feat(controller): allow admins to change a user's password.

Joshua Anderson · Joshua Anderson · commit d887af0fd650 · 2015-07-29T14:34:38.000-07:00
diff --git a/client-go/cmd/auth.go b/client-go/cmd/auth.go
@@ -104,7 +104,7 @@ func Logout() error {
 func Passwd(username string, password string, newPassword string) error {
 	var err error
 
-	if password == "" {
+	if password == "" && username == "" {
 		fmt.Print("current password: ")
 		password, err = readPassword()
 		fmt.Println()
diff --git a/client-go/controller/api/auth.go b/client-go/controller/api/auth.go
@@ -21,7 +21,7 @@ type AuthLoginResponse tokenResponse
 // AuthPasswdRequest is the definition of POST /v1/auth/passwd/.
 type AuthPasswdRequest struct {
 	Username    string `json:"username,omitempty"`
-	Password    string `json:"password"`
+	Password    string `json:"password,omitempty"`
 	NewPassword string `json:"new_password"`
 }
 
diff --git a/client/deis.py b/client/deis.py
@@ -83,7 +83,7 @@
 __version__ = '1.9.0-dev'
 
 # what version of the API is this client compatible with?
-__api_version__ = '1.5'
+__api_version__ = '1.6'
 
 
 locale.setlocale(locale.LC_ALL, '')
@@ -928,7 +928,7 @@ def auth_passwd(self, args):
             raise EnvironmentError(
                 'Could not find token. Use `deis login` or `deis register` to get started.')
         password = args.get('--password')
-        if not password:
+        if not password and not args.get('--username'):
             password = getpass('current password: ')
         new_password = args.get('--new-password')
         if not new_password:
@@ -938,10 +938,13 @@ def auth_passwd(self, args):
                 self._logger.error('Password mismatch, not changing.')
                 sys.exit(1)
         payload = {
-            'password': password,
             'new_password': new_password,
             'username': args.get('--username', self._settings['username']),
         }
+
+        if password:
+            payload['password'] = password
+
         response = self._dispatch('post', "/v1/auth/passwd", json.dumps(payload))
         if response.status_code == requests.codes.ok:
             self._logger.info('Password change succeeded.')
diff --git a/controller/api/__init__.py b/controller/api/__init__.py
@@ -2,4 +2,4 @@
 The **api** Django app presents a RESTful web API for interacting with the **deis** system.
 """
 
-__version__ = '1.5.0'
+__version__ = '1.6.0'
diff --git a/controller/api/tests/test_auth.py b/controller/api/tests/test_auth.py
@@ -251,12 +251,11 @@ def test_change_user_passwd(self):
         new_password = 'password'
         submit = {
             'username': self.user1.username,
-            'password': old_password,
             'new_password': new_password,
         }
         response = self.client.post(url, json.dumps(submit), content_type='application/json',
                                     HTTP_AUTHORIZATION='token {}'.format(self.admin_token))
-        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.status_code, 200)
         # test login with old password
         url = '/v1/auth/login/'
         payload = urllib.urlencode({'username': self.user1.username, 'password': old_password})
@@ -268,16 +267,22 @@ def test_change_user_passwd(self):
         response = self.client.post(url, data=payload,
                                     content_type='application/x-www-form-urlencoded')
         self.assertEqual(response.status_code, 200)
-        # try to change back password with a regular user
-        submit['password'], submit['new_password'] = submit['new_password'], submit['password']
+        # Non-admins can't change another user's password
+        submit['password'], submit['new_password'] = submit['new_password'], old_password
         url = '/v1/auth/passwd'
         response = self.client.post(url, json.dumps(submit), content_type='application/json',
                                     HTTP_AUTHORIZATION='token {}'.format(self.user2_token))
         self.assertEqual(response.status_code, 403)
-        # however, targeting yourself should be fine.
+        # change back password with a regular user
         response = self.client.post(url, json.dumps(submit), content_type='application/json',
                                     HTTP_AUTHORIZATION='token {}'.format(self.user1_token))
         self.assertEqual(response.status_code, 200)
+        # test login with new password
+        url = '/v1/auth/login/'
+        payload = urllib.urlencode({'username': self.user1.username, 'password': old_password})
+        response = self.client.post(url, data=payload,
+                                    content_type='application/x-www-form-urlencoded')
+        self.assertEqual(response.status_code, 200)
 
     def test_regenerate(self):
         """ Test that token regeneration works"""
diff --git a/controller/api/views.py b/controller/api/views.py
@@ -37,18 +37,20 @@ def get_object(self):
         return self.get_queryset()[0]
 
     def passwd(self, request, **kwargs):
-        obj = self.get_object()
+        caller_obj = self.get_object()
+        target_obj = self.get_object()
         if request.data.get('username'):
             # if you "accidentally" target yourself, that should be fine
-            if obj.username == request.data['username'] or obj.is_superuser:
-                obj = get_object_or_404(User, username=request.data['username'])
+            if caller_obj.username == request.data['username'] or caller_obj.is_superuser:
+                target_obj = get_object_or_404(User, username=request.data['username'])
             else:
                 raise PermissionDenied()
-        if not obj.check_password(request.data['password']):
-            return Response({'detail': 'Current password does not match'},
-                            status=status.HTTP_400_BAD_REQUEST)
-        obj.set_password(request.data['new_password'])
-        obj.save()
+        if request.data.get('password') or not caller_obj.is_superuser:
+            if not target_obj.check_password(request.data['password']):
+                return Response({'detail': 'Current password does not match'},
+                                status=status.HTTP_400_BAD_REQUEST)
+        target_obj.set_password(request.data['new_password'])
+        target_obj.save()
         return Response({'status': 'password set'})
 
 
diff --git a/docs/reference/api-v1.5.rst b/docs/reference/api-v1.5.rst
@@ -1,8 +1,6 @@
 :title: Controller API v1.5
 :description: The v1.5 REST API for Deis' Controller
 
-.. _controller_api_v1:
-
 Controller API v1.5
 ===================
 
diff --git a/docs/reference/api-v1.6.rst b/docs/reference/api-v1.6.rst
diff --git a/docs/reference/index.rst b/docs/reference/index.rst
diff --git a/version/version.go b/version/version.go

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ type AuthLoginResponse tokenResponse`
`21`	`21`	`// AuthPasswdRequest is the definition of POST /v1/auth/passwd/.`
`22`	`22`	`type AuthPasswdRequest struct {`
`23`	`23`	Username string `json:"username,omitempty"`
`24`		- Password string `json:"password"`
	`24`	+ Password string `json:"password,omitempty"`
`25`	`25`	NewPassword string `json:"new_password"`
`26`	`26`	`}`
`27`	`27`