[CLOUDSTACK-5235] ask users current password when they are executing a password update#2574
Conversation
rafaelweingartner
changed the title
|
@rafaelweingartner a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔centos6 ✔centos7 ✖debian. JID-1933 |
|
@blueorangutan package |
|
@rafaelweingartner a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1934 |
|
@blueorangutan test |
|
@borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
@blueorangutan test |
|
@borisstoyanov a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
|
||
| /** | ||
| * Creates a new user and account, stores the password as is so encrypted passwords are recommended. | ||
| * |
There was a problem hiding this comment.
@rafaelweingartner, Thanks for the fix. I think it's better to keep the comments, would be helpful in the documentation. Would be great if you describe a bit about each parameter.
There was a problem hiding this comment.
Well, I do like Java documentation; however, in this case, the use of @param does not bring benefits. I mean, if each one of the parameters was fully described it would be ok, but that is not what happened here. That is why I removed them.
I am sorry Nitin, but I would rather not document those parameters. Instead, we should get rid of these methods with a lot of parameters. My changes affect only the updateUser method (I already refactored that whole method). Afterwards, I executed a cleanup in the classes that I had modified some code.
| * | ||
| * If all checks pass, we encode the given password with the most preferable password mechanism given in {@link #_userPasswordEncoders}. | ||
| */ | ||
| protected void validateUserPasswordAndUpdateIfNeeded(String password, UserVO user, String oldPassword) { |
There was a problem hiding this comment.
I think newPassword name would be more meaningful.
There was a problem hiding this comment.
Do you mean validateUserNewPasswordAndUpdateIfNeeded?
There was a problem hiding this comment.
I mean the first parameter (password -> newPassword)
| label: 'label.old.password', | ||
| isPassword: true, | ||
| validation: { | ||
| required: !(isAdmin() || isDomainAdmin()) |
There was a problem hiding this comment.
As we are hiding this field for admin and domain admin. I think we can assign the value true for the required parameter.
There was a problem hiding this comment.
I thought about that, but I was under the impression that the field would still be validated by the javascript framework we have. I could not find a hide parameter. Therefore, I am hiding it manually.
| throw new InvalidParameterValueException("You must inform the old password when updating a user password."); | ||
| } | ||
| if (CollectionUtils.isEmpty(_userPasswordEncoders)) { | ||
| throw new CloudRuntimeException("No user authenticatiors configured!"); |
There was a problem hiding this comment.
Typo. (authenticators)
There was a problem hiding this comment.
Fixed, thanks!
rafaelweingartner
force-pushed
the
CLOUDSTACK-5235
branch
from
46b4670 to
75ebd00
Compare
|
Thanks, @rafaelweingartner for making the changes, I will review rest of the changes by tomorrow or day after. |
|
@nitin-maharana thank you for the review ;) |
|
Trillian test result (tid-2516)
|
rafaelweingartner
force-pushed
the
CLOUDSTACK-5235
branch
from
75ebd00 to
6f0dde6
Compare
|
@borisstoyanov the errors here do not seem to be related to the changes introduced. Can I consider the test successful? |
| acceptedOnAdminPort = false) | ||
| private String password; | ||
|
|
||
| @Parameter(name = ApiConstants.OLD_PASSWORD, type = CommandType.STRING, description = "Old password that was being used by the user. You must inform the old password when updating the password.", acceptedOnAdminPort = false) |
There was a problem hiding this comment.
I would prefer the word "current" instead of "old*
There was a problem hiding this comment.
That is a good suggestion. Done.
| if (!isAdmin && StringUtils.isBlank(oldPassword)) { | ||
| throw new InvalidParameterValueException("You must inform the old password when updating a user password."); | ||
| if (!isAdmin && StringUtils.isBlank(currentPassword)) { | ||
| throw new InvalidParameterValueException("You must inform the current password when updating a user password."); |
There was a problem hiding this comment.
"To set a new password the current password must be provided."
There was a problem hiding this comment.
Done.
Thanks for the review!
| if (!oldPasswordMatchesDataBasePassword) { | ||
| throw new InvalidParameterValueException("Old password does not match the database password."); | ||
| if (!currentPasswordMatchesDataBasePassword) { | ||
| throw new InvalidParameterValueException("Current password informed does not match the database password."); |
There was a problem hiding this comment.
I would prefer "Current password is incorrect."
There was a problem hiding this comment.
Done.
Thanks for the second pair of eyes here.
rafaelweingartner
changed the title
|
@nitin-maharana are you fine with these changes now? |
| } | ||
|
|
||
| /** | ||
| * Iterates over all configured user authenticators and tries to authenticated the user using the current password. |
There was a problem hiding this comment.
TYPO: authenticated -> authenticate.
There was a problem hiding this comment.
Done.
Thanks for spotting this mistake.
| // to | ||
| // update | ||
| // itself | ||
| // same |
There was a problem hiding this comment.
Would be better if we combine all the words in a single line.
There was a problem hiding this comment.
Well, these were already there. Probably the lines shifted because of my changes, but I can fix it without problems.
Side note: I do not appreciate code comments. They are a sign that the method is too big and complicated. This means that code should be extracted to smaller methods and then documented.
|
@rafaelweingartner a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔centos6 ✔centos7 ✔debian. JID-1995 |
Adição de informação do endereço IP da SSVM na rede de _storage_ Closes apache#2574 See merge request scclouds/scclouds!1182
7 participants
Description
This is a long standing issue in Jira. It was asked for us to re-authenticate users with their old password when users execute a password update.
One thing to note though. Root/domain admins are able to update users password (users they have access to) without needing to provide the old password.
Types of changes
Screenshots (if appropriate):
How Has This Been Tested?
Locally and via unit tests for the newly introduced code.
Checklist:
Testing
@blueorangutan package