change password endpoint

scm-webapp/src/main/java/sonia/scm/api/v2/resources/ChangePasswordNotAllowedException.java

@@ -0,0 +1,9 @@
+package sonia.scm.api.v2.resources;
+
+public class ChangePasswordNotAllowedException extends RuntimeException {
+
+  public ChangePasswordNotAllowedException(String message) {
+    super(message);
+  }
+
+}

scm-webapp/src/main/java/sonia/scm/api/v2/resources/ChangePasswordNotAllowedExceptionMapper.java

@@ -0,0 +1,15 @@
+package sonia.scm.api.v2.resources;
+
+import javax.ws.rs.core.Response;
+import javax.ws.rs.ext.ExceptionMapper;
+import javax.ws.rs.ext.Provider;
+
+@Provider
+public class ChangePasswordNotAllowedExceptionMapper implements ExceptionMapper<ChangePasswordNotAllowedException> {
+  @Override
+  public Response toResponse(ChangePasswordNotAllowedException exception) {
+    return Response.status(Response.Status.BAD_REQUEST)
+      .entity(exception.getMessage())
+      .build();
+  }
+}

scm-webapp/src/main/java/sonia/scm/api/v2/resources/IdResourceManagerAdapter.java

@@ -10,6 +10,7 @@ import sonia.scm.PageResult;
 
 import javax.ws.rs.core.Response;
 import java.util.Optional;
+import java.util.function.Consumer;
 import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
@@ -37,6 +38,15 @@ class IdResourceManagerAdapter<MODEL_OBJECT extends ModelObject,
     return singleAdapter.get(loadBy(id), mapToDto);
   }
 
+  public Response update(String id, Function<MODEL_OBJECT, MODEL_OBJECT> applyChanges, Consumer<MODEL_OBJECT> checker) throws NotFoundException, ConcurrentModificationException {
+    return singleAdapter.update(
+      loadBy(id),
+      applyChanges,
+      idStaysTheSame(id),
+      checker
+    );
+  }
+
   public Response update(String id, Function<MODEL_OBJECT, MODEL_OBJECT> applyChanges) throws NotFoundException, ConcurrentModificationException {
     return singleAdapter.update(
       loadBy(id),

scm-webapp/src/main/java/sonia/scm/api/v2/resources/MeResource.java

@@ -10,7 +10,9 @@ import sonia.scm.user.UserManager;
 import sonia.scm.web.VndMediaType;
 
 import javax.inject.Inject;
+import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
+import javax.ws.rs.PUT;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Context;
@@ -52,4 +54,21 @@ public class MeResource {
     String id = (String) SecurityUtils.getSubject().getPrincipals().getPrimaryPrincipal();
     return adapter.get(id, userToDtoMapper::map);
   }
+
+  /**
+   * Change password of the current user
+   */
+  @PUT
+  @Path("password")
+  @StatusCodes({
+    @ResponseCode(code = 204, condition = "update success"),
+    @ResponseCode(code = 401, condition = "not authenticated / invalid credentials"),
+    @ResponseCode(code = 500, condition = "internal server error")
+  })
+  @TypeHint(TypeHint.NO_CONTENT.class)
+  @Consumes(VndMediaType.PASSWORD_CHANGE)
+  public Response changePassword(PasswordChangeDto passwordChange) throws NotFoundException {
+    String id = (String) SecurityUtils.getSubject().getPrincipals().getPrimaryPrincipal();
+    return adapter.get(id, userToDtoMapper::map);
+  }
 }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/PasswordChangeDto.java

@@ -0,0 +1,25 @@
+package sonia.scm.api.v2.resources;
+
+import de.otto.edison.hal.HalRepresentation;
+import de.otto.edison.hal.Links;
+import lombok.Getter;
+import lombok.Setter;
+import lombok.ToString;
+import org.hibernate.validator.constraints.NotEmpty;
+
+@Getter
+@Setter
+@ToString
+public class PasswordChangeDto extends HalRepresentation {
+
+  private String oldPassword;
+
+  @NotEmpty
+  private String newPassword;
+
+  @Override
+  @SuppressWarnings("squid:S1185") // We want to have this method available in this package
+  protected HalRepresentation add(Links links) {
+    return super.add(links);
+  }
+}

scm-webapp/src/main/java/sonia/scm/api/v2/resources/ResourceLinks.java

@@ -86,6 +86,10 @@ class ResourceLinks {
     String update(String name) {
       return userLinkBuilder.method("getUserResource").parameters(name).method("update").parameters().href();
     }
+
+    public String passwordChange(String name) {
+      return userLinkBuilder.method("getUserResource").parameters(name).method("changePassword").parameters().href();
+    }
   }
 
   UserCollectionLinks userCollection() {

scm-webapp/src/main/java/sonia/scm/api/v2/resources/SingleResourceManagerAdapter.java

@@ -11,6 +11,7 @@ import javax.ws.rs.core.GenericEntity;
 import javax.ws.rs.core.Response;
 import java.util.Collection;
 import java.util.Optional;
+import java.util.function.Consumer;
 import java.util.function.Function;
 import java.util.function.Predicate;
 import java.util.function.Supplier;
@@ -53,6 +54,11 @@ class SingleResourceManagerAdapter<MODEL_OBJECT extends ModelObject,
       .map(Response.ResponseBuilder::build)
       .orElseThrow(NotFoundException::new);
   }
+  public Response update(Supplier<Optional<MODEL_OBJECT>> reader, Function<MODEL_OBJECT, MODEL_OBJECT> applyChanges, Predicate<MODEL_OBJECT> hasSameKey, Consumer<MODEL_OBJECT> checker) throws NotFoundException, ConcurrentModificationException {
+    MODEL_OBJECT existingModelObject = reader.get().orElseThrow(NotFoundException::new);
+    checker.accept(existingModelObject);
+    return update(reader,applyChanges,hasSameKey);
+  }
 
   /**
    * Update the model object for the given id according to the given function and returns a corresponding http response.

scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserCollectionResource.java

@@ -5,6 +5,7 @@ import com.webcohesion.enunciate.metadata.rs.ResponseHeader;
 import com.webcohesion.enunciate.metadata.rs.ResponseHeaders;
 import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
+import org.apache.shiro.authc.credential.PasswordService;
 import sonia.scm.AlreadyExistsException;
 import sonia.scm.user.User;
 import sonia.scm.user.UserManager;
@@ -29,14 +30,16 @@ public class UserCollectionResource {
   private final ResourceLinks resourceLinks;
 
   private final IdResourceManagerAdapter<User, UserDto> adapter;
+  private final PasswordService passwordService;
 
   @Inject
   public UserCollectionResource(UserManager manager, UserDtoToUserMapper dtoToUserMapper,
-    UserCollectionToDtoMapper userCollectionToDtoMapper, ResourceLinks resourceLinks) {
+                                UserCollectionToDtoMapper userCollectionToDtoMapper, ResourceLinks resourceLinks, PasswordService passwordService) {
     this.dtoToUserMapper = dtoToUserMapper;
     this.userCollectionToDtoMapper = userCollectionToDtoMapper;
     this.adapter = new IdResourceManagerAdapter<>(manager, User.class);
     this.resourceLinks = resourceLinks;
+    this.passwordService = passwordService;
   }
 
   /**
@@ -89,8 +92,6 @@ public class UserCollectionResource {
   @TypeHint(TypeHint.NO_CONTENT.class)
   @ResponseHeaders(@ResponseHeader(name = "Location", description = "uri to the created user"))
   public Response create(@Valid UserDto userDto) throws AlreadyExistsException {
-    return adapter.create(userDto,
-                          () -> dtoToUserMapper.map(userDto, ""),
-      user -> resourceLinks.user().self(user.getName()));
+    return adapter.create(userDto, () -> dtoToUserMapper.map(userDto, passwordService.encryptPassword(userDto.getPassword())), user -> resourceLinks.user().self(user.getName()));
   }
 }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserDtoToUserMapper.java

@@ -1,37 +1,31 @@
 package sonia.scm.api.v2.resources;
 
-import org.apache.shiro.authc.credential.PasswordService;
 import org.mapstruct.Context;
 import org.mapstruct.Mapper;
 import org.mapstruct.Mapping;
 import org.mapstruct.Named;
 import sonia.scm.user.User;
 
-import javax.inject.Inject;
-
-import java.time.Instant;
-
-import static sonia.scm.api.rest.resources.UserResource.DUMMY_PASSWORT;
-
 // Mapstruct does not support parameterized (i.e. non-default) constructors. Thus, we need to use field injection.
 @SuppressWarnings("squid:S3306")
 @Mapper
 public abstract class UserDtoToUserMapper extends BaseDtoMapper {
 
-  @Inject
-  private PasswordService passwordService;
-
-  @Mapping(source = "password", target = "password", qualifiedByName = "encrypt")
+  @Mapping(source = "password", target = "password", qualifiedByName = "getUsedPassword")
   @Mapping(target = "creationDate", ignore = true)
-  public abstract User map(UserDto userDto, @Context String originalPassword);
+  public abstract User map(UserDto userDto, @Context String usedPassword);
 
-  @Named("encrypt")
-  String encrypt(String password, @Context String originalPassword) {
 
-    if (DUMMY_PASSWORT.equals(password)) {
-      return originalPassword;
-    } else {
-      return passwordService.encryptPassword(password);
-    }
+  /**
+   * depends on the use case the right password will be mapped.
+   * eg. for update user action the password will be set to the original password
+   * for create user and change password actions the password is the user input
+   *
+   * @param usedPassword the password to be mapped
+   * @return the password to be mapped
+   */
+  @Named("getUsedPassword")
+  String getUsedPassword(String password, @Context String usedPassword) {
+    return usedPassword;
   }
 }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserResource.java

@@ -3,6 +3,7 @@ package sonia.scm.api.v2.resources;
 import com.webcohesion.enunciate.metadata.rs.ResponseCode;
 import com.webcohesion.enunciate.metadata.rs.StatusCodes;
 import com.webcohesion.enunciate.metadata.rs.TypeHint;
+import org.apache.shiro.authc.credential.PasswordService;
 import sonia.scm.ConcurrentModificationException;
 import sonia.scm.NotFoundException;
 import sonia.scm.user.User;
@@ -19,6 +20,8 @@ import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Response;
+import java.text.MessageFormat;
+import java.util.function.Consumer;
 
 public class UserResource {
 
@@ -26,12 +29,16 @@ public class UserResource {
   private final UserToUserDtoMapper userToDtoMapper;
 
   private final IdResourceManagerAdapter<User, UserDto> adapter;
+  private final UserManager userManager;
+  private final PasswordService passwordService;
 
   @Inject
-  public UserResource(UserDtoToUserMapper dtoToUserMapper, UserToUserDtoMapper userToDtoMapper, UserManager manager) {
+  public UserResource(UserDtoToUserMapper dtoToUserMapper, UserToUserDtoMapper userToDtoMapper, UserManager manager, PasswordService passwordService) {
     this.dtoToUserMapper = dtoToUserMapper;
     this.userToDtoMapper = userToDtoMapper;
     this.adapter = new IdResourceManagerAdapter<>(manager, User.class);
+    this.userManager = manager;
+    this.passwordService = passwordService;
   }
 
   /**
@@ -40,7 +47,6 @@ public class UserResource {
    * <strong>Note:</strong> This method requires "user" privilege.
    *
    * @param id the id/name of the user
-   *
    */
   @GET
   @Path("")
@@ -63,7 +69,6 @@ public class UserResource {
    * <strong>Note:</strong> This method requires "user" privilege.
    *
    * @param name the name of the user to delete.
-   *
    */
   @DELETE
   @Path("")
@@ -80,10 +85,11 @@ public class UserResource {
 
   /**
    * Modifies the given user.
+   * The given Password in the payload will be ignored. To Change Password use the changePassword endpoint
    *
    * <strong>Note:</strong> This method requires "user" privilege.
    *
-   * @param name name of the user to be modified
+   * @param name    name of the user to be modified
    * @param userDto user object to modify
    */
   @PUT
@@ -101,4 +107,41 @@ public class UserResource {
   public Response update(@PathParam("id") String name, @Valid UserDto userDto) throws NotFoundException, ConcurrentModificationException {
     return adapter.update(name, existing -> dtoToUserMapper.map(userDto, existing.getPassword()));
   }
+
+  /**
+   * This Endpoint is for Admin user to modify a user password.
+   * The oldPassword property of the DTO is not needed here. it will be ignored.
+   * The oldPassword property is needed in the MeResources when the actual user change the own password.
+   *
+   * <strong>Note:</strong> This method requires "user:modify" privilege.
+   * @param name              name of the user to be modified
+   * @param passwordChangeDto change password object to modify password. the old password is here not required
+   */
+  @PUT
+  @Path("password")
+  @Consumes(VndMediaType.PASSWORD_CHANGE)
+  @StatusCodes({
+    @ResponseCode(code = 204, condition = "update success"),
+    @ResponseCode(code = 400, condition = "Invalid body, e.g. illegal change of id/user name"),
+    @ResponseCode(code = 401, condition = "not authenticated / invalid credentials"),
+    @ResponseCode(code = 403, condition = "not authorized, the current user does not have the \"user\" privilege"),
+    @ResponseCode(code = 404, condition = "not found, no user with the specified id/name available"),
+    @ResponseCode(code = 500, condition = "internal server error")
+  })
+  @TypeHint(TypeHint.NO_CONTENT.class)
+  public Response changePassword(@PathParam("id") String name, @Valid PasswordChangeDto passwordChangeDto) throws NotFoundException, ConcurrentModificationException {
+    return adapter.update(name, user -> user.changePassword(passwordService.encryptPassword(passwordChangeDto.getNewPassword())), getUserTypeChecker());
+  }
+
+
+  /**
+   * Only account of the default type "xml" can change their password
+   */
+  private Consumer<User> getUserTypeChecker() {
+    return user -> {
+      if (!userManager.getDefaultType().equals(user.getType())) {
+        throw new ChangePasswordNotAllowedException(MessageFormat.format("It is not possible to change password for User of type {0}", user.getType()));
+      }
+    };
+  }
 }

scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserToUserDtoMapper.java

@@ -4,9 +4,10 @@ import com.google.common.annotations.VisibleForTesting;
 import de.otto.edison.hal.Links;
 import org.mapstruct.AfterMapping;
 import org.mapstruct.Mapper;
+import org.mapstruct.Mapping;
 import org.mapstruct.MappingTarget;
-import sonia.scm.api.rest.resources.UserResource;
 import sonia.scm.user.User;
+import sonia.scm.user.UserManager;
 import sonia.scm.user.UserPermissions;
 
 import javax.inject.Inject;
@@ -19,6 +20,14 @@ import static de.otto.edison.hal.Links.linkingTo;
 @Mapper
 public abstract class UserToUserDtoMapper extends BaseMapper<User, UserDto> {
 
+  @Inject
+  private UserManager userManager;
+
+  @Override
+  @Mapping(target = "attributes", ignore = true)
+  @Mapping(target = "password", ignore = true)
+  public abstract UserDto map(User modelObject);
+
   @Inject
   private ResourceLinks resourceLinks;
 
@@ -27,11 +36,6 @@ public abstract class UserToUserDtoMapper extends BaseMapper<User, UserDto> {
     this.resourceLinks = resourceLinks;
   }
 
-  @AfterMapping
-  void removePassword(@MappingTarget UserDto target) {
-    target.setPassword(UserResource.DUMMY_PASSWORT);
-  }
-
   @AfterMapping
   void appendLinks(User user, @MappingTarget UserDto target) {
     Links.Builder linksBuilder = linkingTo().self(resourceLinks.user().self(target.getName()));
@@ -41,6 +45,9 @@ public abstract class UserToUserDtoMapper extends BaseMapper<User, UserDto> {
     if (UserPermissions.modify(user).isPermitted()) {
       linksBuilder.single(link("update", resourceLinks.user().update(target.getName())));
     }
+    if (userManager.getDefaultType().equals(user.getType())) {
+      linksBuilder.single(link("password", resourceLinks.user().passwordChange(target.getName())));
+    }
     target.add(linksBuilder.build());
   }