rust-lang · LawnGnome · Dec 18, 2024 · Dec 18, 2024 · Dec 19, 2024 · Dec 19, 2024
diff --git a/src/auth.rs b/src/auth.rs
@@ -18,6 +18,7 @@ pub struct AuthCheck {
     allow_token: bool,
     endpoint_scope: Option<EndpointScope>,
     crate_name: Option<String>,
+    only_admin: bool,
 }
 
 impl AuthCheck {
@@ -29,6 +30,7 @@ impl AuthCheck {
             allow_token: true,
             endpoint_scope: None,
             crate_name: None,
+            only_admin: false,
         }
     }
 
@@ -38,6 +40,7 @@ impl AuthCheck {
             allow_token: false,
             endpoint_scope: None,
             crate_name: None,
+            only_admin: false,
         }
     }
 
@@ -46,6 +49,7 @@ impl AuthCheck {
             allow_token: self.allow_token,
             endpoint_scope: Some(endpoint_scope),
             crate_name: self.crate_name.clone(),
+            only_admin: false,
         }
     }
 
@@ -54,9 +58,15 @@ impl AuthCheck {
             allow_token: self.allow_token,
             endpoint_scope: self.endpoint_scope,
             crate_name: Some(crate_name.to_string()),
+            only_admin: false,
         }
     }
 
+    pub fn require_admin(mut self) -> Self {
+        self.only_admin = true;
+        self
+    }
+
     #[instrument(name = "auth.check", skip_all)]
     pub async fn check(
         &self,
@@ -65,6 +75,15 @@ impl AuthCheck {
     ) -> AppResult<Authentication> {
         let auth = authenticate(parts, conn).await?;
 
+        if self.only_admin && !auth.user().is_admin {
+            let error_message = "User must be an admin to access this API";
+            parts.request_log().add("cause", error_message);
+
+            return Err(forbidden(
+                "this action can only be performed by a site admin",
+            ));
+        }
+
         if let Some(token) = auth.api_token() {
             if !self.allow_token {
                 let error_message =

diff --git a/src/controllers/user.rs b/src/controllers/user.rs
@@ -1,3 +1,4 @@
+pub mod admin;
 pub mod email_notifications;
 pub mod email_verification;
 pub mod me;

diff --git a/src/controllers/user/admin.rs b/src/controllers/user/admin.rs
@@ -0,0 +1,185 @@
+use axum::{extract::Path, Json};
+use chrono::{NaiveDateTime, Utc};
+use crates_io_database::schema::{emails, users};
+use diesel::{pg::Pg, prelude::*};
+use diesel_async::{scoped_futures::ScopedFutureExt, AsyncConnection, RunQueryDsl};
+use http::request::Parts;
+use utoipa::ToSchema;
+
+use crate::{
+    app::AppState, auth::AuthCheck, models::User, sql::lower, util::errors::AppResult,
+    util::rfc3339, views::EncodableAdminUser,
+};
+
+/// Find user by login, returning the admin's view of the user.
+///
+/// Only site admins can use this endpoint.
+#[utoipa::path(
+    get,
+    path = "/api/v1/users/{user}/admin",
+    params(
+        ("user" = String, Path, description = "Login name of the user"),
+    ),
+    tags = ["admin", "users"],
+    responses((status = 200, description = "Successful Response")),
+)]
+pub async fn get(
+    state: AppState,
+    Path(user_name): Path<String>,
+    req: Parts,
+) -> AppResult<Json<EncodableAdminUser>> {
+    let mut conn = state.db_read_prefer_primary().await?;
+    AuthCheck::only_cookie()
+        .require_admin()
+        .check(&req, &mut conn)
+        .await?;
+
+    get_user(
+        |query| query.filter(lower(users::gh_login).eq(lower(user_name))),
+        &mut conn,
+    )
+    .await
+    .map(Json)
+}
+
+#[derive(Deserialize, ToSchema)]
+pub struct LockRequest {
+    /// The reason for locking the account. This is visible to the user.
+    reason: String,
+
+    /// When to lock the account until. If omitted, the lock will be indefinite.
+    #[serde(default, with = "rfc3339::option")]
+    until: Option<NaiveDateTime>,
+}
+
+/// Lock the given user.
+///
+/// Only site admins can use this endpoint.
+#[utoipa::path(
+    put,
+    path = "/api/v1/users/{user}/lock",
+    params(
+        ("user" = String, Path, description = "Login name of the user"),
+    ),
+    request_body = LockRequest,
+    tags = ["admin", "users"],
+    responses((status = 200, description = "Successful Response")),
+)]
+pub async fn lock(
+    state: AppState,
+    Path(user_name): Path<String>,
+    req: Parts,
+    Json(LockRequest { reason, until }): Json<LockRequest>,
+) -> AppResult<Json<EncodableAdminUser>> {
+    let mut conn = state.db_read_prefer_primary().await?;
+    AuthCheck::only_cookie()
+        .require_admin()
+        .check(&req, &mut conn)
+        .await?;
+
+    // In theory, we could cook up a complicated update query that returns
+    // everything we need to build an `EncodableAdminUser`, but that feels hard.
+    // Instead, let's use a small transaction to get the same effect.
+    let user = conn
+        .transaction(|conn| {
+            async move {
+                let id = diesel::update(users::table)
+                    .filter(lower(users::gh_login).eq(lower(user_name)))
+                    .set((
+                        users::account_lock_reason.eq(reason),
+                        users::account_lock_until.eq(until),
+                    ))
+                    .returning(users::id)
+                    .get_result::<i32>(conn)
+                    .await?;
+
+                get_user(|query| query.filter(users::id.eq(id)), conn).await
+            }
+            .scope_boxed()
+        })
+        .await?;
+
+    Ok(Json(user))
+}
+
+/// Unlock the given user.
+///
+/// Only site admins can use this endpoint.
+#[utoipa::path(
+    delete,
+    path = "/api/v1/users/{user}/lock",
+    params(
+        ("user" = String, Path, description = "Login name of the user"),
+    ),
+    tags = ["admin", "users"],
+    responses((status = 200, description = "Successful Response")),
+)]
+pub async fn unlock(
+    state: AppState,
+    Path(user_name): Path<String>,
+    req: Parts,
+) -> AppResult<Json<EncodableAdminUser>> {
+    let mut conn = state.db_read_prefer_primary().await?;
+    AuthCheck::only_cookie()
+        .require_admin()
+        .check(&req, &mut conn)
+        .await?;
+
+    // Again, let's do this in a transaction, even though we _technically_ don't
+    // need to.
+    let user = conn
+        .transaction(|conn| {
+            // Although this is called via the `DELETE` method, this is
+            // implemented as a soft deletion by setting the lock until time to
+            // now, thereby allowing us to have some sense of history of whether
+            // an account has been locked in the past.
+            async move {
+                let id = diesel::update(users::table)
+                    .filter(lower(users::gh_login).eq(lower(user_name)))
+                    .set(users::account_lock_until.eq(Utc::now().naive_utc()))
+                    .returning(users::id)
+                    .get_result::<i32>(conn)
+                    .await?;
+
+                get_user(|query| query.filter(users::id.eq(id)), conn).await
+            }
+            .scope_boxed()
+        })
+        .await?;
+
+    Ok(Json(user))
+}
+
+/// A helper to get an [`EncodableAdminUser`] based on whatever filter predicate
+/// is provided in the callback.
+///
+/// It would be ill advised to do anything in `filter` other than calling
+/// [`QueryDsl::filter`] on the given query, but I'm not the boss of you.
+async fn get_user<Conn, F>(filter: F, conn: &mut Conn) -> AppResult<EncodableAdminUser>
+where
+    Conn: AsyncConnection<Backend = Pg>,
+    F: FnOnce(users::BoxedQuery<'_, Pg>) -> users::BoxedQuery<'_, Pg>,
+{
+    let query = filter(users::table.into_boxed());
+
+    let (user, verified, email, verification_sent): (User, Option<bool>, Option<String>, bool) =
+        query
+            .left_join(emails::table)
+            .select((
+                User::as_select(),
+                emails::verified.nullable(),
+                emails::email.nullable(),
+                emails::token_generated_at.nullable().is_not_null(),
+            ))
+            .first(conn)
+            .await?;
+
+    let verified = verified.unwrap_or(false);
+    let verification_sent = verified || verification_sent;
+    Ok(EncodableAdminUser::from(
+        user,
+        email,
+        verified,
+        verification_sent,
+    ))
+}
diff --git a/src/router.rs b/src/router.rs
@@ -61,6 +61,8 @@ pub fn build_axum_router(state: AppState) -> Router<()> {
         .routes(routes!(team::find_team))
         .routes(routes!(user::me::get_authenticated_user))
         .routes(routes!(user::me::get_authenticated_user_updates))
+        .routes(routes!(user::admin::get))
+        .routes(routes!(user::admin::lock, user::admin::unlock))
         .routes(routes!(token::list_api_tokens, token::create_api_token))
         .routes(routes!(token::find_api_token, token::revoke_api_token))
         .routes(routes!(token::revoke_current_api_token))

diff --git a/src/snapshots/crates_io__openapi__tests__openapi_snapshot.snap b/src/snapshots/crates_io__openapi__tests__openapi_snapshot.snap
@@ -1,10 +1,32 @@
 ---
 source: src/openapi.rs
 expression: response.json()
-snapshot_kind: text
 ---
 {
-  "components": {},
+  "components": {
+    "schemas": {
+      "LockRequest": {
+        "properties": {
+          "reason": {
+            "description": "The reason for locking the account. This is visible to the user.",
+            "type": "string"
+          },
+          "until": {
+            "description": "When to lock the account until. If omitted, the lock will be indefinite.",
+            "format": "date-time",
+            "type": [
+              "string",
+              "null"
+            ]
+          }
+        },
+        "required": [
+          "reason"
+        ],
+        "type": "object"
+      }
+    }
+  },
   "info": {
     "contact": {
       "email": "[email protected]",
@@ -1650,6 +1672,95 @@ snapshot_kind: text
           "users"
         ]
       }
+    },
+    "/api/v1/users/{user}/admin": {
+      "get": {
+        "description": "Only site admins can use this endpoint.",
+        "operationId": "get",
+        "parameters": [
+          {
+            "description": "Login name of the user",
+            "in": "path",
+            "name": "user",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Successful Response"
+          }
+        },
+        "summary": "Find user by login, returning the admin's view of the user.",
+        "tags": [
+          "admin",
+          "users"
+        ]
+      }
+    },
+    "/api/v1/users/{user}/lock": {
+      "delete": {
+        "description": "Only site admins can use this endpoint.",
+        "operationId": "unlock",
+        "parameters": [
+          {
+            "description": "Login name of the user",
+            "in": "path",
+            "name": "user",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Successful Response"
+          }
+        },
+        "summary": "Unlock the given user.",
+        "tags": [
+          "admin",
+          "users"
+        ]
+      },
+      "put": {
+        "description": "Only site admins can use this endpoint.",
+        "operationId": "lock",
+        "parameters": [
+          {
+            "description": "Login name of the user",
+            "in": "path",
+            "name": "user",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/LockRequest"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "Successful Response"
+          }
+        },
+        "summary": "Lock the given user.",
+        "tags": [
+          "admin",
+          "users"
+        ]
+      }
     }
   },
   "servers": [