authorChris Duarte <csduarte@users.noreply.github.com>2018-01-04 09:45:59 -0800
committerJoram Wilander <jwawilander@gmail.com>2018-01-04 12:45:59 -0500
commit5e78d7fe12a39e28a6520b023b0df0fc66a826d5 (patch)
treed4eacf4c02f5300917093efc13e73f9761c7756c /api4/user.go
parente5dad3cf681fb038ce5dd3dcf7b5468d59b8ea8e (diff)
Add admin update endpoint that can update authservice and authdata (#7842)
* add admin update endpoint that can update authservice and authdata * Control only SystemAdmin access * Refactored AdminUpdate endpoint to only be able to update AuthData, AuthService and Password by User.Id * Refactor to move `PUT /api/v4/users/{user_id}/auth`. Created a struct to hold UserAuth info.
Diffstat (limited to 'api4/user.go')
-rw-r--r--api4/user.go27
1 files changed, 27 insertions, 0 deletions
diff --git a/api4/user.go b/api4/user.go
index 6cb064f8c..0b07f8dc7 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -38,6 +38,8 @@ func (api *API) InitUser() {
api.BaseRoutes.Users.Handle("/email/verify", api.ApiHandler(verifyUserEmail)).Methods("POST")
api.BaseRoutes.Users.Handle("/email/verify/send", api.ApiHandler(sendVerificationEmail)).Methods("POST")
+ api.BaseRoutes.User.Handle("/auth", api.ApiSessionRequiredTrustRequester(updateUserAuth)).Methods("PUT")
+
api.BaseRoutes.Users.Handle("/mfa", api.ApiHandler(checkUserMfa)).Methods("POST")
api.BaseRoutes.User.Handle("/mfa", api.ApiSessionRequiredMfa(updateUserMfa)).Methods("PUT")
api.BaseRoutes.User.Handle("/mfa/generate", api.ApiSessionRequiredMfa(generateMfaSecret)).Methods("POST")
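Review bot: The added `/auth` route is registered with `api.ApiSessionRequiredTrustRequester`, while the state-changing `/mfa` routes just below it use `api.ApiSessionRequiredMfa`. If, as its name suggests, the trust-requester wrapper relaxes the requester (CSRF-style) check that the other session wrappers enforce, it is a poor fit for a PUT that rewrites a user's auth service, auth data and password and is always called on a system admin's session. Consider `api.BaseRoutes.User.Handle("/auth", api.ApiSessionRequired(updateUserAuth)).Methods("PUT")` (or the Mfa variant), with a short comment saying why that wrapper was chosen. The wrapper definitions and the rest of InitUser are outside this hunk, so this needs confirming against them.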
@@ -697,6 +699,31 @@ func updateUserActive(c *Context, w http.ResponseWriter, r *http.Request) {
}
}
+func updateUserAuth(c *Context, w http.ResponseWriter, r *http.Request) {
+ if !c.IsSystemAdmin() {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+ return
+ }
+
+ c.RequireUserId()
+ if c.Err != nil {
+ return
+ }
+
+ userAuth := model.UserAuthFromJson(r.Body)
+ if userAuth == nil {
+ c.SetInvalidParam("user")
+ return
+ }
+
+ if user, err := c.App.UpdateUserAuth(c.Params.UserId, userAuth); err != nil {
+ c.Err = err
+ } else {
+ c.LogAuditWithUserId(c.Params.UserId, fmt.Sprintf("updated user auth to service=%v", user.AuthService))
+ w.Write([]byte(user.ToJson()))
+ }
+}
+
func checkUserMfa(c *Context, w http.ResponseWriter, r *http.Request) {
props := model.MapFromJson(r.Body)
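Review bot: updateUserAuth records an audit entry only in the success branch, so a request rejected by the `!c.IsSystemAdmin()` check or a failed `c.App.UpdateUserAuth` call leaves no audit trail for an endpoint that changes how an account authenticates. Add `c.LogAuditWithUserId(c.Params.UserId, "attempt")` right after the `c.RequireUserId()` check, and a failure entry next to `c.Err = err`, so that probing and failed changes are visible to whoever reviews the audit log. The function also has no doc comment; something like `// updateUserAuth lets a system admin replace a user's auth service, auth data and password.` would make the privilege requirement explicit. The trailing context lines belong to checkUserMfa, whose body continues outside the hunk.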