1. Allow enforcing password change while creating user

sudo87 · sudo87 · commit 6510400aa864 · 2026-01-06T23:07:16.000+05:30
2. Admin can enforce password change on next login with out resetting password
diff --git a/api/src/main/java/com/cloud/user/AccountService.java b/api/src/main/java/com/cloud/user/AccountService.java
@@ -58,7 +58,8 @@ UserAccount createUserAccount(String userName, String password, String firstName
 
     User getSystemUser();
 
-    User createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID);
+    User createUser(String userName, String password, String firstName, String lastName, String email, String timeZone,
+                    String accountName, Long domainId, String userUUID, boolean isPasswordChangeRequired);
 
     User createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID,
                     User.Source source);
diff --git a/api/src/main/java/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java b/api/src/main/java/org/apache/cloudstack/api/command/admin/user/CreateUserCmd.java
@@ -26,6 +26,7 @@
 import org.apache.cloudstack.api.response.DomainResponse;
 import org.apache.cloudstack.api.response.UserResponse;
 import org.apache.cloudstack.context.CallContext;
+import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang3.StringUtils;
 
 import com.cloud.user.Account;
@@ -78,6 +79,12 @@ public class CreateUserCmd extends BaseCmd {
     @Parameter(name = ApiConstants.USER_ID, type = CommandType.STRING, description = "User UUID, required for adding account from external provisioning system")
     private String userUUID;
 
+    @Parameter(name = ApiConstants.PASSWORD_CHANGE_REQUIRED,
+            type = CommandType.BOOLEAN,
+            description = "Provide true to mandate the User to reset password on next login.",
+            since = "4.23.0")
+    private Boolean passwordChangeRequired;
+
     /////////////////////////////////////////////////////
     /////////////////// Accessors ///////////////////////
     /////////////////////////////////////////////////////
@@ -118,6 +125,10 @@ public String getUserUUID() {
         return userUUID;
     }
 
+    public Boolean isPasswordChangeRequired() {
+        return BooleanUtils.isTrue(passwordChangeRequired);
+    }
+
     /////////////////////////////////////////////////////
     /////////////// API Implementation///////////////////
     /////////////////////////////////////////////////////
@@ -147,7 +158,7 @@ public void execute() {
         CallContext.current().setEventDetails("UserName: " + getUserName() + ", FirstName :" + getFirstName() + ", LastName: " + getLastName());
         User user =
             _accountService.createUser(getUserName(), getPassword(), getFirstName(), getLastName(), getEmail(), getTimezone(), getAccountName(), getDomainId(),
-                getUserUUID());
+                getUserUUID(), isPasswordChangeRequired());
         if (user != null) {
             UserResponse response = _responseGenerator.createUserResponse(user);
             response.setResponseName(getCommandName());
diff --git a/server/src/main/java/com/cloud/user/AccountManagerImpl.java b/server/src/main/java/com/cloud/user/AccountManagerImpl.java
@@ -1510,12 +1510,24 @@ private List<APIChecker> getEnabledApiCheckers() {
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")
     public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID,
-            User.Source source) {
+                             User.Source source) {
+        return createUser(userName, password, firstName, lastName, email, timeZone, accountName, domainId, userUUID, source, false);
+    }
+
+
+    @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")
+    public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID,
+            User.Source source, boolean isPasswordChangeRequired) {
         // default domain to ROOT if not specified
         if (domainId == null) {
             domainId = Domain.ROOT_DOMAIN;
         }
 
+        if (isPasswordChangeRequired && (source == User.Source.SAML2 || source == User.Source.SAML2DISABLED || source == User.Source.LDAP)) {
+            logger.warn("Enforcing password change is not permitted for source [{}].", source);
+            throw new InvalidParameterValueException("CloudStack does not support enforcing password change for SAML or LDAP users.");
+        }
+
         Domain domain = _domainMgr.getDomain(domainId);
         if (domain == null) {
             throw new CloudRuntimeException("The domain " + domainId + " does not exist; unable to create user");
@@ -1546,14 +1558,21 @@ public UserVO createUser(String userName, String password, String firstName, Str
         verifyCallerPrivilegeForUserOrAccountOperations(account);
         UserVO user;
         user = createUser(account.getId(), userName, password, firstName, lastName, email, timeZone, userUUID, source);
+        if (isPasswordChangeRequired) {
+            long callerAccountId = CallContext.current().getCallingAccountId();
+            if ((isRootAdmin(callerAccountId) || isDomainAdmin(callerAccountId))) {
+                _userDetailsDao.addDetail(user.getId(), PasswordChangeRequired, "true", false);
+            }
+        }
         return user;
     }
 
     @Override
     @ActionEvent(eventType = EventTypes.EVENT_USER_CREATE, eventDescription = "creating User")
-    public UserVO createUser(String userName, String password, String firstName, String lastName, String email, String timeZone, String accountName, Long domainId, String userUUID) {
+    public UserVO createUser(String userName, String password, String firstName, String lastName, String email,
+                             String timeZone, String accountName, Long domainId, String userUUID, boolean isPasswordChangeRequired) {
 
-        return createUser(userName, password, firstName, lastName, email, timeZone, accountName, domainId, userUUID, User.Source.UNKNOWN);
+        return createUser(userName, password, firstName, lastName, email, timeZone, accountName, domainId, userUUID, User.Source.UNKNOWN, isPasswordChangeRequired);
     }
 
     @Override
@@ -1587,22 +1606,29 @@ public UserAccount updateUser(UpdateUserCmd updateUserCmd) {
         if (mandate2FA != null && mandate2FA) {
             user.setUser2faEnabled(true);
         }
-        _userDao.update(user.getId(), user);
         updatePasswordChangeRequired(caller, updateUserCmd, user);
+        _userDao.update(user.getId(), user);
         return _userAccountDao.findById(user.getId());
     }
 
     private void updatePasswordChangeRequired(User caller, UpdateUserCmd updateUserCmd, UserVO user) {
-        if (StringUtils.isNotBlank(updateUserCmd.getPassword())) {
-            boolean isCallerSameAsUser = user.getId() == caller.getId();
-            boolean isPasswordResetRequired = updateUserCmd.isPasswordChangeRequired() && !isCallerSameAsUser;
-            // Admins only can enforce passwordChangeRequired for user
-            if (isRootAdmin(caller.getAccountId()) || isDomainAdmin(caller.getAccountId())) {
-                if (isPasswordResetRequired) {
-                    _userDetailsDao.addDetail(user.getId(), PasswordChangeRequired, "true", false);
-                }
+        User.Source userSource = user.getSource();
+        if ((userSource == User.Source.SAML2 || userSource == User.Source.SAML2DISABLED || userSource == User.Source.LDAP)
+                && updateUserCmd.isPasswordChangeRequired()) {
+            logger.warn("Enforcing password change is not permitted for source [{}].", user.getSource());
+            throw new InvalidParameterValueException("CloudStack does not support enforcing password change for SAML or LDAP users.");
+        }
+
+        boolean isCallerSameAsUser = user.getId() == caller.getId();
+        boolean isPasswordResetRequired = updateUserCmd.isPasswordChangeRequired() && !isCallerSameAsUser;
+        // Admins only can enforce passwordChangeRequired for user
+        if (isRootAdmin(caller.getAccountId()) || isDomainAdmin(caller.getAccountId())) {
+            if (isPasswordResetRequired) {
+                _userDetailsDao.addDetail(user.getId(), PasswordChangeRequired, "true", false);
             }
+        }
 
+        if (StringUtils.isNotBlank(updateUserCmd.getPassword())) {
             // Remove passwordChangeRequired if user updating own pwd or admin has not enforced it
             if (isCallerSameAsUser || !isPasswordResetRequired) {
                 _userDetailsDao.removeDetail(user.getId(), PasswordChangeRequired);
diff --git a/ui/public/locales/en.json b/ui/public/locales/en.json
@@ -530,6 +530,7 @@
 "label.change.ipaddress": "Change IP address for NIC",
 "label.change.disk.offering": "Change disk offering",
 "label.change.offering.for.volume": "Change disk offering for the volume",
+"label.change.password.enforce": "Enforce password change",
 "label.change.password.onlogin": "User must change password at next login",
 "label.change.service.offering": "Change service offering",
 "label.character": "Character",
diff --git a/ui/src/config/section/user.js b/ui/src/config/section/user.js
@@ -82,6 +82,23 @@ export default {
       popup: true,
       component: shallowRef(defineAsyncComponent(() => import('@/views/iam/EditUser.vue')))
     },
+    {
+      api: 'updateUser',
+      icon: 'redo-outlined',
+      label: 'label.change.password.enforce',
+      dataView: true,
+      args: ['passwordchangerequired'],
+      mapping: {
+        passwordchangerequired: {
+          value: (record) => { return true }
+        }
+      },
+      popup: true,
+      show: (record, store) => {
+        return ['Admin', 'DomainAdmin'].includes(store.userInfo.roletype) &&
+          !record.isdefault && (store.userInfo.id !== record.id)
+      }
+    },
     {
       api: 'updateUser',
       icon: 'key-outlined',
diff --git a/ui/src/views/iam/AddUser.vue b/ui/src/views/iam/AddUser.vue
@@ -147,6 +147,11 @@
             </a-select-option>
           </a-select>
         </a-form-item>
+        <a-form-item v-if="isAdminOrDomainAdmin() && !samlAllowed" name="passwordChangeRequired" ref="passwordChangeRequired">
+            <a-checkbox v-model:checked="form.passwordChangeRequired">
+              {{ $t('label.change.password.onlogin') }}
+            </a-checkbox>
+        </a-form-item>
         <div v-if="samlAllowed">
           <a-form-item name="samlenable" ref="samlenable" :label="$t('label.samlenable')">
             <a-switch v-model:checked="form.samlenable" />
@@ -384,6 +389,10 @@ export default {
       if (this.isValidValueForKey(rawParams, 'timezone') && rawParams.timezone.length > 0) {
         params.timezone = rawParams.timezone
       }
+      console.log('rawParams.passwordChangeRequired', rawParams.passwordChangeRequired)
+      if (this.isAdminOrDomainAdmin() && rawParams.passwordChangeRequired === true) {
+        params.passwordchangerequired = rawParams.passwordChangeRequired
+      }
 
       return postAPI('createUser', params)
     },
