Merge pull request #2440 from cyberark/fix-password-change

Fix server error for admin user password change
cyberark · Dec 20, 2021 · f1f2abc · f1f2abc
2 parents 5335422 + 06d0de2
commit f1f2abc
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Fixed
+- Check to stop hosts from setting passwords fixed for admin user
+  [#2440](https://github.com/cyberark/conjur/pull/2440)
+
 ## [1.14.2] - 2021-12-13
 
 ### Changed

diff --git a/app/controllers/credentials_controller.rb b/app/controllers/credentials_controller.rb
@@ -37,7 +37,7 @@ class CredentialsController < ApplicationController
   # This method requires a PUT request. The new password is in the request body.
   def update_password
     password = request.body.read
-    raise Exceptions::Forbidden if @role.resource.kind == "host"
+    raise Exceptions::Forbidden if @role.login.start_with?("host/")
 
     Commands::Credentials::ChangePassword.new.call(
       role: @role,

diff --git a/cucumber/api/features/change_password.feature b/cucumber/api/features/change_password.feature
@@ -24,6 +24,22 @@ Feature: Change the password of a role
       cucumber:user:alice successfully changed their password
     """
 
+  Scenario: With basic authentication, user admin update their own password using the current password.
+
+    Given I set the password for "admin" to "My-Password1"
+    And I save my place in the audit log file for remote
+    When I successfully PUT "/authn/cucumber/password" with username "admin" and password "My-Password1" and plain text body "New-Password1"
+    Then I can GET "/authn/cucumber/login" with username "admin" and password "New-Password1"
+    And there is an audit record matching:
+    """
+      <86>1 * * conjur * password
+      [auth@43868 user="cucumber:user:admin"]
+      [subject@43868 role="cucumber:user:admin"]
+      [client@43868 ip="\d+\.\d+\.\d+\.\d+"]
+      [action@43868 result="success" operation="change"]
+      cucumber:user:admin successfully changed their password
+    """
+
   Scenario: With basic authentication, users can update their own password using the current API key.
 
     When I successfully PUT "/authn/cucumber/password" with username "alice" and password ":cucumber:user:alice_api_key" and plain text body "New-Password1"