1. throw exception when force reset password is done for locked/disabled user/account

2. ui validation on current and new password being same
3. allow enforce change password for add user until saml is not enabled

Author: sudo87

server/src/main/java/com/cloud/user/AccountManagerImpl.java

@@ -1607,17 +1607,22 @@ public UserAccount updateUser(UpdateUserCmd updateUserCmd) {
         if (mandate2FA != null && mandate2FA) {
             user.setUser2faEnabled(true);
         }
-        updatePasswordChangeRequired(caller, updateUserCmd, user);
+        validateAndUpdatePasswordChangeRequired(caller, updateUserCmd, user, account);
         _userDao.update(user.getId(), user);
         return _userAccountDao.findById(user.getId());
     }
 
-    private void updatePasswordChangeRequired(User caller, UpdateUserCmd updateUserCmd, UserVO user) {
-        User.Source userSource = user.getSource();
-        if ((userSource == User.Source.SAML2 || userSource == User.Source.SAML2DISABLED || userSource == User.Source.LDAP)
-                && updateUserCmd.isPasswordChangeRequired()) {
-            logger.warn("Enforcing password change is not permitted for source [{}].", user.getSource());
-            throw new InvalidParameterValueException("CloudStack does not support enforcing password change for SAML or LDAP users.");
+    private void validateAndUpdatePasswordChangeRequired(User caller, UpdateUserCmd updateUserCmd, UserVO user, Account account) {
+        if (updateUserCmd.isPasswordChangeRequired()) {
+            if (user.getState() != State.ENABLED || account.getState() != State.ENABLED) {
+                throw new CloudRuntimeException("CloudStack does not support enforcing password change for locked/disabled User or Account.");
+            }
+
+            User.Source userSource = user.getSource();
+            if (userSource == User.Source.SAML2 || userSource == User.Source.SAML2DISABLED || userSource == User.Source.LDAP) {
+                logger.warn("Enforcing password change is not permitted for source [{}].", user.getSource());
+                throw new InvalidParameterValueException("CloudStack does not support enforcing password change for SAML or LDAP users.");
+            }
         }
 
         boolean isCallerSameAsUser = user.getId() == caller.getId();

server/src/test/java/com/cloud/user/AccountManagerImplTest.java

@@ -433,8 +433,33 @@ public void updateUserTestTimeZoneAndEmailNotNull() {
         prepareMockAndExecuteUpdateUserTest(1);
     }
 
+    @Test(expected = CloudRuntimeException.class)
+    public void updateUserTestPwdChangeDisabledUser() {
+        Mockito.when(userVoMock.getState()).thenReturn(State.DISABLED);
+        updateUserPwdChange();
+    }
+
+    @Test(expected = CloudRuntimeException.class)
+    public void updateUserTestPwdChangeLockedUser() {
+        Mockito.when(userVoMock.getState()).thenReturn(State.LOCKED);
+        updateUserPwdChange();
+    }
+
+    @Test(expected = CloudRuntimeException.class)
+    public void updateUserTestPwdChangeDisabledAccount() {
+        Mockito.when(userVoMock.getState()).thenReturn(State.ENABLED);
+        Mockito.when(accountMock.getState()).thenReturn(State.LOCKED);
+        updateUserPwdChange();
+    }
+
     @Test
-    public void updateUserTestPwdChange() {
+    public void testUpdateUserTestPwdChange() {
+        Mockito.when(userVoMock.getState()).thenReturn(State.ENABLED);
+        Mockito.when(accountMock.getState()).thenReturn(State.ENABLED);
+        updateUserPwdChange();
+    }
+
+    private void updateUserPwdChange() {
         Mockito.doReturn(true).when(UpdateUserCmdMock).isPasswordChangeRequired();
         Mockito.when(userVoMock.getAccountId()).thenReturn(10L);
         Mockito.doReturn(accountMock).when(accountManagerImpl).getAccount(10L);

ui/public/locales/en.json

@@ -3481,6 +3481,7 @@
 "message.error.netmask": "Please enter Netmask.",
 "message.error.network.offering": "Please select Network offering.",
 "message.error.new.password": "Please enter new password.",
+"message.error.newpassword.sameascurrent": "New password cannot be the same as the current password.",
 "message.error.nexus1000v.ipaddress": "Please enter Nexus 1000v IP address.",
 "message.error.nexus1000v.password": "Please enter Nexus 1000v password.",
 "message.error.nexus1000v.username": "Please enter Nexus 1000v username.",

ui/src/views/iam/AddUser.vue

@@ -133,16 +133,16 @@
             </a-select-option>
           </a-select>
         </a-form-item>
-        <a-form-item v-if="isAdminOrDomainAdmin() && !samlAllowed" name="passwordChangeRequired" ref="passwordChangeRequired">
+        <a-form-item v-if="isAdminOrDomainAdmin() && !samlEnable" name="passwordChangeRequired" ref="passwordChangeRequired">
             <a-checkbox v-model:checked="form.passwordChangeRequired">
               {{ $t('label.change.password.onlogin') }}
             </a-checkbox>
         </a-form-item>
         <div v-if="samlAllowed">
-          <a-form-item name="samlenable" ref="samlenable" :label="$t('label.samlenable')">
-            <a-switch v-model:checked="form.samlenable" />
+          <a-form-item name="samlEnable" ref="samlEnable" :label="$t('label.samlenable')">
+            <a-switch v-model:checked="samlEnable" />
           </a-form-item>
-          <a-form-item name="samlentity" ref="samlentity" v-if="form.samlenable">
+          <a-form-item name="samlentity" ref="samlentity" v-if="samlEnable">
             <template #label>
               <tooltip-label :title="$t('label.samlentity')" :tooltip="apiParams.entityid.description"/>
             </template>
@@ -203,6 +203,13 @@ export default {
     this.initForm()
     this.fetchData()
   },
+  watch: {
+    samlEnable (newVal) {
+      if (newVal) {
+        this.form.passwordChangeRequired = false
+      }
+    }
+  },
   computed: {
     samlAllowed () {
       return 'authorizeSamlSso' in this.$store.getters.apis
@@ -296,9 +303,9 @@ export default {
         })
 
         const user = userCreationResponse?.createuserresponse?.user
-        if (values.samlenable && user) {
+        if (this.samlEnable && user) {
           await postAPI('authorizeSamlSso', {
-            enable: values.samlenable,
+            enable: this.samlEnable,
             entityid: values.samlentity,
             userid: user.id
           })

ui/src/views/iam/ForceChangePassword.vue

@@ -130,7 +130,10 @@ export default {
     rules () {
       return {
         currentpassword: [{ required: true, message: this.$t('message.error.current.password') }],
-        password: [{ required: true, message: this.$t('message.error.new.password') }],
+        password: [
+          { required: true, message: this.$t('message.error.new.password') },
+          { validator: this.validateNewPassword, trigger: 'change' }
+        ],
         confirmpassword: [
           { required: true, message: this.$t('message.error.confirm.password') },
           { validator: this.validateTwoPassword, trigger: 'change' }
@@ -139,6 +142,17 @@ export default {
     }
   },
   methods: {
+    async validateNewPassword (rule, value) {
+      const currentPassword = this.form.currentpassword
+      if (!value || value.length === 0) {
+        return Promise.resolve()
+      }
+      // Ensure new password is different from current password
+      if (currentPassword && value === currentPassword) {
+        return Promise.reject(this.$t('message.error.newpassword.sameascurrent'))
+      }
+      return Promise.resolve()
+    },
     async validateTwoPassword (rule, value) {
       if (!value || value.length === 0) {
         return Promise.resolve()