test.go
Lines changed: 16 additions & 0 deletions b/‎coderd/userauth_test.go
Lines changed: 16 additions & 0 deletions
@@ -1,6 +1,12 @@
 Usage: coder users create [flags]
 
 [1mOptions[0m
+      --disable-login bool
+          Disabling login for a user prevents the user from authenticating via
+          password or IdP login. Authentication requires an API key/token
+          generated by an admin. Be careful when using this flag as it can lock
+          the user out of their account.
+
   -e, --email string
           Specifies an email address for the new user.
 
 
@@ -14,9 +14,10 @@ import (
 
 func (r *RootCmd) userCreate() *clibase.Cmd {
 	var (
-		email    string
-		username string
-		password string
+		email        string
+		username     string
+		password     string
+		disableLogin bool
 	)
 	client := new(codersdk.Client)
 	cmd := &clibase.Cmd{
@@ -53,7 +54,7 @@ func (r *RootCmd) userCreate() *clibase.Cmd {
 					return err
 				}
 			}
-			if password == "" {
+			if password == "" && !disableLogin {
 				password, err = cryptorand.StringCharset(cryptorand.Human, 20)
 				if err != nil {
 					return err
@@ -65,10 +66,16 @@ func (r *RootCmd) userCreate() *clibase.Cmd {
 				Username:       username,
 				Password:       password,
 				OrganizationID: organization.ID,
+				DisableLogin:   disableLogin,
 			})
 			if err != nil {
 				return err
 			}
+			authenticationMethod := `Your password is: ` + cliui.DefaultStyles.Field.Render(password)
+			if disableLogin {
+				authenticationMethod = "Login has been disabled for this user. Contact your administrator to authenticate."
+			}
+
 			_, _ = fmt.Fprintln(inv.Stderr, `A new user has been created!
 Share the instructions below to get them started.
 `+cliui.DefaultStyles.Placeholder.Render("—————————————————————————————————————————————————")+`
@@ -78,7 +85,7 @@ https://github.com/coder/coder/releases
 Run `+cliui.DefaultStyles.Code.Render("coder login "+client.URL.String())+` to authenticate.
 
 Your email is: `+cliui.DefaultStyles.Field.Render(email)+`
-Your password is: `+cliui.DefaultStyles.Field.Render(password)+`
+`+authenticationMethod+`
 
 Create a workspace  `+cliui.DefaultStyles.Code.Render("coder create")+`!`)
 			return nil
@@ -103,6 +110,12 @@ Create a workspace  `+cliui.DefaultStyles.Code.Render("coder create")+`!`)
 			Description:   "Specifies a password for the new user.",
 			Value:         clibase.StringOf(&password),
 		},
+		{
+			Flag: "disable-login",
+			Description: "Disabling login for a user prevents the user from authenticating via password or IdP login. Authentication requires an API key/token generated by an admin. " +
+				"Be careful when using this flag as it can lock the user out of their account.",
+			Value: clibase.BoolOf(&disableLogin),
+		},
 	}
 	return cmd
 }
@@ -503,36 +503,57 @@ func CreateFirstUser(t testing.TB, client *codersdk.Client) codersdk.CreateFirst
 
 // CreateAnotherUser creates and authenticates a new user.
 func CreateAnotherUser(t *testing.T, client *codersdk.Client, organizationID uuid.UUID, roles ...string) (*codersdk.Client, codersdk.User) {
-	return createAnotherUserRetry(t, client, organizationID, 5, roles...)
+	return createAnotherUserRetry(t, client, organizationID, 5, roles)
 }
 
-func createAnotherUserRetry(t *testing.T, client *codersdk.Client, organizationID uuid.UUID, retries int, roles ...string) (*codersdk.Client, codersdk.User) {
+func CreateAnotherUserMutators(t *testing.T, client *codersdk.Client, organizationID uuid.UUID, roles []string, mutators ...func(r *codersdk.CreateUserRequest)) (*codersdk.Client, codersdk.User) {
+	return createAnotherUserRetry(t, client, organizationID, 5, roles, mutators...)
+}
+
+func createAnotherUserRetry(t *testing.T, client *codersdk.Client, organizationID uuid.UUID, retries int, roles []string, mutators ...func(r *codersdk.CreateUserRequest)) (*codersdk.Client, codersdk.User) {
 	req := codersdk.CreateUserRequest{
 		Email:          namesgenerator.GetRandomName(10) + "@coder.com",
 		Username:       randomUsername(t),
 		Password:       "SomeSecurePassword!",
 		OrganizationID: organizationID,
 	}
+	for _, m := range mutators {
+		m(&req)
+	}
 
 	user, err := client.CreateUser(context.Background(), req)
 	var apiError *codersdk.Error
 	// If the user already exists by username or email conflict, try again up to "retries" times.
 	if err != nil && retries >= 0 && xerrors.As(err, &apiError) {
 		if apiError.StatusCode() == http.StatusConflict {
 			retries--
-			return createAnotherUserRetry(t, client, organizationID, retries, roles...)
+			return createAnotherUserRetry(t, client, organizationID, retries, roles)
 		}
 	}
 	require.NoError(t, err)
 
-	login, err := client.LoginWithPassword(context.Background(), codersdk.LoginWithPasswordRequest{
-		Email:    req.Email,
-		Password: req.Password,
-	})
-	require.NoError(t, err)
+	var sessionToken string
+	if !req.DisableLogin {
+		login, err := client.LoginWithPassword(context.Background(), codersdk.LoginWithPasswordRequest{
+			Email:    req.Email,
+			Password: req.Password,
+		})
+		require.NoError(t, err)
+		sessionToken = login.SessionToken
+	} else {
+		// Cannot log in with a disabled login user. So make it an api key from
+		// the client making this user.
+		token, err := client.CreateToken(context.Background(), user.ID.String(), codersdk.CreateTokenRequest{
+			Lifetime:  time.Hour * 24,
+			Scope:     codersdk.APIKeyScopeAll,
+			TokenName: "no-password-user-token",
+		})
+		require.NoError(t, err)
+		sessionToken = token.Key
+	}
 
 	other := codersdk.New(client.URL)
-	other.SetSessionToken(login.SessionToken)
+	other.SetSessionToken(sessionToken)
 	t.Cleanup(func() {
 		other.HTTPClient.CloseIdleConnections()
 	})
 
@@ -0,0 +1,2 @@
+-- It's not possible to drop enum values from enum types, so the UP has "IF NOT
+-- EXISTS".
@@ -0,0 +1,3 @@
+ALTER TYPE login_type ADD VALUE IF NOT EXISTS 'none';
+
+COMMENT ON TYPE login_type IS 'Specifies the method of authentication. "none" is a special case in which no authentication method is allowed.';
@@ -56,6 +56,22 @@ func TestUserLogin(t *testing.T) {
 		require.ErrorAs(t, err, &apiErr)
 		require.Equal(t, http.StatusUnauthorized, apiErr.StatusCode())
 	})
+	// Password auth should fail if the user is made without password login.
+	t.Run("LoginTypeNone", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		anotherClient, anotherUser := coderdtest.CreateAnotherUserMutators(t, client, user.OrganizationID, nil, func(r *codersdk.CreateUserRequest) {
+			r.Password = ""
+			r.DisableLogin = true
+		})
+
+		_, err := anotherClient.LoginWithPassword(context.Background(), codersdk.LoginWithPasswordRequest{
+			Email:    anotherUser.Email,
+			Password: "SomeSecurePassword!",
+		})
+		require.Error(t, err)
+	})
 }
 
 func TestUserAuthMethods(t *testing.T) {
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+-- It's not possible to drop enum values from enum types, so the UP has "IF NOT`
	`2`	`+-- EXISTS".`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+ALTER TYPE login_type ADD VALUE IF NOT EXISTS 'none';`
	`2`	`+`
	`3`	`+COMMENT ON TYPE login_type IS 'Specifies the method of authentication. "none" is a special case in which no authentication method is allowed.';`