From b91b60e83ddef6f54b5103b9505906b9b166689a Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Tue, 30 Jun 2015 19:42:19 +0300
Subject: [PATCH] Add encrypted password output in the superuser API

When creating a user or changing their password, we now also return an encrypted form of the password, so API callers can pass it along
---
 endpoints/api/superuser.py | 18 ++++++++++++------
 test/test_api_usage.py     | 14 +++++++++++++-
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/endpoints/api/superuser.py b/endpoints/api/superuser.py
index 2ec28c56a..fca871fe3 100644
--- a/endpoints/api/superuser.py
+++ b/endpoints/api/superuser.py
@@ -6,7 +6,7 @@ import json
 import os
 from random import SystemRandom
 
-from app import app, avatar, superusers
+from app import app, avatar, superusers, authentication
 from flask import request
 from endpoints.api import (ApiResource, nickname, resource, validate_json_request, request_error,
@@ -115,16 +115,21 @@ def org_view(org):
     'avatar': avatar.get_data_for_org(org),
   }
 
-def user_view(user):
-  return {
+def user_view(user, password=None):
+  user_data = {
     'username': user.username,
     'email': user.email,
     'verified': user.verified,
     'avatar': avatar.get_data_for_user(user),
     'super_user': superusers.is_superuser(user.username),
-    'enabled': user.enabled
+    'enabled': user.enabled,
   }
 
+  if password is not None:
+    user_data['encrypted_password'] = authentication.encrypt_user_password(password)
+
+  return user_data
+
 @resource('/v1/superuser/changelog/')
 @internal_only
 @show_if(features.SUPER_USERS)
@@ -232,7 +237,8 @@ class SuperUserList(ApiResource):
       return {
         'username': username,
         'email': email,
-        'password': password
+        'password': password,
+        'encrypted_password': authentication.encrypt_user_password(password),
       }
 
     abort(403)
@@ -355,7 +361,7 @@ class SuperUserManagement(ApiResource):
       user.enabled = bool(user_data['enabled'])
       user.save()
 
-    return user_view(user)
+    return user_view(user, password=user_data.get('password'))
 
     abort(403)
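Review bot: `user_view` now takes an optional `password` but carries no docstring, so nothing tells a reader that the argument is only ever handed to `authentication.encrypt_user_password` and that only that result, never the plaintext, is placed in the returned dict under `encrypted_password`; add `""" JSON view of *user*. When *password* is given, 'encrypted_password' holds authentication.encrypt_user_password(password); the plaintext itself is not included in the view. """` directly under the new signature. The guard `if password is not None:` also treats an empty string as a password to encrypt, and the caller in `SuperUserManagement.put` passes `user_data.get('password')` straight through; if that handler ignores an empty password (its body is outside the hunk), the view would still emit an `encrypted_password` for it, so `if password:` may be the intended test — confirm against the handler.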
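Review bot: The creation response in `SuperUserList.post` now returns both the cleartext `password` and `encrypted_password` with no comment explaining why a caller receives both forms, and the key name plus the `authentication.encrypt_user_password` call are duplicated between this dict and `user_view`. A one-line comment on the new entry, `# encrypted form the caller can forward instead of the cleartext (see commit message)`, would make the intent readable at the call site, and a small shared helper returning the `'encrypted_password'` entry would keep the two response shapes from drifting. The enclosing `post` method starts outside the hunk.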
diff --git a/test/test_api_usage.py b/test/test_api_usage.py
index 4ec4348dd..ed759ae7d 100644
--- a/test/test_api_usage.py
+++ b/test/test_api_usage.py
@@ -2903,6 +2903,17 @@ class TestSuperUserManagement(ApiTestCase):
     # Verify the user no longer exists.
     self.getResponse(SuperUserManagement, params=dict(username = 'freshuser'), expected_code=404)
 
+  def test_change_user_password(self):
+    self.login(ADMIN_ACCESS_USER)
+
+    # Verify the user exists.
+    json = self.getJsonResponse(SuperUserManagement, params=dict(username = 'freshuser'))
+    self.assertEquals('freshuser', json['username'])
+    self.assertEquals('jschorr+test@devtable.com', json['email'])
+
+    # Update the user.
+    json = self.putJsonResponse(SuperUserManagement, params=dict(username='freshuser'), data=dict(password='somepassword'))
+    self.assertTrue('encrypted_password' in json)
 
   def test_update_user(self):
     self.login(ADMIN_ACCESS_USER)
@@ -2913,7 +2924,8 @@ class TestSuperUserManagement(ApiTestCase):
     self.assertEquals('jschorr+test@devtable.com', json['email'])
 
     # Update the user.
-    self.putJsonResponse(SuperUserManagement, params=dict(username='freshuser'), data=dict(email='foo@bar.com'))
+    json = self.putJsonResponse(SuperUserManagement, params=dict(username='freshuser'), data=dict(email='foo@bar.com'))
+    self.assertFalse('encrypted_password' in json)
 
     # Verify the user was updated.
     json = self.getJsonResponse(SuperUserManagement, params=dict(username = 'freshuser'))
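Review bot: `test_change_user_password` only checks that the `encrypted_password` key exists; it never checks that the value differs from the submitted cleartext or that the cleartext is absent from the response, so a regression that echoed `'somepassword'` back unchanged would still pass. Add `self.assertNotEqual('somepassword', json['encrypted_password'])` and `self.assertFalse('password' in json)` after the existing assertion — `user_view` in the sibling hunk never emits a `'password'` key, so the second check is safe. As a point of style, `self.assertIn('encrypted_password', json)` and `self.assertNotIn(...)` give a clearer failure message than `assertTrue('...' in json)`/`assertFalse(...)`; the same applies to the new `assertFalse` line in the `test_update_user` hunk.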