Project

General

Profile

Actions
Copy link

Feature #3349

closed

Implement password management for technical accounts

Added by Peter Štrunc about 1 year ago. Updated 7 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Jiří Koula
Target version:
1.2.0
Start date:
05/02/2023
Due date:
% Done:

100%

Estimated time:
Owner:
Jiří Koula

Description

Current state

Backend

PasswordChangeController
  • main entry point for password changes
  • passwordChange(UUID, PasswordChangeDto)
    • hardcoded IdmIdentityDto lookup
    • authenticates, if identity is not authenticated
      • for unauthenticated password change, or mustChange when logging in with expired password
    • Checks permission for password change after authentication
    • Calls identityService.passwordChange(identity, PasswordChangeDto)
      IdmIdentityService
  • Publishes IdmIdentityEvent.PASSWORD
    • identity-password-validate-processor(acc)
      • Fetches all identity accounts
      • Validates provided accounts (password change type)
      • Validates against system password policies for each account
    • identity-password-validate-processor(core)
      • Validates all aspects of password change (original pwd requirement, policies, change type)
    • identity-uniform-password-processor
      • Handles uniform password stuff and password filter echo
      • Uses identity only for account searches
    • identity-password-processor
      • saves PasswordDto and handles password age from idm password policy
    • core-identity-demo-change-processor
      • for monitoring changes on admin identity
    • identity-password-provisioning-processor
      • setup echo
      • call provisioningService.changePassword(identity, passwordChangeDto)
      • process results and handle password filter
    • identity-password-change-notification
      • Notifies identity of password change
        ProvisioningService
  • Calls provisioning executor changePassword
    • uses dto and PasswordChangeDto as input (no need for identity)

Frontend

All of frontend only works with identity and its accounts

PasswordChangeComponent
  • Renders form and sends requests to backend controller
  • hard coupling on identityManager and identityService
    PasswordChangeRoute
    PasswordRoute
    PasswordChangeForm

Requirements

Enable use case of changing account’s password from account detail
Support identity account and Technical accounts
Support accounts without owner (AccAccount)

Proposed changes

Backend

Introduce a new interface PasswordManageable
Extract common password management logic into common predecessors for all password processors
Move logic from PasswordController somewhere, where it can be generalized for different PasswordManageables
Move event type PASSWORD from IdmIdentityEventType to a new event type, which is not tied to IdmIdentity
  • Make all password processors react to this new event
    Update tests and write new ones for tech account password management

Frontend

Make PasswordChangeComponent take managers as a prop, so that we can supply correct managers
introduce new routes for password change on account detail
  • No need for other tabs such as Password details and Tokens, just change form
Actions
Copy link

Also available in: Atom PDF