Repository: ranger Updated Branches: refs/heads/master 243b72965 -> 5b0fbac88
RANGER-1727 : Ranger allows user to change an external user's password with 'null' old password Signed-off-by: Velmurugan Periasamy <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/5b0fbac8 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/5b0fbac8 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/5b0fbac8 Branch: refs/heads/master Commit: 5b0fbac8846e9e97398e14307893caabd6ee60bc Parents: 243b729 Author: fatimaawez <[email protected]> Authored: Tue Sep 26 14:59:41 2017 +0530 Committer: Velmurugan Periasamy <[email protected]> Committed: Wed Sep 27 14:50:37 2017 -0400 ---------------------------------------------------------------------- .../java/org/apache/ranger/biz/UserMgr.java | 41 ++++++++++++++++---- .../java/org/apache/ranger/biz/XUserMgr.java | 18 +++++++-- .../org/apache/ranger/biz/TestXUserMgr.java | 4 ++ 3 files changed, 52 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/5b0fbac8/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java index cc81029..5f85066 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/UserMgr.java 
@@ -401,7 +401,13 @@ public class UserMgr { logger.warn("SECURITY:changePassword(). User not found. LoginId="+ pwdChange.getLoginId()); throw restErrorUtil.createRESTException("serverMsg.userMgrInvalidUser",MessageEnums.DATA_NOT_FOUND, null, null,pwdChange.getLoginId()); } - + if (gjUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { + logger.info("SECURITY:changePassword().Ranger External Users cannot change password. LoginId=" + pwdChange.getLoginId()); + VXResponse vXResponse = new VXResponse(); + vXResponse.setStatusCode(HttpServletResponse.SC_FORBIDDEN); + vXResponse.setMsgDesc("SECURITY:changePassword().Ranger External Users cannot change password. LoginId=" + pwdChange.getLoginId()); + throw restErrorUtil.generateRESTException(vXResponse); + } //check current password and provided old password is same or not String encryptedOldPwd = encrypt(pwdChange.getLoginId(),pwdChange.getOldPassword()); if (!stringUtil.equals(encryptedOldPwd, gjUser.getPassword())) { @@ -484,9 +490,12 @@ public class UserMgr { String saltEncodedpasswd = encrypt(gjUser.getLoginId(), changeEmail.getOldPassword()); - + if (gjUser.getUserSource() == RangerCommonEnums.USER_APP) { gjUser.setPassword(saltEncodedpasswd); - + } + else if (gjUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { + gjUser.setPassword(gjUser.getPassword()); + } daoManager.getXXPortalUser().update(gjUser); return mapXXPortalUserVXPortalUser(gjUser); } @@ -1246,7 +1255,7 @@ public class UserMgr { public XXPortalUser updateUserWithPass(VXPortalUser userProfile) { String updatedPassword = userProfile.getPassword(); - XXPortalUser xXPortalUser = this.updateUser(userProfile); + XXPortalUser xXPortalUser = this.updateUser(userProfile); if (xXPortalUser == null) { return null; 
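Review bot: The new external-user rejection in changePassword() is logged with `logger.info`, while the "User not found" rejection just above it in the same hunk uses `logger.warn`; a refused password change on an externally managed account is something an operator should see, so `logger.warn(...)` fits better. The same string, including the internal `SECURITY:changePassword().` prefix, is also returned to the caller through `setMsgDesc`; a plain client message such as `vXResponse.setMsgDesc("Password change is not allowed for external users");` keeps log formatting out of the API response. Placing the check before the old-password comparison is the right order. changePassword() starts and ends outside the hunk.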
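Review bot: The `else if (gjUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL)` branch added in the hunk at -484 is a self-assignment, `gjUser.setPassword(gjUser.getPassword());`, so it changes nothing and only obscures what the guard does; the hunk at -1363 adds the same pattern on `xXPortalUser`. Dropping that branch and keeping `if (gjUser.getUserSource() == RangerCommonEnums.USER_APP) { gjUser.setPassword(saltEncodedpasswd); }` with a comment such as `// only Ranger-managed (USER_APP) accounts have their stored password rewritten` states the intent directly. With the `== USER_APP` form, any source value other than these two also keeps its stored password, which is the fail-closed behaviour and worth saying in that comment. The enclosing method starts outside the hunk.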
@@ -1267,8 +1276,13 @@ public class UserMgr { String encryptedNewPwd = encrypt(xXPortalUser.getLoginId(), updatedPassword); - xXPortalUser.setPassword(encryptedNewPwd); - xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser); + if (xXPortalUser.getUserSource() != RangerCommonEnums.USER_EXTERNAL) { + xXPortalUser.setPassword(encryptedNewPwd); + } + else if (xXPortalUser.getUserSource() != RangerCommonEnums.USER_EXTERNAL) { + xXPortalUser.setPassword(xXPortalUser.getPassword()); + } + xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser); } return xXPortalUser; } @@ -1286,7 +1300,13 @@ public class UserMgr { } String dbOldPwd =xXPortalUser.getPassword(); String encryptedNewPwd = encrypt(xXPortalUser.getLoginId(),userPassword); - xXPortalUser.setPassword(encryptedNewPwd); + if (xXPortalUser.getUserSource() != RangerCommonEnums.USER_EXTERNAL) { + xXPortalUser.setPassword(encryptedNewPwd); + } + else if (xXPortalUser.getUserSource() != RangerCommonEnums.USER_EXTERNAL) { + xXPortalUser.setPassword(xXPortalUser.getPassword()); + } + xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser); if(xXPortalUser!=null && logAudits){ String dbNewPwd=xXPortalUser.getPassword(); 
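Review bot: The `else if` added in the hunk at -1267 repeats the condition of the `if` above it (`xXPortalUser.getUserSource() != RangerCommonEnums.USER_EXTERNAL` in both), so the second branch can never run; the hunk at -1286 has the identical construct. External users still keep their stored password because neither branch executes for them, but the code reads as if `== USER_EXTERNAL` was intended, and the unreachable self-assignment should be removed. These two hunks also gate on `!= USER_EXTERNAL` where the other hunks in this file use `== USER_APP`; for a check that protects credentials, the allow-list form `if (xXPortalUser.getUserSource() == RangerCommonEnums.USER_APP) { xXPortalUser.setPassword(encryptedNewPwd); }` keeps any other source value from being rewritten. This code appears to belong to updateUserWithPass(), whose signature is in the preceding hunk rather than this one.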
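Review bot: For an external user the hunk at -1286 now skips `setPassword` but still calls `daoManager.getXXPortalUser().update(xXPortalUser)` and then enters the `if(xXPortalUser!=null && logAudits)` block, so the caller gets a normal return for a password change that did not happen. changePassword() in this same commit rejects that case with `HttpServletResponse.SC_FORBIDDEN`; doing the same here, or at least skipping the update and audit path when the source is not `USER_APP`, would make the outcome visible to the caller. Whether an audit entry is actually written depends on the comparison of `dbOldPwd` and `dbNewPwd`, which continues outside the hunk. `encrypt(xXPortalUser.getLoginId(),userPassword)` is also still run on the supplied password for external users and could move inside the guard.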
@@ -1363,7 +1383,12 @@ public class UserMgr { xXPortalUser.setLoginId(newUserName); // The old password needs to be encrypted by the new user name String updatedPwd = encrypt(newUserName,currentPassword); - xXPortalUser.setPassword(updatedPwd); + if (xXPortalUser.getUserSource() == RangerCommonEnums.USER_APP) { + xXPortalUser.setPassword(updatedPwd); + } + else if (xXPortalUser.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { + xXPortalUser.setPassword(xXPortalUser.getPassword()); + } xXPortalUser = daoManager.getXXPortalUser().update(xXPortalUser); List<XXTrxLog> trxLogList = new ArrayList<XXTrxLog>(); XXTrxLog xTrxLog = new XXTrxLog(); http://git-wip-us.apache.org/repos/asf/ranger/blob/5b0fbac8/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java index 670baa3..0b97da9 100644 --- a/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java +++ b/security-admin/src/main/java/org/apache/ranger/biz/XUserMgr.java @@ -386,10 +386,16 @@ public class XUserMgr extends XUserMgrBase { && password.equals(hiddenPasswordString)) { vXPortalUser.setPassword(oldUserProfile.getPassword()); } - else if(password != null){ - validatePassword(vXUser); - vXPortalUser.setPassword(password); + else if(password != null){ + validatePassword(vXUser); + if (oldUserProfile.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { + vXPortalUser.setPassword(oldUserProfile.getPassword()); + } + else if(oldUserProfile.getUserSource() == RangerCommonEnums.USER_APP) + { + vXPortalUser.setPassword(password); } + } Collection<Long> groupIdList = vXUser.getGroupIdList(); XXPortalUser xXPortalUser = new XXPortalUser(); xXPortalUser = userMgr.updateUserWithPass(vXPortalUser); 
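Review bot: In the XUserMgr hunk at -386, `validatePassword(vXUser)` runs before the user-source check, so an update to an external user can be rejected over a password value that the following lines discard; moving the call into the `USER_APP` branch avoids that. The inner `if`/`else if` also leaves the password on `vXPortalUser` untouched when the source is neither `USER_EXTERNAL` nor `USER_APP`, and `userMgr.updateUserWithPass(vXPortalUser)` is called right after; what the object holds at that point depends on code outside the hunk. Testing `USER_APP` first and using a plain `else { vXPortalUser.setPassword(oldUserProfile.getPassword()); }` would make every non-APP source keep the stored value. The hunk at -441 has the same two-branch shape on `vXUser`, and the enclosing method starts and ends outside both hunks.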
@@ -441,7 +447,13 @@ public class XUserMgr extends XUserMgrBase { // There is nothing to log anything in XXUser so far. vXUser = xUserService.updateResource(vXUser); vXUser.setUserRoleList(roleList); + if (oldUserProfile.getUserSource() == RangerCommonEnums.USER_APP) { vXUser.setPassword(password); + } + else if (oldUserProfile.getUserSource() == RangerCommonEnums.USER_EXTERNAL) { + vXUser.setPassword(oldUserProfile.getPassword()); + } + List<XXTrxLog> trxLogList = xUserService.getTransactionLog(vXUser, oldUserProfile, "update"); vXUser.setPassword(hiddenPasswordString); http://git-wip-us.apache.org/repos/asf/ranger/blob/5b0fbac8/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java ---------------------------------------------------------------------- diff --git a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java index d0fb3dc..cdd581b 100644 --- a/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java +++ b/security-admin/src/test/java/org/apache/ranger/biz/TestXUserMgr.java @@ -314,7 +314,11 @@ public class TestXUserMgr { public void test12UpdateXUser() { setup(); VXUser vxUser = vxUser(); + vxUser.setUserSource(RangerCommonEnums.USER_APP); + vxUser.setName("name"); Mockito.when(xUserService.updateResource(vxUser)).thenReturn(vxUser); + VXPortalUser vXPortalUser = new VXPortalUser(); + Mockito.when(userMgr.getUserProfileByLoginId(vxUser.getName())).thenReturn(vXPortalUser); VXUser dbvxUser = xUserMgr.updateXUser(vxUser); Assert.assertNotNull(dbvxUser);
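Review bot: The TestXUserMgr change only keeps the existing update test passing on the `USER_APP` path; nothing in it exercises the `USER_EXTERNAL` branch that this commit exists to add. A companion test would pin the fix: have the `getUserProfileByLoginId` mock return a profile with `vXPortalUser.setUserSource(RangerCommonEnums.USER_EXTERNAL);` and a known stored password, then check that the password handed to `userMgr.updateUserWithPass` is the stored one and not the submitted one. The mocked `VXPortalUser` here never sets a user source, so the test presumably relies on the field's default matching `USER_APP`; setting it explicitly makes the intent visible. test12UpdateXUser continues outside the hunk.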
