allow oauth login to skip force password change

Author: sudo87

engine/schema/src/main/java/org/apache/cloudstack/resourcedetail/UserDetailVO.java

@@ -49,6 +49,7 @@ public class UserDetailVO implements ResourceDetail {
     public static final String PasswordResetToken = "PasswordResetToken";
     public static final String PasswordResetTokenExpiryDate = "PasswordResetTokenExpiryDate";
     public static final String PasswordChangeRequired = "PasswordChangeRequired";
+    public static final String OauthLogin = "OauthLogin";
 
     public UserDetailVO() {
     }

plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java

@@ -294,7 +294,8 @@ public ListResponse<? extends BaseResponse> listApis(User user, String name) {
             // Limit APIs on first login requiring password change
             UserAccount userAccount = accountService.getUserAccountById(user.getId());
             Map<String, String> userAccDetails = userAccount.getDetails();
-            if (MapUtils.isNotEmpty(userAccDetails) && "true".equalsIgnoreCase(userAccDetails.get(UserDetailVO.PasswordChangeRequired))) {
+            if (MapUtils.isNotEmpty(userAccDetails) && !userAccDetails.containsKey(UserDetailVO.OauthLogin) &&
+                    "true".equalsIgnoreCase(userAccDetails.get(UserDetailVO.PasswordChangeRequired))) {
                 apisAllowed = APIS_ALLOWED_FOR_PASSWORD_CHANGE;
             } else {
                 if (role.getRoleType() == RoleType.Admin && role.getId() == RoleType.Admin.getId()) {

plugins/user-authenticators/oauth2/src/main/java/org/apache/cloudstack/oauth2/api/command/OauthLoginAPIAuthenticatorCmd.java

@@ -34,6 +34,8 @@
 import org.apache.cloudstack.api.auth.APIAuthenticator;
 import org.apache.cloudstack.api.auth.PluggableAPIAuthenticator;
 import org.apache.cloudstack.api.response.LoginCmdResponse;
+import org.apache.cloudstack.resourcedetail.UserDetailVO;
+import org.apache.cloudstack.resourcedetail.dao.UserDetailsDao;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.jetbrains.annotations.Nullable;
@@ -74,6 +76,9 @@ public class OauthLoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthent
     @Inject
     ApiServerService _apiServer;
 
+    @Inject
+    UserDetailsDao userDetailsDao;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -157,8 +162,10 @@ private String doOauthAuthentication(HttpSession session, Long domainId, String
             if (userAccount != null && User.Source.SAML2 == userAccount.getSource()) {
                 throw new CloudAuthenticationException("User is not allowed CloudStack login");
             }
-            return ApiResponseSerializer.toSerializedString(_apiServer.loginUser(session, userAccount.getUsername(), null, domainId, domain, remoteAddress, params),
+            serializedResponse = ApiResponseSerializer.toSerializedString(_apiServer.loginUser(session, userAccount.getUsername(), null, domainId, domain, remoteAddress, params),
                     responseType);
+            userDetailsDao.addDetail(userAccount.getId(), UserDetailVO.OauthLogin, "true", false);
+            return serializedResponse;
         } catch (final CloudAuthenticationException ex) {
             ApiServlet.invalidateHttpSession(session, "fall through to API key,");
             String msg = String.format("%s", ex.getMessage() != null ?

server/src/main/java/com/cloud/api/auth/DefaultLoginAPIAuthenticatorCmd.java

@@ -34,6 +34,8 @@
 import org.apache.cloudstack.api.auth.APIAuthenticator;
 import org.apache.cloudstack.api.auth.PluggableAPIAuthenticator;
 import org.apache.cloudstack.api.response.LoginCmdResponse;
+import org.apache.cloudstack.resourcedetail.UserDetailVO;
+import org.apache.cloudstack.resourcedetail.dao.UserDetailsDao;
 import org.jetbrains.annotations.Nullable;
 
 import javax.inject.Inject;
@@ -66,6 +68,9 @@ public class DefaultLoginAPIAuthenticatorCmd extends BaseCmd implements APIAuthe
     @Inject
     ApiServerService _apiServer;
 
+    @Inject
+    UserDetailsDao userDetailsDao;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -151,8 +156,10 @@ public String authenticate(String command, Map<String, Object[]> params, HttpSes
                 if (userAccount != null && User.Source.SAML2 == userAccount.getSource()) {
                     throw new CloudAuthenticationException("User is not allowed CloudStack login");
                 }
-                return ApiResponseSerializer.toSerializedString(_apiServer.loginUser(session, username[0], pwd, domainId, domain, remoteAddress, params),
+                serializedResponse = ApiResponseSerializer.toSerializedString(_apiServer.loginUser(session, username[0], pwd, domainId, domain, remoteAddress, params),
                         responseType);
+                userDetailsDao.removeDetail(userAccount.getId(), UserDetailVO.OauthLogin);
+                return serializedResponse;
             } catch (final CloudAuthenticationException ex) {
                 ApiServlet.invalidateHttpSession(session, "fall through to API key,");
                 // TODO: fall through to API key, or just fail here w/ auth error? (HTTP 401)