diff --git a/lib/auth/apiserver.go b/lib/auth/apiserver.go
index 918a99d79baa6..7975f2b2c6b3f 100644
--- a/lib/auth/apiserver.go
+++ b/lib/auth/apiserver.go
@@ -110,7 +110,6 @@ func NewAPIServer(config *APIConfig) (http.Handler, error) {
 	// Passwords and sessions
 	srv.POST("/:version/users", srv.withAuth(srv.upsertUser))
 	srv.PUT("/:version/users/:user/web/password", srv.withAuth(srv.changePassword))
-	srv.POST("/:version/users/:user/web/password", srv.withAuth(srv.upsertPassword))
 	srv.POST("/:version/users/:user/web/password/check", srv.withRate(srv.withAuth(srv.checkPassword)))
 	srv.POST("/:version/users/:user/web/sessions", srv.withAuth(srv.createWebSession))
 	srv.POST("/:version/users/:user/web/authenticate", srv.withAuth(srv.authenticateWebUser))
@@ -566,25 +565,6 @@ func (s *APIServer) changePassword(auth ClientI, w http.ResponseWriter, r *http.
 	return message(fmt.Sprintf("password has been changed for user %q", req.User)), nil
 }
 
-type upsertPasswordReq struct {
-	Password string `json:"password"`
-}
-
-func (s *APIServer) upsertPassword(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error) {
-	var req *upsertPasswordReq
-	if err := httplib.ReadJSON(r, &req); err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	user := p.ByName("user")
-	err := auth.UpsertPassword(user, []byte(req.Password))
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-
-	return message(fmt.Sprintf("password for for user %q upserted", user)), nil
-}
-
 type upsertUserRawReq struct {
 	User json.RawMessage `json:"user"`
 }
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index 110a2d66a89a2..40b38171b01c9 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -1594,13 +1594,6 @@ func (a *ServerWithRoles) CreateToken(ctx context.Context, token types.Provision
 	return a.authServer.CreateToken(ctx, token)
 }
 
-func (a *ServerWithRoles) UpsertPassword(user string, password []byte) error {
-	if err := a.currentUserAction(user); err != nil {
-		return trace.Wrap(err)
-	}
-	return a.authServer.UpsertPassword(user, password)
-}
-
 // ChangePassword updates users password based on the old password.
 func (a *ServerWithRoles) ChangePassword(req services.ChangePasswordReq) error {
 	if err := a.currentUserAction(req.User); err != nil {
diff --git a/lib/auth/clt.go b/lib/auth/clt.go
index eee8e3d409090..dc44f4c8274d4 100644
--- a/lib/auth/clt.go
+++ b/lib/auth/clt.go
@@ -754,21 +754,6 @@ func (c *Client) DeleteProxy(name string) error {
 	return nil
 }
 
-// UpsertPassword updates web access password for the user
-func (c *Client) UpsertPassword(user string, password []byte) error {
-	_, err := c.PostJSON(
-		context.TODO(),
-		c.Endpoint("users", user, "web", "password"),
-		upsertPasswordReq{
-			Password: string(password),
-		})
-	if err != nil {
-		return trace.Wrap(err)
-	}
-
-	return nil
-}
-
 // UpsertUser user updates user entry.
 func (c *Client) UpsertUser(user types.User) error {
 	data, err := services.MarshalUser(user)
@@ -1399,8 +1384,6 @@ type WebService interface {
 
 // IdentityService manages identities and users
 type IdentityService interface {
-	// UpsertPassword updates web access password for the user
-	UpsertPassword(user string, password []byte) error
 	// UpsertOIDCConnector updates or creates OIDC connector
 	UpsertOIDCConnector(ctx context.Context, connector types.OIDCConnector) error
 	// GetOIDCConnector returns OIDC connector information by id
diff --git a/lib/auth/tls_test.go b/lib/auth/tls_test.go
index 2f310f51dbc5c..79d5b63d2b1c3 100644
--- a/lib/auth/tls_test.go
+++ b/lib/auth/tls_test.go
@@ -1115,15 +1115,16 @@ func TestUsersCRUD(t *testing.T) {
 	clt, err := tt.server.NewClient(TestAdmin())
 	require.NoError(t, err)
 
-	err = clt.UpsertPassword("user1", []byte("some pass"))
+	usr, err := types.NewUser("user1")
 	require.NoError(t, err)
+	require.NoError(t, clt.CreateUser(ctx, usr))
 
 	users, err := clt.GetUsers(false)
 	require.NoError(t, err)
 	require.Equal(t, len(users), 1)
 	require.Equal(t, users[0].GetName(), "user1")
 
-	require.NoError(t, clt.DeleteUser(context.TODO(), "user1"))
+	require.NoError(t, clt.DeleteUser(ctx, "user1"))
 
 	users, err = clt.GetUsers(false)
 	require.NoError(t, err)
@@ -1165,7 +1166,7 @@ func TestPasswordCRUD(t *testing.T) {
 	err = clt.CheckPassword("user1", pass, "123456")
 	require.Error(t, err)
 
-	err = clt.UpsertPassword("user1", pass)
+	err = tt.server.Auth().UpsertPassword("user1", pass)
 	require.NoError(t, err)
 
 	dev, err := services.NewTOTPDevice("otp", otpSecret, tt.clock.Now())
@@ -1210,7 +1211,7 @@ func TestOTPCRUD(t *testing.T) {
 	otpSecret := base32.StdEncoding.EncodeToString([]byte(rawSecret))
 
 	// upsert a password and totp secret
-	err = clt.UpsertPassword("user1", pass)
+	err = tt.server.Auth().UpsertPassword("user1", pass)
 	require.NoError(t, err)
 	dev, err := services.NewTOTPDevice("otp", otpSecret, tt.clock.Now())
 	require.NoError(t, err)
@@ -1277,7 +1278,7 @@ func TestWebSessionWithoutAccessRequest(t *testing.T) {
 	_, err = proxy.AuthenticateWebUser(ctx, req)
 	require.True(t, trace.IsAccessDenied(err))
 
-	err = clt.UpsertPassword(user, pass)
+	err = tt.server.Auth().UpsertPassword(user, pass)
 	require.NoError(t, err)
 
 	// success with password set up
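Review bot: The new `usr, err := types.NewUser("user1")` introduces a variable name that differs from the `user` used by the other tests touched in this diff (TestWebSessionMultiAccessRequests, TestLoginNoLocalAuth); `user, err := types.NewUser("user1")` would keep the file consistent. The added `clt.CreateUser(ctx, usr)` and the switch from `context.TODO()` to `ctx` depend on a `ctx` declared above this hunk; TestUsersCRUD's opening is outside the hunk, so I assume it is already in scope. While this test is being edited, the surrounding `require.Equal(t, len(users), 1)` passes the actual value in the expected position, which makes the failure message misleading; `require.Len(t, users, 1)` reads better.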
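Review bot: After switching to `err = tt.server.Auth().UpsertPassword("user1", pass)`, none of the tests in this diff drive password creation through the client any more, and nothing asserts that the removed POST `/:version/users/:user/web/password` route is actually gone; one small regression test that an HTTP request to that path (for example through the client's PostJSON helper seen in the removed clt.go code) is rejected would lock in the removal. The same replacement appears in the TestOTPCRUD, TestWebSessionWithoutAccessRequest, TestWebSessionMultiAccessRequests, TestWebSessionWithApprovedAccessRequestAndSwitchback, TestLoginAttempts and TestLoginNoLocalAuth hunks, so a single such test covers them all. Since `tt.server.Auth()` bypasses the ServerWithRoles permission check that the deleted wrapper applied, a one-line comment at the first use such as `// set the password directly on the auth server; the client no longer exposes UpsertPassword` would stop a reader from looking for a client method that no longer exists. TestPasswordCRUD's body continues outside the hunk.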
@@ -1357,7 +1358,7 @@ func TestWebSessionMultiAccessRequests(t *testing.T) {
 	requestableRoleName := "requestable"
 	user, err := CreateUserRoleAndRequestable(clt, username, requestableRoleName)
 	require.NoError(t, err)
-	err = clt.UpsertPassword(username, password)
+	err = tt.server.Auth().UpsertPassword(username, password)
 	require.NoError(t, err)
 
 	// Set search_as_roles, user can request this role only with a resource
@@ -1557,7 +1558,7 @@ func TestWebSessionWithApprovedAccessRequestAndSwitchback(t *testing.T) {
 		},
 	}
 
-	err = clt.UpsertPassword(user, pass)
+	err = tt.server.Auth().UpsertPassword(user, pass)
 	require.NoError(t, err)
 
 	ws, err := proxy.AuthenticateWebUser(ctx, req)
@@ -2470,7 +2471,7 @@ func TestLoginAttempts(t *testing.T) {
 	proxy, err := tt.server.NewClient(TestBuiltin(types.RoleProxy))
 	require.NoError(t, err)
 
-	err = clt.UpsertPassword(user, pass)
+	err = tt.server.Auth().UpsertPassword(user, pass)
 	require.NoError(t, err)
 
 	req := AuthenticateUserRequest{
@@ -2571,7 +2572,7 @@ func TestLoginNoLocalAuth(t *testing.T) {
 	require.NoError(t, err)
 	_, _, err = CreateUserAndRole(clt, user, []string{user})
 	require.NoError(t, err)
-	err = clt.UpsertPassword(user, pass)
+	err = tt.server.Auth().UpsertPassword(user, pass)
 	require.NoError(t, err)
 
 	// Set auth preference to disallow local auth.