MB-68657 Add CLI support for temporary passwords

Add a user-manage --temporary-password flag which marks the password
of an internal user as temporary.

Change-Id: I86af3c0ba81cae9ff4858e9c0ab8df9ddc67e7ef
Reviewed-on: https://review.couchbase.org/c/couchbase-cli/+/240154
Tested-by: Build Bot <build@couchbase.com>
Well-Formed: Restriction Checker
Reviewed-by: Matt Hall <matt.hall@couchbase.com>

Author: lubomarinski

cbmgr.py

@@ -4780,8 +4780,10 @@ def __init__(self):
         group.add_argument("--group-name", dest="group", metavar="<group>", help="Group name")
         group.add_argument("--group-description", dest="description", metavar="<text>", help="Group description")
         group.add_argument("--ldap-ref", dest="ldap_ref", metavar="<ref>", help="LDAP group's distinguished name")
+        group.add_argument("--temporary-password", dest="temporary_password", action="store_true",
+                           help="Force the user to change their password on next login (Enterprise Edition only)")
 
-    @rest_initialiser(cluster_init_check=True, version_check=True)
+    @rest_initialiser(cluster_init_check=True, version_check=True, enterprise_check=False)
     def execute(self, opts):
         num_selectors = sum([opts.delete, opts.list, opts.my_roles, opts.set, opts.get, opts.get_group,
                              opts.list_group, opts.delete_group, opts.set_group, opts.lock, opts.unlock])
@@ -4915,11 +4917,15 @@ def _set(self, opts):
         if opts.rbac_pass is not None and opts.auth_domain == "external":
             _warning("--rbac-password cannot be used with the external auth domain")
             opts.rbac_pass = None
+        if opts.temporary_password and not self.enterprise:
+            _exit_if_errors(["--temporary-password is only supported on Enterprise Edition"])
+        if opts.temporary_password and opts.auth_domain == "external":
+            _exit_if_errors(["--temporary-password cannot be used for external users"])
         if opts.auth_domain is None:
             _exit_if_errors(["--auth-domain is required with the --set option"])
 
         _, errors = self.rest.set_rbac_user(opts.rbac_user, opts.rbac_pass, opts.rbac_name, opts.roles,
-                                            opts.auth_domain, opts.groups)
+                                            opts.auth_domain, opts.groups, opts.temporary_password)
         _exit_if_errors(errors)
 
         if opts.roles is not None and "query_external_access" in opts.roles:

cluster_manager.py

@@ -1595,7 +1595,7 @@ def my_roles(self):
         url = f'{self.hostname}/whoami'
         return self._get(url)
 
-    def set_rbac_user(self, username, password, name, roles, auth_domain, groups):
+    def set_rbac_user(self, username, password, name, roles, auth_domain, groups, temporary_password=None):
         if auth_domain is None:
             return None, ["The authentication type is required"]
 
@@ -1625,6 +1625,8 @@ def set_rbac_user(self, username, password, name, roles, auth_domain, groups):
             params['groups'] = groups
         elif 'groups' in defaults:
             params['groups'] = ','.join(defaults['groups'])
+        if temporary_password:
+            params['temporaryPassword'] = 'true'
 
         return self._put(url, params)
 

docs/modules/cli/pages/cbcli/couchbase-cli-user-manage.adoc

@@ -19,7 +19,7 @@ _couchbase-cli user-manage_ [--cluster <url>] [--username <user>] [--password <p
     [--set-group] [--delete-group] [--list-groups] [--get-group]
     [-- get] [--lock] [--unlock] [--rbac-username <username>]
     [--rbac-password <password>] [--rbac-name <name>] [--roles <roles_list>]
-    [--auth-domain <domain>] [--user-groups <group>]
+    [--auth-domain <domain>] [--user-groups <group>] [--temporary-password]
     [--group-description <text>] [--ldap-ref <ref>]
 
 == DESCRIPTION
@@ -100,6 +100,10 @@ include::{partialsdir}/cbcli/part-common-options.adoc[]
   a user (--set) or when updating the users group, and
   should be specified as a comma separated list.
 
+--temporary-password::
+  Sets a temporary password which the user must change on their next login.
+  This option can only be used with _local_ users.
+
 --group-name <group>::
   Specifies the target group for the group operations (--set-group,
   --delete-group, --get-group).
@@ -456,6 +460,13 @@ $ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
  --rbac-name "John Doe" --roles bucket_admin[default],replication_admin \
  --auth-domain local
 ----
+To create a local user that with a temporary password (Enterprise Edition only):
+----
+$ couchbase-cli user-manage -c 127.0.0.1:8091 -u Administrator \
+ -p password --set --rbac-username jdoe --rbac-password cbpass \
+ --rbac-name "John Doe" --roles bucket_admin[default] \
+ --auth-domain local --temporary-password
+----
 If you have external user source setup in your cluster and you want to add a
 user "John Doe" with username `jdoe` who should have the ability to manage only
 views for all bucket run the following command

test/test_cli.py

@@ -2777,8 +2777,31 @@ def test_unlock(self):
         self.assertIn('PATCH:/settings/rbac/users/local/username', self.server.trace)
         expected_params = ['locked=false']
         self.rest_parameter_match(expected_params)
+
+    def test_set_local_user_with_temporary_password(self):
+        self.no_error_run(self.command + ['--set', '--rbac-username', 'username', '--rbac-password', 'pwd',
+                                          '--auth-domain', 'local', '--roles', 'admin', '--rbac-name', 'name',
+                                          '--temporary-password'],
+                          self.server_args)
+        self.assertIn('PUT:/settings/rbac/users/local/username', self.server.trace)
+        expected_params = ['name=name', 'password=pwd', 'roles=admin', 'temporaryPassword=true']
         self.rest_parameter_match(expected_params)
 
+    def test_set_external_user_with_temporary_password(self):
+        self.system_exit_run(self.command + ['--set', '--rbac-username', 'username', '--auth-domain',
+                                             'external', '--roles', 'admin', '--rbac-name', 'name',
+                                             '--temporary-password'],
+                             self.server_args)
+        self.assertIn('--temporary-password cannot be used for external users', self.str_output)
+
+    def test_set_local_user_with_temporary_password_community(self):
+        self.server_args['enterprise'] = False
+        self.system_exit_run(self.command + ['--set', '--rbac-username', 'username', '--rbac-password', 'pwd',
+                                             '--auth-domain', 'local', '--roles', 'admin', '--rbac-name', 'name',
+                                             '--temporary-password'],
+                             self.server_args)
+        self.assertIn('--temporary-password is only supported on Enterprise Edition', self.str_output)
+
 
 class TestMasterPassword(CommandTest):
     def setUp(self):