Mark passwords for SSO-only users as invalid to allow changing them later

Add a new "hash type" for invalid passwords, which is never equal to normal passwords, but nevertheless can be changed without being known by the user. This "invalid" password can only be set by directly setting the password hash type. When updating the password using update_password method, it will always be upgrade it to the strongest hash type, sha256crypt. To allow changing this "invalid" password to a normal one, stop requiring a non-empty current password in the password change dialog when changing a password from an "invalid" one. Don’t show the current password box either, as it is not used anyway in this case, making it better not to show it to avoid confusion. Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk> Gbp-Pq: Topic collabora/sso Gbp-Pq: Name Mark-passwords-for-SSO-only-users-as-invalid-to-allow-cha.patch

Mark passwords for SSO-only users as invalid to allow changing them later
72d7191b · Andrej Shadura · 3a5669f0 · 72d7191b · 72d7191b · 72d7191b
Verified Commit 72d7191b authored 4 years ago by Andrej Shadura
--- a/src/api/app/controllers/webui/user_controller.rb
+++ b/src/api/app/controllers/webui/user_controller.rb
@@ -217,7 +217,7 @@ class Webui::UserController < Webui::WebuiController

  def change_password
    # check the valid of the params
-    unless User.current.password_equals?(params[:password])
+    unless User.current.password_equals?(params[:password]) || User.current.password_invalid?
      errmsg = 'The value of current password does not match your current password. Please enter the password and try again.'
    end
    if not params[:new_password] == params[:repeat_password]

--- a/src/api/app/models/user.rb
+++ b/src/api/app/models/user.rb
@@ -23,7 +23,7 @@ class User < ActiveRecord::Base
  include ActiveModel::Dirty
  include CanRenderModel

-  PASSWORD_HASH_TYPES = ['md5', 'md5crypt', 'sha256crypt']
+  PASSWORD_HASH_TYPES = ['md5', 'md5crypt', 'sha256crypt', 'invalid']

  STATES = {
    'unconfirmed'        => 1,
@@ -131,6 +131,9 @@ class User < ActiveRecord::Base
  #
  def update_password(pass)
    password_will_change!
+    if password_invalid?
+      self.password_hash_type = 'sha256crypt'
+    end
    self.password_crypted = hash_string(pass).crypt('os')
    self.password_confirmation = hash_string(pass)
    self.password = hash_string(pass)
@@ -311,7 +314,11 @@ class User < ActiveRecord::Base
  # This method checks whether the given value equals the password when
  # hashed with this user's password hash type. Returns a boolean.
  def password_equals?(value)
-    hash_string(value) == self.password
+    hash_string(value) == self.password && !password_invalid?
+  end
+
+  def password_invalid?
+    self.password_hash_type == 'invalid'
  end

  # Sets the last login time and saves the object. Note: Must currently be
@@ -1048,6 +1055,8 @@ class User < ActiveRecord::Base
      Digest::MD5.hexdigest(value + password_salt)
    elsif crypt2index.keys.include?(password_hash_type)
      value.crypt("$#{crypt2index[password_hash_type]}$#{password_salt}$").split("$")[3]
+    else
+      'invalid'
    end
  end


--- a/src/api/app/views/webui/user/_password_dialog.html.erb
+++ b/src/api/app/views/webui/user/_password_dialog.html.erb
@@ -5,10 +5,12 @@
  <h2 class="box-header">Change Your Password</h2>
  <div class="dialog-content">
    <%= form_tag(:action => 'change_password') do %>
+      <% if !User.current.password_invalid? %>
      <p>
        <%= label_tag :password, 'Current Password:' %><br/>
        <%= text_field_tag :password, nil, :type => 'password', :required => 'true'%>
      </p>
+      <% end %>
      <p>
        <%= label_tag :new_password, 'New Password:' %><br/>
        <%= text_field_tag :new_password, nil, :type => 'password', :autocomplete => 'off', :required => 'true' %>