Implemented basic user management updating.

src/cli.rs

@@ -525,7 +525,7 @@ impl UserArgs {
             UserCommand::Auth {
                 username,
                 change_password,
-                change_totp
+                change_totp,
             } => user_management::change_auth(
                 &qi,
                 args.realm_id,

src/main.rs

@@ -18,10 +18,15 @@ pub use error::UIDCError;
 
 fn main() {
     stderrlog::new()
-        .verbosity(5)
         .module(module_path!())
+        .module("tide")
+        .show_module_names(true)
+        .timestamp(stderrlog::Timestamp::Millisecond)
+        .verbosity(10)
         .init()
         .unwrap();
 
+    // tide::log::with_level(log::LevelFilter::Trace);
+
     cli::invoked();
 }

src/schema.rs

@@ -32,7 +32,12 @@ pub struct SessionAuthentication {
     pub challenges_left: Vec<AuthChallengeType>,
 }
 
-make_index!(!SessionAuthenticationIndex, SessionAuthentication::Realm, SessionAuthentication::Session, SessionAuthentication::User);
+make_index!(
+    !SessionAuthenticationIndex,
+    SessionAuthentication::Realm,
+    SessionAuthentication::Session,
+    SessionAuthentication::User
+);
 
 // **** oauth types ****
 #[derive(Debug, Entity, Serialize, Deserialize)]
@@ -79,6 +84,7 @@ pub struct AuthChallenge {
     pub public: Vec<u8>,
     #[serde(with = "serde_bytes")]
     pub secret: Vec<u8>,
+    pub enabled: bool,
 }
 
 make_index!(AuthChallengeIndex, AuthChallenge::User);
@@ -102,7 +108,11 @@ pub struct GroupMembership {
     pub user: UserID,
 }
 
-make_index!(!GroupMembershipIndex, GroupMembership::Group, GroupMembership::User);
+make_index!(
+    !GroupMembershipIndex,
+    GroupMembership::Group,
+    GroupMembership::User
+);
 
 /// OAuth2 client representation
 #[derive(Debug, Entity, Serialize, Deserialize)]

src/server.rs

@@ -1,3 +1,5 @@
+use tide::prelude::Listener;
+
 use crate::{config, UIDCError};
 
 mod oidc;
@@ -35,6 +37,8 @@ async fn index(req: tide::Request<ServerStateWrapper>) -> tide::Result<tide::Res
     Ok(response)
 }
 
+fn run_cleanup() {}
+
 pub async fn run_server(
     db: microrm::DB,
     config: config::Config,
@@ -65,6 +69,10 @@ pub async fn run_server(
 
     app.at("/:realm/").get(index);
 
+    app.at("/favicon.ico")
+        .serve_file("static/favicon.ico")
+        .expect("couldn't serve favicon.ico");
+
     app.at("/static")
         .serve_dir("static/")
         .expect("Can't serve static files");
@@ -75,5 +83,7 @@ pub async fn run_server(
 
     app.listen(("127.0.0.1", port))
         .await
-        .map_err(|_| UIDCError::Abort("couldn't listen on port"))
+        .map_err(|_| UIDCError::Abort("couldn't listen on port"))?;
+
+    Ok(())
 }

src/server/session.rs

@@ -126,8 +126,6 @@ impl<'l> SessionHelper<'l> {
         auth: Option<schema::SessionAuthentication>,
         error_msg: Option<String>,
     ) -> tide::Response {
-        log::info!("rendering login response... auth is {:?}", auth);
-
         let to_present: Option<schema::AuthChallengeType> = match auth {
             None => Some(schema::AuthChallengeType::Username),
             Some(auth) => auth.challenges_left.first().copied(),
@@ -248,11 +246,8 @@ async fn v1_login_post(mut req: Request) -> tide::Result<tide::Response> {
 
     // check if a login reset was requested; if so, we start again from the top
     if body.reset.is_some() {
-        if let Some(_) = auth {
-            shelper.destroy_auth(realm, session_id);
-            response.set_status(302);
-            return Ok(tide::Redirect::new("login").into());
-        }
+        shelper.destroy_auth(realm, session_id);
+        return Ok(tide::Redirect::new("login").into());
     }
 
     use schema::AuthChallengeType as ChallengeType;
@@ -293,7 +288,11 @@ async fn v1_login_post(mut req: Request) -> tide::Result<tide::Response> {
                 let user = user.unwrap();
 
                 let enabled = qi.get().by(schema::AuthChallenge::User, &user.id()).all()?;
-                let has_totp = enabled.iter().filter(|ac| ac.challenge_type == schema::AuthChallengeType::TOTP).count() > 0;
+                let has_totp = enabled
+                    .iter()
+                    .filter(|ac| ac.challenge_type == schema::AuthChallengeType::TOTP)
+                    .count()
+                    > 0;
 
                 // TODO: support more flows than just username,password[,totp]
                 let sa = schema::SessionAuthentication {
@@ -301,9 +300,13 @@ async fn v1_login_post(mut req: Request) -> tide::Result<tide::Response> {
                     realm: realm,
                     user: user.id(),
                     challenges_left: if has_totp {
-                        vec![schema::AuthChallengeType::Password, schema::AuthChallengeType::TOTP]
+                        vec![
+                            schema::AuthChallengeType::Password,
+                            schema::AuthChallengeType::TOTP,
+                        ]
                     } else {
-                        vec![schema::AuthChallengeType::Password] },
+                        vec![schema::AuthChallengeType::Password]
+                    },
                 };
                 let id = qi.add(&sa).unwrap();
                 auth = Some(microrm::WithID::new(sa, id));

src/server/um.rs

@@ -1,17 +1,39 @@
-use tide::http::mime;
 use microrm::prelude::*;
+use tide::http::mime;
 
 use crate::{schema, UIDCError};
 
 type Request = tide::Request<super::ServerStateWrapper>;
 
-fn generate_template_data(qi: &microrm::QueryInterface, realm: schema::RealmID, user: schema::UserID) -> Result<serde_json::Value, UIDCError> {
-    let user = qi.get().by_id(&user).one()?.ok_or(UIDCError::Abort("couldn't find user"))?;
-
-    let has_totp = qi.get().by(schema::AuthChallenge::User, &user.id()).by(schema::AuthChallenge::ChallengeType, &schema::AuthChallengeType::TOTP).one()?.is_some();
+fn generate_template_data(
+    qi: &microrm::QueryInterface,
+    realm: schema::RealmID,
+    user: schema::UserID,
+) -> Result<serde_json::Value, UIDCError> {
+    let realm = qi
+        .get()
+        .by_id(&realm)
+        .one()?
+        .ok_or(UIDCError::Abort("no such realm"))?;
+    let user = qi
+        .get()
+        .by_id(&user)
+        .one()?
+        .ok_or(UIDCError::Abort("couldn't find user"))?;
+
+    let has_totp = qi
+        .get()
+        .by(schema::AuthChallenge::User, &user.id())
+        .by(
+            schema::AuthChallenge::ChallengeType,
+            &schema::AuthChallengeType::TOTP,
+        )
+        .one()?
+        .is_some();
 
     let template_data = serde_json::json!({
         "username": user.username,
+        "realm": realm.shortname,
         "totp_control": if has_totp {
             serde_json::json!([{ "value": "keep", "text": "Keep as-is"}, { "value": "remove", "text": "Remove" }, { "value": "reset", "text": "Reset" }])
         } else {
@@ -22,14 +44,18 @@ fn generate_template_data(qi: &microrm::QueryInterface, realm: schema::RealmID,
     Ok(template_data)
 }
 
-async fn um_index(mut req: Request) -> tide::Result<tide::Response> {
+async fn um_index(req: Request) -> tide::Result<tide::Response> {
     let shelper = super::session::SessionHelper::new(&req);
 
     let (realm, user) = match shelper.verify_session(&req) {
         Some(v) => v,
         None => {
-            return Ok(tide::Redirect::temporary(format!("../v1/session/login?redirect={}", req.url())).into())
-        },
+            return Ok(tide::Redirect::temporary(format!(
+                "../v1/session/login?redirect={}",
+                req.url()
+            ))
+            .into())
+        }
     };
     let qi = req.state().core.pool.query_interface();
 
@@ -37,38 +63,114 @@ async fn um_index(mut req: Request) -> tide::Result<tide::Response> {
     let template_data = generate_template_data(qi, realm, user)?;
 
     Ok(tide::Response::builder(200)
-            .content_type(mime::HTML)
-            .body(req.state().core.templates.render("um_index", &template_data).map_err(|_| tide::Error::from_str(500, "error rendering template"))?)
-            .build())
+        .content_type(mime::HTML)
+        .body(
+            req.state()
+                .core
+                .templates
+                .render("um_index", &template_data)
+                .map_err(|_| tide::Error::from_str(500, "error rendering template"))?,
+        )
+        .build())
+}
+
+#[derive(serde::Deserialize)]
+struct UpdateForm {
+    current_password: String,
+    new_password: Option<String>,
+    new_password_repeated: Option<String>,
+    totp_control: Option<String>,
 }
 
 async fn um_update(mut req: Request) -> tide::Result<tide::Response> {
+    let update_form: UpdateForm = req.body_form().await?;
+
     let shelper = super::session::SessionHelper::new(&req);
 
-    let (realm, user) = match shelper.verify_session(&req) {
+    let (realm, user_id) = match shelper.verify_session(&req) {
         Some(v) => v,
         None => {
             return Ok(tide::Redirect::temporary("../v1/session/login?redirect=../../um/").into())
-        },
+        }
     };
+
     let qi = req.state().core.pool.query_interface();
 
-    let progress : Result<Vec<String>, UIDCError> = {
+    log::info!("processing update request...");
+
+    let progress: Result<Vec<String>, UIDCError> = (|| {
         let mut info_msgs = vec![];
 
-        let password_challenge = qi.get().by(schema::AuthChallenge::User, &user).by(schema::AuthChallenge::ChallengeType, &schema::AuthChallengeType::Password).one()?;
+        let user = crate::user::User::from_id(user_id);
+        let challenge = user.verify_challenge(
+            &qi,
+            schema::AuthChallengeType::Password,
+            update_form.current_password.as_bytes(),
+        )?;
+        if !challenge {
+            Err(UIDCError::Abort("password verification failed"))?
+        }
+
+        if let Some((new_pass, new_pass_repeated)) = update_form
+            .new_password
+            .as_ref()
+            .zip(update_form.new_password_repeated.as_ref())
+        {
+            if new_pass != new_pass_repeated {
+                Err(UIDCError::Abort("entered passwords do not match"))?
+            }
+            if new_pass.len() > 0 {
+                user.set_new_password(qi, new_pass.as_bytes())?;
+                info_msgs.push("Updated password!".into());
+            }
+        } else if update_form.new_password.is_some() || update_form.new_password_repeated.is_some()
+        {
+            Err(UIDCError::Abort("must enter new password twice"))?
+        }
+
+        if let Some(totp) = update_form.totp_control.as_ref() {
+            if totp == "remove" {
+                user.clear_totp(qi)?;
+                info_msgs.push("Cleared TOTP setup".into());
+            } else if totp == "reset" {
+                let (_secret, _uri) = user.generate_totp_with_uri(qi)?;
+                Err(UIDCError::Abort("totp setup outside of cli not supported"))?
+            }
+        }
 
         Ok(info_msgs)
-    };
-
-    let mut template_data = generate_template_data(qi, realm, user)?;
-
-    template_data.as_object_mut().and_then(|o| o.insert("info_msg".into(), serde_json::json!(["Update request received"])));
+    })();
+
+    let mut template_data = generate_template_data(qi, realm, user_id)?;
+
+    match progress {
+        Ok(info_msgs) => {
+            template_data
+                .as_object_mut()
+                .and_then(|o| o.insert("info_msg".into(), serde_json::json!(info_msgs)));
+        }
+        Err(UIDCError::Abort(msg)) => {
+            template_data
+                .as_object_mut()
+                .and_then(|o| o.insert("error_msg".into(), serde_json::json!([msg])));
+        }
+        Err(e) => {
+            template_data
+                .as_object_mut()
+                .and_then(|o| o.insert("error_msg".into(), serde_json::json!([e.to_string()])));
+        }
+    }
 
     Ok(tide::Response::builder(200)
-            .content_type(mime::HTML)
-            .body(req.state().core.templates.render("um_index", &template_data).map_err(|_| tide::Error::from_str(500, "error rendering template"))?)
-            .build())
+        .content_type(mime::HTML)
+        .body(
+            req.state()
+                .core
+                .templates
+                .render("um_index", &template_data)
+                .map_err(|_| tide::Error::from_str(500, "error rendering template"))?,
+        )
+        .build())
 }
 
 pub(super) fn um_server(mut route: tide::Route<super::ServerStateWrapper>) {

src/user.rs

@@ -19,9 +19,13 @@ static PBKDF2_ROUNDS: std::num::NonZeroU32 = unsafe { std::num::NonZeroU32::new_
 fn generate_totp_digits(secret: &[u8], time_offset: isize) -> Result<u32, UIDCError> {
     use hmac::Mac;
 
-    let mut mac = hmac::Hmac::<sha1::Sha1>::new_from_slice(secret).map_err(|_| UserError::ChallengeInvalid)?;
+    let mut mac = hmac::Hmac::<sha1::Sha1>::new_from_slice(secret)
+        .map_err(|_| UserError::ChallengeInvalid)?;
 
-    let timestamp = std::time::SystemTime::now().duration_since(std::time::SystemTime::UNIX_EPOCH).unwrap().as_secs();
+    let timestamp = std::time::SystemTime::now()
+        .duration_since(std::time::SystemTime::UNIX_EPOCH)
+        .unwrap()
+        .as_secs();
     let interval = 30;
     let time_index = (timestamp / interval) as isize + time_offset;
 
@@ -30,7 +34,7 @@ fn generate_totp_digits(secret: &[u8], time_offset: isize) -> Result<u32, UIDCEr
 
     // this is from RFC4226
     let offset = (hmac[19] & 0xf) as usize;
-    let truncation = u32::from_be_bytes(hmac[offset..offset+4].try_into().unwrap()) & 0x7fff_ffff;
+    let truncation = u32::from_be_bytes(hmac[offset..offset + 4].try_into().unwrap()) & 0x7fff_ffff;
     Ok(truncation % 1_000_000)
 }
 
@@ -43,10 +47,7 @@ impl User {
     }
 
     pub fn from_id(id: schema::UserID) -> Self {
-        Self {
-            id,
-            model: None
-        }
+        Self { id, model: None }
     }
 
     pub fn id(&self) -> schema::UserID {
@@ -91,17 +92,17 @@ impl User {
             .ok_or(UserError::NoSuchChallenge)?;
 
         match which {
-            schema::AuthChallengeType::Password => {
-                self.verify_password_challenge(&challenge.wrapped(), response)
-            }
-            schema::AuthChallengeType::TOTP => {
-                self.verify_totp_challenge(&challenge.wrapped(), response)
-            }
+            schema::AuthChallengeType::Password => challenge.verify_password_challenge(response),
+            schema::AuthChallengeType::TOTP => challenge.verify_totp_challenge(response),
             _ => todo!(),
         }
     }
 
-    pub fn set_new_password(&self, qi: &microrm::QueryInterface, password: &[u8]) -> Result<(), UIDCError> {
+    pub fn set_new_password(
+        &self,
+        qi: &microrm::QueryInterface,
+        password: &[u8],
+    ) -> Result<(), UIDCError> {
         qi.delete()
             .by(schema::AuthChallenge::User, &self.id)
             .by(
@@ -130,26 +131,43 @@ impl User {
             challenge_type: schema::AuthChallengeType::Password,
             public: salt.into(),
             secret: generated.into(),
+            enabled: true,
         })?;
         Ok(())
     }
 
-    pub fn generate_totp_with_uri(&self, qi: &microrm::QueryInterface) -> Result<(Vec<u8>, String), UIDCError> {
+    pub fn generate_totp_with_uri(
+        &self,
+        qi: &microrm::QueryInterface,
+    ) -> Result<(Vec<u8>, String), UIDCError> {
         let rng = ring::rand::SystemRandom::new();
         let secret: [u8; 16] = ring::rand::generate(&rng)
             .expect("Couldn't generate random secret?")
             .expose();
 
-        let uri_secret = base32::encode(base32::Alphabet::RFC4648 { padding: false }, secret.as_slice());
+        let uri_secret = base32::encode(
+            base32::Alphabet::RFC4648 { padding: false },
+            secret.as_slice(),
+        );
 
-        let username = qi.get().by_id(&self.id).one()?.ok_or(UIDCError::Abort("no such user"))?.wrapped().username;
+        let username = qi
+            .get()
+            .by_id(&self.id)
+            .one()?
+            .ok_or(UIDCError::Abort("no such user"))?
+            .wrapped()
+            .username;
 
         let uri = format!("otpauth://totp/uidc:{username}@uidc?secret={uri_secret}&issuer=uidc");
 
         Ok((secret.into(), uri))
     }
 
-    pub fn set_new_totp(&self, qi: &microrm::QueryInterface, secret: &[u8]) -> Result<(), UIDCError> {
+    pub fn set_new_totp(
+        &self,
+        qi: &microrm::QueryInterface,
+        secret: &[u8],
+    ) -> Result<(), UIDCError> {
         qi.delete()
             .by(schema::AuthChallenge::User, &self.id)
             .by(
@@ -163,38 +181,59 @@ impl User {
             challenge_type: schema::AuthChallengeType::TOTP,
             public: vec![],
             secret: secret.into(),
+            enabled: true,
         })?;
         Ok(())
     }
 
-    pub fn verify_password_challenge(
-        &self,
-        challenge: &schema::AuthChallenge,
-        response: &[u8],
-    ) -> Result<bool, UIDCError> {
+    pub fn clear_totp(&self, qi: &microrm::QueryInterface) -> Result<(), UIDCError> {
+        qi.delete()
+            .by(schema::AuthChallenge::User, &self.id)
+            .by(
+                schema::AuthChallenge::ChallengeType,
+                &schema::AuthChallengeType::TOTP,
+            )
+            .exec()?;
+        Ok(())
+    }
+}
+
+impl schema::AuthChallenge {
+    pub fn verify_password_challenge(&self, response: &[u8]) -> Result<bool, UIDCError> {
         use ring::pbkdf2;
 
+        if self.challenge_type != schema::AuthChallengeType::Password {
+            return Err(UIDCError::Abort(
+                "verifying password challenge on non-password challenge",
+            ));
+        }
+
         Ok(pbkdf2::verify(
             pbkdf2::PBKDF2_HMAC_SHA256,
             PBKDF2_ROUNDS,
-            challenge.public.as_slice(),
+            self.public.as_slice(),
             response,
-            challenge.secret.as_slice(),
+            self.secret.as_slice(),
         )
         .is_ok())
     }
 
-    pub fn verify_totp_challenge(
-        &self,
-        challenge: &schema::AuthChallenge,
-        response: &[u8],
-    ) -> Result<bool, UIDCError> {
-        let response_digits = std::str::from_utf8(response).map_err(|_| UserError::InvalidInput)?.parse::<u32>().map_err(|_| UserError::InvalidInput)?;
+    pub fn verify_totp_challenge(&self, response: &[u8]) -> Result<bool, UIDCError> {
+        let response_digits = std::str::from_utf8(response)
+            .map_err(|_| UserError::InvalidInput)?
+            .parse::<u32>()
+            .map_err(|_| UserError::InvalidInput)?;
+
+        if self.challenge_type != schema::AuthChallengeType::TOTP {
+            return Err(UIDCError::Abort(
+                "verifying TOTP challenge on non-TOTP challenge",
+            ));
+        }
 
         // allow for some clock skew
         for time_offset in -2..3 {
-            if generate_totp_digits(challenge.secret.as_slice(), time_offset)? == response_digits {
-                return Ok(true)
+            if generate_totp_digits(self.secret.as_slice(), time_offset)? == response_digits {
+                return Ok(true);
             }
         }
 

src/user_management.rs

@@ -68,18 +68,20 @@ pub fn change_auth(
     if change_totp {
         let (new_secret, new_uri) = user.generate_totp_with_uri(qi)?;
         println!("Please confirm you can generate tokens with the new secret:");
-        qr2term::print_qr(new_uri.as_str()).map_err(|_| UIDCError::Abort("could not display QR code"))?;
+        qr2term::print_qr(new_uri.as_str())
+            .map_err(|_| UIDCError::Abort("could not display QR code"))?;
         let new_challenge = schema::AuthChallenge {
             user: user.id(),
             challenge_type: schema::AuthChallengeType::TOTP,
             public: vec![],
-            secret: new_secret.clone()
+            secret: new_secret.clone(),
+            enabled: true,
         };
 
         loop {
             let digits = rpassword::prompt_password("TOTP code: ").unwrap();
-            if user.verify_totp_challenge(&new_challenge, digits.as_bytes())? {
-                break
+            if new_challenge.verify_totp_challenge(digits.as_bytes())? {
+                break;
             }
         }
         user.set_new_totp(qi, new_secret.as_slice())?;

tmpl/um_index.tmpl

@@ -44,7 +44,7 @@
                         <tr><td>&nbsp;</td></tr>
                         <tr>
                             <td>New password:</td>
-                            <td><input type="password" name="new_password" /><br /><input type="password" name="new_password_repeated" /></td>
+                            <td><input type="password" name="new_password" /></td>
                         </tr>
                         <tr>
                             <td>New password (again):</td>