Set password admin API

crates/handlers/src/admin/mod.rs

@@ -43,11 +43,13 @@ mod schema;
 mod v1;
 
 use self::call_context::CallContext;
+use crate::passwords::PasswordManager;
 
 pub fn router<S>() -> (OpenApi, Router<S>)
 where
     S: Clone + Send + Sync + 'static,
     BoxHomeserverConnection: FromRef<S>,
+    PasswordManager: FromRef<S>,
     BoxRng: FromRequestParts<S>,
     CallContext: FromRequestParts<S>,
     Templates: FromRef<S>,

crates/handlers/src/admin/v1/mod.rs

@@ -21,13 +21,15 @@ use mas_matrix::BoxHomeserverConnection;
 use mas_storage::BoxRng;
 
 use super::call_context::CallContext;
+use crate::passwords::PasswordManager;
 
 mod users;
 
 pub fn router<S>() -> ApiRouter<S>
 where
     S: Clone + Send + Sync + 'static,
     BoxHomeserverConnection: FromRef<S>,
+    PasswordManager: FromRef<S>,
     BoxRng: FromRequestParts<S>,
     CallContext: FromRequestParts<S>,
 {
@@ -41,6 +43,10 @@ where
             "/users/:id",
             get_with(self::users::get, self::users::get_doc),
         )
+        .api_route(
+            "/users/:id/set-password",
+            post_with(self::users::set_password, self::users::set_password_doc),
+        )
         .api_route(
             "/users/by-username/:username",
             get_with(self::users::by_username, self::users::by_username_doc),

crates/handlers/src/admin/v1/users/mod.rs

@@ -18,6 +18,7 @@ mod deactivate;
 mod get;
 mod list;
 mod lock;
+mod set_password;
 mod unlock;
 
 pub use self::{
@@ -27,5 +28,6 @@ pub use self::{
     get::{doc as get_doc, handler as get},
     list::{doc as list_doc, handler as list},
     lock::{doc as lock_doc, handler as lock},
+    set_password::{doc as set_password_doc, handler as set_password},
     unlock::{doc as unlock_doc, handler as unlock},
 };

crates/handlers/src/admin/v1/users/set_password.rs

@@ -0,0 +1,270 @@
+// Copyright 2024 The Matrix.org Foundation C.I.C.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use aide::{transform::TransformOperation, NoApi, OperationIo};
+use axum::{extract::State, response::IntoResponse, Json};
+use hyper::StatusCode;
+use mas_storage::BoxRng;
+use schemars::JsonSchema;
+use serde::Deserialize;
+use ulid::Ulid;
+use zeroize::Zeroizing;
+
+use crate::{
+    admin::{call_context::CallContext, params::UlidPathParam, response::ErrorResponse},
+    impl_from_error_for_route,
+    passwords::PasswordManager,
+};
+
+#[derive(Debug, thiserror::Error, OperationIo)]
+#[aide(output_with = "Json<ErrorResponse>")]
+pub enum RouteError {
+    #[error(transparent)]
+    Internal(Box<dyn std::error::Error + Send + Sync + 'static>),
+
+    #[error("Password is too weak")]
+    PasswordTooWeak,
+
+    #[error("Password hashing failed")]
+    Password(#[source] anyhow::Error),
+
+    #[error("User ID {0} not found")]
+    NotFound(Ulid),
+}
+
+impl_from_error_for_route!(mas_storage::RepositoryError);
+
+impl IntoResponse for RouteError {
+    fn into_response(self) -> axum::response::Response {
+        let error = ErrorResponse::from_error(&self);
+        let status = match self {
+            Self::Internal(_) | Self::Password(_) => StatusCode::INTERNAL_SERVER_ERROR,
+            Self::PasswordTooWeak => StatusCode::BAD_REQUEST,
+            Self::NotFound(_) => StatusCode::NOT_FOUND,
+        };
+        (status, Json(error)).into_response()
+    }
+}
+
+fn password_example() -> String {
+    "hunter2".to_owned()
+}
+
+/// # JSON payload for the `POST /api/admin/v1/users/:id/set-password` endpoint
+#[derive(Deserialize, JsonSchema)]
+#[schemars(rename = "SetUserPasswordRequest")]
+pub struct Request {
+    /// The password to set for the user
+    #[schemars(example = "password_example")]
+    password: String,
+
+    /// Skip the password complexity check
+    skip_password_check: Option<bool>,
+}
+
+pub fn doc(operation: TransformOperation) -> TransformOperation {
+    operation
+        .id("setUserPassword")
+        .summary("Set the password for a user")
+        .tag("user")
+        .response_with::<200, StatusCode, _>(|t| t.description("Password was set"))
+        .response_with::<400, RouteError, _>(|t| {
+            let response = ErrorResponse::from_error(&RouteError::PasswordTooWeak);
+            t.description("Password is too weak").example(response)
+        })
+        .response_with::<404, RouteError, _>(|t| {
+            let response = ErrorResponse::from_error(&RouteError::NotFound(Ulid::nil()));
+            t.description("User was not found").example(response)
+        })
+}
+
+#[tracing::instrument(name = "handler.admin.v1.users.set_password", skip_all, err)]
+pub async fn handler(
+    CallContext {
+        mut repo, clock, ..
+    }: CallContext,
+    NoApi(mut rng): NoApi<BoxRng>,
+    State(password_manager): State<PasswordManager>,
+    id: UlidPathParam,
+    Json(params): Json<Request>,
+) -> Result<StatusCode, RouteError> {
+    let user = repo
+        .user()
+        .lookup(*id)
+        .await?
+        .ok_or(RouteError::NotFound(*id))?;
+
+    let skip_password_check = params.skip_password_check.unwrap_or(false);
+    tracing::info!(skip_password_check, "skip_password_check");
+    if !skip_password_check
+        && !password_manager
+            .is_password_complex_enough(&params.password)
+            .unwrap_or(false)
+    {
+        return Err(RouteError::PasswordTooWeak);
+    }
+
+    let password = Zeroizing::new(params.password.into_bytes());
+    let (version, hashed_password) = password_manager
+        .hash(&mut rng, password)
+        .await
+        .map_err(RouteError::Password)?;
+
+    repo.user_password()
+        .add(&mut rng, &clock, &user, version, hashed_password, None)
+        .await?;
+
+    repo.save().await?;
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+#[cfg(test)]
+mod tests {
+    use hyper::{Request, StatusCode};
+    use mas_storage::{user::UserPasswordRepository, RepositoryAccess};
+    use sqlx::PgPool;
+    use zeroize::Zeroizing;
+
+    use crate::test_utils::{setup, RequestBuilderExt, ResponseExt, TestState};
+
+    #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
+    async fn test_set_password(pool: PgPool) {
+        setup();
+        let mut state = TestState::from_pool(pool).await.unwrap();
+        let token = state.token_with_scope("urn:mas:admin").await;
+
+        // Create a user
+        let mut repo = state.repository().await.unwrap();
+        let user = repo
+            .user()
+            .add(&mut state.rng(), &state.clock, "alice".to_owned())
+            .await
+            .unwrap();
+
+        // Double-check that the user doesn't have a password
+        let user_password = repo.user_password().active(&user).await.unwrap();
+        assert!(user_password.is_none());
+
+        repo.save().await.unwrap();
+
+        let user_id = user.id;
+
+        // Set the password through the API
+        let request = Request::post(format!("/api/admin/v1/users/{user_id}/set-password"))
+            .bearer(&token)
+            .json(serde_json::json!({
+                "password": "this is a good enough password",
+            }));
+
+        let response = state.request(request).await;
+        response.assert_status(StatusCode::NO_CONTENT);
+
+        // Check that the user now has a password
+        let mut repo = state.repository().await.unwrap();
+        let user_password = repo.user_password().active(&user).await.unwrap().unwrap();
+        let password = Zeroizing::new(b"this is a good enough password".to_vec());
+        state
+            .password_manager
+            .verify(
+                user_password.version,
+                password,
+                user_password.hashed_password,
+            )
+            .await
+            .unwrap();
+    }
+
+    #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
+    async fn test_weak_password(pool: PgPool) {
+        setup();
+        let mut state = TestState::from_pool(pool).await.unwrap();
+        let token = state.token_with_scope("urn:mas:admin").await;
+
+        // Create a user
+        let mut repo = state.repository().await.unwrap();
+        let user = repo
+            .user()
+            .add(&mut state.rng(), &state.clock, "alice".to_owned())
+            .await
+            .unwrap();
+        repo.save().await.unwrap();
+
+        let user_id = user.id;
+
+        // Set a weak password through the API
+        let request = Request::post(format!("/api/admin/v1/users/{user_id}/set-password"))
+            .bearer(&token)
+            .json(serde_json::json!({
+                "password": "password",
+            }));
+
+        let response = state.request(request).await;
+        response.assert_status(StatusCode::BAD_REQUEST);
+
+        // Check that the user still has a password
+        let mut repo = state.repository().await.unwrap();
+        let user_password = repo.user_password().active(&user).await.unwrap();
+        assert!(user_password.is_none());
+        repo.save().await.unwrap();
+
+        // Now try with the skip_password_check flag
+        let request = Request::post(format!("/api/admin/v1/users/{user_id}/set-password"))
+            .bearer(&token)
+            .json(serde_json::json!({
+                "password": "password",
+                "skip_password_check": true,
+            }));
+
+        let response = state.request(request).await;
+        response.assert_status(StatusCode::NO_CONTENT);
+
+        // Check that the user now has a password
+        let mut repo = state.repository().await.unwrap();
+        let user_password = repo.user_password().active(&user).await.unwrap().unwrap();
+        let password = Zeroizing::new(b"password".to_vec());
+        state
+            .password_manager
+            .verify(
+                user_password.version,
+                password,
+                user_password.hashed_password,
+            )
+            .await
+            .unwrap();
+    }
+
+    #[sqlx::test(migrator = "mas_storage_pg::MIGRATOR")]
+    async fn test_unknown_user(pool: PgPool) {
+        setup();
+        let mut state = TestState::from_pool(pool).await.unwrap();
+        let token = state.token_with_scope("urn:mas:admin").await;
+
+        // Set the password through the API
+        let request = Request::post("/api/admin/v1/users/01040G2081040G2081040G2081/set-password")
+            .bearer(&token)
+            .json(serde_json::json!({
+                "password": "this is a good enough password",
+            }));
+
+        let response = state.request(request).await;
+        response.assert_status(StatusCode::NOT_FOUND);
+
+        let body: serde_json::Value = response.json();
+        assert_eq!(
+            body["errors"][0]["title"],
+            "User ID 01040G2081040G2081040G2081 not found"
+        );
+    }
+}

crates/handlers/src/bin/api-schema.rs

@@ -1,4 +1,4 @@
-// Copyright 2022 The Matrix.org Foundation C.I.C.
+// Copyright 2024 The Matrix.org Foundation C.I.C.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -66,6 +66,7 @@ impl_from_ref!(mas_router::UrlBuilder);
 impl_from_ref!(mas_templates::Templates);
 impl_from_ref!(mas_matrix::BoxHomeserverConnection);
 impl_from_ref!(mas_keystore::Keystore);
+impl_from_ref!(mas_handlers::passwords::PasswordManager);
 
 fn main() -> Result<(), Box<dyn std::error::Error>> {
     let (mut api, _) = mas_handlers::admin_api_router::<DummyState>();