server: Add an option to force reset the admin password

2023-12-21 13:54:46 +01:00 · 2023-12-21 13:54:46 +01:00 · ff0ea51121
parent 9ac96e8c6e
commit ff0ea51121
4 changed files with 28 additions and 0 deletions
--- a/lldap_config.docker_template.toml
+++ b/lldap_config.docker_template.toml
@ -78,6 +78,12 @@
 ## is just the default one.
 #ldap_user_pass = "REPLACE_WITH_PASSWORD"

+## Force reset of the admin password.
+## Break glass in case of emergency: if you lost the admin password, you
+## can set this to true to force a reset of the admin password to the value
+## of ldap_user_pass above.
+# force_reset_admin_password = false
+
 ## Database URL.
 ## This encodes the type of database (SQlite, MySQL, or PostgreSQL)
 ## , the path, the user, password, and sometimes the mode (when
--- a/server/src/infra/cli.rs
+++ b/server/src/infra/cli.rs
@ -89,6 +89,10 @@ pub struct RunOpts {
    #[clap(short, long, env = "LLDAP_DATABASE_URL")]
    pub database_url: Option<String>,

+    /// Force admin password reset to the config value.
+    #[clap(short, long, env = "LLDAP_FORCE_LADP_USER_PASS_RESET")]
+    pub force_ldap_user_pass_reset: Option<bool>,
+
    #[clap(flatten)]
    pub smtp_opts: SmtpOpts,

--- a/server/src/infra/configuration.rs
+++ b/server/src/infra/configuration.rs
@ -83,6 +83,8 @@ pub struct Configuration {
    pub ldap_user_email: String,
    #[builder(default = r#"SecUtf8::from("password")"#)]
    pub ldap_user_pass: SecUtf8,
+    #[builder(default = "false")]
+    pub force_ldap_user_pass_reset: bool,
    #[builder(default = r#"String::from("sqlite://users.db?mode=rwc")"#)]
    pub database_url: String,
    #[builder(default)]
@ -244,6 +246,10 @@ impl ConfigOverrider for RunOpts {
        if let Some(database_url) = self.database_url.as_ref() {
            config.database_url = database_url.to_string();
        }
+
+        if let Some(force_ldap_user_pass_reset) = self.force_ldap_user_pass_reset {
+            config.force_ldap_user_pass_reset = force_ldap_user_pass_reset;
+        }
        self.smtp_opts.override_config(config);
        self.ldaps_opts.override_config(config);
    }
--- a/server/src/main.rs
+++ b/server/src/main.rs
@ -107,6 +107,18 @@ async fn set_up_server(config: Configuration) -> Result<ServerBuilder> {
            .await
            .map_err(|e| anyhow!("Error setting up admin login/account: {:#}", e))
            .context("while creating the admin user")?;
+    } else if config.force_ldap_user_pass_reset {
+        warn!("Forcing admin password reset to the config-provided password");
+        register_password(
+            &backend_handler,
+            &config.ldap_user_dn,
+            &config.ldap_user_pass,
+        )
+        .await
+        .context(format!(
+            "while resetting admin password for {}",
+            &config.ldap_user_dn
+        ))?;
    }
    let server_builder = infra::ldap_server::build_ldap_server(
        &config,