From f1f7df3d3365cac3326287e1e61a5b7224c1e891 Mon Sep 17 00:00:00 2001
From: Volker Theile
Date: Wed, 26 Feb 2020 09:17:18 +0100
Subject: [PATCH] mgr/dashboard: Enhance user create CLI command to force password change

Fixes: https://tracker.ceph.com/issues/44301

Signed-off-by: Volker Theile
---
 doc/mgr/dashboard.rst | 6 +++++-
 qa/tasks/mgr/dashboard/test_user.py | 14 ++++++++++++++
 .../mgr/dashboard/services/access_control.py | 8 +++++---
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/doc/mgr/dashboard.rst b/doc/mgr/dashboard.rst
index 1746efed0cb4b..1070910d37c2f 100644
--- a/doc/mgr/dashboard.rst
+++ b/doc/mgr/dashboard.rst
@@ -690,7 +690,11 @@ We provide a set of CLI commands to manage user accounts:
 - *Create User*::
- $ ceph dashboard ac-user-create [--force-password] [] [] [] [] [--enabled] []
+ $ ceph dashboard ac-user-create [--enabled] [--force-password] [--pwd_update_required] [] [] [] [] []
+
+ To bypass the password policy checks use the `force-password` option.
+ Use the option `pwd_update_required` so that a newly created user has
+ to change their password after the first login.
 - *Delete User*::
diff --git a/qa/tasks/mgr/dashboard/test_user.py b/qa/tasks/mgr/dashboard/test_user.py
index ac7517cccd1c9..a76183f72ad38 100644
--- a/qa/tasks/mgr/dashboard/test_user.py
+++ b/qa/tasks/mgr/dashboard/test_user.py
@@ -539,3 +539,17 @@ class UserTest(DashboardTestCase):
 'credits': 0,
 'valuation': 'Password must not be the same as the previous one.'
 })
+
+ def test_create_user_pwd_update_required(self):
+ exit_code = self._ceph_cmd_result([
+ 'dashboard', 'ac-user-create', '--force-password',
+ '--pwd_update_required', 'foo', 'bar'
+ ])
+ self.assertEqual(exit_code, 0)
+ self._get('/api/user/foo')
+ self.assertStatus(200)
+ self.assertJsonSubset({
+ 'username': 'foo',
+ 'pwdUpdateRequired': True
+ })
+ self.delete_user('foo')
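Review bot: In `test_create_user_pwd_update_required` the cleanup `self.delete_user('foo')` is the last statement, so any failing assertion above it leaves the account `foo` (created with `--force-password` and the password `bar`) behind for the remaining tests in `UserTest`. Registering the cleanup as soon as the create command has succeeded, e.g. `self.addCleanup(self.delete_user, 'foo')` directly after `self.assertEqual(exit_code, 0)`, removes the account on every path; this assumes DashboardTestCase derives from unittest.TestCase, which the hunk does not show. The test also pins only the flag-set case; a companion check that a user created without `--pwd_update_required` reports `'pwdUpdateRequired': False` would cover the default as well.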
diff --git a/src/pybind/mgr/dashboard/services/access_control.py b/src/pybind/mgr/dashboard/services/access_control.py
index 17d9f71976d69..96aea131ded78 100644
--- a/src/pybind/mgr/dashboard/services/access_control.py
+++ b/src/pybind/mgr/dashboard/services/access_control.py
@@ -708,11 +708,12 @@ def ac_user_show_cmd(_, username=None):
 'name=email,type=CephString,req=false '
 'name=enabled,type=CephBool,req=false '
 'name=force_password,type=CephBool,req=false '
- 'name=pwd_expiration_date,type=CephInt,req=false',
+ 'name=pwd_expiration_date,type=CephInt,req=false '
+ 'name=pwd_update_required,type=CephBool,req=false',
 'Create a user')
 def ac_user_create_cmd(_, username, password=None, rolename=None, name=None,
 email=None, enabled=True, force_password=False,
- pwd_expiration_date=None):
+ pwd_expiration_date=None, pwd_update_required=False):
 try:
 role = mgr.ACCESS_CTRL_DB.get_role(rolename) if rolename else None
 except RoleDoesNotExist as ex:
@@ -725,7 +726,8 @@ def ac_user_create_cmd(_, username, password=None, rolename=None, name=None,
 pw_check = PasswordPolicy(password, username)
 pw_check.check_all()
 user = mgr.ACCESS_CTRL_DB.create_user(username, password, name, email,
- enabled, pwd_expiration_date)
+ enabled, pwd_expiration_date,
+ pwd_update_required)
 except PasswordPolicyException as ex:
 return -errno.EINVAL, '', str(ex)
 except UserAlreadyExists as ex:
--
2.39.5
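Review bot: `pwd_update_required` defaults to `False` in the `ac_user_create_cmd` signature, and nothing in the code says when an operator should set it. An account created with `force_password` (documented in this commit as bypassing the password policy checks) therefore keeps its administrator-chosen initial password unless the extra flag is remembered. The function has no docstring in the visible lines and its body continues outside the hunk; a short comment above the `def` would record the intent, e.g. `# pwd_update_required: user must change the password at first login; set it whenever the initial password is chosen by an administrator or created with force_password`. Whether the default should instead be `True` for that combination is a design decision the commit message could state explicitly.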
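Review bot: The `create_user` call in the second hunk now passes seven positional arguments, with `pwd_update_required` placed last after `pwd_expiration_date`. The definition of `create_user` is not part of this diff, so the hunk alone cannot confirm that its parameters come in this order; a mismatch would silently store the boolean in another field rather than raise. Passing the trailing optional values by keyword makes the call order-independent: `enabled, pwd_expiration_date=pwd_expiration_date,` followed by `pwd_update_required=pwd_update_required)`, assuming those are the parameter names `create_user` uses. The enclosing `try` block starts above the hunk and its handlers continue below it.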