Add UserServlet and admin_api scope

lib/msf/core/db_manager/http/metasploit_api_app.rb

@@ -22,6 +22,7 @@ require 'msf/core/db_manager/http/servlet/credential_servlet'
 require 'msf/core/db_manager/http/servlet/nmap_servlet'
 require 'msf/core/db_manager/http/servlet/db_export_servlet'
 require 'msf/core/db_manager/http/servlet/vuln_attempt_servlet'
+require 'msf/core/db_manager/http/servlet/user_servlet'
 
 class MetasploitApiApp < Sinatra::Base
   helpers ServletHelper
@@ -45,6 +46,7 @@ class MetasploitApiApp < Sinatra::Base
   register NmapServlet
   register DbExportServlet
   register VulnAttemptServlet
+  register UserServlet
 
   configure do
     set :sessions, {key: 'msf-ws.session', expire_after: 300}
@@ -54,6 +56,7 @@ class MetasploitApiApp < Sinatra::Base
   before do
     # store DBManager in request environment so that it is available to Warden
     request.env['DBManager'] = get_db
+    request.env['AuthInitialized'] ||= get_db.users({}).count > 0
   end
 
   use Warden::Manager do |config|
@@ -78,6 +81,14 @@ class MetasploitApiApp < Sinatra::Base
                           strategies: [:api_token],
                           # action (route) of the failure application
                           action: AuthServlet.api_unauthenticated_path
+
+    config.scope_defaults :admin_api,
+                          # whether to persist the result in the session or not
+                          store: false,
+                          # list of strategies to use
+                          strategies: [:admin_api_token],
+                          # action (route) of the failure application
+                          action: AuthServlet.api_unauthenticated_path
   end
 
 end

lib/msf/core/db_manager/http/servlet/user_servlet.rb

@@ -0,0 +1,78 @@
+module UserServlet
+
+  def self.api_path
+    '/api/v1/user'
+  end
+
+  def self.api_path_with_id
+    "#{UserServlet.api_path}/?:id?"
+  end
+
+  def self.registered(app)
+    app.get UserServlet.api_path_with_id, &get_user
+    app.post UserServlet.api_path, &report_user
+    app.put UserServlet.api_path_with_id, &update_user
+    app.delete UserServlet.api_path, &delete_user
+  end
+
+  #######
+  private
+  #######
+
+  def self.get_user
+    lambda {
+      warden.authenticate!(scope: :admin_api)
+      begin
+        opts = parse_json_request(request, false)
+        sanitized_params = sanitize_params(params)
+        data = get_db.users(sanitized_params)
+        set_json_response(data)
+      rescue => e
+        set_error_on_response(e)
+      end
+    }
+  end
+
+  def self.report_user
+    lambda {
+      warden.authenticate!(scope: :admin_api)
+      begin
+        job = lambda { |opts|
+          get_db.report_user(opts)
+        }
+        exec_report_job(request, &job)
+      rescue => e
+        set_error_on_response(e)
+      end
+    }
+  end
+
+  def self.update_user
+    lambda {
+      warden.authenticate!(scope: :admin_api)
+      begin
+        opts = parse_json_request(request, false)
+        tmp_params = sanitize_params(params)
+        opts[:id] = tmp_params[:id] if tmp_params[:id]
+        data = get_db.update_user(opts)
+        set_json_response(data)
+      rescue => e
+        set_error_on_response(e)
+      end
+    }
+  end
+
+  def self.delete_user
+    lambda {
+      warden.authenticate!(scope: :admin_api)
+      begin
+        opts = parse_json_request(request, false)
+        data = get_db.delete_user(opts)
+        set_json_response(data)
+      rescue => e
+        set_error_on_response(e)
+      end
+    }
+  end
+
+end