From 7f849239eadfe3d97c088b77eae4d4852c0ab842 Mon Sep 17 00:00:00 2001 From: vmarkov Date: Tue, 15 May 2018 17:04:47 +0300 Subject: [PATCH] Support for Keystone password_lock option This feature was added in Keystone V3 API. Proposed patch adds support to Horizon Co-Authored-By: Ivan Kolodyazhny Closes-bug: #1766485 Change-Id: Ic20a58c76826d703b43fa6a2d77ae5f77dcda1f4 --- .../dashboards/identity/users/forms.py | 17 +- .../dashboards/identity/users/tables.py | 4 +- .../templates/users/_detail_overview.html | 2 + .../dashboards/identity/users/tests.py | 152 +++++++++++++++++- .../dashboards/identity/users/views.py | 6 +- .../dashboards/settings/password/forms.py | 7 + .../dashboards/settings/password/tests.py | 56 +++++-- .../test/test_data/keystone_data.py | 13 +- .../notes/lock-password-d87b63f361d4bdc1.yaml | 7 + 9 files changed, 235 insertions(+), 29 deletions(-) create mode 100644 releasenotes/notes/lock-password-d87b63f361d4bdc1.yaml diff --git a/openstack_dashboard/dashboards/identity/users/forms.py b/openstack_dashboard/dashboards/identity/users/forms.py index 019d299cf3..8e794a4e3d 100644 --- a/openstack_dashboard/dashboards/identity/users/forms.py +++ b/openstack_dashboard/dashboards/identity/users/forms.py @@ -133,6 +133,9 @@ class CreateUserForm(PasswordMixin, BaseUserForm, AddExtraColumnMixIn): enabled = forms.BooleanField(label=_("Enabled"), required=False, initial=True) + lock_password = forms.BooleanField(label=_("Lock password"), + required=False, + initial=False) def __init__(self, *args, **kwargs): roles = kwargs.pop('roles') @@ -141,7 +144,7 @@ class CreateUserForm(PasswordMixin, BaseUserForm, AddExtraColumnMixIn): ordering = ["domain_id", "domain_name", "name", "description", "email", "password", "confirm_password", "project", "role_id", - "enabled"] + "enabled", "lock_password"] self.add_extra_fields(ordering) self.fields = collections.OrderedDict( (key, self.fields[key]) for key in ordering) @@ -178,6 +181,10 @@ class CreateUserForm(PasswordMixin, BaseUserForm, AddExtraColumnMixIn): else: kwargs = {} + if "lock_password" in data: + kwargs.update({'options': + {'lock_password': data['lock_password']}}) + new_user = \ api.keystone.user_create(request, name=data['name'], @@ -235,6 +242,10 @@ class UpdateUserForm(BaseUserForm, AddExtraColumnMixIn): project = forms.ThemableChoiceField(label=_("Primary Project"), required=PROJECT_REQUIRED) + lock_password = forms.BooleanField(label=_("Lock password"), + required=False, + initial=False) + def __init__(self, request, *args, **kwargs): super(UpdateUserForm, self).__init__(request, *args, **kwargs) self.add_extra_fields() @@ -261,6 +272,10 @@ class UpdateUserForm(BaseUserForm, AddExtraColumnMixIn): if 'description' not in self.changed_data: data.pop('description') + if 'lock_password' in data: + data.update({'options': {'lock_password': data['lock_password']}}) + data.pop('lock_password') + try: if "email" in data: data['email'] = data['email'] diff --git a/openstack_dashboard/dashboards/identity/users/tables.py b/openstack_dashboard/dashboards/identity/users/tables.py index fcf2cf9d60..8a9a59c900 100644 --- a/openstack_dashboard/dashboards/identity/users/tables.py +++ b/openstack_dashboard/dashboards/identity/users/tables.py @@ -64,7 +64,9 @@ class ChangePasswordLink(policy.PolicyTargetMixin, tables.LinkAction): ("target.user.domain_id", "domain_id")) def allowed(self, request, user): - return api.keystone.keystone_can_edit_user() + options = getattr(user, "options", {}) + lock_password = options.get("lock_password", False) + return not lock_password and api.keystone.keystone_can_edit_user() class ToggleEnabled(policy.PolicyTargetMixin, tables.BatchAction): diff --git a/openstack_dashboard/dashboards/identity/users/templates/users/_detail_overview.html b/openstack_dashboard/dashboards/identity/users/templates/users/_detail_overview.html index 2f031ecd06..b910b67dce 100644 --- a/openstack_dashboard/dashboards/identity/users/templates/users/_detail_overview.html +++ b/openstack_dashboard/dashboards/identity/users/templates/users/_detail_overview.html @@ -20,6 +20,8 @@
{{ user.enabled|yesno|capfirst }}
{% trans "Password Expires At" %}
{{ user.password_expires_at }}
+
{% trans "Lock password" %}
+
{{ lock_password|yesno:"yes,no"|capfirst }}
{% trans "Primary Project" %}
{% if user.project_id %}
diff --git a/openstack_dashboard/dashboards/identity/users/tests.py b/openstack_dashboard/dashboards/identity/users/tests.py index 2c1edd7174..f93d6eb8a7 100644 --- a/openstack_dashboard/dashboards/identity/users/tests.py +++ b/openstack_dashboard/dashboards/identity/users/tests.py @@ -152,9 +152,11 @@ class UsersViewTests(test.BaseAdminViewTests): kwargs = {'phone_num': phone_number} self.mock_user_create.assert_called_once_with( - test.IsHttpRequest(), name=user.name, description=user.description, - email=user.email, password=user.password, project=self.tenant.id, - enabled=True, domain=domain_id, **kwargs) + test.IsHttpRequest(), name=user.name, + description=user.description, email=user.email, + password=user.password, project=self.tenant.id, + enabled=True, domain=domain_id, options={'lock_password': False}, + **kwargs) self.mock_role_list.assert_called_once_with(test.IsHttpRequest()) self.mock_get_default_role.assert_called_once_with( test.IsHttpRequest()) @@ -229,7 +231,8 @@ class UsersViewTests(test.BaseAdminViewTests): password=user.password, project=self.tenant.id, enabled=True, - domain=domain_id) + domain=domain_id, + options={'lock_password': False}) self.mock_role_list.assert_called_once_with(test.IsHttpRequest()) self.mock_get_default_role.assert_called_once_with( test.IsHttpRequest()) @@ -394,6 +397,71 @@ class UsersViewTests(test.BaseAdminViewTests): self.mock_get_default_role, 2, mock.call(test.IsHttpRequest())) + @test.create_mocks({api.keystone: ('user_create', + 'get_default_domain', + 'tenant_list', + 'add_tenant_user_role', + 'get_default_role', + 'roles_for_user', + 'role_list')}) + def test_create_lock_pass(self): + user = self.users.get(id="1") + domain = self._get_default_domain() + domain_id = user.domain_id + + role = self.roles.first() + + self.mock_get_default_domain.return_value = domain + self.mock_tenant_list.return_value = [self.tenants.list(), False] + + self.mock_user_create.return_value = user + self.mock_role_list.return_value = self.roles.list() + self.mock_get_default_role.return_value = role + self.mock_roles_for_user.return_value = [] + self.mock_add_tenant_user_role.return_value = None + + formData = {'method': 'CreateUserForm', + 'domain_id': domain_id, + 'name': user.name, + 'description': user.description, + 'email': user.email, + 'password': user.password, + 'project': self.tenant.id, + 'role_id': self.roles.first().id, + 'enabled': True, + 'confirm_password': user.password, + 'lock_password': True} + res = self.client.post(USER_CREATE_URL, formData) + + self.assertNoFormErrors(res) + self.assertMessageCount(success=1) + + self.mock_get_default_domain.assert_has_calls([ + mock.call(test.IsHttpRequest()), + mock.call(test.IsHttpRequest(), False), + ]) + self.assertEqual(2, self.mock_get_default_domain.call_count) + + if api.keystone.VERSIONS.active >= 3: + self.mock_tenant_list.assert_called_once_with( + test.IsHttpRequest(), domain=domain.id) + else: + self.mock_tenant_list.assert_called_once_with( + test.IsHttpRequest(), user=None) + + self.mock_user_create.assert_called_once_with( + test.IsHttpRequest(), name=user.name, + options={'lock_password': True}, description=user.description, + email=user.email, password=user.password, project=self.tenant.id, + enabled=True, domain=domain.id) + self.mock_role_list.assert_called_once_with(test.IsHttpRequest()) + self.mock_get_default_role.assert_called_once_with( + test.IsHttpRequest()) + self.mock_roles_for_user.assert_called_once_with( + test.IsHttpRequest(), user.id, self.tenant.id) + self.mock_add_tenant_user_role.assert_called_once_with( + test.IsHttpRequest(), self.tenant.id, user.id, role.id) + @override_settings(USER_TABLE_EXTRA_INFO={'phone_num': 'Phone Number'}) @test.create_mocks({api.keystone: ('user_get', 'domain_get', @@ -435,6 +503,8 @@ class UsersViewTests(test.BaseAdminViewTests): self.mock_user_update.assert_called_once_with(test.IsHttpRequest(), user.id, email=user.email, + options={'lock_password': + False}, name=user.name, **kwargs) @@ -477,6 +547,8 @@ class UsersViewTests(test.BaseAdminViewTests): self.mock_user_update.assert_called_once_with(test.IsHttpRequest(), user.id, email=user.email, + options={'lock_password': + False}, name=user.name, project=new_project_id) @@ -518,6 +590,8 @@ class UsersViewTests(test.BaseAdminViewTests): self.mock_user_update.assert_called_once_with(test.IsHttpRequest(), user.id, email=user.email or "", + options={'lock_password': + False}, name=user.name, project=self.tenant.id) @@ -545,6 +619,40 @@ class UsersViewTests(test.BaseAdminViewTests): self.assertNoFormErrors(res) self.assertMessageCount(error=1) + self.mock_user_get.assert_called_once_with(test.IsHttpRequest(), '1', + admin=True) + self.mock_domain_get.assert_called_once_with(test.IsHttpRequest(), + domain_id) + self.mock_tenant_list.assert_called_once_with( + test.IsHttpRequest(), domain=domain.id) + self.assert_mock_multiple_calls_with_same_arguments( + self.mock_keystone_can_edit_user, 2, + mock.call()) + + @test.create_mocks({api.keystone: ('user_get', + 'domain_get', + 'tenant_list', + 'keystone_can_edit_user', )}) + def test_update_with_locked_password(self): + user = self.users.get(id="6") + domain_id = user.domain_id + domain = self.domains.get(id=domain_id) + + self.mock_user_get.return_value = user + self.mock_domain_get.return_value = domain + self.mock_tenant_list.return_value = [self.tenants.list(), False] + self.mock_keystone_can_edit_user.return_value = False + + formData = {'method': 'UpdateUserForm', + 'id': user.id, + 'name': user.name, + 'project': self.tenant.id, } + + res = self.client.post(USER_UPDATE_URL, formData) + + self.assertNoFormErrors(res) + self.assertMessageCount(error=1) + self.mock_user_get.assert_called_once_with(test.IsHttpRequest(), '1', admin=True) self.mock_domain_get.assert_called_once_with(test.IsHttpRequest(), @@ -578,8 +686,33 @@ class UsersViewTests(test.BaseAdminViewTests): self.assertNoFormErrors(res) - self.mock_user_get.assert_called_once_with(test.IsHttpRequest(), '1', - admin=False) + self.mock_user_get.assert_called_with(test.IsHttpRequest(), '1', + admin=False) + self.assertEqual(self.mock_user_get.call_count, 1) + self.mock_user_update_password.assert_called_once_with( + test.IsHttpRequest(), user.id, test_password, admin=False) + + @test.create_mocks({api.keystone: ('user_get', + 'user_update_password')}) + def test_change_locked_password(self): + user = self.users.get(id="6") + test_password = 'normalpwd' + + self.mock_user_get.return_value = user + self.mock_user_update_password.return_value = None + + formData = {'method': 'ChangePasswordForm', + 'id': user.id, + 'name': user.name, + 'password': test_password, + 'confirm_password': test_password} + + res = self.client.post(USER_CHANGE_PASSWORD_URL, formData) + self.assertRedirectsNoFollow(res, USERS_INDEX_URL) + + self.mock_user_get.assert_called_with(test.IsHttpRequest(), '1', + admin=False) + self.assertEqual(self.mock_user_get.call_count, 1) self.mock_user_update_password.assert_called_once_with( test.IsHttpRequest(), user.id, test_password, admin=False) @@ -605,8 +738,9 @@ class UsersViewTests(test.BaseAdminViewTests): self.assertFormError(res, "form", None, ['The admin password is incorrect.']) - self.mock_user_get.assert_called_once_with(test.IsHttpRequest(), '1', - admin=False) + self.mock_user_get.assert_called_with(test.IsHttpRequest(), '1', + admin=False) + self.assertEqual(self.mock_user_get.call_count, 1) self.mock_user_verify_admin_password.assert_called_once_with( test.IsHttpRequest(), admin_password) @@ -1214,6 +1348,8 @@ class UsersViewTests(test.BaseAdminViewTests): self.mock_user_update.assert_called_once_with(test.IsHttpRequest(), user.id, email=user.email, + options={'lock_password': + False}, name=user.name, description='changed') diff --git a/openstack_dashboard/dashboards/identity/users/views.py b/openstack_dashboard/dashboards/identity/users/views.py index 3d1b808ba7..4abb538a24 100644 --- a/openstack_dashboard/dashboards/identity/users/views.py +++ b/openstack_dashboard/dashboards/identity/users/views.py @@ -130,6 +130,7 @@ class UpdateView(forms.ModalFormView): def get_initial(self): user = self.get_object() + options = getattr(user, "options", {}) domain_id = getattr(user, "domain_id", None) domain_name = '' # Retrieve the domain name where the project belongs @@ -154,7 +155,8 @@ class UpdateView(forms.ModalFormView): 'name': user.name, 'project': user.project_id, 'email': getattr(user, 'email', None), - 'description': getattr(user, 'description', None)} + 'description': getattr(user, 'description', None), + 'lock_password': options.get("lock_password", False)} if api.keystone.VERSIONS.active >= 3: for key in settings.USER_TABLE_EXTRA_INFO: data[key] = getattr(user, key, None) @@ -209,6 +211,8 @@ class DetailView(tabs.TabView): context["user"] = user context["url"] = self.get_redirect_url() context["actions"] = table.render_row_actions(user) + options = getattr(user, "options", {}) + context["lock_password"] = options.get("lock_password", False) return context @memoized.memoized_method diff --git a/openstack_dashboard/dashboards/settings/password/forms.py b/openstack_dashboard/dashboards/settings/password/forms.py index 2497f33ad8..719429f77e 100644 --- a/openstack_dashboard/dashboards/settings/password/forms.py +++ b/openstack_dashboard/dashboards/settings/password/forms.py @@ -59,6 +59,13 @@ class PasswordForm(forms.SelfHandlingForm): @sensitive_variables('data') def handle(self, request, data): user_is_editable = api.keystone.keystone_can_edit_user() + user_id = request.user.id + user = api.keystone.user_get(self.request, user_id, admin=False) + options = getattr(user, "options", {}) + lock_password = options.get("lock_password", False) + if lock_password: + messages.error(request, _('Password is locked.')) + return False if user_is_editable: try: diff --git a/openstack_dashboard/dashboards/settings/password/tests.py b/openstack_dashboard/dashboards/settings/password/tests.py index 9d1d9e4591..31a041022c 100644 --- a/openstack_dashboard/dashboards/settings/password/tests.py +++ b/openstack_dashboard/dashboards/settings/password/tests.py @@ -29,9 +29,11 @@ INDEX_URL = reverse('horizon:settings:password:index') class ChangePasswordTests(test.TestCase): - @mock.patch.object(api.keystone, 'user_update_own_password') - def test_change_password(self, mock_user_update_own_password): - mock_user_update_own_password.return_value = None + @test.create_mocks({ + api.keystone: ['user_update_own_password', 'user_get']}) + def test_change_password(self): + self.mock_user_update_own_password.return_value = None + self.mock_user_get.return_value = mock.Mock(options={}) formData = {'method': 'PasswordForm', 'current_password': 'oldpwd', @@ -40,22 +42,17 @@ class ChangePasswordTests(test.TestCase): res = self.client.post(INDEX_URL, formData) self.assertNoFormErrors(res) - mock_user_update_own_password.assert_called_once_with( + self.mock_user_get.assert_called_once_with(test.IsHttpRequest(), '1', + admin=False) + self.mock_user_update_own_password.assert_called_once_with( test.IsHttpRequest(), 'oldpwd', 'normalpwd') - def test_change_validation_passwords_not_matching(self): - formData = {'method': 'PasswordForm', - 'current_password': 'currpasswd', - 'new_password': 'testpassword', - 'confirm_password': 'doesnotmatch'} - res = self.client.post(INDEX_URL, formData) + @test.create_mocks({ + api.keystone: ['user_update_own_password', 'user_get']}) + def test_change_password_sets_logout_reason(self): - self.assertFormError(res, "form", None, ['Passwords do not match.']) - - @mock.patch.object(api.keystone, 'user_update_own_password') - def test_change_password_sets_logout_reason(self, - mock_user_update_own_password): - mock_user_update_own_password.return_value = None + self.mock_user_update_own_password.return_value = None + self.mock_user_get.return_value = mock.Mock(options={}) formData = {'method': 'PasswordForm', 'current_password': 'oldpwd', @@ -73,5 +70,30 @@ class ChangePasswordTests(test.TestCase): redirect_response = res.client.get(path, http.QueryDict(query)) self.assertRedirectsNoFollow(redirect_response, settings.LOGIN_URL) - mock_user_update_own_password.assert_called_once_with( + self.mock_user_get.assert_called_once_with(test.IsHttpRequest(), '1', + admin=False) + self.mock_user_update_own_password.assert_called_once_with( test.IsHttpRequest(), 'oldpwd', 'normalpwd') + + def test_change_validation_passwords_not_matching(self): + formData = {'method': 'PasswordForm', + 'current_password': 'currpasswd', + 'new_password': 'testpassword', + 'confirm_password': 'doesnotmatch'} + res = self.client.post(INDEX_URL, formData) + + self.assertFormError(res, "form", None, ['Passwords do not match.']) + + @test.create_mocks({ + api.keystone: ['user_get']}) + def test_lock_password(self): + self.mock_user_get.return_value = mock.Mock( + options={'lock_password': True}) + formData = {'method': 'PasswordForm', + 'current_password': 'oldpwd', + 'new_password': 'normalpwd', + 'confirm_password': 'normalpwd'} + res = self.client.post(INDEX_URL, formData) + self.assertNoFormErrors(res) + self.mock_user_get.assert_called_once_with(test.IsHttpRequest(), '1', + admin=False) diff --git a/openstack_dashboard/test/test_data/keystone_data.py b/openstack_dashboard/test/test_data/keystone_data.py index f13636b9ea..9e2902d53f 100644 --- a/openstack_dashboard/test/test_data/keystone_data.py +++ b/openstack_dashboard/test/test_data/keystone_data.py @@ -217,7 +217,18 @@ def data(TEST): 'enabled': True, 'domain_id': "1"} user5 = users.User(None, user_dict) - TEST.users.add(user, user2, user3, user4, user5) + user_dict = {'id': "6", + 'name': 'user_six', + 'description': 'test_description', + 'email': 'test@example.com', + 'password': 'password', + 'token': 'test_token', + 'project_id': '1', + 'enabled': True, + 'domain_id': "1", + 'lock_password': True} + user6 = users.User(None, user_dict) + TEST.users.add(user, user2, user3, user4, user5, user6) TEST.user = user # Your "current" user TEST.user.service_catalog = copy.deepcopy(SERVICE_CATALOG) diff --git a/releasenotes/notes/lock-password-d87b63f361d4bdc1.yaml b/releasenotes/notes/lock-password-d87b63f361d4bdc1.yaml new file mode 100644 index 0000000000..b1d5b39295 --- /dev/null +++ b/releasenotes/notes/lock-password-d87b63f361d4bdc1.yaml @@ -0,0 +1,7 @@ +--- +features: + - | + Added support for Keystone locking user option. Locked user can't change + own password using the self-service password change API. By default, users + are unlocked and can change their own passwords. In case of older Keystone + not supporting this feature, all users treated as unlocked.