libeufin

Integration and sandbox testing for FinTech APIs and data formats

commit 3c7524c6a876ab3254b45a445d533161258374ea
parent 775073e70b4f1044a2c2c3dc84782d571b812e06
Author: Florian Dold <florian@dold.me>
Date:   Sat,  7 Aug 2021 12:00:37 +0200

allow changing passwords as superuser

Diffstat:
Mcli/bin/libeufin-cli | 7++++---
Mnexus/src/main/kotlin/tech/libeufin/nexus/ebics/EbicsNexus.kt | 1+
Mnexus/src/main/kotlin/tech/libeufin/nexus/server/NexusServer.kt | 15++++++++++++---
3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/cli/bin/libeufin-cli b/cli/bin/libeufin-cli
@@ -94,7 +94,8 @@ def list_users(obj):
 tell_user(resp, withsuccess=True)
 check_response_status(resp)
-@users.command(help="Change user's password")
+@users.command(help="Change user's password (as superuser)")
+@click.argument("username")
 @click.option(
 "--new-password",
 help="New password",
@@ -103,8 +104,8 @@ def list_users(obj):
 confirmation_prompt=True,
 )
 @click.pass_obj
-def change_password(obj, new_password):
- url = urljoin(obj.nexus_base_url, f"/users/password")
+def change_password(obj, username, new_password):
+ url = urljoin(obj.nexus_base_url, f"/users/{username}/password")
 try:
 body = dict(newPassword=new_password)
 resp = post(
diff --git a/nexus/src/main/kotlin/tech/libeufin/nexus/ebics/EbicsNexus.kt b/nexus/src/main/kotlin/tech/libeufin/nexus/ebics/EbicsNexus.kt
@@ -603,6 +603,7 @@ class EbicsBankConnectionProtocol: BankConnectionProtocol {
 pdfWriter.flush()
 return po.toByteArray()
 }
+
 override fun exportBackup(bankConnectionId: String, passphrase: String): JsonNode {
 val subscriber = transaction { getEbicsSubscriberDetails(bankConnectionId) }
 val ret = EbicsKeysBackupJson(
diff --git a/nexus/src/main/kotlin/tech/libeufin/nexus/server/NexusServer.kt b/nexus/src/main/kotlin/tech/libeufin/nexus/server/NexusServer.kt
@@ -279,6 +279,7 @@ fun serverMain(dbName: String, host: String, port: Int) {
 post("/permissions") {
 val req = call.receive<ChangePermissionsRequest>()
+ val knownPermissions = listOf()
 transaction {
 requireSuperuser(call.request)
 val existingPerm = findPermission(req.permission)
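Review bot: In `change_password` (cli/bin/libeufin-cli, second hunk) the `username` argument is interpolated into the request path unescaped, so a name containing `/`, `?`, `#` or `..` sends the request to a different route than the one intended. Percent-encode the segment before joining, e.g. `url = urljoin(obj.nexus_base_url, f"/users/{quote(username, safe='')}/password")`, with `quote` imported from `urllib.parse`. The function body continues past the end of the hunk.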
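Review bot: In the `post("/permissions")` handler of NexusServer.kt, the added `val knownPermissions = listOf()` gives the compiler no element type to infer, and the value is not used anywhere in the visible lines. If the intent is to reject unknown permission names, give it an explicit type such as `val knownPermissions = listOf<String>()` populated with the accepted names and check `req.permission` against it before the `transaction` block; otherwise drop the line. The handler continues outside the hunk, so a later use cannot be ruled out from here.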
@@ -321,11 +322,19 @@ fun serverMain(dbName: String, host: String, port: Int) {
 }
 // change a user's password
- post("/users/password") {
+ post("/users/{username}/password") {
 val body = call.receiveJson<ChangeUserPassword>()
+ val targetUsername = ensureNonNull(call.parameters["username"])
 transaction {
- val user = authenticateRequest(call.request)
- user.passwordHash = CryptoUtil.hashpw(body.newPassword)
+ requireSuperuser(call.request)
+ val targetUser = NexusUserEntity.find {
+ NexusUsersTable.username eq targetUsername
+ }.firstOrNull()
+ if (targetUser == null) throw NexusError(
+ HttpStatusCode.NotFound,
+ "Username $targetUsername not found"
+ )
+ targetUser.passwordHash = CryptoUtil.hashpw(body.newPassword)
 }
 call.respond(NexusMessage(message = "Password successfully changed"))
 return@post
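Review bot: The rewritten `/users/{username}/password` handler calls `requireSuperuser(call.request)` unconditionally and the old `/users/password` route is removed, so an ordinary user can no longer rotate their own password, which matters most when that password is suspected to be compromised. Consider allowing callers to change their own entry and requiring superuser only for other accounts, e.g. `val caller = authenticateRequest(call.request)` followed by `if (caller.username != targetUsername) requireSuperuser(call.request)`; this assumes the user entity exposes `username`, which the hunk does not show. An administrative reset also deserves a log line naming the acting superuser and the target account, never the password itself. `body.newPassword` reaches `CryptoUtil.hashpw` with no visible emptiness check; whether `ChangeUserPassword` validates it is outside the hunk.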