User Disabler in API by #814 + Consistent Listeners in API by #800

src/config/hot_reload.rs

@@ -118,6 +118,7 @@ pub struct HotFields {
     pub me_admission_poll_ms: u64,
     pub me_warn_rate_limit_ms: u64,
     pub users: std::collections::HashMap<String, String>,
+    pub user_enabled: std::collections::HashMap<String, bool>,
     pub user_ad_tags: std::collections::HashMap<String, String>,
     pub user_max_tcp_conns: std::collections::HashMap<String, usize>,
     pub user_max_tcp_conns_global_each: usize,
@@ -247,6 +248,7 @@ impl HotFields {
             me_admission_poll_ms: cfg.general.me_admission_poll_ms,
             me_warn_rate_limit_ms: cfg.general.me_warn_rate_limit_ms,
             users: cfg.access.users.clone(),
+            user_enabled: cfg.access.user_enabled.clone(),
             user_ad_tags: cfg.access.user_ad_tags.clone(),
             user_max_tcp_conns: cfg.access.user_max_tcp_conns.clone(),
             user_max_tcp_conns_global_each: cfg.access.user_max_tcp_conns_global_each,
@@ -551,6 +553,7 @@ fn overlay_hot_fields(old: &ProxyConfig, new: &ProxyConfig) -> ProxyConfig {
     cfg.general.me_warn_rate_limit_ms = new.general.me_warn_rate_limit_ms;
 
     cfg.access.users = new.access.users.clone();
+    cfg.access.user_enabled = new.access.user_enabled.clone();
     cfg.access.user_ad_tags = new.access.user_ad_tags.clone();
     cfg.access.user_max_tcp_conns = new.access.user_max_tcp_conns.clone();
     cfg.access.user_max_tcp_conns_global_each = new.access.user_max_tcp_conns_global_each;
@@ -1178,6 +1181,16 @@ fn log_changes(
         }
     }
 
+    if old_hot.user_enabled != new_hot.user_enabled {
+        info!(
+            "config reload: user_enabled updated ({} disabled overrides)",
+            new_hot
+                .user_enabled
+                .values()
+                .filter(|enabled| !**enabled)
+                .count()
+        );
+    }
     if old_hot.user_max_tcp_conns != new_hot.user_max_tcp_conns {
         info!(
             "config reload: user_max_tcp_conns updated ({} entries)",

src/config/load.rs

@@ -411,6 +411,7 @@ const TLS_FETCH_CONFIG_KEYS: &[&str] = &[
 
 const ACCESS_CONFIG_KEYS: &[&str] = &[
     "users",
+    "user_enabled",
     "user_ad_tags",
     "user_max_tcp_conns",
     "user_max_tcp_conns_global_each",

src/config/types.rs

@@ -1892,6 +1892,9 @@ pub struct AccessConfig {
     #[serde(default = "default_access_users")]
     pub users: HashMap<String, String>,
 
+    #[serde(default)]
+    pub user_enabled: HashMap<String, bool>,
+
     /// Per-user ad_tag (32 hex chars from @MTProxybot).
     #[serde(default)]
     pub user_ad_tags: HashMap<String, String>,
@@ -1963,6 +1966,7 @@ impl Default for AccessConfig {
     fn default() -> Self {
         Self {
             users: default_access_users(),
+            user_enabled: HashMap::new(),
             user_ad_tags: HashMap::new(),
             user_max_tcp_conns: HashMap::new(),
             user_max_tcp_conns_global_each: default_user_max_tcp_conns_global_each(),
@@ -1983,6 +1987,10 @@ impl Default for AccessConfig {
 }
 
 impl AccessConfig {
+    pub fn is_user_enabled(&self, username: &str) -> bool {
+        self.user_enabled.get(username).copied().unwrap_or(true)
+    }
+
     /// Returns true if `ip` is contained in any CIDR listed for `username` under `user_source_deny`.
     pub fn is_user_source_ip_denied(&self, username: &str, ip: IpAddr) -> bool {
         self.user_source_deny