Support non-interactive user password update

Currently user password update require interactive prompting of user's original password. This is problematic because we can't support non-interactive applications and therefore hinders automation. This patch make it possible by optionally accepting an '--original-password' argument. If specified, we would use it instead of prompting. DocImpact Change-Id: I2d994e8c2be949f7ae616ac1d1594fb94e1a27cd Closes-Bug: 1531360
2016-01-07 18:56:44 -08:00 · 2016-01-07 18:56:44 -08:00 · 5cbecc130e
commit 5cbecc130e
parent ee1a4774dd
3 changed files with 53 additions and 2 deletions
--- a/openstackclient/identity/v3/user.py
+++ b/openstackclient/identity/v3/user.py
@ -392,14 +392,41 @@ class SetPasswordUser(command.Command):
            metavar='<new-password>',
            help='New user password'
        )
+        parser.add_argument(
+            '--original-password',
+            metavar='<original-password>',
+            help='Original user password'
+        )
        return parser

    @utils.log_method(log)
    def take_action(self, parsed_args):
        identity_client = self.app.client_manager.identity

-        current_password = utils.get_password(
-            self.app.stdin, prompt="Current Password:", confirm=False)
+        # FIXME(gyee): there are two scenarios:
+        #
+        # 1. user update password for himself
+        # 2. admin update password on behalf of the user. This is an unlikely
+        #    scenario because that will require admin knowing the user's
+        #    original password which is forbidden under most security
+        #    policies.
+        #
+        # Of the two scenarios above, user either authenticate using its
+        # original password or an authentication token. For scenario #1,
+        # if user is authenticating with its original password (i.e. passing
+        # --os-password argument), we can just make use of it instead of using
+        # --original-password or prompting. For scenario #2, admin will need
+        # to specify --original-password option or this won't work because
+        # --os-password is the admin's own password. In the future if we stop
+        # supporting scenario #2 then we can just do this.
+        #
+        # current_password = (parsed_args.original_password or
+        #                     self.app.cloud.password)
+        #
+        current_password = parsed_args.original_password
+        if current_password is None:
+            current_password = utils.get_password(
+                self.app.stdin, prompt="Current Password:", confirm=False)

        password = parsed_args.password
        if password is None:
--- a/openstackclient/tests/identity/v3/test_user.py
+++ b/openstackclient/tests/identity/v3/test_user.py
@ -1095,6 +1095,25 @@ class TestUserSetPassword(TestUser):
            current_pass, new_pass
        )

+    def test_user_password_change_no_prompt(self):
+        current_pass = 'old_pass'
+        new_pass = 'new_pass'
+        arglist = [
+            '--password', new_pass,
+            '--original-password', current_pass,
+        ]
+        verifylist = [
+            ('password', new_pass),
+            ('original_password', current_pass),
+        ]
+        parsed_args = self.check_parser(self.cmd, arglist, verifylist)
+
+        self.cmd.take_action(parsed_args)
+
+        self.users_mock.update_password.assert_called_with(
+            current_pass, new_pass
+        )
+

 class TestUserShow(TestUser):

--- a/releasenotes/notes/bug-1531360-0f5c62d18088e5b5.yaml
+++ b/releasenotes/notes/bug-1531360-0f5c62d18088e5b5.yaml
@ -0,0 +1,5 @@
+---
+fixes:
+  - |
+    Support non-interactive user password update
+    [Bug `1531360 <https://bugs.launchpad.net/bugs/1531360>`_]