matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-08-07 17:03:01 +03:00
Code Activity

admin: set password API

Browse Source
This commit is contained in:
Quentin Gliech
2024-07-29 12:10:55 +02:00
parent 9ea77a9562
commit 8b5d576018
6 changed files with 278 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crates/handlers/src/admin/mod.rs
View File

@@ -43,11 +43,13 @@ mod schema;
mod v1;
use self::call_context::CallContext;
use crate::passwords::PasswordManager;
pub fn router<S>() -> (OpenApi, Router<S>)
where
S: Clone + Send + Sync + 'static,
BoxHomeserverConnection: FromRef<S>,
PasswordManager: FromRef<S>,
BoxRng: FromRequestParts<S>,
CallContext: FromRequestParts<S>,
Templates: FromRef<S>,

6
crates/handlers/src/admin/v1/mod.rs
View File

@@ -21,6 +21,7 @@ use mas_matrix::BoxHomeserverConnection;
use mas_storage::BoxRng;
use super::call_context::CallContext;
use crate::passwords::PasswordManager;
mod users;
@@ -28,6 +29,7 @@ pub fn router<S>() -> ApiRouter<S>
where
S: Clone + Send + Sync + 'static,
BoxHomeserverConnection: FromRef<S>,
PasswordManager: FromRef<S>,
BoxRng: FromRequestParts<S>,
CallContext: FromRequestParts<S>,
{
@@ -41,6 +43,10 @@ where
"/users/:id",
get_with(self::users::get, self::users::get_doc),
)
.api_route(
"/users/:id/set-password",
post_with(self::users::set_password, self::users::set_password_doc),
)
.api_route(
"/users/by-username/:username",
get_with(self::users::by_username, self::users::by_username_doc),

2
crates/handlers/src/admin/v1/users/mod.rs
View File

@@ -18,6 +18,7 @@ mod deactivate;
mod get;
mod list;
mod lock;
mod set_password;
mod unlock;
pub use self::{
@@ -27,5 +28,6 @@ pub use self::{
get::{doc as get_doc, handler as get},
list::{doc as list_doc, handler as list},
lock::{doc as lock_doc, handler as lock},
set_password::{doc as set_password_doc, handler as set_password},
unlock::{doc as unlock_doc, handler as unlock},
};

190
crates/handlers/src/admin/v1/users/set_password.rs Normal file
View File

@@ -0,0 +1,190 @@
// Copyright 2024 The Matrix.org Foundation C.I.C.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
use aide::{transform::TransformOperation, NoApi, OperationIo};
use axum::{extract::State, response::IntoResponse, Json};
use hyper::StatusCode;
use mas_storage::BoxRng;
use schemars::JsonSchema;
use serde::Deserialize;
use ulid::Ulid;
use zeroize::Zeroizing;
use crate::{
admin::{call_context::CallContext, params::UlidPathParam, response::ErrorResponse},
impl_from_error_for_route,
passwords::PasswordManager,
};
#[derive(Debug, thiserror::Error, OperationIo)]
#[aide(output_with = "Json<ErrorResponse>")]
pub enum RouteError {
#[error(transparent)]
Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
#[error("Password hashing failed")]
Password(#[source] anyhow::Error),
#[error("User ID {0} not found")]
NotFound(Ulid),
}
impl_from_error_for_route!(mas_storage::RepositoryError);
impl IntoResponse for RouteError {
fn into_response(self) -> axum::response::Response {
let error = ErrorResponse::from_error(&self);
let status = match self {
Self::Internal(_) | Self::Password(_) => StatusCode::INTERNAL_SERVER_ERROR,
Self::NotFound(_) => StatusCode::NOT_FOUND,
};
(status, Json(error)).into_response()
}
}
fn password_example() -> String {
"hunter2".to_owned()
}
/// # JSON payload for the `POST /api/admin/v1/users/:id/set-password` endpoint
#[derive(Deserialize, JsonSchema)]
#[schemars(rename = "SetUserPasswordRequest")]
pub struct Request {
/// The password to set for the user
#[schemars(example = "password_example")]
password: String,
}
pub fn doc(operation: TransformOperation) -> TransformOperation {
operation
.id("setUserPassword")
.summary("Set the password for a user")
.tag("user")
.response_with::<200, StatusCode, _>(|t| t.description("Password was set"))
.response_with::<404, RouteError, _>(|t| {
let response = ErrorResponse::from_error(&RouteError::NotFound(Ulid::nil()));
t.description("User was not found").example(response)
})
}
#[tracing::instrument(name = "handler.admin.v1.users.set_password", skip_all, err)]
pub async fn handler(
CallContext {
mut repo, clock, ..
}: CallContext,
NoApi(mut rng): NoApi<BoxRng>,
State(password_manager): State<PasswordManager>,
id: UlidPathParam,
Json(params): Json<Request>,
) -> Result<StatusCode, RouteError> {
let user = repo
.user()
.lookup(*id)
.await?
.ok_or(RouteError::NotFound(*id))?;
let password = Zeroizing::new(params.password.into_bytes());
let (version, hashed_password) = password_manager
.hash(&mut rng, password)
.await
.map_err(RouteError::Password)?;
repo.user_password()
.add(&mut rng, &clock, &user, version, hashed_password, None)
.await?;
repo.save().await?;
Ok(StatusCode::NO_CONTENT)
}
#[cfg(test)]
mod tests {
use hyper::{Request, StatusCode};
use mas_storage::{user::UserPasswordRepository, RepositoryAccess};
use sqlx::PgPool;
use zeroize::Zeroizing;
use crate::test_utils::{setup, RequestBuilderExt, ResponseExt, TestState};
#[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
async fn test_set_password(pool: PgPool) {
setup();
let mut state = TestState::from_pool(pool).await.unwrap();
let token = state.token_with_scope("urn:mas:admin").await;
// Create a user
let mut repo = state.repository().await.unwrap();
let user = repo
.user()
.add(&mut state.rng(), &state.clock, "alice".to_owned())
.await
.unwrap();
// Double-check that the user doesn't have a password
let user_password = repo.user_password().active(&user).await.unwrap();
assert!(user_password.is_none());
repo.save().await.unwrap();
let user_id = user.id;
// Set the password through the API
let request = Request::post(format!("/api/admin/v1/users/{user_id}/set-password"))
.bearer(&token)
.json(serde_json::json!({
"password": "hunter2",
}));
let response = state.request(request).await;
response.assert_status(StatusCode::NO_CONTENT);
// Check that the user now has a password
let mut repo = state.repository().await.unwrap();
let user_password = repo.user_password().active(&user).await.unwrap().unwrap();
let password = Zeroizing::new(b"hunter2".to_vec());
state
.password_manager
.verify(
user_password.version,
password,
user_password.hashed_password,
)
.await
.unwrap();
}
#[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
async fn test_unknown_user(pool: PgPool) {
setup();
let mut state = TestState::from_pool(pool).await.unwrap();
let token = state.token_with_scope("urn:mas:admin").await;
// Set the password through the API
let request = Request::post("/api/admin/v1/users/01040G2081040G2081040G2081/set-password")
.bearer(&token)
.json(serde_json::json!({
"password": "hunter2",
}));
let response = state.request(request).await;
response.assert_status(StatusCode::NOT_FOUND);
let body: serde_json::Value = response.json();
assert_eq!(
body["errors"][0]["title"],
"User ID 01040G2081040G2081040G2081 not found"
);
}
}

3
crates/handlers/src/bin/api-schema.rs
View File

@@ -1,4 +1,4 @@
// Copyright 2022 The Matrix.org Foundation C.I.C.
// Copyright 2024 The Matrix.org Foundation C.I.C.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@@ -66,6 +66,7 @@ impl_from_ref!(mas_router::UrlBuilder);
impl_from_ref!(mas_templates::Templates);
impl_from_ref!(mas_matrix::BoxHomeserverConnection);
impl_from_ref!(mas_keystore::Keystore);
impl_from_ref!(mas_handlers::passwords::PasswordManager);
fn main() -> Result<(), Box<dyn std::error::Error>> {
let (mut api, _) = mas_handlers::admin_api_router::<DummyState>();

76
docs/api/spec.json
View File

@@ -310,6 +310,66 @@
}
}
},
"/api/admin/v1/users/{id}/set-password": {
"post": {
"tags": [
"user"
],
"summary": "Set the password for a user",
"operationId": "setUserPassword",
"parameters": [
{
"in": "path",
"name": "id",
"required": true,
"schema": {
"title": "The ID of the resource",
"$ref": "#/components/schemas/ULID"
},
"style": "simple"
}
],
"requestBody": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/SetUserPasswordRequest"
}
}
},
"required": true
},
"responses": {
"200": {
"description": "",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/ErrorResponse"
}
}
}
},
"404": {
"description": "User was not found",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/ErrorResponse"
},
"example": {
"errors": [
{
"title": "User ID 00000000000000000000000000 not found"
}
]
}
}
}
}
}
}
},
"/api/admin/v1/users/by-username/{username}": {
"get": {
"tags": [
@@ -890,6 +950,22 @@
}
}
},
"SetUserPasswordRequest": {
"title": "JSON payload for the `POST /api/admin/v1/users/:id/set-password` endpoint",
"type": "object",
"required": [
"password"
],
"properties": {
"password": {
"description": "The password to set for the user",
"examples": [
"hunter2"
],
"type": "string"
}
}
},
"UsernamePathParam": {
"type": "object",
"required": [