condition change to support password reset

backend/apid/middlewares/authorization_attributes.go

@@ -93,9 +93,13 @@ func (a AuthorizationAttributes) Then(next http.Handler) http.Handler {
  attrs.Resource = types.LocalSelfUserResource
  }
 
- // Change the resource to LocalSelfUserResource if a user tries to change
- // its own password
- if attrs.Verb == "update" && vars["subresource"] == "password" {
+ // check if request comes from webui
+ if strings.Contains(r.URL.Path, "/change_password") {
+ attrs.Resource = types.LocalSelfUserResource
+ }
+
+ switch vars["subresource"] {
+ case "password":
  attrs.Resource = types.LocalSelfUserResource
  }
  }

backend/apid/routers/users.go

@@ -59,6 +59,9 @@ func (r *UsersRouter) Mount(parent *mux.Router) {
  // Password change & reset
  routes.Path("{id}/{subresource:password}", r.updatePassword).Methods(http.MethodPut)
  routes.Path("{id}/{subresource:reset_password}", r.resetPassword).Methods(http.MethodPut)
+
+ // password update from web ui
+ routes.Path("{id}/{subresource:change_password}", r.changePasswordFromWeb).Methods(http.MethodPut)
 }
 
 func (r *UsersRouter) get(req *http.Request) (interface{}, error) {
@@ -153,6 +156,35 @@ func (r *UsersRouter) updatePassword(req *http.Request) (interface{}, error) {
  return nil, err
 }
 
+// changePasswordFromWeb updates user password when requests are sent from web UI
+func (r *UsersRouter) changePasswordFromWeb(req *http.Request) (interface{}, error) {
+ params := map[string]string{}
+ if err := UnmarshalBody(req, &params); err != nil {
+ return nil, err
+ }
+
+ vars := mux.Vars(req)
+ username, err := url.PathUnescape(vars["id"])
+ if err != nil {
+ return nil, err
+ }
+ newPassword := params["password_new"]
+ oldPassword := params["password"]
+
+ user, err := r.controller.AuthenticateUser(req.Context(), username, oldPassword)
+ if err != nil {
+ return nil, err
+ }
+
+ // set new password for updating into store
+ user.Password = newPassword
+
+ // Remove any old password hash
+ user.PasswordHash = ""
+ err = r.controller.CreateOrReplace(req.Context(), user)
+ return nil, err
+}
+
 // resetPassword updates a user password without any kind of verification
 func (r *UsersRouter) resetPassword(req *http.Request) (interface{}, error) {
  params := map[string]string{}

backend/apid/routers/users_test.go

@@ -235,6 +235,21 @@ func TestUsersRouter(t *testing.T) {
  },
  wantStatusCode: http.StatusCreated,
  },
+ {
+ name: "update password from web ui",
+ method: http.MethodPut,
+ path: path.Join(fixture.URIPath(), "change_password"),
+ body: []byte(`{"username":"foo","password":"admin123","password_new":"admin123"}`),
+ controllerFunc: func(c *mockUserController) {
+ c.On("AuthenticateUser", mock.Anything, mock.Anything, mock.Anything).
+ Return(&corev2.User{Username: "foo", Password: "admin123", PasswordHash: "admin123_hash"}, nil).
+ Once()
+ c.On("CreateOrReplace", mock.Anything, mock.Anything).
+ Return(nil).
+ Once()
+ },
+ wantStatusCode: http.StatusCreated,
+ },
  }
  for _, tt := range tests {
  t.Run(tt.name, func(t *testing.T) {