Bootstrap: enable and reset password for existing users

One of the common use cases for the admin_token middleware was to provide a recovery mechanism for cloud operators that had accidentally disabled themselves or lost their password. Instead of using bootstrap to create a second admin just to recover the first, this change allows bootstrap to reset the user's credentials and ensure that the account is enabled. Change-Id: I82cafced67852335e9bb49035f13c993c7ccd2df Closes-Bug: 1588860
2016-06-03 09:55:16 -05:00 · 2016-06-03 09:55:16 -05:00 · d6b016dd91
parent 6e4fae9ed6
commit d6b016dd91
2 changed files with 40 additions and 0 deletions
--- a/keystone/cmd/cli.py
+++ b/keystone/cmd/cli.py
@ -215,6 +215,24 @@ class BootStrap(BaseApp):
                                                          default_domain['id'])
            LOG.info(_LI('User %s already exists, skipping creation.'),
                     self.username)
+
+            # Remember whether the user was enabled or not, so that we can
+            # provide useful logging output later.
+            was_enabled = user['enabled']
+
+            # To keep bootstrap idempotent, try to reset the user's password
+            # and ensure that they are enabled. This allows bootstrap to act as
+            # a recovery tool, without having to create a new user.
+            user = self.identity_manager.update_user(
+                user['id'],
+                {'enabled': True,
+                 'password': self.password})
+            LOG.info(_LI('Reset password for user %s.'), self.username)
+            if not was_enabled and user['enabled']:
+                # Although we always try to enable the user, this log message
+                # only makes sense if we know that the user was previously
+                # disabled.
+                LOG.info(_LI('Enabled user %s.'), self.username)
        except exception.UserNotFound:
            user = self.identity_manager.create_user(
                user_ref={'name': self.username,
--- a/keystone/tests/unit/test_cli.py
+++ b/keystone/tests/unit/test_cli.py
@ -145,6 +145,28 @@ class CliBootStrapTestCase(unit.SQLDriverOverrides, unit.TestCase):
        self._do_test_bootstrap(bootstrap)
        self._do_test_bootstrap(bootstrap)

+    def test_bootstrap_recovers_user(self):
+        bootstrap = cli.BootStrap()
+        self._do_test_bootstrap(bootstrap)
+
+        # Completely lock the user out.
+        user_id = bootstrap.identity_manager.get_user_by_name(
+            bootstrap.username,
+            'default')['id']
+        bootstrap.identity_manager.update_user(
+            user_id,
+            {'enabled': False,
+             'password': uuid.uuid4().hex})
+
+        # The second bootstrap run will recover the account.
+        self._do_test_bootstrap(bootstrap)
+
+        # Sanity check that the original password works again.
+        bootstrap.identity_manager.authenticate(
+            {},
+            user_id,
+            bootstrap.password)
+

 class CliBootStrapTestCaseWithEnvironment(CliBootStrapTestCase):