Implement SAML endpoints for APIv4 (#5671)

* Implement SAML endpoints for APIv4

* Fix unit test

* Only disable encryption when removing puplic/private certs

4 files changed, 225 insertions, 0 deletions

diff --git a/api4/api.go b/api4/api.go
index c8c0e170b..71dfbcdf3 100644
--- a/api4/api.go
+++ b/api4/api.go
@@ -60,6 +60,8 @@ type Routes struct {
 
 	OAuth *mux.Router // 'api/v4/oauth'
 
+	SAML *mux.Router // 'api/v4/saml'
+
 	Admin *mux.Router // 'api/v4/admin'
 
 	System *mux.Router // 'api/v4/system'
@@ -127,6 +129,7 @@ func InitApi(full bool) {
 	BaseRoutes.OutgoingHooks = BaseRoutes.Hooks.PathPrefix("/outgoing").Subrouter()
 	BaseRoutes.OutgoingHook = BaseRoutes.OutgoingHooks.PathPrefix("/{hook_id:[A-Za-z0-9]+}").Subrouter()
 
+	BaseRoutes.SAML = BaseRoutes.ApiRoot.PathPrefix("/saml").Subrouter()
 	BaseRoutes.OAuth = BaseRoutes.ApiRoot.PathPrefix("/oauth").Subrouter()
 	BaseRoutes.Admin = BaseRoutes.ApiRoot.PathPrefix("/admin").Subrouter()
 	BaseRoutes.System = BaseRoutes.ApiRoot.PathPrefix("/system").Subrouter()
@@ -147,6 +150,7 @@ func InitApi(full bool) {
 	InitSystem()
 	InitWebhook()
 	InitPreference()
+	InitSaml()
 
 	app.Srv.Router.Handle("/api/v4/{anything:.*}", http.HandlerFunc(Handle404))
 
diff --git a/api4/apitestlib.go b/api4/apitestlib.go
index 3d2feaf6e..30dbfadae 100644
--- a/api4/apitestlib.go
+++ b/api4/apitestlib.go
@@ -38,6 +38,37 @@ type TestHelper struct {
 	SystemAdminUser   *model.User
 }
 
+func SetupEnterprise() *TestHelper {
+	if app.Srv == nil {
+		utils.TranslationsPreInit()
+		utils.LoadConfig("config.json")
+		utils.InitTranslations(utils.Cfg.LocalizationSettings)
+		utils.Cfg.TeamSettings.MaxUsersPerTeam = 50
+		*utils.Cfg.RateLimitSettings.Enable = false
+		utils.Cfg.EmailSettings.SendEmailNotifications = true
+		utils.Cfg.EmailSettings.SMTPServer = "dockerhost"
+		utils.Cfg.EmailSettings.SMTPPort = "2500"
+		utils.Cfg.EmailSettings.FeedbackEmail = "test@example.com"
+		utils.DisableDebugLogForTest()
+		utils.License.Features.SetDefaults()
+		app.NewServer()
+		app.InitStores()
+		InitRouter()
+		app.StartServer()
+		utils.InitHTML()
+		InitApi(true)
+		utils.EnableDebugLogForTest()
+		app.Srv.Store.MarkSystemRanUnitTests()
+
+		*utils.Cfg.TeamSettings.EnableOpenServer = true
+	}
+
+	th := &TestHelper{}
+	th.Client = th.CreateClient()
+	th.SystemAdminClient = th.CreateClient()
+	return th
+}
+
 func Setup() *TestHelper {
 	if app.Srv == nil {
 		utils.TranslationsPreInit()
diff --git a/api4/saml.go b/api4/saml.go
new file mode 100644
index 000000000..e2c35f30d
--- /dev/null
+++ b/api4/saml.go
@@ -0,0 +1,171 @@
+// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api4
+
+import (
+	"mime/multipart"
+	"net/http"
+
+	l4g "github.com/alecthomas/log4go"
+	"github.com/mattermost/platform/app"
+	"github.com/mattermost/platform/model"
+	"github.com/mattermost/platform/utils"
+)
+
+func InitSaml() {
+	l4g.Debug(utils.T("api.saml.init.debug"))
+
+	BaseRoutes.SAML.Handle("/metadata", ApiHandler(getSamlMetadata)).Methods("GET")
+
+	BaseRoutes.SAML.Handle("/certificate/public", ApiSessionRequired(addSamlPublicCertificate)).Methods("POST")
+	BaseRoutes.SAML.Handle("/certificate/private", ApiSessionRequired(addSamlPrivateCertificate)).Methods("POST")
+	BaseRoutes.SAML.Handle("/certificate/idp", ApiSessionRequired(addSamlIdpCertificate)).Methods("POST")
+
+	BaseRoutes.SAML.Handle("/certificate/public", ApiSessionRequired(removeSamlPublicCertificate)).Methods("DELETE")
+	BaseRoutes.SAML.Handle("/certificate/private", ApiSessionRequired(removeSamlPrivateCertificate)).Methods("DELETE")
+	BaseRoutes.SAML.Handle("/certificate/idp", ApiSessionRequired(removeSamlIdpCertificate)).Methods("DELETE")
+
+	BaseRoutes.SAML.Handle("/certificate/status", ApiSessionRequired(getSamlCertificateStatus)).Methods("GET")
+}
+
+func getSamlMetadata(c *Context, w http.ResponseWriter, r *http.Request) {
+	metadata, err := app.GetSamlMetadata()
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/xml")
+	w.Header().Set("Content-Disposition", "attachment; filename=\"metadata.xml\"")
+	w.Write([]byte(metadata))
+}
+
+func parseSamlCertificateRequest(r *http.Request) (*multipart.FileHeader, *model.AppError) {
+	err := r.ParseMultipartForm(*utils.Cfg.FileSettings.MaxFileSize)
+	if err != nil {
+		return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, err.Error(), http.StatusBadRequest)
+	}
+
+	m := r.MultipartForm
+
+	fileArray, ok := m.File["certificate"]
+	if !ok {
+		return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, "", http.StatusBadRequest)
+	}
+
+	if len(fileArray) <= 0 {
+		return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.array.app_error", nil, "", http.StatusBadRequest)
+	}
+
+	return fileArray[0], nil
+}
+
+func addSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	fileData, err := parseSamlCertificateRequest(r)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	if err := app.AddSamlPublicCertificate(fileData); err != nil {
+		c.Err = err
+		return
+	}
+	ReturnStatusOK(w)
+}
+
+func addSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	fileData, err := parseSamlCertificateRequest(r)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	if err := app.AddSamlPrivateCertificate(fileData); err != nil {
+		c.Err = err
+		return
+	}
+	ReturnStatusOK(w)
+}
+
+func addSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	fileData, err := parseSamlCertificateRequest(r)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	if err := app.AddSamlIdpCertificate(fileData); err != nil {
+		c.Err = err
+		return
+	}
+	ReturnStatusOK(w)
+}
+
+func removeSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	if err := app.RemoveSamlPublicCertificate(); err != nil {
+		c.Err = err
+		return
+	}
+
+	ReturnStatusOK(w)
+}
+
+func removeSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	if err := app.RemoveSamlPrivateCertificate(); err != nil {
+		c.Err = err
+		return
+	}
+
+	ReturnStatusOK(w)
+}
+
+func removeSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	if err := app.RemoveSamlIdpCertificate(); err != nil {
+		c.Err = err
+		return
+	}
+
+	ReturnStatusOK(w)
+}
+
+func getSamlCertificateStatus(c *Context, w http.ResponseWriter, r *http.Request) {
+	if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	status := app.GetSamlCertificateStatus()
+	w.Write([]byte(status.ToJson()))
+}
diff --git a/api4/saml_test.go b/api4/saml_test.go
new file mode 100644
index 000000000..7e4722a3b
--- /dev/null
+++ b/api4/saml_test.go
@@ -0,0 +1,19 @@
+// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api4
+
+import (
+	"testing"
+)
+
+func TestGetSamlMetadata(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer TearDown()
+	Client := th.Client
+
+	_, resp := Client.GetSamlMetadata()
+	CheckNotImplementedStatus(t, resp)
+
+	// Rest is tested by enterprise tests
+}