From 3559fb7959cf008b038239f2e7c43e604c44cd31 Mon Sep 17 00:00:00 2001 From: Joram Wilander Date: Mon, 13 Mar 2017 08:26:23 -0400 Subject: Implement SAML endpoints for APIv4 (#5671) * Implement SAML endpoints for APIv4 * Fix unit test * Only disable encryption when removing puplic/private certs --- api/admin.go | 12 +++- api/apitestlib.go | 2 + api4/api.go | 4 ++ api4/apitestlib.go | 31 ++++++++++ api4/saml.go | 171 +++++++++++++++++++++++++++++++++++++++++++++++++++++ api4/saml_test.go | 19 ++++++ app/saml.go | 143 ++++++++++++++++++++++++++++++++++++++++---- i18n/en.json | 4 ++ model/client4.go | 118 ++++++++++++++++++++++++++++++++++-- model/saml.go | 31 ++++++++++ model/saml_test.go | 24 ++++++++ 11 files changed, 540 insertions(+), 19 deletions(-) create mode 100644 api4/saml.go create mode 100644 api4/saml_test.go create mode 100644 model/saml_test.go diff --git a/api/admin.go b/api/admin.go index 3aa1dc67d..785b8bf24 100644 --- a/api/admin.go +++ b/api/admin.go @@ -383,7 +383,7 @@ func addCertificate(c *Context, w http.ResponseWriter, r *http.Request) { fileData := fileArray[0] - if err := app.AddSamlCertificate(fileData); err != nil { + if err := app.WriteSamlFile(fileData); err != nil { c.Err = err return } @@ -393,7 +393,7 @@ func addCertificate(c *Context, w http.ResponseWriter, r *http.Request) { func removeCertificate(c *Context, w http.ResponseWriter, r *http.Request) { props := model.MapFromJson(r.Body) - if err := app.RemoveSamlCertificate(props["filename"]); err != nil { + if err := app.RemoveSamlFile(props["filename"]); err != nil { c.Err = err return } @@ -403,7 +403,13 @@ func removeCertificate(c *Context, w http.ResponseWriter, r *http.Request) { func samlCertificateStatus(c *Context, w http.ResponseWriter, r *http.Request) { status := app.GetSamlCertificateStatus() - w.Write([]byte(model.StringInterfaceToJson(status))) + + statusMap := map[string]interface{}{} + statusMap["IdpCertificateFile"] = status.IdpCertificateFile + statusMap["PrivateKeyFile"] = status.PrivateKeyFile + statusMap["PublicCertificateFile"] = status.PublicCertificateFile + + w.Write([]byte(model.StringInterfaceToJson(statusMap))) } func getRecentlyActiveUsers(c *Context, w http.ResponseWriter, r *http.Request) { diff --git a/api/apitestlib.go b/api/apitestlib.go index df5ac5d26..4206d033e 100644 --- a/api/apitestlib.go +++ b/api/apitestlib.go @@ -6,6 +6,7 @@ package api import ( "time" + "github.com/mattermost/platform/api4" "github.com/mattermost/platform/app" "github.com/mattermost/platform/model" "github.com/mattermost/platform/store" @@ -43,6 +44,7 @@ func SetupEnterprise() *TestHelper { InitRouter() app.StartServer() utils.InitHTML() + api4.InitApi(false) InitApi() utils.EnableDebugLogForTest() app.Srv.Store.MarkSystemRanUnitTests() diff --git a/api4/api.go b/api4/api.go index c8c0e170b..71dfbcdf3 100644 --- a/api4/api.go +++ b/api4/api.go @@ -60,6 +60,8 @@ type Routes struct { OAuth *mux.Router // 'api/v4/oauth' + SAML *mux.Router // 'api/v4/saml' + Admin *mux.Router // 'api/v4/admin' System *mux.Router // 'api/v4/system' @@ -127,6 +129,7 @@ func InitApi(full bool) { BaseRoutes.OutgoingHooks = BaseRoutes.Hooks.PathPrefix("/outgoing").Subrouter() BaseRoutes.OutgoingHook = BaseRoutes.OutgoingHooks.PathPrefix("/{hook_id:[A-Za-z0-9]+}").Subrouter() + BaseRoutes.SAML = BaseRoutes.ApiRoot.PathPrefix("/saml").Subrouter() BaseRoutes.OAuth = BaseRoutes.ApiRoot.PathPrefix("/oauth").Subrouter() BaseRoutes.Admin = BaseRoutes.ApiRoot.PathPrefix("/admin").Subrouter() BaseRoutes.System = BaseRoutes.ApiRoot.PathPrefix("/system").Subrouter() @@ -147,6 +150,7 @@ func InitApi(full bool) { InitSystem() InitWebhook() InitPreference() + InitSaml() app.Srv.Router.Handle("/api/v4/{anything:.*}", http.HandlerFunc(Handle404)) diff --git a/api4/apitestlib.go b/api4/apitestlib.go index 3d2feaf6e..30dbfadae 100644 --- a/api4/apitestlib.go +++ b/api4/apitestlib.go @@ -38,6 +38,37 @@ type TestHelper struct { SystemAdminUser *model.User } +func SetupEnterprise() *TestHelper { + if app.Srv == nil { + utils.TranslationsPreInit() + utils.LoadConfig("config.json") + utils.InitTranslations(utils.Cfg.LocalizationSettings) + utils.Cfg.TeamSettings.MaxUsersPerTeam = 50 + *utils.Cfg.RateLimitSettings.Enable = false + utils.Cfg.EmailSettings.SendEmailNotifications = true + utils.Cfg.EmailSettings.SMTPServer = "dockerhost" + utils.Cfg.EmailSettings.SMTPPort = "2500" + utils.Cfg.EmailSettings.FeedbackEmail = "test@example.com" + utils.DisableDebugLogForTest() + utils.License.Features.SetDefaults() + app.NewServer() + app.InitStores() + InitRouter() + app.StartServer() + utils.InitHTML() + InitApi(true) + utils.EnableDebugLogForTest() + app.Srv.Store.MarkSystemRanUnitTests() + + *utils.Cfg.TeamSettings.EnableOpenServer = true + } + + th := &TestHelper{} + th.Client = th.CreateClient() + th.SystemAdminClient = th.CreateClient() + return th +} + func Setup() *TestHelper { if app.Srv == nil { utils.TranslationsPreInit() diff --git a/api4/saml.go b/api4/saml.go new file mode 100644 index 000000000..e2c35f30d --- /dev/null +++ b/api4/saml.go @@ -0,0 +1,171 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package api4 + +import ( + "mime/multipart" + "net/http" + + l4g "github.com/alecthomas/log4go" + "github.com/mattermost/platform/app" + "github.com/mattermost/platform/model" + "github.com/mattermost/platform/utils" +) + +func InitSaml() { + l4g.Debug(utils.T("api.saml.init.debug")) + + BaseRoutes.SAML.Handle("/metadata", ApiHandler(getSamlMetadata)).Methods("GET") + + BaseRoutes.SAML.Handle("/certificate/public", ApiSessionRequired(addSamlPublicCertificate)).Methods("POST") + BaseRoutes.SAML.Handle("/certificate/private", ApiSessionRequired(addSamlPrivateCertificate)).Methods("POST") + BaseRoutes.SAML.Handle("/certificate/idp", ApiSessionRequired(addSamlIdpCertificate)).Methods("POST") + + BaseRoutes.SAML.Handle("/certificate/public", ApiSessionRequired(removeSamlPublicCertificate)).Methods("DELETE") + BaseRoutes.SAML.Handle("/certificate/private", ApiSessionRequired(removeSamlPrivateCertificate)).Methods("DELETE") + BaseRoutes.SAML.Handle("/certificate/idp", ApiSessionRequired(removeSamlIdpCertificate)).Methods("DELETE") + + BaseRoutes.SAML.Handle("/certificate/status", ApiSessionRequired(getSamlCertificateStatus)).Methods("GET") +} + +func getSamlMetadata(c *Context, w http.ResponseWriter, r *http.Request) { + metadata, err := app.GetSamlMetadata() + if err != nil { + c.Err = err + return + } + + w.Header().Set("Content-Type", "application/xml") + w.Header().Set("Content-Disposition", "attachment; filename=\"metadata.xml\"") + w.Write([]byte(metadata)) +} + +func parseSamlCertificateRequest(r *http.Request) (*multipart.FileHeader, *model.AppError) { + err := r.ParseMultipartForm(*utils.Cfg.FileSettings.MaxFileSize) + if err != nil { + return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, err.Error(), http.StatusBadRequest) + } + + m := r.MultipartForm + + fileArray, ok := m.File["certificate"] + if !ok { + return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, "", http.StatusBadRequest) + } + + if len(fileArray) <= 0 { + return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.array.app_error", nil, "", http.StatusBadRequest) + } + + return fileArray[0], nil +} + +func addSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + fileData, err := parseSamlCertificateRequest(r) + if err != nil { + c.Err = err + return + } + + if err := app.AddSamlPublicCertificate(fileData); err != nil { + c.Err = err + return + } + ReturnStatusOK(w) +} + +func addSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + fileData, err := parseSamlCertificateRequest(r) + if err != nil { + c.Err = err + return + } + + if err := app.AddSamlPrivateCertificate(fileData); err != nil { + c.Err = err + return + } + ReturnStatusOK(w) +} + +func addSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + fileData, err := parseSamlCertificateRequest(r) + if err != nil { + c.Err = err + return + } + + if err := app.AddSamlIdpCertificate(fileData); err != nil { + c.Err = err + return + } + ReturnStatusOK(w) +} + +func removeSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + if err := app.RemoveSamlPublicCertificate(); err != nil { + c.Err = err + return + } + + ReturnStatusOK(w) +} + +func removeSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + if err := app.RemoveSamlPrivateCertificate(); err != nil { + c.Err = err + return + } + + ReturnStatusOK(w) +} + +func removeSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + if err := app.RemoveSamlIdpCertificate(); err != nil { + c.Err = err + return + } + + ReturnStatusOK(w) +} + +func getSamlCertificateStatus(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + status := app.GetSamlCertificateStatus() + w.Write([]byte(status.ToJson())) +} diff --git a/api4/saml_test.go b/api4/saml_test.go new file mode 100644 index 000000000..7e4722a3b --- /dev/null +++ b/api4/saml_test.go @@ -0,0 +1,19 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package api4 + +import ( + "testing" +) + +func TestGetSamlMetadata(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + + _, resp := Client.GetSamlMetadata() + CheckNotImplementedStatus(t, resp) + + // Rest is tested by enterprise tests +} diff --git a/app/saml.go b/app/saml.go index cc39d4540..444214302 100644 --- a/app/saml.go +++ b/app/saml.go @@ -16,21 +16,19 @@ import ( func GetSamlMetadata() (string, *model.AppError) { samlInterface := einterfaces.GetSamlInterface() - if samlInterface == nil { - err := model.NewLocAppError("GetSamlMetadata", "api.admin.saml.not_available.app_error", nil, "") - err.StatusCode = http.StatusNotImplemented + err := model.NewAppError("GetSamlMetadata", "api.admin.saml.not_available.app_error", nil, "", http.StatusNotImplemented) return "", err } if result, err := samlInterface.GetMetadata(); err != nil { - return "", model.NewLocAppError("GetSamlMetadata", "api.admin.saml.metadata.app_error", nil, "err="+err.Message) + return "", model.NewAppError("GetSamlMetadata", "api.admin.saml.metadata.app_error", nil, "err="+err.Message, http.StatusInternalServerError) } else { return result, nil } } -func AddSamlCertificate(fileData *multipart.FileHeader) *model.AppError { +func WriteSamlFile(fileData *multipart.FileHeader) *model.AppError { file, err := fileData.Open() defer file.Close() if err != nil { @@ -47,7 +45,67 @@ func AddSamlCertificate(fileData *multipart.FileHeader) *model.AppError { return nil } -func RemoveSamlCertificate(filename string) *model.AppError { +func AddSamlPublicCertificate(fileData *multipart.FileHeader) *model.AppError { + if err := WriteSamlFile(fileData); err != nil { + return err + } + + cfg := &model.Config{} + *cfg = *utils.Cfg + + *cfg.SamlSettings.PublicCertificateFile = fileData.Filename + + if err := cfg.IsValid(); err != nil { + return err + } + + utils.SaveConfig(utils.CfgFileName, cfg) + utils.LoadConfig(utils.CfgFileName) + + return nil +} + +func AddSamlPrivateCertificate(fileData *multipart.FileHeader) *model.AppError { + if err := WriteSamlFile(fileData); err != nil { + return err + } + + cfg := &model.Config{} + *cfg = *utils.Cfg + + *cfg.SamlSettings.PrivateKeyFile = fileData.Filename + + if err := cfg.IsValid(); err != nil { + return err + } + + utils.SaveConfig(utils.CfgFileName, cfg) + utils.LoadConfig(utils.CfgFileName) + + return nil +} + +func AddSamlIdpCertificate(fileData *multipart.FileHeader) *model.AppError { + if err := WriteSamlFile(fileData); err != nil { + return err + } + + cfg := &model.Config{} + *cfg = *utils.Cfg + + *cfg.SamlSettings.IdpCertificateFile = fileData.Filename + + if err := cfg.IsValid(); err != nil { + return err + } + + utils.SaveConfig(utils.CfgFileName, cfg) + utils.LoadConfig(utils.CfgFileName) + + return nil +} + +func RemoveSamlFile(filename string) *model.AppError { if err := os.Remove(utils.FindConfigFile(filename)); err != nil { return model.NewLocAppError("removeCertificate", "api.admin.remove_certificate.delete.app_error", map[string]interface{}{"Filename": filename}, err.Error()) @@ -56,12 +114,75 @@ func RemoveSamlCertificate(filename string) *model.AppError { return nil } -func GetSamlCertificateStatus() map[string]interface{} { - status := make(map[string]interface{}) +func RemoveSamlPublicCertificate() *model.AppError { + if err := RemoveSamlFile(*utils.Cfg.SamlSettings.PublicCertificateFile); err != nil { + return err + } + + cfg := &model.Config{} + *cfg = *utils.Cfg + + *cfg.SamlSettings.PublicCertificateFile = "" + *cfg.SamlSettings.Encrypt = false + + if err := cfg.IsValid(); err != nil { + return err + } + + utils.SaveConfig(utils.CfgFileName, cfg) + utils.LoadConfig(utils.CfgFileName) + + return nil +} + +func RemoveSamlPrivateCertificate() *model.AppError { + if err := RemoveSamlFile(*utils.Cfg.SamlSettings.PrivateKeyFile); err != nil { + return err + } + + cfg := &model.Config{} + *cfg = *utils.Cfg + + *cfg.SamlSettings.PrivateKeyFile = "" + *cfg.SamlSettings.Encrypt = false + + if err := cfg.IsValid(); err != nil { + return err + } + + utils.SaveConfig(utils.CfgFileName, cfg) + utils.LoadConfig(utils.CfgFileName) + + return nil +} + +func RemoveSamlIdpCertificate() *model.AppError { + if err := RemoveSamlFile(*utils.Cfg.SamlSettings.IdpCertificateFile); err != nil { + return err + } + + cfg := &model.Config{} + *cfg = *utils.Cfg + + *cfg.SamlSettings.IdpCertificateFile = "" + *cfg.SamlSettings.Enable = false + + if err := cfg.IsValid(); err != nil { + return err + } + + utils.SaveConfig(utils.CfgFileName, cfg) + utils.LoadConfig(utils.CfgFileName) + + return nil +} + +func GetSamlCertificateStatus() *model.SamlCertificateStatus { + status := &model.SamlCertificateStatus{} - status["IdpCertificateFile"] = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.IdpCertificateFile) - status["PrivateKeyFile"] = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.PrivateKeyFile) - status["PublicCertificateFile"] = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.PublicCertificateFile) + status.IdpCertificateFile = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.IdpCertificateFile) + status.PrivateKeyFile = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.PrivateKeyFile) + status.PublicCertificateFile = utils.FileExistsInConfigFolder(*utils.Cfg.SamlSettings.PublicCertificateFile) return status } diff --git a/i18n/en.json b/i18n/en.json index 77660a840..24ade54d5 100644 --- a/i18n/en.json +++ b/i18n/en.json @@ -7,6 +7,10 @@ "id": "api.post.link_preview_disabled.app_error", "translation": "Link previews have been disabled by the system administrator." }, + { + "id": "model.client.upload_saml_cert.app_error", + "translation": "Error creating SAML certificate multipart form request" + }, { "id": "August", "translation": "August" diff --git a/model/client4.go b/model/client4.go index 71d37341d..808ce74e3 100644 --- a/model/client4.go +++ b/model/client4.go @@ -150,6 +150,10 @@ func (c *Client4) GetPreferencesRoute(userId string) string { return fmt.Sprintf(c.GetUserRoute(userId) + "/preferences") } +func (c *Client4) GetSamlRoute() string { + return fmt.Sprintf("/saml") +} + func (c *Client4) DoApiGet(url string, etag string) (*http.Response, *AppError) { return c.DoApiRequest(http.MethodGet, url, "", etag) } @@ -994,7 +998,7 @@ func (c *Client4) DeleteIncomingWebhook(hookID string) (bool, *Response) { // Preferences Section -// GetPreferences returns the user's preferences +// GetPreferences returns the user's preferences. func (c *Client4) GetPreferences(userId string) (Preferences, *Response) { if r, err := c.DoApiGet(c.GetPreferencesRoute(userId), ""); err != nil { return nil, &Response{StatusCode: r.StatusCode, Error: err} @@ -1005,7 +1009,7 @@ func (c *Client4) GetPreferences(userId string) (Preferences, *Response) { } } -// UpdatePreferences saves the user's preferences +// UpdatePreferences saves the user's preferences. func (c *Client4) UpdatePreferences(userId string, preferences *Preferences) (bool, *Response) { if r, err := c.DoApiPut(c.GetPreferencesRoute(userId), preferences.ToJson()); err != nil { return false, &Response{StatusCode: r.StatusCode, Error: err} @@ -1015,7 +1019,7 @@ func (c *Client4) UpdatePreferences(userId string, preferences *Preferences) (bo } } -// DeletePreferences deletes the user's preferences +// DeletePreferences deletes the user's preferences. func (c *Client4) DeletePreferences(userId string, preferences *Preferences) (bool, *Response) { if r, err := c.DoApiPost(c.GetPreferencesRoute(userId)+"/delete", preferences.ToJson()); err != nil { return false, &Response{StatusCode: r.StatusCode, Error: err} @@ -1025,7 +1029,7 @@ func (c *Client4) DeletePreferences(userId string, preferences *Preferences) (bo } } -// GetPreferencesByCategory returns the user's preferences from the provided category string +// GetPreferencesByCategory returns the user's preferences from the provided category string. func (c *Client4) GetPreferencesByCategory(userId string, category string) (Preferences, *Response) { url := fmt.Sprintf(c.GetPreferencesRoute(userId)+"/%s", category) if r, err := c.DoApiGet(url, ""); err != nil { @@ -1037,7 +1041,7 @@ func (c *Client4) GetPreferencesByCategory(userId string, category string) (Pref } } -// GetPreferenceByCategoryAndName returns the user's preferences from the provided category and preference name string +// GetPreferenceByCategoryAndName returns the user's preferences from the provided category and preference name string. func (c *Client4) GetPreferenceByCategoryAndName(userId string, category string, preferenceName string) (*Preference, *Response) { url := fmt.Sprintf(c.GetPreferencesRoute(userId)+"/%s/name/%v", category, preferenceName) if r, err := c.DoApiGet(url, ""); err != nil { @@ -1047,3 +1051,107 @@ func (c *Client4) GetPreferenceByCategoryAndName(userId string, category string, return PreferenceFromJson(r.Body), BuildResponse(r) } } + +// SAML Section + +// GetSamlMetadata returns metadata for the SAML configuration. +func (c *Client4) GetSamlMetadata() (string, *Response) { + if r, err := c.DoApiGet(c.GetSamlRoute()+"/metadata", ""); err != nil { + return "", &Response{StatusCode: r.StatusCode, Error: err} + } else { + defer closeBody(r) + buf := new(bytes.Buffer) + buf.ReadFrom(r.Body) + return buf.String(), BuildResponse(r) + } +} + +func samlFileToMultipart(data []byte, filename string) ([]byte, *multipart.Writer, error) { + body := &bytes.Buffer{} + writer := multipart.NewWriter(body) + + if part, err := writer.CreateFormFile("certificate", filename); err != nil { + return nil, nil, err + } else if _, err = io.Copy(part, bytes.NewBuffer(data)); err != nil { + return nil, nil, err + } + + if err := writer.Close(); err != nil { + return nil, nil, err + } + + return body.Bytes(), writer, nil +} + +// UploadSamlIdpCertificate will upload an IDP certificate for SAML and set the config to use it. +func (c *Client4) UploadSamlIdpCertificate(data []byte, filename string) (bool, *Response) { + body, writer, err := samlFileToMultipart(data, filename) + if err != nil { + return false, &Response{Error: NewAppError("UploadSamlIdpCertificate", "model.client.upload_saml_cert.app_error", nil, err.Error(), http.StatusBadRequest)} + } + + _, resp := c.DoUploadFile(c.GetSamlRoute()+"/certificate/idp", body, writer.FormDataContentType()) + return resp.Error == nil, resp +} + +// UploadSamlPublicCertificate will upload a public certificate for SAML and set the config to use it. +func (c *Client4) UploadSamlPublicCertificate(data []byte, filename string) (bool, *Response) { + body, writer, err := samlFileToMultipart(data, filename) + if err != nil { + return false, &Response{Error: NewAppError("UploadSamlPublicCertificate", "model.client.upload_saml_cert.app_error", nil, err.Error(), http.StatusBadRequest)} + } + + _, resp := c.DoUploadFile(c.GetSamlRoute()+"/certificate/public", body, writer.FormDataContentType()) + return resp.Error == nil, resp +} + +// UploadSamlPrivateCertificate will upload a private key for SAML and set the config to use it. +func (c *Client4) UploadSamlPrivateCertificate(data []byte, filename string) (bool, *Response) { + body, writer, err := samlFileToMultipart(data, filename) + if err != nil { + return false, &Response{Error: NewAppError("UploadSamlPrivateCertificate", "model.client.upload_saml_cert.app_error", nil, err.Error(), http.StatusBadRequest)} + } + + _, resp := c.DoUploadFile(c.GetSamlRoute()+"/certificate/private", body, writer.FormDataContentType()) + return resp.Error == nil, resp +} + +// DeleteSamlIdpCertificate deletes the SAML IDP certificate from the server and updates the config to not use it and disable SAML. +func (c *Client4) DeleteSamlIdpCertificate() (bool, *Response) { + if r, err := c.DoApiDelete(c.GetSamlRoute() + "/certificate/idp"); err != nil { + return false, &Response{StatusCode: r.StatusCode, Error: err} + } else { + defer closeBody(r) + return CheckStatusOK(r), BuildResponse(r) + } +} + +// DeleteSamlPublicCertificate deletes the SAML IDP certificate from the server and updates the config to not use it and disable SAML. +func (c *Client4) DeleteSamlPublicCertificate() (bool, *Response) { + if r, err := c.DoApiDelete(c.GetSamlRoute() + "/certificate/public"); err != nil { + return false, &Response{StatusCode: r.StatusCode, Error: err} + } else { + defer closeBody(r) + return CheckStatusOK(r), BuildResponse(r) + } +} + +// DeleteSamlPrivateCertificate deletes the SAML IDP certificate from the server and updates the config to not use it and disable SAML. +func (c *Client4) DeleteSamlPrivateCertificate() (bool, *Response) { + if r, err := c.DoApiDelete(c.GetSamlRoute() + "/certificate/private"); err != nil { + return false, &Response{StatusCode: r.StatusCode, Error: err} + } else { + defer closeBody(r) + return CheckStatusOK(r), BuildResponse(r) + } +} + +// GetSamlCertificateStatus returns metadata for the SAML configuration. +func (c *Client4) GetSamlCertificateStatus() (*SamlCertificateStatus, *Response) { + if r, err := c.DoApiGet(c.GetSamlRoute()+"/certificate/status", ""); err != nil { + return nil, &Response{StatusCode: r.StatusCode, Error: err} + } else { + defer closeBody(r) + return SamlCertificateStatusFromJson(r.Body), BuildResponse(r) + } +} diff --git a/model/saml.go b/model/saml.go index 16d3845da..1371c433f 100644 --- a/model/saml.go +++ b/model/saml.go @@ -3,6 +3,11 @@ package model +import ( + "encoding/json" + "io" +) + const ( USER_AUTH_SERVICE_SAML = "saml" USER_AUTH_SERVICE_SAML_TEXT = "With SAML" @@ -16,3 +21,29 @@ type SamlAuthRequest struct { URL string RelayState string } + +type SamlCertificateStatus struct { + IdpCertificateFile bool `json:"idp_certificate_file"` + PrivateKeyFile bool `json:"private_key_file"` + PublicCertificateFile bool `json:"public_certificate_file"` +} + +func (s *SamlCertificateStatus) ToJson() string { + b, err := json.Marshal(s) + if err != nil { + return "" + } else { + return string(b) + } +} + +func SamlCertificateStatusFromJson(data io.Reader) *SamlCertificateStatus { + decoder := json.NewDecoder(data) + var status SamlCertificateStatus + err := decoder.Decode(&status) + if err == nil { + return &status + } else { + return nil + } +} diff --git a/model/saml_test.go b/model/saml_test.go new file mode 100644 index 000000000..578e78da5 --- /dev/null +++ b/model/saml_test.go @@ -0,0 +1,24 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package model + +import ( + "strings" + "testing" +) + +func TestSamlCertificateStatusJson(t *testing.T) { + status := &SamlCertificateStatus{IdpCertificateFile: true, PrivateKeyFile: true, PublicCertificateFile: true} + json := status.ToJson() + rstatus := SamlCertificateStatusFromJson(strings.NewReader(json)) + + if status.IdpCertificateFile != rstatus.IdpCertificateFile { + t.Fatal("IdpCertificateFile do not match") + } + + rstatus = SamlCertificateStatusFromJson(strings.NewReader("junk")) + if rstatus != nil { + t.Fatal("should be nil") + } +} -- cgit v1.2.3-1-g7c22