MM-10140: API Implementation for Schemes related Endpoints (#8615)

* Implement basic scheme CRUD endpoints.

* Get All Schemes (Paged) Endpoint and store plumbing.

* Add get teams/channels for schemes.

* Fix unit tests.

* Review fixes.

* More review fixes.

5 files changed, 898 insertions, 1 deletions

diff --git a/api4/api.go b/api4/api.go
index d36c3e3ee..f2821b42e 100644
--- a/api4/api.go
+++ b/api4/api.go
@@ -99,7 +99,8 @@ type Routes struct {
 
 	Reactions *mux.Router // 'api/v4/reactions'
 
-	Roles *mux.Router // 'api/v4/roles'
+	Roles   *mux.Router // 'api/v4/roles'
+	Schemes *mux.Router // 'api/v4/schemes'
 
 	Emojis      *mux.Router // 'api/v4/emoji'
 	Emoji       *mux.Router // 'api/v4/emoji/{emoji_id:[A-Za-z0-9]+}'
@@ -200,6 +201,7 @@ func Init(a *app.App, root *mux.Router, full bool) *API {
 	api.BaseRoutes.OpenGraph = api.BaseRoutes.ApiRoot.PathPrefix("/opengraph").Subrouter()
 
 	api.BaseRoutes.Roles = api.BaseRoutes.ApiRoot.PathPrefix("/roles").Subrouter()
+	api.BaseRoutes.Schemes = api.BaseRoutes.ApiRoot.PathPrefix("/schemes").Subrouter()
 
 	api.BaseRoutes.Image = api.BaseRoutes.ApiRoot.PathPrefix("/image").Subrouter()
 
@@ -229,6 +231,7 @@ func Init(a *app.App, root *mux.Router, full bool) *API {
 	api.InitOpenGraph()
 	api.InitPlugin()
 	api.InitRole()
+	api.InitScheme()
 	api.InitImage()
 
 	root.Handle("/api/v4/{anything:.*}", http.HandlerFunc(Handle404))
diff --git a/api4/context.go b/api4/context.go
index c965e1d80..6afb964ce 100644
--- a/api4/context.go
+++ b/api4/context.go
@@ -650,6 +650,17 @@ func (c *Context) RequireRoleId() *Context {
 	return c
 }
 
+func (c *Context) RequireSchemeId() *Context {
+	if c.Err != nil {
+		return c
+	}
+
+	if len(c.Params.SchemeId) != 26 {
+		c.SetInvalidUrlParam("scheme_id")
+	}
+	return c
+}
+
 func (c *Context) RequireRoleName() *Context {
 	if c.Err != nil {
 		return c
diff --git a/api4/params.go b/api4/params.go
index e8e3f25e7..35f21e0ec 100644
--- a/api4/params.go
+++ b/api4/params.go
@@ -47,6 +47,8 @@ type ApiParams struct {
 	ActionId       string
 	RoleId         string
 	RoleName       string
+	SchemeId       string
+	Scope          string
 	Page           int
 	PerPage        int
 	LogsPerPage    int
@@ -167,6 +169,12 @@ func ApiParamsFromRequest(r *http.Request) *ApiParams {
 		params.RoleName = val
 	}
 
+	if val, ok := props["scheme_id"]; ok {
+		params.SchemeId = val
+	}
+
+	params.Scope = query.Get("scope")
+
 	if val, err := strconv.Atoi(query.Get("page")); err != nil || val < 0 {
 		params.Page = PAGE_DEFAULT
 	} else {
diff --git a/api4/scheme.go b/api4/scheme.go
new file mode 100644
index 000000000..bdfe69870
--- /dev/null
+++ b/api4/scheme.go
@@ -0,0 +1,211 @@
+// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api4
+
+import (
+	"net/http"
+
+	"github.com/mattermost/mattermost-server/model"
+)
+
+func (api *API) InitScheme() {
+	api.BaseRoutes.Schemes.Handle("", api.ApiSessionRequired(getSchemes)).Methods("GET")
+	api.BaseRoutes.Schemes.Handle("", api.ApiSessionRequired(createScheme)).Methods("POST")
+	api.BaseRoutes.Schemes.Handle("/{scheme_id:[A-Za-z0-9]+}", api.ApiSessionRequired(deleteScheme)).Methods("DELETE")
+	api.BaseRoutes.Schemes.Handle("/{scheme_id:[A-Za-z0-9]+}", api.ApiSessionRequiredTrustRequester(getScheme)).Methods("GET")
+	api.BaseRoutes.Schemes.Handle("/{scheme_id:[A-Za-z0-9]+}/patch", api.ApiSessionRequired(patchScheme)).Methods("PUT")
+	api.BaseRoutes.Schemes.Handle("/{scheme_id:[A-Za-z0-9]+}/teams", api.ApiSessionRequiredTrustRequester(getTeamsForScheme)).Methods("GET")
+	api.BaseRoutes.Schemes.Handle("/{scheme_id:[A-Za-z0-9]+}/channels", api.ApiSessionRequiredTrustRequester(getChannelsForScheme)).Methods("GET")
+}
+
+func createScheme(c *Context, w http.ResponseWriter, r *http.Request) {
+	scheme := model.SchemeFromJson(r.Body)
+	if scheme == nil {
+		c.SetInvalidParam("scheme")
+		return
+	}
+
+	if c.App.License() == nil {
+		c.Err = model.NewAppError("Api4.CreateScheme", "api.scheme.create_scheme.license.error", nil, "", http.StatusNotImplemented)
+		return
+	}
+
+	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	var err *model.AppError
+	if scheme, err = c.App.CreateScheme(scheme); err != nil {
+		c.Err = err
+		return
+	} else {
+		w.WriteHeader(http.StatusCreated)
+		w.Write([]byte(scheme.ToJson()))
+	}
+}
+
+func getScheme(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireSchemeId()
+	if c.Err != nil {
+		return
+	}
+
+	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	if scheme, err := c.App.GetScheme(c.Params.SchemeId); err != nil {
+		c.Err = err
+		return
+	} else {
+		w.Write([]byte(scheme.ToJson()))
+	}
+}
+
+func getSchemes(c *Context, w http.ResponseWriter, r *http.Request) {
+	if c.Err != nil {
+		return
+	}
+
+	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	scope := c.Params.Scope
+	if scope != "" && scope != model.SCHEME_SCOPE_TEAM && scope != model.SCHEME_SCOPE_CHANNEL {
+		c.SetInvalidParam("scope")
+		return
+	}
+
+	if schemes, err := c.App.GetSchemesPage(c.Params.Scope, c.Params.Page, c.Params.PerPage); err != nil {
+		c.Err = err
+		return
+	} else {
+		w.Write([]byte(model.SchemesToJson(schemes)))
+	}
+}
+
+func getTeamsForScheme(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireSchemeId()
+	if c.Err != nil {
+		return
+	}
+
+	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	scheme, err := c.App.GetScheme(c.Params.SchemeId)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	if scheme.Scope != model.SCHEME_SCOPE_TEAM {
+		c.Err = model.NewAppError("Api4.GetTeamsForScheme", "api.scheme.get_teams_for_scheme.scope.error", nil, "", http.StatusBadRequest)
+		return
+	}
+
+	if teams, err := c.App.GetTeamsForSchemePage(scheme, c.Params.Page, c.Params.PerPage); err != nil {
+		c.Err = err
+		return
+	} else {
+		w.Write([]byte(model.TeamListToJson(teams)))
+	}
+}
+
+func getChannelsForScheme(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireSchemeId()
+	if c.Err != nil {
+		return
+	}
+
+	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	scheme, err := c.App.GetScheme(c.Params.SchemeId)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	if scheme.Scope != model.SCHEME_SCOPE_CHANNEL {
+		c.Err = model.NewAppError("Api4.GetChannelsForScheme", "api.scheme.get_channels_for_scheme.scope.error", nil, "", http.StatusBadRequest)
+		return
+	}
+
+	if channels, err := c.App.GetChannelsForSchemePage(scheme, c.Params.Page, c.Params.PerPage); err != nil {
+		c.Err = err
+		return
+	} else {
+		w.Write([]byte(channels.ToJson()))
+	}
+}
+
+func patchScheme(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireSchemeId()
+	if c.Err != nil {
+		return
+	}
+
+	patch := model.SchemePatchFromJson(r.Body)
+	if patch == nil {
+		c.SetInvalidParam("scheme")
+		return
+	}
+
+	if c.App.License() == nil {
+		c.Err = model.NewAppError("Api4.PatchScheme", "api.scheme.patch_scheme.license.error", nil, "", http.StatusNotImplemented)
+		return
+	}
+
+	scheme, err := c.App.GetScheme(c.Params.SchemeId)
+	if err != nil {
+		c.Err = err
+		return
+	}
+
+	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	if scheme, err = c.App.PatchScheme(scheme, patch); err != nil {
+		c.Err = err
+		return
+	} else {
+		c.LogAudit("")
+		w.Write([]byte(scheme.ToJson()))
+	}
+}
+
+func deleteScheme(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireSchemeId()
+	if c.Err != nil {
+		return
+	}
+
+	if c.App.License() == nil {
+		c.Err = model.NewAppError("Api4.DeleteScheme", "api.scheme.delete_scheme.license.error", nil, "", http.StatusNotImplemented)
+		return
+	}
+
+	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
+		return
+	}
+
+	if _, err := c.App.DeleteScheme(c.Params.SchemeId); err != nil {
+		c.Err = err
+		return
+	}
+
+	ReturnStatusOK(w)
+}
diff --git a/api4/scheme_test.go b/api4/scheme_test.go
new file mode 100644
index 000000000..a0ea1e9b0
--- /dev/null
+++ b/api4/scheme_test.go
@@ -0,0 +1,664 @@
+// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package api4
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/mattermost/mattermost-server/model"
+)
+
+func TestCreateScheme(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+
+	th.App.SetLicense(model.NewTestLicense(""))
+
+	// Basic test of creating a team scheme.
+	scheme1 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_TEAM,
+	}
+
+	s1, r1 := th.SystemAdminClient.CreateScheme(scheme1)
+	CheckNoError(t, r1)
+
+	assert.Equal(t, s1.Name, scheme1.Name)
+	assert.Equal(t, s1.Description, scheme1.Description)
+	assert.NotZero(t, s1.CreateAt)
+	assert.Equal(t, s1.CreateAt, s1.UpdateAt)
+	assert.Zero(t, s1.DeleteAt)
+	assert.Equal(t, s1.Scope, scheme1.Scope)
+	assert.NotZero(t, len(s1.DefaultTeamAdminRole))
+	assert.NotZero(t, len(s1.DefaultTeamUserRole))
+	assert.NotZero(t, len(s1.DefaultChannelAdminRole))
+	assert.NotZero(t, len(s1.DefaultChannelUserRole))
+
+	// Check the default roles have been created.
+	_, roleRes1 := th.SystemAdminClient.GetRole(s1.DefaultTeamAdminRole)
+	CheckNoError(t, roleRes1)
+	_, roleRes2 := th.SystemAdminClient.GetRole(s1.DefaultTeamUserRole)
+	CheckNoError(t, roleRes2)
+	_, roleRes3 := th.SystemAdminClient.GetRole(s1.DefaultChannelAdminRole)
+	CheckNoError(t, roleRes3)
+	_, roleRes4 := th.SystemAdminClient.GetRole(s1.DefaultChannelUserRole)
+	CheckNoError(t, roleRes4)
+
+	// Basic Test of a Channel scheme.
+	scheme2 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_CHANNEL,
+	}
+
+	s2, r2 := th.SystemAdminClient.CreateScheme(scheme2)
+	CheckNoError(t, r2)
+
+	assert.Equal(t, s2.Name, scheme2.Name)
+	assert.Equal(t, s2.Description, scheme2.Description)
+	assert.NotZero(t, s2.CreateAt)
+	assert.Equal(t, s2.CreateAt, s2.UpdateAt)
+	assert.Zero(t, s2.DeleteAt)
+	assert.Equal(t, s2.Scope, scheme2.Scope)
+	assert.Zero(t, len(s2.DefaultTeamAdminRole))
+	assert.Zero(t, len(s2.DefaultTeamUserRole))
+	assert.NotZero(t, len(s2.DefaultChannelAdminRole))
+	assert.NotZero(t, len(s2.DefaultChannelUserRole))
+
+	// Check the default roles have been created.
+	_, roleRes5 := th.SystemAdminClient.GetRole(s2.DefaultChannelAdminRole)
+	CheckNoError(t, roleRes5)
+	_, roleRes6 := th.SystemAdminClient.GetRole(s2.DefaultChannelUserRole)
+	CheckNoError(t, roleRes6)
+
+	// Try and create a scheme with an invalid scope.
+	scheme3 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.NewId(),
+	}
+
+	_, r3 := th.SystemAdminClient.CreateScheme(scheme3)
+	CheckBadRequestStatus(t, r3)
+
+	// Try and create a scheme with an invalid name.
+	scheme4 := &model.Scheme{
+		Name:        strings.Repeat(model.NewId(), 100),
+		Description: model.NewId(),
+		Scope:       model.NewId(),
+	}
+	_, r4 := th.SystemAdminClient.CreateScheme(scheme4)
+	CheckBadRequestStatus(t, r4)
+
+	// Try and create a scheme without the appropriate permissions.
+	scheme5 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_TEAM,
+	}
+	_, r5 := th.Client.CreateScheme(scheme5)
+	CheckForbiddenStatus(t, r5)
+
+	// Try and create a scheme without a license.
+	th.App.SetLicense(nil)
+	scheme6 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_TEAM,
+	}
+	_, r6 := th.SystemAdminClient.CreateScheme(scheme6)
+	CheckNotImplementedStatus(t, r6)
+}
+
+func TestGetScheme(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+
+	th.App.SetLicense(model.NewTestLicense(""))
+
+	// Basic test of creating a team scheme.
+	scheme1 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_TEAM,
+	}
+
+	s1, r1 := th.SystemAdminClient.CreateScheme(scheme1)
+	CheckNoError(t, r1)
+
+	assert.Equal(t, s1.Name, scheme1.Name)
+	assert.Equal(t, s1.Description, scheme1.Description)
+	assert.NotZero(t, s1.CreateAt)
+	assert.Equal(t, s1.CreateAt, s1.UpdateAt)
+	assert.Zero(t, s1.DeleteAt)
+	assert.Equal(t, s1.Scope, scheme1.Scope)
+	assert.NotZero(t, len(s1.DefaultTeamAdminRole))
+	assert.NotZero(t, len(s1.DefaultTeamUserRole))
+	assert.NotZero(t, len(s1.DefaultChannelAdminRole))
+	assert.NotZero(t, len(s1.DefaultChannelUserRole))
+
+	s2, r2 := th.SystemAdminClient.GetScheme(s1.Id)
+	CheckNoError(t, r2)
+
+	assert.Equal(t, s1, s2)
+
+	_, r3 := th.SystemAdminClient.GetScheme(model.NewId())
+	CheckNotFoundStatus(t, r3)
+
+	_, r4 := th.SystemAdminClient.GetScheme("12345")
+	CheckBadRequestStatus(t, r4)
+
+	th.SystemAdminClient.Logout()
+	_, r5 := th.SystemAdminClient.GetScheme(s1.Id)
+	CheckUnauthorizedStatus(t, r5)
+
+	th.SystemAdminClient.Login(th.SystemAdminUser.Username, th.SystemAdminUser.Password)
+	th.App.SetLicense(nil)
+	_, r6 := th.SystemAdminClient.GetScheme(s1.Id)
+	CheckNoError(t, r6)
+
+	_, r7 := th.Client.GetScheme(s1.Id)
+	CheckForbiddenStatus(t, r7)
+}
+
+func TestGetSchemes(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+
+	th.App.SetLicense(model.NewTestLicense(""))
+
+	scheme1 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_TEAM,
+	}
+
+	scheme2 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_CHANNEL,
+	}
+
+	_, r1 := th.SystemAdminClient.CreateScheme(scheme1)
+	CheckNoError(t, r1)
+	_, r2 := th.SystemAdminClient.CreateScheme(scheme2)
+	CheckNoError(t, r2)
+
+	l3, r3 := th.SystemAdminClient.GetSchemes("", 0, 100)
+	CheckNoError(t, r3)
+
+	assert.NotZero(t, len(l3))
+
+	l4, r4 := th.SystemAdminClient.GetSchemes("team", 0, 100)
+	CheckNoError(t, r4)
+
+	for _, s := range l4 {
+		assert.Equal(t, "team", s.Scope)
+	}
+
+	l5, r5 := th.SystemAdminClient.GetSchemes("channel", 0, 100)
+	CheckNoError(t, r5)
+
+	for _, s := range l5 {
+		assert.Equal(t, "channel", s.Scope)
+	}
+
+	_, r6 := th.SystemAdminClient.GetSchemes("asdf", 0, 100)
+	CheckBadRequestStatus(t, r6)
+
+	th.Client.Logout()
+	_, r7 := th.Client.GetSchemes("", 0, 100)
+	CheckUnauthorizedStatus(t, r7)
+
+	th.Client.Login(th.BasicUser.Username, th.BasicUser.Password)
+	_, r8 := th.Client.GetSchemes("", 0, 100)
+	CheckForbiddenStatus(t, r8)
+}
+
+func TestGetTeamsForScheme(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+
+	th.App.SetLicense(model.NewTestLicense(""))
+
+	scheme1 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_TEAM,
+	}
+	scheme1, r1 := th.SystemAdminClient.CreateScheme(scheme1)
+	CheckNoError(t, r1)
+
+	team1 := &model.Team{
+		Name:        GenerateTestUsername(),
+		DisplayName: "A Test Team",
+		Type:        model.TEAM_OPEN,
+	}
+
+	result1 := <-th.App.Srv.Store.Team().Save(team1)
+	assert.Nil(t, result1.Err)
+	team1 = result1.Data.(*model.Team)
+
+	l2, r2 := th.SystemAdminClient.GetTeamsForScheme(scheme1.Id, 0, 100)
+	CheckNoError(t, r2)
+	assert.Zero(t, len(l2))
+
+	team1.SchemeId = &scheme1.Id
+	result2 := <-th.App.Srv.Store.Team().Update(team1)
+	assert.Nil(t, result2.Err)
+	team1 = result2.Data.(*model.Team)
+
+	l3, r3 := th.SystemAdminClient.GetTeamsForScheme(scheme1.Id, 0, 100)
+	CheckNoError(t, r3)
+	assert.Len(t, l3, 1)
+	assert.Equal(t, team1.Id, l3[0].Id)
+
+	team2 := &model.Team{
+		Name:        GenerateTestUsername(),
+		DisplayName: "B Test Team",
+		Type:        model.TEAM_OPEN,
+		SchemeId:    &scheme1.Id,
+	}
+	result3 := <-th.App.Srv.Store.Team().Save(team2)
+	assert.Nil(t, result3.Err)
+	team2 = result3.Data.(*model.Team)
+
+	l4, r4 := th.SystemAdminClient.GetTeamsForScheme(scheme1.Id, 0, 100)
+	CheckNoError(t, r4)
+	assert.Len(t, l4, 2)
+	assert.Equal(t, team1.Id, l4[0].Id)
+	assert.Equal(t, team2.Id, l4[1].Id)
+
+	l5, r5 := th.SystemAdminClient.GetTeamsForScheme(scheme1.Id, 1, 1)
+	CheckNoError(t, r5)
+	assert.Len(t, l5, 1)
+	assert.Equal(t, team2.Id, l5[0].Id)
+
+	// Check various error cases.
+	_, ri1 := th.SystemAdminClient.GetTeamsForScheme(model.NewId(), 0, 100)
+	CheckNotFoundStatus(t, ri1)
+
+	_, ri2 := th.SystemAdminClient.GetTeamsForScheme("", 0, 100)
+	CheckBadRequestStatus(t, ri2)
+
+	th.Client.Logout()
+	_, ri3 := th.Client.GetTeamsForScheme(model.NewId(), 0, 100)
+	CheckUnauthorizedStatus(t, ri3)
+
+	th.Client.Login(th.BasicUser.Username, th.BasicUser.Password)
+	_, ri4 := th.Client.GetTeamsForScheme(model.NewId(), 0, 100)
+	CheckForbiddenStatus(t, ri4)
+
+	scheme2 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_CHANNEL,
+	}
+	scheme2, rs2 := th.SystemAdminClient.CreateScheme(scheme2)
+	CheckNoError(t, rs2)
+
+	_, ri5 := th.SystemAdminClient.GetTeamsForScheme(scheme2.Id, 0, 100)
+	CheckBadRequestStatus(t, ri5)
+}
+
+func TestGetChannelsForScheme(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+
+	th.App.SetLicense(model.NewTestLicense(""))
+
+	scheme1 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_CHANNEL,
+	}
+	scheme1, r1 := th.SystemAdminClient.CreateScheme(scheme1)
+	CheckNoError(t, r1)
+
+	channel1 := &model.Channel{
+		TeamId:      model.NewId(),
+		DisplayName: "A Name",
+		Name:        model.NewId(),
+		Type:        model.CHANNEL_OPEN,
+	}
+
+	result1 := <-th.App.Srv.Store.Channel().Save(channel1, 1000000)
+	assert.Nil(t, result1.Err)
+	channel1 = result1.Data.(*model.Channel)
+
+	l2, r2 := th.SystemAdminClient.GetChannelsForScheme(scheme1.Id, 0, 100)
+	CheckNoError(t, r2)
+	assert.Zero(t, len(l2))
+
+	channel1.SchemeId = &scheme1.Id
+	result2 := <-th.App.Srv.Store.Channel().Update(channel1)
+	assert.Nil(t, result2.Err)
+	channel1 = result2.Data.(*model.Channel)
+
+	l3, r3 := th.SystemAdminClient.GetChannelsForScheme(scheme1.Id, 0, 100)
+	CheckNoError(t, r3)
+	assert.Len(t, l3, 1)
+	assert.Equal(t, channel1.Id, l3[0].Id)
+
+	channel2 := &model.Channel{
+		TeamId:      model.NewId(),
+		DisplayName: "B Name",
+		Name:        model.NewId(),
+		Type:        model.CHANNEL_OPEN,
+		SchemeId:    &scheme1.Id,
+	}
+	result3 := <-th.App.Srv.Store.Channel().Save(channel2, 1000000)
+	assert.Nil(t, result3.Err)
+	channel2 = result3.Data.(*model.Channel)
+
+	l4, r4 := th.SystemAdminClient.GetChannelsForScheme(scheme1.Id, 0, 100)
+	CheckNoError(t, r4)
+	assert.Len(t, l4, 2)
+	assert.Equal(t, channel1.Id, l4[0].Id)
+	assert.Equal(t, channel2.Id, l4[1].Id)
+
+	l5, r5 := th.SystemAdminClient.GetChannelsForScheme(scheme1.Id, 1, 1)
+	CheckNoError(t, r5)
+	assert.Len(t, l5, 1)
+	assert.Equal(t, channel2.Id, l5[0].Id)
+
+	// Check various error cases.
+	_, ri1 := th.SystemAdminClient.GetChannelsForScheme(model.NewId(), 0, 100)
+	CheckNotFoundStatus(t, ri1)
+
+	_, ri2 := th.SystemAdminClient.GetChannelsForScheme("", 0, 100)
+	CheckBadRequestStatus(t, ri2)
+
+	th.Client.Logout()
+	_, ri3 := th.Client.GetChannelsForScheme(model.NewId(), 0, 100)
+	CheckUnauthorizedStatus(t, ri3)
+
+	th.Client.Login(th.BasicUser.Username, th.BasicUser.Password)
+	_, ri4 := th.Client.GetChannelsForScheme(model.NewId(), 0, 100)
+	CheckForbiddenStatus(t, ri4)
+
+	scheme2 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_TEAM,
+	}
+	scheme2, rs2 := th.SystemAdminClient.CreateScheme(scheme2)
+	CheckNoError(t, rs2)
+
+	_, ri5 := th.SystemAdminClient.GetChannelsForScheme(scheme2.Id, 0, 100)
+	CheckBadRequestStatus(t, ri5)
+}
+
+func TestPatchScheme(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+
+	th.App.SetLicense(model.NewTestLicense(""))
+
+	// Basic test of creating a team scheme.
+	scheme1 := &model.Scheme{
+		Name:        model.NewId(),
+		Description: model.NewId(),
+		Scope:       model.SCHEME_SCOPE_TEAM,
+	}
+
+	s1, r1 := th.SystemAdminClient.CreateScheme(scheme1)
+	CheckNoError(t, r1)
+
+	assert.Equal(t, s1.Name, scheme1.Name)
+	assert.Equal(t, s1.Description, scheme1.Description)
+	assert.NotZero(t, s1.CreateAt)
+	assert.Equal(t, s1.CreateAt, s1.UpdateAt)
+	assert.Zero(t, s1.DeleteAt)
+	assert.Equal(t, s1.Scope, scheme1.Scope)
+	assert.NotZero(t, len(s1.DefaultTeamAdminRole))
+	assert.NotZero(t, len(s1.DefaultTeamUserRole))
+	assert.NotZero(t, len(s1.DefaultChannelAdminRole))
+	assert.NotZero(t, len(s1.DefaultChannelUserRole))
+
+	s2, r2 := th.SystemAdminClient.GetScheme(s1.Id)
+	CheckNoError(t, r2)
+
+	assert.Equal(t, s1, s2)
+
+	// Test with a valid patch.
+	schemePatch := &model.SchemePatch{
+		Name:        new(string),
+		Description: new(string),
+	}
+	*schemePatch.Name = model.NewId()
+	*schemePatch.Description = model.NewId()
+
+	s3, r3 := th.SystemAdminClient.PatchScheme(s2.Id, schemePatch)
+	CheckNoError(t, r3)
+	assert.Equal(t, s3.Id, s2.Id)
+	assert.Equal(t, s3.Name, *schemePatch.Name)
+	assert.Equal(t, s3.Description, *schemePatch.Description)
+
+	s4, r4 := th.SystemAdminClient.GetScheme(s3.Id)
+	CheckNoError(t, r4)
+	assert.Equal(t, s3, s4)
+
+	// Test with a partial patch.
+	*schemePatch.Name = model.NewId()
+	schemePatch.Description = nil
+
+	s5, r5 := th.SystemAdminClient.PatchScheme(s4.Id, schemePatch)
+	CheckNoError(t, r5)
+	assert.Equal(t, s5.Id, s4.Id)
+	assert.Equal(t, s5.Name, *schemePatch.Name)
+	assert.Equal(t, s5.Description, s4.Description)
+
+	s6, r6 := th.SystemAdminClient.GetScheme(s5.Id)
+	CheckNoError(t, r6)
+	assert.Equal(t, s5, s6)
+
+	// Test with invalid patch.
+	*schemePatch.Name = strings.Repeat(model.NewId(), 20)
+	_, r7 := th.SystemAdminClient.PatchScheme(s6.Id, schemePatch)
+	CheckBadRequestStatus(t, r7)
+
+	// Test with unknown ID.
+	*schemePatch.Name = model.NewId()
+	_, r8 := th.SystemAdminClient.PatchScheme(model.NewId(), schemePatch)
+	CheckNotFoundStatus(t, r8)
+
+	// Test with invalid ID.
+	_, r9 := th.SystemAdminClient.PatchScheme("12345", schemePatch)
+	CheckBadRequestStatus(t, r9)
+
+	// Test without required permissions.
+	_, r10 := th.Client.PatchScheme(s6.Id, schemePatch)
+	CheckForbiddenStatus(t, r10)
+
+	// Test without license.
+	th.App.SetLicense(nil)
+	_, r11 := th.SystemAdminClient.PatchScheme(s6.Id, schemePatch)
+	CheckNotImplementedStatus(t, r11)
+}
+
+func TestDeleteScheme(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer th.TearDown()
+
+	t.Run("ValidTeamScheme", func(t *testing.T) {
+		th.App.SetLicense(model.NewTestLicense(""))
+
+		// Create a team scheme.
+		scheme1 := &model.Scheme{
+			Name:        model.NewId(),
+			Description: model.NewId(),
+			Scope:       model.SCHEME_SCOPE_TEAM,
+		}
+
+		s1, r1 := th.SystemAdminClient.CreateScheme(scheme1)
+		CheckNoError(t, r1)
+
+		// Retrieve the roles and check they are not deleted.
+		role1, roleRes1 := th.SystemAdminClient.GetRole(s1.DefaultTeamAdminRole)
+		CheckNoError(t, roleRes1)
+		role2, roleRes2 := th.SystemAdminClient.GetRole(s1.DefaultTeamUserRole)
+		CheckNoError(t, roleRes2)
+		role3, roleRes3 := th.SystemAdminClient.GetRole(s1.DefaultChannelAdminRole)
+		CheckNoError(t, roleRes3)
+		role4, roleRes4 := th.SystemAdminClient.GetRole(s1.DefaultChannelUserRole)
+		CheckNoError(t, roleRes4)
+
+		assert.Zero(t, role1.DeleteAt)
+		assert.Zero(t, role2.DeleteAt)
+		assert.Zero(t, role3.DeleteAt)
+		assert.Zero(t, role4.DeleteAt)
+
+		// Make sure this scheme is in use by a team.
+		res := <-th.App.Srv.Store.Team().Save(&model.Team{
+			Name:        model.NewId(),
+			DisplayName: model.NewId(),
+			Email:       model.NewId() + "@nowhere.com",
+			Type:        model.TEAM_OPEN,
+			SchemeId:    &s1.Id,
+		})
+		assert.Nil(t, res.Err)
+		team := res.Data.(*model.Team)
+
+		// Try and fail to delete the scheme.
+		_, r2 := th.SystemAdminClient.DeleteScheme(s1.Id)
+		CheckInternalErrorStatus(t, r2)
+
+		role1, roleRes1 = th.SystemAdminClient.GetRole(s1.DefaultTeamAdminRole)
+		CheckNoError(t, roleRes1)
+		role2, roleRes2 = th.SystemAdminClient.GetRole(s1.DefaultTeamUserRole)
+		CheckNoError(t, roleRes2)
+		role3, roleRes3 = th.SystemAdminClient.GetRole(s1.DefaultChannelAdminRole)
+		CheckNoError(t, roleRes3)
+		role4, roleRes4 = th.SystemAdminClient.GetRole(s1.DefaultChannelUserRole)
+		CheckNoError(t, roleRes4)
+
+		assert.Zero(t, role1.DeleteAt)
+		assert.Zero(t, role2.DeleteAt)
+		assert.Zero(t, role3.DeleteAt)
+		assert.Zero(t, role4.DeleteAt)
+
+		// Change the team using it to a different scheme.
+		emptyString := ""
+		team.SchemeId = &emptyString
+		res = <-th.App.Srv.Store.Team().Update(team)
+
+		// Delete the Scheme.
+		_, r3 := th.SystemAdminClient.DeleteScheme(s1.Id)
+		CheckNoError(t, r3)
+
+		// Check the roles were deleted.
+		role1, roleRes1 = th.SystemAdminClient.GetRole(s1.DefaultTeamAdminRole)
+		CheckNoError(t, roleRes1)
+		role2, roleRes2 = th.SystemAdminClient.GetRole(s1.DefaultTeamUserRole)
+		CheckNoError(t, roleRes2)
+		role3, roleRes3 = th.SystemAdminClient.GetRole(s1.DefaultChannelAdminRole)
+		CheckNoError(t, roleRes3)
+		role4, roleRes4 = th.SystemAdminClient.GetRole(s1.DefaultChannelUserRole)
+		CheckNoError(t, roleRes4)
+
+		assert.NotZero(t, role1.DeleteAt)
+		assert.NotZero(t, role2.DeleteAt)
+		assert.NotZero(t, role3.DeleteAt)
+		assert.NotZero(t, role4.DeleteAt)
+	})
+
+	t.Run("ValidChannelScheme", func(t *testing.T) {
+		th.App.SetLicense(model.NewTestLicense(""))
+
+		// Create a channel scheme.
+		scheme1 := &model.Scheme{
+			Name:        model.NewId(),
+			Description: model.NewId(),
+			Scope:       model.SCHEME_SCOPE_CHANNEL,
+		}
+
+		s1, r1 := th.SystemAdminClient.CreateScheme(scheme1)
+		CheckNoError(t, r1)
+
+		// Retrieve the roles and check they are not deleted.
+		role3, roleRes3 := th.SystemAdminClient.GetRole(s1.DefaultChannelAdminRole)
+		CheckNoError(t, roleRes3)
+		role4, roleRes4 := th.SystemAdminClient.GetRole(s1.DefaultChannelUserRole)
+		CheckNoError(t, roleRes4)
+
+		assert.Zero(t, role3.DeleteAt)
+		assert.Zero(t, role4.DeleteAt)
+
+		// Make sure this scheme is in use by a team.
+		res := <-th.App.Srv.Store.Channel().Save(&model.Channel{
+			TeamId:      model.NewId(),
+			DisplayName: model.NewId(),
+			Name:        model.NewId(),
+			Type:        model.CHANNEL_OPEN,
+			SchemeId:    &s1.Id,
+		}, -1)
+		assert.Nil(t, res.Err)
+		channel := res.Data.(*model.Channel)
+
+		// Try and fail to delete the scheme.
+		_, r2 := th.SystemAdminClient.DeleteScheme(s1.Id)
+		CheckInternalErrorStatus(t, r2)
+
+		role3, roleRes3 = th.SystemAdminClient.GetRole(s1.DefaultChannelAdminRole)
+		CheckNoError(t, roleRes3)
+		role4, roleRes4 = th.SystemAdminClient.GetRole(s1.DefaultChannelUserRole)
+		CheckNoError(t, roleRes4)
+
+		assert.Zero(t, role3.DeleteAt)
+		assert.Zero(t, role4.DeleteAt)
+
+		// Change the team using it to a different scheme.
+		emptyString := ""
+		channel.SchemeId = &emptyString
+		res = <-th.App.Srv.Store.Channel().Update(channel)
+
+		// Delete the Scheme.
+		_, r3 := th.SystemAdminClient.DeleteScheme(s1.Id)
+		CheckNoError(t, r3)
+
+		// Check the roles were deleted.
+		role3, roleRes3 = th.SystemAdminClient.GetRole(s1.DefaultChannelAdminRole)
+		CheckNoError(t, roleRes3)
+		role4, roleRes4 = th.SystemAdminClient.GetRole(s1.DefaultChannelUserRole)
+		CheckNoError(t, roleRes4)
+
+		assert.NotZero(t, role3.DeleteAt)
+		assert.NotZero(t, role4.DeleteAt)
+	})
+
+	t.Run("FailureCases", func(t *testing.T) {
+		th.App.SetLicense(model.NewTestLicense(""))
+
+		scheme1 := &model.Scheme{
+			Name:        model.NewId(),
+			Description: model.NewId(),
+			Scope:       model.SCHEME_SCOPE_CHANNEL,
+		}
+
+		s1, r1 := th.SystemAdminClient.CreateScheme(scheme1)
+		CheckNoError(t, r1)
+
+		// Test with unknown ID.
+		_, r2 := th.SystemAdminClient.DeleteScheme(model.NewId())
+		CheckNotFoundStatus(t, r2)
+
+		// Test with invalid ID.
+		_, r3 := th.SystemAdminClient.DeleteScheme("12345")
+		CheckBadRequestStatus(t, r3)
+
+		// Test without required permissions.
+		_, r4 := th.Client.DeleteScheme(s1.Id)
+		CheckForbiddenStatus(t, r4)
+
+		// Test without license.
+		th.App.SetLicense(nil)
+		_, r5 := th.SystemAdminClient.DeleteScheme(s1.Id)
+		CheckNotImplementedStatus(t, r5)
+	})
+}