[UI] Allow change password for native users only. #12584

Merged
DaanHoogland merged 4 commits into apache:4.20 from shapeblue:ui-user-change-password
Feb 23, 2026

@sureshanaparti
Contributor

Description

This PR allows changing the password from the UI for native users only.

Fixes #12581

Types of changes

  • Breaking change (fix or feature that would cause existing functionality to change)
  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Enhancement (improves an existing feature and functionality)
  • Cleanup (Code refactoring and cleanup, that may add test cases)
  • Build/CI
  • Test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

  • Major
  • Minor

Bug Severity

  • BLOCKER
  • Critical
  • Major
  • Minor
  • Trivial

Screenshots (if appropriate):

How Has This Been Tested?

Tested with the users form with native, ldap, saml users.

How did you try to break this feature and the system with this change?

@sureshanaparti
Contributor Author

@blueorangutan ui

@blueorangutan

@sureshanaparti a Jenkins job has been kicked to build UI QA env. I'll keep you posted as I make progress.

@sureshanaparti
Contributor Author

@DaanHoogland moving to draft based on your comment here - #12581 (comment)

@sureshanaparti sureshanaparti marked this pull request as draft February 4, 2026 13:15
@codecov

codecov Bot commented Feb 4, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 16.25%. Comparing base (9ae696d) to head (57f8373).
⚠️ Report is 19 commits behind head on 4.20.

Additional details and impacted files
@@             Coverage Diff              @@
##               4.20   #12584      +/-   ##
============================================
- Coverage     16.26%   16.25%   -0.02%     
+ Complexity    13428    13425       -3     
============================================
  Files          5660     5662       +2     
  Lines        499963   500192     +229     
  Branches      60708    60739      +31     
============================================
- Hits          81330    81310      -20     
- Misses       409559   409796     +237     
- Partials       9074     9086      +12     
Flag Coverage Δ
uitests 4.15% <ø> (-0.01%) ⬇️
unittests 17.10% <ø> (-0.02%) ⬇️


@blueorangutan

UI build: ✔️
Live QA URL: https://qa.cloudstack.cloud/simulator/pr/12584 (QA-JID-871)

Contributor

@DaanHoogland DaanHoogland left a comment

clgtm, but I have questions about the functionality. As this fixes a bug atm (NPE when tried) I think we can go ahead. Users/operators will have to define how a broken or removed link of an authenticator should be handled. E.G. invalidate/regenerate PW or disable account. I could imagine this should be configurable in which case we can revert this condition.

We can also remove the need to be a native account now, and fix the NPE.

< @sureshanaparti >

@sureshanaparti
Contributor Author

> clgtm, but I have questions about the functionality. As this fixes a bug atm (NPE when tried) I think we can go ahead. Users/operators will have to define how a broken or removed link of an authenticator should be handled. E.G. invalidate/regenerate PW or disable account. I could imagine this should be configurable in which case we can revert this condition.
>
> We can also remove the need to be a native account now, and fix the NPE.
>
> < @sureshanaparti >

updated @DaanHoogland it also checks for admin, domain admin account or the same user to change the password.

@sureshanaparti sureshanaparti marked this pull request as ready for review February 4, 2026 15:01
@sureshanaparti
Contributor Author

@blueorangutan ui

@blueorangutan

@sureshanaparti a Jenkins job has been kicked to build UI QA env. I'll keep you posted as I make progress.

@blueorangutan

UI build: ✔️
Live QA URL: https://qa.cloudstack.cloud/simulator/pr/12584 (QA-JID-872)

@sudo87
Contributor

sudo87 commented Feb 5, 2026

We should have kept password change only for "native" users. As of now we throw exception whenever password change is done from UI. In my opinion it should be hidden if capability is not supported for SAML/LDAP users.

Screenshot 2026-02-05 at 1 02 38 PM
cc: @DaanHoogland @sureshanaparti @kiranchavala

Comment thread ui/src/config/section/user.js Outdated
@sureshanaparti
Contributor Author

> We should have kept password change only for "native" users. As of now we throw exception whenever password change is done from UI. In my opinion it should be hidden if capability is not supported for SAML/LDAP users.
>
> Screenshot 2026-02-05 at 1 02 38 PM
> cc: @DaanHoogland @sureshanaparti @kiranchavala

Shall I keep it for native users only? @DaanHoogland @kiranchavala

@abh1sar abh1sar modified the milestones: 4.20.3, 4.20.4 Feb 16, 2026
@sureshanaparti
Contributor Author

@blueorangutan ui

@blueorangutan

@sureshanaparti a Jenkins job has been kicked to build UI QA env. I'll keep you posted as I make progress.

@kiranchavala
Member

@blueorangutan package

@blueorangutan

@kiranchavala a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

@blueorangutan

UI build: ✔️
Live QA URL: https://qa.cloudstack.cloud/simulator/pr/12584 (QA-JID-877)

@blueorangutan

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 16881

Contributor

@sudo87 sudo87 left a comment

lgtm

Collaborator

@RosiKyu RosiKyu left a comment

LGTM

| #   | Test Case                                                | Method    | Status |
|-----|----------------------------------------------------------|-----------|--------|
| TC1 | Native enabled user: change password button visible      | UI        | PASS   |
| TC2 | LDAP user: change password button hidden                 | UI        | PASS   |
| TC3 | SAML user: change password button hidden                 | UI        | PASS   |
| TC4 | Disabled native user: change password button hidden      | UI        | PASS   |
| TC5 | Native user: password change via API succeeds            | CLI (cmk) | PASS   |
| TC6 | LDAP user: password change via API blocked               | CLI (cmk) | PASS   |
| TC7 | SAML user: password change via API blocked               | CLI (cmk) | PASS   |
| TC8 | Native user: password change via UI succeeds             | UI        | PASS   |

Result: 8/8 PASS

Note: LDAP/SAML users were simulated by updating cloud.user.source in the database, which is functionally equivalent for UI testing since the UI checks the usersource field returned by the API (sourced directly from this DB column). TC6/TC7 confirm pre-existing backend protection that independently blocks password changes for non-native users - this is not part of the PR but provides defense in depth.

The UI correctly restricts the "Change password" button to enabled native users only, and the backend independently enforces the same restriction at the API level for defense in depth. Password change for native users works successfully via both UI and API.

Detailed Test Execution Report

TC1: Native user - change password button visible

Objective: Verify that the "Change password" button is visible for an enabled native user.

Test Steps

  1. As RootAdmin, create a native user account nativeuser
  2. In UI, navigate to Users → nativeuser detail page
  3. Check for "Change password" button in the action icons

Expected Result: The "Change password" button should be visible.

Actual Result: The "Change password" button is visible in the top-right action icons. User type shows native.

Test Evidence:

(localcloud) 🐱 > list users account=nativeuser
{
  "count": 1,
  "user": [
    {
      "account": "nativeuser",
      "accountid": "0be5ba9c-5555-42a4-aa3b-d3928f349929",
      "accounttype": 0,
      "apikeyaccess": "INHERIT",
      "created": "2026-02-23T11:05:24+0000",
      "domain": "ROOT",
      "domainid": "cf984af2-108a-11f1-88d8-1e0066000102",
      "email": "native@test.com",
      "firstname": "Native",
      "id": "afb2c4e7-6cab-4ef5-a501-60c8392e3117",
      "is2faenabled": false,
      "is2famandated": false,
      "iscallerchilddomain": false,
      "isdefault": false,
      "lastname": "User",
      "roleid": "f17c8f63-108a-11f1-88d8-1e0066000102",
      "rolename": "User",
      "roletype": "User",
      "state": "enabled",
      "username": "nativeuser",
      "usersource": "native"
    }
  ]
}
  • UI screenshot: nativeuser detail page shows 6 action icons including "Change password"

TC2: LDAP user - change password button hidden

Objective: Verify that the "Change password" button is hidden for an LDAP user.

Test Steps

  1. As RootAdmin, create user ldapuser and set source to LDAP in DB: UPDATE cloud.user SET source='LDAP' WHERE username='ldapuser';
  2. In UI, navigate to Users → ldapuser detail page
  3. Check for "Change password" button in the action icons

Expected Result: The "Change password" button should NOT be visible.

Actual Result: The "Change password" button is not present. Only 5 action icons shown (vs 6 for native user). User type shows ldap.

Test Evidence:

mysql> UPDATE cloud.user SET source='LDAP' WHERE username='ldapuser';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

(localcloud) 🐱 > list users account=ldapuser
{
  "count": 1,
  "user": [
    {
      "account": "ldapuser",
      "accountid": "7fb240b6-0736-4c03-a57e-3abefc40fcd6",
      "accounttype": 0,
      "apikeyaccess": "INHERIT",
      "created": "2026-02-23T11:05:32+0000",
      "domain": "ROOT",
      "domainid": "cf984af2-108a-11f1-88d8-1e0066000102",
      "email": "ldap@test.com",
      "firstname": "LDAP",
      "id": "ef1ab44a-ae7e-48e6-a2dc-21c0eb3e0bce",
      "is2faenabled": false,
      "is2famandated": false,
      "iscallerchilddomain": false,
      "isdefault": false,
      "lastname": "User",
      "roleid": "f17c8f63-108a-11f1-88d8-1e0066000102",
      "rolename": "User",
      "roletype": "User",
      "state": "enabled",
      "username": "ldapuser",
      "usersource": "ldap"
    }
  ]
}
  • UI screenshot: ldapuser detail page shows 5 action icons, no "Change password"

TC3: SAML user - change password button hidden

Objective: Verify that the "Change password" button is hidden for a SAML user.

Test Steps

  1. As RootAdmin, create user samluser and set source to SAML2 in DB: UPDATE cloud.user SET source='SAML2' WHERE username='samluser';
  2. In UI, navigate to Users → samluser detail page
  3. Check for "Change password" button in the action icons

Expected Result: The "Change password" button should NOT be visible.

Actual Result: The "Change password" button is not present. Only 5 action icons shown. User type shows saml2.

Test Evidence:

mysql> UPDATE cloud.user SET source='SAML2' WHERE username='samluser';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

(localcloud) 🐱 > list users account=samluser
{
  "count": 1,
  "user": [
    {
      "account": "samluser",
      "accountid": "03fa8afe-dcd9-49cd-9e43-5e33facd3b99",
      "accounttype": 0,
      "apikeyaccess": "INHERIT",
      "created": "2026-02-23T11:05:37+0000",
      "domain": "ROOT",
      "domainid": "cf984af2-108a-11f1-88d8-1e0066000102",
      "email": "saml@test.com",
      "firstname": "SAML",
      "id": "bed05e50-f72d-4b07-ac50-02ae8053b7a5",
      "is2faenabled": false,
      "is2famandated": false,
      "iscallerchilddomain": false,
      "isdefault": false,
      "lastname": "User",
      "roleid": "f17c8f63-108a-11f1-88d8-1e0066000102",
      "rolename": "User",
      "roletype": "User",
      "state": "enabled",
      "username": "samluser",
      "usersource": "saml2"
    }
  ]
}
  • UI screenshot: samluser detail page shows 5 action icons, no "Change password"

TC4: Disabled native user - change password button hidden

Objective: Verify that the "Change password" button is hidden for a disabled native user.

Test Steps

  1. Disable the native user: disable user id=afb2c4e7-6cab-4ef5-a501-60c8392e3117
  2. In UI, navigate to Users → nativeuser detail page
  3. Check for "Change password" button in the action icons

Expected Result: The "Change password" button should NOT be visible for a disabled user, even if the user type is native.

Actual Result: The "Change password" button is not present. Only 4 action icons shown. Status shows Disabled, User type shows native.

Test Evidence:

(localcloud) 🐱 > disable user id=afb2c4e7-6cab-4ef5-a501-60c8392e3117
⣯ 😹 polling for async API result
{
  "user": {
    "account": "nativeuser",
    "accountid": "0be5ba9c-5555-42a4-aa3b-d3928f349929",
    "accounttype": 0,
    "created": "2026-02-23T11:05:24+0000",
    "domain": "ROOT",
    "domainid": "cf984af2-108a-11f1-88d8-1e0066000102",
    "email": "native@test.com",
    "firstname": "Native",
    "id": "afb2c4e7-6cab-4ef5-a501-60c8392e3117",
    "is2faenabled": false,
    "is2famandated": false,
    "iscallerchilddomain": false,
    "isdefault": false,
    "lastname": "User",
    "roleid": "f17c8f63-108a-11f1-88d8-1e0066000102",
    "rolename": "User",
    "roletype": "User",
    "state": "disabled",
    "username": "nativeuser",
    "usersource": "native"
  }
}
  • UI screenshot: nativeuser detail page shows Status: Disabled, 4 action icons, no "Change password"

TC5: Native user - password change via API succeeds

Objective: Verify that changing password for a native user works at the API level.

Test Steps

  1. As RootAdmin, update password for native user via cmk: update user id=afb2c4e7-6cab-4ef5-a501-60c8392e3117 password=newpassword123

Expected Result: Password update should succeed.

Actual Result: Password update succeeded, user details returned without error.

Test Evidence:

(localcloud) 🐱 > update user id=afb2c4e7-6cab-4ef5-a501-60c8392e3117 password=newpassword123
{
  "user": {
    "account": "nativeuser",
    "accountid": "0be5ba9c-5555-42a4-aa3b-d3928f349929",
    "accounttype": 0,
    "created": "2026-02-23T11:05:24+0000",
    "domain": "ROOT",
    "domainid": "cf984af2-108a-11f1-88d8-1e0066000102",
    "email": "native@test.com",
    "firstname": "Native",
    "id": "afb2c4e7-6cab-4ef5-a501-60c8392e3117",
    "state": "enabled",
    "username": "nativeuser",
    "usersource": "native"
  }
}

TC6: LDAP user - password change via API blocked

Objective: Verify that the backend rejects password changes for LDAP users even when bypassing the UI.

Test Steps

  1. As RootAdmin, attempt to update password for LDAP user via cmk: update user id=ef1ab44a-ae7e-48e6-a2dc-21c0eb3e0bce password=newpassword123

Expected Result: Password update should fail with an error indicating LDAP/SAML users cannot change passwords.

Actual Result: Password update was rejected with error code 4350.

Test Evidence:

(localcloud) 🐱 > update user id=ef1ab44a-ae7e-48e6-a2dc-21c0eb3e0bce password=newpassword123
🙈 Error: (HTTP 431, error code 4350) CloudStack does not support updating passwords for SAML or LDAP users. Please contact your cloud administrator for assistance.

TC7: SAML user - password change via API blocked

Objective: Verify that the backend rejects password changes for SAML users even when bypassing the UI.

Test Steps

  1. As RootAdmin, attempt to update password for SAML user via cmk: update user id=bed05e50-f72d-4b07-ac50-02ae8053b7a5 password=newpassword123

Expected Result: Password update should fail with an error indicating LDAP/SAML users cannot change passwords.

Actual Result: Password update was rejected with error code 4350.

Test Evidence:

(localcloud) 🐱 > update user id=bed05e50-f72d-4b07-ac50-02ae8053b7a5 password=newpassword123
🙈 Error: (HTTP 431, error code 4350) CloudStack does not support updating passwords for SAML or LDAP users. Please contact your cloud administrator for assistance.

TC8: Native user - password change via UI succeeds

Objective: Verify that changing password for a native user works through the UI "Change password" dialog.

Test Steps

  1. As RootAdmin, navigate to Users → nativeuser detail page
  2. Click the "Change password" icon in the action bar
  3. Enter new password and confirm
  4. Click OK

Expected Result: Password change should succeed with a success notification.

Actual Result: Password was changed successfully via the UI.

Test Evidence:

  • "Change password" completed successfully for nativeuser (User type: native, Status: Enabled)
Screencast.from.2026-02-23.13-27-43.webm
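
The two enforcement layers the test report above describes, as an added example that is not part of the PR or of CloudStack's code: a UI visibility check on usersource and state, a simulated backend check, and an audit that reports where the two disagree. The function names, the simulated backend and the sample records are assumptions constructed for illustration; only the field values and error code 4350 come from the page.

```javascript
// Added example: hypothetical function names, not CloudStack source code.
// Constructed records using the usersource/state values shown in the test evidence.
const USERS = [
  { username: 'nativeuser', usersource: 'native', state: 'enabled' },
  { username: 'ldapuser', usersource: 'ldap', state: 'enabled' },
  { username: 'samluser', usersource: 'saml2', state: 'enabled' },
  { username: 'disablednative', usersource: 'native', state: 'disabled' },
  { username: 'nosource', state: 'enabled' } // usersource missing from the response
]

const norm = (v) => String(v == null ? '' : v).toLowerCase()

// UI layer: only decides whether the button is rendered.
// Fails closed, so a missing or unknown usersource hides the action.
function showChangePassword (record) {
  return norm(record.usersource) === 'native' && norm(record.state) === 'enabled'
}

// Simulated backend: applies only the rule the test report confirms (TC6/TC7),
// rejecting non-native users with error code 4350. It never consults the UI.
function updatePassword (record) {
  if (norm(record.usersource) !== 'native') {
    return { ok: false, errorcode: 4350 }
  }
  return { ok: true }
}

// Compare both layers per user and report where they disagree.
//   'ui-offers-rejected-call': button shown, backend refuses (user sees an error)
//   'ui-only-restriction': button hidden, but a direct API call would succeed
function auditLayers (users) {
  const findings = []
  for (const u of users) {
    const shown = showChangePassword(u)
    const accepted = updatePassword(u).ok
    if (shown && !accepted) findings.push({ username: u.username, finding: 'ui-offers-rejected-call' })
    if (!shown && accepted) findings.push({ username: u.username, finding: 'ui-only-restriction' })
  }
  return findings
}

console.log(auditLayers(USERS))
```

The single finding, for the disabled native user, arises because the simulated backend checks only usersource; it marks the kind of restriction to confirm against the real API, as TC6/TC7 did for LDAP and SAML users.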

@DaanHoogland DaanHoogland modified the milestones: 4.20.4, 4.20.3 Feb 23, 2026
@DaanHoogland DaanHoogland merged commit cf71938 into apache:4.20 Feb 23, 2026
24 of 26 checks passed
@DaanHoogland DaanHoogland deleted the ui-user-change-password branch February 23, 2026 11:40
dhslove pushed a commit to ablecloud-team/ablestack-cloud that referenced this pull request Mar 3, 2026
sandeeplocharla pushed a commit to NetApp/cloudstack that referenced this pull request Apr 9, 2026
Development

Successfully merging this pull request may close these issues.

Change password should be not allowed for LDAP and SAML based account
