Merge pull request #195 from NethServer/account-management-api

ns-api: added ns.account api

packages/ns-api/Makefile

@@ -6,7 +6,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ns-api
-PKG_VERSION:=0.0.11
+PKG_VERSION:=0.0.12
 PKG_RELEASE:=1
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/ns-api-$(PKG_VERSION)
@@ -103,6 +103,8 @@ define Package/ns-api/install
 	$(INSTALL_DATA) ./files/ns.dpi.json $(1)/usr/share/rpcd/acl.d/
 	$(INSTALL_BIN) ./files/ns.storage $(1)/usr/libexec/rpcd/
 	$(INSTALL_DATA) ./files/ns.storage.json $(1)/usr/share/rpcd/acl.d/
+	$(INSTALL_BIN) ./files/ns.account $(1)/usr/libexec/rpcd/
+	$(INSTALL_DATA) ./files/ns.account.json $(1)/usr/share/rpcd/acl.d/
 	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
 	$(INSTALL_CONF) files/msmtp.keep $(1)/lib/upgrade/keep.d/msmtp
 	$(LN) /usr/bin/msmtp $(1)/usr/sbin/sendmail

packages/ns-api/README.md

@@ -2434,3 +2434,23 @@ Example response:
 ```
 
 **Notes**: returning strings are syslog formatted, be aware of it if any parsing is needed.
+
+## ns.account
+
+Manage accounts.
+
+### set-password
+
+Allow to change the user password.
+
+**WARNING**: due to how OpenWRT handles loging, if you change the password to the `root` user, you will also change the
+password for the shell access.
+
+```bash
+api-cli ns.account set-password --data '{"username": "john", "password": "CoolNewPassword123!!"}'
+```
+
+Parameter list:
+
+- `username`: target to change the password to, must be present inside `rpcd` configuration
+- `password`: password to set to the user

packages/ns-api/files/ns.account

@@ -0,0 +1,59 @@
+#!/usr/bin/python3
+
+#
+# Copyright (C) 2023 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-2.0-only
+#
+
+import json
+import subprocess
+import sys
+
+from euci import EUci
+from nethsec import utils
+
+cmd = sys.argv[1]
+
+if cmd == 'list':
+    print(json.dumps({
+        'set-password': {
+            'username': 'str',
+            'password': 'str'
+        }
+    }))
+elif cmd == 'call':
+    action = sys.argv[2]
+    e_uci = EUci()
+    if action == 'set-password':
+        try:
+            data = json.JSONDecoder().decode(sys.stdin.read())
+            user_list = utils.get_all_by_type(e_uci, 'rpcd', 'login')
+            # check if username is inside config
+            if data['username'] not in [user['username'] for user in user_list.values()]:
+                raise utils.ValidationError('username', 'invalid', data['username'])
+
+            # if user is not root, change rpcd config
+            if data['username'] != 'root':
+                for user_key, user in user_list.items():
+                    if user['username'] == data['username']:
+                        password_hash = subprocess.run(['uhttpd', '-m', data['password']], check=True,
+                                                       capture_output=True)
+                        e_uci.set('rpcd', user_key, 'password', password_hash.stdout.decode('utf-8').strip('\n'))
+                        e_uci.save('rpcd')
+                        e_uci.commit('rpcd')
+                        break
+
+            else:
+                # otherwise, change `passwd` file using pre-existing ubus call
+                subprocess.run(['ubus', 'call', 'luci', 'setPassword', json.dumps({
+                    'username': data['username'],
+                    'password': data['password']
+                })], capture_output=True, check=True)
+
+            print(json.dumps({'message': 'success'}))
+        except KeyError as ex:
+            print(json.dumps(utils.validation_error(ex.args[0], 'required')))
+        except utils.ValidationError as ex:
+            print(json.dumps(utils.validation_error(ex.parameter, ex.message, ex.value)))
+        except subprocess.CalledProcessError as ex:
+            print(json.dumps(utils.generic_error(f'subprocess {ex.cmd[0]} failed')))

packages/ns-api/files/ns.account.json

@@ -0,0 +1,13 @@
+{
+  "account-manager": {
+    "description": "Account Manager",
+    "write": {},
+    "read": {
+      "ubus": {
+        "ns.account": [
+          "*"
+        ]
+      }
+    }
+  }
+}