* Implement LDAP Certificate
* add diagnostics and translations
* update from code review
* pass pointer to update pict function
* pass object to first function
* remove debug log messages
* update test to add localmode test
* update lint errors
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
MM-27744 disable Zap for unit tests.
Zap has no concept of shutdown or close. Zap is only shutdown when the app exits. Not a problem for console logging, but when creating a new Zap logger that outputs to files on every unit test, that leaves no easy way to clean up until process exit. Depending on what else is running this can exhaust all file handles and cause unit tests to fail.
Zap is now disabled unit tests and uses Logr instead, regardless of config settings. `make test-server` peak file handle usage dropped from ~5K to less than 100.
* Moving diagnostics into a service
* Fixing golint checks
* Fixing tests
* Renaming from diagnostics to telemetry
* Adding missing files
* Initializing telemetry earlier in the server startup
* Fixing tests
* Adding a log for the telemetryID initialization error
* Addressing PR review comments
* Fixing merge problem
* Removing some extra Diagnostics mentions
* Making tests pass
* Add permission to convert public channel to private
* Rename to PERMISSION_CONVERT_PUBLIC_CHANNEL_TO_PRIVATE
* Fix tests
* Update definitions for roles that have manage_team
* Fix tests
* Add convert private channel to public permission
* Add to channel scoped perms
* Update permission checks on channel privacy endpoint
* Trigger CI
* Cloud token login
This PR adds the capability of activate the cloud token login that
will be used in our Cloud installations to let the customer login
for the first time without using credentials.
* Read CSRF from cookie when is not on the header and we're login with CWS
* Create new CWS login endpoint
- New endpoint created
- We're using the cloud feature from the license instead of the
configuration flag
- Removed the CSRF changes
* Reduce amount of work if cws token is not set
* Removed unused config key
* Now we store the token to detect it was used
If the token is in the token store then we are assuming that the
token was used
* Add tests
* Add i18n strings
* MM-27722 Make sidebar category validation silently reject bad channel IDs
* Call validateSidebarCategories when possible
* Remove blank line
* Stop restarting server between subtests
* Add functionality to update password with password hash
This can be used to update a user's password with a direct password
hash instead of providing the password in plaintext.
* Use test helper for local mode
* MM-23832: Initial set of changes
* MM-23832: further iteration
* MM-23832: further iteration
* MM-23832: further iteration
* MM-23832: Fixes merge.
* create migration for new Roles
* MM-23832: Renames some roles.
* MM-23832: Adds ability to see logs.
* MM-23832: Removes manage roles from restricted admin.
* MM-23832: Make authentication section read-only for restricted admin.
* MM-23832: Allow restricted admin to purge caches.
* MM-23832: Adds ability to recycle DB connections.
* MM-23832: Adds ability to purge indexes.
* MM-23832: Adds ability to test email and S3 config.
* MM-23832: Adds abilituy to read job status.
* MM-23832: Adds ability to read plugin statuses.
* MM-23832: Renames Restricted Admin to System Manager.
* MM-23832: Adds manage team roles to system_user_manager.
* MM-23832: Updates some permissions.
* MM-23832: Allow get all channels and get moderations.
* MM-23832: Adds some permissions to User Manager.
* MM-23832: Remove write users from user manager.
* MM-23832: Changes permissions for the usermanagement > users sysconsole section.
* MM-23832: Removes read_settings and write_settings permissions. Ensures the usermanagement parent permissions encompass the sub-permissions.
* MM-23832: Updates permissions.
* MM-23832: Changes some permissions checks, adds new permissions to roles.
* MM-23832: Adds ability to update a role.
* MM-23832: Permissions updates.
* MM-23832: Removes write access to plugins for system manager.
* MM-23832: Removes read compliance from new roles.
* MM-23832: Adds mock for new roles creation migration.
* MM-23832: Changes to variadic param.
* MM-23832: Removes some duplication in the permissions model. Renames some permissions constants.
* MM-23832: Updates some migrations.
* MM-23832: Removes some unnecessary constants.
* MM-23832: Changes back to old app method name.
* MM-23832: Fixes incorrect permission check.
* MM-23832: Changes write to read permission check.
* MM-23832: Removes the authentication permission from link/unlink group.
* MM-23832: Enable testing LDAP with read permissions.
* MM-23832: Make testing elasticsearch a read permission.
* MM-23832: Warn metrics are associated to any system console read permissions.
* MM-23832: Updates some permissions checks.
* MM-23832: Removes non-systemconsole permissions from roles.
* MM-23832: Update default permission assignment of sysadmin.
* MM-23832: Fixes incorrect permission check. Removes some unused stuff.
* MM-23832: Update permission to check.
* MM-23832: Switches to struct tags.
* MM-23832: Adds some docs for the permissions tag.
* MM-23832: Removes whitespace.
* MM-23832: Combines system admin restricted access with other acess-control tag.
* MM-23832: Fixes some tests.
* MM-23832: Clarifies docs, does not assume prior permission check in '-' access value case.
* MM-23832: Updates to correct access tag value.
* MM-23832: Adds test of the config settings tag access.
* MM-23832: Undoes whitespace change.
* MM-23832: Removes comment.
* MM-23832: Adds the permissions to the new roles rather than using OR conditions on the permissions checks.
* MM-23832: Removes or condition on permission check.
* MM-23832: Updates mapping.
* MM-23832: Typo fix.
* MM-23832: Adds new 'read_jobs' permission.
* MM-23832: Add read_jobs to all roles with manage_jobs.
* MM-23832: Adds new permission read_other_users_teams.
* MM-23832: Adds read filtering of config.
* MM-23932: Change tag value.
* MM-23832: Fixes some tests. Adds test for read config access tag.
* MM-23832: Adds permissions to list teams.
* MM-23832: Removes the '-' tag value. Adds a new permission read_channel_groups. Updates a permission check.
* MM-23832: Removes unnecessary parent permission for user_management. Fixes permission check change error.
* MM-23832: Removes unused parameter to filter/merge function.
* MM-23832: Renames migration name.
* MM-23832: Fix for godoc.
* MM-23832: Fixes tests.
* MM-23832: Only makes a map once rather than every function call. Doesn't require access tag on config field structs. Reverts one test update and fixes another.
* MM-23832: Removes all of the unnecessary uses of (*App).SessionHasPermissionToAny since removing the user_management parent permission.
* MM-23832: Updates constant type.
* MM-23832: Removes unnecessary comment.
* MM-23832: Renames permissions.
* MM-23832: Fix for permission name changes.
* MM-23832: Adds missing config access tags. Adds some requirec ancillary permissions for write_usermanagement_teams.
* MM-23832: Adds local API endpoint for getting config.
* MM-23832: If tag value is blank or restrict_sys_admin_write then don't do the permission check.
* MM-23832: nil check for strings prior to dereferencing.
* MM-23832: Fix for config display logic.
* MM-23832: Updates godoc.
* MM-23832: Delays the unrestricted check for parity with other permissions checks if the channel id does not exist.
* MM-23832: Removes tautology.
* MM-23832: Re-adds status code check.
* MM-23832: Adds new permission to edit brand image.
* MM-23832: Exports variable for use by mmctl.
* MM-23832: Initialize exported map for use by mmctl.
* MM-23832: Accept deprecated permissions as valid.
* MM-23832: Adds missing permissions to archive a channel.
* MM-23832: Adds missing permissions for managing team.
* MM-23832: Properly filters config values in patch and update API responses.
* MM-23832: Fixes license viewing and writing permissions.
* MM-23832: Require license to assign 'new system roles'.
* MM-23832: Adds translation keys.
* MM-23832: Updates translation order.
* MM-27529: Splits read_channel_groups into read_public_channel_groups and read_private_channel_groups.
* MM-23832: Prevent read-only permissions from editing site url test parameter.
* MM-23832: Prevent read permissions from sniffing ports and elastic password.
* MM-23832: Adds missing permission required for write user management channels.
* MM-23832: Allows new roles to search for channels.
* MM-23832: Adds ability for system_manager to manage jobs.
* MM-23832: Cluster status access by sysconsole permission, not manage_system.
* MM-23832: Adds 'add_user_to_team' permission to sysconsole write usermanagement teams.
* MM-23832: Fixes lint.
* MM-23832: Test fix.
* MM-23832: Test fix.
Co-authored-by: Catalin Tomai <catalin.tomai@mattermost.com>
Co-authored-by: Scott Bishel <scott.bishel@mattermost.com>
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
* Adding Upgrade to Enterprise version feature
* Addressing PR review comments, and adding some minor improvements
* Add tests file
* Addressing PR comments
* fix linter checks
* Storing and exposing the upgraded from TE info
* Fix showing errors on mac
* A more appropiate status code for not-supported upgrade
* Fixing tests
* Handling permissions errors
* More server logging around upgrade failures
* Apply text changes suggested from code review
Co-authored-by: Eric Sadur <57730300+esadur@users.noreply.github.com>
* Address PR review comments
* Only allow to restart the system after an upgrade
* Verify file signature before upgrade
* Adding limit to the downloaded file
* Simplifying the upgrade binary process with backup in memory
* Fixing backup/restore mechanism for the binary file
* Improve file permissions handling
* Askin the permissions for the right place (the parent directory)
* Fixing tests
* Addressing PR review comments
* Fix license headers
* Fixing retry layer
* Making it work on windows builds
* Adding license header
* Fixing 2 tests
* Fixing tests that need UpgradeFromTE System key mock
* Extracting i18n translation
* Apply suggestions from code review
Co-authored-by: Eric Sadur <57730300+esadur@users.noreply.github.com>
* Improving how the errors are written
* Fixing another error text
* Removing unneeded translation
* Fixing upgrade status strings
* Update i18n/en.json
Co-authored-by: Eric Sadur <57730300+esadur@users.noreply.github.com>
* Fixing tests
Co-authored-by: Eric Sadur <57730300+esadur@users.noreply.github.com>
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
* Add a config for MM User Limit
* Adding graceful errors for if an administrator invites people passed their user limit
* Including changed vendor files
* Adding unit test
* Fix a bug
* Push up working tests (Thanks Joram)
* Add more cases, clean up logs in code
* One more case
* Refactoring based on PR comments
* Updating i18n
* Some changes based on PR review
* Remove a comment
* Bring back some translations that were somehow removed
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
* MM-27507: Propagate rate limit errors to client
We return an error from SendInviteEmails instead of just logging it
to let the client know that a rate limit error has happened.
The status code is chosen as 413 (entity too large) instead of 429 (too many requests)
because it's not the request which is rate limited, but the payload inside it which is.
Ideally, the email sending should have been implemented by a queue which would just return
an error to the client when full. That is also why we are not returning an X-Retry-After
and X-Reset-After in the headers because that would mix with the actual rate limiting.
A separate header X-Email-Invite-Reset-After might do the job, but it comes at an extra cost
of additional API surface and a clunky API. Instead, that information is contained in the error
response. The web client needs to just surface the error. An API client will have to do
a bit more work to parse the error if it needs to automatically know when to retry. Given that
an email sending client is not a very common use case, we decide to keep the API clean.
This decision can be revisited if it becomes problematic in the future.
https://mattermost.atlassian.net/browse/MM-27507
* Fixing translations
* Added retry_after and reset_after in API response.
Mobile users were having their sessions unexpectedly expired, despite having ServiceSettings.ExtendSessionLengthWithActivity enabled.
Every time a mobile app is opened it called `/api/v4/sessions/device` which calls attachDeviceId which calls `(*Session)SetExpireInDays`. This code above assumed the expiry should be relative to CreateAt which is incorrect when ExtendSessionLengthWithActivity is enabled. Therefore, every time the mobile app was opened, the maximum expiry was set in memory to CreateAt + session_length, even if the session was extended.
(*Session)SetExpireInDays is now deprecated and replaced with (*App)SetSessionExpireInDays which takes into account the ExtendSessionLengthWithActivity setting.
* Add team filters to search teams
Remove unneeded logs
Add team filters to search teams
* Use bool pointers for filters
Re-add include group constrained
Fix lint
Return the union of filters
* Fix direct/group channel false positives
* Move public structures to model package
* Expose CheckIntegrity as a local API method
* Remove extra file
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Adds the advanced logging config for audit. Existing support for auditing to a single file remains for E0 and E10 licenses instances, and a new config item ExperimentalAuditSettings.AdvancedLoggingConfig is added that behaves like LogSettings.AdvancedLoggingConfig.
Supported destinations:
- file
- syslog (with out without TLS)
- raw TCP socket (with out without TLS)
ExperimentalAuditSettings.AdvancedLoggingConfig can contain a filespec to a config file, a database DSN, or JSON.
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Co-authored-by: Claudio Costa <cstcld91@gmail.com>
* [MM-27170] Migrate verify user by id endpoint to local mode
* Update api4/user_test.go
Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com>
Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com>
* MM-26410 Allow moving channels into Favorites when they're favorited in prefs
* MM-26410 Fix management of Favorites category when updating preferences
* MM-26410 Add management of Favorites category when deleting preferences
* Address feedback 1
* Remove WHERE (1=1) from query
* Remove unnecessary sq.Expr
* Rewrite query to use left join
* Remove redundant where statement and add some more tests
* Fix linting issues
* Rename addChannelToFavoritesCategory to addChannelToFavoritesCategory
Summary:
Config option to allow permanent user deletion ServiceSettings.EnableAPIUserDeletion
Expose permanent user deletion through API
Local mode for delete user for use in mmctl
Ticket Link:
Server part of https://mattermost.atlassian.net/browse/MM-25647
