[#328] allow user to change own password

Author: d-w-moore

irods/manager/user_manager.py

@@ -1,9 +1,10 @@
 from __future__ import absolute_import
 import logging
+import os
 
 from irods.models import User, UserGroup
 from irods.manager import Manager
-from irods.message import GeneralAdminRequest, iRODSMessage, GetTempPasswordForOtherRequest, GetTempPasswordForOtherOut
+from irods.message import UserAdminRequest, GeneralAdminRequest, iRODSMessage, GetTempPasswordForOtherRequest, GetTempPasswordForOtherOut
 from irods.exception import UserDoesNotExist, UserGroupDoesNotExist, NoResultFound, CAT_SQL_ERR
 from irods.api_number import api_number
 from irods.user import iRODSUser, iRODSUserGroup
@@ -82,6 +83,70 @@ def temp_password_for_user(self, user_name):
             return obf.create_temp_password(msg.stringToHashWith, conn.account.password)
 
 
+    class EnvStoredPasswordNotEdited(RuntimeError):
+
+        """
+        Error thrown by a password change attempt if a login password encoded in the
+        irods environment could not be updated.
+
+        This error will be seen when `modify_irods_authentication_file' is set True and the
+        authentication scheme in effect for the session is other than iRODS native,
+        using a password loaded from the client environment.
+        """
+
+        pass
+
+    @staticmethod
+    def abspath_exists(path):
+        return (isinstance(path,str) and
+                os.path.isabs(path) and
+                os.path.exists(path))
+
+    def modify_password(self, old_value, new_value, modify_irods_authentication_file = False):
+
+        """
+        Change the password for the current user (in the manner of `ipasswd').
+
+        Parameters:
+            old_value - the currently valid (old) password
+            new_value - the desired (new) password
+            modify_irods_authentication_file - Can be False, True, or a string.  If a string, it should indicate
+                                  the absolute path of an IRODS_AUTHENTICATION_FILE to be altered.
+        """
+        with self.sess.pool.get_connection() as conn:
+
+            hash_new_value = obf.obfuscate_new_password(new_value, old_value, conn.client_signature)
+
+            message_body = UserAdminRequest(
+                "userpw",
+                self.sess.username,
+                "password",
+                hash_new_value
+            )
+            request = iRODSMessage("RODS_API_REQ", msg=message_body,
+                                   int_info=api_number['USER_ADMIN_AN'])
+
+            conn.send(request)
+            response = conn.recv()
+            if modify_irods_authentication_file:
+                auth_file = self.sess.auth_file
+                if not auth_file or isinstance(modify_irods_authentication_file, str):
+                    auth_file = (modify_irods_authentication_file if self.abspath_exists(modify_irods_authentication_file) else '')
+                if not auth_file:
+                    message = "Session not loaded from an environment file."
+                    raise UserManager.EnvStoredPasswordNotEdited(message)
+                else:
+                    with open(auth_file) as f:
+                        stored_pw = obf.decode(f.read())
+                    if stored_pw != old_value:
+                        message = "Not changing contents of '{}' - "\
+                                  "stored password is non-native or false match to old password".format(auth_file)
+                        raise UserManager.EnvStoredPasswordNotEdited(message)
+                    with open(auth_file,'w') as f:
+                        f.write(obf.encode(new_value))
+
+        logger.debug(response.int_info)
+
     def modify(self, user_name, option, new_value, user_zone=""):
 
         # must append zone to username for this API call

irods/message/__init__.py

@@ -685,14 +685,14 @@ class VersionResponse(Message):
     cookie = IntegerProperty()
 
 
-# define generalAdminInp_PI "str *arg0; str *arg1; str *arg2; str *arg3;
-# str *arg4; str *arg5; str *arg6; str *arg7;  str *arg8;  str *arg9;"
+class _admin_request_base(Message):
 
-class GeneralAdminRequest(Message):
-    _name = 'generalAdminInp_PI'
+    _name = None
 
     def __init__(self, *args):
-        super(GeneralAdminRequest, self).__init__()
+        if self.__class__._name is None:
+            raise NotImplementedError
+        super(_admin_request_base, self).__init__()
         for i in range(10):
             if i < len(args) and args[i]:
                 setattr(self, 'arg{0}'.format(i), args[i])
@@ -711,6 +711,20 @@ def __init__(self, *args):
     arg9 = StringProperty()
 
 
+# define generalAdminInp_PI "str *arg0; str *arg1; str *arg2; str *arg3;
+# str *arg4; str *arg5; str *arg6; str *arg7;  str *arg8;  str *arg9;"
+
+class GeneralAdminRequest(_admin_request_base):
+    _name = 'generalAdminInp_PI'
+
+
+# define userAdminInp_PI "str *arg0; str *arg1; str *arg2; str *arg3;
+# str *arg4; str *arg5; str *arg6; str *arg7;  str *arg8;  str *arg9;"
+
+class UserAdminRequest(_admin_request_base):
+    _name = 'userAdminInp_PI'
+
+
 class GetTempPasswordForOtherRequest(Message):
     _name = 'getTempPasswordForOtherInp_PI'
     targetUser = StringProperty()

irods/session.py

@@ -21,10 +21,19 @@
 
 class iRODSSession(object):
 
+    @property
+    def env_file (self):
+        return self._env_file
+
+    @property
+    def auth_file (self):
+        return self._auth_file
+
     def __init__(self, configure=True, **kwargs):
         self.pool = None
         self.numThreads = 0
-
+        self._env_file = ''
+        self._auth_file = ''
         self.do_configure = (kwargs if configure else {})
         self.__configured = None
         if configure:
@@ -77,7 +86,7 @@ def _configure_account(self, **kwargs):
             return iRODSAccount(**kwargs)
 
         # Get credentials from irods environment file
-        creds = self.get_irods_env(env_file)
+        creds = self.get_irods_env(env_file, session_ = self)
 
         # Update with new keywords arguments only
         creds.update((key, value) for key, value in kwargs.items() if key not in creds)
@@ -104,7 +113,7 @@ def _configure_account(self, **kwargs):
         except KeyError:
             pass
 
-        creds['password'] = self.get_irods_password(**creds)
+        creds['password'] = self.get_irods_password(session_ = self, **creds)
 
         return iRODSAccount(**creds)
 
@@ -180,16 +189,19 @@ def get_irods_password_file():
             return os.path.expanduser('~/.irods/.irodsA')
 
     @staticmethod
-    def get_irods_env(env_file):
+    def get_irods_env(env_file, session_ = None):
         try:
             with open(env_file, 'rt') as f:
-                return json.load(f)
+                j = json.load(f)
+                if session_ is not None:
+                    session_._env_file = env_file
+                return j
         except IOError:
             logger.debug("Could not open file {}".format(env_file))
             return {}
 
     @staticmethod
-    def get_irods_password(**kwargs):
+    def get_irods_password(session_ = None, **kwargs):
         try:
             irods_auth_file = kwargs['irods_authentication_file']
         except KeyError:
@@ -200,12 +212,18 @@ def get_irods_password(**kwargs):
         except KeyError:
             uid = None
 
+        _retval = ''
+
         try:
             with open(irods_auth_file, 'r') as f:
-                return decode(f.read().rstrip('\n'), uid)
+                _retval = decode(f.read().rstrip('\n'), uid)
+                return _retval
         except IOError as exc:
             if exc.errno != errno.ENOENT: raise # Auth file exists but can't be read
             return ''                           # No auth file (as with anonymous user)
+        finally:
+            if session_ is not None and _retval:
+                session_._auth_file = irods_auth_file
 
     def get_connection_refresh_time(self, **kwargs):
         connection_refresh_time = -1

irods/test/helpers.py

@@ -12,9 +12,11 @@
 import threading
 import random
 import datetime
+import json
 from pwd import getpwnam
 from irods.session import iRODSSession
 from irods.message import iRODSMessage
+from irods.password_obfuscation import encode
 from six.moves import range
 
 
@@ -72,6 +74,20 @@ def get_register_resource(session):
     return Reg_Resc_Name
 
 
+def make_environment_and_auth_files( dir_, **params ):
+    if not os.path.exists(dir_): os.mkdir(dir_)
+    def recast(k):
+        return 'irods_' + k + ('_name' if k in ('user','zone') else '')
+    config = os.path.join(dir_,'irods_environment.json')
+    with open(config,'w') as f1:
+        json.dump({recast(k):v for k,v in params.items() if k != 'password'},f1,indent=4)
+    auth = os.path.join(dir_,'.irodsA')
+    with open(auth,'w') as f2:
+        f2.write(encode(params['password']))
+    os.chmod(auth,0o600)
+    return (config, auth)
+
+
 def make_session(**kwargs):
     try:
         env_file = kwargs.pop('irods_env_file')

irods/test/user_group_test.py

@@ -3,9 +3,13 @@
 import os
 import sys
 import unittest
-from irods.exception import UserGroupDoesNotExist
+import tempfile
+import shutil
+from irods.exception import UserGroupDoesNotExist, UserDoesNotExist
 from irods.meta import iRODSMetaCollection, iRODSMeta
 from irods.models import User, UserGroup, UserMeta
+from irods.session import iRODSSession
+import irods.exception as ex
 import irods.test.helpers as helpers
 from six.moves import range
 
@@ -20,6 +24,95 @@ def tearDown(self):
         '''
         self.sess.cleanup()
 
+    def test_modify_password__328(self):
+        ses = self.sess
+        if ses.users.get( ses.username ).type != 'rodsadmin':
+            self.skipTest( 'Only a rodsadmin may run this test.')
+
+        OLDPASS = 'apass'
+        NEWPASS = 'newpass'
+        try:
+            ses.users.create('alice', 'rodsuser')
+            ses.users.modify('alice', 'password', OLDPASS)
+
+            with iRODSSession(user='alice', password=OLDPASS, host=ses.host, port=ses.port, zone=ses.zone) as alice:
+                me = alice.users.get(alice.username)
+                me.modify_password(OLDPASS, NEWPASS)
+
+            with iRODSSession(user='alice', password=NEWPASS, host=ses.host, port=ses.port, zone=ses.zone) as alice:
+                home = helpers.home_collection( alice )
+                alice.collections.get( home ) # Non-trivial operation to test success!
+        finally:
+            try:
+                ses.users.get('alice').remove()
+            except UserDoesNotExist:
+                pass
+
+    @staticmethod
+    def do_something(session):
+        return session.username in [i[User.name] for i in session.query(User)]
+
+    def test_modify_password_with_changing_auth_file__328(self):
+        ses = self.sess
+        if ses.users.get( ses.username ).type != 'rodsadmin':
+            self.skipTest( 'Only a rodsadmin may run this test.')
+        OLDPASS = 'apass'
+        def generator(p = OLDPASS):
+            n = 1
+            old_pw = p
+            while True:
+                pw = p + str(n)
+                yield old_pw, pw
+                n += 1; old_pw = pw
+        password_generator = generator()
+        ENV_DIR = tempfile.mkdtemp()
+        d = dict(password = OLDPASS, user = 'alice', host = ses.host, port = ses.port, zone = ses.zone)
+        (alice_env, alice_auth) = helpers.make_environment_and_auth_files(ENV_DIR, **d)
+        try:
+            ses.users.create('alice', 'rodsuser')
+            ses.users.modify('alice', 'password', OLDPASS)
+            for modify_option, sess_factory in [ (alice_auth, lambda: iRODSSession(**d)),
+                                                 (True,
+                                                 lambda: helpers.make_session(irods_env_file = alice_env,
+                                                                              irods_authentication_file = alice_auth)) ]:
+                OLDPASS,NEWPASS=next(password_generator)
+                with sess_factory() as alice_ses:
+                    alice = alice_ses.users.get(alice_ses.username)
+                    alice.modify_password(OLDPASS, NEWPASS, modify_irods_authentication_file = modify_option)
+            d['password'] = NEWPASS
+            with iRODSSession(**d) as session:
+                self.do_something(session)           # can we still do stuff with the final value of the password?
+        finally:
+            shutil.rmtree(ENV_DIR)
+            ses.users.remove('alice')
+
+    def test_modify_password_with_incorrect_old_value__328(self):
+        ses = self.sess
+        if ses.users.get( ses.username ).type != 'rodsadmin':
+            self.skipTest( 'Only a rodsadmin may run this test.')
+        OLDPASS = 'apass'
+        NEWPASS = 'newpass'
+        ENV_DIR = tempfile.mkdtemp()
+        try:
+            ses.users.create('alice', 'rodsuser')
+            ses.users.modify('alice', 'password', OLDPASS)
+            d = dict(password = OLDPASS, user = 'alice', host = ses.host, port = ses.port, zone = ses.zone)
+            (alice_env, alice_auth) = helpers.make_environment_and_auth_files(ENV_DIR, **d)
+            session_factories = [
+                       (lambda: iRODSSession(**d)),
+                       (lambda: helpers.make_session( irods_env_file = alice_env, irods_authentication_file = alice_auth)),
+            ]
+            for factory in session_factories:
+                with factory() as alice_ses:
+                    alice = alice_ses.users.get(alice_ses.username)
+                    with self.assertRaises( ex.CAT_PASSWORD_ENCODING_ERROR ):
+                        alice.modify_password(OLDPASS + ".", NEWPASS)
+            with iRODSSession(**d) as alice_ses:
+                self.do_something(alice_ses)
+        finally:
+            shutil.rmtree(ENV_DIR)
+            ses.users.remove('alice')
+
     def test_create_group(self):
         group_name = "test_group"
 

irods/user.py

@@ -44,6 +44,11 @@ def metadata(self):
                  self.manager.sess.metadata, User, self.name)
         return self._meta
 
+    def modify_password(self, old_value, new_value, modify_irods_authentication_file = False):
+        self.manager.modify_password(old_value,
+                                         new_value,
+                                         modify_irods_authentication_file = modify_irods_authentication_file)
+
     def modify(self, *args, **kwargs):
         self.manager.modify(self.name, *args, **kwargs)