UserServlet.java
- /*
- * Copyright (C) 2020-2024 by Savoir-faire Linux
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <https://www.gnu.org/licenses/>.
- */
- package net.jami.jams.server.servlets.api.admin.users;
- import static net.jami.jams.server.Server.certificateAuthority;
- import static net.jami.jams.server.Server.dataStore;
- import static net.jami.jams.server.Server.nameServer;
- import static net.jami.jams.server.Server.userAuthenticationModule;
- import com.google.gson.Gson;
- import com.google.gson.JsonObject;
- import jakarta.servlet.ServletException;
- import jakarta.servlet.annotation.WebServlet;
- import jakarta.servlet.http.HttpServlet;
- import jakarta.servlet.http.HttpServletRequest;
- import jakarta.servlet.http.HttpServletResponse;
- import net.jami.jams.authmodule.PasswordUtil;
- import net.jami.jams.common.annotations.JsonContent;
- import net.jami.jams.common.annotations.ScopedServletMethod;
- import net.jami.jams.common.authentication.AuthenticationSourceType;
- import net.jami.jams.common.objects.devices.Device;
- import net.jami.jams.common.objects.responses.DeviceRevocationResponse;
- import net.jami.jams.common.objects.user.AccessLevel;
- import net.jami.jams.common.objects.user.User;
- import net.jami.jams.common.serialization.adapters.GsonFactory;
- import net.jami.jams.server.core.workflows.RevokeDeviceFlow;
- import net.jami.jams.server.core.workflows.RevokeUserFlow;
- import org.apache.commons.codec.binary.Base64;
- import org.bouncycastle.cert.X509CRLEntryHolder;
- import org.bouncycastle.cert.X509CRLHolder;
- import java.io.IOException;
- import java.util.List;
- import java.util.Optional;
- import java.util.concurrent.atomic.AtomicReference;
- @WebServlet("/api/admin/user")
- public class UserServlet extends HttpServlet {
- private final Gson gson = GsonFactory.createGson();
- // Get the user
- @Override
- @ScopedServletMethod(securityGroups = {AccessLevel.ADMIN})
- @JsonContent
- protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
- String username = req.getParameter("username");
- Optional<User> result = dataStore.getUserDao().getByUsername(username);
- if (result.isEmpty()) {
- resp.sendError(404, "An error occurred while attempting to obtain user.");
- }
- User user = result.get();
- X509CRLHolder crl = certificateAuthority.getLatestCRL().get();
- if (crl != null) {
- X509CRLEntryHolder revoked =
- crl.getRevokedCertificate(user.getCertificate().getSerialNumber());
- user.setRevoked(revoked != null);
- } else {
- user.setRevoked(false);
- }
- if (!user.getNeedsPasswordReset() && req.getParameter("needPW") != null) {
- String pw = req.getParameter("password");
- if (pw == null || pw.isEmpty()) {
- resp.sendError(400, "Password is empty!");
- return;
- }
- String password = PasswordUtil.hashPassword(pw, Base64.decodeBase64(user.getSalt()));
- dataStore.getUserDao().updateObject(password, username);
- user = dataStore.getUserDao().getByUsername(username).orElseThrow();
- }
- resp.getOutputStream().write(gson.toJson(user).getBytes());
- resp.flushBuffer();
- resp.setStatus(200);
- }
- // Create an internal user - this is always technically available, because
- // internal users have the right to exist.
- @Override
- @ScopedServletMethod(securityGroups = {AccessLevel.ADMIN})
- @JsonContent
- protected void doPost(HttpServletRequest req, HttpServletResponse resp)
- throws ServletException, IOException {
- JsonObject obj = gson.fromJson(req.getReader(), JsonObject.class);
- String username = obj.get("username").getAsString();
- String password = obj.get("password").getAsString();
- if (password.isEmpty()) {
- resp.sendError(400, "Password is empty!");
- return;
- }
- byte[] salt = PasswordUtil.generateSalt();
- String hashedPassword = PasswordUtil.hashPassword(password, salt);
- User user = new User();
- user.setUsername(username);
- user.setNeedsPasswordReset(true);
- user.setPassword(hashedPassword);
- user.setSalt(Base64.encodeBase64String(salt));
- user.setRealm("LOCAL");
- user.setUserType(AuthenticationSourceType.LOCAL);
- if (userAuthenticationModule.createUser(
- user.getUserType(), user.getRealm(), nameServer, user)) {
- resp.setStatus(201);
- return;
- }
- resp.sendError(500, "An error occurred while attempting to create the user.");
- }
- // Update user data.
- @Override
- @ScopedServletMethod(securityGroups = {AccessLevel.ADMIN})
- protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException {
- JsonObject obj = gson.fromJson(req.getReader(), JsonObject.class);
- String username = obj.get("username").getAsString();
- String pw = obj.get("password").getAsString();
- Optional<User> result = dataStore.getUserDao().getByUsername(username);
- if (result.isEmpty()) {
- resp.sendError(404, "User was not found!");
- return;
- }
- User user = result.get();
- // Check if he is AD/LDAP - then return a 403, because we are unable to set such
- // password.
- if (user.getUserType() != AuthenticationSourceType.LOCAL) {
- resp.sendError(500, "Unable to change user data as user is not a local user.");
- return;
- }
- byte[] salt = PasswordUtil.generateSalt();
- String password = PasswordUtil.hashPassword(pw, salt);
- String encodedSalt = Base64.encodeBase64String(salt);
- if (dataStore.getUserDao().updateObject(password, encodedSalt, username))
- resp.setStatus(200);
- else
- resp.sendError(
- 500, "An error occurred while attempting to update the user's data field.");
- }
- // Revoke a user.
- @Override
- @ScopedServletMethod(securityGroups = {AccessLevel.ADMIN})
- protected void doDelete(HttpServletRequest req, HttpServletResponse resp) throws IOException {
- String username = req.getParameter("username");
- AtomicReference<DeviceRevocationResponse> devResponse =
- new AtomicReference<>(RevokeUserFlow.revokeUser(username));
- List<Device> devices = dataStore.getDeviceDao().getByOwner(username);
- if (certificateAuthority.getLatestCRL() != null) {
- devices.forEach(
- device -> {
- if (certificateAuthority
- .getLatestCRL()
- .get()
- .getRevokedCertificate(
- device.getCertificate().getSerialNumber())
- == null)
- devResponse.set(
- RevokeDeviceFlow.revokeDevice(username, device.getDeviceId()));
- });
- }
- if (devResponse.get() != null && devResponse.get().isSuccess()) {
- resp.getOutputStream().write(gson.toJson(devResponse.get()).getBytes());
- resp.flushBuffer();
- } else resp.sendError(500, "An error occurred while revoking the user.");
- }
- }