From 1326ab66a141e73f1ef7d9d39bb86596f56179e0 Mon Sep 17 00:00:00 2001
From: enahum
Date: Tue, 30 Aug 2016 21:15:40 -0300
Subject: PLT-3984 Add the ability to regenerate OAuth Client Secret (#3899)

---
 api/oauth.go | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 api/oauth_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 1 deletion(-)

(limited to 'api')

diff --git a/api/oauth.go b/api/oauth.go
index d3495895f..7942b0e0c 100644
--- a/api/oauth.go
+++ b/api/oauth.go
@@ -32,7 +32,8 @@ func InitOAuth() {
 	BaseRoutes.OAuth.Handle("/allow", ApiUserRequired(allowOAuth)).Methods("GET")
 	BaseRoutes.OAuth.Handle("/authorized", ApiUserRequired(getAuthorizedApps)).Methods("GET")
 	BaseRoutes.OAuth.Handle("/delete", ApiUserRequired(deleteOAuthApp)).Methods("POST")
-	BaseRoutes.OAuth.Handle("/{id:[A-Za-z0-9]+}/deauthorize", AppHandlerIndependent(deauthorizeOAuthApp)).Methods("POST")
+	BaseRoutes.OAuth.Handle("/{id:[A-Za-z0-9]+}/deauthorize", ApiUserRequired(deauthorizeOAuthApp)).Methods("POST")
+	BaseRoutes.OAuth.Handle("/{id:[A-Za-z0-9]+}/regen_secret", ApiUserRequired(regenerateOAuthSecret)).Methods("POST")
 	BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/complete", AppHandlerIndependent(completeOAuth)).Methods("GET")
 	BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/login", AppHandlerIndependent(loginWithOAuth)).Methods("GET")
 	BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/signup", AppHandlerIndependent(signupWithOAuth)).Methods("GET")
@@ -957,6 +958,55 @@ func deauthorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 	ReturnStatusOK(w)
 }
 
+func regenerateOAuthSecret(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider {
+		c.Err = model.NewLocAppError("registerOAuthApp", "api.oauth.register_oauth_app.turn_off.app_error", nil, "")
+		c.Err.StatusCode = http.StatusNotImplemented
+		return
+	}
+
+	isSystemAdmin := c.IsSystemAdmin()
+
+	if *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations {
+		if !isSystemAdmin {
+			c.Err = model.NewLocAppError("registerOAuthApp", "api.command.admin_only.app_error", nil, "")
+			c.Err.StatusCode = http.StatusForbidden
+			return
+		}
+	}
+
+	params := mux.Vars(r)
+	id := params["id"]
+
+	if len(id) == 0 {
+		c.SetInvalidParam("regenerateOAuthSecret", "id")
+		return
+	}
+
+	var app *model.OAuthApp
+	if result := <-Srv.Store.OAuth().GetApp(id); result.Err != nil {
+		c.Err = model.NewLocAppError("regenerateOAuthSecret", "api.oauth.allow_oauth.database.app_error", nil, "")
+		return
+	} else {
+		app = result.Data.(*model.OAuthApp)
+
+		//validate that is a System Admin or the same user that registered the app
+		if !isSystemAdmin && app.CreatorId != c.Session.UserId {
+			c.Err = model.NewLocAppError("regenerateOAuthSecret", "api.oauth.regenerate_secret.app_error", nil, "")
+			return
+		}
+
+		app.ClientSecret = model.NewId()
+		if update := <-Srv.Store.OAuth().UpdateApp(app); update.Err != nil {
+			c.Err = update.Err
+			return
+		}
+
+		w.Write([]byte(app.ToJson()))
+		return
+	}
+}
+
 func newSession(appName string, user *model.User) (*model.Session, *model.AppError) {
 	// set new token an session
 	session := &model.Session{UserId: user.Id, Roles: user.Roles, IsOAuth: true}
diff --git a/api/oauth_test.go b/api/oauth_test.go
index 944b1a95b..a54fbc2c3 100644
--- a/api/oauth_test.go
+++ b/api/oauth_test.go
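Review bot: The ownership check in regenerateOAuthSecret (`if !isSystemAdmin && app.CreatorId != c.Session.UserId`) assigns c.Err without a StatusCode, so a non-owner's request is rejected with whatever NewLocAppError defaults to instead of the 403 the admin-only branch a few lines above sets; add `c.Err.StatusCode = http.StatusForbidden` directly after that assignment. The first two error paths also label themselves `"registerOAuthApp"`, evidently copied from the registration handler, which misattributes these failures in logs; they should read `"regenerateOAuthSecret"` like the later ones. The GetApp failure path discards result.Err in favour of the generic allow_oauth database message, so an unknown id is indistinguishable from a real store fault, whereas the UpdateApp branch passes update.Err through; treating the two alike would make the response and the logs more useful. Since this rotates a credential and silently invalidates the old one, recording it the way the file records other app changes would help incident response, though the deauthorize handler's body lies outside the hunk so I cannot confirm its convention. Stylistically the `else` after the GetApp `return` can be dropped so the happy path sits unindented.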
@@ -278,6 +278,30 @@ func TestDeauthorizeApp(t *testing.T) {
 	}
 }
 
+func TestRegenerateOAuthAppSecret(t *testing.T) {
+	th := Setup().InitSystemAdmin()
+	AdminClient := th.SystemAdminClient
+
+	utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true
+
+	app := &model.OAuthApp{Name: "TestApp6" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
+
+	app = AdminClient.Must(AdminClient.RegisterApp(app)).Data.(*model.OAuthApp)
+
+	if regenApp, err := AdminClient.RegenerateOAuthAppSecret(app.Id); err != nil {
+		t.Fatal(err)
+	} else {
+		app2 := regenApp.Data.(*model.OAuthApp)
+		if app2.Id != app.Id {
+			t.Fatal("Should have been the same app Id")
+		}
+
+		if app2.ClientSecret == app.ClientSecret {
+			t.Fatal("Should have been diferent client Secrets")
+		}
+	}
+}
+
 func TestOAuthDeleteApp(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
 	Client := th.BasicClient
-- 
cgit v1.2.3-1-g7c22
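Review bot: TestRegenerateOAuthAppSecret only exercises the system-admin path, so the handler's creator-or-admin ownership check has no coverage and a regression there would pass this test. Using the fixture the neighbouring test already uses, `th := Setup().InitBasic().InitSystemAdmin()` and then `if _, err := th.BasicClient.RegenerateOAuthAppSecret(app.Id); err == nil { t.Fatal("non-owner should not regenerate secret") }` would pin that a regular user cannot rotate the admin's app secret (assuming BasicClient is the same client type as SystemAdminClient). For the basic user to reach the ownership check, EnableOnlyAdminIntegrations must be false; presumably the test config default, but setting it explicitly keeps the test independent of ordering. The fatal message also has a typo, `diferent`.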