cleanup redundant LOGIN_SOURCE and limiting apis for first time login

Author: sudo87

plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java

@@ -44,8 +44,10 @@
 import org.apache.cloudstack.api.response.ApiParameterResponse;
 import org.apache.cloudstack.api.response.ApiResponseResponse;
 import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.resourcedetail.UserDetailVO;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.reflections.ReflectionUtils;
 import org.springframework.stereotype.Component;
@@ -55,6 +57,7 @@
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.User;
+import com.cloud.user.UserAccount;
 import com.cloud.utils.ReflectUtil;
 import com.cloud.utils.component.ComponentLifecycleBase;
 import com.cloud.utils.component.PluggableService;
@@ -280,12 +283,23 @@ public ListResponse<? extends BaseResponse> listApis(User user, String name) {
                         ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid")));
             }
 
-            if (role.getRoleType() == RoleType.Admin && role.getId() == RoleType.Admin.getId()) {
-                logger.info(String.format("Account [%s] is Root Admin, all APIs are allowed.",
-                        ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid")));
+            // Limit APIs on first login requiring password change
+            UserAccount userAccount = accountService.getUserAccountById(user.getId());
+            if (MapUtils.isNotEmpty(userAccount.getDetails()) &&
+                    userAccount.getDetails().containsKey(UserDetailVO.PasswordChangeRequired)) {
+
+                String needPasswordChange = userAccount.getDetails().get(UserDetailVO.PasswordChangeRequired);
+                if ("true".equalsIgnoreCase(needPasswordChange)) {
+                    apisAllowed = Arrays.asList("login", "logout", "updateUser", "listUsers", "listApis");
+                }
             } else {
-                for (APIChecker apiChecker : _apiAccessCheckers) {
-                    apisAllowed = apiChecker.getApisAllowedToUser(role, user, apisAllowed);
+                if (role.getRoleType() == RoleType.Admin && role.getId() == RoleType.Admin.getId()) {
+                    logger.info(String.format("Account [%s] is Root Admin, all APIs are allowed.",
+                            ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid")));
+                } else {
+                    for (APIChecker apiChecker : _apiAccessCheckers) {
+                        apisAllowed = apiChecker.getApisAllowedToUser(role, user, apisAllowed);
+                    }
                 }
             }
 

plugins/api/discovery/src/test/java/org/apache/cloudstack/discovery/ApiDiscoveryTest.java

@@ -21,6 +21,7 @@
 import com.cloud.user.AccountService;
 import com.cloud.user.AccountVO;
 import com.cloud.user.User;
+import com.cloud.user.UserAccount;
 import com.cloud.user.UserVO;
 
 import org.apache.cloudstack.acl.APIChecker;
@@ -44,6 +45,7 @@
 
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyList;
+import static org.mockito.ArgumentMatchers.anyLong;
 
 @RunWith(MockitoJUnitRunner.class)
 public class ApiDiscoveryTest {
@@ -66,12 +68,17 @@ public class ApiDiscoveryTest {
     @InjectMocks
     ApiDiscoveryServiceImpl discoveryServiceSpy;
 
+    @Mock
+    UserAccount mockUserAccount;
+
     @Before
     public void setup() {
         discoveryServiceSpy.s_apiNameDiscoveryResponseMap = apiNameDiscoveryResponseMapMock;
         discoveryServiceSpy._apiAccessCheckers = apiAccessCheckersMock;
 
         Mockito.when(discoveryServiceSpy._apiAccessCheckers.iterator()).thenReturn(Arrays.asList(apiCheckerMock).iterator());
+        Mockito.when(mockUserAccount.getDetails()).thenReturn(null);
+        Mockito.when(accountServiceMock.getUserAccountById(anyLong())).thenReturn(mockUserAccount);
     }
 
     private User getTestUser() {

ui/public/locales/en.json

@@ -527,6 +527,7 @@
 "label.change.ipaddress": "Change IP address for NIC",
 "label.change.disk.offering": "Change disk offering",
 "label.change.offering.for.volume": "Change disk offering for the volume",
+"label.change.password.onlogin": "User must change password at next login",
 "label.change.service.offering": "Change service offering",
 "label.character": "Character",
 "label.checksum": "Checksum",
@@ -1096,7 +1097,6 @@
 "label.forced": "Force",
 "label.force.convert.to.pool": "Force converting to storage pool directly (not using temporary storage for conversion)",
 "label.force.ms.to.import.vm.files": "Enable to force OVF Download via Management Server. Disable to use KVM Host ovftool (if installed)",
-"label.force.password.reset": "Force password change on next login",
 "label.force.update.os.type": "Force update OS type",
 "label.force.stop": "Force stop",
 "label.force.reboot": "Force reboot",

ui/src/permission.js

@@ -94,12 +94,11 @@ router.beforeEach((to, from, next) => {
         }
         store.commit('SET_LOGIN_FLAG', true)
       }
+      // store already loaded
       if (store.getters.passwordChangeRequired) {
-        // Only allow the Change Password page
         if (to.path === '/user/forceChangePassword') {
           next()
         } else {
-          // Redirect everything else (including dashboard, wildcards) to Change Password
           next({ path: '/user/forceChangePassword' })
           NProgress.done()
         }
@@ -113,6 +112,7 @@ router.beforeEach((to, from, next) => {
         store
           .dispatch('GetInfo')
           .then(apis => {
+            // Essential for Page Refresh scenarios
             if (store.getters.passwordChangeRequired) {
               // Only allow the Change Password page
               if (to.path === '/user/forceChangePassword') {

ui/src/store/modules/user.js

@@ -45,8 +45,7 @@ import {
   OAUTH_DOMAIN,
   OAUTH_PROVIDER,
   LATEST_CS_VERSION,
-  PASSWORD_CHANGE_REQUIRED,
-  LOGIN_SOURCE
+  PASSWORD_CHANGE_REQUIRED
 } from '@/store/mutation-types'
 
 import {
@@ -83,8 +82,7 @@ const user = {
     twoFaIssuer: '',
     customHypervisorName: 'Custom',
     readyForShutdownPollingJob: '',
-    passwordChangeRequired: false,
-    loginSource: ''
+    passwordChangeRequired: false
   },
 
   mutations: {
@@ -204,13 +202,10 @@ const user = {
     SET_PASSWORD_CHANGE_REQUIRED: (state, required) => {
       state.passwordChangeRequired = required
       if (required) {
-        vueProps.$localStorage.set('PASSWORD_CHANGE_REQUIRED', 'true')
+        vueProps.$localStorage.set(PASSWORD_CHANGE_REQUIRED, true)
       } else {
-        vueProps.$localStorage.remove('PASSWORD_CHANGE_REQUIRED')
+        vueProps.$localStorage.remove(PASSWORD_CHANGE_REQUIRED)
       }
-    },
-    SET_LOGIN_SOURCE: (state, source) => {
-      vueProps.$localStorage.set('LOGIN_SOURCE', source)
     }
   },
 
@@ -259,8 +254,7 @@ const user = {
           if (result && result.managementserverid) {
             commit('SET_MS_ID', result.managementserverid)
           }
-          commit('SET_LOGIN_SOURCE', 'password')
-          if (result.passwordchangerequired && result.passwordchangerequired === 'true') {
+          if (result.passwordchangerequired) {
             commit('SET_PASSWORD_CHANGE_REQUIRED', true)
             commit('SET_APIS', {})
             vueProps.$localStorage.remove(APIS)
@@ -321,8 +315,6 @@ const user = {
           const latestVersion = vueProps.$localStorage.get(LATEST_CS_VERSION, { version: '', fetchedTs: 0 })
           commit('SET_LATEST_VERSION', latestVersion)
           notification.destroy()
-          commit('SET_LOGIN_SOURCE', 'oauth')
-          commit('SET_PASSWORD_CHANGE_REQUIRED', false)
           resolve()
         }).catch(error => {
           reject(error)
@@ -349,11 +341,9 @@ const user = {
         commit('SET_LATEST_VERSION', latestVersion)
 
         // This block is to enforce password change for first time login after admin resets password
-        const loginSource = vueProps.$localStorage.get(LOGIN_SOURCE)
-        const isPwdChangeRequired = vueProps.$localStorage.get(PASSWORD_CHANGE_REQUIRED) === 'true'
-        const isPwdChangeRequiredForLogin = (loginSource === 'password' && isPwdChangeRequired)
-        commit('SET_PASSWORD_CHANGE_REQUIRED', isPwdChangeRequiredForLogin)
-        if (isPwdChangeRequiredForLogin) {
+        const isPwdChangeRequired = vueProps.$localStorage.get(PASSWORD_CHANGE_REQUIRED)
+        commit('SET_PASSWORD_CHANGE_REQUIRED', isPwdChangeRequired)
+        if (isPwdChangeRequired) {
           getAPI('listUsers', { id: Cookies.get('userid') }).then(response => {
             const result = response.listusersresponse.user[0]
             commit('SET_INFO', result)
@@ -529,9 +519,7 @@ const user = {
         vueProps.$localStorage.remove(HEADER_NOTICES)
 
         vueProps.$localStorage.remove(PASSWORD_CHANGE_REQUIRED)
-        vueProps.$localStorage.remove(LOGIN_SOURCE)
         commit('SET_PASSWORD_CHANGE_REQUIRED', false)
-        commit('SET_LOGIN_SOURCE', '')
 
         logout(state.token).then(() => {
           message.destroy()

ui/src/store/mutation-types.js

@@ -44,7 +44,6 @@ export const MS_ID = 'MS_ID'
 export const OAUTH_DOMAIN = 'OAUTH_DOMAIN'
 export const OAUTH_PROVIDER = 'OAUTH_PROVIDER'
 export const PASSWORD_CHANGE_REQUIRED = 'PASSWORD_CHANGE_REQUIRED'
-export const LOGIN_SOURCE = 'LOGIN_SOURCE'
 
 export const CONTENT_WIDTH_TYPE = {
   Fluid: 'Fluid',

ui/src/views/iam/ChangeUserPassword.vue

@@ -50,9 +50,11 @@
             :placeholder="$t('label.confirmpassword.description')"/>
         </a-form-item>
         <a-form-item v-if="isAdminOrDomainAdmin() && isNormalUserResource()" name="passwordChangeRequired" ref="passwordChangeRequired">
-          <a-switch v-model:checked="form.passwordChangeRequired" />
-          <span style="padding-left: 10px;">{{ $t('label.force.password.reset') }}</span>
+            <a-checkbox v-model:checked="form.passwordChangeRequired">
+              {{ $t('label.change.password.onlogin') }}
+            </a-checkbox>
         </a-form-item>
+
         <div :span="24" class="action-button">
           <a-button @click="closeAction">{{ $t('label.cancel') }}</a-button>
           <a-button :loading="loading" ref="submit" type="primary" @click="handleSubmit">{{ $t('label.ok') }}</a-button>