feat: add userid_origin field in the database

2025-04-19 18:48:14 +02:00
parent bc9cf85807
commit 78a02edbbf
9 changed files with 61 additions and 26 deletions
--- a/src/service/admin/create.rs
+++ b/src/service/admin/create.rs
@@ -38,7 +38,7 @@ pub async fn create_admin_room(services: &Services) -> Result {

 	// Create a user for the server
 	let server_user = services.globals.server_user.as_ref();
-	services.users.create(server_user, None)?;
+	services.users.create(server_user, None, None).await?;

 	let create_content = {
 		use RoomVersionId::*;
--- a/src/service/emergency/mod.rs
+++ b/src/service/emergency/mod.rs
@@ -61,7 +61,8 @@ impl Service {

 		self.services
 			.users
-			.set_password(server_user, self.services.config.emergency_password.as_deref())?;
+			.set_password(server_user, self.services.config.emergency_password.as_deref())
+			.await?;

 		let (ruleset, pwd_set) = match self.services.config.emergency_password {
 			| Some(_) => (Ruleset::server_default(server_user), true),
--- a/src/service/rooms/state_cache/mod.rs
+++ b/src/service/rooms/state_cache/mod.rs
@@ -133,7 +133,7 @@ impl Service {
 		#[allow(clippy::collapsible_if)]
 		if !self.services.globals.user_is_local(user_id) {
 			if !self.services.users.exists(user_id).await {
-				self.services.users.create(user_id, None)?;
+				self.services.users.create(user_id, None, None).await?;
 			}

 			/*
--- a/src/service/users/mod.rs
+++ b/src/service/users/mod.rs
@@ -52,6 +52,7 @@ struct Data {
 	userid_lastonetimekeyupdate: Arc<Map>,
 	userid_masterkeyid: Arc<Map>,
 	userid_password: Arc<Map>,
+	userid_origin: Arc<Map>,
 	userid_selfsigningkeyid: Arc<Map>,
 	userid_usersigningkeyid: Arc<Map>,
 	useridprofilekey_value: Arc<Map>,
@@ -87,6 +88,7 @@ impl crate::Service for Service {
 				userid_lastonetimekeyupdate: args.db["userid_lastonetimekeyupdate"].clone(),
 				userid_masterkeyid: args.db["userid_masterkeyid"].clone(),
 				userid_password: args.db["userid_password"].clone(),
+				userid_origin: args.db["userid_origin"].clone(),
 				userid_selfsigningkeyid: args.db["userid_selfsigningkeyid"].clone(),
 				userid_usersigningkeyid: args.db["userid_usersigningkeyid"].clone(),
 				useridprofilekey_value: args.db["useridprofilekey_value"].clone(),
@@ -122,8 +124,17 @@ impl Service {

 	/// Create a new user account on this homeserver.
 	#[inline]
-	pub fn create(&self, user_id: &UserId, password: Option<&str>) -> Result<()> {
-		self.set_password(user_id, password)
+	pub async fn create(
+		&self,
+		user_id: &UserId,
+		password: Option<&str>,
+		origin: Option<&str>,
+	) -> Result<()> {
+		origin.map_or_else(
+			|| self.db.userid_origin.insert(user_id, "password"),
+			|origin| self.db.userid_origin.insert(user_id, origin),
+		);
+		self.set_password(user_id, password).await
 	}

 	/// Deactivate account
@@ -137,7 +148,7 @@ impl Service {
 		// result in an empty string, so the user will not be able to log in again.
 		// Systems like changing the password without logging in should check if the
 		// account is deactivated.
-		self.set_password(user_id, None)?;
+		self.set_password(user_id, None).await?;

 		// TODO: Unhook 3PID
 		Ok(())
@@ -209,6 +220,11 @@ impl Service {
 			.ready_filter_map(|(u, p): (&UserId, &[u8])| (!p.is_empty()).then_some(u))
 	}

+	/// Returns the origin of the user (password/LDAP/...).
+	pub async fn origin(&self, user_id: &UserId) -> Result<String> {
+		self.db.userid_origin.get(user_id).await.deserialized()
+	}
+
 	/// Returns the password hash for the given user.
 	pub async fn password_hash(&self, user_id: &UserId) -> Result<String> {
 		self.db
@@ -219,19 +235,30 @@ impl Service {
 	}

 	/// Hash and set the user's password to the Argon2 hash
-	pub fn set_password(&self, user_id: &UserId, password: Option<&str>) -> Result<()> {
-		password
-			.map(utils::hash::password)
-			.transpose()
-			.map_err(|e| {
-				err!(Request(InvalidParam("Password does not meet the requirements: {e}")))
-			})?
-			.map_or_else(
-				|| self.db.userid_password.insert(user_id, b""),
-				|hash| self.db.userid_password.insert(user_id, hash),
-			);
+	pub async fn set_password(&self, user_id: &UserId, password: Option<&str>) -> Result<()> {
+		if self
+			.db
+			.userid_origin
+			.get(user_id)
+			.await
+			.deserialized::<String>()?
+			== "ldap"
+		{
+			Err!(Request(InvalidParam("Cannot change password of a LDAP user")))
+		} else {
+			password
+				.map(utils::hash::password)
+				.transpose()
+				.map_err(|e| {
+					err!(Request(InvalidParam("Password does not meet the requirements: {e}")))
+				})?
+				.map_or_else(
+					|| self.db.userid_password.insert(user_id, b""),
+					|hash| self.db.userid_password.insert(user_id, hash),
+				);

-		Ok(())
+			Ok(())
+		}
 	}

 	/// Returns the displayname of a user on this homeserver.