admin: set password API

Author: sandhose

crates/handlers/src/admin/mod.rs

@@ -35,11 +35,13 @@ mod response;
 mod v1;
 
 use self::call_context::CallContext;
+use crate::passwords::PasswordManager;
 
 pub fn router<S>() -> (OpenApi, Router<S>)
 where
     S: Clone + Send + Sync + 'static,
     BoxHomeserverConnection: FromRef<S>,
+    PasswordManager: FromRef<S>,
     BoxRng: FromRequestParts<S>,
     CallContext: FromRequestParts<S>,
 {

crates/handlers/src/admin/v1/mod.rs

@@ -12,19 +12,24 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-use aide::axum::{routing::get_with, ApiRouter};
+use aide::axum::{
+    routing::{get_with, post_with},
+    ApiRouter,
+};
 use axum::extract::{FromRef, FromRequestParts};
 use mas_matrix::BoxHomeserverConnection;
 use mas_storage::BoxRng;
 
 use super::call_context::CallContext;
+use crate::passwords::PasswordManager;
 
 mod users;
 
 pub fn router<S>() -> ApiRouter<S>
 where
     S: Clone + Send + Sync + 'static,
     BoxHomeserverConnection: FromRef<S>,
+    PasswordManager: FromRef<S>,
     BoxRng: FromRequestParts<S>,
     CallContext: FromRequestParts<S>,
 {
@@ -38,6 +43,10 @@ where
             "/users/:id",
             get_with(self::users::get, self::users::get_doc),
         )
+        .api_route(
+            "/users/:id/set-password",
+            post_with(self::users::set_password, self::users::set_password_doc),
+        )
         .api_route(
             "/users/by-username/:username",
             get_with(self::users::by_username, self::users::by_username_doc),

crates/handlers/src/admin/v1/users/mod.rs

@@ -16,10 +16,12 @@ mod add;
 mod by_username;
 mod get;
 mod list;
+mod set_password;
 
 pub use self::{
     add::{doc as add_doc, handler as add},
     by_username::{doc as by_username_doc, handler as by_username},
     get::{doc as get_doc, handler as get},
     list::{doc as list_doc, handler as list},
+    set_password::{doc as set_password_doc, handler as set_password},
 };

crates/handlers/src/admin/v1/users/set_password.rs

@@ -0,0 +1,189 @@
+// Copyright 2024 The Matrix.org Foundation C.I.C.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use aide::{transform::TransformOperation, NoApi, OperationIo};
+use axum::{extract::State, response::IntoResponse, Json};
+use hyper::StatusCode;
+use mas_storage::BoxRng;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use ulid::Ulid;
+use zeroize::Zeroizing;
+
+use crate::{
+    admin::{call_context::CallContext, params::UlidPathParam, response::ErrorResponse},
+    impl_from_error_for_route,
+    passwords::PasswordManager,
+};
+
+#[derive(Debug, thiserror::Error, OperationIo)]
+#[aide(output_with = "Json<ErrorResponse>")]
+pub enum RouteError {
+    #[error(transparent)]
+    Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
+
+    #[error("Password hashing failed")]
+    Password(#[source] anyhow::Error),
+
+    #[error("User ID {0} not found")]
+    NotFound(Ulid),
+}
+
+impl_from_error_for_route!(mas_storage::RepositoryError);
+
+impl IntoResponse for RouteError {
+    fn into_response(self) -> axum::response::Response {
+        let error = ErrorResponse::from_error(&self);
+        let status = match self {
+            Self::Internal(_) | Self::Password(_) => StatusCode::INTERNAL_SERVER_ERROR,
+            Self::NotFound(_) => StatusCode::NOT_FOUND,
+        };
+        (status, Json(error)).into_response()
+    }
+}
+
+fn password_example() -> String {
+    "hunter2".to_owned()
+}
+
+/// # JSON payload for the `POST /api/admin/v1/users/:id/set-password` endpoint
+#[derive(Deserialize, JsonSchema)]
+#[schemars(rename = "SetUserPasswordPayload")]
+pub struct Payload {
+    /// The password to set for the user
+    #[schemars(example = "password_example")]
+    password: String,
+}
+
+pub fn doc(operation: TransformOperation) -> TransformOperation {
+    operation
+        .summary("Set the password for a user")
+        .tag("user")
+        .response_with::<200, StatusCode, _>(|t| t.description("Password was set"))
+        .response_with::<404, RouteError, _>(|t| {
+            let response = ErrorResponse::from_error(&RouteError::NotFound(Ulid::nil()));
+            t.description("User was not found").example(response)
+        })
+}
+
+#[tracing::instrument(name = "handler.admin.v1.users.set_password", skip_all, err)]
+pub async fn handler(
+    CallContext {
+        mut repo, clock, ..
+    }: CallContext,
+    NoApi(mut rng): NoApi<BoxRng>,
+    State(password_manager): State<PasswordManager>,
+    id: UlidPathParam,
+    Json(params): Json<Payload>,
+) -> Result<StatusCode, RouteError> {
+    let user = repo
+        .user()
+        .lookup(*id)
+        .await?
+        .ok_or(RouteError::NotFound(*id))?;
+
+    let password = Zeroizing::new(params.password.into_bytes());
+    let (version, hashed_password) = password_manager
+        .hash(&mut rng, password)
+        .await
+        .map_err(RouteError::Password)?;
+
+    repo.user_password()
+        .add(&mut rng, &clock, &user, version, hashed_password, None)
+        .await?;
+
+    repo.save().await?;
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+#[cfg(test)]
+mod tests {
+    use hyper::{Request, StatusCode};
+    use mas_storage::{user::UserPasswordRepository, RepositoryAccess};
+    use sqlx::PgPool;
+    use zeroize::Zeroizing;
+
+    use crate::test_utils::{setup, RequestBuilderExt, ResponseExt, TestState};
+
+    #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
+    async fn test_set_password(pool: PgPool) {
+        setup();
+        let mut state = TestState::from_pool(pool).await.unwrap();
+        let token = state.token_with_scope("urn:mas:admin").await;
+
+        // Create a user
+        let mut repo = state.repository().await.unwrap();
+        let user = repo
+            .user()
+            .add(&mut state.rng(), &state.clock, "alice".to_owned())
+            .await
+            .unwrap();
+
+        // Double-check that the user doesn't have a password
+        let user_password = repo.user_password().active(&user).await.unwrap();
+        assert!(user_password.is_none());
+
+        repo.save().await.unwrap();
+
+        let user_id = user.id;
+
+        // Set the password through the API
+        let request = Request::post(format!("/api/admin/v1/users/{user_id}/set-password"))
+            .bearer(&token)
+            .json(serde_json::json!({
+                "password": "hunter2",
+            }));
+
+        let response = state.request(request).await;
+        response.assert_status(StatusCode::NO_CONTENT);
+
+        // Check that the user now has a password
+        let mut repo = state.repository().await.unwrap();
+        let user_password = repo.user_password().active(&user).await.unwrap().unwrap();
+        let password = Zeroizing::new(b"hunter2".to_vec());
+        state
+            .password_manager
+            .verify(
+                user_password.version,
+                password,
+                user_password.hashed_password,
+            )
+            .await
+            .unwrap();
+    }
+
+    #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
+    async fn test_unknown_user(pool: PgPool) {
+        setup();
+        let mut state = TestState::from_pool(pool).await.unwrap();
+        let token = state.token_with_scope("urn:mas:admin").await;
+
+        // Set the password through the API
+        let request = Request::post("/api/admin/v1/users/01040G2081040G2081040G2081/set-password")
+            .bearer(&token)
+            .json(serde_json::json!({
+                "password": "hunter2",
+            }));
+
+        let response = state.request(request).await;
+        response.assert_status(StatusCode::NOT_FOUND);
+
+        let body: serde_json::Value = response.json();
+        assert_eq!(
+            body["errors"][0]["title"],
+            "User ID 01040G2081040G2081040G2081 not found"
+        );
+    }
+}

crates/handlers/src/bin/api-schema.rs

@@ -1,4 +1,4 @@
-// Copyright 2022 The Matrix.org Foundation C.I.C.
+// Copyright 2024 The Matrix.org Foundation C.I.C.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -61,6 +61,7 @@ impl_from_request_parts!(mas_storage::BoxRng);
 impl_from_request_parts!(mas_handlers::BoundActivityTracker);
 impl_from_ref!(mas_matrix::BoxHomeserverConnection);
 impl_from_ref!(mas_keystore::Keystore);
+impl_from_ref!(mas_handlers::passwords::PasswordManager);
 
 fn main() -> Result<(), Box<dyn std::error::Error>> {
     let (api, _) = mas_handlers::admin_api_router::<DummyState>();

docs/api.schema.json

@@ -316,6 +316,68 @@
         }
       }
     },
+    "/api/admin/v1/users/{id}/set-password": {
+      "post": {
+        "tags": [
+          "user"
+        ],
+        "summary": "Set the password for a user",
+        "parameters": [
+          {
+            "in": "path",
+            "name": "id",
+            "description": "A ULID as per https://github.com/ulid/spec",
+            "required": true,
+            "schema": {
+              "title": "ULID",
+              "description": "A ULID as per https://github.com/ulid/spec",
+              "type": "string",
+              "pattern": "^[0123456789ABCDEFGHJKMNPQRSTVWXYZ]{26}$"
+            },
+            "style": "simple"
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/SetUserPasswordPayload"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ErrorResponse"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "User was not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ErrorResponse"
+                },
+                "example": {
+                  "errors": [
+                    {
+                      "title": "User ID 00000000000000000000000000 not found"
+                    }
+                  ]
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/api/admin/v1/users/by-username/{username}": {
       "get": {
         "description": "Get a user by its username (localpart)",
@@ -709,6 +771,22 @@
           }
         }
       },
+      "SetUserPasswordPayload": {
+        "title": "JSON payload for the `POST /api/admin/v1/users/:id/set-password` endpoint",
+        "type": "object",
+        "required": [
+          "password"
+        ],
+        "properties": {
+          "password": {
+            "description": "The password to set for the user",
+            "examples": [
+              "hunter2"
+            ],
+            "type": "string"
+          }
+        }
+      },
       "UsernamePathParam": {
         "type": "object",
         "required": [