
administrative password reset through ruby console fails with deprecated password in place

Open jsjhb opened this issue 6 years ago • 5 comments

Issue Description

After resetting a password for a user in a local installation of obs using the ruby console using

```
RAILS_ENV="production" /usr/bin/rails.ruby2.5-5.1.4 console
user = User.where(:login => '<loginname>').first
user.password = "<password>"
user.password_confirmation = "<password>"
user.save
```

the user is still not able to log in. Looking in the database, a distinguishing feature of the account is now that both password_digest and the triple (deprecated_password, deprecated_password_hash_type, deprecated_password_salt) are set for the user. As the deprecated password is still set, login with the newly set password fails. Setting deprecated_password* to NULL lets the user log in with the new password.

It seems to me that a successful login with deprecated_password* migrates the entries to use password_digest and sets the deprecated_password* fields to NULL.

Documentation about administrative password change is lacking, where such behavior could have been noted down.

Expected Result

Resetting the password with the crude ruby console should work, i.e. a present password_digest should take precedence over the deprecated password.

Ideally there would be a password change function in the "Configuration" - "Manage Users" page, without the need for the ruby console or direct manipulation of the database, as proposed in #699.

How to Reproduce

  1. Have a user created in OBS versions prior to at least 2.10 (with local accounts) with deprecated_password* set.
  2. Set a new password using the ruby console as described above.
  3. Try logging in with the new password.

Further Information

Seen on: https://pmbs.links2linux.de 2.10-lp151.10.1 on openSUSE Leap 15.1

jsjhb, Jul 19 '19 13:07

Hi @jsjhb, did user.save return true? If not, could you please paste here the results of user.errors?

vpereira, Jul 22 '19 13:07

user.save returned true; as for the errors, please have a look (username, email, and hashes modified):

```
buildhost:/srv/www/obs/api # RAILS_ENV="production" /usr/bin/rails.ruby2.5-5.1.4 console
DEPRECATED: Please update your options.yml by running 'rake migrate_options_yml'
Loading production environment (Rails 5.2.3)
irb(main):001:0> user = User.where(:login => 'olddude').first
=> #<User id: 7, created_at: "2017-06-22 19:51:45", updated_at: "2018-04-04 12:49:13", last_logged_in_at: nil, login_failure_count: 0, login: "olddude", email: "[email protected]", realname: "", password_digest: nil, deprecated_password: "eed3c8afc6e203f8bb296c39518ff1d9", deprecated_password_hash_type: "md5", deprecated_password_salt: "ghD2wykZAD", adminnote: nil, state: "deleted", owner_id: nil, ignore_auth_services: false, in_beta: false>

irb(main):002:0> user.password = "B1gBu115iht"
=> "B1gBu115iht"

irb(main):003:0> user.save
=> true

irb(main):005:0> user.errors
=> #<ActiveModel::Errors:0x0000560ab719e340 @base=#<User id: 7, created_at: "2017-06-22 19:51:45", updated_at: "2019-07-25 17:00:09", last_logged_in_at: nil, login_failure_count: 0, login: "olddude", email: "[email protected]", realname: "", password_digest: "$2a$12$z/Roa8r.NS165K8vdnsGmOjvHLdmfhg2eMNvce.G2jB...", deprecated_password: "eed3c8afc6e203f8bb296c39518ff1d9", deprecated_password_hash_type: "md5", deprecated_password_salt: "ghD2wykZAD", adminnote: nil, state: "deleted", owner_id: nil, ignore_auth_services: false, in_beta: false>, @messages={}, @details={}>

irb(main):006:0> exit
**Airbrake: closed
buildhost:/srv/www/obs/api #
```

jsjhb, Jul 25 '19 17:07

You also need to set user.password_confirmation now, as we started to use has_secure_password; see the docs.

hennevogel, Jul 26 '19 12:07

I did that initially, with the same result.

Also, can you please give a link to the docs?

jsjhb, Jul 26 '19 12:07

The password_confirmation is not the problem. I can confirm the issue; I actually have it every time I load a production dump into my development env.

You can set passwords all day long, but as long as you aren't also wiping the deprecated_password field, that one will be used.

coolo, Jul 29 '19 08:07
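The precedence problem described in the issue body and confirmed in the last comment, as an added Ruby example that is not OBS code: a minimal user record with both the bcrypt-style `password_digest` and the legacy `deprecated_password*` triple, one `authenticate` that checks the legacy hash first (the reported behaviour) and one that checks the digest first and migrates the record on a successful legacy login. The md5 salt layout and the PBKDF2 stand-in for bcrypt are assumptions made so the block runs without the bcrypt gem.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Constructed stand-in for the OBS User record (not the real ActiveRecord model).
LegacyUser = Struct.new(:login, :password_digest, :deprecated_password,
                        :deprecated_password_hash_type, :deprecated_password_salt)

# Legacy hash, md5 over salt + password; the exact OBS salt layout is an assumption.
def legacy_hash(password, salt)
  Digest::MD5.hexdigest(salt + password)
end

# Stand-in for bcrypt/has_secure_password so the example runs without the bcrypt gem:
# PBKDF2-HMAC-SHA256 with the salt stored in front of the hash.
def make_digest(password, salt = SecureRandom.hex(8))
  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 10_000, 32, OpenSSL::Digest.new('SHA256'))
  "#{salt}$#{key.unpack1('H*')}"
end

def digest_matches?(digest, password)
  salt = digest.split('$', 2).first
  candidate = make_digest(password, salt)
  # Constant-time comparison so timing does not leak how many bytes matched.
  candidate.bytesize == digest.bytesize &&
    candidate.bytes.zip(digest.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Precedence reported in the issue: a present deprecated_password wins over
# password_digest, so a digest set from the console is never consulted.
def authenticate_legacy_first(user, password)
  if user.deprecated_password
    return legacy_hash(password, user.deprecated_password_salt) == user.deprecated_password
  end
  !user.password_digest.nil? && digest_matches?(user.password_digest, password)
end

# Expected precedence: password_digest first; the legacy triple is only consulted
# when no digest exists, and a successful legacy login migrates the record
# (digest written, triple cleared), matching what the issue observes.
def authenticate_digest_first(user, password)
  return digest_matches?(user.password_digest, password) if user.password_digest
  return false unless user.deprecated_password
  return false unless legacy_hash(password, user.deprecated_password_salt) == user.deprecated_password
  user.password_digest = make_digest(password)
  user.deprecated_password = user.deprecated_password_hash_type = user.deprecated_password_salt = nil
  true
end
```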