package web import ( "net/http" "strings" "github.com/gin-contrib/sessions" "github.com/gin-gonic/gin" "github.com/jackc/pgconn" "github.com/pkg/errors" "github.com/smartcontractkit/chainlink/v2/core/auth" "github.com/smartcontractkit/chainlink/v2/core/logger/audit" "github.com/smartcontractkit/chainlink/v2/core/services/chainlink" clsession "github.com/smartcontractkit/chainlink/v2/core/sessions" "github.com/smartcontractkit/chainlink/v2/core/utils" webauth "github.com/smartcontractkit/chainlink/v2/core/web/auth" "github.com/smartcontractkit/chainlink/v2/core/web/presenters" ) // UserController manages the current Session's User. type UserController struct { App chainlink.Application } // UpdatePasswordRequest defines the request to set a new password for the // current session's User. type UpdatePasswordRequest struct { OldPassword string `json:"oldPassword"` NewPassword string `json:"newPassword"` } var errUnsupportedForAuth = errors.New("action is unsupported with configured authentication provider") // Index lists all API users func (u *UserController) Index(c *gin.Context) { ctx := c.Request.Context() users, err := u.App.AuthenticationProvider().ListUsers(ctx) if err != nil { if errors.Is(err, clsession.ErrNotSupported) { jsonAPIError(c, http.StatusBadRequest, errUnsupportedForAuth) return } u.App.GetLogger().Errorw("Unable to list users", "err", err) jsonAPIError(c, http.StatusInternalServerError, err) return } jsonAPIResponse(c, presenters.NewUserResources(users), "users") } // Create creates a new API user with provided context arguments. func (u *UserController) Create(c *gin.Context) { ctx := c.Request.Context() type newUserRequest struct { Email string `json:"email"` Password string `json:"password"` Role string `json:"role"` } var request newUserRequest if err := c.ShouldBindJSON(&request); err != nil { jsonAPIError(c, http.StatusUnprocessableEntity, err) return } userRole, err := clsession.GetUserRole(request.Role) if err != nil { jsonAPIError(c, http.StatusBadRequest, err) return } if verr := clsession.ValidateEmail(request.Email); verr != nil { jsonAPIError(c, http.StatusBadRequest, verr) return } if verr := utils.VerifyPasswordComplexity(request.Password, request.Email); verr != nil { jsonAPIError(c, http.StatusBadRequest, verr) return } user, err := clsession.NewUser(request.Email, request.Password, userRole) if err != nil { jsonAPIError(c, http.StatusBadRequest, errors.Errorf("error creating API user: %s", err)) return } if err = u.App.AuthenticationProvider().CreateUser(ctx, &user); err != nil { // If this is a duplicate key error (code 23505), return a nicer error message var pgErr *pgconn.PgError if ok := errors.As(err, &pgErr); ok { if pgErr.Code == "23505" { jsonAPIError(c, http.StatusBadRequest, errors.Errorf("user with email %s already exists", request.Email)) return } } if errors.Is(err, clsession.ErrNotSupported) { jsonAPIError(c, http.StatusBadRequest, errUnsupportedForAuth) return } u.App.GetLogger().Errorw("Error creating new API user", "err", err) jsonAPIError(c, http.StatusInternalServerError, errors.New("error creating API user")) return } jsonAPIResponse(c, presenters.NewUserResource(user), "user") } // UpdateRole changes role field of a specified API user. func (u *UserController) UpdateRole(c *gin.Context) { ctx := c.Request.Context() type updateUserRequest struct { Email string `json:"email"` NewRole string `json:"newRole"` } var request updateUserRequest if err := c.ShouldBindJSON(&request); err != nil { jsonAPIError(c, http.StatusUnprocessableEntity, err) return } // Don't allow current admin user to edit self sessionUser, ok := webauth.GetAuthenticatedUser(c) if !ok { jsonAPIError(c, http.StatusInternalServerError, errors.New("failed to obtain current user from context")) return } if strings.EqualFold(sessionUser.Email, request.Email) { jsonAPIError(c, http.StatusBadRequest, errors.New("can not change state or permissions of current admin user")) return } // In case email/role is not specified try to give friendlier/actionable error messages if request.Email == "" { jsonAPIError(c, http.StatusBadRequest, errors.New("email flag is empty, must specify an email")) return } if request.NewRole == "" { jsonAPIError(c, http.StatusBadRequest, errors.New("new-role flag is empty, must specify a new role, possible options are 'admin', 'edit', 'run', 'view'")) return } _, err := clsession.GetUserRole(request.NewRole) if err != nil { jsonAPIError(c, http.StatusBadRequest, errors.New("new role does not exist, possible options are 'admin', 'edit', 'run', 'view'")) return } user, err := u.App.AuthenticationProvider().UpdateRole(ctx, request.Email, request.NewRole) if err != nil { if errors.Is(err, clsession.ErrNotSupported) { jsonAPIError(c, http.StatusBadRequest, errUnsupportedForAuth) return } jsonAPIError(c, http.StatusInternalServerError, errors.Wrap(err, "error updating API user")) return } jsonAPIResponse(c, presenters.NewUserResource(user), "user") } // Delete deletes an API user and any sessions by email func (u *UserController) Delete(c *gin.Context) { ctx := c.Request.Context() email := c.Param("email") // Attempt find user by email user, err := u.App.AuthenticationProvider().FindUser(ctx, email) if err != nil { if errors.Is(err, clsession.ErrNotSupported) { jsonAPIError(c, http.StatusBadRequest, errUnsupportedForAuth) return } jsonAPIError(c, http.StatusBadRequest, errors.Errorf("specified user not found: %s", email)) return } // Don't allow current admin user to delete self sessionUser, ok := webauth.GetAuthenticatedUser(c) if !ok { jsonAPIError(c, http.StatusInternalServerError, errors.New("failed to obtain current user from context")) return } if strings.EqualFold(sessionUser.Email, email) { jsonAPIError(c, http.StatusBadRequest, errors.New("can not delete currently logged in admin user")) return } if err = u.App.AuthenticationProvider().DeleteUser(ctx, email); err != nil { if errors.Is(err, clsession.ErrNotSupported) { jsonAPIError(c, http.StatusBadRequest, errUnsupportedForAuth) return } u.App.GetLogger().Errorw("Error deleting API user", "err", err) jsonAPIError(c, http.StatusInternalServerError, errors.New("error deleting API user")) return } jsonAPIResponse(c, presenters.NewUserResource(user), "user") } // UpdatePassword changes the password for the current User. func (u *UserController) UpdatePassword(c *gin.Context) { ctx := c.Request.Context() var request UpdatePasswordRequest if err := c.ShouldBindJSON(&request); err != nil { jsonAPIError(c, http.StatusUnprocessableEntity, err) return } sessionUser, ok := webauth.GetAuthenticatedUser(c) if !ok { jsonAPIError(c, http.StatusInternalServerError, errors.New("failed to obtain current user from context")) return } user, err := u.App.AuthenticationProvider().FindUser(ctx, sessionUser.Email) if err != nil { if errors.Is(err, clsession.ErrNotSupported) { jsonAPIError(c, http.StatusBadRequest, errUnsupportedForAuth) return } u.App.GetLogger().Errorf("failed to obtain current user record: %s", err) jsonAPIError(c, http.StatusInternalServerError, errors.New("unable to update password")) return } if !utils.CheckPasswordHash(request.OldPassword, user.HashedPassword) { u.App.GetAuditLogger().Audit(audit.PasswordResetAttemptFailedMismatch, map[string]interface{}{"user": user.Email}) jsonAPIError(c, http.StatusConflict, errors.New("old password does not match")) return } if err := utils.VerifyPasswordComplexity(request.NewPassword, user.Email); err != nil { jsonAPIError(c, http.StatusUnprocessableEntity, err) return } if err := u.updateUserPassword(c, &user, request.NewPassword); err != nil { jsonAPIError(c, http.StatusInternalServerError, err) return } u.App.GetAuditLogger().Audit(audit.PasswordResetSuccess, map[string]interface{}{"user": user.Email}) jsonAPIResponse(c, presenters.NewUserResource(user), "user") } // NewAPIToken generates a new API token for a user overwriting any pre-existing one set. func (u *UserController) NewAPIToken(c *gin.Context) { ctx := c.Request.Context() var request clsession.ChangeAuthTokenRequest if err := c.ShouldBindJSON(&request); err != nil { jsonAPIError(c, http.StatusUnprocessableEntity, err) return } sessionUser, ok := webauth.GetAuthenticatedUser(c) if !ok { jsonAPIError(c, http.StatusInternalServerError, errors.New("failed to obtain current user from context")) return } user, err := u.App.AuthenticationProvider().FindUser(ctx, sessionUser.Email) if err != nil { if errors.Is(err, clsession.ErrNotSupported) { jsonAPIError(c, http.StatusBadRequest, errUnsupportedForAuth) return } u.App.GetLogger().Errorf("failed to obtain current user record: %s", err) jsonAPIError(c, http.StatusInternalServerError, errors.New("unable to create API token")) return } // In order to create an API token, login validation with provided password must succeed err = u.App.AuthenticationProvider().TestPassword(ctx, sessionUser.Email, request.Password) if err != nil { u.App.GetAuditLogger().Audit(audit.APITokenCreateAttemptPasswordMismatch, map[string]interface{}{"user": user.Email}) jsonAPIError(c, http.StatusUnauthorized, errors.New("incorrect password")) return } newToken := auth.NewToken() if err := u.App.AuthenticationProvider().SetAuthToken(ctx, &user, newToken); err != nil { if errors.Is(err, clsession.ErrNotSupported) { jsonAPIError(c, http.StatusBadRequest, errUnsupportedForAuth) return } jsonAPIError(c, http.StatusInternalServerError, err) return } u.App.GetAuditLogger().Audit(audit.APITokenCreated, map[string]interface{}{"user": user.Email}) jsonAPIResponseWithStatus(c, newToken, "auth_token", http.StatusCreated) } // DeleteAPIToken deletes and disables a user's API token. func (u *UserController) DeleteAPIToken(c *gin.Context) { ctx := c.Request.Context() var request clsession.ChangeAuthTokenRequest if err := c.ShouldBindJSON(&request); err != nil { jsonAPIError(c, http.StatusUnprocessableEntity, err) return } sessionUser, ok := webauth.GetAuthenticatedUser(c) if !ok { jsonAPIError(c, http.StatusInternalServerError, errors.New("failed to obtain current user from context")) return } user, err := u.App.AuthenticationProvider().FindUser(ctx, sessionUser.Email) if err != nil { if errors.Is(err, clsession.ErrNotSupported) { jsonAPIError(c, http.StatusBadRequest, errUnsupportedForAuth) return } u.App.GetLogger().Errorf("failed to obtain current user record: %s", err) jsonAPIError(c, http.StatusInternalServerError, errors.New("unable to delete API token")) return } err = u.App.AuthenticationProvider().TestPassword(ctx, sessionUser.Email, request.Password) if err != nil { u.App.GetAuditLogger().Audit(audit.APITokenDeleteAttemptPasswordMismatch, map[string]interface{}{"user": user.Email}) jsonAPIError(c, http.StatusUnauthorized, errors.New("incorrect password")) return } if err := u.App.AuthenticationProvider().DeleteAuthToken(ctx, &user); err != nil { if errors.Is(err, clsession.ErrNotSupported) { jsonAPIError(c, http.StatusBadRequest, errUnsupportedForAuth) return } jsonAPIError(c, http.StatusInternalServerError, err) return } { u.App.GetAuditLogger().Audit(audit.APITokenDeleted, map[string]interface{}{"user": user.Email}) jsonAPIResponseWithStatus(c, nil, "auth_token", http.StatusNoContent) } } func getCurrentSessionID(c *gin.Context) (string, error) { session := sessions.Default(c) sessionID, ok := session.Get(webauth.SessionIDKey).(string) if !ok { return "", errors.New("unable to get current session ID") } return sessionID, nil } func (u *UserController) updateUserPassword(c *gin.Context, user *clsession.User, newPassword string) error { ctx := c.Request.Context() sessionID, err := getCurrentSessionID(c) if err != nil { return err } orm := u.App.AuthenticationProvider() if err := orm.ClearNonCurrentSessions(ctx, sessionID); err != nil { u.App.GetLogger().Errorf("failed to clear non current user sessions: %s", err) return errors.New("unable to update password") } if err := orm.SetPassword(ctx, user, newPassword); err != nil { if errors.Is(err, clsession.ErrNotSupported) { return errUnsupportedForAuth } u.App.GetLogger().Errorf("failed to update current user password: %s", err) return errors.New("unable to update password") } return nil }