Leosac  0.7.0
OpenSourceAccessControl
PasswordChange.cpp
Go to the documentation of this file.
1 /*
2  Copyright (C) 2014-2016 Leosac
3 
4  This file is part of Leosac.
5 
6  Leosac is free software: you can redistribute it and/or modify
7  it under the terms of the GNU Affero General Public License as published by
8  the Free Software Foundation, either version 3 of the License, or
9  (at your option) any later version.
10 
11  Leosac is distributed in the hope that it will be useful,
12  but WITHOUT ANY WARRANTY; without even the implied warranty of
13  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  GNU Affero General Public License for more details.
15 
16  You should have received a copy of the GNU Affero General Public License
17  along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19 
20 #include "PasswordChange.hpp"
21 #include "Exceptions.hpp"
22 #include "WSServer.hpp"
23 #include "api/APISession.hpp"
24 #include "core/audit/AuditFactory.hpp"
25 #include "core/audit/UserEvent.hpp"
26 #include "core/auth/User_odb.h"
27 #include "exception/EntityNotFound.hpp"
28 #include "exception/PermissionDenied.hpp"
29 #include "tools/db/DBService.hpp"
30 
31 using namespace Leosac;
32 using namespace Leosac::Module;
33 using namespace Leosac::Module::WebSockAPI;
34 
35 PasswordChange::PasswordChange(RequestContext ctx)
36  : MethodHandler(ctx)
37 {
38 }
39 
40 MethodHandlerUPtr PasswordChange::create(RequestContext ctx)
41 {
42  return std::make_unique<PasswordChange>(ctx);
43 }
44 
45 json PasswordChange::process_impl(const json &req)
46 {
47  json rep;
48 
49  using query = odb::query<Auth::User>;
50  DBPtr db = ctx_.dbsrv->db();
51  odb::transaction t(db->begin());
52  auto uid = req.at("user_id").get<Auth::UserId>();
53  auto new_password = req.at("new_password").get<std::string>();
54 
55  Auth::UserPtr user = db->query_one<Auth::User>(query::id == uid);
56  if (user)
57  {
58  using namespace FlagSetOperator;
59  Audit::IUserEventPtr audit = Audit::Factory::UserEvent(db, user, ctx_.audit);
60 
61  if (uid == ctx_.session->current_user_id())
62  {
63  auto current_password = req.at("current_password").get<std::string>();
64  // When changing our own password, we check the `current_password` field.
65  if (!user->verify_password(current_password))
66  {
67  audit->event_mask(Audit::EventType::USER_PASSWORD_CHANGE_FAILURE);
68  audit->finalize();
69  t.commit();
70  throw PermissionDenied("Invalid `current_password`.");
71  }
72  }
73  audit->event_mask(Audit::EventType::USER_EDITED |
74  Audit::EventType::USER_PASSWORD_CHANGED);
75  user->password(new_password);
76 
77  ctx_.server.clear_user_sessions(user, ctx_.session);
78  audit->finalize();
79  db->update(user);
80  }
81  else
82  throw EntityNotFound(uid, "user");
83  t.commit();
84  return rep;
85 }
86 
87 std::vector<ActionActionParam>
88 PasswordChange::required_permission(const json &req) const
89 {
90  std::vector<ActionActionParam> perm;
91  SecurityContext::UserActionParam uap{};
92  uap.user_id = req.at("user_id").get<Auth::UserId>();
93 
94  perm.emplace_back(SecurityContext::Action::USER_CHANGE_PASSWORD, uap);
95  return perm;
96 }
Leosac::Audit::Factory::UserEvent
static IUserEventPtr UserEvent(const DBPtr &database, Auth::UserPtr target_user, IAuditEntryPtr parent)
Definition: AuditFactory.cpp:43
Leosac::Module::WebSockAPI::MethodHandler
The base class for API method handler implementation.
Definition: MethodHandler.hpp:46
Leosac
This is the header file for a generated source file, GitSHA1.cpp.
Definition: APIStatusCode.hpp:22
Leosac::Module::WebSockAPI::PasswordChange::process_impl
virtual json process_impl(const json &req) override
The API method implementation.
Definition: PasswordChange.cpp:45
Leosac::Module::WebSockAPI::RequestContext::audit
Audit::IAuditEntryPtr audit
The initial audit trail for the request.
Definition: RequestContext.hpp:55
Leosac::Module::WebSockAPI::PasswordChange::create
static MethodHandlerUPtr create(RequestContext)
Definition: PasswordChange.cpp:40
Leosac::Auth::User
Represent a user.
Definition: User.hpp:42
Leosac::Audit::EventType::USER_PASSWORD_CHANGE_FAILURE
An attempt to change the password failed.
Leosac::Auth::UserId
unsigned long UserId
Definition: AuthFwd.hpp:34
Leosac::Module::WebSockAPI::MethodHandlerUPtr
std::unique_ptr< MethodHandler > MethodHandlerUPtr
Definition: WebSockFwd.hpp:36
PermissionDenied
An exception that can be throw when the permission for a given operation is denied.
Definition: PermissionDenied.hpp:28
Leosac::Audit::IUserEventPtr
std::shared_ptr< IUserEvent > IUserEventPtr
Definition: AuditFwd.hpp:46
Leosac::Auth::UserPtr
std::shared_ptr< User > UserPtr
Definition: AuthFwd.hpp:31
Leosac::Module
All modules that provides features to Leosac shall be in this namespace.
Leosac::Module::WebSockAPI::WSServer::clear_user_sessions
void clear_user_sessions(Auth::UserPtr user, APIPtr exception)
Deauthenticate all the connections of user, except the exception APISession.
Definition: WSServer.cpp:410
Leosac::Module::WebSockAPI::RequestContext
Holds valuable pointer to provide context to a request.
Definition: RequestContext.hpp:36
Leosac::DBPtr
std::shared_ptr< odb::database > DBPtr
Definition: db_fwd.hpp:31
Leosac::Module::WebSockAPI::PasswordChange::required_permission
std::vector< ActionActionParam > required_permission(const json &req) const override
Return a list of "Action" / "ActionParam" that must pass before the request is processed.
Definition: PasswordChange.cpp:88