From: Tatjana Dehler Date: Fri, 3 Jan 2020 15:52:51 +0000 (+0100) Subject: mgr/dashboard: Enforce password change upon first login X-Git-Tag: v15.1.1~323^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=310f7876876b991ed8067228b7c86d0454476405;p=ceph.git mgr/dashboard: Enforce password change upon first login Fixes: https://tracker.ceph.com/issues/24655 Signed-off-by: Tatjana Dehler --- diff --git a/qa/tasks/mgr/dashboard/test_auth.py b/qa/tasks/mgr/dashboard/test_auth.py index 16536fa94e7..e76708a9c43 100644 --- a/qa/tasks/mgr/dashboard/test_auth.py +++ b/qa/tasks/mgr/dashboard/test_auth.py @@ -46,7 +46,8 @@ class AuthTest(DashboardTestCase): 'username': JLeaf(str), 'permissions': JObj(sub_elems={}, allow_unknown=True), 'sso': JLeaf(bool), - 'pwdExpirationDate': JLeaf(int, none=True) + 'pwdExpirationDate': JLeaf(int, none=True), + 'pwdUpdateRequired': JLeaf(bool) }, allow_unknown=False)) self._validate_jwt_token(data['token'], "admin", data['permissions']) @@ -154,7 +155,8 @@ class AuthTest(DashboardTestCase): self.assertSchema(data, JObj(sub_elems={ "username": JLeaf(str), "permissions": JObj(sub_elems={}, allow_unknown=True), - "sso": JLeaf(bool) + "sso": JLeaf(bool), + "pwdUpdateRequired": JLeaf(bool) }, allow_unknown=False)) self.logout() diff --git a/qa/tasks/mgr/dashboard/test_user.py b/qa/tasks/mgr/dashboard/test_user.py index 17808482d12..2230be20e72 100644 --- a/qa/tasks/mgr/dashboard/test_user.py +++ b/qa/tasks/mgr/dashboard/test_user.py @@ -33,7 +33,7 @@ class UserTest(DashboardTestCase): @classmethod def _create_user(cls, username=None, password=None, name=None, email=None, roles=None, - enabled=True, pwd_expiration_date=None): + enabled=True, pwd_expiration_date=None, pwd_update_required=False): data = {} if username: data['username'] = username @@ -47,6 +47,7 @@ class UserTest(DashboardTestCase): data['roles'] = roles if pwd_expiration_date: data['pwdExpirationDate'] = pwd_expiration_date + data['pwdUpdateRequired'] = pwd_update_required data['enabled'] = enabled cls._post("/api/user", data) @@ -75,7 +76,8 @@ class UserTest(DashboardTestCase): 'roles': ['administrator'], 'lastUpdate': user['lastUpdate'], 'enabled': True, - 'pwdExpirationDate': None + 'pwdExpirationDate': None, + 'pwdUpdateRequired': False }) self._put('/api/user/user1', { @@ -92,7 +94,8 @@ class UserTest(DashboardTestCase): 'roles': ['block-manager'], 'lastUpdate': user['lastUpdate'], 'enabled': True, - 'pwdExpirationDate': None + 'pwdExpirationDate': None, + 'pwdUpdateRequired': False }) self._delete('/api/user/user1') @@ -122,7 +125,8 @@ class UserTest(DashboardTestCase): 'roles': ['administrator'], 'lastUpdate': user['lastUpdate'], 'enabled': False, - 'pwdExpirationDate': None + 'pwdExpirationDate': None, + 'pwdUpdateRequired': False }) self._delete('/api/user/klara') @@ -141,7 +145,8 @@ class UserTest(DashboardTestCase): 'roles': ['administrator'], 'lastUpdate': user['lastUpdate'], 'enabled': True, - 'pwdExpirationDate': None + 'pwdExpirationDate': None, + 'pwdUpdateRequired': False }]) def test_create_user_already_exists(self): @@ -344,7 +349,8 @@ class UserTest(DashboardTestCase): 'roles': ['administrator'], 'lastUpdate': user['lastUpdate'], 'enabled': True, - 'pwdExpirationDate': future_date + 'pwdExpirationDate': future_date, + 'pwdUpdateRequired': False }) self._delete('/api/user/user1') @@ -412,6 +418,49 @@ class UserTest(DashboardTestCase): self._delete('/api/user/user1') self._ceph_cmd(['dashboard', 'set-user-pwd-expiration-span', '0']) + def test_pwd_update_required(self): + self._create_user(username='user1', + password='mypassword10#', + name='My Name', + email='my@email.com', + roles=['administrator'], + pwd_update_required=True) + self.assertStatus(201) + + user_1 = self._get('/api/user/user1') + self.assertStatus(200) + self.assertEqual(user_1['pwdUpdateRequired'], True) + + self.login('user1', 'mypassword10#') + self.assertStatus(201) + + self._get('/api/osd') + self.assertStatus(403) + self._reset_login_to_admin('user1') + + def test_pwd_update_required_change_pwd(self): + self._create_user(username='user1', + password='mypassword10#', + name='My Name', + email='my@email.com', + roles=['administrator'], + pwd_update_required=True) + self.assertStatus(201) + + self.login('user1', 'mypassword10#') + self._post('/api/user/user1/change_password', { + 'old_password': 'mypassword10#', + 'new_password': 'newpassword01#' + }) + + self.login('user1', 'newpassword01#') + user_1 = self._get('/api/user/user1') + self.assertStatus(200) + self.assertEqual(user_1['pwdUpdateRequired'], False) + self._get('/api/osd') + self.assertStatus(200) + self._reset_login_to_admin('user1') + def test_validate_password_weak(self): self._post('/api/user/validate_password', { 'password': 'mypassword1' diff --git a/src/pybind/mgr/dashboard/controllers/auth.py b/src/pybind/mgr/dashboard/controllers/auth.py index 44128ce3201..e7ceca3d673 100644 --- a/src/pybind/mgr/dashboard/controllers/auth.py +++ b/src/pybind/mgr/dashboard/controllers/auth.py @@ -21,10 +21,11 @@ class Auth(RESTController): def create(self, username, password): user_data = AuthManager.authenticate(username, password) - user_perms, pwd_expiration_date = None, None + user_perms, pwd_expiration_date, pwd_update_required = None, None, None if user_data: user_perms = user_data.get('permissions') pwd_expiration_date = user_data.get('pwdExpirationDate') + pwd_update_required = user_data.get('pwdUpdateRequired') if user_perms is not None: logger.debug('Login successful') @@ -36,7 +37,8 @@ class Auth(RESTController): 'username': username, 'permissions': user_perms, 'pwdExpirationDate': pwd_expiration_date, - 'sso': mgr.SSO_DB.protocol == 'saml2' + 'sso': mgr.SSO_DB.protocol == 'saml2', + 'pwdUpdateRequired': pwd_update_required } logger.debug('Login failed') @@ -69,7 +71,8 @@ class Auth(RESTController): return { 'username': user.username, 'permissions': user.permissions_dict(), - 'sso': mgr.SSO_DB.protocol == 'saml2' + 'sso': mgr.SSO_DB.protocol == 'saml2', + 'pwdUpdateRequired': user.pwd_update_required } return { 'login_url': self._get_login_url(), diff --git a/src/pybind/mgr/dashboard/controllers/user.py b/src/pybind/mgr/dashboard/controllers/user.py index 688f6008244..d32ee4cc833 100644 --- a/src/pybind/mgr/dashboard/controllers/user.py +++ b/src/pybind/mgr/dashboard/controllers/user.py @@ -68,7 +68,7 @@ class User(RESTController): return User._user_to_dict(user) def create(self, username=None, password=None, name=None, email=None, - roles=None, enabled=True, pwdExpirationDate=None): + roles=None, enabled=True, pwdExpirationDate=None, pwdUpdateRequired=True): if not username: raise DashboardException(msg='Username is required', code='username_required', @@ -80,7 +80,8 @@ class User(RESTController): validate_password_policy(password, username) try: user = mgr.ACCESS_CTRL_DB.create_user(username, password, name, - email, enabled, pwdExpirationDate) + email, enabled, pwdExpirationDate, + pwdUpdateRequired) except UserAlreadyExists: raise DashboardException(msg='Username already exists', code='username_already_exists', @@ -109,7 +110,7 @@ class User(RESTController): mgr.ACCESS_CTRL_DB.save() def set(self, username, password=None, name=None, email=None, roles=None, - enabled=None, pwdExpirationDate=None): + enabled=None, pwdExpirationDate=None, pwdUpdateRequired=False): if JwtManager.get_username() == username and enabled is False: raise DashboardException(msg='You are not allowed to disable your user', code='cannot_disable_current_user', @@ -136,6 +137,7 @@ class User(RESTController): user.enabled = enabled user.pwd_expiration_date = pwdExpirationDate user.set_roles(user_roles) + user.pwd_update_required = pwdUpdateRequired mgr.ACCESS_CTRL_DB.save() return User._user_to_dict(user) diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/auth.module.ts b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/auth.module.ts index 56ce6b74c5a..43d56c9bad5 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/auth.module.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/auth.module.ts @@ -20,6 +20,7 @@ import { SsoNotFoundComponent } from './sso/sso-not-found/sso-not-found.componen import { UserFormComponent } from './user-form/user-form.component'; import { UserListComponent } from './user-list/user-list.component'; import { UserPasswordFormComponent } from './user-password-form/user-password-form.component'; +import { UserPasswordLoginFormComponent } from './user-password-login-form/user-password-login-form.component'; import { UserTabsComponent } from './user-tabs/user-tabs.component'; @NgModule({ @@ -45,7 +46,8 @@ import { UserTabsComponent } from './user-tabs/user-tabs.component'; UserTabsComponent, UserListComponent, UserFormComponent, - UserPasswordFormComponent + UserPasswordFormComponent, + UserPasswordLoginFormComponent ] }) export class AuthModule {} diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/login/login.component.html b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/login/login.component.html index aef59d07258..ab42a8ad83d 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/login/login.component.html +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/login/login.component.html @@ -1,5 +1,5 @@ diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/login/login.component.ts b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/login/login.component.ts index 9286e31d30f..de8a44ddfea 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/login/login.component.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/login/login.component.ts @@ -5,6 +5,7 @@ import { BsModalService } from 'ngx-bootstrap/modal'; import { AuthService } from '../../../shared/api/auth.service'; import { Credentials } from '../../../shared/models/credentials'; +import { LoginResponse } from '../../../shared/models/login-response'; import { AuthStorageService } from '../../../shared/services/auth-storage.service'; @Component({ @@ -15,6 +16,7 @@ import { AuthStorageService } from '../../../shared/services/auth-storage.servic export class LoginComponent implements OnInit { model = new Credentials(); isLoginActive = false; + pwdUpdateRequired = false; constructor( private authService: AuthService, @@ -25,6 +27,7 @@ export class LoginComponent implements OnInit { ngOnInit() { if (this.authStorageService.isLoggedIn()) { + this.pwdUpdateRequired = this.authStorageService.getPwdUpdateRequired(); this.router.navigate(['']); } else { // Make sure all open modal dialogs are closed. This might be @@ -49,13 +52,7 @@ export class LoginComponent implements OnInit { window.location.replace(login.login_url); } } else { - this.authStorageService.set( - login.username, - token, - login.permissions, - login.sso, - login.pwdExpirationDate - ); + this.authStorageService.set(login.username, token, login.permissions, login.sso); this.router.navigate(['']); } }); @@ -63,8 +60,12 @@ export class LoginComponent implements OnInit { } login() { - this.authService.login(this.model).subscribe(() => { - this.router.navigate(['']); + this.authService.login(this.model).subscribe((resp: LoginResponse) => { + if (resp.pwdUpdateRequired) { + this.pwdUpdateRequired = true; + } else { + this.router.navigate(['']); + } }); } } diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.html b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.html index bdc0a32df77..da786a20db3 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.html +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.html @@ -215,6 +215,23 @@ + +
+
+
+ + +
+
+
+
diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.spec.ts b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.spec.ts index 35a8e7bad7c..87ba10d690c 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.spec.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.spec.ts @@ -128,7 +128,8 @@ describe('UserFormComponent', () => { email: 'user0@email.com', roles: ['administrator'], enabled: true, - pwdExpirationDate: undefined + pwdExpirationDate: undefined, + pwdUpdateRequired: true }; formHelper.setMultipleValues(user); formHelper.setValue('confirmpassword', user.password); @@ -149,7 +150,8 @@ describe('UserFormComponent', () => { email: 'user1@email.com', roles: ['administrator'], enabled: true, - pwdExpirationDate: undefined + pwdExpirationDate: undefined, + pwdUpdateRequired: true }; const roles = [ { @@ -246,6 +248,7 @@ describe('UserFormComponent', () => { expect(userReq.request.body).toEqual({ username: 'user1', password: '', + pwdUpdateRequired: true, name: 'User 1', email: 'user1@email.com', roles: ['administrator'], diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.ts b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.ts index 3299a088d04..096e2e40a9b 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.component.ts @@ -106,7 +106,8 @@ export class UserFormComponent implements OnInit { pwdExpirationDate: [''], email: ['', [CdValidators.email]], roles: [[]], - enabled: [true, [Validators.required]] + enabled: [true, [Validators.required]], + pwdUpdateRequired: [true] }, { validators: [CdValidators.match('password', 'confirmpassword')] @@ -165,7 +166,7 @@ export class UserFormComponent implements OnInit { } setResponse(response: UserFormModel) { - ['username', 'name', 'email', 'roles', 'enabled'].forEach((key) => + ['username', 'name', 'email', 'roles', 'enabled', 'pwdUpdateRequired'].forEach((key) => this.userForm.get(key).setValue(response[key]) ); const expirationDate = response['pwdExpirationDate']; @@ -176,7 +177,7 @@ export class UserFormComponent implements OnInit { getRequest(): UserFormModel { const userFormModel = new UserFormModel(); - ['username', 'password', 'name', 'email', 'roles', 'enabled'].forEach( + ['username', 'password', 'name', 'email', 'roles', 'enabled', 'pwdUpdateRequired'].forEach( (key) => (userFormModel[key] = this.userForm.get(key).value) ); const expirationDate = this.userForm.get('pwdExpirationDate').value; diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.model.ts b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.model.ts index 4989905800d..2dc88ab5a4a 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.model.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-form/user-form.model.ts @@ -6,4 +6,5 @@ export class UserFormModel { email: string; roles: Array; enabled: boolean; + pwdUpdateRequired: boolean; } diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-password-login-form/user-password-login-form.component.html b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-password-login-form/user-password-login-form.component.html new file mode 100644 index 00000000000..b74107c9c70 --- /dev/null +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-password-login-form/user-password-login-form.component.html @@ -0,0 +1,85 @@ +
+
+
+ + + + +
+ This field is required. + The old and new passwords must be different. +
+
+
+ + + + +
+
+
+
+
+ This field is required. + The old and new passwords must be different. + Too weak +
+
+
+ + + + +
+ This field is required. + Password confirmation doesn't match the new password. +
+ + +
diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-password-login-form/user-password-login-form.component.scss b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-password-login-form/user-password-login-form.component.scss new file mode 100644 index 00000000000..e69de29bb2d diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-password-login-form/user-password-login-form.component.spec.ts b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-password-login-form/user-password-login-form.component.spec.ts new file mode 100644 index 00000000000..a5607adebae --- /dev/null +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-password-login-form/user-password-login-form.component.spec.ts @@ -0,0 +1,40 @@ +import { HttpClientTestingModule } from '@angular/common/http/testing'; +import { ComponentFixture, TestBed } from '@angular/core/testing'; +import { ReactiveFormsModule } from '@angular/forms'; +import { RouterTestingModule } from '@angular/router/testing'; + +import { ToastrModule } from 'ngx-toastr'; + +import { configureTestBed, i18nProviders } from '../../../../testing/unit-test-helper'; +import { SharedModule } from '../../../shared/shared.module'; +import { UserPasswordLoginFormComponent } from './user-password-login-form.component'; + +describe('UserPasswordLoginFormComponent', () => { + let component: UserPasswordLoginFormComponent; + let fixture: ComponentFixture; + + configureTestBed( + { + imports: [ + HttpClientTestingModule, + RouterTestingModule, + ReactiveFormsModule, + ToastrModule.forRoot(), + SharedModule + ], + declarations: [UserPasswordLoginFormComponent], + providers: i18nProviders + }, + true + ); + + beforeEach(() => { + fixture = TestBed.createComponent(UserPasswordLoginFormComponent); + component = fixture.componentInstance; + fixture.detectChanges(); + }); + + it('should create', () => { + expect(component).toBeTruthy(); + }); +}); diff --git a/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-password-login-form/user-password-login-form.component.ts b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-password-login-form/user-password-login-form.component.ts new file mode 100644 index 00000000000..1b1ecfead32 --- /dev/null +++ b/src/pybind/mgr/dashboard/frontend/src/app/core/auth/user-password-login-form/user-password-login-form.component.ts @@ -0,0 +1,10 @@ +import { Component } from '@angular/core'; + +import { UserPasswordFormComponent } from '../user-password-form/user-password-form.component'; + +@Component({ + selector: 'cd-user-password-login-form', + templateUrl: './user-password-login-form.component.html', + styleUrls: ['./user-password-login-form.component.scss'] +}) +export class UserPasswordLoginFormComponent extends UserPasswordFormComponent {} diff --git a/src/pybind/mgr/dashboard/frontend/src/app/shared/api/auth.service.ts b/src/pybind/mgr/dashboard/frontend/src/app/shared/api/auth.service.ts index 7172ccba926..c6229377f90 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/shared/api/auth.service.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/shared/api/auth.service.ts @@ -32,7 +32,8 @@ export class AuthService { resp.token, resp.permissions, resp.sso, - resp.pwdExpirationDate + resp.pwdExpirationDate, + resp.pwdUpdateRequired ); }) ); diff --git a/src/pybind/mgr/dashboard/frontend/src/app/shared/models/login-response.ts b/src/pybind/mgr/dashboard/frontend/src/app/shared/models/login-response.ts index d9f1797a74c..7b9fc4b277e 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/shared/models/login-response.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/shared/models/login-response.ts @@ -4,4 +4,5 @@ export class LoginResponse { permissions: object; pwdExpirationDate: number; sso: boolean; + pwdUpdateRequired: boolean; } diff --git a/src/pybind/mgr/dashboard/frontend/src/app/shared/services/api-interceptor.service.ts b/src/pybind/mgr/dashboard/frontend/src/app/shared/services/api-interceptor.service.ts index c65f8c05188..0d46ed12368 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/shared/services/api-interceptor.service.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/shared/services/api-interceptor.service.ts @@ -61,7 +61,11 @@ export class ApiInterceptorService implements HttpInterceptor { this.router.navigate(['/login']); break; case 403: - this.router.navigate(['/403']); + if (this.authStorageService.getPwdUpdateRequired()) { + this.router.navigate(['/login']); + } else { + this.router.navigate(['/403']); + } break; default: timeoutId = this.prepareNotification(resp); diff --git a/src/pybind/mgr/dashboard/frontend/src/app/shared/services/auth-guard.service.ts b/src/pybind/mgr/dashboard/frontend/src/app/shared/services/auth-guard.service.ts index 7e11d9a2d03..48a367ff995 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/shared/services/auth-guard.service.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/shared/services/auth-guard.service.ts @@ -10,7 +10,7 @@ export class AuthGuardService implements CanActivate, CanActivateChild { constructor(private router: Router, private authStorageService: AuthStorageService) {} canActivate() { - if (this.authStorageService.isLoggedIn()) { + if (this.authStorageService.isLoggedIn() && !this.authStorageService.getPwdUpdateRequired()) { return true; } this.router.navigate(['/login']); diff --git a/src/pybind/mgr/dashboard/frontend/src/app/shared/services/auth-storage.service.ts b/src/pybind/mgr/dashboard/frontend/src/app/shared/services/auth-storage.service.ts index b603e7fec42..fcc24cf5b95 100644 --- a/src/pybind/mgr/dashboard/frontend/src/app/shared/services/auth-storage.service.ts +++ b/src/pybind/mgr/dashboard/frontend/src/app/shared/services/auth-storage.service.ts @@ -18,12 +18,14 @@ export class AuthStorageService { token: string, permissions = {}, sso = false, - pwdExpirationDate: number = null + pwdExpirationDate: number = null, + pwdUpdateRequired: boolean = false ) { localStorage.setItem('dashboard_username', username); localStorage.setItem('access_token', token); localStorage.setItem('dashboard_permissions', JSON.stringify(new Permissions(permissions))); localStorage.setItem('user_pwd_expiration_date', String(pwdExpirationDate)); + localStorage.setItem('user_pwd_update_required', String(pwdUpdateRequired)); localStorage.setItem('sso', String(sso)); } @@ -31,6 +33,7 @@ export class AuthStorageService { localStorage.removeItem('access_token'); localStorage.removeItem('dashboard_username'); localStorage.removeItem('user_pwd_expiration_data'); + localStorage.removeItem('user_pwd_update_required'); } getToken(): string { @@ -55,6 +58,10 @@ export class AuthStorageService { return Number(localStorage.getItem('user_pwd_expiration_date')); } + getPwdUpdateRequired(): boolean { + return localStorage.getItem('user_pwd_update_required') === 'true'; + } + isSSO() { return localStorage.getItem('sso') === 'true'; } diff --git a/src/pybind/mgr/dashboard/services/access_control.py b/src/pybind/mgr/dashboard/services/access_control.py index 99222a97cf6..86bbf8ae3fa 100644 --- a/src/pybind/mgr/dashboard/services/access_control.py +++ b/src/pybind/mgr/dashboard/services/access_control.py @@ -292,7 +292,8 @@ SYSTEM_ROLES = { class User(object): def __init__(self, username, password, name=None, email=None, roles=None, - last_update=None, enabled=True, pwd_expiration_date=None): + last_update=None, enabled=True, pwd_expiration_date=None, + pwd_update_required=False): self.username = username self.password = password self.name = name @@ -309,6 +310,7 @@ class User(object): self.pwd_expiration_date = pwd_expiration_date if self.pwd_expiration_date is None: self.refresh_pwd_expiration_date() + self.pwd_update_required = pwd_update_required def refresh_last_update(self): self.last_update = int(time.time()) @@ -337,6 +339,7 @@ class User(object): self.password = hashed_password self.refresh_last_update() self.refresh_pwd_expiration_date() + self.pwd_update_required = False def compare_password(self, password): """ @@ -371,6 +374,9 @@ class User(object): self.refresh_last_update() def authorize(self, scope, permissions): + if self.pwd_update_required: + return False + for role in self.roles: if role.authorize(scope, permissions): return True @@ -397,14 +403,16 @@ class User(object): 'email': self.email, 'lastUpdate': self.last_update, 'enabled': self.enabled, - 'pwdExpirationDate': self.pwd_expiration_date + 'pwdExpirationDate': self.pwd_expiration_date, + 'pwdUpdateRequired': self.pwd_update_required } @classmethod def from_dict(cls, u_dict, roles): return User(u_dict['username'], u_dict['password'], u_dict['name'], u_dict['email'], {roles[r] for r in u_dict['roles']}, - u_dict['lastUpdate'], u_dict['enabled'], u_dict['pwdExpirationDate']) + u_dict['lastUpdate'], u_dict['enabled'], + u_dict['pwdExpirationDate'], u_dict['pwdUpdateRequired']) class AccessControlDB(object): @@ -444,7 +452,8 @@ class AccessControlDB(object): del self.roles[name] - def create_user(self, username, password, name, email, enabled=True, pwd_expiration_date=None): + def create_user(self, username, password, name, email, enabled=True, + pwd_expiration_date=None, pwd_update_required=False): logger.debug("creating user: username=%s", username) with self.lock: if username in self.users: @@ -453,7 +462,8 @@ class AccessControlDB(object): (pwd_expiration_date < int(time.mktime(datetime.utcnow().timetuple()))): raise PwdExpirationDateNotValid() user = User(username, password_hash(password), name, email, enabled=enabled, - pwd_expiration_date=pwd_expiration_date) + pwd_expiration_date=pwd_expiration_date, + pwd_update_required=pwd_update_required) self.users[username] = user return user @@ -907,7 +917,8 @@ class LocalAuthenticator(object): if user.enabled and user.compare_password(password) \ and not user.is_pwd_expired(): return {'permissions': user.permissions_dict(), - 'pwdExpirationDate': user.pwd_expiration_date} + 'pwdExpirationDate': user.pwd_expiration_date, + 'pwdUpdateRequired': user.pwd_update_required} except UserDoesNotExist: logger.debug("User '%s' does not exist", username) return None