mirror of
https://github.com/mattermost/mattermost.git
synced 2025-02-25 18:55:24 -06:00
daec0b3201
* initial
* Revert "initial"
This reverts commit 3d631aeecd.
* [MM-32352] Add Experimental Subsections BACKEND (#16887)
Automatic Merge
* update appiface
* Fix app layers
* Ancillary Permissions on backend (#17061)
Automatic Merge
* [MM-32799] Add About Section (#17015)
* Add About Section
* add mock key
* Update role.go
* Update role.go
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
* [MM-33437] Fix config access tags for experimental settings (#17111)
Automatic Merge
* [MM-32794] Reporting Sub Section (#17035)
* test
* revert
* add permissions
* add new permission stuff
* add store mock
* fix bad merge
* gofmt fix
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
* [MM-32343] Environment SubSection (#17054)
* pre-checkout commit
* fix permission for testSiteURL
* pre-merge commit
* increase size of Permissions column in Roles table
* add entry for ENVIRONMENT to testlib/store.go
* use TEXT for Permissions column in Roles table
* use environment subsection permissions for API endpoints
* use subsections permissions for /config/environment
* add suggestions from hahmadia
* update tests to use subsection permissions
* add permissions column back in
* comment out code in upgradeDatabaseToVersion534
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Co-authored-by: Scott Bishel <scott.bishel@mattermost.com>
* MM-32351: Add Compliance Subsections (#17023)
* add subsections for compliance sectin
* add to mock functions
* updates for read job
* fixes
* fix test
* update tests
* update tests
* another test fix
* some cleanup
* update mlog
* fix linting
* Fix bad merges
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Co-authored-by: Hossein <hahmadia@users.noreply.github.com>
Co-authored-by: Hossein Ahmadian-Yazdi <hyazdi1997@gmail.com>
* MM-32347 Site Subsections (#17095)
* Init
* Added migration key in testlib store
* Fix syntax error
* fix bad merge
* fix lint
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Co-authored-by: Scott Bishel <scott.bishel@mattermost.com>
* MM-32350 Integrations (#17097)
* implement server subsections
* fix tests
* update test
* go fmt
Co-authored-by: Hossein Ahmadian-Yazdi <hyazdi1997@gmail.com>
* patch forgotten endpoints
* Adding subsection permissions for Authentication (#17087)
* adding new permissions, migrations to do
* permission migrations and ancilary permissions
* running make app-layers
* fixing tests and lint
* adding permissions to saml
* ldap write permissions
* running make app-layers
* fixing conflict
* making app layers
* clean up and fix tests
* change job type
* fix js error, if site url not returned
Co-authored-by: Benjamin Cooke <benjamincooke@Benjamins-MacBook-Pro.local>
Co-authored-by: Hossein Ahmadian-Yazdi <hyazdi1997@gmail.com>
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Co-authored-by: Scott Bishel <scott.bishel@mattermost.com>
* Update permissions_migrations.go
* gofmt
* upgrade to 535
* gofmt
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Co-authored-by: Max Erenberg <max.erenberg@mattermost.com>
Co-authored-by: Scott Bishel <scott.bishel@mattermost.com>
Co-authored-by: Anurag Shivarathri <anurag6713@gmail.com>
Co-authored-by: Ben Cooke <benkcooke@gmail.com>
Co-authored-by: Benjamin Cooke <benjamincooke@Benjamins-MacBook-Pro.local>
250 lines
7.8 KiB
Go
250 lines
7.8 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package api4
|
|
|
|
import (
|
|
"io/ioutil"
|
|
"mime"
|
|
"mime/multipart"
|
|
"net/http"
|
|
|
|
"github.com/mattermost/mattermost-server/v5/audit"
|
|
"github.com/mattermost/mattermost-server/v5/model"
|
|
)
|
|
|
|
func (api *API) InitSaml() {
|
|
api.BaseRoutes.SAML.Handle("/metadata", api.ApiHandler(getSamlMetadata)).Methods("GET")
|
|
|
|
api.BaseRoutes.SAML.Handle("/certificate/public", api.ApiSessionRequired(addSamlPublicCertificate)).Methods("POST")
|
|
api.BaseRoutes.SAML.Handle("/certificate/private", api.ApiSessionRequired(addSamlPrivateCertificate)).Methods("POST")
|
|
api.BaseRoutes.SAML.Handle("/certificate/idp", api.ApiSessionRequired(addSamlIdpCertificate)).Methods("POST")
|
|
|
|
api.BaseRoutes.SAML.Handle("/certificate/public", api.ApiSessionRequired(removeSamlPublicCertificate)).Methods("DELETE")
|
|
api.BaseRoutes.SAML.Handle("/certificate/private", api.ApiSessionRequired(removeSamlPrivateCertificate)).Methods("DELETE")
|
|
api.BaseRoutes.SAML.Handle("/certificate/idp", api.ApiSessionRequired(removeSamlIdpCertificate)).Methods("DELETE")
|
|
|
|
api.BaseRoutes.SAML.Handle("/certificate/status", api.ApiSessionRequired(getSamlCertificateStatus)).Methods("GET")
|
|
|
|
api.BaseRoutes.SAML.Handle("/metadatafromidp", api.ApiHandler(getSamlMetadataFromIdp)).Methods("POST")
|
|
}
|
|
|
|
func getSamlMetadata(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
metadata, err := c.App.GetSamlMetadata()
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/xml")
|
|
w.Header().Set("Content-Disposition", "attachment; filename=\"metadata.xml\"")
|
|
w.Write([]byte(metadata))
|
|
}
|
|
|
|
func parseSamlCertificateRequest(r *http.Request, maxFileSize int64) (*multipart.FileHeader, *model.AppError) {
|
|
err := r.ParseMultipartForm(maxFileSize)
|
|
if err != nil {
|
|
return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, err.Error(), http.StatusBadRequest)
|
|
}
|
|
|
|
m := r.MultipartForm
|
|
|
|
fileArray, ok := m.File["certificate"]
|
|
if !ok {
|
|
return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, "", http.StatusBadRequest)
|
|
}
|
|
|
|
if len(fileArray) <= 0 {
|
|
return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.array.app_error", nil, "", http.StatusBadRequest)
|
|
}
|
|
|
|
return fileArray[0], nil
|
|
}
|
|
|
|
func addSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_ADD_SAML_PUBLIC_CERT) {
|
|
c.SetPermissionError(model.PERMISSION_ADD_SAML_PUBLIC_CERT)
|
|
return
|
|
}
|
|
|
|
fileData, err := parseSamlCertificateRequest(r, *c.App.Config().FileSettings.MaxFileSize)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord("addSamlPublicCertificate", audit.Fail)
|
|
defer c.LogAuditRec(auditRec)
|
|
auditRec.AddMeta("filename", fileData.Filename)
|
|
|
|
if err := c.App.AddSamlPublicCertificate(fileData); err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
auditRec.Success()
|
|
ReturnStatusOK(w)
|
|
}
|
|
|
|
func addSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_ADD_SAML_PRIVATE_CERT) {
|
|
c.SetPermissionError(model.PERMISSION_ADD_SAML_PRIVATE_CERT)
|
|
return
|
|
}
|
|
|
|
fileData, err := parseSamlCertificateRequest(r, *c.App.Config().FileSettings.MaxFileSize)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord("addSamlPrivateCertificate", audit.Fail)
|
|
defer c.LogAuditRec(auditRec)
|
|
auditRec.AddMeta("filename", fileData.Filename)
|
|
|
|
if err := c.App.AddSamlPrivateCertificate(fileData); err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
auditRec.Success()
|
|
ReturnStatusOK(w)
|
|
}
|
|
|
|
func addSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_ADD_SAML_IDP_CERT) {
|
|
c.SetPermissionError(model.PERMISSION_ADD_SAML_IDP_CERT)
|
|
return
|
|
}
|
|
|
|
v := r.Header.Get("Content-Type")
|
|
if v == "" {
|
|
c.Err = model.NewAppError("addSamlIdpCertificate", "api.admin.saml.set_certificate_from_metadata.missing_content_type.app_error", nil, "", http.StatusBadRequest)
|
|
return
|
|
}
|
|
d, _, err := mime.ParseMediaType(v)
|
|
if err != nil {
|
|
c.Err = model.NewAppError("addSamlIdpCertificate", "api.admin.saml.set_certificate_from_metadata.invalid_content_type.app_error", nil, err.Error(), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord("addSamlIdpCertificate", audit.Fail)
|
|
defer c.LogAuditRec(auditRec)
|
|
auditRec.AddMeta("type", d)
|
|
|
|
if d == "application/x-pem-file" {
|
|
body, err := ioutil.ReadAll(r.Body)
|
|
if err != nil {
|
|
c.Err = model.NewAppError("addSamlIdpCertificate", "api.admin.saml.set_certificate_from_metadata.invalid_body.app_error", nil, err.Error(), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if err := c.App.SetSamlIdpCertificateFromMetadata(body); err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
} else if d == "multipart/form-data" {
|
|
fileData, err := parseSamlCertificateRequest(r, *c.App.Config().FileSettings.MaxFileSize)
|
|
if err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
auditRec.AddMeta("filename", fileData.Filename)
|
|
|
|
if err := c.App.AddSamlIdpCertificate(fileData); err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
} else {
|
|
c.Err = model.NewAppError("addSamlIdpCertificate", "api.admin.saml.set_certificate_from_metadata.invalid_content_type.app_error", nil, "", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
auditRec.Success()
|
|
ReturnStatusOK(w)
|
|
}
|
|
|
|
func removeSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_REMOVE_SAML_PUBLIC_CERT) {
|
|
c.SetPermissionError(model.PERMISSION_REMOVE_SAML_PUBLIC_CERT)
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord("removeSamlPublicCertificate", audit.Fail)
|
|
defer c.LogAuditRec(auditRec)
|
|
|
|
if err := c.App.RemoveSamlPublicCertificate(); err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
auditRec.Success()
|
|
ReturnStatusOK(w)
|
|
}
|
|
|
|
func removeSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_REMOVE_SAML_PRIVATE_CERT) {
|
|
c.SetPermissionError(model.PERMISSION_REMOVE_SAML_PRIVATE_CERT)
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord("removeSamlPrivateCertificate", audit.Fail)
|
|
defer c.LogAuditRec(auditRec)
|
|
|
|
if err := c.App.RemoveSamlPrivateCertificate(); err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
auditRec.Success()
|
|
ReturnStatusOK(w)
|
|
}
|
|
|
|
func removeSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_REMOVE_SAML_IDP_CERT) {
|
|
c.SetPermissionError(model.PERMISSION_REMOVE_SAML_IDP_CERT)
|
|
return
|
|
}
|
|
|
|
auditRec := c.MakeAuditRecord("removeSamlIdpCertificate", audit.Fail)
|
|
defer c.LogAuditRec(auditRec)
|
|
|
|
if err := c.App.RemoveSamlIdpCertificate(); err != nil {
|
|
c.Err = err
|
|
return
|
|
}
|
|
|
|
auditRec.Success()
|
|
ReturnStatusOK(w)
|
|
}
|
|
|
|
func getSamlCertificateStatus(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_GET_SAML_CERT_STATUS) {
|
|
c.SetPermissionError(model.PERMISSION_GET_SAML_CERT_STATUS)
|
|
return
|
|
}
|
|
|
|
status := c.App.GetSamlCertificateStatus()
|
|
w.Write([]byte(status.ToJson()))
|
|
}
|
|
|
|
func getSamlMetadataFromIdp(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_GET_SAML_METADATA_FROM_IDP) {
|
|
c.SetPermissionError(model.PERMISSION_GET_SAML_METADATA_FROM_IDP)
|
|
return
|
|
}
|
|
|
|
props := model.MapFromJson(r.Body)
|
|
url := props["saml_metadata_url"]
|
|
if url == "" {
|
|
c.SetInvalidParam("saml_metadata_url")
|
|
return
|
|
}
|
|
|
|
metadata, err := c.App.GetSamlMetadataFromIdp(url)
|
|
if err != nil {
|
|
c.Err = model.NewAppError("getSamlMetadataFromIdp", "api.admin.saml.failure_get_metadata_from_idp.app_error", nil, err.Error(), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
w.Write([]byte(metadata.ToJson()))
|
|
}
|