
GUI : Design : Alert user of need and ability to change expired password #1048

Closed · derick-montague opened this issue Jul 25, 2019 · 11 comments
Labels: GUI (Catch all tag for GUI stories), UI Design (Indicates the GUI story is for Design)
Milestone: 9.4.1

derick-montague (Contributor) commented Jul 25, 2019

Stakeholders

SME: @joseph-reynolds
Design Researcher:
UX Designer:
FED:

Expected Deadlines

This must be part of the 9.4.1 milestone to comply with the law that will be enacted on 1/1/2020.

We have the following sprints to complete the work. All work, Backend, Design, and FED by the end of Sprint 18 on 9/03/19.

Sprint number   Start Date   End Date
2019-16         07/24/19     08/06/19
2019-17         08/07/19     08/20/19
2019-18         08/21/19     09/03/19

  • Backend: Sprint 17: 8/20/19 or earlier
  • Design: Sprint 17: 8/20/19 or earlier
  • FED: Sprint 18: 9/03/19 or earlier

Use Case

As a user logging into the BMC for the first time using the initial password created by the BMC, I need to update my password before I can interact with the BMC.

Questions

  • What should happen if the user does not update their password? Log them out?
  • Is this for the root user when the system is first brought up or is this true for any local user on their first login?

InVision Prototype

https://ibm.invisionapp.com/share/8ENYRVXAPFD#/319247221_1-_Login____existingBrand

Design Issue (phosphor-webui)

Development Issue

References/Resources

@derick-montague derick-montague added GUI Catch all tag for GUI stories UI Design Indicates the GUI story is for Design labels Jul 25, 2019
@derick-montague derick-montague added this to the 9.4.1 milestone Jul 25, 2019
joseph-reynolds commented

Attempted answers to the questions above:

  1. What should happen if the user does not update their password? Log them out?
    ANSWER: I envision the Web App will get the old/new password, then invoke a method to change the password on the BMC (presumably something like PATCH /redfish/v1/AccountService/Account/root ... { "password":"NEWPASSWORD" }).
    If the http response is okay, the password change was successful, the web app would probably get new credentials and continue.
    If the http response was bad (password was not changed), the GUI would indicate that.

  2. Is this for the root user when the system is first brought up or is this true for any local user on their first login?
    ANSWER: For the security to work, I envision that all BMC users will have expired passwords. The root user is not special. (I also envision that there is only one user.) If the BMC admin creates a user, the password for that user will not be expired (unless you create it that way).

jandraa commented Aug 14, 2019

To confirm, is this looking for a solution for:
A. Forcing a password change once it has been expired (for all users and beyond the first login)
B. Forcing a password change from the default out of the box password to a user unique password to comply with the CA law

or is it both?

If A or both, do we need to give users a way to configure how long a password can be used before it expires?

derick-montague (Contributor, Author) commented

@joseph-reynolds can you verify this for me?

> To confirm, is this looking for a solution for:
> A. Forcing a password change once it has been expired (for all users and beyond the first login)
> B. Forcing a password change from the default out of the box password to a user unique password to comply with the CA law
>
> or is it both?

I believe just B. I think there is a use case for A, but that is not what this story is about.

joseph-reynolds commented

I may not have been clear in issue #947 and I am not clear what you are asking. ==> I think the title of this issue (1048) is wrong. It is currently "Disable initial password on first login" and should be something like "Implement password change dialog on the web app". The WebGUI doesn't need to know or care if it is the first login; it just needs to know if the user currently trying to log in has an expired password. Then it has to have a way to change that password as part of the login screen. I believe that's the scope of this issue.

Issue 947 does not need changes from the GUI for the following items:

  • The GUI doesn't need to know if this is the initial login. The expired passwords will be baked into the firmware image.
  • The GUI doesn't need a way to cause any passwords to expire.
  • The GUI's existing account management functions do not need to change.

Once again, the web app GUI changes are limited to the following:

  1. Notice during login that the account password is expired.
  2. Have a new dialog for the user to change their expired password at login.

That's the entire change. To enable the GUI, the REST APIs will have additional functions:

  1. During login (/login or /redfish/v1/SessionService/Sessions) will return an indication if the current password is expired. Reference https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849/3/designs/expired-password.md#70.
  2. Have a way for a user to change their own expired password (using the existing PATCH to /redfish/v1/AccountService/Accounts/). Reference https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849/3/designs/expired-password.md#93. To be clear: This interface already exists in the BMCWeb implementation, but does not currently work from accounts that have expired passwords because those accounts cannot establish a session. The work item for BMCWeb is to be able to establish a limited-function session using accounts that have expired passwords; that work is needed for the WebApp to implement the password change dialog.

This issue is blocked. You can set up conditions to test like this:

  1. Create a new BMC user account TESTUSER ... where TESTUSER is anything you like. There should be nothing special about root, and you can use any account name you like to test.
  2. From a ssh session to the BMC as root (like ssh root@${bmc_ip}) use a command like this to expire the password: passwd --expire TESTUSER
  3. Then try to log into the TESTUSER account and look for indications that the account owner must change its password to continue. (See the design bullet 2 at https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/23849/3/designs/expired-password.md#70 ).

However you are currently blocked on step 3 above because there are not yet any indications that the password is expired. If you think it would help, we could consider adding that function relatively sooner in the development process.
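The login-plus-change flow described in the comment above (detect the expired-password indication on session creation, then PATCH the user's own account), written out as an added example; this is not phosphor-webui or bmcweb code. It runs against a constructed in-memory fake BMC so it works offline. Assumed rather than confirmed by the thread: the session-create response carries the Redfish "PasswordChangeRequired" message inside "@Message.ExtendedInfo", the "Base.1.4.0." registry prefix, the 8-20 character length rule and the "same as last password" rule are all constructed stand-ins, and the names `login`, `makeFakeBmc`, `passwordChangeRequired` and `buildPasswordChangeRequest` are the example's own.

```javascript
// Added example (not phosphor-webui or bmcweb code): the web-app side of the
// expired-password login flow from this thread, driven against a constructed
// in-memory fake BMC so it runs offline. Assumed, not confirmed by the thread:
// the session-create response carries the Redfish "PasswordChangeRequired"
// message in "@Message.ExtendedInfo"; the "Base.1.4.0." registry prefix is a
// constructed value, so the check matches on the message name only.

const SESSIONS_URL = "/redfish/v1/SessionService/Sessions";
const ACCOUNTS_URL = "/redfish/v1/AccountService/Accounts";

// True when the session body flags the account's password as expired.
function passwordChangeRequired(sessionBody) {
  const info = (sessionBody && sessionBody["@Message.ExtendedInfo"]) || [];
  return info.some(m => typeof m.MessageId === "string" &&
                        m.MessageId.endsWith(".PasswordChangeRequired"));
}

// The PATCH that changes the user's own password (Redfish property "Password").
function buildPasswordChangeRequest(userName, newPassword, token) {
  return {
    method: "PATCH",
    url: `${ACCOUNTS_URL}/${encodeURIComponent(userName)}`,
    headers: { "X-Auth-Token": token, "Content-Type": "application/json" },
    body: JSON.stringify({ Password: newPassword }),
  };
}

// Login flow. `transport(request) -> response` is injected so the flow can be
// driven by the fake BMC below; the real web app would wrap fetch() and await.
// `promptNewPassword()` stands in for the designed change-password dialog.
function login(transport, userName, password, promptNewPassword) {
  const loginResp = transport({
    method: "POST",
    url: SESSIONS_URL,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ UserName: userName, Password: password }),
  });
  if (loginResp.status !== 201) {
    return { state: "login-failed", status: loginResp.status };
  }
  const token = loginResp.headers["X-Auth-Token"];
  if (!passwordChangeRequired(loginResp.body)) {
    return { state: "logged-in", token };
  }
  // Limited-function session: the only action offered is the password change.
  const patchResp = transport(
    buildPasswordChangeRequest(userName, promptNewPassword(), token));
  if (patchResp.status < 200 || patchResp.status >= 300) {
    // Hand the BMC's reasons (reuse, length, ...) to the dialog's error state.
    const msgs = (patchResp.body && patchResp.body["@Message.ExtendedInfo"]) || [];
    return { state: "change-rejected", status: patchResp.status,
             messages: msgs.map(m => m.Message) };
  }
  return { state: "password-changed", token };
}

// Constructed fake BMC: one account, TESTUSER, whose password starts out expired
// (as `passwd --expire TESTUSER` would leave it). The 8-20 length rule and the
// "same as last password" rule are constructed stand-ins for the design's "X".
function makeFakeBmc() {
  const accounts = { TESTUSER: { password: "0penBmc", expired: true } };
  const sessions = {};
  let nextId = 0;
  const error = (status, text) => ({ status, headers: {}, body: {
    "@Message.ExtendedInfo": [{ MessageId: "Base.1.4.0.GeneralError", Message: text }] } });
  return function transport(req) {
    if (req.method === "POST" && req.url === SESSIONS_URL) {
      const { UserName, Password } = JSON.parse(req.body);
      const acct = accounts[UserName];
      if (!acct || acct.password !== Password) return error(401, "Authentication failed");
      const token = `tok${++nextId}`;
      sessions[token] = UserName;
      const body = { Id: String(nextId), UserName };
      if (acct.expired) {
        body["@Message.ExtendedInfo"] = [{ MessageId: "Base.1.4.0.PasswordChangeRequired",
          Message: "The password for this account must be changed before access is granted." }];
      }
      return { status: 201, headers: { "X-Auth-Token": token }, body };
    }
    if (req.method === "PATCH" && req.url.startsWith(ACCOUNTS_URL + "/")) {
      const user = sessions[req.headers["X-Auth-Token"]];
      if (!user) return error(401, "No valid session");
      if (decodeURIComponent(req.url.slice(ACCOUNTS_URL.length + 1)) !== user) {
        return error(403, "An expired-password session may only change its own password");
      }
      const { Password } = JSON.parse(req.body);
      if (Password === accounts[user].password) return error(400, "Password cannot be the same as the last password");
      if (Password.length < 8 || Password.length > 20) return error(400, "Length must be between 8 - 20 characters");
      accounts[user].password = Password;
      accounts[user].expired = false;
      return { status: 200, headers: {}, body: {} };
    }
    return error(404, "Resource not found");
  };
}

console.log(login(makeFakeBmc(), "TESTUSER", "0penBmc", () => "n3wPassw0rd"));
```

The web app never has to know whether this is the first login: it reacts only to the expired-password indication on the session it just created, and the fake BMC confines that session to changing its own password, which is the limited-function session the comment describes. A rejected change returns the BMC's messages so the dialog can show them instead of guessing at the policy.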

derick-montague (Contributor, Author) commented

@jandraa - My proposal would be to change the title of this story to Alert user of need and ability to change expired password. The GUI and Design in the title and the GUI and UI Design tags are enough to indicate this is a design story.

@joseph-reynolds
Thank you for all the clarifications and for the command to expire the password!!!

> 1. Notice during login that the account password is expired.

We were trying to determine if this story was just for the root user on first login or anytime a password is expired. Based on your information, this story is scoped for any user with a password that is expired and needs to be changed.

> 2. Have a new dialog for the user to change their expired password at login.

I think @jandraa has a concept for design and interaction and I believe it is a modal. In any event, I'll let her move that forward knowing that when a user logs in and the login request returns a response that contains a flag indicating that the password needs to change, we will start the user on the designed workflow to update their password.

jandraa commented Aug 15, 2019

Thank you! This is the design proposal I have created (also in the InVision link above)

[Screenshot: design proposal, 2019-08-15]

@jandraa jandraa changed the title GUI : Design : Disable initial password on first login GUI : Design : Alert user of need and ability to change expired password Aug 15, 2019
@jandraa jandraa closed this as completed Aug 22, 2019
jandraa commented Sep 11, 2019

Updated the designs to align with the current login screen design. The InVision link reflects the new designs (ignore the screenshot from the last comment).

Once we get community feedback, we can move forward with a more branded login screen.

joseph-reynolds commented

The mockup I am seeing from https://ibm.invisionapp.com/share/8ENYRVXAPFD#/319247221_1-_Login____existingBrand looks good.
I think you also need a mockup that shows what happens if the password cannot be changed, for example, if it is the same as the previous password, or does not meet complexity requirements.
Also, the message in the red box is cut off; it reads, "The password is expired and must be" [truncated]. It seems like the box should expand to fit its content.

joseph-reynolds commented

A commit for BMCWeb is ready for this. See https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/25146.
This commit adds the PasswordChangeRequired message to created sessions as needed. You can use it in your web app development to trigger the expired password change dialog.
For details, see the commit message, and see the detailed unit testing (CURL commands) here: openbmc/bmcweb#103 (comment)

derick-montague (Contributor, Author) commented

@joseph-reynolds - we are closing this issue since the design is done. There is a separate story for the FED to implement the design.

jandraa commented Sep 26, 2019

Thanks for the feedback @joseph-reynolds.

> the message in the red box is cut off; it reads, "The password is expired and must be" [truncated]. It seems like the box should expand to fit its content.

  • This should be fixed now.

> You also need a mockup that shows what happens if the password cannot be changed, for example, if it was the same at the previous password

  • Added an error state to say "Password cannot be the same as the last X passwords."

> or does not meet complexity requirements.

  • This would be covered by the case that shows the error message, "Length must be between X – X characters"
  • There are other validations besides min/max, but we were unable to get clear requirements from the library and backend and have to let the backend reject it.
