Add attributes to indicate pass_change in UPDATE events and record la…

…st pass change operation time.
pydio · Apr 24, 2024 · 01f3e01 · 01f3e01
1 parent 5c55cbc
commit 01f3e01
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 9 deletions.
diff --git a/common/proto/idm/user.go b/common/proto/idm/user.go
@@ -28,10 +28,11 @@ import (
 )
 
 const (
-	UserAttrPrivatePrefix = "pydio:"
-	UserAttrPassHashed    = UserAttrPrivatePrefix + "password_hashed"
-	UserAttrLabelLike     = UserAttrPrivatePrefix + "labelLike"
-	UserAttrOrigin        = UserAttrPrivatePrefix + "origin"
+	UserAttrPrivatePrefix   = "pydio:"
+	UserAttrPassHashed      = UserAttrPrivatePrefix + "password_hashed"
+	UserAttrLabelLike       = UserAttrPrivatePrefix + "labelLike"
+	UserAttrOrigin          = UserAttrPrivatePrefix + "origin"
+	UserAttrLastPassChanged = UserAttrPrivatePrefix + "password_changed_at"
 
 	UserAttrDisplayName = "displayName"
 	UserAttrProfile     = "profile"

diff --git a/idm/user/grpc/handler.go b/idm/user/grpc/handler.go
@@ -64,8 +64,10 @@ var (
 // ByOverride implements sort.Interface for []Role based on the ForceOverride field.
 type ByOverride []*idm.Role
 
-func (a ByOverride) Len() int           { return len(a) }
-func (a ByOverride) Swap(i, j int)      { a[i], a[j] = a[j], a[i] }
+func (a ByOverride) Len() int { return len(a) }
+
+func (a ByOverride) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+
 func (a ByOverride) Less(i, j int) bool { return !a[i].ForceOverride && a[j].ForceOverride }
 
 // Handler definition
@@ -102,7 +104,7 @@ func (h *Handler) BindUser(ctx context.Context, req *idm.BindUserRequest) (*idm.
 // CreateUser adds or creates a user or a group in the underlying database.
 func (h *Handler) CreateUser(ctx context.Context, req *idm.CreateUserRequest) (*idm.CreateUserResponse, error) {
 
-	passChange := req.User.Password
+	passChange := req.User.Password != ""
 	// Create or update user
 	newUser, createdNodes, err := h.dao.Add(req.User)
 	if err != nil {
@@ -118,7 +120,7 @@ func (h *Handler) CreateUser(ctx context.Context, req *idm.CreateUserRequest) (*
 		delete(out.Attributes, "original_group")
 	}
 
-	if passChange != "" {
+	if passChange {
 		// Check if it is a "force pass change operation".
 		ctxLogin, _ := permissions.FindUserNameInContext(ctx)
 		if l, ok := out.Attributes["locks"]; ok && strings.Contains(l, "pass_change") && ctxLogin == out.Login {
@@ -140,6 +142,7 @@ func (h *Handler) CreateUser(ctx context.Context, req *idm.CreateUserRequest) (*
 		}
 	}
 	out.Password = ""
+	out.OldPassword = ""
 	resp.User = out
 	if len(req.User.Policies) == 0 {
 		var userPolicies []*service.ResourcePolicy
@@ -183,6 +186,9 @@ func (h *Handler) CreateUser(ctx context.Context, req *idm.CreateUserRequest) (*
 		if movedGroup != "" {
 			cEvent.Attributes["original_group"] = movedGroup
 		}
+		if passChange {
+			cEvent.Attributes["password_changed"] = "true"
+		}
 		if cu, _ := permissions.FindUserNameInContext(ctx); cu != "" {
 			cEvent.Attributes["ctx_username"] = cu
 		}

diff --git a/idm/user/sql.go b/idm/user/sql.go
@@ -22,14 +22,14 @@ package user
 
 import (
 	"context"
+	databasesql "database/sql"
 	"embed"
 	"fmt"
 	"strconv"
 	"strings"
 	"time"
 	"unicode"
 
-	databasesql "database/sql"
 	migrate "github.com/rubenv/sql-migrate"
 	"go.uber.org/zap"
 	"golang.org/x/text/transform"
@@ -267,6 +267,10 @@ func (s *sqlimpl) Add(in interface{}) (interface{}, []tree.N, error) {
 		// This is an explicit password update
 		log.Logger(context.Background()).Debug("User update w/ password")
 		needsUpdate = true
+		if user.Attributes == nil {
+			user.Attributes = make(map[string]string)
+		}
+		user.Attributes[idm.UserAttrLastPassChanged] = fmt.Sprintf("%d", time.Now().Unix())
 	} else if !user.IsGroup && len(created) > 0 && user.Password == "" {
 		// User has been created with an empty password! Generate a random strong one now
 		log.Logger(context.Background()).Warn("Generating random password for new user")