Allow enforcing password change for a user after reset by admin (root/domain)

[sudo87]

Description

This PR introduces enforcement of password changes for users upon login after an admin-initiated reset.

API changes:

1. A boolean param "passwordChangeRequired" is introduced in UpdateUserCmd
2. It is applicable only for normal user role, admin or domain admin are excluded
3. Row with name="PasswordChangeRequired" gets added into user_details table
4. passwordchangerequired: true in loginresponse for when login is invoked
5. UserAccount gets a new field passwordchangerequired
6. ListApis response contains limited APIs for user, who are required to change password
   [ "login", "logout", "updateUser", "listUsers", "listApis" ]

UI

1. New route /user/forceChangePassword
2. Guard check for passwordchangerequired and no apis request other than listUser
3. ForceChangePassword component

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• Build/CI
• Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

Screen.Recording.2025-12-18.at.4.11.45.PM.mov

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[codecov]

Codecov Report

❌ Patch coverage is 23.07692% with 40 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.49%. Comparing base (f417c6b) to head (71b7b81).
⚠️ Report is 27 commits behind head on main.

Files with missing lines	Patch %	Lines
server/src/main/java/com/cloud/api/ApiServer.java	0.00%	7 Missing ⚠️
...c/main/java/com/cloud/user/AccountManagerImpl.java	41.66%	3 Missing and 4 partials ⚠️
...oudstack/api/command/admin/user/UpdateUserCmd.java	0.00%	6 Missing ⚠️
...ache/cloudstack/api/response/LoginCmdResponse.java	0.00%	6 Missing ⚠️
...g/apache/cloudstack/api/response/UserResponse.java	0.00%	6 Missing ⚠️
.../cloudstack/discovery/ApiDiscoveryServiceImpl.java	70.00%	1 Missing and 2 partials ⚠️
...java/com/cloud/api/query/vo/UserAccountJoinVO.java	0.00%	3 Missing ⚠️
...om/cloud/api/query/dao/UserAccountJoinDaoImpl.java	0.00%	1 Missing ⚠️
.../cloudstack/user/UserPasswordResetManagerImpl.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #12294      +/-   ##
============================================
+ Coverage     17.46%   17.49%   +0.03%     
- Complexity    15516    15569      +53     
============================================
  Files          5913     5915       +2     
  Lines        529385   529767     +382     
  Branches      64679    64701      +22     
============================================
+ Hits          92448    92708     +260     
- Misses       426518   426603      +85     
- Partials      10419    10456      +37     

Flag	Coverage Δ
uitests	3.57% <ø> (-0.01%)	⬇️
unittests	18.56% <23.07%> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sudo87]

@blueorangutan package

[blueorangutan]

@sudo87 a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 16086

[Copilot]

Pull request overview

This PR implements a feature to enforce password changes for normal users after an admin-initiated password reset. When an admin resets a user's password, they can require the user to change it upon next login. The user is then redirected to a forced password change page and has limited API access until the password is updated.

Key Changes:

• Added passwordChangeRequired boolean parameter to the updateUser API command, allowing admins to flag users for mandatory password change
• Introduced a new UI route /user/forceChangePassword with a dedicated component that restricts users to password change until completed
• Implemented navigation guards and API restrictions to limit users to essential APIs (login, logout, updateUser, listUsers, listApis) when password change is required

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
ui/src/views/iam/ForceChangePassword.vue	New component for forced password change page with form validation and success state
ui/src/views/iam/ChangeUserPassword.vue	Added checkbox for admins to require password change on next login
ui/src/store/mutation-types.js	Added PASSWORD_CHANGE_REQUIRED constant for state management
ui/src/store/modules/user.js	Added state and mutations for password change requirement flag, loads user info with limited APIs when flag is set
ui/src/store/getters.js	Added getter for passwordChangeRequired state
ui/src/permission.js	Added navigation guards to redirect users to force change password page when required
ui/src/config/router.js	Registered new forceChangePassword route under user path
ui/public/locales/en.json	Added localization strings for password change UI
server/src/main/java/com/cloud/user/AccountManagerImpl.java	Added logic to set/remove passwordChangeRequired user detail, loads user details during authentication
server/src/main/java/com/cloud/api/query/vo/UserAccountJoinVO.java	Added passwordChangeRequired field to join view object
server/src/main/java/com/cloud/api/query/dao/UserAccountJoinDaoImpl.java	Maps passwordChangeRequired to user response
server/src/main/java/com/cloud/api/ApiServer.java	Sets passwordChangeRequired in login session when user detail is present
plugins/api/discovery/src/main/java/org/apache/cloudstack/discovery/ApiDiscoveryServiceImpl.java	Restricts API list to essential APIs when user requires password change
plugins/api/discovery/src/test/java/org/apache/cloudstack/discovery/ApiDiscoveryTest.java	Updated test setup to mock getUserAccountById method
engine/schema/src/main/resources/META-INF/db/views/cloud.user_view.sql	Added LEFT JOIN to user_details table for PasswordChangeRequired value
engine/schema/src/main/java/org/apache/cloudstack/resourcedetail/UserDetailVO.java	Added PasswordChangeRequired constant
api/src/main/java/org/apache/cloudstack/api/response/UserResponse.java	Added passwordChangeRequired field to user API response
api/src/main/java/org/apache/cloudstack/api/response/LoginCmdResponse.java	Added passwordChangeRequired field to login API response
api/src/main/java/org/apache/cloudstack/api/command/admin/user/UpdateUserCmd.java	Added passwordChangeRequired parameter to update user command
api/src/main/java/org/apache/cloudstack/api/ApiConstants.java	Added PASSWORD_CHANGE_REQUIRED API constant

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sudo87]

@blueorangutan package

[blueorangutan]

@sudo87 a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 16095

[sudo87]

@blueorangutan package

[blueorangutan]

@sudo87 a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✖️ debian ✖️ suse15. SL-JID 16097

[Copilot]

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 17 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The test setup mocks getUserAccountById to return null for user details, but there's no test case that verifies the new password change required functionality. The new logic in ApiDiscoveryServiceImpl that restricts APIs when passwordchangerequired is true is not covered by any test. Consider adding test cases for: 1) user with passwordchangerequired=true should only get limited APIs, and 2) user with passwordchangerequired=false should follow normal flow.

[Copilot]

The new updatePasswordChangeRequired method and its logic for handling passwordchangerequired parameter are not covered by any test cases. Consider adding tests to verify: 1) password change required is set when admin changes user password with the flag, 2) flag is removed when user changes own password, 3) flag is removed when admin changes password without the flag, and 4) admins cannot set the flag for themselves or other admins.

[sudo87]

@blueorangutan package

[blueorangutan]

@sudo87 a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16106