feat: support user password resets

src/config.rs

@@ -68,6 +68,8 @@ pub struct Config {
     #[serde(default = "default_turn_ttl")]
     pub turn_ttl: u64,
 
+    pub emergency_password: Option<String>,
+
     #[serde(flatten)]
     pub catchall: BTreeMap<String, IgnoredAny>,
 }

src/database.rs

@@ -19,7 +19,14 @@ use abstraction::DatabaseEngine;
 use directories::ProjectDirs;
 use futures_util::{stream::FuturesUnordered, StreamExt};
 use lru_cache::LruCache;
-use ruma::{DeviceId, EventId, RoomId, UserId};
+use ruma::{
+    events::{
+        push_rules::PushRulesEventContent, room::message::RoomMessageEventContent, EventType,
+        GlobalAccountDataEvent,
+    },
+    push::Ruleset,
+    DeviceId, EventId, RoomId, UserId,
+};
 use std::{
     collections::{BTreeMap, HashMap, HashSet},
     fs::{self, remove_dir_all},
@@ -747,6 +754,23 @@ impl Database {
         guard.rooms.edus.presenceid_presence.clear()?;
 
         guard.admin.start_handler(Arc::clone(&db), admin_receiver);
+
+        // Set emergency access for the conduit user
+        match set_emergency_access(&guard) {
+            Ok(pwd_set) => {
+                if pwd_set {
+                    warn!("The Conduit account emergency password is set! Please unset it as soon as you finish admin account recovery!");
+                    guard.admin.send_message(RoomMessageEventContent::text_plain("The Conduit account emergency password is set! Please unset it as soon as you finish admin account recovery!"));
+                }
+            }
+            Err(e) => {
+                error!(
+                    "Could not set the configured emergency password for the conduit user: {}",
+                    e
+                )
+            }
+        };
+
         guard
             .sending
             .start_handler(Arc::clone(&db), sending_receiver);
@@ -928,6 +952,32 @@ impl Database {
     }
 }
 
+/// Sets the emergency password and push rules for the @conduit account in case emergency password is set
+fn set_emergency_access(db: &Database) -> Result<bool> {
+    let conduit_user = UserId::parse_with_server_name("conduit", db.globals.server_name())
+        .expect("@conduit:server_name is a valid UserId");
+
+    db.users
+        .set_password(&conduit_user, db.globals.emergency_password().as_deref())?;
+
+    let (ruleset, res) = match db.globals.emergency_password() {
+        Some(_) => (Ruleset::server_default(&conduit_user), Ok(true)),
+        None => (Ruleset::new(), Ok(false)),
+    };
+
+    db.account_data.update(
+        None,
+        &conduit_user,
+        EventType::PushRules,
+        &GlobalAccountDataEvent {
+            content: PushRulesEventContent { global: ruleset },
+        },
+        &db.globals,
+    )?;
+
+    res
+}
+
 pub struct DatabaseGuard(OwnedRwLockReadGuard<Database>);
 
 impl Deref for DatabaseGuard {

src/database/admin.rs

@@ -8,7 +8,7 @@ use std::{
 use crate::{
     error::{Error, Result},
     pdu::PduBuilder,
-    server_server,
+    server_server, utils,
     utils::HtmlEscape,
     Database, PduEvent,
 };
@@ -262,6 +262,12 @@ enum AdminCommand {
 
     /// Show configuration values
     ShowConfig,
+
+    /// Reset user password
+    ResetPassword {
+        /// Username of the user for whom the password should be reset
+        username: String,
+    },
 }
 
 fn process_admin_command(
@@ -435,6 +441,45 @@ fn process_admin_command(
             // Construct and send the response
             RoomMessageEventContent::text_plain(format!("{}", db.globals.config))
         }
+        AdminCommand::ResetPassword { username } => {
+            let user_id = match UserId::parse_with_server_name(
+                username.as_str().to_lowercase(),
+                db.globals.server_name(),
+            ) {
+                Ok(id) => id,
+                Err(e) => {
+                    return Ok(RoomMessageEventContent::text_plain(format!(
+                        "The supplied username is not a valid username: {}",
+                        e
+                    )))
+                }
+            };
+
+            // Check if the specified user is valid
+            if !db.users.exists(&user_id)?
+                || db.users.is_deactivated(&user_id)?
+                || user_id
+                    == UserId::parse_with_server_name("conduit", db.globals.server_name())
+                        .expect("conduit user exists")
+            {
+                return Ok(RoomMessageEventContent::text_plain(
+                    "The specified user does not exist or is deactivated!",
+                ));
+            }
+
+            let new_password = utils::random_string(20);
+
+            match db.users.set_password(&user_id, Some(new_password.as_str())) {
+                Ok(()) => RoomMessageEventContent::text_plain(format!(
+                    "Successfully reset the password for user {}: {}",
+                    user_id, new_password
+                )),
+                Err(e) => RoomMessageEventContent::text_plain(format!(
+                    "Couldn't reset the password for user {}: {}",
+                    user_id, e
+                )),
+            }
+        }
     };
 
     Ok(reply_message_content)

src/database/globals.rs

@@ -264,6 +264,10 @@ impl Globals {
         &self.config.turn_secret
     }
 
+    pub fn emergency_password(&self) -> &Option<String> {
+        &self.config.emergency_password
+    }
+
     /// TODO: the key valid until timestamp is only honored in room version > 4
     /// Remove the outdated keys and insert the new ones.
     ///

src/database/rooms.rs

@@ -1491,7 +1491,11 @@ impl Rooms {
                     let server_user = format!("@conduit:{}", db.globals.server_name());
 
                     let to_conduit = body.starts_with(&format!("{}: ", server_user));
-                    let from_conduit = pdu.sender == server_user;
+
+                    // This will evaluate to false if the emergency password is set up so that
+                    // the administrator can execute commands as conduit
+                    let from_conduit =
+                        pdu.sender == server_user && db.globals.emergency_password().is_none();
 
                     if to_conduit && !from_conduit && admin_room.as_ref() == Some(&pdu.room_id) {
                         db.admin.process_message(body.to_string());