Allow enforcing password change for a user after reset by admin (root/domain)

api/src/main/java/org/apache/cloudstack/api/ApiConstants.java

@@ -1256,6 +1256,7 @@ public class ApiConstants {
     public static final String PROVIDER_FOR_2FA = "providerfor2fa";
     public static final String ISSUER_FOR_2FA = "issuerfor2fa";
     public static final String MANDATE_2FA = "mandate2fa";
+    public static final String PASSWORD_CHANGE_REQUIRED = "passwordchangerequired";
     public static final String SECRET_CODE = "secretcode";
     public static final String LOGIN = "login";
     public static final String LOGOUT = "logout";

api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java

@@ -29,6 +29,7 @@
 import org.apache.cloudstack.api.response.UserResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.region.RegionService;
+import org.apache.commons.lang.BooleanUtils;
 
 import com.cloud.user.Account;
 import com.cloud.user.User;
@@ -38,6 +39,8 @@
 requestHasSensitiveInfo = true, responseHasSensitiveInfo = true)
 public class UpdateUserCmd extends BaseCmd {
 
+    @Inject
+    private RegionService _regionService;
 
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
@@ -85,8 +88,11 @@ public class UpdateUserCmd extends BaseCmd {
             "This parameter is only used to mandate 2FA, not to disable 2FA", since = "4.18.0.0")
     private Boolean mandate2FA;
 
-    @Inject
-    private RegionService _regionService;
+    @Parameter(name = ApiConstants.PASSWORD_CHANGE_REQUIRED,
+            type = CommandType.BOOLEAN,
+            description = "Provide true to mandate the User to reset password on next login.",
+            since = "4.23.0")
+    private Boolean passwordChangeRequired;
 
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
@@ -193,4 +199,12 @@ public Long getApiResourceId() {
     public ApiCommandResourceType getApiResourceType() {
         return ApiCommandResourceType.User;
     }
+
+    public Boolean isPasswordChangeRequired() {
+        return BooleanUtils.isTrue(passwordChangeRequired);
+    }
+
+    public void setPasswordChangeRequired(Boolean passwordChangeRequired) {
+        this.passwordChangeRequired = passwordChangeRequired;
+    }
 }

api/src/main/java/org/apache/cloudstack/api/response/LoginCmdResponse.java

@@ -90,6 +90,10 @@ public class LoginCmdResponse extends AuthenticationCmdResponse {
     @Param(description = "Management Server ID that the user logged to", since = "4.21.0.0")
     private String managementServerId;
 
+    @SerializedName(value = ApiConstants.PASSWORD_CHANGE_REQUIRED)
+    @Param(description = "Is User required to change password on next login.", since = "4.23.0")
+    private String passwordChangeRequired;
+
     public String getUsername() {
         return username;
     }
@@ -223,4 +227,12 @@ public String getManagementServerId() {
     public void setManagementServerId(String managementServerId) {
         this.managementServerId = managementServerId;
     }
+
+    public String getPasswordChangeRequired() {
+        return passwordChangeRequired;
+    }
+
+    public void setPasswordChangeRequired(String passwordChangeRequired) {
+        this.passwordChangeRequired = passwordChangeRequired;
+    }
 }

api/src/main/java/org/apache/cloudstack/api/response/UserResponse.java

@@ -132,6 +132,10 @@ public class UserResponse extends BaseResponse implements SetResourceIconRespons
     @Param(description = "whether api key access is Enabled, Disabled or set to Inherit (it inherits the value from the parent)", since = "4.20.1.0")
     ApiConstants.ApiKeyAccess apiKeyAccess;
 
+    @SerializedName(value = ApiConstants.PASSWORD_CHANGE_REQUIRED)
+    @Param(description = "Is User required to change password on next login.", since = "4.23.0")
+    private Boolean passwordChangeRequired;
+
     @Override
     public String getObjectId() {
         return this.getId();
@@ -317,4 +321,12 @@ public void set2FAmandated(Boolean is2FAmandated) {
     public void setApiKeyAccess(Boolean apiKeyAccess) {
         this.apiKeyAccess = ApiConstants.ApiKeyAccess.fromBoolean(apiKeyAccess);
     }
+
+    public Boolean isPasswordChangeRequired() {
+        return passwordChangeRequired;
+    }
+
+    public void setPasswordChangeRequired(Boolean passwordChangeRequired) {
+        this.passwordChangeRequired = passwordChangeRequired;
+    }
 }

engine/schema/src/main/java/org/apache/cloudstack/resourcedetail/UserDetailVO.java

@@ -48,6 +48,7 @@ public class UserDetailVO implements ResourceDetail {
     public static final String Setup2FADetail = "2FASetupStatus";
     public static final String PasswordResetToken = "PasswordResetToken";
     public static final String PasswordResetTokenExpiryDate = "PasswordResetTokenExpiryDate";
+    public static final String PasswordChangeRequired = "PasswordChangeRequired";
 
     public UserDetailVO() {
     }

engine/schema/src/main/resources/META-INF/db/views/cloud.user_view.sql

@@ -53,7 +53,8 @@ select
     async_job.uuid job_uuid,
     async_job.job_status job_status,
     async_job.account_id job_account_id,
-    user.is_user_2fa_enabled is_user_2fa_enabled
+    user.is_user_2fa_enabled is_user_2fa_enabled,
+   `user_details`.`value` AS `password_change_required`
 from
     `cloud`.`user`
         inner join
@@ -63,4 +64,7 @@ from
         left join
     `cloud`.`async_job` ON async_job.instance_id = user.id
         and async_job.instance_type = 'User'
-        and async_job.job_status = 0;
+        and async_job.job_status = 0
+        left join
+    `cloud`.`user_details` AS `user_details` ON `user_details`.`user_id` = `user`.`id`
+        and `user_details`.`name` = 'PasswordChangeRequired';

plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java

@@ -44,8 +44,10 @@
 import org.apache.cloudstack.api.response.ApiParameterResponse;
 import org.apache.cloudstack.api.response.ApiResponseResponse;
 import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.resourcedetail.UserDetailVO;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.reflections.ReflectionUtils;
 import org.springframework.stereotype.Component;
@@ -55,6 +57,7 @@
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.User;
+import com.cloud.user.UserAccount;
 import com.cloud.utils.ReflectUtil;
 import com.cloud.utils.component.ComponentLifecycleBase;
 import com.cloud.utils.component.PluggableService;
@@ -280,12 +283,23 @@ public ListResponse<? extends BaseResponse> listApis(User user, String name) {
                         ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid")));
             }
 
-            if (role.getRoleType() == RoleType.Admin && role.getId() == RoleType.Admin.getId()) {
-                logger.info(String.format("Account [%s] is Root Admin, all APIs are allowed.",
-                        ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid")));
+            // Limit APIs on first login requiring password change
+            UserAccount userAccount = accountService.getUserAccountById(user.getId());
+            if (MapUtils.isNotEmpty(userAccount.getDetails()) &&
+                    userAccount.getDetails().containsKey(UserDetailVO.PasswordChangeRequired)) {
+
+                String needPasswordChange = userAccount.getDetails().get(UserDetailVO.PasswordChangeRequired);
+                if ("true".equalsIgnoreCase(needPasswordChange)) {
+                    apisAllowed = Arrays.asList("login", "logout", "updateUser", "listUsers", "listApis");
+                }
             } else {
-                for (APIChecker apiChecker : _apiAccessCheckers) {
-                    apisAllowed = apiChecker.getApisAllowedToUser(role, user, apisAllowed);
+                if (role.getRoleType() == RoleType.Admin && role.getId() == RoleType.Admin.getId()) {
+                    logger.info(String.format("Account [%s] is Root Admin, all APIs are allowed.",
+                            ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid")));
+                } else {
+                    for (APIChecker apiChecker : _apiAccessCheckers) {
+                        apisAllowed = apiChecker.getApisAllowedToUser(role, user, apisAllowed);
+                    }
                 }
             }
 

plugins/api/discovery/src/test/java/org/apache/cloudstack/discovery/ApiDiscoveryTest.java

@@ -21,6 +21,7 @@
 import com.cloud.user.AccountService;
 import com.cloud.user.AccountVO;
 import com.cloud.user.User;
+import com.cloud.user.UserAccount;
 import com.cloud.user.UserVO;
 
 import org.apache.cloudstack.acl.APIChecker;
@@ -44,6 +45,7 @@
 
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyList;
+import static org.mockito.ArgumentMatchers.anyLong;
 
 @RunWith(MockitoJUnitRunner.class)
 public class ApiDiscoveryTest {
@@ -66,12 +68,17 @@ public class ApiDiscoveryTest {
     @InjectMocks
     ApiDiscoveryServiceImpl discoveryServiceSpy;
 
+    @Mock
+    UserAccount mockUserAccount;
+
     @Before
     public void setup() {
         discoveryServiceSpy.s_apiNameDiscoveryResponseMap = apiNameDiscoveryResponseMapMock;
         discoveryServiceSpy._apiAccessCheckers = apiAccessCheckersMock;
 
         Mockito.when(discoveryServiceSpy._apiAccessCheckers.iterator()).thenReturn(Arrays.asList(apiCheckerMock).iterator());
+        Mockito.when(mockUserAccount.getDetails()).thenReturn(null);
+        Mockito.when(accountServiceMock.getUserAccountById(anyLong())).thenReturn(mockUserAccount);
     }
 
     private User getTestUser() {

server/src/main/java/com/cloud/api/ApiServer.java

@@ -116,9 +116,11 @@
 import org.apache.cloudstack.framework.messagebus.MessageDispatcher;
 import org.apache.cloudstack.framework.messagebus.MessageHandler;
 import org.apache.cloudstack.managed.context.ManagedContextRunnable;
+import org.apache.cloudstack.resourcedetail.UserDetailVO;
 import org.apache.cloudstack.user.UserPasswordResetManager;
 import org.apache.cloudstack.utils.identity.ManagementServerNode;
 import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang3.EnumUtils;
 import org.apache.http.ConnectionClosedException;
 import org.apache.http.HttpException;
@@ -194,6 +196,7 @@
 import com.google.gson.reflect.TypeToken;
 
 import static com.cloud.user.AccountManagerImpl.apiKeyAccess;
+import static org.apache.cloudstack.api.ApiConstants.PASSWORD_CHANGE_REQUIRED;
 import static org.apache.cloudstack.user.UserPasswordResetManager.UserPasswordResetEnabled;
 
 @Component
@@ -1227,6 +1230,9 @@ private ResponseObject createLoginResponse(HttpSession session) {
                 if (ApiConstants.MANAGEMENT_SERVER_ID.equalsIgnoreCase(attrName)) {
                     response.setManagementServerId(attrObj.toString());
                 }
+                if (PASSWORD_CHANGE_REQUIRED.endsWith(attrName)) {
+                    response.setPasswordChangeRequired(attrObj.toString());
+                }
             }
         }
         response.setResponseName("loginresponse");
@@ -1327,6 +1333,13 @@ public ResponseObject loginUser(final HttpSession session, final String username
             final String sessionKey = Base64.encodeBase64URLSafeString(sessionKeyBytes);
             session.setAttribute(ApiConstants.SESSIONKEY, sessionKey);
 
+            if (!MapUtils.isEmpty(userAcct.getDetails())) {
+                String needPwdChangeStr = userAcct.getDetails().getOrDefault(UserDetailVO.PasswordChangeRequired, null);
+                if (needPwdChangeStr != null) {
+                    boolean needPwdChange = "true".equalsIgnoreCase(needPwdChangeStr);
+                    session.setAttribute(PASSWORD_CHANGE_REQUIRED, needPwdChange);
+                }
+            }
             return createLoginResponse(session);
         }
         throw new CloudAuthenticationException("Failed to authenticate user " + username + " in domain " + domainId + "; please provide valid credentials");

server/src/main/java/com/cloud/api/query/dao/UserAccountJoinDaoImpl.java

@@ -73,6 +73,7 @@ public UserResponse newUserResponse(ResponseView view, UserAccountJoinVO usr) {
         userResponse.setSecretKey(usr.getSecretKey());
         userResponse.setIsDefault(usr.isDefault());
         userResponse.set2FAenabled(usr.isUser2faEnabled());
+        userResponse.setPasswordChangeRequired(usr.isPasswordChangeRequired());
         long domainId = usr.getDomainId();
         boolean is2FAmandated = Boolean.TRUE.equals(AccountManagerImpl.enableUserTwoFactorAuthentication.valueIn(domainId)) && Boolean.TRUE.equals(AccountManagerImpl.mandateUserTwoFactorAuthentication.valueIn(domainId));
         userResponse.set2FAmandated(is2FAmandated);

server/src/main/java/com/cloud/api/query/vo/UserAccountJoinVO.java

@@ -136,6 +136,9 @@ public class UserAccountJoinVO extends BaseViewVO implements InternalIdentity, I
     @Column(name = "api_key_access")
     Boolean apiKeyAccess;
 
+    @Column(name = "password_change_required")
+    Boolean passwordChangeRequired;
+
     public UserAccountJoinVO() {
     }
 
@@ -288,4 +291,8 @@ public boolean isUser2faEnabled() {
     public Boolean getApiKeyAccess() {
         return apiKeyAccess;
     }
+
+    public Boolean isPasswordChangeRequired() {
+        return passwordChangeRequired;
+    }
 }

server/src/main/java/com/cloud/user/AccountManagerImpl.java

@@ -16,6 +16,8 @@
 // under the License.
 package com.cloud.user;
 
+import static org.apache.cloudstack.resourcedetail.UserDetailVO.PasswordChangeRequired;
+
 import java.net.InetAddress;
 import java.net.URLEncoder;
 import java.security.NoSuchAlgorithmException;
@@ -1580,9 +1582,30 @@ public UserAccount updateUser(UpdateUserCmd updateUserCmd) {
             user.setUser2faEnabled(true);
         }
         _userDao.update(user.getId(), user);
+        updatePasswordChangeRequired(caller, updateUserCmd, user);
         return _userAccountDao.findById(user.getId());
     }
 
+    private void updatePasswordChangeRequired(User caller, UpdateUserCmd updateUserCmd, UserVO user) {
+        if (StringUtils.isNotBlank(updateUserCmd.getPassword()) && isNormalUser(user.getAccountId())) {
+            boolean isPasswordResetRequired = updateUserCmd.isPasswordChangeRequired();
+            // Admins only can enforce passwordChangeRequired for user
+            if ((isRootAdmin(caller.getId()) || isDomainAdmin(caller.getAccountId()))) {
+                if (isPasswordResetRequired) {
+                    _userDetailsDao.addDetail(user.getId(), PasswordChangeRequired, "true", false);
+                }
+            }
+
+            // Remove passwordChangeRequired if user updating own pwd or admin has not enforced it
+            if ((caller.getId() == user.getId()) || !isPasswordResetRequired) {
+                UserDetailVO userDetailVO = _userDetailsDao.findDetail(user.getId(), PasswordChangeRequired);
+                if (userDetailVO != null) {
+                    _userDetailsDao.removeDetail(user.getId(), PasswordChangeRequired);
+                }
+            }
+        }
+    }
+
     @Override
     public void verifyCallerPrivilegeForUserOrAccountOperations(Account userAccount) {
         logger.debug(String.format("Verifying whether the caller has the correct privileges based on the user's role type and API permissions: %s", userAccount));
@@ -2841,6 +2864,8 @@ public UserAccount authenticateUser(final String username, final String password
                 logger.debug(String.format("User: %s in domain %d has successfully logged in, auth time duration - %d ms", username, domainId, validUserLastAuthTimeDurationInMs));
             }
 
+            user.setDetails(_userDetailsDao.listDetailsKeyPairs(user.getId()));
+
             return user;
         } else {
             if (logger.isDebugEnabled()) {

ui/public/locales/en.json

@@ -527,6 +527,7 @@
 "label.change.ipaddress": "Change IP address for NIC",
 "label.change.disk.offering": "Change disk offering",
 "label.change.offering.for.volume": "Change disk offering for the volume",
+"label.change.password.onlogin": "User must change password at next login",
 "label.change.service.offering": "Change service offering",
 "label.character": "Character",
 "label.checksum": "Checksum",
@@ -3123,6 +3124,7 @@
 "message.change.offering.for.volume.failed": "Change offering for the volume failed",
 "message.change.offering.for.volume.processing": "Changing offering for the volume...",
 "message.change.password": "Please change your password.",
+"message.change.password.required": "You are required to change your password.",
 "message.change.scope.failed": "Scope change failed",
 "message.change.scope.processing": "Scope change in progress",
 "message.change.service.offering.sharedfs.failed": "Failed to change service offering for the Shared FileSystem.",
@@ -3368,6 +3370,7 @@
 "message.error.apply.tungsten.tag": "Applying Tag failed",
 "message.error.binaries.iso.url": "Please enter binaries ISO URL.",
 "message.error.bucket": "Please enter bucket",
+"message.error.change.password": "Failed to change password.",
 "message.error.cidr": "CIDR is required",
 "message.error.cidr.or.cidrsize": "CIDR or cidr size is required",
 "message.error.cloudian.console": "Single-Sign-On failed for Cloudian management console. Please ask your administrator to fix integration issues.",
@@ -3671,6 +3674,7 @@
 "message.please.confirm.remove.user.data": "Please confirm that you want to remove this User Data",
 "message.please.enter.valid.value": "Please enter a valid value.",
 "message.please.enter.value": "Please enter values.",
+"message.please.login.new.password": "Please log in again with your new password",
 "message.please.wait.while.autoscale.vmgroup.is.being.created": "Please wait while your AutoScaling Group is being created; this may take a while...",
 "message.please.wait.while.zone.is.being.created": "Please wait while your Zone is being created; this may take a while...",
 "message.pod.dedicated": "Pod dedicated.",

ui/src/config/router.js

@@ -313,6 +313,11 @@ export const constantRouterMap = [
         path: 'resetPassword',
         name: 'resetPassword',
         component: () => import(/* webpackChunkName: "auth" */ '@/views/auth/ResetPassword')
+      },
+      {
+        path: 'forceChangePassword',
+        name: 'forceChangePassword',
+        component: () => import(/* webpackChunkName: "auth" */ '@/views/iam/ForceChangePassword')
       }
     ]
   },