SQL-187 Feature: Update Local Admin Password (#295)

* SQL-187 working backend for update password

* SQL-187 remove redundant do

* SQL-187 add params validator for update-password

* SQL-187 add api

* SQL-187 derive user for password change from JWT

* SQL-187 move params spec to be with its siblings

* SQL-187 UI release v0.1.9

Makefile

@@ -2,7 +2,7 @@
 
 # Version of LRS Admin UI to use
 
-LRS_ADMIN_UI_VERSION ?= v0.1.8
+LRS_ADMIN_UI_VERSION ?= v0.1.9
 LRS_ADMIN_UI_LOCATION ?= https://github.com/yetanalytics/lrs-admin-ui/releases/download/${LRS_ADMIN_UI_VERSION}/lrs-admin-ui.zip
 LRS_ADMIN_ZIPFILE ?= lrs-admin-ui-${LRS_ADMIN_UI_VERSION}.zip
 

src/db/h2/lrsql/h2/record.clj

@@ -151,6 +151,8 @@
     (query-all-accounts tx))
   (-delete-admin-account! [_ tx input]
     (delete-admin-account! tx input))
+  (-update-admin-password! [_ tx input]
+    (update-admin-password! tx input))
   (-query-account [_ tx input]
     (query-account tx input))
   (-query-account-oidc [_ tx input]

src/db/h2/lrsql/h2/sql/query.sql

@@ -243,9 +243,10 @@ WHERE activity_iri = :activity-iri
 -- :name query-account
 -- :command :query
 -- :result :one
--- :doc Given an account `username`, return the ID and the hashed password, which can be used to verify the account.
+-- :doc Given an account `username` or `account-id`, return the ID and the hashed password, which can be used to verify the account.
 SELECT id, passhash FROM admin_account
-WHERE username = :username
+--~ (when (:username params)   "WHERE username = :username")
+--~ (when (:account-id params) "WHERE id = :account-id")
 
 -- :name query-account-oidc
 -- :command :query

src/db/h2/lrsql/h2/sql/update.sql

@@ -62,3 +62,12 @@ SET
   last_modified = :last-modified
 WHERE profile_id = :profile-id
 AND activity_iri = :activity-iri
+
+-- :name update-admin-password!
+-- :command :execute
+-- :result :affected
+-- :doc Update the `passhash` of an admin account.
+UPDATE admin_account
+SET
+  passhash = :new-passhash
+WHERE id = :account-id

src/db/postgres/lrsql/postgres/record.clj

@@ -159,6 +159,8 @@
     (query-all-accounts tx))
   (-delete-admin-account! [_ tx input]
     (delete-admin-account! tx input))
+  (-update-admin-password! [_ tx input]
+    (update-admin-password! tx input))
   (-query-account [_ tx input]
     (query-account tx input))
   (-query-account-oidc [_ tx input]

src/db/postgres/lrsql/postgres/sql/query.sql

@@ -237,9 +237,11 @@ WHERE activity_iri = :activity-iri
 -- :name query-account
 -- :command :query
 -- :result :one
--- :doc Given an account `username`, return the ID and the hashed password, which can be used to verify the account.
+-- :doc Given an account `username` or `account-id`, return the ID and the hashed password, which can be used to verify the account.
 SELECT id, passhash FROM admin_account
-WHERE username = :username;
+--~ (when (:username params)   "WHERE username = :username")
+--~ (when (:account-id params) "WHERE id = :account-id")
+;
 
 -- :name query-account-oidc
 -- :command :query

src/db/postgres/lrsql/postgres/sql/update.sql

@@ -67,3 +67,12 @@ SET
   last_modified = :last-modified
 WHERE profile_id = :profile-id
 AND activity_iri = :activity-iri;
+
+-- :name update-admin-password!
+-- :command :execute
+-- :result :affected
+-- :doc Update the `passhash` of an admin account.
+UPDATE admin_account
+SET
+  passhash = :new-passhash
+WHERE id = :account-id;

src/db/sqlite/lrsql/sqlite/record.clj

@@ -187,6 +187,8 @@
     (query-all-accounts tx))
   (-delete-admin-account! [_ tx input]
     (delete-admin-account! tx input))
+  (-update-admin-password! [_ tx input]
+    (update-admin-password! tx input))
   (-query-account [_ tx input]
     (query-account tx input))
   (-query-account-oidc [_ tx input]

src/db/sqlite/lrsql/sqlite/sql/query.sql

@@ -215,9 +215,10 @@ WHERE activity_iri = :activity-iri
 -- :name query-account
 -- :command :query
 -- :result :one
--- :doc Given an account `username`, return the ID and the hashed password, which can be used to verify the account.
+-- :doc Given an account `username` or `account-id`, return the ID and the hashed password, which can be used to verify the account.
 SELECT id, passhash FROM admin_account
-WHERE username = :username
+--~ (when (:username params)   "WHERE username = :username")
+--~ (when (:account-id params) "WHERE id = :account-id")
 
 -- :name query-account-oidc
 -- :command :query

src/db/sqlite/lrsql/sqlite/sql/update.sql

@@ -62,3 +62,12 @@ SET
   last_modified = :last-modified
 WHERE profile_id = :profile-id
 AND activity_iri = :activity-iri
+
+-- :name update-admin-password!
+-- :command :execute
+-- :result :affected
+-- :doc Update the `passhash` of an admin account.
+UPDATE admin_account
+SET
+  passhash = :new-passhash
+WHERE id = :account-id

src/main/lrsql/admin/interceptors/account.clj

@@ -32,6 +32,31 @@
                 (assoc ::data acc-info)
                 (assoc-in [:request :session ::data] acc-info))))))}))
 
+
+(def validate-update-password-params
+  "Validate that the JSON params contain the params `old-password`
+   and `new-password` for password update. Also validates that `old-password`
+   `new-password` do not match."
+  (interceptor
+   {:name ::validate-update-password-params
+    :enter
+    (fn validate-params [ctx]
+      (let [params (get-in ctx [:request :json-params])]
+        (if-some [err (s/explain-data
+                       ads/update-admin-password-params-spec params)]
+          ;; Invalid parameters - Bad Request
+          (assoc (chain/terminate ctx)
+                 :response
+                 {:status 400
+                  :body   {:error (format "Invalid parameters:\n%s"
+                                          (-> err s/explain-out with-out-str))}})
+          ;; Valid params - continue
+          (let [update-info (select-keys params
+                                         [:old-password :new-password])]
+            (-> ctx
+                (assoc ::data update-info)
+                (assoc-in [:request :session ::data] update-info))))))}))
+
 (def validate-delete-params
   "Validate that the JSON params contain `account-id` for delete."
   (interceptor
@@ -121,6 +146,43 @@
                   :body   {:error (format "An account \"%s\" already exists!"
                                           username)}}))))}))
 
+(def update-admin-password
+  "Set a new password for an admin account."
+  (interceptor
+   {:name ::update-admin-password
+    :enter
+    (fn update-admin-password [ctx]
+      (let [{lrs
+             :com.yetanalytics/lrs
+             {:keys [old-password new-password]}
+             ::data
+             {:keys [account-id]}
+             :lrsql.admin.interceptors.jwt/data}
+            ctx
+            {:keys [result]}
+            (adp/-update-admin-password lrs account-id old-password new-password)]
+        (cond
+          ;; The result is the account ID - success!
+          (uuid? result)
+          (assoc ctx
+                 :response
+                 {:status 200 :body {:account-id result}})
+
+          ;; The given account-id does not belong to a known account
+          (= :lrsql.admin/missing-account-error result)
+          (assoc (chain/terminate ctx)
+                 :response
+                 {:status 404
+                  :body   {:error (format "The account \"%s\" does not exist!"
+                                          (u/uuid->str account-id))}})
+
+          ;; The old password is not correct.
+          (= :lrsql.admin/invalid-password-error result)
+          (assoc (chain/terminate ctx)
+                 :response
+                 {:status 401
+                  :body   {:error "Invalid Account Credentials"}}))))}))
+
 (def delete-admin
   "Delete the selected admin account. This is a hard delete."
   (interceptor

src/main/lrsql/admin/protocol.clj

@@ -12,7 +12,9 @@
   (-delete-account [this account-id oidc-enabled?]
     "Delete the account and all associated creds. Assumes the account has already been authenticated. Requires OIDC status to prevent sole account deletion.")
   (-ensure-account-oidc [this username oidc-issuer]
-    "Create or verify an existing admin account with the given username and oidc-issuer."))
+    "Create or verify an existing admin account with the given username and oidc-issuer.")
+  (-update-admin-password [this account-id old-password new-password]
+    "Update the password for an admin account given old and new passwords."))
 
 (defprotocol APIKeyManager
   (-create-api-keys [this account-id scopes]

src/main/lrsql/admin/routes.clj

@@ -34,6 +34,13 @@
                                          ji/validate-jwt-account
                                          ai/create-admin)
      :route-name :lrsql.admin.account/create]
+    ;; Update account password
+    ["/admin/account/password"
+     :put (conj common-interceptors
+                ai/validate-update-password-params
+                (ji/validate-jwt jwt-secret jwt-leeway)
+                ji/validate-jwt-account
+                ai/update-admin-password)]
     ;; Get all accounts
     ["/admin/account" :get (conj common-interceptors
                                  (ji/validate-jwt jwt-secret jwt-leeway)

src/main/lrsql/backend/protocol.clj

@@ -91,6 +91,7 @@
   (-insert-admin-account! [this tx input])
   (-insert-admin-account-oidc! [this tx input])
   (-delete-admin-account! [this tx input])
+  (-update-admin-password! [this tx input])
   ;; Queries
   (-query-account [this tx input])
   (-query-account-oidc [this tx input])

src/main/lrsql/input/admin.clj

@@ -68,3 +68,25 @@
   [username password]
   {:username username
    :password password})
+
+(s/fdef query-validate-admin-by-id-input
+  :args (s/cat :account-id ::ads/account-id :password ::ads/password)
+  :ret ads/query-validate-admin-by-id-input-spec)
+
+(defn query-validate-admin-by-id-input
+  "Given `account-id` and `password`, construct the input param map for
+   `query-validate-admin-by-id`."
+  [account-id password]
+  {:account-id account-id
+   :password   password})
+
+(s/fdef update-admin-password-input
+  :args (s/cat :account-id ::ads/account-id :new-password ::ads/new-password)
+  :ret ads/update-admin-password-input-spec)
+
+(defn update-admin-password-input
+  "Given `account-id` and `new-password`, construct the input
+   param map for `update-admin-password`."
+  [account-id new-password]
+  {:account-id   account-id
+   :new-passhash (adu/hash-password new-password)})

src/main/lrsql/ops/command/admin.clj

@@ -59,6 +59,25 @@
        :lrsql.admin/sole-admin-delete-error)
      :lrsql.admin/missing-account-error)})
 
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Admin Account Update Password
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(s/fdef update-admin-password!
+  :args (s/cat :bk ads/admin-backend?
+               :tx transaction?
+               :input ads/update-admin-password-input-spec)
+  :ret ads/update-admin-password-ret-spec)
+
+(defn update-admin-password!
+  "Update the password of an admin account. Returns a map where `:result` is the
+   account ID."
+  [bk tx input]
+  {:result
+   (let [{:keys [id]} (bp/-query-account bk tx input)]
+     (bp/-update-admin-password! bk tx input)
+     id)})
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Ensure Admin Account from OIDC
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

src/main/lrsql/ops/query/admin.clj

@@ -10,12 +10,14 @@
 (s/fdef query-validate-admin
   :args (s/cat :bk ads/admin-backend?
                :tx transaction?
-               :input ads/query-validate-admin-input-spec)
+               :input (s/or
+                       :by-username ads/query-admin-input-spec
+                       :by-id ads/query-admin-by-id-input-spec))
   :ret ads/query-admin-ret-spec)
 
 (defn query-admin
-  "Query an admin account with the given username and password. Returns
-   a map containing `:account-id` and `:passhash` on success, or nil on
+  "Query an admin account with the given username (or account-id) and password.
+   Returns a map containing `:account-id` and `:passhash` on success, or nil on
    failure."
   [bk tx input]
   (when-some [{account-id :id
@@ -33,7 +35,9 @@
 (s/fdef query-validate-admin
   :args (s/cat :bk ads/admin-backend?
                :tx transaction?
-               :input ads/query-validate-admin-input-spec)
+               :input (s/or
+                       :by-username ads/query-validate-admin-input-spec
+                       :by-id ads/query-validate-admin-by-id-input-spec))
   :ret ads/query-validate-admin-ret-spec)
 
 (defn query-validate-admin

src/main/lrsql/spec/admin.clj

@@ -31,6 +31,11 @@
 (s/def :lrsql.spec.admin.ret/oidc-issuer (s/nilable string?))
 ;; boolean to indicate whether OIDC is enabled
 (s/def :lrsql.spec.admin.input/oidc-enabled? boolean?)
+;; Update password params
+(s/def ::old-password ::password)
+(s/def ::new-password ::password)
+;; Update password input
+(s/def :lrsql.spec.admin.input/new-passhash :lrsql.spec.admin.input/passhash)
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Inputs
@@ -43,6 +48,15 @@
 (def admin-delete-params-spec
   (s/keys :req-un [::account-id]))
 
+(def update-admin-password-params-spec
+  (s/and
+   (s/keys :req-un [::old-password
+                    ::new-password])
+   (fn new-pass-noteq-old-pass
+     [{:keys [old-password
+              new-password]}]
+     (not= old-password new-password))))
+
 (def insert-admin-input-spec
   (s/keys :req-un [::c/primary-key
                    ::username
@@ -57,17 +71,33 @@
                    ::username
                    :lrsql.spec.admin.input/oidc-issuer]))
 
+(def query-admin-input-spec
+  (s/keys :req-un [::username
+                   ::password]))
+
+(def query-admin-by-id-input-spec
+  (s/keys :req-un [::account-id
+                   ::password]))
+
 (def query-validate-admin-input-spec
   (s/keys :req-un [::username
                    ::password]))
 
+(def query-validate-admin-by-id-input-spec
+  (s/keys :req-un [::account-id
+                   ::password]))
+
 (def admin-id-input-spec
   (s/keys :req-un [::account-id]))
 
 (def delete-admin-input-spec
   (s/merge admin-id-input-spec
            (s/keys :req-un [:lrsql.spec.admin.input/oidc-enabled?])))
 
+(def update-admin-password-input-spec
+  (s/keys :req-un [::account-id
+                   :lrsql.spec.admin.input/new-passhash]))
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;; Results
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -113,3 +143,8 @@
 
 (def query-validate-admin-ret-spec
   (s/keys :req-un [:lrsql.spec.admin.query/result]))
+
+(s/def :lrsql.spec.admin.update-password/result uuid?)
+
+(def update-admin-password-ret-spec
+  (s/keys :req-un [:lrsql.spec.admin.update-password/result]))

src/main/lrsql/system/lrs.clj

@@ -272,6 +272,19 @@
           input (admin-input/ensure-admin-oidc-input username oidc-issuer)]
       (jdbc/with-transaction [tx conn]
         (admin-cmd/ensure-admin-oidc! backend tx input))))
+  (-update-admin-password
+    [this account-id old-password new-password]
+    (let [conn       (lrs-conn this)
+          auth-input (admin-input/query-validate-admin-by-id-input
+                      account-id old-password)]
+      (jdbc/with-transaction [tx conn]
+        (let [{:keys [result]} (admin-q/query-validate-admin
+                                backend tx auth-input)]
+          (if (uuid? result)
+            (let [input (admin-input/update-admin-password-input
+                         account-id new-password)]
+              (admin-cmd/update-admin-password! backend tx input))
+            {:result result})))))
 
   adp/APIKeyManager
   (-create-api-keys