feat(api): add password reset and change to user service (#6036)

* feat(api): add password reset and change to user service * integration tests * invalidate password check after password change * handle notification type * fix proto
2025-08-12 06:57:33 +00:00 · 2023-06-20 17:34:06 +02:00
parent 1017568cf1
commit 82e7333169
20 changed files with 1373 additions and 54 deletions
--- a/internal/command/user_human_password_test.go
+++ b/internal/command/user_human_password_test.go
@@ -2,6 +2,7 @@ package command

 import (
 	"context"
+	"errors"
 	"testing"
 	"time"

@@ -22,6 +23,7 @@ func TestCommandSide_SetOneTimePassword(t *testing.T) {
 	type fields struct {
 		eventstore      *eventstore.Eventstore
 		userPasswordAlg crypto.HashAlgorithm
+		checkPermission domain.PermissionCheck
 	}
 	type args struct {
 		ctx           context.Context
@@ -72,6 +74,49 @@ func TestCommandSide_SetOneTimePassword(t *testing.T) {
 				err: caos_errs.IsPreconditionFailed,
 			},
 		},
+		{
+			name: "missing permission, error",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+					expectFilter(
+						eventFromEventPusher(
+							user.NewHumanAddedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+								"username",
+								"firstname",
+								"lastname",
+								"nickname",
+								"displayname",
+								language.German,
+								domain.GenderUnspecified,
+								"email@test.ch",
+								true,
+							),
+						),
+						eventFromEventPusher(
+							user.NewHumanEmailVerifiedEvent(context.Background(),
+								&user.NewAggregate("user1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				userPasswordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args: args{
+				ctx:           context.Background(),
+				userID:        "user1",
+				resourceOwner: "org1",
+				password:      "password",
+				oneTime:       true,
+			},
+			res: res{
+				err: func(err error) bool {
+					return errors.Is(err, caos_errs.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
 		{
 			name: "change password onetime, ok",
 			fields: fields{
@@ -129,6 +174,7 @@ func TestCommandSide_SetOneTimePassword(t *testing.T) {
 					),
 				),
 				userPasswordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:           context.Background(),
@@ -200,6 +246,7 @@ func TestCommandSide_SetOneTimePassword(t *testing.T) {
 					),
 				),
 				userPasswordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
+				checkPermission: newMockPermissionCheckAllowed(),
 			},
 			args: args{
 				ctx:           context.Background(),
@@ -220,6 +267,7 @@ func TestCommandSide_SetOneTimePassword(t *testing.T) {
 			r := &Commands{
 				eventstore:      tt.fields.eventstore,
 				userPasswordAlg: tt.fields.userPasswordAlg,
+				checkPermission: tt.fields.checkPermission,
 			}
 			got, err := r.SetPassword(tt.args.ctx, tt.args.resourceOwner, tt.args.userID, tt.args.password, tt.args.oneTime)
 			if tt.res.err == nil {
@@ -235,19 +283,19 @@ func TestCommandSide_SetOneTimePassword(t *testing.T) {
 	}
 }

-func TestCommandSide_SetPassword(t *testing.T) {
+func TestCommandSide_SetPasswordWithVerifyCode(t *testing.T) {
 	type fields struct {
 		eventstore      *eventstore.Eventstore
+		userEncryption  crypto.EncryptionAlgorithm
 		userPasswordAlg crypto.HashAlgorithm
 	}
 	type args struct {
-		ctx             context.Context
-		userID          string
-		code            string
-		resourceOwner   string
-		password        string
-		agentID         string
-		secretGenerator crypto.Generator
+		ctx           context.Context
+		userID        string
+		code          string
+		resourceOwner string
+		password      string
+		agentID       string
 	}
 	type res struct {
 		want *domain.ObjectDetails
@@ -377,14 +425,14 @@ func TestCommandSide_SetPassword(t *testing.T) {
 						),
 					),
 				),
+				userEncryption: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			},
 			args: args{
-				ctx:             context.Background(),
-				userID:          "user1",
-				code:            "test",
-				resourceOwner:   "org1",
-				password:        "password",
-				secretGenerator: GetMockSecretGenerator(t),
+				ctx:           context.Background(),
+				userID:        "user1",
+				code:          "test",
+				resourceOwner: "org1",
+				password:      "password",
 			},
 			res: res{
 				err: caos_errs.IsPreconditionFailed,
@@ -460,14 +508,14 @@ func TestCommandSide_SetPassword(t *testing.T) {
 					),
 				),
 				userPasswordAlg: crypto.CreateMockHashAlg(gomock.NewController(t)),
+				userEncryption:  crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
 			},
 			args: args{
-				ctx:             context.Background(),
-				userID:          "user1",
-				resourceOwner:   "org1",
-				password:        "password",
-				code:            "a",
-				secretGenerator: GetMockSecretGenerator(t),
+				ctx:           context.Background(),
+				userID:        "user1",
+				resourceOwner: "org1",
+				password:      "password",
+				code:          "a",
 			},
 			res: res{
 				want: &domain.ObjectDetails{
@@ -481,14 +529,18 @@ func TestCommandSide_SetPassword(t *testing.T) {
 			r := &Commands{
 				eventstore:      tt.fields.eventstore,
 				userPasswordAlg: tt.fields.userPasswordAlg,
+				userEncryption:  tt.fields.userEncryption,
 			}
-			err := r.SetPasswordWithVerifyCode(tt.args.ctx, tt.args.resourceOwner, tt.args.userID, tt.args.code, tt.args.password, tt.args.agentID, tt.args.secretGenerator)
+			got, err := r.SetPasswordWithVerifyCode(tt.args.ctx, tt.args.resourceOwner, tt.args.userID, tt.args.code, tt.args.password, tt.args.agentID)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
 			if tt.res.err != nil && !tt.res.err(err) {
 				t.Errorf("got wrong err: %v ", err)
 			}
+			if tt.res.err == nil {
+				assert.Equal(t, tt.res.want, got)
+			}
 		})
 	}
 }