UserServlet.java

  1. /*
  2.  * Copyright (C) 2020-2024 by Savoir-faire Linux
  3.  *
  4.  * This program is free software; you can redistribute it and/or modify
  5.  * it under the terms of the GNU General Public License as published by
  6.  * the Free Software Foundation; either version 3 of the License, or
  7.  * (at your option) any later version.
  8.  *
  9.  * This program is distributed in the hope that it will be useful,
  10.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12.  * GNU General Public License for more details.
  13.  *
  14.  * You should have received a copy of the GNU General Public License
  15.  * along with this program.  If not, see <https://www.gnu.org/licenses/>.
  16.  */
  17. package net.jami.jams.server.servlets.api.auth.user;

  19. import static net.jami.jams.server.Server.certificateAuthority;
  20. import static net.jami.jams.server.Server.dataStore;

  22. import com.google.gson.Gson;

  24. import jakarta.servlet.ServletException;
  25. import jakarta.servlet.annotation.WebServlet;
  26. import jakarta.servlet.http.HttpServlet;
  27. import jakarta.servlet.http.HttpServletRequest;
  28. import jakarta.servlet.http.HttpServletResponse;

  30. import net.jami.jams.common.annotations.ScopedServletMethod;
  31. import net.jami.jams.common.authentication.AuthenticationSourceType;
  32. import net.jami.jams.common.objects.user.AccessLevel;
  33. import net.jami.jams.common.objects.user.User;
  34. import net.jami.jams.common.serialization.adapters.GsonFactory;

  36. import java.io.IOException;
  37. import java.util.Optional;

  39. @WebServlet("/api/auth/user")
  40. public class UserServlet extends HttpServlet {
  41.     private final Gson gson = GsonFactory.createGson();

  43.     // User can "read" himself.
  44.     /**
  45.      * @apiVersion 1.0.0
  46.      * @api {get} /api/auth/user Get JAMS user info
  47.      * @apiName getUser
  48.      * @apiGroup User
  49.      * @apiSuccess (200) {body} User json user object representation
  50.      * @apiSuccessExample {json} Success-Response: { "username":"jdoe", "password":null,
  51.      *     "userType":"AD", "realm":"savoirfairelinux", "accessLevel":"USER",
  52.      *     "needsPasswordReset":false, "ethAddress":"8272773ac", "ethKey":"192938ae72772ab",
  53.      *     "jamiId":"6e3552723df", "certificate":"pem_formatted_certificate",
  54.      *     "privateKey":"pem_formatted_key", "revoked":false }
  55.      * @apiError (500) {null} null was unable to fetch user information
  56.      */
  57.     @Override
  58.     @ScopedServletMethod(securityGroups = {AccessLevel.USER})
  59.     protected void doGet(HttpServletRequest req, HttpServletResponse resp)
  60.             throws ServletException, IOException {
  61.         String username = req.getAttribute("username").toString();
  62.         Optional<User> result = dataStore.getUserDao().getByUsername(username);
  63.         if (result.isEmpty()) {
  64.             resp.sendError(404, "User was not found!");
  65.             return;
  66.         }

  68.         User user = result.get();
  69.         if (certificateAuthority.getLatestCRL().get() != null) {
  70.             user.setRevoked(
  71.                     certificateAuthority
  72.                                     .getLatestCRL()
  73.                                     .get()
  74.                                     .getRevokedCertificate(user.getCertificate().getSerialNumber())
  75.                             != null);
  76.         } else user.setRevoked(false);
  77.         resp.setStatus(200);
  78.         resp.getOutputStream().write(gson.toJson(user).getBytes());
  79.         resp.flushBuffer();
  80.     }

  82.     // The user can update 3 fields: password,privatekey,publickey
  83.     // For now we do not consider the possibility for privatekey, publickey for other reasons.
  84.     /**
  85.      * @apiVersion 1.0.0
  86.      * @api {put} /api/auth/user Modify the user's info (for now just the password)
  87.      * @apiName putUser
  88.      * @apiGroup User
  89.      * @apiParam {query} password new password
  90.      * @apiSuccess (200) {null} null password changed successfully
  91.      * @apiError (500) {null} null was unable to change password
  92.      */
  93.     @Override
  94.     @ScopedServletMethod(securityGroups = AccessLevel.USER)
  95.     protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
  96.         String username = req.getAttribute("username").toString();

  98.         // Check if he is AD/LDAP - then return a 403, because we are unable to set such password.
  99.         User user = dataStore.getUserDao().getByUsername(username).orElseThrow();
  100.         if (user.getUserType() != AuthenticationSourceType.LOCAL) {
  101.             resp.sendError(403, "Unable to change user data as user is not a local user.");
  102.             return;
  103.         }

  105.         String password = req.getParameter("password");

  107.         if (dataStore.getUserDao().updateObject(password, username)) resp.setStatus(200);
  108.         else
  109.             resp.sendError(
  110.                     500, "An error occurred while attempting to update the user's data field.");
  111.     }
  112. }
Created with JaCoCo 0.8.11.202310140853