package userpass import ( "fmt" "golang.org/x/crypto/bcrypt" "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" ) func pathUserPassword(b *backend) *framework.Path { return &framework.Path{ Pattern: "users/" + framework.GenericNameRegex("username") + "/password$", Fields: map[string]*framework.FieldSchema{ "username": &framework.FieldSchema{ Type: framework.TypeString, Description: "Username for this user.", }, "password": &framework.FieldSchema{ Type: framework.TypeString, Description: "Password for this user.", }, }, ExistenceCheck: b.userPasswordExistenceCheck, Callbacks: map[logical.Operation]framework.OperationFunc{ logical.UpdateOperation: b.pathUserPasswordUpdate, }, HelpSynopsis: pathUserPasswordHelpSyn, HelpDescription: pathUserPasswordHelpDesc, } } // By always returning true, this endpoint will be enforced to be invoked only upon UpdateOperation. // The existence of user will be checked in the operation handler. func (b *backend) userPasswordExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) { return true, nil } func (b *backend) pathUserPasswordUpdate( req *logical.Request, d *framework.FieldData) (*logical.Response, error) { username := d.Get("username").(string) userEntry, err := b.user(req.Storage, username) if err != nil { return nil, err } if userEntry == nil { return nil, fmt.Errorf("username does not exist") } err = b.updateUserPassword(req, d, userEntry) if err != nil { return nil, err } return nil, b.setUser(req.Storage, username, userEntry) } func (b *backend) updateUserPassword(req *logical.Request, d *framework.FieldData, userEntry *UserEntry) error { password := d.Get("password").(string) if password == "" { return fmt.Errorf("missing password") } // Generate a hash of the password hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) if err != nil { return err } userEntry.PasswordHash = hash return nil } const pathUserPasswordHelpSyn = ` Reset user's password. ` const pathUserPasswordHelpDesc = ` This endpoint allows resetting the user's password. `