|
|
@ -12,6 +12,7 @@ import static java.nio.charset.StandardCharsets.UTF_8; |
|
|
|
import com.sun.net.httpserver.HttpExchange; |
|
|
|
import com.sun.net.httpserver.HttpExchange; |
|
|
|
import de.srsoftware.http.SessionToken; |
|
|
|
import de.srsoftware.http.SessionToken; |
|
|
|
import de.srsoftware.oidc.api.*; |
|
|
|
import de.srsoftware.oidc.api.*; |
|
|
|
|
|
|
|
import de.srsoftware.oidc.api.data.Permission; |
|
|
|
import de.srsoftware.oidc.api.data.Session; |
|
|
|
import de.srsoftware.oidc.api.data.Session; |
|
|
|
import de.srsoftware.oidc.api.data.User; |
|
|
|
import de.srsoftware.oidc.api.data.User; |
|
|
|
import jakarta.mail.*; |
|
|
|
import jakarta.mail.*; |
|
|
@ -35,8 +36,7 @@ public class UserController extends Controller { |
|
|
|
this.resourceLoader = resourceLoader; |
|
|
|
this.resourceLoader = resourceLoader; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private boolean addUser(HttpExchange ex, Session session) throws IOException { |
|
|
|
private boolean addUser(HttpExchange ex, User user) throws IOException { |
|
|
|
var user = session.user(); |
|
|
|
|
|
|
|
if (!user.hasPermission(MANAGE_USERS)) return sendEmptyResponse(HTTP_FORBIDDEN, ex); |
|
|
|
if (!user.hasPermission(MANAGE_USERS)) return sendEmptyResponse(HTTP_FORBIDDEN, ex); |
|
|
|
var json = json(ex); |
|
|
|
var json = json(ex); |
|
|
|
var newID = uuid(); |
|
|
|
var newID = uuid(); |
|
|
@ -50,22 +50,24 @@ public class UserController extends Controller { |
|
|
|
if (optSession.isEmpty()) return sendEmptyResponse(HTTP_UNAUTHORIZED, ex); |
|
|
|
if (optSession.isEmpty()) return sendEmptyResponse(HTTP_UNAUTHORIZED, ex); |
|
|
|
|
|
|
|
|
|
|
|
// post-login paths
|
|
|
|
// post-login paths
|
|
|
|
var session = optSession.get(); |
|
|
|
var user = sessions.extend(optSession.get()).user(); |
|
|
|
sessions.extend(session); |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
switch (path) { |
|
|
|
switch (path) { |
|
|
|
case "/delete": |
|
|
|
case "/delete": |
|
|
|
return deleteUser(ex, session); |
|
|
|
return deleteUser(ex, user); |
|
|
|
|
|
|
|
case "/permission": |
|
|
|
|
|
|
|
return editPermission(ex, user, true); |
|
|
|
} |
|
|
|
} |
|
|
|
return badRequest(ex, "%s not found".formatted(path)); |
|
|
|
return badRequest(ex, "%s not found".formatted(path)); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private boolean deleteUser(HttpExchange ex, Session session) throws IOException { |
|
|
|
private boolean deleteUser(HttpExchange ex, User user) throws IOException { |
|
|
|
|
|
|
|
if (!user.hasPermission(MANAGE_USERS)) return sendEmptyResponse(HTTP_FORBIDDEN, ex); |
|
|
|
var json = json(ex); |
|
|
|
var json = json(ex); |
|
|
|
if (!json.has(USER_ID)) return badRequest(ex, "missing_user_id"); |
|
|
|
if (!json.has(USER_ID)) return badRequest(ex, "missing_user_id"); |
|
|
|
var uuid = json.getString(USER_ID); |
|
|
|
var uuid = json.getString(USER_ID); |
|
|
|
if (uuid == null || uuid.isBlank()) return badRequest(ex, "missing_user_id"); |
|
|
|
if (uuid == null || uuid.isBlank()) return badRequest(ex, "missing_user_id"); |
|
|
|
if (session.user().uuid().equals(uuid)) return badRequest(ex, "must_not_delete_self"); |
|
|
|
if (user.uuid().equals(uuid)) return badRequest(ex, "must_not_delete_self"); |
|
|
|
if (!json.has(CONFIRMED) || !json.getBoolean(CONFIRMED)) return badRequest(ex, "missing_confirmation"); |
|
|
|
if (!json.has(CONFIRMED) || !json.getBoolean(CONFIRMED)) return badRequest(ex, "missing_confirmation"); |
|
|
|
Optional<User> targetUser = users.load(uuid); |
|
|
|
Optional<User> targetUser = users.load(uuid); |
|
|
|
if (targetUser.isEmpty()) return badRequest(ex, "unknown_user"); |
|
|
|
if (targetUser.isEmpty()) return badRequest(ex, "unknown_user"); |
|
|
@ -111,22 +113,47 @@ public class UserController extends Controller { |
|
|
|
// post-login paths
|
|
|
|
// post-login paths
|
|
|
|
var session = optSession.get(); |
|
|
|
var session = optSession.get(); |
|
|
|
sessions.extend(session); |
|
|
|
sessions.extend(session); |
|
|
|
|
|
|
|
var user = session.user(); |
|
|
|
|
|
|
|
|
|
|
|
switch (path) { |
|
|
|
switch (path) { |
|
|
|
case "/": |
|
|
|
case "/": |
|
|
|
return sendUserAndCookie(ex, session); |
|
|
|
return sendUserAndCookie(ex, session); |
|
|
|
case "/add": |
|
|
|
case "/add": |
|
|
|
return addUser(ex, session); |
|
|
|
return addUser(ex, user); |
|
|
|
case "/list": |
|
|
|
case "/list": |
|
|
|
return list(ex, session); |
|
|
|
return list(ex, user); |
|
|
|
case "/password": |
|
|
|
case "/password": |
|
|
|
return updatePassword(ex, session); |
|
|
|
return updatePassword(ex, user); |
|
|
|
|
|
|
|
case "/permission": |
|
|
|
|
|
|
|
return editPermission(ex, user, false); |
|
|
|
case "/update": |
|
|
|
case "/update": |
|
|
|
return updateUser(ex, session); |
|
|
|
return updateUser(ex, user); |
|
|
|
} |
|
|
|
} |
|
|
|
return notFound(ex); |
|
|
|
return notFound(ex); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private boolean editPermission(HttpExchange ex, User user, boolean drop) throws IOException { |
|
|
|
|
|
|
|
if (!user.hasPermission(MANAGE_USERS)) return sendEmptyResponse(HTTP_FORBIDDEN, ex); |
|
|
|
|
|
|
|
var json = json(ex); |
|
|
|
|
|
|
|
if (!json.has(USER_ID)) return badRequest(ex, "Missing user_id in request!"); |
|
|
|
|
|
|
|
if (!json.has(PERMISSION)) return badRequest(ex, "Missing permission in request"); |
|
|
|
|
|
|
|
try { |
|
|
|
|
|
|
|
var permission = Permission.valueOf(json.getString(PERMISSION)); |
|
|
|
|
|
|
|
var userId = json.getString(USER_ID); |
|
|
|
|
|
|
|
var optUer = users.load(userId); |
|
|
|
|
|
|
|
if (optUer.isEmpty()) return badRequest(ex, "Unknown user id (%s)".formatted(userId)); |
|
|
|
|
|
|
|
user = optUer.get(); |
|
|
|
|
|
|
|
if (drop) { |
|
|
|
|
|
|
|
user.drop(permission); |
|
|
|
|
|
|
|
} else { |
|
|
|
|
|
|
|
user.add(permission); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
users.save(user); |
|
|
|
|
|
|
|
return sendEmptyResponse(HTTP_OK, ex); |
|
|
|
|
|
|
|
} catch (IllegalArgumentException iae) { |
|
|
|
|
|
|
|
return badRequest(ex, iae.getMessage()); |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private boolean generateResetLink(HttpExchange ex) throws IOException { |
|
|
|
private boolean generateResetLink(HttpExchange ex) throws IOException { |
|
|
|
var idOrEmail = queryParam(ex).get("user"); |
|
|
|
var idOrEmail = queryParam(ex).get("user"); |
|
|
@ -148,8 +175,7 @@ public class UserController extends Controller { |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
private boolean list(HttpExchange ex, Session session) throws IOException { |
|
|
|
private boolean list(HttpExchange ex, User user) throws IOException { |
|
|
|
var user = session.user(); |
|
|
|
|
|
|
|
if (!user.hasPermission(MANAGE_USERS)) return sendEmptyResponse(HTTP_FORBIDDEN, ex); |
|
|
|
if (!user.hasPermission(MANAGE_USERS)) return sendEmptyResponse(HTTP_FORBIDDEN, ex); |
|
|
|
var json = new JSONObject(); |
|
|
|
var json = new JSONObject(); |
|
|
|
users.list().forEach(u -> json.put(u.uuid(), u.map(false))); |
|
|
|
users.list().forEach(u -> json.put(u.uuid(), u.map(false))); |
|
|
@ -262,8 +288,7 @@ public class UserController extends Controller { |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private boolean updatePassword(HttpExchange ex, Session session) throws IOException { |
|
|
|
private boolean updatePassword(HttpExchange ex, User user) throws IOException { |
|
|
|
var user = session.user(); |
|
|
|
|
|
|
|
var json = json(ex); |
|
|
|
var json = json(ex); |
|
|
|
var uuid = json.getString(UUID); |
|
|
|
var uuid = json.getString(UUID); |
|
|
|
if (!uuid.equals(user.uuid())) { |
|
|
|
if (!uuid.equals(user.uuid())) { |
|
|
@ -286,8 +311,7 @@ public class UserController extends Controller { |
|
|
|
return sendContent(ex, user.map(false)); |
|
|
|
return sendContent(ex, user.map(false)); |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
private boolean updateUser(HttpExchange ex, Session session) throws IOException { |
|
|
|
private boolean updateUser(HttpExchange ex, User user) throws IOException { |
|
|
|
var user = session.user(); |
|
|
|
|
|
|
|
var json = json(ex); |
|
|
|
var json = json(ex); |
|
|
|
var uuid = json.getString(UUID); |
|
|
|
var uuid = json.getString(UUID); |
|
|
|
if (!uuid.equals(user.uuid())) { |
|
|
|
if (!uuid.equals(user.uuid())) { |
|
|
|