Calling 'passwd' command now prompts for password using textui.prompt_password()

3 files changed, 40 insertions, 20 deletions

diff --git a/ipalib/cli.py b/ipalib/cli.py
index 7cbf6e4bb..b3aa10994 100644
--- a/ipalib/cli.py
+++ b/ipalib/cli.py
@@ -658,12 +658,28 @@ class CLI(object):
     def run_cmd(self, cmd):
         kw = self.parse(cmd)
         if self.options.interactive:
-            kw = self.prompt_interactively(cmd, kw)
+            self.prompt_interactively(cmd, kw)
+        self.prompt_for_passwords(cmd, kw)
         result = cmd(**kw)
         if callable(cmd.output_for_cli):
+            for param in cmd.params():
+                if param.ispassword():
+                    del kw[param.name]
             (args, options) = cmd.params_2_args_options(kw)
             cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
 
+    def prompt_for_passwords(self, cmd, kw):
+        for param in cmd.params():
+            if 'password' not in param.flags:
+                continue
+            if kw.get(param.name, False) is True or param.name in cmd.args:
+                kw[param.name] = self.textui.prompt_password(
+                    param.cli_name
+                )
+            else:
+                kw.pop(param.name, None)
+        return kw
+
     def prompt_interactively(self, cmd, kw):
         """
         Interactively prompt for missing or invalid values.
@@ -676,12 +692,7 @@ class CLI(object):
         """
         for param in cmd.params():
             if 'password' in param.flags:
-                if kw.get(param.name, False) is True:
-                    kw[param.name] = self.textui.prompt_password(
-                        param.cli_name
-                    )
-                else:
-                    kw.pop(param.name, None)
+                continue
             elif param.name not in kw:
                 if not (param.required or self.options.prompt_all):
                     continue
@@ -760,6 +771,8 @@ class CLI(object):
     def get_usage_iter(self, cmd):
         yield 'Usage: %%prog [global-options] %s' % to_cli(cmd.name)
         for arg in cmd.args():
+            if 'password' in arg.flags:
+                continue
             name = to_cli(arg.cli_name).upper()
             if arg.multivalue:
                 name = '%s...' % name
diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index 61cba513b..db399ba58 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -261,6 +261,13 @@ class Param(plugable.ReadOnly):
         self.primary_key = self.__check_type(bool, 'primary_key')
         lock(self)
 
+    def ispassword(self):
+        """
+        Return ``True`` is this Param is a password.
+        """
+        # FIXME: add unit test
+        return 'password' in self.flags
+
     def __clone__(self, **override):
         """
         Return a new `Param` instance similar to this one.
diff --git a/ipalib/plugins/f_passwd.py b/ipalib/plugins/f_passwd.py
index 7b424a3bc..edc13b633 100644
--- a/ipalib/plugins/f_passwd.py
+++ b/ipalib/plugins/f_passwd.py
@@ -30,14 +30,17 @@ from ipalib import util
 
 class passwd(frontend.Command):
     'Edit existing password policy.'
+
     takes_args = (
         Param('principal',
             cli_name='user',
             primary_key=True,
             default_from=util.get_current_principal,
         ),
+        Param('password', flags=['password']),
     )
-    def execute(self, principal, **kw):
+
+    def execute(self, principal, password):
         """
         Execute the passwd operation.
 
@@ -49,8 +52,6 @@ class passwd(frontend.Command):
         :param param uid: The login name of the user being updated.
         :param kw: Not used.
         """
-        ldap = self.api.Backend.ldap
-
         if principal.find('@') < 0:
             u = principal.split('@')
             if len(u) > 2 or len(u) == 0:
@@ -59,16 +60,15 @@ class passwd(frontend.Command):
                 principal = principal+"@"+self.api.env.realm
             else:
                 principal = principal
+        dn = self.Backend.ldap.find_entry_dn(
+            "krbprincipalname",
+            principal,
+            "posixAccount"
+        )
+        return self.Backend.ldap.modify_password(dn, newpass=password)
 
-        dn = ldap.find_entry_dn("krbprincipalname", principal, "posixAccount")
-
-        # FIXME: we need a way to prompt for passwords using getpass
-        kw['newpass'] = "password"
-
-        return ldap.modify_password(dn, **kw)
-
-    def output_for_cli(self, ret):
-        if ret:
-            print "Password change successful"
+    def output_for_cli(self, textui, result, principal, password):
+        assert password is None
+        textui.print_plain('Changed password for "%s"' % principal)
 
 api.register(passwd)