HCPUB-3244

HipChat Server: "Require user to reset their password" Prevents External Directory Users from Logging In


Details

    • Bug
    • Resolution: Won't Fix
    • Low
    • Severity 2 - Major

    Description

      Summary

      By default, the Require user to reset their password option is only available for internal users.

      There are cases where an admin accidentally deactivates an external user (which triggers the known issue "Directory user will switch to become internal user if admin deactivates and reactivates the account directly within HipChat Server"), and after a full synchronization is performed the user is locked out of the instance even when using the correct credentials.

      Environment

      • HipChat Server 2.1.3
      • HipChat Server 2.2.4

      Steps to Reproduce

      1. The admin deactivates the user supremebot@example.com from the web interface; this reproduces the known issue "Directory user will switch to become internal user if admin deactivates and reactivates the account directly within HipChat Server".
      2. Reactivate the user and verify that it is now an internal user and that the option Require user to reset their password appears in the web interface.
      3. Enable Require user to reset their password and verify that the "require_pw_reset":true flag appears in the metadata column of the user:
        admin@danial213:~$ DBPASS=$(awk '/"pass"/ {gsub(/[",]/,"");print $2}' /hipchat/config/site.json) && mysql -uroot -p$DBPASS hipchat -e "SELECT * FROM users WHERE email='supremebot@example.com'\G"
        *************************** 1. row ***************************
                  id: 212
             version: 3D2BEB20
         external_id: NULL
                name: Supreme
            nickname: NULL
        mention_name: Supreme
               email: supremebot@example.com
            password:
               title:
           photo_url: NULL
           confirmed: 0
             created: 2017-07-04 23:27:45
          is_deleted: 0
          is_enabled: 1
            is_guest: 0
            timezone: UTC
            metadata: {"activation_token":"ih8i66DoGY","require_pw_reset":true}
        

      4. Run a full synchronization by disabling and re-enabling the directory, so that the user is synced again from the external directory.

      Expected Results

      The user should be able to log in using the correct credentials after the full synchronization has completed.

      Actual Results

      1. When the user tries to log in with the correct credentials, they are only redirected back to the login screen, with the following URL: https://<FQDN>/login_password?d=%2Fhome

      2. The /var/log/hipchat/atlassian-crowd.log shows that the login was successful:
        2017-07-04 23:42:27,624 http-bio-8095-exec-2 INFO [hipchat.server.rest.HipChatCrowdAuthenticateResource] [JLx4imw0] Initiating authentication for user 'supremebot@example.com'
        2017-07-04 23:42:27,756 http-bio-8095-exec-2 INFO [hipchat.server.rest.HipChatCrowdAuthenticateResource] [JLx4imw0] Authentication for 'supremebot@example.com' successful
        
      3. Verified that the "require_pw_reset": true still exists in the metadata column.
        admin@danial213:~$ DBPASS=$(awk '/"pass"/ {gsub(/[",]/,"");print $2}' /hipchat/config/site.json) && mysql -uroot -p$DBPASS hipchat -e "SELECT * FROM users WHERE email='supremebot@example.com'\G"
        *************************** 1. row ***************************
                  id: 212
             version: 3D2BEB20
         external_id: {hcs}supreme.1
                name: Supreme
            nickname: NULL
        mention_name: Supreme
               email: supremebot@example.com
            password:
               title:
           photo_url: NULL
           confirmed: 0
             created: 2017-07-04 23:27:45
          is_deleted: 0
          is_enabled: 1
            is_guest: 0
            timezone: UTC
            metadata: {"require_pw_reset": true, "activation_token": "ih8i66DoGY"}
        
      4. The require_pw_reset flag is not cleared automatically after the synchronization.

      Workaround

      1. Obtain access to the hipchat database:
        DBPASS=$(awk '/"pass"/ {gsub(/[",]/,"");print $2}' /hipchat/config/site.json) && mysql -uroot -p$DBPASS hipchat
        
      2. Get a sample confirmation_unix_time from one of the other external users that were synchronized to HipChat Server:
        SELECT metadata FROM users WHERE external_id LIKE '%hcs%'\G
        
      3. Update the metadata column with the correct data:
        UPDATE users SET metadata = '{"confirmation_unix_time":<confirmation_unix_time>}' WHERE id = <user_id>;
        
      4. Ensure that the user is confirmed by running the command below:
        UPDATE users SET confirmed=1 WHERE id=<user_id>;
        
      5. Verify that the user's information has been updated correctly. For example:
        admin@danial:~$ DBPASS=$(awk '/"pass"/ {gsub(/[",]/,"");print $2}' /hipchat/config/site.json) && mysql -uroot -p$DBPASS hipchat -e "SELECT * FROM users WHERE id=214\G"
        *************************** 1. row ***************************
                  id: 214
             version: 1BE8A39F
         external_id: {hcs}supreme.1
                name: Supreme
            nickname: NULL
        mention_name: Supreme
               email: supremebot@example.com
            password:
               title:
           photo_url: NULL
           confirmed: 1
             created: 2017-07-04 23:31:21
          is_deleted: 0
          is_enabled: 1
            is_guest: 0
            timezone: UTC
            metadata: {"confirmation_unix_time":1498088204}
        
      6. Confirm that the external user can log in as normal.
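      The workaround above is manual and per-user. The script below, an added example that is not part of this issue or of HipChat Server, finds every directory-synced user ({hcs} external_id) that still carries require_pw_reset or is unconfirmed, borrows confirmation_unix_time from a healthy synced user as in step 2, and emits the UPDATE statements of steps 3 and 4 for review instead of executing them. It runs against an in-memory SQLite copy of the relevant users columns filled with constructed rows; against a real instance the same queries would go through the mysql client shown in step 1.

```python
import json
import sqlite3

# Constructed sample of the HipChat Server `users` table, trimmed to the
# columns the workaround touches. Values are made up for this example.
SAMPLE_ROWS = [
    (212, "{hcs}supreme.1", "supremebot@example.com", 0,
     '{"require_pw_reset": true, "activation_token": "ih8i66DoGY"}'),
    (215, "{hcs}alice.1", "alice@example.com", 1,
     '{"confirmation_unix_time":1498088204}'),
    (216, None, "local.admin@example.com", 1,
     '{"require_pw_reset": true}'),  # internal user: the flag is legitimate here
]

def load_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, external_id TEXT,"
                 " email TEXT, confirmed INTEGER, metadata TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def find_locked_out_directory_users(conn):
    """Directory-synced users that still carry require_pw_reset or are not
    confirmed: the accounts bounced to /login_password although Crowd
    authenticated them. Internal users (external_id NULL) are never touched."""
    hits = []
    for uid, _ext, email, confirmed, meta in conn.execute(
            "SELECT id, external_id, email, confirmed, metadata FROM users"
            " WHERE external_id LIKE '{hcs}%'"):
        data = json.loads(meta or "{}")
        if data.get("require_pw_reset") or not confirmed:
            hits.append((uid, email))
    return hits

def reference_confirmation_time(conn):
    """Step 2 of the workaround: take confirmation_unix_time from a synced
    directory user that is not itself affected."""
    for (meta,) in conn.execute(
            "SELECT metadata FROM users WHERE external_id LIKE '{hcs}%'"):
        data = json.loads(meta or "{}")
        if "confirmation_unix_time" in data and not data.get("require_pw_reset"):
            return data["confirmation_unix_time"]
    raise LookupError("no healthy synced directory user to copy the value from")

def repair_statements(conn):
    """Steps 3 and 4: one pair of UPDATE statements per affected account."""
    ts = reference_confirmation_time(conn)
    new_meta = json.dumps({"confirmation_unix_time": ts}, separators=(",", ":"))
    stmts = []
    for uid, _email in find_locked_out_directory_users(conn):
        stmts.append(f"UPDATE users SET metadata = '{new_meta}' WHERE id = {uid};")
        stmts.append(f"UPDATE users SET confirmed=1 WHERE id={uid};")
    return stmts
```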

            People

              Assignee: Unassigned
              Reporter: Ahmad Danial (Inactive)
              Archiver: Michael Andreacchio