Merge branch 'master' into mm-1420

author: =Corey Hulen <corey@hulen.com> 2015-07-23 09:22:17 -0800
committer: =Corey Hulen <corey@hulen.com> 2015-07-23 09:22:17 -0800
commit: 8d9449c068902f51a97e7a6605cd226bf4a26f2e (patch)
tree: eade41f7f9138de4f156016af9476486c227abec /api
parent: c277a98b5d88c81df39f8e33ef1286f72ac04014 (diff)
parent: a9d48ff994cd2d03f8e1b2438e50fc6dd0d9bdc2 (diff)
download: chat-8d9449c068902f51a97e7a6605cd226bf4a26f2e.tar.gz
chat-8d9449c068902f51a97e7a6605cd226bf4a26f2e.tar.bz2
chat-8d9449c068902f51a97e7a6605cd226bf4a26f2e.zip
2 files changed, 188 insertions, 78 deletions
diff --git a/api/templates/post_body.html b/api/templates/post_body.html
index 41a29d020..c0f4375d8 100644
--- a/api/templates/post_body.html
+++ b/api/templates/post_body.html
@@ -18,7 +18,7 @@
                                         <tr>
                                             <td style="border-bottom: 1px solid #ddd; padding: 0 0 20px;">
                                                 <h2 style="font-weight: normal; margin-top: 10px;">You were mentioned</h2>
-                                                <p>CHANNEL: {{.Props.ChannelName}}<br>{{.Props.SenderName}} - {{.Props.Hour}}:{{.Props.Minute}} GMT, {{.Props.Month}} {{.Props.Day}}<br><pre style="text-align:left;font-family: 'Lato', sans-serif;">{{.Props.PostMessage}}</pre></p>
+                                                <p>CHANNEL: {{.Props.ChannelName}}<br>{{.Props.SenderName}} - {{.Props.Hour}}:{{.Props.Minute}} GMT, {{.Props.Month}} {{.Props.Day}}<br><pre style="text-align:left;font-family: 'Lato', sans-serif; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">{{.Props.PostMessage}}</pre></p>
                                                 <p style="margin: 20px 0 15px">
                                                     <a href="{{.Props.TeamLink}}" style="background: #2389D7; display: inline-block; border-radius: 3px; color: #fff; border: none; outline: none; min-width: 170px; padding: 15px 25px; font-size: 14px; font-family: inherit; cursor: pointer; -webkit-appearance: none;text-decoration: none;">Go To Channel</a>
                                                 </p>
diff --git a/api/user.go b/api/user.go
index 7035613ea..e1d5e83dd 100644
--- a/api/user.go
+++ b/api/user.go
@@ -20,6 +20,7 @@ import (
 	_ "image/gif"
 	_ "image/jpeg"
 	"image/png"
+	"io"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -80,36 +81,7 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	hash := r.URL.Query().Get("h")
 
-	shouldVerifyHash := true
-
-	if team.Type == model.TEAM_INVITE && len(team.AllowedDomains) > 0 && len(hash) == 0 {
-		domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(team.AllowedDomains, "@", " ", -1), ",", " ", -1))))
-
-		matched := false
-		for _, d := range domains {
-			if strings.HasSuffix(user.Email, "@"+d) {
-				matched = true
-				break
-			}
-		}
-
-		if matched {
-			shouldVerifyHash = false
-		} else {
-			c.Err = model.NewAppError("createUser", "The signup link does not appear to be valid", "allowed domains failed")
-			return
-		}
-	}
-
-	if team.Type == model.TEAM_OPEN {
-		shouldVerifyHash = false
-	}
-
-	if len(hash) > 0 {
-		shouldVerifyHash = true
-	}
-
-	if shouldVerifyHash {
+	if IsVerifyHashRequired(user, team, hash) {
 		data := r.URL.Query().Get("d")
 		props := model.MapFromJson(strings.NewReader(data))
 
@@ -133,6 +105,10 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
 		user.EmailVerified = true
 	}
 
+	if len(user.AuthData) > 0 && len(user.AuthService) > 0 {
+		user.EmailVerified = true
+	}
+
 	ruser := CreateUser(c, team, user)
 	if c.Err != nil {
 		return
@@ -142,6 +118,38 @@ func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
 
 }
 
+func IsVerifyHashRequired(user *model.User, team *model.Team, hash string) bool {
+	shouldVerifyHash := true
+
+	if team.Type == model.TEAM_INVITE && len(team.AllowedDomains) > 0 && len(hash) == 0 && user != nil {
+		domains := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(team.AllowedDomains, "@", " ", -1), ",", " ", -1))))
+
+		matched := false
+		for _, d := range domains {
+			if strings.HasSuffix(user.Email, "@"+d) {
+				matched = true
+				break
+			}
+		}
+
+		if matched {
+			shouldVerifyHash = false
+		} else {
+			return true
+		}
+	}
+
+	if team.Type == model.TEAM_OPEN {
+		shouldVerifyHash = false
+	}
+
+	if len(hash) > 0 {
+		shouldVerifyHash = true
+	}
+
+	return shouldVerifyHash
+}
+
 func CreateValet(c *Context, team *model.Team) *model.User {
 	valet := &model.User{}
 	valet.TeamId = team.Id
@@ -233,80 +241,77 @@ func FireAndForgetVerifyEmail(userId, name, email, teamDisplayName, teamURL stri
 	}()
 }
 
-func login(c *Context, w http.ResponseWriter, r *http.Request) {
-	props := model.MapFromJson(r.Body)
-
-	extraInfo := ""
-	var result store.StoreResult
-
-	if len(props["id"]) != 0 {
-		extraInfo = props["id"]
-		if result = <-Srv.Store.User().Get(props["id"]); result.Err != nil {
-			c.Err = result.Err
-			return
+func LoginById(c *Context, w http.ResponseWriter, r *http.Request, userId, password, deviceId string) *model.User {
+	if result := <-Srv.Store.User().Get(userId); result.Err != nil {
+		c.Err = result.Err
+		return nil
+	} else {
+		user := result.Data.(*model.User)
+		if checkUserPassword(c, user, password) {
+			Login(c, w, r, user, deviceId)
+			return user
 		}
 	}
 
-	var team *model.Team
-	if result.Data == nil && len(props["email"]) != 0 && len(props["name"]) != 0 {
-		extraInfo = props["email"] + " in " + props["name"]
-
-		if nr := <-Srv.Store.Team().GetByName(props["name"]); nr.Err != nil {
-			c.Err = nr.Err
-			return
-		} else {
-			team = nr.Data.(*model.Team)
+	return nil
+}
 
-			if result = <-Srv.Store.User().GetByEmail(team.Id, props["email"]); result.Err != nil {
-				c.Err = result.Err
-				return
-			}
-		}
-	}
+func LoginByEmail(c *Context, w http.ResponseWriter, r *http.Request, email, name, password, deviceId string) *model.User {
+	var team *model.Team
 
-	if result.Data == nil {
-		c.Err = model.NewAppError("login", "Login failed because we couldn't find a valid account", extraInfo)
-		c.Err.StatusCode = http.StatusBadRequest
-		return
+	if result := <-Srv.Store.Team().GetByName(name); result.Err != nil {
+		c.Err = result.Err
+		return nil
+	} else {
+		team = result.Data.(*model.Team)
 	}
 
-	user := result.Data.(*model.User)
+	if result := <-Srv.Store.User().GetByEmail(team.Id, email); result.Err != nil {
+		c.Err = result.Err
+		return nil
+	} else {
+		user := result.Data.(*model.User)
 
-	if team == nil {
-		if tResult := <-Srv.Store.Team().Get(user.TeamId); tResult.Err != nil {
-			c.Err = tResult.Err
-			return
-		} else {
-			team = tResult.Data.(*model.Team)
+		if checkUserPassword(c, user, password) {
+			Login(c, w, r, user, deviceId)
+			return user
 		}
 	}
 
-	c.LogAuditWithUserId(user.Id, "attempt")
+	return nil
+}
 
-	if !model.ComparePassword(user.Password, props["password"]) {
+func checkUserPassword(c *Context, user *model.User, password string) bool {
+	if !model.ComparePassword(user.Password, password) {
 		c.LogAuditWithUserId(user.Id, "fail")
-		c.Err = model.NewAppError("login", "Login failed because of invalid password", extraInfo)
+		c.Err = model.NewAppError("checkUserPassword", "Login failed because of invalid password", "user_id="+user.Id)
 		c.Err.StatusCode = http.StatusForbidden
-		return
+		return false
 	}
+	return true
+}
+
+// User MUST be validated before calling Login
+func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User, deviceId string) {
+	c.LogAuditWithUserId(user.Id, "attempt")
 
 	if !user.EmailVerified && !utils.Cfg.EmailSettings.ByPassEmail {
-		c.Err = model.NewAppError("login", "Login failed because email address has not been verified", extraInfo)
+		c.Err = model.NewAppError("Login", "Login failed because email address has not been verified", "user_id="+user.Id)
 		c.Err.StatusCode = http.StatusForbidden
 		return
 	}
 
 	if user.DeleteAt > 0 {
-		c.Err = model.NewAppError("login", "Login failed because your account has been set to inactive.  Please contact an administrator.", extraInfo)
+		c.Err = model.NewAppError("Login", "Login failed because your account has been set to inactive.  Please contact an administrator.", "user_id="+user.Id)
 		c.Err.StatusCode = http.StatusForbidden
 		return
 	}
 
-	session := &model.Session{UserId: user.Id, TeamId: team.Id, Roles: user.Roles, DeviceId: props["device_id"]}
+	session := &model.Session{UserId: user.Id, TeamId: user.TeamId, Roles: user.Roles, DeviceId: deviceId}
 
 	maxAge := model.SESSION_TIME_WEB_IN_SECS
 
-	if len(props["device_id"]) > 0 {
+	if len(deviceId) > 0 {
 		session.SetExpireInDays(model.SESSION_TIME_MOBILE_IN_DAYS)
 		maxAge = model.SESSION_TIME_MOBILE_IN_SECS
 	} else {
@@ -357,12 +362,41 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 
 	http.SetCookie(w, sessionCookie)
-	user.Sanitize(map[string]bool{})
 
 	c.Session = *session
 	c.LogAuditWithUserId(user.Id, "success")
+}
+
+func login(c *Context, w http.ResponseWriter, r *http.Request) {
+	props := model.MapFromJson(r.Body)
+
+	if len(props["password"]) == 0 {
+		c.Err = model.NewAppError("login", "Password field must not be blank", "")
+		c.Err.StatusCode = http.StatusForbidden
+		return
+	}
+
+	var user *model.User
+	if len(props["id"]) != 0 {
+		user = LoginById(c, w, r, props["id"], props["password"], props["device_id"])
+	} else if len(props["email"]) != 0 && len(props["name"]) != 0 {
+		user = LoginByEmail(c, w, r, props["email"], props["name"], props["password"], props["device_id"])
+	} else {
+		c.Err = model.NewAppError("login", "Either user id or team name and user email must be provided", "")
+		c.Err.StatusCode = http.StatusForbidden
+		return
+	}
 
-	w.Write([]byte(result.Data.(*model.User).ToJson()))
+	if c.Err != nil {
+		return
+	}
+
+	if user != nil {
+		user.Sanitize(map[string]bool{})
+	} else {
+		user = &model.User{}
+	}
+	w.Write([]byte(user.ToJson()))
 }
 
 func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -793,6 +827,13 @@ func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	tchan := Srv.Store.Team().Get(user.TeamId)
 
+	if user.AuthData != "" {
+		c.LogAudit("failed - tried to update user password who was logged in through oauth")
+		c.Err = model.NewAppError("updatePassword", "Update password failed because the user is logged in through an OAuth service", "auth_service="+user.AuthService)
+		c.Err.StatusCode = http.StatusForbidden
+		return
+	}
+
 	if !model.ComparePassword(user.Password, currentPassword) {
 		c.Err = model.NewAppError("updatePassword", "Update password failed because of invalid password", "")
 		c.Err.StatusCode = http.StatusForbidden
@@ -1212,3 +1253,72 @@ func getStatuses(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 }
+
+func GetAuthorizationCode(c *Context, w http.ResponseWriter, r *http.Request, teamName, service, redirectUri string) {
+
+	if s, ok := utils.Cfg.SSOSettings[service]; !ok || !s.Allow {
+		c.Err = model.NewAppError("GetAuthorizationCode", "Unsupported OAuth service provider", "service="+service)
+		c.Err.StatusCode = http.StatusBadRequest
+		return
+	}
+
+	clientId := utils.Cfg.SSOSettings[service].Id
+	endpoint := utils.Cfg.SSOSettings[service].AuthEndpoint
+	state := model.HashPassword(clientId)
+
+	authUrl := endpoint + "?response_type=code&client_id=" + clientId + "&redirect_uri=" + url.QueryEscape(redirectUri+"?team="+teamName) + "&state=" + url.QueryEscape(state)
+	http.Redirect(w, r, authUrl, http.StatusFound)
+}
+
+func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser, *model.AppError) {
+	if s, ok := utils.Cfg.SSOSettings[service]; !ok || !s.Allow {
+		return nil, model.NewAppError("AuthorizeOAuthUser", "Unsupported OAuth service provider", "service="+service)
+	}
+
+	if !model.ComparePassword(state, utils.Cfg.SSOSettings[service].Id) {
+		return nil, model.NewAppError("AuthorizeOAuthUser", "Invalid state", "")
+	}
+
+	p := url.Values{}
+	p.Set("client_id", utils.Cfg.SSOSettings[service].Id)
+	p.Set("client_secret", utils.Cfg.SSOSettings[service].Secret)
+	p.Set("code", code)
+	p.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE)
+	p.Set("redirect_uri", redirectUri)
+
+	client := &http.Client{}
+	req, _ := http.NewRequest("POST", utils.Cfg.SSOSettings[service].TokenEndpoint, strings.NewReader(p.Encode()))
+
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+
+	var ar *model.AccessResponse
+	if resp, err := client.Do(req); err != nil {
+		return nil, model.NewAppError("AuthorizeOAuthUser", "Token request failed", err.Error())
+	} else {
+		ar = model.AccessResponseFromJson(resp.Body)
+	}
+
+	if ar.TokenType != model.ACCESS_TOKEN_TYPE {
+		return nil, model.NewAppError("AuthorizeOAuthUser", "Bad token type", "token_type="+ar.TokenType)
+	}
+
+	if len(ar.AccessToken) == 0 {
+		return nil, model.NewAppError("AuthorizeOAuthUser", "Missing access token", "")
+	}
+
+	p = url.Values{}
+	p.Set("access_token", ar.AccessToken)
+	req, _ = http.NewRequest("GET", utils.Cfg.SSOSettings[service].UserApiEndpoint, strings.NewReader(""))
+
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Authorization", "Bearer "+ar.AccessToken)
+
+	if resp, err := client.Do(req); err != nil {
+		return nil, model.NewAppError("AuthorizeOAuthUser", "Token request to "+service+" failed", err.Error())
+	} else {
+		return resp.Body, nil
+	}
+
+}
author	=Corey Hulen <corey@hulen.com>	2015-07-23 09:22:17 -0800
committer	=Corey Hulen <corey@hulen.com>	2015-07-23 09:22:17 -0800
commit	8d9449c068902f51a97e7a6605cd226bf4a26f2e (patch)
tree	eade41f7f9138de4f156016af9476486c227abec /api
parent	c277a98b5d88c81df39f8e33ef1286f72ac04014 (diff)
parent	a9d48ff994cd2d03f8e1b2438e50fc6dd0d9bdc2 (diff)
download	chat-8d9449c068902f51a97e7a6605cd226bf4a26f2e.tar.gz chat-8d9449c068902f51a97e7a6605cd226bf4a26f2e.tar.bz2 chat-8d9449c068902f51a97e7a6605cd226bf4a26f2e.zip