Remove Domain/IP from Password Reset Link to custom Global Setting

[daviftorres]

Description

This PR is a minor change on the resetLink generated when users self-serve resetting passwords as described in issue #11378

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

How Has This Been Tested?

It was not tested.

How did you try to break this feature and the system with this change?

I did not.

[codecov]

Codecov Report

❌ Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.35%. Comparing base (f2d6356) to head (919f1f8).

Files with missing lines	Patch %	Lines
.../cloudstack/user/UserPasswordResetManagerImpl.java	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##               main   #11379   +/-   ##
=========================================
  Coverage     17.35%   17.35%           
- Complexity    15230    15231    +1     
=========================================
  Files          5886     5886           
  Lines        525685   525686    +1     
  Branches      64159    64159           
=========================================
+ Hits          91247    91249    +2     
  Misses       424138   424138           
+ Partials      10300    10299    -1     

Flag	Coverage Δ
uitests	3.63% <ø> (ø)
unittests	18.39% <33.33%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[DaanHoogland]

clgtm

[kiranchavala]

@blueorangutan package

[blueorangutan]

@kiranchavala a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14550

[kiranchavala]

LGTM , tested with smtp docker image

https://github.com/mailhog/MailHog

We are not showing the IP address of Management server in the reset password mail

Global setting

user.password.reset.mail.template ="Hello {{username}}!
You have requested to reset your password. Please click the following link to reset your password:
http://kiranchavala.in{{{resetLink}}}
If you did not request a password reset, please ignore this email.

Regards,
The CloudStack Team

Before fix

After fix

[sureshanaparti]

@daviftorres what in case the config 'user.password.reset.mail.template' doesn't have any domain before the reset link (default value, has http://{{{resetLink}}} - for this, I'll be http:///client/#/user/resetPassword?username=abc&token=xyz). Should it add the Ip when domain/ip is not configured before {{{resetLink}}} in 'user.password.reset.mail.template'?

[kiranchavala]

http://{{{resetLink}}}

@sureshanaparti if global setting is only http://{{{resetLink}}}

[daviftorres]

@sureshanaparti, you're absolutely right. At first, I considered using a placeholder like example.com in the global settings, but that might be risky since people could click on it. Then I thought of using your_domain_here, which doesn’t resolve and is therefore safer.

Either way, whoever manages the cloud setup needs to customize this field. What do you suggest?

I made the following change:

This way, the string cannot be resolved and will not leak the password reset token if somebody clicks on it. Plus, I added the s to the HTTPS.

[DaanHoogland]

@blueorangutan package

[blueorangutan]

@DaanHoogland a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[DaanHoogland]

@daviftorres , all good to me. Do you want this on the next release only? It is now based off of main and I would think you want to base it off the 4.20 release branch?

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 14565

[DaanHoogland]

@blueorangutan test

[blueorangutan]

@DaanHoogland a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[daviftorres]

hey @DaanHoogland , i honestly do not know how to procedure. Should i change it from main to 4.20 branch?

[DaanHoogland]

hey @DaanHoogland , i honestly do not know how to procedure. Should i change it from main to 4.20 branch?

@daviftorres it takes a little more effort, but this is part of it.
You should also rebase your code on 4.20, either by a cherry-pick or by

git rebase --onto 4.20 <the last commit before your changes>
git push —force

EDIT: I see you merged main back into your branch. I am not sure if that rebase-onto tactic still works after that. take care.

[blueorangutan]

[SF] Trillian test result (tid-14036)
Environment: kvm-ol8 (x2), Advanced Networking with Mgmt server ol8
Total time taken: 86104 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11379-t14036-kvm-ol8.zip
Smoke tests completed. 136 look OK, 10 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
ContextSuite context=TestSharedNetworkWithConfigDrive>:setup	Error	1520.82	test_network.py
ContextSuite context=TestRestoreVM>:setup	Error	0.00	test_restore_vm.py
ContextSuite context=TestRouterDHCPHosts>:setup	Error	0.00	test_router_dhcphosts.py
ContextSuite context=TestRouterDHCPOpts>:setup	Error	0.00	test_router_dhcphosts.py
ContextSuite context=TestRouterDns>:setup	Error	0.00	test_router_dns.py
ContextSuite context=TestRouterDnsService>:setup	Error	0.00	test_router_dnsservice.py
ContextSuite context=TestRouterIpTablesPolicies>:setup	Error	0.00	test_routers_iptables_default_policy.py
ContextSuite context=TestVPCIpTablesPolicies>:setup	Error	0.00	test_routers_iptables_default_policy.py
ContextSuite context=TestIsolatedNetworks>:setup	Error	0.00	test_routers_network_ops.py
ContextSuite context=TestRedundantIsolateNetworks>:setup	Error	0.00	test_routers_network_ops.py
ContextSuite context=TestRouterServices>:setup	Error	0.00	test_routers.py
ContextSuite context=TestCpuCapServiceOfferings>:setup	Error	0.00	test_service_offerings.py
ContextSuite context=TestServiceOfferings>:setup	Error	0.28	test_service_offerings.py
ContextSuite context=TestSetSourceNatIp>:setup	Error	0.00	test_set_sourcenat.py