apache
diff --git a/‎api/src/main/java/com/cloud/user/AccountService.java‎
Lines changed: 2 additions & 1 deletion b/‎api/src/main/java/com/cloud/user/AccountService.java‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎api/src/main/java/org/apache/cloudstack/api/ApiConstants.java‎
Lines changed: 1 addition & 0 deletions b/‎api/src/main/java/org/apache/cloudstack/api/ApiConstants.java‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/src/main/java/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java‎
Lines changed: 12 additions & 1 deletion b/‎api/src/main/java/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java‎
Lines changed: 12 additions & 1 deletion
diff --git a/‎api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java‎
Lines changed: 12 additions & 2 deletions b/‎api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java‎
Lines changed: 12 additions & 2 deletions
diff --git a/‎api/src/main/java/org/apache/cloudstack/api/response/LoginCmdResponse.java‎
Lines changed: 12 additions & 0 deletions b/‎api/src/main/java/org/apache/cloudstack/api/response/LoginCmdResponse.java‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎api/src/test/java/org/apache/cloudstack/api/command/admin/user/CreateUserCmdTest.java‎
Lines changed: 3 additions & 3 deletions b/‎api/src/test/java/org/apache/cloudstack/api/command/admin/user/CreateUserCmdTest.java‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎api/src/test/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmdTest.java‎
Lines changed: 64 additions & 0 deletions b/‎api/src/test/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmdTest.java‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎api/src/test/java/org/apache/cloudstack/api/response/LoginCmdResponseTest.java‎
Lines changed: 87 additions & 0 deletions b/‎api/src/test/java/org/apache/cloudstack/api/response/LoginCmdResponseTest.java‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎engine/schema/src/main/java/org/apache/cloudstack/resourcedetail/UserDetailVO.java‎
Lines changed: 2 additions & 0 deletions b/‎engine/schema/src/main/java/org/apache/cloudstack/resourcedetail/UserDetailVO.java‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java‎
Lines changed: 17 additions & 5 deletions b/‎plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java‎
Lines changed: 17 additions & 5 deletions
@@ -59,7 +59,8 @@ UserAccount createUserAccount(String userName, String password, String firstName
 
     User getSystemUser();
 
-    User createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID);
+    User createUser(String userName, String password, String firstName, String lastName, String email, String timeZone,
+                    String accountName, Long domainId, String userUUID, boolean isPasswordChangeRequired);
 
     User createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID,
                     User.Source source);
 
@@ -1261,6 +1261,7 @@ public class ApiConstants {
     public static final String PROVIDER_FOR_2FA = "providerfor2fa";
     public static final String ISSUER_FOR_2FA = "issuerfor2fa";
     public static final String MANDATE_2FA = "mandate2fa";
+    public static final String PASSWORD_CHANGE_REQUIRED = "passwordchangerequired";
     public static final String SECRET_CODE = "secretcode";
     public static final String LOGIN = "login";
     public static final String LOGOUT = "logout";
 
@@ -26,6 +26,7 @@
 import org.apache.cloudstack.api.response.DomainResponse;
 import org.apache.cloudstack.api.response.UserResponse;
 import org.apache.cloudstack.context.CallContext;
+import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang3.StringUtils;
 
 import com.cloud.user.Account;
@@ -78,6 +79,12 @@ public class CreateUserCmd extends BaseCmd {
     @Parameter(name = ApiConstants.USER_ID, type = CommandType.STRING, description = "User UUID, required for adding account from external provisioning system")
     private String userUUID;
 
+    @Parameter(name = ApiConstants.PASSWORD_CHANGE_REQUIRED,
+            type = CommandType.BOOLEAN,
+            description = "Provide true to mandate the User to reset password on next login.",
+            since = "4.23.0")
+    private Boolean passwordChangeRequired;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -118,6 +125,10 @@ public String getUserUUID() {
         return userUUID;
     }
 
+    public Boolean isPasswordChangeRequired() {
+        return BooleanUtils.isTrue(passwordChangeRequired);
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
@@ -147,7 +158,7 @@ public void execute() {
         CallContext.current().setEventDetails("UserName: " + getUserName() + ", FirstName :" + getFirstName() + ", LastName: " + getLastName());
         User user =
             _accountService.createUser(getUserName(), getPassword(), getFirstName(), getLastName(), getEmail(), getTimezone(), getAccountName(), getDomainId(),
-                getUserUUID());
+                getUserUUID(), isPasswordChangeRequired());
         if (user != null) {
             UserResponse response = _responseGenerator.createUserResponse(user);
             response.setResponseName(getCommandName());
 
@@ -29,6 +29,7 @@
 import org.apache.cloudstack.api.response.UserResponse;
 import org.apache.cloudstack.context.CallContext;
 import org.apache.cloudstack.region.RegionService;
+import org.apache.commons.lang.BooleanUtils;
 
 import com.cloud.user.Account;
 import com.cloud.user.User;
@@ -38,6 +39,8 @@
 requestHasSensitiveInfo = true, responseHasSensitiveInfo = true)
 public class UpdateUserCmd extends BaseCmd {
 
+    @Inject
+    private RegionService _regionService;
 
     /////////////////////////////////////////////////////
     //////////////// API parameters /////////////////////
@@ -85,8 +88,11 @@ public class UpdateUserCmd extends BaseCmd {
             "This parameter is only used to mandate 2FA, not to disable 2FA", since = "4.18.0.0")
     private Boolean mandate2FA;
 
-    @Inject
-    private RegionService _regionService;
+    @Parameter(name = ApiConstants.PASSWORD_CHANGE_REQUIRED,
+            type = CommandType.BOOLEAN,
+            description = "Provide true to mandate the User to reset password on next login.",
+            since = "4.23.0")
+    private Boolean passwordChangeRequired;
 
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
@@ -193,4 +199,8 @@ public Long getApiResourceId() {
     public ApiCommandResourceType getApiResourceType() {
         return ApiCommandResourceType.User;
     }
+
+    public Boolean isPasswordChangeRequired() {
+        return BooleanUtils.isTrue(passwordChangeRequired);
+    }
 }
@@ -90,6 +90,10 @@ public class LoginCmdResponse extends AuthenticationCmdResponse {
     @Param(description = "Management Server ID that the user logged to", since = "4.21.0.0")
     private String managementServerId;
 
+    @SerializedName(value = ApiConstants.PASSWORD_CHANGE_REQUIRED)
+    @Param(description = "Indicates whether the User is required to change password on next login.", since = "4.23.0")
+    private Boolean passwordChangeRequired;
+
     public String getUsername() {
         return username;
     }
@@ -223,4 +227,12 @@ public String getManagementServerId() {
     public void setManagementServerId(String managementServerId) {
         this.managementServerId = managementServerId;
     }
+
+    public Boolean getPasswordChangeRequired() {
+        return passwordChangeRequired;
+    }
+
+    public void setPasswordChangeRequired(Boolean passwordChangeRequired) {
+        this.passwordChangeRequired = passwordChangeRequired;
+    }
 }
@@ -69,7 +69,7 @@ public void testExecuteWithNotBlankPassword() {
         } catch (ServerApiException e) {
             Assert.assertTrue("Received exception as the mock accountService createUser returns null user", true);
         }
-        Mockito.verify(accountService, Mockito.times(1)).createUser(null, "Test", null, null, null, null, null, null, null);
+        Mockito.verify(accountService, Mockito.times(1)).createUser(null, "Test", null, null, null, null, null, null, null, false);
     }
 
     @Test
@@ -82,7 +82,7 @@ public void testExecuteWithNullPassword() {
             Assert.assertEquals(ApiErrorCode.PARAM_ERROR,e.getErrorCode());
             Assert.assertEquals("Empty passwords are not allowed", e.getMessage());
         }
-        Mockito.verify(accountService, Mockito.never()).createUser(null, null, null, null, null, null, null, null, null);
+        Mockito.verify(accountService, Mockito.never()).createUser(null, null, null, null, null, null, null, null, null, false);
     }
 
     @Test
@@ -95,6 +95,6 @@ public void testExecuteWithEmptyPassword() {
             Assert.assertEquals(ApiErrorCode.PARAM_ERROR,e.getErrorCode());
             Assert.assertEquals("Empty passwords are not allowed", e.getMessage());
         }
-        Mockito.verify(accountService, Mockito.never()).createUser(null, null, null, null, null, null, null, null, null);
+        Mockito.verify(accountService, Mockito.never()).createUser(null, null, null, null, null, null, null, null, null, true);
     }
 }
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cloudstack.api.command.admin.user;
+
+import org.apache.cloudstack.api.ApiCommandResourceType;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.junit.MockitoJUnitRunner;
+import org.springframework.test.util.ReflectionTestUtils;
+
+@RunWith(MockitoJUnitRunner.class)
+public class UpdateUserCmdTest {
+    @InjectMocks
+    private UpdateUserCmd cmd;
+
+    @Test
+    public void testGetApiResourceId() {
+        Long userId = 99L;
+        cmd.setId(userId);
+        Assert.assertEquals(userId, cmd.getApiResourceId());
+    }
+
+    @Test
+    public void testGetApiResourceType() {
+        Assert.assertEquals(ApiCommandResourceType.User, cmd.getApiResourceType());
+    }
+
+    @Test
+    public void testIsPasswordChangeRequired_True() {
+        ReflectionTestUtils.setField(cmd, "passwordChangeRequired", Boolean.TRUE);
+        Assert.assertTrue(cmd.isPasswordChangeRequired());
+    }
+
+    @Test
+    public void testIsPasswordChangeRequired_False() {
+        ReflectionTestUtils.setField(cmd, "passwordChangeRequired", Boolean.FALSE);
+        Assert.assertFalse(cmd.isPasswordChangeRequired());
+    }
+
+    @Test
+    public void testIsPasswordChangeRequired_Null() {
+        ReflectionTestUtils.setField(cmd, "passwordChangeRequired", null);
+        Assert.assertFalse(cmd.isPasswordChangeRequired());
+    }
+}
@@ -0,0 +1,87 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.  You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.cloudstack.api.response;
+
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class LoginCmdResponseTest {
+
+    @Test
+    public void testAllGettersAndSetters() {
+        LoginCmdResponse response = new LoginCmdResponse();
+
+        response.setUsername("user1");
+        response.setUserId("100");
+        response.setDomainId("200");
+        response.setTimeout(3600);
+        response.setAccount("account1");
+        response.setFirstName("John");
+        response.setLastName("Doe");
+        response.setType("admin");
+        response.setTimeZone("UTC");
+        response.setTimeZoneOffset("+00:00");
+        response.setRegistered("true");
+        response.setSessionKey("session-key");
+        response.set2FAenabled("true");
+        response.set2FAverfied("false");
+        response.setProviderFor2FA("totp");
+        response.setIssuerFor2FA("cloudstack");
+        response.setManagementServerId("ms-1");
+
+        Assert.assertEquals("user1", response.getUsername());
+        Assert.assertEquals("100", response.getUserId());
+        Assert.assertEquals("200", response.getDomainId());
+        Assert.assertEquals(Integer.valueOf(3600), response.getTimeout());
+        Assert.assertEquals("account1", response.getAccount());
+        Assert.assertEquals("John", response.getFirstName());
+        Assert.assertEquals("Doe", response.getLastName());
+        Assert.assertEquals("admin", response.getType());
+        Assert.assertEquals("UTC", response.getTimeZone());
+        Assert.assertEquals("+00:00", response.getTimeZoneOffset());
+        Assert.assertEquals("true", response.getRegistered());
+        Assert.assertEquals("session-key", response.getSessionKey());
+        Assert.assertEquals("true", response.is2FAenabled());
+        Assert.assertEquals("false", response.is2FAverfied());
+        Assert.assertEquals("totp", response.getProviderFor2FA());
+        Assert.assertEquals("cloudstack", response.getIssuerFor2FA());
+        Assert.assertEquals("ms-1", response.getManagementServerId());
+    }
+
+    @Test
+    public void testPasswordChangeRequired_True() {
+        LoginCmdResponse response = new LoginCmdResponse();
+        response.setPasswordChangeRequired(true);
+        Assert.assertTrue(response.getPasswordChangeRequired());
+    }
+
+    @Test
+    public void testPasswordChangeRequired_False() {
+        LoginCmdResponse response = new LoginCmdResponse();
+        response.setPasswordChangeRequired(false);
+        Assert.assertFalse(response.getPasswordChangeRequired());
+    }
+
+    @Test
+    public void testPasswordChangeRequired_Null() {
+        LoginCmdResponse response = new LoginCmdResponse();
+        response.setPasswordChangeRequired(null);
+        Assert.assertNull("Boolean.parseBoolean(null) should return null", response.getPasswordChangeRequired());
+    }
+}
@@ -48,6 +48,8 @@ public class UserDetailVO implements ResourceDetail {
     public static final String Setup2FADetail = "2FASetupStatus";
     public static final String PasswordResetToken = "PasswordResetToken";
     public static final String PasswordResetTokenExpiryDate = "PasswordResetTokenExpiryDate";
+    public static final String PasswordChangeRequired = "PasswordChangeRequired";
+    public static final String OauthLogin = "OauthLogin";
 
     public UserDetailVO() {
     }
 
@@ -44,8 +44,10 @@
 import org.apache.cloudstack.api.response.ApiParameterResponse;
 import org.apache.cloudstack.api.response.ApiResponseResponse;
 import org.apache.cloudstack.api.response.ListResponse;
+import org.apache.cloudstack.resourcedetail.UserDetailVO;
 import org.apache.cloudstack.utils.reflectiontostringbuilderutils.ReflectionToStringBuilderUtils;
 import org.apache.commons.collections.CollectionUtils;
+import org.apache.commons.collections.MapUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.reflections.ReflectionUtils;
 import org.springframework.stereotype.Component;
@@ -56,6 +58,7 @@
 import com.cloud.user.Account;
 import com.cloud.user.AccountService;
 import com.cloud.user.User;
+import com.cloud.user.UserAccount;
 import com.cloud.utils.ReflectUtil;
 import com.cloud.utils.component.ComponentLifecycleBase;
 import com.cloud.utils.component.PluggableService;
@@ -67,6 +70,7 @@ public class ApiDiscoveryServiceImpl extends ComponentLifecycleBase implements A
     List<APIChecker> _apiAccessCheckers = null;
     List<PluggableService> _services = null;
     protected static Map<String, ApiDiscoveryResponse> s_apiNameDiscoveryResponseMap = null;
+    public static final List<String> APIS_ALLOWED_FOR_PASSWORD_CHANGE = Arrays.asList("login", "logout", "updateUser", "listApis");
 
     @Inject
     AccountService accountService;
@@ -287,12 +291,20 @@ public ListResponse<? extends BaseResponse> listApis(User user, String name) {
                         ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid")));
             }
 
-            if (role.getRoleType() == RoleType.Admin && role.getId() == RoleType.Admin.getId()) {
-                logger.info(String.format("Account [%s] is Root Admin, all APIs are allowed.",
-                        ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid")));
+            // Limit APIs on first login requiring password change
+            UserAccount userAccount = accountService.getUserAccountById(user.getId());
+            Map<String, String> userAccDetails = userAccount.getDetails();
+            if (MapUtils.isNotEmpty(userAccDetails) && !userAccDetails.containsKey(UserDetailVO.OauthLogin) &&
+                    "true".equalsIgnoreCase(userAccDetails.get(UserDetailVO.PasswordChangeRequired))) {
+                apisAllowed = APIS_ALLOWED_FOR_PASSWORD_CHANGE;
             } else {
-                for (APIChecker apiChecker : _apiAccessCheckers) {
-                    apisAllowed = apiChecker.getApisAllowedToUser(role, user, apisAllowed);
+                if (role.getRoleType() == RoleType.Admin && role.getId() == RoleType.Admin.getId()) {
+                    logger.info(String.format("Account [%s] is Root Admin, all APIs are allowed.",
+                            ReflectionToStringBuilderUtils.reflectOnlySelectedFields(account, "accountName", "uuid")));
+                } else {
+                    for (APIChecker apiChecker : _apiAccessCheckers) {
+                        apisAllowed = apiChecker.getApisAllowedToUser(role, user, apisAllowed);
+                    }
                 }
             }
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ public void testExecuteWithNotBlankPassword() {`
`69`	`69`	`} catch (ServerApiException e) {`
`70`	`70`	`Assert.assertTrue("Received exception as the mock accountService createUser returns null user", true);`
`71`	`71`	`}`
`72`		`- Mockito.verify(accountService, Mockito.times(1)).createUser(null, "Test", null, null, null, null, null, null, null);`
	`72`	`+ Mockito.verify(accountService, Mockito.times(1)).createUser(null, "Test", null, null, null, null, null, null, null, false);`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`@Test`
`@@ -82,7 +82,7 @@ public void testExecuteWithNullPassword() {`
`82`	`82`	`Assert.assertEquals(ApiErrorCode.PARAM_ERROR,e.getErrorCode());`
`83`	`83`	`Assert.assertEquals("Empty passwords are not allowed", e.getMessage());`
`84`	`84`	`}`
`85`		`- Mockito.verify(accountService, Mockito.never()).createUser(null, null, null, null, null, null, null, null, null);`
	`85`	`+ Mockito.verify(accountService, Mockito.never()).createUser(null, null, null, null, null, null, null, null, null, false);`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`@Test`
`@@ -95,6 +95,6 @@ public void testExecuteWithEmptyPassword() {`
`95`	`95`	`Assert.assertEquals(ApiErrorCode.PARAM_ERROR,e.getErrorCode());`
`96`	`96`	`Assert.assertEquals("Empty passwords are not allowed", e.getMessage());`
`97`	`97`	`}`
`98`		`- Mockito.verify(accountService, Mockito.never()).createUser(null, null, null, null, null, null, null, null, null);`
	`98`	`+ Mockito.verify(accountService, Mockito.never()).createUser(null, null, null, null, null, null, null, null, null, true);`
`99`	`99`	`}`
`100`	`100`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,8 @@ public class UserDetailVO implements ResourceDetail {`
`48`	`48`	`public static final String Setup2FADetail = "2FASetupStatus";`
`49`	`49`	`public static final String PasswordResetToken = "PasswordResetToken";`
`50`	`50`	`public static final String PasswordResetTokenExpiryDate = "PasswordResetTokenExpiryDate";`
	`51`	`+ public static final String PasswordChangeRequired = "PasswordChangeRequired";`
	`52`	`+ public static final String OauthLogin = "OauthLogin";`
`51`	`53`
`52`	`54`	`public UserDetailVO() {`
`53`	`55`	`}`