Move identity logic from controller to manager

The logic for changing a user's password will be used to implement
bp password-rotation.  Keeping the logic in the controller makes it
much harder to reuse.

Change-Id: I6e29a9f1875a3ea6dec4757db86c30497c0253cb

keystone/identity/controllers.py

@@ -352,15 +352,11 @@ class UserV3(controller.V3Controller):
 
         domain_scope = self._get_domain_id_for_request(context)
         try:
-            self.identity_api.authenticate(user_id=user_id,
-                                           password=original_password,
-                                           domain_scope=domain_scope)
+            self.identity_api.change_password(user_id, original_password,
+                                              password, domain_scope)
         except AssertionError:
             raise exception.Unauthorized()
 
-        update_dict = {'password': password}
-        self._update_user(context, user_id, update_dict, domain_scope)
-
 
 @dependency.requires('identity_api')
 class GroupV3(controller.V3Controller):

keystone/identity/core.py

@@ -466,6 +466,17 @@ class Manager(manager.Manager):
         domain_id, driver = self._get_domain_id_and_driver(domain_scope)
         return driver.check_user_in_group(user_id, group_id)
 
+    @domains_configured
+    def change_password(self, user_id, original_password, new_password,
+                        domain_scope):
+
+        # authenticate() will raise an AssertionError if authentication fails
+        self.authenticate(user_id, original_password,
+                          domain_scope=domain_scope)
+
+        update_dict = {'password': new_password}
+        self.update_user(user_id, update_dict, domain_scope=domain_scope)
+
     # TODO(morganfainberg): Remove the following deprecated methods once
     # Icehouse is released.  Maintain identity -> assignment proxy for 1
     # release.