Block user through HTTP API (#846)

The new functionality allows blocking a user in the Management service.
Blocked users lose access to the Dashboard, aren't able to modify the network map,
and all of their connected devices disconnect and are set to the "login expired" state.

Technically all above was achieved with the updated PUT /api/users endpoint,
that was extended with the is_blocked field.

management/server/peer.go

@@ -605,6 +605,11 @@ func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*Peer, *NetworkMap, er
 		return nil, nil, status.Errorf(status.Unauthenticated, "peer is not registered")
 	}
 
+	err = checkIfPeerOwnerIsBlocked(peer, account)
+	if err != nil {
+		return nil, nil, err
+	}
+
 	if peerLoginExpired(peer, account) {
 		return nil, nil, status.Errorf(status.PermissionDenied, "peer login has expired, please log in once more")
 	}
@@ -644,6 +649,11 @@ func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*Peer, *NetworkMap,
 		return nil, nil, status.Errorf(status.Unauthenticated, "peer is not registered")
 	}
 
+	err = checkIfPeerOwnerIsBlocked(peer, account)
+	if err != nil {
+		return nil, nil, err
+	}
+
 	updateRemotePeers := false
 	if peerLoginExpired(peer, account) {
 		err = checkAuth(login.UserID, peer)
@@ -676,6 +686,19 @@ func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*Peer, *NetworkMap,
 	return peer, account.GetPeerNetworkMap(peer.ID, am.dnsDomain), nil
 }
 
+func checkIfPeerOwnerIsBlocked(peer *Peer, account *Account) error {
+	if peer.AddedWithSSOLogin() {
+		user, err := account.FindUser(peer.UserID)
+		if err != nil {
+			return status.Errorf(status.PermissionDenied, "user doesn't exist")
+		}
+		if user.IsBlocked() {
+			return status.Errorf(status.PermissionDenied, "user is blocked")
+		}
+	}
+	return nil
+}
+
 func checkAuth(loginUserID string, peer *Peer) error {
 	if loginUserID == "" {
 		// absence of a user ID indicates that JWT wasn't provided.