mirror of
https://github.com/grafana/grafana.git
synced 2024-11-28 03:34:15 -06:00
feat(grafana-cli): allow configuring admin ID for reset-admin-password (#60603)
* feat(grafana-cli): add a flag to control the admin user's ID for reset-admin-password Since this is now more permissive, I've also added validation that the requested user is an admin. * slight refactor to support testing
This commit is contained in:
parent
bf541ee3d1
commit
c90756eef5
@ -160,6 +160,11 @@ var adminCommands = []*cli.Command{
|
||||
Usage: "Read the password from stdin",
|
||||
Value: false,
|
||||
},
|
||||
&cli.IntFlag{
|
||||
Name: "user-id",
|
||||
Usage: "The admin user's ID",
|
||||
Value: DefaultAdminUserId,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
|
@ -7,6 +7,7 @@ import (
|
||||
"os"
|
||||
|
||||
"github.com/fatih/color"
|
||||
|
||||
"github.com/grafana/grafana/pkg/cmd/grafana-cli/logger"
|
||||
"github.com/grafana/grafana/pkg/cmd/grafana-cli/runner"
|
||||
"github.com/grafana/grafana/pkg/cmd/grafana-cli/utils"
|
||||
@ -15,10 +16,11 @@ import (
|
||||
"github.com/grafana/grafana/pkg/util"
|
||||
)
|
||||
|
||||
const AdminUserId = 1
|
||||
const DefaultAdminUserId = 1
|
||||
|
||||
func resetPasswordCommand(c utils.CommandLine, runner runner.Runner) error {
|
||||
newPassword := ""
|
||||
adminId := int64(c.Int("user-id"))
|
||||
|
||||
if c.Bool("password-from-stdin") {
|
||||
logger.Infof("New Password: ")
|
||||
@ -35,17 +37,28 @@ func resetPasswordCommand(c utils.CommandLine, runner runner.Runner) error {
|
||||
newPassword = c.Args().First()
|
||||
}
|
||||
|
||||
err := resetPassword(adminId, newPassword, runner.UserService)
|
||||
if err == nil {
|
||||
logger.Infof("\n")
|
||||
logger.Infof("Admin password changed successfully %s", color.GreenString("✔"))
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
func resetPassword(adminId int64, newPassword string, userSvc user.Service) error {
|
||||
password := models.Password(newPassword)
|
||||
if password.IsWeak() {
|
||||
return fmt.Errorf("new password is too short")
|
||||
}
|
||||
|
||||
userQuery := user.GetUserByIDQuery{ID: AdminUserId}
|
||||
|
||||
usr, err := runner.UserService.GetByID(context.Background(), &userQuery)
|
||||
userQuery := user.GetUserByIDQuery{ID: adminId}
|
||||
usr, err := userSvc.GetByID(context.Background(), &userQuery)
|
||||
if err != nil {
|
||||
return fmt.Errorf("could not read user from database. Error: %v", err)
|
||||
}
|
||||
if !usr.IsAdmin {
|
||||
return ErrMustBeAdmin
|
||||
}
|
||||
|
||||
passwordHashed, err := util.EncodePassword(newPassword, usr.Salt)
|
||||
if err != nil {
|
||||
@ -53,16 +66,15 @@ func resetPasswordCommand(c utils.CommandLine, runner runner.Runner) error {
|
||||
}
|
||||
|
||||
cmd := user.ChangeUserPasswordCommand{
|
||||
UserID: AdminUserId,
|
||||
UserID: adminId,
|
||||
NewPassword: passwordHashed,
|
||||
}
|
||||
|
||||
if err := runner.UserService.ChangePassword(context.Background(), &cmd); err != nil {
|
||||
if err := userSvc.ChangePassword(context.Background(), &cmd); err != nil {
|
||||
return fmt.Errorf("failed to update user password: %w", err)
|
||||
}
|
||||
|
||||
logger.Infof("\n")
|
||||
logger.Infof("Admin password changed successfully %s", color.GreenString("✔"))
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
var ErrMustBeAdmin = fmt.Errorf("reset-admin-password can only be used to reset an admin user account")
|
||||
|
54
pkg/cmd/grafana-cli/commands/reset_password_command_test.go
Normal file
54
pkg/cmd/grafana-cli/commands/reset_password_command_test.go
Normal file
@ -0,0 +1,54 @@
|
||||
package commands
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/grafana/grafana/pkg/services/user"
|
||||
"github.com/grafana/grafana/pkg/services/user/usertest"
|
||||
)
|
||||
|
||||
func TestResetPassword(t *testing.T) {
|
||||
tests := map[string]struct {
|
||||
UserID int64
|
||||
IsAdmin bool
|
||||
ExpectErr error
|
||||
}{
|
||||
"basic success": {
|
||||
DefaultAdminUserId,
|
||||
true,
|
||||
nil,
|
||||
},
|
||||
"default user is not an admin": {
|
||||
DefaultAdminUserId,
|
||||
false,
|
||||
ErrMustBeAdmin,
|
||||
},
|
||||
"random user is not an admin": {
|
||||
11,
|
||||
false,
|
||||
ErrMustBeAdmin,
|
||||
},
|
||||
"random user is an admin": {
|
||||
11,
|
||||
true,
|
||||
nil,
|
||||
},
|
||||
}
|
||||
|
||||
for name, test := range tests {
|
||||
t.Run(name, func(t *testing.T) {
|
||||
svc := &usertest.FakeUserService{}
|
||||
svc.ExpectedUser = &user.User{
|
||||
IsAdmin: test.IsAdmin,
|
||||
}
|
||||
err := resetPassword(test.UserID, "s00pers3cure!", svc)
|
||||
if test.ExpectErr != nil {
|
||||
require.EqualError(t, err, test.ExpectErr.Error())
|
||||
} else {
|
||||
require.NoError(t, err)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user