From 12e53e6f110ecad2af36ebb4030086cdc82078f8 Mon Sep 17 00:00:00 2001
From: Thomas Darimont
Date: Mon, 3 Feb 2020 16:46:17 +0100
Subject: [PATCH] KEYCLOAK-11003 Remove UPDATE_PASSWORD RequiredAction on non-temporary password reset

We now remove a potentially existing UPDATE_PASSWORD action when explicitly assigning a non-temporary password.
Adapted tests to use a temporary password when UpdatePassword required actions were used.
---
 .../resources/admin/UserResource.java | 7 ++++-
 .../org/keycloak/testsuite/admin/ApiUtil.java | 14 +++++++++-
 .../keycloak/testsuite/admin/UserTest.java | 27 +++++++++++++++++++
 .../testsuite/forms/BrowserButtonsTest.java | 2 +-
 .../forms/MultipleTabsLoginTest.java | 2 +-
 5 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java b/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java
index 464702f03c..3774c54970 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java
@@ -617,7 +617,12 @@ public class UserResource {
 throw new ErrorResponseException(e.getMessage(), MessageFormat.format(messages.getProperty(e.getMessage(), e.getMessage()), e.getParameters()), Status.BAD_REQUEST);
 }
- if (cred.isTemporary() != null && cred.isTemporary()) user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
+ if (cred.isTemporary() != null && cred.isTemporary()) {
+ user.addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
+ } else {
+ // Remove a potentially existing UPDATE_PASSWORD action when explicitly assigning a non-temporary password.
+ user.removeRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
+ }
 adminEvent.operation(OperationType.ACTION).resourcePath(session.getContext().getUri()).success();
 }
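Review bot: The new else branch also runs when `cred.isTemporary()` is null, so a reset request that simply omits the `temporary` flag clears a pending UPDATE_PASSWORD required action, which the inline comment's "explicitly assigning a non-temporary password" does not convey (the new UserTest case depends on exactly this by sending `setTemporary(null)`). A required action that was put on the user for some other reason is dropped the same way, and the admin event recorded on the following line does not distinguish the two outcomes, so the removal is not visible in the audit trail unless the event representation captures it. If null is meant to count as non-temporary, reword the comment to `// A missing or false "temporary" flag counts as non-temporary: drop any pending UPDATE_PASSWORD action.`; if only an explicit false should clear it, change the branch to `} else if (Boolean.FALSE.equals(cred.isTemporary())) {` and adjust the new test accordingly. The enclosing resetPassword method starts outside the hunk.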
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/admin/ApiUtil.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/admin/ApiUtil.java
index 6bc4f84f64..67b8d932f4 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/admin/ApiUtil.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/admin/ApiUtil.java
@@ -173,8 +173,20 @@ public class ApiUtil {
 * @return ID of the new user
 */
 public static String createUserAndResetPasswordWithAdminClient(RealmResource realm, UserRepresentation user, String password) {
+ return createUserAndResetPasswordWithAdminClient(realm, user, password, false);
+ }
+
+ /**
+ * Creates a user and sets the password
+ * @param realm
+ * @param user
+ * @param password
+ * @param temporary
+ * @return ID of the new user
+ */
+ public static String createUserAndResetPasswordWithAdminClient(RealmResource realm, UserRepresentation user, String password, boolean temporary) {
 String id = createUserWithAdminClient(realm, user);
- resetUserPassword(realm.users().get(id), password, false);
+ resetUserPassword(realm.users().get(id), password, temporary);
 return id;
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java
index 686fa7f1e4..8285fa62a2 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java
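Review bot: The Javadoc on the new four-argument overload leaves every `@param` tag empty, and `temporary` is the one a test author most needs explained, since it decides whether the user ends up with the UPDATE_PASSWORD required action. Suggest `@param temporary whether the password is temporary, i.e. the user must change it on next login (adds the UPDATE_PASSWORD required action)` and filling in the other three in the same pass. The three-argument overload, whose Javadoc starts above the hunk, now delegates with `temporary = false`, which since this commit also removes any pending UPDATE_PASSWORD action from the user; a sentence saying so there would prevent the surprise that made the BrowserButtonsTest and MultipleTabsLoginTest changes necessary.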
@@ -194,6 +194,33 @@ public class UserTest extends AbstractAdminTest {
 createUser();
 }
+ /**
+ * See KEYCLOAK-11003
+ */
+ @Test
+ public void createUserWithTemporaryPasswordWithAdditionalPasswordUpdateShouldRemoveUpdatePasswordRequiredAction() {
+
+ String userId = createUser();
+
+ CredentialRepresentation credTmp = new CredentialRepresentation();
+ credTmp.setType(CredentialRepresentation.PASSWORD);
+ credTmp.setValue("temp");
+ credTmp.setTemporary(Boolean.TRUE);
+
+ realm.users().get(userId).resetPassword(credTmp);
+
+ CredentialRepresentation credPerm = new CredentialRepresentation();
+ credPerm.setType(CredentialRepresentation.PASSWORD);
+ credPerm.setValue("perm");
+ credPerm.setTemporary(null);
+
+ realm.users().get(userId).resetPassword(credPerm);
+
+ UserRepresentation userRep = realm.users().get(userId).toRepresentation();
+
+ Assert.assertFalse(userRep.getRequiredActions().contains(UserModel.RequiredAction.UPDATE_PASSWORD.name()));
+ }
+
 @Test
 public void createDuplicatedUser1() {
 createUser();
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java
index ca5504ba78..af5946a617 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BrowserButtonsTest.java
@@ -74,7 +74,7 @@ public class BrowserButtonsTest extends AbstractTestRealmKeycloakTest {
 .requiredAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString())
 .build();
- userId = ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), user, "password");
+ userId = ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), user, "password", true);
 expectedMessagesCount = 0;
 getCleanup().addUserId(userId);
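Review bot: The new test never checks that the temporary reset actually added UPDATE_PASSWORD before the second reset, so the final `assertFalse` would also pass if the first `resetPassword` call had no effect at all. Add after `realm.users().get(userId).resetPassword(credTmp);` the line `Assert.assertTrue(realm.users().get(userId).toRepresentation().getRequiredActions().contains(UserModel.RequiredAction.UPDATE_PASSWORD.name()));` so the test proves the transition rather than only the end state. The method name speaks of a password update, but `credPerm.setTemporary(null)` exercises only the omitted-flag path; a second case sending `Boolean.FALSE` would cover the explicit non-temporary reset the commit message describes, and would keep passing if the server-side branch were later narrowed to an explicit false.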
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java
index 05ffaafd9c..f8a427b9d1 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultipleTabsLoginTest.java
@@ -80,7 +80,7 @@ public class MultipleTabsLoginTest extends AbstractTestRealmKeycloakTest {
 .requiredAction(UserModel.RequiredAction.UPDATE_PASSWORD.toString())
 .build();
- userId = ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), user, "password");
+ userId = ApiUtil.createUserAndResetPasswordWithAdminClient(testRealm(), user, "password", true);
 getCleanup().addUserId(userId);
 oauth.clientId("test-app");