# Copyright 2019 Nokia # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import json import crypt import requests import access_management.db.amdb as amdb from am_api_base import * from keystoneauth1 import exceptions from cmframework.apis import cmclient class UsersOwnpasswords(AMApiBase): """ User set password operations .. :quickref: User ownpasswords;User set password operations .. http:post:: /am/v1/users/ownpasswords **Start User set password** **Example request**: .. sourcecode:: http POST am/v1/users/ownpasswords HTTP/1.1 Host: haproxyvip:61200 Accept: application/json { "npassword: "Passwd_1", "opassword: "Passwd_2", "username": "test_user" } :> json string npassword: The user's new password :> json string opassword: The user's old password :> json string username: The user's username :> json string id: The user's ID Only one of username or id needs to be present. **Example response**: .. sourcecode:: http HTTP/1.1 200 OK { "code": 0, "description": "User password changed successfully!" } :> json int code: the status code :> json string description: the error description, present if code is non zero """ endpoints = ['users/ownpasswords'] parser_arguments = ['npassword', 'opassword', 'username', 'id'] FAILURE_RESPONSE = AMApiBase.embed_data({}, 1, "Password change failed!") def post(self): self.logger.info("Received a set password request!") args = self.parse_args() user = {} state_open, message_open = self._open_db() if state_open: try: if args["username"]: user["name"] = args["username"] user["uuid"] = self.db.get_user_uuid(args["username"]) else: user["uuid"] = args["id"] user["name"] = self.db.get_user_name(args["id"]) try: keystone = self.auth_keystone_with_pass(args["opassword"], user["name"]) passstate = self.passwd_validator(args["npassword"]) if passstate is not None: self.logger.error(passstate) return AMApiBase.embed_data({}, 1, passstate) keystone.users.update_password(args["opassword"], args["npassword"]) state = True except exceptions.http.Unauthorized as ex: if "password is expired" in ex.message: passstate = self.passwd_validator(args["npassword"]) if passstate is not None: self.logger.error(passstate) return AMApiBase.embed_data({}, 1, passstate) state = self.change_password_with_request(args, user["uuid"]) else: self.logger.error("{0}".format(ex)) state = False except Exception as ex: self.logger.error("{0}".format(ex)) return self.FAILURE_RESPONSE if state: state = self.set_ownpass_in_db(args, user) if state: self.logger.info("User password changed successfully!") return AMApiBase.embed_data({}, 0, "User password changed successfully!") else: return self.FAILURE_RESPONSE else: return self.FAILURE_RESPONSE except amdb.NotExist as ex: self.logger.error("User does not exist") return self.FAILURE_RESPONSE except Exception as ex: self.logger.error("Internal error: {0}".format(ex)) return self.FAILURE_RESPONSE finally: state_close, message_close = self._close_db() if not state_close: self._close_db() else: return self.FAILURE_RESPONSE def change_password_with_request(self, args, uuid): url = self.config["Keystone"]["auth_uri"] + "/users/" + uuid + "/password" parameter = {"user": {"password": args["npassword"], "original_password": args["opassword"]}} header = {"Content-Type": "application/json"} s_user_out = requests.post(url, data=json.dumps(parameter), headers=header, timeout=30) if s_user_out.status_code != 204: s_user_out = s_user_out.json() self.logger.error(s_user_out["error"]["message"]) return False return True def set_ownpass_in_db(self, args, user): linux_user_role = False chroot_user_role = False state_open, message_open = self._open_db() if state_open: try: roles = self.db.get_user_roles(user["uuid"]) for role in roles: if self.db.is_chroot_role(role): chroot_user_role = True if role == "linux_user": linux_user_role = True # if the user has a chroot or linux account, change the pwd of that also if chroot_user_role: self.linux_chroot_pass_handling("Chroot", "cloud.chroot", args["npassword"], user["name"]) if linux_user_role: self.linux_chroot_pass_handling("Linux", "cloud.linuxuser", args["npassword"], user["name"]) except amdb.NotExist as ex: self.logger.error("User does not exist") return False except Exception as ex: self.logger.error("Internal error: {0}".format(ex)) return False finally: state_close, message_close = self._close_db() if not state_close: self._close_db() else: self.logger.error("Could not open DB") return False return True def linux_chroot_pass_handling(self, user_type, list_name, passwd, username): cmc = cmclient.CMClient() user_list = cmc.get_property(list_name) user_list = json.loads(user_list) self.logger.debug("{0} user list before the change: {1}".format(user_type, json.dumps(user_list))) if user_list is not None: self.logger.debug("The {0} user list exists!".format(user_type)) self.logger.debug("Username: {0}".format(username)) for val in user_list: if val["name"] == username: val["password"] = crypt.crypt(passwd, crypt.mksalt(crypt.METHOD_SHA512)) break self.logger.debug("{0} user list after the change: {1}".format(user_type, json.dumps(user_list))) cmc.set_property(list_name, json.dumps(user_list))