From 5e78d7fe12a39e28a6520b023b0df0fc66a826d5 Mon Sep 17 00:00:00 2001 From: Chris Duarte Date: Thu, 4 Jan 2018 09:45:59 -0800 Subject: Add admin update endpoint that can update authservice and authdata (#7842) * add admin update endpoint that can upate authservice and authdata * Control only SystemAdmin access * Refactored AdminUpdate endpoint to only be able to update AuthData, AuthService and Password by User.Id * Refactor to move `PUT /api/v4/users/{user_id}/auth`. Created a struct to hold UserAuth info. --- api4/user.go | 27 ++++++++++++++++++++++++ api4/user_test.go | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ app/user.go | 24 +++++++++++++++++++++ model/client4.go | 10 +++++++++ model/user.go | 26 +++++++++++++++++++++++ 5 files changed, 150 insertions(+) diff --git a/api4/user.go b/api4/user.go index 6cb064f8c..0b07f8dc7 100644 --- a/api4/user.go +++ b/api4/user.go @@ -38,6 +38,8 @@ func (api *API) InitUser() { api.BaseRoutes.Users.Handle("/email/verify", api.ApiHandler(verifyUserEmail)).Methods("POST") api.BaseRoutes.Users.Handle("/email/verify/send", api.ApiHandler(sendVerificationEmail)).Methods("POST") + api.BaseRoutes.User.Handle("/auth", api.ApiSessionRequiredTrustRequester(updateUserAuth)).Methods("PUT") + api.BaseRoutes.Users.Handle("/mfa", api.ApiHandler(checkUserMfa)).Methods("POST") api.BaseRoutes.User.Handle("/mfa", api.ApiSessionRequiredMfa(updateUserMfa)).Methods("PUT") api.BaseRoutes.User.Handle("/mfa/generate", api.ApiSessionRequiredMfa(generateMfaSecret)).Methods("POST") @@ -697,6 +699,31 @@ func updateUserActive(c *Context, w http.ResponseWriter, r *http.Request) { } } +func updateUserAuth(c *Context, w http.ResponseWriter, r *http.Request) { + if !c.IsSystemAdmin() { + c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) + return + } + + c.RequireUserId() + if c.Err != nil { + return + } + + userAuth := model.UserAuthFromJson(r.Body) + if userAuth == nil { + c.SetInvalidParam("user") + return + } + + if user, err := c.App.UpdateUserAuth(c.Params.UserId, userAuth); err != nil { + c.Err = err + } else { + c.LogAuditWithUserId(c.Params.UserId, fmt.Sprintf("updated user auth to service=%v", user.AuthService)) + w.Write([]byte(user.ToJson())) + } +} + func checkUserMfa(c *Context, w http.ResponseWriter, r *http.Request) { props := model.MapFromJson(r.Body) diff --git a/api4/user_test.go b/api4/user_test.go index e3f1935b4..fb9222d8f 100644 --- a/api4/user_test.go +++ b/api4/user_test.go @@ -11,6 +11,7 @@ import ( "time" "github.com/mattermost/mattermost-server/model" + "github.com/mattermost/mattermost-server/store" "github.com/mattermost/mattermost-server/utils" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" @@ -1062,6 +1063,68 @@ func TestPatchUser(t *testing.T) { CheckNoError(t, resp) } +func TestUpdateUserAuth(t *testing.T) { + th := Setup().InitSystemAdmin().InitBasic() + defer th.TearDown() + + Client := th.SystemAdminClient + team := th.CreateTeamWithClient(Client) + + user := th.CreateUser() + + th.LinkUserToTeam(user, team) + store.Must(th.App.Srv.Store.User().VerifyEmail(user.Id)) + + userAuth := &model.UserAuth{} + userAuth.AuthData = user.AuthData + userAuth.AuthService = user.AuthService + userAuth.Password = user.Password + + // Regular user can not use endpoint + if _, err := th.Client.UpdateUserAuth(user.Id, userAuth); err == nil { + t.Fatal("Shouldn't have permissions. Only Admins") + } + + userAuth.AuthData = model.NewString("test@test.com") + userAuth.AuthService = model.USER_AUTH_SERVICE_SAML + userAuth.Password = "newpassword" + ruser, resp := Client.UpdateUserAuth(user.Id, userAuth) + CheckNoError(t, resp) + + // AuthData and AuthService are set, password is set to empty + if *ruser.AuthData != *userAuth.AuthData { + t.Fatal("Should have set the correct AuthData") + } + if ruser.AuthService != model.USER_AUTH_SERVICE_SAML { + t.Fatal("Should have set the correct AuthService") + } + if ruser.Password != "" { + t.Fatal("Password should be empty") + } + + // When AuthData or AuthService are empty, password must be valid + userAuth.AuthData = user.AuthData + userAuth.AuthService = "" + userAuth.Password = "1" + if _, err := Client.UpdateUserAuth(user.Id, userAuth); err == nil { + t.Fatal("Should have errored - user password not valid") + } + + // Regular user can not use endpoint + user2 := th.CreateUser() + th.LinkUserToTeam(user2, team) + store.Must(th.App.Srv.Store.User().VerifyEmail(user2.Id)) + + Client.Login(user2.Email, "passwd1") + + userAuth.AuthData = user.AuthData + userAuth.AuthService = user.AuthService + userAuth.Password = user.Password + if _, err := Client.UpdateUserAuth(user.Id, userAuth); err == nil { + t.Fatal("Should have errored") + } +} + func TestDeleteUser(t *testing.T) { th := Setup().InitBasic().InitSystemAdmin() defer th.TearDown() diff --git a/app/user.go b/app/user.go index 626f6310f..493b391ae 100644 --- a/app/user.go +++ b/app/user.go @@ -969,6 +969,30 @@ func (a *App) PatchUser(userId string, patch *model.UserPatch, asAdmin bool) (*m return updatedUser, nil } +func (a *App) UpdateUserAuth(userId string, userAuth *model.UserAuth) (*model.UserAuth, *model.AppError) { + if userAuth.AuthData == nil || *userAuth.AuthData == "" || userAuth.AuthService == "" { + userAuth.AuthData = nil + userAuth.AuthService = "" + + if err := a.IsPasswordValid(userAuth.Password); err != nil { + return nil, err + } + password := model.HashPassword(userAuth.Password) + + if result := <-a.Srv.Store.User().UpdatePassword(userId, password); result.Err != nil { + return nil, result.Err + } + } else { + userAuth.Password = "" + + if result := <-a.Srv.Store.User().UpdateAuthData(userId, userAuth.AuthService, userAuth.AuthData, "", false); result.Err != nil { + return nil, result.Err + } + } + + return userAuth, nil +} + func (a *App) sendUpdatedUserEvent(user model.User, asAdmin bool) { a.SanitizeProfile(&user, asAdmin) diff --git a/model/client4.go b/model/client4.go index d37fb3b0f..e84a23e5f 100644 --- a/model/client4.go +++ b/model/client4.go @@ -766,6 +766,16 @@ func (c *Client4) PatchUser(userId string, patch *UserPatch) (*User, *Response) } } +// UpdateUserAuth updates a user AuthData (uthData, authService and password) in the system. +func (c *Client4) UpdateUserAuth(userId string, userAuth *UserAuth) (*UserAuth, *Response) { + if r, err := c.DoApiPut(c.GetUserRoute(userId)+"/auth", userAuth.ToJson()); err != nil { + return nil, BuildErrorResponse(r, err) + } else { + defer closeBody(r) + return UserAuthFromJson(r.Body), BuildResponse(r) + } +} + // UpdateUserMfa activates multi-factor authentication for a user if activate // is true and a valid code is provided. If activate is false, then code is not // required and multi-factor authentication is disabled for the user. diff --git a/model/user.go b/model/user.go index 8d8c76c68..7e767fd5c 100644 --- a/model/user.go +++ b/model/user.go @@ -88,6 +88,12 @@ type UserPatch struct { Locale *string `json:"locale"` } +type UserAuth struct { + Password string `json:"password,omitempty"` + AuthData *string `json:"auth_data,omitempty"` + AuthService string `json:"auth_service,omitempty"` +} + // IsValid validates the user and returns an error if it isn't configured // correctly. func (u *User) IsValid() *AppError { @@ -309,6 +315,15 @@ func (u *UserPatch) ToJson() string { } } +func (u *UserAuth) ToJson() string { + b, err := json.Marshal(u) + if err != nil { + return "" + } else { + return string(b) + } +} + // Generate a valid strong etag so the browser can cache the results func (u *User) Etag(showFullName, showEmail bool) string { return Etag(u.Id, u.UpdateAt, showFullName, showEmail) @@ -494,6 +509,17 @@ func UserPatchFromJson(data io.Reader) *UserPatch { } } +func UserAuthFromJson(data io.Reader) *UserAuth { + decoder := json.NewDecoder(data) + var user UserAuth + err := decoder.Decode(&user) + if err == nil { + return &user + } else { + return nil + } +} + func UserMapToJson(u map[string]*User) string { b, err := json.Marshal(u) if err != nil { -- cgit v1.2.3-1-g7c22