feat(controller): add username parameter to /v1/auth/passwd

Matthew Fisher · Matthew Fisher · commit 79028db0b4c4 · 2015-05-26T11:01:59.000-07:00
diff --git a/controller/api/fixtures/test_auth.json b/controller/api/fixtures/test_auth.json
@@ -16,5 +16,41 @@
         "email": "autotest@deis.io",
         "date_joined": "2013-05-10T16:08:09.357Z"
     }
+},
+{
+    "pk": 8,
+    "model": "auth.user",
+    "fields": {
+        "username": "autotest2",
+        "first_name": "Otto",
+        "last_name": "Test",
+        "is_active": true,
+        "is_superuser": false,
+        "is_staff": false,
+        "last_login": "2013-05-10T16:08:09.357Z",
+        "groups": [],
+        "user_permissions": [],
+        "password": "pbkdf2_sha256$10000$5Uoq7dl61vnN$gQhDpc2q2Rkn16VdPC+pNNEQcKpy+LGe29Zkad+2/m4=",
+        "email": "autotest@deis.io",
+        "date_joined": "2013-05-10T16:08:09.357Z"
+    }
+},
+{
+    "pk": 9,
+    "model": "auth.user",
+    "fields": {
+        "username": "autotest3",
+        "first_name": "Otto",
+        "last_name": "Test",
+        "is_active": true,
+        "is_superuser": false,
+        "is_staff": false,
+        "last_login": "2013-05-10T16:08:09.357Z",
+        "groups": [],
+        "user_permissions": [],
+        "password": "pbkdf2_sha256$10000$5Uoq7dl61vnN$gQhDpc2q2Rkn16VdPC+pNNEQcKpy+LGe29Zkad+2/m4=",
+        "email": "autotest@deis.io",
+        "date_joined": "2013-05-10T16:08:09.357Z"
+    }
 }
 ]
diff --git a/controller/api/tests/test_auth.py b/controller/api/tests/test_auth.py
@@ -21,6 +21,14 @@ class AuthTest(TestCase):
 
     """Tests user registration, authentication and authorization"""
 
+    def setUp(self):
+        self.admin = User.objects.get(username='autotest')
+        self.admin_token = Token.objects.get(user=self.admin).key
+        self.user1 = User.objects.get(username='autotest2')
+        self.user1_token = Token.objects.get(user=self.user1).key
+        self.user2 = User.objects.get(username='autotest3')
+        self.user2_token = Token.objects.get(user=self.user2).key
+
     def test_auth(self):
         """
         Test that a user can register using the API, login and logout
@@ -98,10 +106,6 @@ def test_auth_registration_admin_only_fails_if_not_admin(self):
     @override_settings(REGISTRATION_MODE="admin_only")
     def test_auth_registration_admin_only_works(self):
         """test that a superuser can register when registration is admin only."""
-
-        user = User.objects.get(username='autotest')
-        token = Token.objects.get(user=user)
-
         url = '/v1/auth/register'
 
         username, password = 'newuser_by_admin', 'password'
@@ -119,7 +123,7 @@ def test_auth_registration_admin_only_works(self):
             'is_staff': True,
         }
         response = self.client.post(url, json.dumps(submit), content_type='application/json',
-                                    HTTP_AUTHORIZATION='token {}'.format(token))
+                                    HTTP_AUTHORIZATION='token {}'.format(self.admin_token))
 
         self.assertEqual(response.status_code, 201)
         for key in response.data:
@@ -236,3 +240,41 @@ def test_passwd(self):
         response = self.client.post(url, data=payload,
                                     content_type='application/x-www-form-urlencoded')
         self.assertEqual(response.status_code, 200)
+
+    def test_change_user_passwd(self):
+        """
+        Test that an administrator can change a user's password, while a regular user cannot.
+        """
+        # change password
+        url = '/v1/auth/passwd'
+        old_password = self.user1.password
+        new_password = 'password'
+        submit = {
+            'username': self.user1.username,
+            'password': old_password,
+            'new_password': new_password,
+        }
+        response = self.client.post(url, json.dumps(submit), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.admin_token))
+        self.assertEqual(response.status_code, 400)
+        # test login with old password
+        url = '/v1/auth/login/'
+        payload = urllib.urlencode({'username': self.user1.username, 'password': old_password})
+        response = self.client.post(url, data=payload,
+                                    content_type='application/x-www-form-urlencoded')
+        self.assertEqual(response.status_code, 400)
+        # test login with new password
+        payload = urllib.urlencode({'username': self.user1.username, 'password': new_password})
+        response = self.client.post(url, data=payload,
+                                    content_type='application/x-www-form-urlencoded')
+        self.assertEqual(response.status_code, 200)
+        # try to change back password with a regular user
+        submit['password'], submit['new_password'] = submit['new_password'], submit['password']
+        url = '/v1/auth/passwd'
+        response = self.client.post(url, json.dumps(submit), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.user2_token))
+        self.assertEqual(response.status_code, 403)
+        # however, targeting yourself should be fine.
+        response = self.client.post(url, json.dumps(submit), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.user1_token))
+        self.assertEqual(response.status_code, 200)
diff --git a/controller/api/views.py b/controller/api/views.py
@@ -37,6 +37,12 @@ def get_object(self):
 
     def passwd(self, request, **kwargs):
         obj = self.get_object()
+        if request.data.get('username'):
+            # if you "accidentally" target yourself, that should be fine
+            if obj.username == request.data['username'] or obj.is_superuser:
+                obj = get_object_or_404(User, username=request.data['username'])
+            else:
+                raise PermissionDenied()
         if not obj.check_password(request.data['password']):
             return Response({'detail': 'Current password does not match'},
                             status=status.HTTP_400_BAD_REQUEST)
diff --git a/docs/reference/api-v1.4.rst b/docs/reference/api-v1.4.rst
@@ -12,6 +12,7 @@ This is the v1.4 REST API for the :ref:`Controller`.
 What's New
 ----------
 
+**New!** optional ``username`` argument for /v1/auth/passwd/
 **New!** Deprecate X prefixed headers
 ``X_DEIS_API_VERSION`` ->  ``DEIS_API_VERSION``
 ``X_DEIS_PLATFORM_VERSION`` -> ``DEIS_PLATFORM_VERSION``
@@ -118,6 +119,41 @@ Example Response:
     DEIS_PLATFORM_VERSION: 1.6.1
 
 
+Change Password
+```````````````
+
+Example Request:
+
+.. code-block:: console
+
+    POST /v1/auth/passwd/ HTTP/1.1
+    Host: deis.example.com
+    Authorization: token abc123
+
+    {
+        "password": "foo",
+        "new_password": "bar"
+    }
+
+Optional parameters:
+
+.. code-block:: console
+
+    {"username": "testuser"}
+
+.. note::
+
+    Using the ``username`` parameter requires administrative privileges
+
+Example Response:
+
+.. code-block:: console
+
+    HTTP/1.1 200 OK
+    DEIS_API_VERSION: 1.4
+    DEIS_PLATFORM_VERSION: 1.6.1
+
+
 Applications
 ------------
 
