mirror of
https://github.com/mattermost/mattermost.git
synced 2025-02-25 18:55:24 -06:00
6d30b21dd2
* Initial models, API, app, and persistence of groups and group syncing. * Consistent letter casing in ldif. * Moves group-specific migrations into func. * Adds API endpoint to retrieve LDAP groups (and associated MM groups) one tree level at a time. * Adds mattermost group id to SCIMGroup (if available). * Splits user and group creation so that memberOf works. Returns users from ldap interface. * Updates method name. * Returns users IDs instead of User. * Removes non-essential group data. * MM-11807: Add GroupFilter to LDAP config. (#9513) * MM-11807: Add GroupFilter to LDAP config. * Add diagnostic. * Adds new config option for using 'memberOf' overlay. * Adds API endpoint to link a group. * Removes debug statements. * Adds unlink group API endpoint. * Fix to LDAP API. Adds API method to client4 and app. * Adds some missing app methods. Renames API unexported func. * Fixes link/unlink API path to accept valid DNs. * Allow any character for DN portion of path. * Switches from DN to objectGUID or entryUUID as the remote identifier linking LDAP groups to MM groups. * Formatting. * Formatting. * Setting group name field to an ID for phase 1. * Adds an LDAP config field to Setting up configuration for local LDAP. * Changes to LDAP and GroupStore interfaces. * Draft of nesting groups in API response. * Removes unnecessary tree models. * Updates group membershipt create store method to also restore. * Adds new config to test config. * Accept AD format length. * Switches to SetUniqueTogether method. * Updates revert. * Tweaks to syncing queries . * Updates query for pending team and channel memberships. * Removes old GroupSyncableScanner usage. Some formatting and renaming. * Fixes bug setting syncable type in selecting paged. * Adds tests for syncables populator. * Only add users to teams and channels that are not deleted. * Renames method. * Updates test LDAP setup. * Removes memberof config stuff. * Renames. * Updates test data. * Fix for gofmt. * Adds missing license. * Adds missing teardowns. * Test fix. * Adds a cycle to the groups test data. * Changes API to return flat list. * Removes some unused interface and app methods. * Returns empty braces if results are empty. * Adds more LDAP test data. * Fix for test data error. * Adds error. * Moves test groups. * Adds OU for load test data. * Moves load test ou creation to load data. * Adds a new bool flag to SCIMGroups. * Removes SCIMGroup completely. * Removes FULL JOIN because it is not supported in MySQL. * Adds tests for sync queries; renames constant. * Bad merge fix. * Vet fix. * Returning OK on delete ldap group link * Removes foreign key constraints. * Adding total to the ldap getAllGroups api endpoint * Adds get group members page. * Removes pagination from groups syncables list API. * Adding syncable check now that foreign key constraint is removes. * Joins teams and channels to group syncables. * Adds group member count. * Adding GetAllChannels and SearchAllChannels for system admins only * Fix. * Test fix from pagination removal. * Orders groupmembers by createat. * Fixing search of all channels * Test fix after removing pagination. * JSON syntax error fix. * Changing tests (for now) pending investigation. * Adding GetAllChannels and SearchAllChannels tests for the store * Adding GetAllChannels and SearchAllChannels API tests * Omit empty JSON values of group syncables. * Fixing GetAllChannels and SearchAllChannels tests * Fixing GetAllChannels and SearchAllChannels store tests * Fixing GetAllChannels api tests * Adds 'LDAP groups' feature flag. (#9861) * Migrate new client functions to idiomatic error handling * Test fixes. * Simplification of groups api (#9860) * Simplification of groups api * Fixing RequireSyncableType * Test fix. * Update api4/group.go Co-Authored-By: mkraft <martinkraft@gmail.com> * Update api4/group.go Co-Authored-By: mkraft <martinkraft@gmail.com> * Update api4/group.go Co-Authored-By: mkraft <martinkraft@gmail.com> * Update api4/group.go Co-Authored-By: mkraft <martinkraft@gmail.com> * Update api4/group.go Co-Authored-By: mkraft <martinkraft@gmail.com> * Update api4/group.go Co-Authored-By: mkraft <martinkraft@gmail.com> * Update api4/group.go Co-Authored-By: mkraft <martinkraft@gmail.com> * Update api4/group.go Co-Authored-By: mkraft <martinkraft@gmail.com> * Update api4/group.go Co-Authored-By: mkraft <martinkraft@gmail.com> * Update api4/group.go Co-Authored-By: mkraft <martinkraft@gmail.com> * Fix copy/paste error. * Fix copy/paste error. * Adds missing return, changes to correct HTTP status code. * Adds missing return, changes status codes. * Check for license. * Renames variable for new signature. * Adds client method to get a group. * Adds client method and tests for PatchGroup. * Adds more API tests. * Adds groups API tests. * Adds client method and tests for getting group syncables. * Adds tests for patching group teams and channels. * Update to translations. * Removes test. * Fix incorrect conditional. * Removes unnecessary nil check. * Removes unnecessary return. * Updates comment, removes unused variable. * Uses consistent JSON unmarshal pattern. * Uses consistent JSON unmarshal pattern. * Moves const block. * Switches 'already linked' from error to success response. * Removes commented-out code. * Switched to status ok. * Add parens for readability. * Fix copy/paste error. * Unexport some structs. * Removes repeated validity check. * Return without attempting commit if there's a rollback. * Fix incorrect HTTP status code. * Update store/sqlstore/group_supplier.go Co-Authored-By: mkraft <martinkraft@gmail.com> * Adds utility methods for going from groupsyncable to groupteam and groupchannel. * Fixing george suggestions (#9911) * Test fix. * Adds QA data to VC with visualization. * Fixes typo in graph image. * Update display name when re-linking in case it has changed in LDAP. * Adds ability to configure group display name and unique identifier. (#9923) * Adds ability to configure group display name and unique identifier. * Adds some configs to confi-ldap make command. * Fix for move of session. * Exposes method for use by SAML package. * Switches GroupSyncableType from int to string. * Update Jenkins build files. * Removes unused variable assignment. * Removes old unnecessary early return. * Removes unnecessary variable. * Moves param parsing before license and permissions checks. * Removes old code. * Compares agains underlying error rather than error id. * Switches tests to assertions. * Adds more assertions. * Adds missing return. * Adds space after comma for added legibility. * Moves a view model to the api package. * Unexports method. * Uses id validator function. * Fix docker-compose flag. * Typo fix. * Moves index creation to supplier. * Removes bad merge. * Renames parameter. * Re-adds space. * Removes unnecessary transaction. * Escapes the Groups table name with backticks because it is a reserved keyword. * Fix roles cache bug * Removing unnecesiary deserializing function * Switches table name rather than custom SQL everywhere for Postgres without backticks. * Removes redundant check for sql.ErrNoRows. * Removes redundant check for sql.ErrNoRows. * Removes data integrity check and redundant nil conditional. * Removes redundant check for sql.ErrNoRows. * Removes unnecessary query. * Removes ID length validation from persistence tier. * Makes some supplier methods idempotent. * Removes some empty switch defaults. * Renames Group Type field to Source. * Fix for mistaken field name change. * Uses IsValidId function. * Removes comment. * Changes json key name. * Removes test because no longer validating user. * Moves model state validation to app layer. * Don't create Groups.CanLeave column until phase 2. * Removes state validation until properties are used in phase 2. * Removes duplicated check. * Removes state validation until properties are used in phase 2. * Removes some tests until phase 2. * Comment-out a bunch of test related to CanLeave. * Extra unmarshal validation check. Removes more code for CanLeave. * Removes tests for CanLeave. * Explict error msg. * Rewrite queries. * Changes index name. Adds index. * Removes assertion. * Adds experimental feature flag.
163 lines
5.2 KiB
Go
163 lines
5.2 KiB
Go
// Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
|
|
// See License.txt for license information.
|
|
|
|
package utils
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/rsa"
|
|
"crypto/sha512"
|
|
"crypto/x509"
|
|
"encoding/base64"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"path/filepath"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/mattermost/mattermost-server/mlog"
|
|
"github.com/mattermost/mattermost-server/model"
|
|
"github.com/mattermost/mattermost-server/utils/fileutils"
|
|
)
|
|
|
|
var publicKey []byte = []byte(`-----BEGIN PUBLIC KEY-----
|
|
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyZmShlU8Z8HdG0IWSZ8r
|
|
tSyzyxrXkJjsFUf0Ke7bm/TLtIggRdqOcUF3XEWqQk5RGD5vuq7Rlg1zZqMEBk8N
|
|
EZeRhkxyaZW8pLjxwuBUOnXfJew31+gsTNdKZzRjrvPumKr3EtkleuoxNdoatu4E
|
|
HrKmR/4Yi71EqAvkhk7ZjQFuF0osSWJMEEGGCSUYQnTEqUzcZSh1BhVpkIkeu8Kk
|
|
1wCtptODixvEujgqVe+SrE3UlZjBmPjC/CL+3cYmufpSNgcEJm2mwsdaXp2OPpfn
|
|
a0v85XL6i9ote2P+fLZ3wX9EoioHzgdgB7arOxY50QRJO7OyCqpKFKv6lRWTXuSt
|
|
hwIDAQAB
|
|
-----END PUBLIC KEY-----`)
|
|
|
|
func ValidateLicense(signed []byte) (bool, string) {
|
|
decoded := make([]byte, base64.StdEncoding.DecodedLen(len(signed)))
|
|
|
|
_, err := base64.StdEncoding.Decode(decoded, signed)
|
|
if err != nil {
|
|
mlog.Error(fmt.Sprintf("Encountered error decoding license, err=%v", err.Error()))
|
|
return false, ""
|
|
}
|
|
|
|
if len(decoded) <= 256 {
|
|
mlog.Error("Signed license not long enough")
|
|
return false, ""
|
|
}
|
|
|
|
// remove null terminator
|
|
for decoded[len(decoded)-1] == byte(0) {
|
|
decoded = decoded[:len(decoded)-1]
|
|
}
|
|
|
|
plaintext := decoded[:len(decoded)-256]
|
|
signature := decoded[len(decoded)-256:]
|
|
|
|
block, _ := pem.Decode(publicKey)
|
|
|
|
public, err := x509.ParsePKIXPublicKey(block.Bytes)
|
|
if err != nil {
|
|
mlog.Error(fmt.Sprintf("Encountered error signing license, err=%v", err.Error()))
|
|
return false, ""
|
|
}
|
|
|
|
rsaPublic := public.(*rsa.PublicKey)
|
|
|
|
h := sha512.New()
|
|
h.Write(plaintext)
|
|
d := h.Sum(nil)
|
|
|
|
err = rsa.VerifyPKCS1v15(rsaPublic, crypto.SHA512, d, signature)
|
|
if err != nil {
|
|
mlog.Error(fmt.Sprintf("Invalid signature, err=%v", err.Error()))
|
|
return false, ""
|
|
}
|
|
|
|
return true, string(plaintext)
|
|
}
|
|
|
|
func GetAndValidateLicenseFileFromDisk(location string) (*model.License, []byte) {
|
|
fileName := GetLicenseFileLocation(location)
|
|
|
|
if _, err := os.Stat(fileName); err != nil {
|
|
mlog.Debug(fmt.Sprintf("We could not find the license key in the database or on disk at %v", fileName))
|
|
return nil, nil
|
|
}
|
|
|
|
mlog.Info(fmt.Sprintf("License key has not been uploaded. Loading license key from disk at %v", fileName))
|
|
licenseBytes := GetLicenseFileFromDisk(fileName)
|
|
|
|
if success, licenseStr := ValidateLicense(licenseBytes); !success {
|
|
mlog.Error(fmt.Sprintf("Found license key at %v but it appears to be invalid.", fileName))
|
|
return nil, nil
|
|
} else {
|
|
return model.LicenseFromJson(strings.NewReader(licenseStr)), licenseBytes
|
|
}
|
|
}
|
|
|
|
func GetLicenseFileFromDisk(fileName string) []byte {
|
|
file, err := os.Open(fileName)
|
|
if err != nil {
|
|
mlog.Error(fmt.Sprintf("Failed to open license key from disk at %v err=%v", fileName, err.Error()))
|
|
return nil
|
|
}
|
|
defer file.Close()
|
|
|
|
licenseBytes, err := ioutil.ReadAll(file)
|
|
if err != nil {
|
|
mlog.Error(fmt.Sprintf("Failed to read license key from disk at %v err=%v", fileName, err.Error()))
|
|
return nil
|
|
}
|
|
|
|
return licenseBytes
|
|
}
|
|
|
|
func GetLicenseFileLocation(fileLocation string) string {
|
|
if fileLocation == "" {
|
|
configDir, _ := fileutils.FindDir("config")
|
|
return filepath.Join(configDir, "mattermost.mattermost-license")
|
|
} else {
|
|
return fileLocation
|
|
}
|
|
}
|
|
|
|
func GetClientLicense(l *model.License) map[string]string {
|
|
props := make(map[string]string)
|
|
|
|
props["IsLicensed"] = strconv.FormatBool(l != nil)
|
|
|
|
if l != nil {
|
|
props["Id"] = l.Id
|
|
props["SkuName"] = l.SkuName
|
|
props["SkuShortName"] = l.SkuShortName
|
|
props["Users"] = strconv.Itoa(*l.Features.Users)
|
|
props["LDAP"] = strconv.FormatBool(*l.Features.LDAP)
|
|
props["LDAPGroups"] = strconv.FormatBool(*l.Features.LDAPGroups)
|
|
props["MFA"] = strconv.FormatBool(*l.Features.MFA)
|
|
props["SAML"] = strconv.FormatBool(*l.Features.SAML)
|
|
props["Cluster"] = strconv.FormatBool(*l.Features.Cluster)
|
|
props["Metrics"] = strconv.FormatBool(*l.Features.Metrics)
|
|
props["GoogleOAuth"] = strconv.FormatBool(*l.Features.GoogleOAuth)
|
|
props["Office365OAuth"] = strconv.FormatBool(*l.Features.Office365OAuth)
|
|
props["Compliance"] = strconv.FormatBool(*l.Features.Compliance)
|
|
props["MHPNS"] = strconv.FormatBool(*l.Features.MHPNS)
|
|
props["Announcement"] = strconv.FormatBool(*l.Features.Announcement)
|
|
props["Elasticsearch"] = strconv.FormatBool(*l.Features.Elasticsearch)
|
|
props["DataRetention"] = strconv.FormatBool(*l.Features.DataRetention)
|
|
props["IssuedAt"] = strconv.FormatInt(l.IssuedAt, 10)
|
|
props["StartsAt"] = strconv.FormatInt(l.StartsAt, 10)
|
|
props["ExpiresAt"] = strconv.FormatInt(l.ExpiresAt, 10)
|
|
props["Name"] = l.Customer.Name
|
|
props["Email"] = l.Customer.Email
|
|
props["Company"] = l.Customer.Company
|
|
props["PhoneNumber"] = l.Customer.PhoneNumber
|
|
props["EmailNotificationContents"] = strconv.FormatBool(*l.Features.EmailNotificationContents)
|
|
props["MessageExport"] = strconv.FormatBool(*l.Features.MessageExport)
|
|
props["CustomPermissionsSchemes"] = strconv.FormatBool(*l.Features.CustomPermissionsSchemes)
|
|
props["CustomTermsOfService"] = strconv.FormatBool(*l.Features.CustomTermsOfService)
|
|
}
|
|
|
|
return props
|
|
}
|