Update change password API

Modify the changing password API to support that admin user can change the password of normal users without old password

src/common/dao/dao_test.go

@@ -204,41 +204,6 @@ func TestRegister(t *testing.T) {
 	}
 }
 
-func TestCheckUserPassword(t *testing.T) {
-	nonExistUser := models.User{
-		Username: "non-exist",
-	}
-	correctUser := models.User{
-		Username: username,
-		Password: password,
-	}
-	wrongPwd := models.User{
-		Username: username,
-		Password: "wrong",
-	}
-	u, err := CheckUserPassword(nonExistUser)
-	if err != nil {
-		t.Errorf("Failed in CheckUserPassword: %v", err)
-	}
-	if u != nil {
-		t.Errorf("Expected nil for Non exist user, but actual: %+v", u)
-	}
-	u, err = CheckUserPassword(wrongPwd)
-	if err != nil {
-		t.Errorf("Failed in CheckUserPassword: %v", err)
-	}
-	if u != nil {
-		t.Errorf("Expected nil for user with wrong password, but actual: %+v", u)
-	}
-	u, err = CheckUserPassword(correctUser)
-	if err != nil {
-		t.Errorf("Failed in CheckUserPassword: %v", err)
-	}
-	if u == nil {
-		t.Errorf("User should not be nil for correct user")
-	}
-}
-
 func TestUserExists(t *testing.T) {
 	var exists bool
 	var err error
@@ -397,42 +362,6 @@ func TestChangeUserPassword(t *testing.T) {
 		t.Errorf("The username returned by Login does not match, expected: %s, acutal: %s", username, loginedUser.Username)
 	}
 }
-
-func TestChangeUserPasswordWithOldPassword(t *testing.T) {
-	user := models.User{UserID: currentUser.UserID}
-	query, err := GetUser(user)
-	if err != nil {
-		t.Errorf("Error occurred when get user salt")
-	}
-	currentUser.Salt = query.Salt
-
-	err = ChangeUserPassword(models.User{UserID: currentUser.UserID, Password: "NewerHarborTester12345", Salt: currentUser.Salt}, "NewHarborTester12345")
-	if err != nil {
-		t.Errorf("Error occurred in ChangeUserPassword: %v", err)
-	}
-	loginedUser, err := LoginByDb(models.AuthModel{Principal: currentUser.Username, Password: "NewerHarborTester12345"})
-	if err != nil {
-		t.Errorf("Error occurred in LoginByDb: %v", err)
-	}
-	if loginedUser.Username != username {
-		t.Errorf("The username returned by Login does not match, expected: %s, acutal: %s", username, loginedUser.Username)
-	}
-}
-
-func TestChangeUserPasswordWithIncorrectOldPassword(t *testing.T) {
-	err := ChangeUserPassword(models.User{UserID: currentUser.UserID, Password: "NNewerHarborTester12345", Salt: currentUser.Salt}, "WrongNewerHarborTester12345")
-	if err == nil {
-		t.Errorf("Error does not occurred due to old password is incorrect.")
-	}
-	loginedUser, err := LoginByDb(models.AuthModel{Principal: currentUser.Username, Password: "NNewerHarborTester12345"})
-	if err != nil {
-		t.Errorf("Error occurred in LoginByDb: %v", err)
-	}
-	if loginedUser != nil {
-		t.Errorf("The login user is not nil, acutal: %+v", loginedUser)
-	}
-}
-
 func TestAddProject(t *testing.T) {
 
 	project := models.Project{

src/common/dao/user.go

@@ -15,9 +15,9 @@
 package dao
 
 import (
-	"database/sql"
 	"errors"
 	"fmt"
+	"time"
 
 	"github.com/astaxie/beego/orm"
 
@@ -32,7 +32,7 @@ func GetUser(query models.User) (*models.User, error) {
 
 	o := GetOrmer()
 
-	sql := `select user_id, username, email, realname, comment, reset_uuid, salt,
+	sql := `select user_id, username, password, email, realname, comment, reset_uuid, salt,
 		sysadmin_flag, creation_time, update_time
 		from harbor_user u
 		where deleted = false `
@@ -153,34 +153,12 @@ func ToggleUserAdminRole(userID int, hasAdmin bool) error {
 }
 
 // ChangeUserPassword ...
-func ChangeUserPassword(u models.User, oldPassword ...string) (err error) {
+func ChangeUserPassword(u models.User) error {
-	if len(oldPassword) > 1 {
+	u.UpdateTime = time.Now()
-		return errors.New("wrong numbers of params")
+	u.Salt = utils.GenerateRandomString()
-	}
+	u.Password = utils.Encrypt(u.Password, u.Salt)
-
+	_, err := GetOrmer().Update(&u, "Password", "Salt", "UpdateTime")
-	o := GetOrmer()
-
-	var r sql.Result
-	salt := utils.GenerateRandomString()
-	if len(oldPassword) == 0 {
-		//In some cases, it may no need to check old password, just as Linux change password policies.
-		r, err = o.Raw(`update harbor_user set password=?, salt=? where user_id=?`, utils.Encrypt(u.Password, salt), salt, u.UserID).Exec()
-	} else {
-		r, err = o.Raw(`update harbor_user set password=?, salt=? where user_id=? and password = ?`, utils.Encrypt(u.Password, salt), salt, u.UserID, utils.Encrypt(oldPassword[0], u.Salt)).Exec()
-	}
-
-	if err != nil {
 	return err
-	}
-	c, err := r.RowsAffected()
-	if err != nil {
-		return err
-	}
-	if c == 0 {
-		return errors.New("no record has been modified, change password failed")
-	}
-
-	return nil
 }
 
 // ResetUserPassword ...
@@ -207,36 +185,6 @@ func UpdateUserResetUUID(u models.User) error {
 	return err
 }
 
-// CheckUserPassword checks whether the password is correct.
-func CheckUserPassword(query models.User) (*models.User, error) {
-
-	currentUser, err := GetUser(query)
-	if err != nil {
-		return nil, err
-	}
-	if currentUser == nil {
-		return nil, nil
-	}
-
-	sql := `select user_id, username, salt from harbor_user where deleted = false and username = ? and password = ?`
-	queryParam := make([]interface{}, 1)
-	queryParam = append(queryParam, currentUser.Username)
-	queryParam = append(queryParam, utils.Encrypt(query.Password, currentUser.Salt))
-	o := GetOrmer()
-	var user []models.User
-
-	n, err := o.Raw(sql, queryParam).QueryRows(&user)
-	if err != nil {
-		return nil, err
-	}
-	if n == 0 {
-		log.Warning("User principal does not match password. Current:", currentUser)
-		return nil, nil
-	}
-
-	return &user[0], nil
-}
-
 // DeleteUser ...
 func DeleteUser(userID int) error {
 	o := GetOrmer()

src/ui/api/user.go

@@ -24,6 +24,7 @@ import (
 	"github.com/vmware/harbor/src/common"
 	"github.com/vmware/harbor/src/common/dao"
 	"github.com/vmware/harbor/src/common/models"
+	"github.com/vmware/harbor/src/common/utils"
 	"github.com/vmware/harbor/src/common/utils/log"
 	"github.com/vmware/harbor/src/ui/config"
 )
@@ -114,6 +115,7 @@ func (ua *UserAPI) Get() {
 			log.Errorf("Error occurred in GetUser, error: %v", err)
 			ua.CustomAbort(http.StatusInternalServerError, "Internal error.")
 		}
+		u.Password = ""
 		ua.Data["json"] = u
 		ua.ServeJSON()
 		return
@@ -273,33 +275,48 @@ func (ua *UserAPI) ChangePassword() {
 		return
 	}
 
+	changePwdOfOwn := ua.userID == ua.currentUserID
+
 	var req passwordReq
 	ua.DecodeJSONReq(&req)
-	if req.OldPassword == "" {
-		log.Error("Old password is blank")
-		ua.CustomAbort(http.StatusBadRequest, "Old password is blank")
-	}
 
-	queryUser := models.User{UserID: ua.userID, Password: req.OldPassword}
+	if changePwdOfOwn && len(req.OldPassword) == 0 {
-	user, err := dao.CheckUserPassword(queryUser)
+		ua.HandleBadRequest("empty old_password")
-	if err != nil {
-		log.Errorf("Error occurred in CheckUserPassword: %v", err)
-		ua.CustomAbort(http.StatusInternalServerError, "Internal error.")
-	}
-	if user == nil {
-		log.Warning("Password input is not correct")
-		ua.CustomAbort(http.StatusForbidden, "old_password_is_not_correct")
-	}
-
-	if req.NewPassword == "" {
-		ua.HandleBadRequest("new password is null")
 		return
 	}
-	updateUser := models.User{UserID: ua.userID, Password: req.NewPassword, Salt: user.Salt}
+
-	err = dao.ChangeUserPassword(updateUser, req.OldPassword)
+	if len(req.NewPassword) == 0 {
+		ua.HandleBadRequest("empty new_password")
+		return
+	}
+
+	user, err := dao.GetUser(models.User{UserID: ua.userID})
 	if err != nil {
-		log.Errorf("Error occurred in ChangeUserPassword: %v", err)
+		ua.HandleInternalServerError(fmt.Sprintf("failed to get user %d: %v", ua.userID, err))
-		ua.CustomAbort(http.StatusInternalServerError, "Internal error.")
+		return
+	}
+	if user == nil {
+		ua.HandleNotFound(fmt.Sprintf("user %d not found", ua.userID))
+		return
+	}
+	if changePwdOfOwn {
+		if user.Password != utils.Encrypt(req.OldPassword, user.Salt) {
+			ua.HandleForbidden("incorrect old_password")
+			return
+		}
+	}
+	if user.Password == utils.Encrypt(req.NewPassword, user.Salt) {
+		ua.HandleBadRequest("the new password can not be same with the old one")
+		return
+	}
+
+	updatedUser := models.User{
+		UserID:   ua.userID,
+		Password: req.NewPassword,
+	}
+	if err = dao.ChangeUserPassword(updatedUser); err != nil {
+		ua.HandleInternalServerError(fmt.Sprintf("failed to change password of user %d: %v", ua.userID, err))
+		return
 	}
 }
 

src/ui/api/user_test.go

@@ -15,10 +15,15 @@ package api
 
 import (
 	"fmt"
+	"net/http"
 	"testing"
 
+	"github.com/stretchr/testify/require"
+	"github.com/vmware/harbor/src/common/dao"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/vmware/harbor/src/common/api"
+	"github.com/vmware/harbor/src/common/models"
 	"github.com/vmware/harbor/tests/apitests/apilib"
 
 	"github.com/astaxie/beego"
@@ -323,82 +328,157 @@ func TestUsersToggleAdminRole(t *testing.T) {
 		assert.Equal(200, code, "Toggle user admin role status should be 200")
 	}
 }
+
+func buildChangeUserPasswordURL(id int) string {
+	return fmt.Sprintf("/api/users/%d/password", id)
+}
+
 func TestUsersUpdatePassword(t *testing.T) {
 	fmt.Println("Testing Update User Password")
-	assert := assert.New(t)
+	oldPassword := "old_password"
-	apiTest := newHarborAPI()
+	newPassword := "new_password"
-	password := apilib.Password{OldPassword: "", NewPassword: ""}
+
-	t.Log("Update password-case 1")
+	user01 := models.User{
-	//case 1: update user2 password with user3 auth
+		Username: "user01_for_testing_change_password",
-	code, err := apiTest.UsersUpdatePassword(testUser0002ID, password, *testUser0003Auth)
+		Email:    "user01_for_testing_change_password@test.com",
-	if err != nil {
+		Password: oldPassword,
-		t.Error("Error occured while update user password", err.Error())
-		t.Log(err)
-	} else {
-		assert.Equal(403, code, "Update user password status should be 403")
 	}
-	t.Log("Update password-case 2")
+	id, err := dao.Register(user01)
-	//case 2: update user2 password with admin auth, but oldpassword is empty
+	require.Nil(t, err)
-	code, err = apiTest.UsersUpdatePassword(testUser0002ID, password, *admin)
+	user01.UserID = int(id)
-	if err != nil {
+	defer dao.DeleteUser(user01.UserID)
-		t.Error("Error occured while update user password", err.Error())
+
-		t.Log(err)
+	user02 := models.User{
-	} else {
+		Username: "user02_for_testing_change_password",
-		assert.Equal(400, code, "Update user password status should be 400")
+		Email:    "user02_for_testing_change_password@test.com",
+		Password: oldPassword,
 	}
-	t.Log("Update password-case 3")
+	id, err = dao.Register(user02)
-	//case 3: update user2 password with admin auth, but oldpassword is wrong
+	require.Nil(t, err)
-	password.OldPassword = "000"
+	user02.UserID = int(id)
-	code, err = apiTest.UsersUpdatePassword(testUser0002ID, password, *admin)
+	defer dao.DeleteUser(user02.UserID)
-	if err != nil {
+
-		t.Error("Error occured while update user password", err.Error())
+	cases := []*codeCheckingCase{
-		t.Log(err)
+		// unauthorized
-	} else {
+		&codeCheckingCase{
-		assert.Equal(403, code, "Update user password status should be 403")
+			request: &testingRequest{
-	}
+				method: http.MethodPut,
-	t.Log("Update password-case 4")
+				url:    buildChangeUserPasswordURL(user01.UserID),
-	//case 4: update user2 password with admin auth, but newpassword is empty
+			},
-	password.OldPassword = "testUser0002"
+			code: http.StatusUnauthorized,
-	code, err = apiTest.UsersUpdatePassword(testUser0002ID, password, *admin)
+		},
-	if err != nil {
+		// 404
-		t.Error("Error occured while update user password", err.Error())
+		&codeCheckingCase{
-		t.Log(err)
+			request: &testingRequest{
-	} else {
+				method: http.MethodPut,
-		assert.Equal(400, code, "Update user password status should be 400")
+				url:    buildChangeUserPasswordURL(10000),
-	}
+				credential: &usrInfo{
-	t.Log("Update password-case 5")
+					Name:   user01.Username,
-	//case 5: update user2 password with admin auth, right parameters
+					Passwd: user01.Password,
-	password.NewPassword = "TestUser0002"
+				},
-	code, err = apiTest.UsersUpdatePassword(testUser0002ID, password, *admin)
+			},
-	if err != nil {
+			code: http.StatusNotFound,
-		t.Error("Error occured while update user password", err.Error())
+		},
-		t.Log(err)
+		// 403, a normal user tries to change password of others
-	} else {
+		&codeCheckingCase{
-		assert.Equal(200, code, "Update user password status should be 200")
+			request: &testingRequest{
-		testUser0002.Password = password.NewPassword
+				method: http.MethodPut,
-		testUser0002Auth.Passwd = password.NewPassword
+				url:    buildChangeUserPasswordURL(user02.UserID),
-		//verify the new password takes effect
+				credential: &usrInfo{
-		code, user, err := apiTest.UsersGetByID(testUser0002.Username, *testUser0002Auth, testUser0002ID)
+					Name:   user01.Username,
-		if err != nil {
+					Passwd: user01.Password,
-			t.Error("Error occured while get users", err.Error())
+				},
-			t.Log(err)
+			},
-		} else {
+			code: http.StatusForbidden,
-			assert.Equal(200, code, "Get users status should be 200")
+		},
-			assert.Equal(testUser0002.Username, user.Username, "Get users username should be equal")
+		// 400, empty old password
-			assert.Equal(testUser0002.Email, user.Email, "Get users email should be equal")
+		&codeCheckingCase{
+			request: &testingRequest{
+				method:   http.MethodPut,
+				url:      buildChangeUserPasswordURL(user01.UserID),
+				bodyJSON: &passwordReq{},
+				credential: &usrInfo{
+					Name:   user01.Username,
+					Passwd: user01.Password,
+				},
+			},
+			code: http.StatusBadRequest,
+		},
+		// 400, empty new password
+		&codeCheckingCase{
+			request: &testingRequest{
+				method: http.MethodPut,
+				url:    buildChangeUserPasswordURL(user01.UserID),
+				bodyJSON: &passwordReq{
+					OldPassword: oldPassword,
+				},
+				credential: &usrInfo{
+					Name:   user01.Username,
+					Passwd: user01.Password,
+				},
+			},
+			code: http.StatusBadRequest,
+		},
+		// 403, incorrect old password
+		&codeCheckingCase{
+			request: &testingRequest{
+				method: http.MethodPut,
+				url:    buildChangeUserPasswordURL(user01.UserID),
+				bodyJSON: &passwordReq{
+					OldPassword: "incorrect_old_password",
+					NewPassword: newPassword,
+				},
+				credential: &usrInfo{
+					Name:   user01.Username,
+					Passwd: user01.Password,
+				},
+			},
+			code: http.StatusForbidden,
+		},
+		// 200, normal user change own password
+		&codeCheckingCase{
+			request: &testingRequest{
+				method: http.MethodPut,
+				url:    buildChangeUserPasswordURL(user01.UserID),
+				bodyJSON: &passwordReq{
+					OldPassword: oldPassword,
+					NewPassword: newPassword,
+				},
+				credential: &usrInfo{
+					Name:   user01.Username,
+					Passwd: user01.Password,
+				},
+			},
+			code: http.StatusOK,
+		},
+		// 400, admin user change password of others.
+		// the new password is same with the old one
+		&codeCheckingCase{
+			request: &testingRequest{
+				method: http.MethodPut,
+				url:    buildChangeUserPasswordURL(user01.UserID),
+				bodyJSON: &passwordReq{
+					NewPassword: newPassword,
+				},
+				credential: admin,
+			},
+			code: http.StatusBadRequest,
+		},
+		// 200, admin user change password of others
+		&codeCheckingCase{
+			request: &testingRequest{
+				method: http.MethodPut,
+				url:    buildChangeUserPasswordURL(user01.UserID),
+				bodyJSON: &passwordReq{
+					NewPassword: "another_new_password",
+				},
+				credential: admin,
+			},
+			code: http.StatusOK,
+		},
 	}
 
-	}
+	runCodeCheckingCases(t, cases...)
-	t.Log("Update password-case 6")
-	//case 6: update user2 password setting the new password same as the old
-	password.OldPassword = password.NewPassword
-	code, err = apiTest.UsersUpdatePassword(testUser0002ID, password, *admin)
-	if err != nil {
-		t.Error("Error occured while update user password", err.Error())
-		t.Log(err)
-	} else {
-		assert.Equal(200, code, "When new password is same as old, update user password status should be 200")
-	}
 }
 
 func TestUsersDelete(t *testing.T) {