Add /v4/image api (#8230)

* add image api

* i suppose i should add a test...

* only redirect to image proxy

4 files changed, 82 insertions, 0 deletions

diff --git a/api4/api.go b/api4/api.go
index 580bd8c58..871dca0ac 100644
--- a/api4/api.go
+++ b/api4/api.go
@@ -76,6 +76,8 @@ type Routes struct {
 	Compliance *mux.Router // 'api/v4/compliance'
 	Cluster    *mux.Router // 'api/v4/cluster'
 
+	Image *mux.Router // 'api/v4/image'
+
 	LDAP *mux.Router // 'api/v4/ldap'
 
 	Elasticsearch *mux.Router // 'api/v4/elasticsearch'
@@ -194,6 +196,8 @@ func Init(a *app.App, root *mux.Router, full bool) *API {
 
 	api.BaseRoutes.OpenGraph = api.BaseRoutes.ApiRoot.PathPrefix("/opengraph").Subrouter()
 
+	api.BaseRoutes.Image = api.BaseRoutes.ApiRoot.PathPrefix("/image").Subrouter()
+
 	api.InitUser()
 	api.InitTeam()
 	api.InitChannel()
@@ -219,6 +223,7 @@ func Init(a *app.App, root *mux.Router, full bool) *API {
 	api.InitWebrtc()
 	api.InitOpenGraph()
 	api.InitPlugin()
+	api.InitImage()
 
 	root.Handle("/api/v4/{anything:.*}", http.HandlerFunc(Handle404))
 
diff --git a/api4/image.go b/api4/image.go
new file mode 100644
index 000000000..4589de204
--- /dev/null
+++ b/api4/image.go
@@ -0,0 +1,22 @@
+// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api4
+
+import (
+	"net/http"
+)
+
+func (api *API) InitImage() {
+	api.BaseRoutes.Image.Handle("", api.ApiSessionRequiredTrustRequester(getImage)).Methods("GET")
+}
+
+func getImage(c *Context, w http.ResponseWriter, r *http.Request) {
+	// Only redirect to our image proxy if one is enabled. Arbitrary redirects are not allowed for
+	// security reasons.
+	if transform := c.App.ImageProxyAdder(); transform != nil {
+		http.Redirect(w, r, transform(r.URL.Query().Get("url")), http.StatusFound)
+	} else {
+		http.NotFound(w, r)
+	}
+}
diff --git a/api4/image_test.go b/api4/image_test.go
new file mode 100644
index 000000000..236d5785d
--- /dev/null
+++ b/api4/image_test.go
@@ -0,0 +1,52 @@
+// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api4
+
+import (
+	"net/http"
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/mattermost/mattermost-server/model"
+)
+
+func TestGetImage(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	th.Client.HttpClient.CheckRedirect = func(*http.Request, []*http.Request) error {
+		return http.ErrUseLastResponse
+	}
+
+	originURL := "http://foo.bar/baz.gif"
+
+	r, err := http.NewRequest("GET", th.Client.ApiUrl+"/image?url="+url.QueryEscape(originURL), nil)
+	require.NoError(t, err)
+	r.Header.Set(model.HEADER_AUTH, th.Client.AuthType+" "+th.Client.AuthToken)
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		cfg.ServiceSettings.ImageProxyType = nil
+	})
+
+	resp, err := th.Client.HttpClient.Do(r)
+	require.NoError(t, err)
+	assert.Equal(t, http.StatusNotFound, resp.StatusCode)
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		cfg.ServiceSettings.ImageProxyType = model.NewString("willnorris/imageproxy")
+		cfg.ServiceSettings.ImageProxyURL = model.NewString("https://proxy.foo.bar")
+	})
+
+	r, err = http.NewRequest("GET", th.Client.ApiUrl+"/image?url="+originURL, nil)
+	require.NoError(t, err)
+	r.Header.Set(model.HEADER_AUTH, th.Client.AuthType+" "+th.Client.AuthToken)
+
+	resp, err = th.Client.HttpClient.Do(r)
+	require.NoError(t, err)
+	assert.Equal(t, http.StatusFound, resp.StatusCode)
+	assert.Equal(t, "https://proxy.foo.bar//"+originURL, resp.Header.Get("Location"))
+}
diff --git a/utils/config.go b/utils/config.go
index 9e962eef4..87ebee693 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -456,6 +456,9 @@ func GenerateClientConfig(c *model.Config, diagnosticId string) map[string]strin
 
 	props["PluginsEnabled"] = strconv.FormatBool(*c.PluginSettings.Enable)
 
+	hasImageProxy := c.ServiceSettings.ImageProxyType != nil && *c.ServiceSettings.ImageProxyType != "" && c.ServiceSettings.ImageProxyURL != nil && *c.ServiceSettings.ImageProxyURL != ""
+	props["HasImageProxy"] = strconv.FormatBool(hasImageProxy)
+
 	if IsLicensed() {
 		License := License()
 		props["ExperimentalTownSquareIsReadOnly"] = strconv.FormatBool(*c.TeamSettings.ExperimentalTownSquareIsReadOnly)