From be9624e2adce7c95039e62fc4ee22538d7fa2d2f Mon Sep 17 00:00:00 2001 From: Joram Wilander Date: Thu, 20 Apr 2017 09:55:02 -0400 Subject: Implement v4 endpoints for OAuth (#6040) * Implement POST /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps endpoint for APIv4 * Implement GET /oauth/apps/{app_id} and /oauth/apps/{app_id}/info endpoints for APIv4 * Refactor API version independent oauth endpoints * Implement DELETE /oauth/apps/{app_id} endpoint for APIv4 * Implement /oauth/apps/{app_id}/regen_secret endpoint for APIv4 * Implement GET /user/{user_id}/oauth/apps/authorized endpoint for APIv4 * Implement POST /oauth/deauthorize endpoint --- api4/oauth.go | 481 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 481 insertions(+) create mode 100644 api4/oauth.go (limited to 'api4/oauth.go') diff --git a/api4/oauth.go b/api4/oauth.go new file mode 100644 index 000000000..3ace501e4 --- /dev/null +++ b/api4/oauth.go @@ -0,0 +1,481 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package api4 + +import ( + "net/http" + "net/url" + "strings" + + l4g "github.com/alecthomas/log4go" + "github.com/mattermost/platform/app" + "github.com/mattermost/platform/model" + "github.com/mattermost/platform/utils" +) + +func InitOAuth() { + l4g.Debug(utils.T("api.oauth.init.debug")) + + BaseRoutes.OAuthApps.Handle("", ApiSessionRequired(createOAuthApp)).Methods("POST") + BaseRoutes.OAuthApps.Handle("", ApiSessionRequired(getOAuthApps)).Methods("GET") + BaseRoutes.OAuthApp.Handle("", ApiSessionRequired(getOAuthApp)).Methods("GET") + BaseRoutes.OAuthApp.Handle("/info", ApiSessionRequired(getOAuthAppInfo)).Methods("GET") + BaseRoutes.OAuthApp.Handle("", ApiSessionRequired(deleteOAuthApp)).Methods("DELETE") + BaseRoutes.OAuthApp.Handle("/regen_secret", ApiSessionRequired(regenerateOAuthAppSecret)).Methods("POST") + + BaseRoutes.User.Handle("/oauth/apps/authorized", ApiSessionRequired(getAuthorizedOAuthApps)).Methods("GET") + + // API version independent OAuth 2.0 as a service provider endpoints + BaseRoutes.Root.Handle("/oauth/authorize", ApiHandlerTrustRequester(authorizeOAuthPage)).Methods("GET") + BaseRoutes.Root.Handle("/oauth/authorize", ApiSessionRequired(authorizeOAuthApp)).Methods("POST") + BaseRoutes.Root.Handle("/oauth/deauthorize", ApiSessionRequired(deauthorizeOAuthApp)).Methods("POST") + BaseRoutes.Root.Handle("/oauth/access_token", ApiHandlerTrustRequester(getAccessToken)).Methods("POST") + + // API version independent OAuth as a client endpoints + BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") + BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/login", ApiHandler(loginWithOAuth)).Methods("GET") + BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/signup", ApiHandler(signupWithOAuth)).Methods("GET") + + // Old endpoints for backwards compatibility, needed to not break SSO for any old setups + BaseRoutes.Root.Handle("/api/v3/oauth/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") + BaseRoutes.Root.Handle("/signup/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") + BaseRoutes.Root.Handle("/login/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") +} + +func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { + oauthApp := model.OAuthAppFromJson(r.Body) + + if oauthApp == nil { + c.SetInvalidParam("oauth_app") + return + } + + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) + return + } + + oauthApp.CreatorId = c.Session.UserId + + rapp, err := app.CreateOAuthApp(oauthApp) + if err != nil { + c.Err = err + return + } + + c.LogAudit("client_id=" + rapp.Id) + w.WriteHeader(http.StatusCreated) + w.Write([]byte(rapp.ToJson())) +} + +func getOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + c.Err = model.NewAppError("getOAuthApps", "api.command.admin_only.app_error", nil, "", http.StatusForbidden) + return + } + + var apps []*model.OAuthApp + var err *model.AppError + if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { + apps, err = app.GetOAuthApps(c.Params.Page, c.Params.PerPage) + } else if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + apps, err = app.GetOAuthAppsByCreator(c.Session.UserId, c.Params.Page, c.Params.PerPage) + } else { + c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) + return + } + + if err != nil { + c.Err = err + return + } + + w.Write([]byte(model.OAuthAppListToJson(apps))) +} + +func getOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireAppId() + if c.Err != nil { + return + } + + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) + return + } + + oauthApp, err := app.GetOAuthApp(c.Params.AppId) + if err != nil { + c.Err = err + return + } + + if oauthApp.CreatorId != c.Session.UserId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) + return + } + + w.Write([]byte(oauthApp.ToJson())) +} + +func getOAuthAppInfo(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireAppId() + if c.Err != nil { + return + } + + oauthApp, err := app.GetOAuthApp(c.Params.AppId) + if err != nil { + c.Err = err + return + } + + oauthApp.Sanitize() + w.Write([]byte(oauthApp.ToJson())) +} + +func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireAppId() + if c.Err != nil { + return + } + + c.LogAudit("attempt") + + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) + return + } + + oauthApp, err := app.GetOAuthApp(c.Params.AppId) + if err != nil { + c.Err = err + return + } + + if c.Session.UserId != oauthApp.CreatorId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) + return + } + + err = app.DeleteOAuthApp(oauthApp.Id) + if err != nil { + c.Err = err + return + } + + c.LogAudit("success") + ReturnStatusOK(w) +} + +func regenerateOAuthAppSecret(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireAppId() + if c.Err != nil { + return + } + + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) + return + } + + oauthApp, err := app.GetOAuthApp(c.Params.AppId) + if err != nil { + c.Err = err + return + } + + if oauthApp.CreatorId != c.Session.UserId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) + return + } + + oauthApp, err = app.RegenerateOAuthAppSecret(oauthApp) + if err != nil { + c.Err = err + return + } + + c.LogAudit("success") + w.Write([]byte(oauthApp.ToJson())) +} + +func getAuthorizedOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireUserId() + if c.Err != nil { + return + } + + if !app.SessionHasPermissionToUser(c.Session, c.Params.UserId) { + c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) + return + } + + apps, err := app.GetAuthorizedAppsForUser(c.Params.UserId, c.Params.Page, c.Params.PerPage) + if err != nil { + c.Err = err + return + } + + w.Write([]byte(model.OAuthAppListToJson(apps))) +} + +func authorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { + authRequest := model.AuthorizeRequestFromJson(r.Body) + if authRequest == nil { + c.SetInvalidParam("authorize_request") + } + + if err := authRequest.IsValid(); err != nil { + c.Err = err + return + } + + c.LogAudit("attempt") + + redirectUrl, err := app.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest) + + if err != nil { + c.Err = err + return + } + + c.LogAudit("") + + w.Write([]byte(model.MapToJson(map[string]string{"redirect": redirectUrl}))) +} + +func deauthorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { + requestData := model.MapFromJson(r.Body) + clientId := requestData["client_id"] + + if len(clientId) != 26 { + c.SetInvalidParam("client_id") + return + } + + err := app.DeauthorizeOAuthAppForUser(c.Session.UserId, clientId) + if err != nil { + c.Err = err + return + } + + c.LogAudit("success") + ReturnStatusOK(w) +} + +func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) { + if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { + err := model.NewAppError("authorizeOAuth", "api.oauth.authorize_oauth.disabled.app_error", nil, "", http.StatusNotImplemented) + utils.RenderWebError(err, w, r) + return + } + + authRequest := &model.AuthorizeRequest{ + ResponseType: r.URL.Query().Get("response_type"), + ClientId: r.URL.Query().Get("client_id"), + RedirectUri: r.URL.Query().Get("redirect_uri"), + Scope: r.URL.Query().Get("scope"), + State: r.URL.Query().Get("state"), + } + + if err := authRequest.IsValid(); err != nil { + utils.RenderWebError(err, w, r) + return + } + + oauthApp, err := app.GetOAuthApp(authRequest.ClientId) + if err != nil { + utils.RenderWebError(err, w, r) + return + } + + // here we should check if the user is logged in + if len(c.Session.UserId) == 0 { + http.Redirect(w, r, c.GetSiteURLHeader()+"/login?redirect_to="+url.QueryEscape(r.RequestURI), http.StatusFound) + return + } + + isAuthorized := false + + if _, err := app.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil { + // when we support scopes we should check if the scopes match + isAuthorized = true + } + + // Automatically allow if the app is trusted + if oauthApp.IsTrusted || isAuthorized { + authRequest.ResponseType = model.AUTHCODE_RESPONSE_TYPE + redirectUrl, err := app.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest) + + if err != nil { + utils.RenderWebError(err, w, r) + return + } + + http.Redirect(w, r, redirectUrl, http.StatusFound) + return + } + + w.Header().Set("X-Frame-Options", "SAMEORIGIN") + w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'") + w.Header().Set("Content-Type", "text/html") + w.Header().Set("Cache-Control", "no-cache, max-age=31556926, public") + http.ServeFile(w, r, utils.FindDir(model.CLIENT_DIR)+"root.html") +} + +func getAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { + r.ParseForm() + + code := r.FormValue("code") + refreshToken := r.FormValue("refresh_token") + + grantType := r.FormValue("grant_type") + switch grantType { + case model.ACCESS_TOKEN_GRANT_TYPE: + if len(code) == 0 { + c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.missing_code.app_error", nil, "", http.StatusBadRequest) + return + } + case model.REFRESH_TOKEN_GRANT_TYPE: + if len(refreshToken) == 0 { + c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.missing_refresh_token.app_error", nil, "", http.StatusBadRequest) + return + } + default: + c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_grant.app_error", nil, "", http.StatusBadRequest) + return + } + + clientId := r.FormValue("client_id") + if len(clientId) != 26 { + c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_client_id.app_error", nil, "", http.StatusBadRequest) + return + } + + secret := r.FormValue("client_secret") + if len(secret) == 0 { + c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_client_secret.app_error", nil, "", http.StatusBadRequest) + return + } + + redirectUri := r.FormValue("redirect_uri") + + c.LogAudit("attempt") + + accessRsp, err := app.GetOAuthAccessToken(clientId, grantType, redirectUri, code, secret, refreshToken) + if err != nil { + c.Err = err + return + } + + w.Header().Set("Content-Type", "application/json") + w.Header().Set("Cache-Control", "no-store") + w.Header().Set("Pragma", "no-cache") + + c.LogAudit("success") + + w.Write([]byte(accessRsp.ToJson())) +} + +func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireService() + if c.Err != nil { + return + } + + service := c.Params.Service + + code := r.URL.Query().Get("code") + if len(code) == 0 { + c.Err = model.NewAppError("completeOAuth", "api.oauth.complete_oauth.missing_code.app_error", map[string]interface{}{"service": strings.Title(service)}, "URL: "+r.URL.String(), http.StatusBadRequest) + return + } + + state := r.URL.Query().Get("state") + + uri := c.GetSiteURLHeader() + "/signup/" + service + "/complete" + + body, teamId, props, err := app.AuthorizeOAuthUser(service, code, state, uri) + if err != nil { + c.Err = err + return + } + + user, err := app.CompleteOAuth(service, body, teamId, props) + if err != nil { + c.Err = err + return + } + + action := props["action"] + + var redirectUrl string + if action == model.OAUTH_ACTION_EMAIL_TO_SSO { + redirectUrl = c.GetSiteURLHeader() + "/login?extra=signin_change" + } else if action == model.OAUTH_ACTION_SSO_TO_EMAIL { + + redirectUrl = app.GetProtocol(r) + "://" + r.Host + "/claim?email=" + url.QueryEscape(props["email"]) + } else { + session, err := app.DoLogin(w, r, user, "") + if err != nil { + c.Err = err + return + } + + c.Session = *session + + redirectUrl = c.GetSiteURLHeader() + } + + http.Redirect(w, r, redirectUrl, http.StatusTemporaryRedirect) +} + +func loginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireService() + if c.Err != nil { + return + } + + loginHint := r.URL.Query().Get("login_hint") + redirectTo := r.URL.Query().Get("redirect_to") + + teamId, err := app.GetTeamIdFromQuery(r.URL.Query()) + if err != nil { + c.Err = err + return + } + + if authUrl, err := app.GetOAuthLoginEndpoint(c.Params.Service, teamId, redirectTo, loginHint); err != nil { + c.Err = err + return + } else { + http.Redirect(w, r, authUrl, http.StatusFound) + } +} + +func signupWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireService() + if c.Err != nil { + return + } + + if !utils.Cfg.TeamSettings.EnableUserCreation { + c.Err = model.NewAppError("signupWithOAuth", "api.oauth.singup_with_oauth.disabled.app_error", nil, "", http.StatusNotImplemented) + return + } + + teamId, err := app.GetTeamIdFromQuery(r.URL.Query()) + if err != nil { + c.Err = err + return + } + + if authUrl, err := app.GetOAuthSignupEndpoint(c.Params.Service, teamId); err != nil { + c.Err = err + return + } else { + http.Redirect(w, r, authUrl, http.StatusFound) + } +} -- cgit v1.2.3-1-g7c22