diff options
author | Joram Wilander <jwawilander@gmail.com> | 2017-03-13 08:26:23 -0400 |
---|---|---|
committer | George Goldberg <george@gberg.me> | 2017-03-13 12:26:23 +0000 |
commit | 3559fb7959cf008b038239f2e7c43e604c44cd31 (patch) | |
tree | 159fdbb16a169926e0d142aa17d6086fcded62c4 /api4 | |
parent | fe38d6d5bb36e18ddefbe490cc21f48f4f4c8d81 (diff) | |
download | chat-3559fb7959cf008b038239f2e7c43e604c44cd31.tar.gz chat-3559fb7959cf008b038239f2e7c43e604c44cd31.tar.bz2 chat-3559fb7959cf008b038239f2e7c43e604c44cd31.zip |
Implement SAML endpoints for APIv4 (#5671)
* Implement SAML endpoints for APIv4
* Fix unit test
* Only disable encryption when removing puplic/private certs
Diffstat (limited to 'api4')
-rw-r--r-- | api4/api.go | 4 | ||||
-rw-r--r-- | api4/apitestlib.go | 31 | ||||
-rw-r--r-- | api4/saml.go | 171 | ||||
-rw-r--r-- | api4/saml_test.go | 19 |
4 files changed, 225 insertions, 0 deletions
diff --git a/api4/api.go b/api4/api.go index c8c0e170b..71dfbcdf3 100644 --- a/api4/api.go +++ b/api4/api.go @@ -60,6 +60,8 @@ type Routes struct { OAuth *mux.Router // 'api/v4/oauth' + SAML *mux.Router // 'api/v4/saml' + Admin *mux.Router // 'api/v4/admin' System *mux.Router // 'api/v4/system' @@ -127,6 +129,7 @@ func InitApi(full bool) { BaseRoutes.OutgoingHooks = BaseRoutes.Hooks.PathPrefix("/outgoing").Subrouter() BaseRoutes.OutgoingHook = BaseRoutes.OutgoingHooks.PathPrefix("/{hook_id:[A-Za-z0-9]+}").Subrouter() + BaseRoutes.SAML = BaseRoutes.ApiRoot.PathPrefix("/saml").Subrouter() BaseRoutes.OAuth = BaseRoutes.ApiRoot.PathPrefix("/oauth").Subrouter() BaseRoutes.Admin = BaseRoutes.ApiRoot.PathPrefix("/admin").Subrouter() BaseRoutes.System = BaseRoutes.ApiRoot.PathPrefix("/system").Subrouter() @@ -147,6 +150,7 @@ func InitApi(full bool) { InitSystem() InitWebhook() InitPreference() + InitSaml() app.Srv.Router.Handle("/api/v4/{anything:.*}", http.HandlerFunc(Handle404)) diff --git a/api4/apitestlib.go b/api4/apitestlib.go index 3d2feaf6e..30dbfadae 100644 --- a/api4/apitestlib.go +++ b/api4/apitestlib.go @@ -38,6 +38,37 @@ type TestHelper struct { SystemAdminUser *model.User } +func SetupEnterprise() *TestHelper { + if app.Srv == nil { + utils.TranslationsPreInit() + utils.LoadConfig("config.json") + utils.InitTranslations(utils.Cfg.LocalizationSettings) + utils.Cfg.TeamSettings.MaxUsersPerTeam = 50 + *utils.Cfg.RateLimitSettings.Enable = false + utils.Cfg.EmailSettings.SendEmailNotifications = true + utils.Cfg.EmailSettings.SMTPServer = "dockerhost" + utils.Cfg.EmailSettings.SMTPPort = "2500" + utils.Cfg.EmailSettings.FeedbackEmail = "test@example.com" + utils.DisableDebugLogForTest() + utils.License.Features.SetDefaults() + app.NewServer() + app.InitStores() + InitRouter() + app.StartServer() + utils.InitHTML() + InitApi(true) + utils.EnableDebugLogForTest() + app.Srv.Store.MarkSystemRanUnitTests() + + *utils.Cfg.TeamSettings.EnableOpenServer = true + } + + th := &TestHelper{} + th.Client = th.CreateClient() + th.SystemAdminClient = th.CreateClient() + return th +} + func Setup() *TestHelper { if app.Srv == nil { utils.TranslationsPreInit() diff --git a/api4/saml.go b/api4/saml.go new file mode 100644 index 000000000..e2c35f30d --- /dev/null +++ b/api4/saml.go @@ -0,0 +1,171 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package api4 + +import ( + "mime/multipart" + "net/http" + + l4g "github.com/alecthomas/log4go" + "github.com/mattermost/platform/app" + "github.com/mattermost/platform/model" + "github.com/mattermost/platform/utils" +) + +func InitSaml() { + l4g.Debug(utils.T("api.saml.init.debug")) + + BaseRoutes.SAML.Handle("/metadata", ApiHandler(getSamlMetadata)).Methods("GET") + + BaseRoutes.SAML.Handle("/certificate/public", ApiSessionRequired(addSamlPublicCertificate)).Methods("POST") + BaseRoutes.SAML.Handle("/certificate/private", ApiSessionRequired(addSamlPrivateCertificate)).Methods("POST") + BaseRoutes.SAML.Handle("/certificate/idp", ApiSessionRequired(addSamlIdpCertificate)).Methods("POST") + + BaseRoutes.SAML.Handle("/certificate/public", ApiSessionRequired(removeSamlPublicCertificate)).Methods("DELETE") + BaseRoutes.SAML.Handle("/certificate/private", ApiSessionRequired(removeSamlPrivateCertificate)).Methods("DELETE") + BaseRoutes.SAML.Handle("/certificate/idp", ApiSessionRequired(removeSamlIdpCertificate)).Methods("DELETE") + + BaseRoutes.SAML.Handle("/certificate/status", ApiSessionRequired(getSamlCertificateStatus)).Methods("GET") +} + +func getSamlMetadata(c *Context, w http.ResponseWriter, r *http.Request) { + metadata, err := app.GetSamlMetadata() + if err != nil { + c.Err = err + return + } + + w.Header().Set("Content-Type", "application/xml") + w.Header().Set("Content-Disposition", "attachment; filename=\"metadata.xml\"") + w.Write([]byte(metadata)) +} + +func parseSamlCertificateRequest(r *http.Request) (*multipart.FileHeader, *model.AppError) { + err := r.ParseMultipartForm(*utils.Cfg.FileSettings.MaxFileSize) + if err != nil { + return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, err.Error(), http.StatusBadRequest) + } + + m := r.MultipartForm + + fileArray, ok := m.File["certificate"] + if !ok { + return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, "", http.StatusBadRequest) + } + + if len(fileArray) <= 0 { + return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.array.app_error", nil, "", http.StatusBadRequest) + } + + return fileArray[0], nil +} + +func addSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + fileData, err := parseSamlCertificateRequest(r) + if err != nil { + c.Err = err + return + } + + if err := app.AddSamlPublicCertificate(fileData); err != nil { + c.Err = err + return + } + ReturnStatusOK(w) +} + +func addSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + fileData, err := parseSamlCertificateRequest(r) + if err != nil { + c.Err = err + return + } + + if err := app.AddSamlPrivateCertificate(fileData); err != nil { + c.Err = err + return + } + ReturnStatusOK(w) +} + +func addSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + fileData, err := parseSamlCertificateRequest(r) + if err != nil { + c.Err = err + return + } + + if err := app.AddSamlIdpCertificate(fileData); err != nil { + c.Err = err + return + } + ReturnStatusOK(w) +} + +func removeSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + if err := app.RemoveSamlPublicCertificate(); err != nil { + c.Err = err + return + } + + ReturnStatusOK(w) +} + +func removeSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + if err := app.RemoveSamlPrivateCertificate(); err != nil { + c.Err = err + return + } + + ReturnStatusOK(w) +} + +func removeSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + if err := app.RemoveSamlIdpCertificate(); err != nil { + c.Err = err + return + } + + ReturnStatusOK(w) +} + +func getSamlCertificateStatus(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + status := app.GetSamlCertificateStatus() + w.Write([]byte(status.ToJson())) +} diff --git a/api4/saml_test.go b/api4/saml_test.go new file mode 100644 index 000000000..7e4722a3b --- /dev/null +++ b/api4/saml_test.go @@ -0,0 +1,19 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package api4 + +import ( + "testing" +) + +func TestGetSamlMetadata(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + + _, resp := Client.GetSamlMetadata() + CheckNotImplementedStatus(t, resp) + + // Rest is tested by enterprise tests +} |