diff options
author | Joram Wilander <jwawilander@gmail.com> | 2017-04-20 09:55:02 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-04-20 09:55:02 -0400 |
commit | be9624e2adce7c95039e62fc4ee22538d7fa2d2f (patch) | |
tree | 318179b4d3a4cb5114f887797a5a4c836e5255d7 /api4 | |
parent | 1a0f8d1b3c7451eac43bfdc5971de060caabf441 (diff) | |
download | chat-be9624e2adce7c95039e62fc4ee22538d7fa2d2f.tar.gz chat-be9624e2adce7c95039e62fc4ee22538d7fa2d2f.tar.bz2 chat-be9624e2adce7c95039e62fc4ee22538d7fa2d2f.zip |
Implement v4 endpoints for OAuth (#6040)
* Implement POST /oauth/apps endpoint for APIv4
* Implement GET /oauth/apps endpoint for APIv4
* Implement GET /oauth/apps/{app_id} and /oauth/apps/{app_id}/info endpoints for APIv4
* Refactor API version independent oauth endpoints
* Implement DELETE /oauth/apps/{app_id} endpoint for APIv4
* Implement /oauth/apps/{app_id}/regen_secret endpoint for APIv4
* Implement GET /user/{user_id}/oauth/apps/authorized endpoint for APIv4
* Implement POST /oauth/deauthorize endpoint
Diffstat (limited to 'api4')
-rw-r--r-- | api4/api.go | 12 | ||||
-rw-r--r-- | api4/apitestlib.go | 75 | ||||
-rw-r--r-- | api4/context.go | 23 | ||||
-rw-r--r-- | api4/oauth.go | 481 | ||||
-rw-r--r-- | api4/oauth_test.go | 611 | ||||
-rw-r--r-- | api4/params.go | 10 |
6 files changed, 1187 insertions, 25 deletions
diff --git a/api4/api.go b/api4/api.go index 8d03d91d1..fd9b679d2 100644 --- a/api4/api.go +++ b/api4/api.go @@ -64,8 +64,10 @@ type Routes struct { OutgoingHooks *mux.Router // 'api/v4/hooks/outgoing' OutgoingHook *mux.Router // 'api/v4/hooks/outgoing/{hook_id:[A-Za-z0-9]+}' - Admin *mux.Router // 'api/v4/admin' - OAuth *mux.Router // 'api/v4/oauth' + OAuth *mux.Router // 'api/v4/oauth' + OAuthApps *mux.Router // 'api/v4/oauth/apps' + OAuthApp *mux.Router // 'api/v4/oauth/apps/{app_id:[A-Za-z0-9]+}' + SAML *mux.Router // 'api/v4/saml' Compliance *mux.Router // 'api/v4/compliance' Cluster *mux.Router // 'api/v4/cluster' @@ -146,8 +148,11 @@ func InitApi(full bool) { BaseRoutes.OutgoingHook = BaseRoutes.OutgoingHooks.PathPrefix("/{hook_id:[A-Za-z0-9]+}").Subrouter() BaseRoutes.SAML = BaseRoutes.ApiRoot.PathPrefix("/saml").Subrouter() + BaseRoutes.OAuth = BaseRoutes.ApiRoot.PathPrefix("/oauth").Subrouter() - BaseRoutes.Admin = BaseRoutes.ApiRoot.PathPrefix("/admin").Subrouter() + BaseRoutes.OAuthApps = BaseRoutes.OAuth.PathPrefix("/apps").Subrouter() + BaseRoutes.OAuthApp = BaseRoutes.OAuthApps.PathPrefix("/{app_id:[A-Za-z0-9]+}").Subrouter() + BaseRoutes.Compliance = BaseRoutes.ApiRoot.PathPrefix("/compliance").Subrouter() BaseRoutes.Cluster = BaseRoutes.ApiRoot.PathPrefix("/cluster").Subrouter() BaseRoutes.LDAP = BaseRoutes.ApiRoot.PathPrefix("/ldap").Subrouter() @@ -180,6 +185,7 @@ func InitApi(full bool) { InitStatus() InitWebSocket() InitEmoji() + InitOAuth() InitReaction() InitWebrtc() diff --git a/api4/apitestlib.go b/api4/apitestlib.go index 81a9ca311..e6b4fb0c8 100644 --- a/api4/apitestlib.go +++ b/api4/apitestlib.go @@ -12,6 +12,7 @@ import ( "runtime/debug" "strconv" "strings" + "sync" "testing" "time" @@ -107,31 +108,57 @@ func Setup() *TestHelper { func TearDown() { utils.DisableDebugLogForTest() - options := map[string]bool{} - options[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true - if result := <-app.Srv.Store.User().Search("", "fakeuser", options); result.Err != nil { - l4g.Error("Error tearing down test users") - } else { - users := result.Data.([]*model.User) - - for _, u := range users { - if err := app.PermanentDeleteUser(u); err != nil { - l4g.Error(err.Error()) + var wg sync.WaitGroup + wg.Add(3) + + go func() { + defer wg.Done() + options := map[string]bool{} + options[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true + if result := <-app.Srv.Store.User().Search("", "fakeuser", options); result.Err != nil { + l4g.Error("Error tearing down test users") + } else { + users := result.Data.([]*model.User) + + for _, u := range users { + if err := app.PermanentDeleteUser(u); err != nil { + l4g.Error(err.Error()) + } } } - } - - if result := <-app.Srv.Store.Team().SearchByName("faketeam"); result.Err != nil { - l4g.Error("Error tearing down test teams") - } else { - teams := result.Data.([]*model.Team) - - for _, t := range teams { - if err := app.PermanentDeleteTeam(t); err != nil { - l4g.Error(err.Error()) + }() + + go func() { + defer wg.Done() + if result := <-app.Srv.Store.Team().SearchByName("faketeam"); result.Err != nil { + l4g.Error("Error tearing down test teams") + } else { + teams := result.Data.([]*model.Team) + + for _, t := range teams { + if err := app.PermanentDeleteTeam(t); err != nil { + l4g.Error(err.Error()) + } } } - } + }() + + go func() { + defer wg.Done() + if result := <-app.Srv.Store.OAuth().GetApps(0, 1000); result.Err != nil { + l4g.Error("Error tearing down test oauth apps") + } else { + apps := result.Data.([]*model.OAuthApp) + + for _, a := range apps { + if strings.HasPrefix(a.Name, "fakeoauthapp") { + <-app.Srv.Store.OAuth().DeleteApp(a.Id) + } + } + } + }() + + wg.Wait() utils.EnableDebugLogForTest() } @@ -378,7 +405,7 @@ func GenerateTestEmail() string { } func GenerateTestUsername() string { - return "fakeuser" + model.NewRandomString(13) + return "fakeuser" + model.NewRandomString(10) } func GenerateTestTeamName() string { @@ -389,6 +416,10 @@ func GenerateTestChannelName() string { return "fakechannel" + model.NewRandomString(10) } +func GenerateTestAppName() string { + return "fakeoauthapp" + model.NewRandomString(10) +} + func GenerateTestId() string { return model.NewId() } diff --git a/api4/context.go b/api4/context.go index 847a8d55f..f492f2b99 100644 --- a/api4/context.go +++ b/api4/context.go @@ -382,6 +382,17 @@ func (c *Context) RequirePostId() *Context { return c } +func (c *Context) RequireAppId() *Context { + if c.Err != nil { + return c + } + + if len(c.Params.AppId) != 26 { + c.SetInvalidUrlParam("app_id") + } + return c +} + func (c *Context) RequireFileId() *Context { if c.Err != nil { return c @@ -464,6 +475,18 @@ func (c *Context) RequireCategory() *Context { return c } +func (c *Context) RequireService() *Context { + if c.Err != nil { + return c + } + + if len(c.Params.Service) == 0 { + c.SetInvalidUrlParam("service") + } + + return c +} + func (c *Context) RequirePreferenceName() *Context { if c.Err != nil { return c diff --git a/api4/oauth.go b/api4/oauth.go new file mode 100644 index 000000000..3ace501e4 --- /dev/null +++ b/api4/oauth.go @@ -0,0 +1,481 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package api4 + +import ( + "net/http" + "net/url" + "strings" + + l4g "github.com/alecthomas/log4go" + "github.com/mattermost/platform/app" + "github.com/mattermost/platform/model" + "github.com/mattermost/platform/utils" +) + +func InitOAuth() { + l4g.Debug(utils.T("api.oauth.init.debug")) + + BaseRoutes.OAuthApps.Handle("", ApiSessionRequired(createOAuthApp)).Methods("POST") + BaseRoutes.OAuthApps.Handle("", ApiSessionRequired(getOAuthApps)).Methods("GET") + BaseRoutes.OAuthApp.Handle("", ApiSessionRequired(getOAuthApp)).Methods("GET") + BaseRoutes.OAuthApp.Handle("/info", ApiSessionRequired(getOAuthAppInfo)).Methods("GET") + BaseRoutes.OAuthApp.Handle("", ApiSessionRequired(deleteOAuthApp)).Methods("DELETE") + BaseRoutes.OAuthApp.Handle("/regen_secret", ApiSessionRequired(regenerateOAuthAppSecret)).Methods("POST") + + BaseRoutes.User.Handle("/oauth/apps/authorized", ApiSessionRequired(getAuthorizedOAuthApps)).Methods("GET") + + // API version independent OAuth 2.0 as a service provider endpoints + BaseRoutes.Root.Handle("/oauth/authorize", ApiHandlerTrustRequester(authorizeOAuthPage)).Methods("GET") + BaseRoutes.Root.Handle("/oauth/authorize", ApiSessionRequired(authorizeOAuthApp)).Methods("POST") + BaseRoutes.Root.Handle("/oauth/deauthorize", ApiSessionRequired(deauthorizeOAuthApp)).Methods("POST") + BaseRoutes.Root.Handle("/oauth/access_token", ApiHandlerTrustRequester(getAccessToken)).Methods("POST") + + // API version independent OAuth as a client endpoints + BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") + BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/login", ApiHandler(loginWithOAuth)).Methods("GET") + BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/signup", ApiHandler(signupWithOAuth)).Methods("GET") + + // Old endpoints for backwards compatibility, needed to not break SSO for any old setups + BaseRoutes.Root.Handle("/api/v3/oauth/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") + BaseRoutes.Root.Handle("/signup/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") + BaseRoutes.Root.Handle("/login/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") +} + +func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { + oauthApp := model.OAuthAppFromJson(r.Body) + + if oauthApp == nil { + c.SetInvalidParam("oauth_app") + return + } + + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) + return + } + + oauthApp.CreatorId = c.Session.UserId + + rapp, err := app.CreateOAuthApp(oauthApp) + if err != nil { + c.Err = err + return + } + + c.LogAudit("client_id=" + rapp.Id) + w.WriteHeader(http.StatusCreated) + w.Write([]byte(rapp.ToJson())) +} + +func getOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + c.Err = model.NewAppError("getOAuthApps", "api.command.admin_only.app_error", nil, "", http.StatusForbidden) + return + } + + var apps []*model.OAuthApp + var err *model.AppError + if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { + apps, err = app.GetOAuthApps(c.Params.Page, c.Params.PerPage) + } else if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + apps, err = app.GetOAuthAppsByCreator(c.Session.UserId, c.Params.Page, c.Params.PerPage) + } else { + c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) + return + } + + if err != nil { + c.Err = err + return + } + + w.Write([]byte(model.OAuthAppListToJson(apps))) +} + +func getOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireAppId() + if c.Err != nil { + return + } + + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) + return + } + + oauthApp, err := app.GetOAuthApp(c.Params.AppId) + if err != nil { + c.Err = err + return + } + + if oauthApp.CreatorId != c.Session.UserId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) + return + } + + w.Write([]byte(oauthApp.ToJson())) +} + +func getOAuthAppInfo(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireAppId() + if c.Err != nil { + return + } + + oauthApp, err := app.GetOAuthApp(c.Params.AppId) + if err != nil { + c.Err = err + return + } + + oauthApp.Sanitize() + w.Write([]byte(oauthApp.ToJson())) +} + +func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireAppId() + if c.Err != nil { + return + } + + c.LogAudit("attempt") + + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) + return + } + + oauthApp, err := app.GetOAuthApp(c.Params.AppId) + if err != nil { + c.Err = err + return + } + + if c.Session.UserId != oauthApp.CreatorId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) + return + } + + err = app.DeleteOAuthApp(oauthApp.Id) + if err != nil { + c.Err = err + return + } + + c.LogAudit("success") + ReturnStatusOK(w) +} + +func regenerateOAuthAppSecret(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireAppId() + if c.Err != nil { + return + } + + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) + return + } + + oauthApp, err := app.GetOAuthApp(c.Params.AppId) + if err != nil { + c.Err = err + return + } + + if oauthApp.CreatorId != c.Session.UserId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) + return + } + + oauthApp, err = app.RegenerateOAuthAppSecret(oauthApp) + if err != nil { + c.Err = err + return + } + + c.LogAudit("success") + w.Write([]byte(oauthApp.ToJson())) +} + +func getAuthorizedOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireUserId() + if c.Err != nil { + return + } + + if !app.SessionHasPermissionToUser(c.Session, c.Params.UserId) { + c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) + return + } + + apps, err := app.GetAuthorizedAppsForUser(c.Params.UserId, c.Params.Page, c.Params.PerPage) + if err != nil { + c.Err = err + return + } + + w.Write([]byte(model.OAuthAppListToJson(apps))) +} + +func authorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { + authRequest := model.AuthorizeRequestFromJson(r.Body) + if authRequest == nil { + c.SetInvalidParam("authorize_request") + } + + if err := authRequest.IsValid(); err != nil { + c.Err = err + return + } + + c.LogAudit("attempt") + + redirectUrl, err := app.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest) + + if err != nil { + c.Err = err + return + } + + c.LogAudit("") + + w.Write([]byte(model.MapToJson(map[string]string{"redirect": redirectUrl}))) +} + +func deauthorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { + requestData := model.MapFromJson(r.Body) + clientId := requestData["client_id"] + + if len(clientId) != 26 { + c.SetInvalidParam("client_id") + return + } + + err := app.DeauthorizeOAuthAppForUser(c.Session.UserId, clientId) + if err != nil { + c.Err = err + return + } + + c.LogAudit("success") + ReturnStatusOK(w) +} + +func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) { + if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { + err := model.NewAppError("authorizeOAuth", "api.oauth.authorize_oauth.disabled.app_error", nil, "", http.StatusNotImplemented) + utils.RenderWebError(err, w, r) + return + } + + authRequest := &model.AuthorizeRequest{ + ResponseType: r.URL.Query().Get("response_type"), + ClientId: r.URL.Query().Get("client_id"), + RedirectUri: r.URL.Query().Get("redirect_uri"), + Scope: r.URL.Query().Get("scope"), + State: r.URL.Query().Get("state"), + } + + if err := authRequest.IsValid(); err != nil { + utils.RenderWebError(err, w, r) + return + } + + oauthApp, err := app.GetOAuthApp(authRequest.ClientId) + if err != nil { + utils.RenderWebError(err, w, r) + return + } + + // here we should check if the user is logged in + if len(c.Session.UserId) == 0 { + http.Redirect(w, r, c.GetSiteURLHeader()+"/login?redirect_to="+url.QueryEscape(r.RequestURI), http.StatusFound) + return + } + + isAuthorized := false + + if _, err := app.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil { + // when we support scopes we should check if the scopes match + isAuthorized = true + } + + // Automatically allow if the app is trusted + if oauthApp.IsTrusted || isAuthorized { + authRequest.ResponseType = model.AUTHCODE_RESPONSE_TYPE + redirectUrl, err := app.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest) + + if err != nil { + utils.RenderWebError(err, w, r) + return + } + + http.Redirect(w, r, redirectUrl, http.StatusFound) + return + } + + w.Header().Set("X-Frame-Options", "SAMEORIGIN") + w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'") + w.Header().Set("Content-Type", "text/html") + w.Header().Set("Cache-Control", "no-cache, max-age=31556926, public") + http.ServeFile(w, r, utils.FindDir(model.CLIENT_DIR)+"root.html") +} + +func getAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { + r.ParseForm() + + code := r.FormValue("code") + refreshToken := r.FormValue("refresh_token") + + grantType := r.FormValue("grant_type") + switch grantType { + case model.ACCESS_TOKEN_GRANT_TYPE: + if len(code) == 0 { + c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.missing_code.app_error", nil, "", http.StatusBadRequest) + return + } + case model.REFRESH_TOKEN_GRANT_TYPE: + if len(refreshToken) == 0 { + c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.missing_refresh_token.app_error", nil, "", http.StatusBadRequest) + return + } + default: + c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_grant.app_error", nil, "", http.StatusBadRequest) + return + } + + clientId := r.FormValue("client_id") + if len(clientId) != 26 { + c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_client_id.app_error", nil, "", http.StatusBadRequest) + return + } + + secret := r.FormValue("client_secret") + if len(secret) == 0 { + c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_client_secret.app_error", nil, "", http.StatusBadRequest) + return + } + + redirectUri := r.FormValue("redirect_uri") + + c.LogAudit("attempt") + + accessRsp, err := app.GetOAuthAccessToken(clientId, grantType, redirectUri, code, secret, refreshToken) + if err != nil { + c.Err = err + return + } + + w.Header().Set("Content-Type", "application/json") + w.Header().Set("Cache-Control", "no-store") + w.Header().Set("Pragma", "no-cache") + + c.LogAudit("success") + + w.Write([]byte(accessRsp.ToJson())) +} + +func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireService() + if c.Err != nil { + return + } + + service := c.Params.Service + + code := r.URL.Query().Get("code") + if len(code) == 0 { + c.Err = model.NewAppError("completeOAuth", "api.oauth.complete_oauth.missing_code.app_error", map[string]interface{}{"service": strings.Title(service)}, "URL: "+r.URL.String(), http.StatusBadRequest) + return + } + + state := r.URL.Query().Get("state") + + uri := c.GetSiteURLHeader() + "/signup/" + service + "/complete" + + body, teamId, props, err := app.AuthorizeOAuthUser(service, code, state, uri) + if err != nil { + c.Err = err + return + } + + user, err := app.CompleteOAuth(service, body, teamId, props) + if err != nil { + c.Err = err + return + } + + action := props["action"] + + var redirectUrl string + if action == model.OAUTH_ACTION_EMAIL_TO_SSO { + redirectUrl = c.GetSiteURLHeader() + "/login?extra=signin_change" + } else if action == model.OAUTH_ACTION_SSO_TO_EMAIL { + + redirectUrl = app.GetProtocol(r) + "://" + r.Host + "/claim?email=" + url.QueryEscape(props["email"]) + } else { + session, err := app.DoLogin(w, r, user, "") + if err != nil { + c.Err = err + return + } + + c.Session = *session + + redirectUrl = c.GetSiteURLHeader() + } + + http.Redirect(w, r, redirectUrl, http.StatusTemporaryRedirect) +} + +func loginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireService() + if c.Err != nil { + return + } + + loginHint := r.URL.Query().Get("login_hint") + redirectTo := r.URL.Query().Get("redirect_to") + + teamId, err := app.GetTeamIdFromQuery(r.URL.Query()) + if err != nil { + c.Err = err + return + } + + if authUrl, err := app.GetOAuthLoginEndpoint(c.Params.Service, teamId, redirectTo, loginHint); err != nil { + c.Err = err + return + } else { + http.Redirect(w, r, authUrl, http.StatusFound) + } +} + +func signupWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireService() + if c.Err != nil { + return + } + + if !utils.Cfg.TeamSettings.EnableUserCreation { + c.Err = model.NewAppError("signupWithOAuth", "api.oauth.singup_with_oauth.disabled.app_error", nil, "", http.StatusNotImplemented) + return + } + + teamId, err := app.GetTeamIdFromQuery(r.URL.Query()) + if err != nil { + c.Err = err + return + } + + if authUrl, err := app.GetOAuthSignupEndpoint(c.Params.Service, teamId); err != nil { + c.Err = err + return + } else { + http.Redirect(w, r, authUrl, http.StatusFound) + } +} diff --git a/api4/oauth_test.go b/api4/oauth_test.go new file mode 100644 index 000000000..963cd43c3 --- /dev/null +++ b/api4/oauth_test.go @@ -0,0 +1,611 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package api4 + +import ( + "net/http" + "net/url" + "strconv" + "testing" + + "github.com/mattermost/platform/model" + "github.com/mattermost/platform/utils" +) + +func TestCreateOAuthApp(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + AdminClient := th.SystemAdminClient + + enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider + adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations + defer func() { + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly + }() + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + utils.SetDefaultRolesBasedOnConfig() + + oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + rapp, resp := AdminClient.CreateOAuthApp(oapp) + CheckNoError(t, resp) + CheckCreatedStatus(t, resp) + + if rapp.Name != oapp.Name { + t.Fatal("names did not match") + } + + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = true + utils.SetDefaultRolesBasedOnConfig() + _, resp = Client.CreateOAuthApp(oapp) + CheckForbiddenStatus(t, resp) + + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false + utils.SetDefaultRolesBasedOnConfig() + _, resp = Client.CreateOAuthApp(oapp) + CheckNoError(t, resp) + CheckCreatedStatus(t, resp) + + oapp.Name = "" + _, resp = AdminClient.CreateOAuthApp(oapp) + CheckBadRequestStatus(t, resp) + + if r, err := Client.DoApiPost("/oauth/apps", "garbage"); err == nil { + t.Fatal("should have failed") + } else { + if r.StatusCode != http.StatusBadRequest { + t.Log("actual: " + strconv.Itoa(r.StatusCode)) + t.Log("expected: " + strconv.Itoa(http.StatusBadRequest)) + t.Fatal("wrong status code") + } + } + + Client.Logout() + _, resp = Client.CreateOAuthApp(oapp) + CheckUnauthorizedStatus(t, resp) + + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false + oapp.Name = GenerateTestAppName() + _, resp = AdminClient.CreateOAuthApp(oapp) + CheckNotImplementedStatus(t, resp) +} + +func TestGetOAuthApps(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + AdminClient := th.SystemAdminClient + + enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider + adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations + defer func() { + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly + }() + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false + utils.SetDefaultRolesBasedOnConfig() + + oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + rapp, resp := AdminClient.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + oapp.Name = GenerateTestAppName() + rapp2, resp := Client.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + apps, resp := AdminClient.GetOAuthApps(0, 1000) + CheckNoError(t, resp) + + found1 := false + found2 := false + for _, a := range apps { + if a.Id == rapp.Id { + found1 = true + } + if a.Id == rapp2.Id { + found2 = true + } + } + + if !found1 || !found2 { + t.Fatal("missing oauth app") + } + + apps, resp = AdminClient.GetOAuthApps(1, 1) + CheckNoError(t, resp) + + if len(apps) != 1 { + t.Fatal("paging failed") + } + + apps, resp = Client.GetOAuthApps(0, 1000) + CheckNoError(t, resp) + + if len(apps) != 1 && apps[0].Id != rapp2.Id { + t.Fatal("wrong apps returned") + } + + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = true + utils.SetDefaultRolesBasedOnConfig() + + _, resp = Client.GetOAuthApps(0, 1000) + CheckForbiddenStatus(t, resp) + + Client.Logout() + + _, resp = Client.GetOAuthApps(0, 1000) + CheckUnauthorizedStatus(t, resp) + + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false + _, resp = AdminClient.GetOAuthApps(0, 1000) + CheckNotImplementedStatus(t, resp) +} + +func TestGetOAuthApp(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + AdminClient := th.SystemAdminClient + + enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider + adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations + defer func() { + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly + }() + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false + utils.SetDefaultRolesBasedOnConfig() + + oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + rapp, resp := AdminClient.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + oapp.Name = GenerateTestAppName() + rapp2, resp := Client.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + rrapp, resp := AdminClient.GetOAuthApp(rapp.Id) + CheckNoError(t, resp) + + if rapp.Id != rrapp.Id { + t.Fatal("wrong app") + } + + if rrapp.ClientSecret == "" { + t.Fatal("should not be sanitized") + } + + rrapp2, resp := AdminClient.GetOAuthApp(rapp2.Id) + CheckNoError(t, resp) + + if rapp2.Id != rrapp2.Id { + t.Fatal("wrong app") + } + + if rrapp2.ClientSecret == "" { + t.Fatal("should not be sanitized") + } + + _, resp = Client.GetOAuthApp(rapp2.Id) + CheckNoError(t, resp) + + _, resp = Client.GetOAuthApp(rapp.Id) + CheckForbiddenStatus(t, resp) + + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = true + utils.SetDefaultRolesBasedOnConfig() + + _, resp = Client.GetOAuthApp(rapp2.Id) + CheckForbiddenStatus(t, resp) + + Client.Logout() + + _, resp = Client.GetOAuthApp(rapp2.Id) + CheckUnauthorizedStatus(t, resp) + + _, resp = AdminClient.GetOAuthApp("junk") + CheckBadRequestStatus(t, resp) + + _, resp = AdminClient.GetOAuthApp(model.NewId()) + CheckNotFoundStatus(t, resp) + + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false + _, resp = AdminClient.GetOAuthApp(rapp.Id) + CheckNotImplementedStatus(t, resp) +} + +func TestGetOAuthAppInfo(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + AdminClient := th.SystemAdminClient + + enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider + adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations + defer func() { + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly + }() + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false + utils.SetDefaultRolesBasedOnConfig() + + oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + rapp, resp := AdminClient.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + oapp.Name = GenerateTestAppName() + rapp2, resp := Client.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + rrapp, resp := AdminClient.GetOAuthAppInfo(rapp.Id) + CheckNoError(t, resp) + + if rapp.Id != rrapp.Id { + t.Fatal("wrong app") + } + + if rrapp.ClientSecret != "" { + t.Fatal("should be sanitized") + } + + rrapp2, resp := AdminClient.GetOAuthAppInfo(rapp2.Id) + CheckNoError(t, resp) + + if rapp2.Id != rrapp2.Id { + t.Fatal("wrong app") + } + + if rrapp2.ClientSecret != "" { + t.Fatal("should be sanitized") + } + + _, resp = Client.GetOAuthAppInfo(rapp2.Id) + CheckNoError(t, resp) + + _, resp = Client.GetOAuthAppInfo(rapp.Id) + CheckNoError(t, resp) + + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = true + utils.SetDefaultRolesBasedOnConfig() + + _, resp = Client.GetOAuthAppInfo(rapp2.Id) + CheckNoError(t, resp) + + Client.Logout() + + _, resp = Client.GetOAuthAppInfo(rapp2.Id) + CheckUnauthorizedStatus(t, resp) + + _, resp = AdminClient.GetOAuthAppInfo("junk") + CheckBadRequestStatus(t, resp) + + _, resp = AdminClient.GetOAuthAppInfo(model.NewId()) + CheckNotFoundStatus(t, resp) + + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false + _, resp = AdminClient.GetOAuthAppInfo(rapp.Id) + CheckNotImplementedStatus(t, resp) +} + +func TestDeleteOAuthApp(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + AdminClient := th.SystemAdminClient + + enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider + adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations + defer func() { + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly + }() + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false + utils.SetDefaultRolesBasedOnConfig() + + oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + rapp, resp := AdminClient.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + oapp.Name = GenerateTestAppName() + rapp2, resp := Client.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + pass, resp := AdminClient.DeleteOAuthApp(rapp.Id) + CheckNoError(t, resp) + + if !pass { + t.Fatal("should have passed") + } + + _, resp = AdminClient.DeleteOAuthApp(rapp2.Id) + CheckNoError(t, resp) + + rapp, resp = AdminClient.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + oapp.Name = GenerateTestAppName() + rapp2, resp = Client.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + _, resp = Client.DeleteOAuthApp(rapp.Id) + CheckForbiddenStatus(t, resp) + + _, resp = Client.DeleteOAuthApp(rapp2.Id) + CheckNoError(t, resp) + + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false + utils.SetDefaultRolesBasedOnConfig() + _, resp = Client.DeleteOAuthApp(rapp.Id) + CheckForbiddenStatus(t, resp) + + Client.Logout() + _, resp = Client.DeleteOAuthApp(rapp.Id) + CheckUnauthorizedStatus(t, resp) + + _, resp = AdminClient.DeleteOAuthApp("junk") + CheckBadRequestStatus(t, resp) + + _, resp = AdminClient.DeleteOAuthApp(model.NewId()) + CheckNotFoundStatus(t, resp) + + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false + _, resp = AdminClient.DeleteOAuthApp(rapp.Id) + CheckNotImplementedStatus(t, resp) +} + +func TestRegenerateOAuthAppSecret(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + AdminClient := th.SystemAdminClient + + enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider + adminOnly := *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations + defer func() { + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = adminOnly + }() + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false + utils.SetDefaultRolesBasedOnConfig() + + oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + rapp, resp := AdminClient.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + oapp.Name = GenerateTestAppName() + rapp2, resp := Client.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + rrapp, resp := AdminClient.RegenerateOAuthAppSecret(rapp.Id) + CheckNoError(t, resp) + + if rrapp.Id != rapp.Id { + t.Fatal("wrong app") + } + + if rrapp.ClientSecret == rapp.ClientSecret { + t.Fatal("secret didn't change") + } + + _, resp = AdminClient.RegenerateOAuthAppSecret(rapp2.Id) + CheckNoError(t, resp) + + rapp, resp = AdminClient.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + oapp.Name = GenerateTestAppName() + rapp2, resp = Client.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + _, resp = Client.RegenerateOAuthAppSecret(rapp.Id) + CheckForbiddenStatus(t, resp) + + _, resp = Client.RegenerateOAuthAppSecret(rapp2.Id) + CheckNoError(t, resp) + + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false + utils.SetDefaultRolesBasedOnConfig() + _, resp = Client.RegenerateOAuthAppSecret(rapp.Id) + CheckForbiddenStatus(t, resp) + + Client.Logout() + _, resp = Client.RegenerateOAuthAppSecret(rapp.Id) + CheckUnauthorizedStatus(t, resp) + + _, resp = AdminClient.RegenerateOAuthAppSecret("junk") + CheckBadRequestStatus(t, resp) + + _, resp = AdminClient.RegenerateOAuthAppSecret(model.NewId()) + CheckNotFoundStatus(t, resp) + + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false + _, resp = AdminClient.RegenerateOAuthAppSecret(rapp.Id) + CheckNotImplementedStatus(t, resp) +} + +func TestGetAuthorizedOAuthAppsForUser(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + AdminClient := th.SystemAdminClient + + enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider + defer func() { + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth + }() + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + + oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + rapp, resp := AdminClient.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + authRequest := &model.AuthorizeRequest{ + ResponseType: model.AUTHCODE_RESPONSE_TYPE, + ClientId: rapp.Id, + RedirectUri: rapp.CallbackUrls[0], + Scope: "", + State: "123", + } + + _, resp = Client.AuthorizeOAuthApp(authRequest) + CheckNoError(t, resp) + + apps, resp := Client.GetAuthorizedOAuthAppsForUser(th.BasicUser.Id, 0, 1000) + CheckNoError(t, resp) + + found := false + for _, a := range apps { + if a.Id == rapp.Id { + found = true + } + + if a.ClientSecret != "" { + t.Fatal("not sanitized") + } + } + + if !found { + t.Fatal("missing app") + } + + _, resp = Client.GetAuthorizedOAuthAppsForUser(th.BasicUser2.Id, 0, 1000) + CheckForbiddenStatus(t, resp) + + _, resp = Client.GetAuthorizedOAuthAppsForUser("junk", 0, 1000) + CheckBadRequestStatus(t, resp) + + Client.Logout() + _, resp = Client.GetAuthorizedOAuthAppsForUser(th.BasicUser.Id, 0, 1000) + CheckUnauthorizedStatus(t, resp) + + _, resp = AdminClient.GetAuthorizedOAuthAppsForUser(th.BasicUser.Id, 0, 1000) + CheckNoError(t, resp) +} + +func TestAuthorizeOAuthApp(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + AdminClient := th.SystemAdminClient + + enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider + defer func() { + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth + }() + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + utils.SetDefaultRolesBasedOnConfig() + + oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + rapp, resp := AdminClient.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + authRequest := &model.AuthorizeRequest{ + ResponseType: model.AUTHCODE_RESPONSE_TYPE, + ClientId: rapp.Id, + RedirectUri: rapp.CallbackUrls[0], + Scope: "", + State: "123", + } + + ruri, resp := Client.AuthorizeOAuthApp(authRequest) + CheckNoError(t, resp) + + if len(ruri) == 0 { + t.Fatal("redirect url should be set") + } + + ru, _ := url.Parse(ruri) + if ru == nil { + t.Fatal("redirect url unparseable") + } else { + if len(ru.Query().Get("code")) == 0 { + t.Fatal("authorization code not returned") + } + if ru.Query().Get("state") != authRequest.State { + t.Fatal("returned state doesn't match") + } + } + + authRequest.RedirectUri = "" + _, resp = Client.AuthorizeOAuthApp(authRequest) + CheckBadRequestStatus(t, resp) + + authRequest.RedirectUri = "http://somewhereelse.com" + _, resp = Client.AuthorizeOAuthApp(authRequest) + CheckBadRequestStatus(t, resp) + + authRequest.RedirectUri = rapp.CallbackUrls[0] + authRequest.ResponseType = "" + _, resp = Client.AuthorizeOAuthApp(authRequest) + CheckBadRequestStatus(t, resp) + + authRequest.ResponseType = model.AUTHCODE_RESPONSE_TYPE + authRequest.ClientId = "" + _, resp = Client.AuthorizeOAuthApp(authRequest) + CheckBadRequestStatus(t, resp) + + authRequest.ClientId = model.NewId() + _, resp = Client.AuthorizeOAuthApp(authRequest) + CheckNotFoundStatus(t, resp) +} + +func TestDeauthorizeOAuthApp(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + AdminClient := th.SystemAdminClient + + enableOAuth := utils.Cfg.ServiceSettings.EnableOAuthServiceProvider + defer func() { + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth + }() + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + + oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + rapp, resp := AdminClient.CreateOAuthApp(oapp) + CheckNoError(t, resp) + + authRequest := &model.AuthorizeRequest{ + ResponseType: model.AUTHCODE_RESPONSE_TYPE, + ClientId: rapp.Id, + RedirectUri: rapp.CallbackUrls[0], + Scope: "", + State: "123", + } + + _, resp = Client.AuthorizeOAuthApp(authRequest) + CheckNoError(t, resp) + + pass, resp := Client.DeauthorizeOAuthApp(rapp.Id) + CheckNoError(t, resp) + + if !pass { + t.Fatal("should have passed") + } + + _, resp = Client.DeauthorizeOAuthApp("junk") + CheckBadRequestStatus(t, resp) + + _, resp = Client.DeauthorizeOAuthApp(model.NewId()) + CheckNoError(t, resp) + + Client.Logout() + _, resp = Client.DeauthorizeOAuthApp(rapp.Id) + CheckUnauthorizedStatus(t, resp) +} diff --git a/api4/params.go b/api4/params.go index fa5d96d88..a1c829f1c 100644 --- a/api4/params.go +++ b/api4/params.go @@ -26,12 +26,14 @@ type ApiParams struct { HookId string ReportId string EmojiId string + AppId string Email string Username string TeamName string ChannelName string PreferenceName string Category string + Service string Page int PerPage int } @@ -77,6 +79,10 @@ func ApiParamsFromRequest(r *http.Request) *ApiParams { params.EmojiId = val } + if val, ok := props["app_id"]; ok { + params.AppId = val + } + if val, ok := props["email"]; ok { params.Email = val } @@ -97,6 +103,10 @@ func ApiParamsFromRequest(r *http.Request) *ApiParams { params.Category = val } + if val, ok := props["service"]; ok { + params.Category = val + } + if val, ok := props["preference_name"]; ok { params.PreferenceName = val } |