core: add API endpoint to directly set user's password

closes #2040 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-03 13:30:39 +01:00
parent d18a691f63
commit 3e22740eac
11 changed files with 234 additions and 35 deletions
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@ -3,6 +3,7 @@ from datetime import timedelta
 from json import loads
 from typing import Optional

+from django.contrib.auth import update_session_auth_hash
 from django.db.models.query import QuerySet
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
@ -359,6 +360,35 @@ class UserViewSet(UsedByMixin, ModelViewSet):
            ).data
        return Response(serializer.initial_data)

+    @permission_required("authentik_core.reset_user_password")
+    @extend_schema(
+        request=inline_serializer(
+            "UserPasswordSetSerializer",
+            {
+                "password": CharField(required=True),
+            },
+        ),
+        responses={
+            204: "",
+            400: "",
+        },
+    )
+    @action(detail=True, methods=["POST"])
+    # pylint: disable=invalid-name, unused-argument
+    def set_password(self, request: Request, pk: int) -> Response:
+        """Set password for user"""
+        user: User = self.get_object()
+        try:
+            user.set_password(request.data.get("password"))
+            user.save()
+        except (ValidationError, IntegrityError) as exc:
+            LOGGER.debug("Failed to set password", exc=exc)
+            return Response(status=400)
+        if user.pk == request.user.pk and SESSION_IMPERSONATE_USER not in self.request.session:
+            LOGGER.debug("Updating session hash after password change")
+            update_session_auth_hash(self.request, user)
+        return Response(status=204)
+
    @extend_schema(request=UserSelfSerializer, responses={200: SessionUserSerializer(many=False)})
    @action(
        methods=["PUT"],
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@ -5,6 +5,7 @@ from rest_framework.test import APITestCase
 from authentik.core.models import USER_ATTRIBUTE_CHANGE_EMAIL, USER_ATTRIBUTE_CHANGE_USERNAME, User
 from authentik.core.tests.utils import create_test_admin_user, create_test_flow, create_test_tenant
 from authentik.flows.models import FlowDesignation
+from authentik.lib.generators import generate_key
 from authentik.stages.email.models import EmailStage
 from authentik.tenants.models import Tenant

@ -68,6 +69,18 @@ class TestUsersAPI(APITestCase):
        )
        self.assertEqual(response.status_code, 404)

+    def test_set_password(self):
+        """Test Direct password set"""
+        self.client.force_login(self.admin)
+        new_pw = generate_key()
+        response = self.client.post(
+            reverse("authentik_api:user-set-password", kwargs={"pk": self.admin.pk}),
+            data={"password": new_pw},
+        )
+        self.assertEqual(response.status_code, 204)
+        self.admin.refresh_from_db()
+        self.assertTrue(self.admin.check_password(new_pw))
+
    def test_recovery(self):
        """Test user recovery link (no recovery flow set)"""
        flow = create_test_flow(FlowDesignation.RECOVERY)