MM-10264: Adds CLI command to import and export permissions. (#8787)

* MM-10264: Adds CLI command to import and export permissions.

* MM-10264: Changes Scheme Name to DisplayName and adds Name slug field.

* MM-10264: Changes display name max size.

* MM-10264: Another merge fix.

* MM-10264: Changes for more Schemes methods checking for migration.

* MM-10264: More updates for Schemes migration checking.

4 files changed, 445 insertions, 1 deletions

diff --git a/app/apptestlib.go b/app/apptestlib.go
index b245ddabf..ffd1da055 100644
--- a/app/apptestlib.go
+++ b/app/apptestlib.go
@@ -316,6 +316,40 @@ func (me *TestHelper) AddUserToChannel(user *model.User, channel *model.Channel)
 	return member
 }
 
+func (me *TestHelper) CreateScheme() (*model.Scheme, []*model.Role) {
+	utils.DisableDebugLogForTest()
+
+	scheme, err := me.App.CreateScheme(&model.Scheme{
+		DisplayName: "Test Scheme Display Name",
+		Name:        model.NewId(),
+		Description: "Test scheme description",
+		Scope:       model.SCHEME_SCOPE_TEAM,
+	})
+	if err != nil {
+		panic(err)
+	}
+
+	roleIDs := []string{
+		scheme.DefaultTeamAdminRole,
+		scheme.DefaultTeamUserRole,
+		scheme.DefaultChannelAdminRole,
+		scheme.DefaultChannelUserRole,
+	}
+
+	var roles []*model.Role
+	for _, roleID := range roleIDs {
+		role, err := me.App.GetRole(roleID)
+		if err != nil {
+			panic(err)
+		}
+		roles = append(roles, role)
+	}
+
+	utils.EnableDebugLogForTest()
+
+	return scheme, roles
+}
+
 func (me *TestHelper) TearDown() {
 	me.App.Shutdown()
 	os.Remove(me.tempConfigPath)
diff --git a/app/permissions.go b/app/permissions.go
index 75aa2ecf9..70b8cc689 100644
--- a/app/permissions.go
+++ b/app/permissions.go
@@ -4,9 +4,17 @@
 package app
 
 import (
+	"bufio"
+	"encoding/json"
+	"fmt"
+	"io"
+
 	"github.com/mattermost/mattermost-server/model"
+	"github.com/pkg/errors"
 )
 
+const permissionsExportBatchSize = 100
+
 func (a *App) ResetPermissionsSystem() *model.AppError {
 	// Reset all Teams to not have a scheme.
 	if result := <-a.Srv.Store.Team().ResetAllTeamSchemes(); result.Err != nil {
@@ -38,3 +46,138 @@ func (a *App) ResetPermissionsSystem() *model.AppError {
 
 	return nil
 }
+
+func (a *App) ExportPermissions(w io.Writer) error {
+
+	next := a.SchemesIterator(permissionsExportBatchSize)
+	var schemeBatch []*model.Scheme
+
+	for schemeBatch = next(); len(schemeBatch) > 0; schemeBatch = next() {
+
+		for _, scheme := range schemeBatch {
+
+			roleIDs := []string{
+				scheme.DefaultTeamAdminRole,
+				scheme.DefaultTeamUserRole,
+				scheme.DefaultChannelAdminRole,
+				scheme.DefaultChannelUserRole,
+			}
+
+			roles := []*model.Role{}
+			for _, roleID := range roleIDs {
+				if len(roleID) == 0 {
+					continue
+				}
+				role, err := a.GetRole(roleID)
+				if err != nil {
+					return err
+				}
+				roles = append(roles, role)
+			}
+
+			schemeExport, err := json.Marshal(&model.SchemeConveyor{
+				Name:         scheme.Name,
+				DisplayName:  scheme.DisplayName,
+				Description:  scheme.Description,
+				Scope:        scheme.Scope,
+				TeamAdmin:    scheme.DefaultTeamAdminRole,
+				TeamUser:     scheme.DefaultTeamUserRole,
+				ChannelAdmin: scheme.DefaultChannelAdminRole,
+				ChannelUser:  scheme.DefaultChannelUserRole,
+				Roles:        roles,
+			})
+			if err != nil {
+				return err
+			}
+
+			schemeExport = append(schemeExport, []byte("\n")...)
+
+			_, err = w.Write(schemeExport)
+			if err != nil {
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+func (a *App) ImportPermissions(jsonl io.Reader) error {
+	createdSchemeIDs := []string{}
+
+	scanner := bufio.NewScanner(jsonl)
+
+	for scanner.Scan() {
+		var schemeConveyor *model.SchemeConveyor
+		err := json.Unmarshal(scanner.Bytes(), &schemeConveyor)
+		if err != nil {
+			return err
+		}
+
+		// Create the new Scheme. The new Roles are created automatically.
+		var appErr *model.AppError
+		schemeCreated, appErr := a.CreateScheme(schemeConveyor.Scheme())
+		if appErr != nil {
+			return errors.New(appErr.Message)
+		}
+		createdSchemeIDs = append(createdSchemeIDs, schemeCreated.Id)
+
+		schemeIn := schemeConveyor.Scheme()
+		roleIDTuples := [][]string{
+			{schemeCreated.DefaultTeamAdminRole, schemeIn.DefaultTeamAdminRole},
+			{schemeCreated.DefaultTeamUserRole, schemeIn.DefaultTeamUserRole},
+			{schemeCreated.DefaultChannelAdminRole, schemeIn.DefaultChannelAdminRole},
+			{schemeCreated.DefaultChannelUserRole, schemeIn.DefaultChannelUserRole},
+		}
+		for _, roleIDTuple := range roleIDTuples {
+			if len(roleIDTuple[0]) == 0 || len(roleIDTuple[1]) == 0 {
+				continue
+			}
+
+			err = updateRole(a, schemeConveyor, roleIDTuple[0], roleIDTuple[1])
+			if err != nil {
+				// Delete the new Schemes. The new Roles are deleted automatically.
+				for _, schemeID := range createdSchemeIDs {
+					a.DeleteScheme(schemeID)
+				}
+				return err
+			}
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func updateRole(a *App, sc *model.SchemeConveyor, roleCreatedID, defaultRoleID string) error {
+	var err *model.AppError
+
+	roleCreated, err := a.GetRole(roleCreatedID)
+	if err != nil {
+		return errors.New(err.Message)
+	}
+
+	var roleIn *model.Role
+	for _, role := range sc.Roles {
+		if role.Id == defaultRoleID {
+			roleIn = role
+			break
+		}
+	}
+
+	roleCreated.Name = roleIn.Name
+	roleCreated.DisplayName = roleIn.DisplayName
+	roleCreated.Description = roleIn.Description
+	roleCreated.Permissions = roleIn.Permissions
+
+	_, err = a.UpdateRole(roleCreated)
+	if err != nil {
+		return errors.New(fmt.Sprintf("%v: %v\n", err.Message, err.DetailedError))
+	}
+
+	return nil
+}
diff --git a/app/permissions_test.go b/app/permissions_test.go
new file mode 100644
index 000000000..575e21429
--- /dev/null
+++ b/app/permissions_test.go
@@ -0,0 +1,253 @@
+package app
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/mattermost/mattermost-server/model"
+)
+
+type testWriter struct {
+	write func(p []byte) (int, error)
+}
+
+func (tw testWriter) Write(p []byte) (int, error) {
+	return tw.write(p)
+}
+
+func TestExportPermissions(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	var scheme *model.Scheme
+	var roles []*model.Role
+	withMigrationMarkedComplete(th, func() {
+		scheme, roles = th.CreateScheme()
+	})
+
+	results := [][]byte{}
+
+	tw := testWriter{
+		write: func(p []byte) (int, error) {
+			results = append(results, p)
+			return len(p), nil
+		},
+	}
+
+	err := th.App.ExportPermissions(tw)
+	if err != nil {
+		t.Error(err)
+	}
+
+	if len(results) == 0 {
+		t.Error("Expected export to have returned something.")
+	}
+
+	firstResult := results[0]
+
+	var row map[string]interface{}
+	err = json.Unmarshal(firstResult, &row)
+	if err != nil {
+		t.Error(err)
+	}
+
+	getRoleByID := func(id string) string {
+		for _, role := range roles {
+			if role.Id == id {
+				return role.Id
+			}
+		}
+		return ""
+	}
+
+	expectations := map[string]func(str string) string{
+		scheme.DisplayName:             func(str string) string { return row["display_name"].(string) },
+		scheme.Name:                    func(str string) string { return row["name"].(string) },
+		scheme.Description:             func(str string) string { return row["description"].(string) },
+		scheme.Scope:                   func(str string) string { return row["scope"].(string) },
+		scheme.DefaultTeamAdminRole:    func(str string) string { return getRoleByID(str) },
+		scheme.DefaultTeamUserRole:     func(str string) string { return getRoleByID(str) },
+		scheme.DefaultChannelAdminRole: func(str string) string { return getRoleByID(str) },
+		scheme.DefaultChannelUserRole:  func(str string) string { return getRoleByID(str) },
+	}
+
+	for key, valF := range expectations {
+		expected := key
+		actual := valF(key)
+		if actual != expected {
+			t.Errorf("Expected %v but got %v.", expected, actual)
+		}
+	}
+
+}
+
+func TestImportPermissions(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	name := model.NewId()
+	displayName := model.NewId()
+	description := "my test description"
+	scope := model.SCHEME_SCOPE_CHANNEL
+	roleName1 := model.NewId()
+	roleName2 := model.NewId()
+
+	var results []*model.Scheme
+	var beforeCount int
+	withMigrationMarkedComplete(th, func() {
+
+		var appErr *model.AppError
+		results, appErr = th.App.GetSchemes(scope, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+		beforeCount = len(results)
+
+		json := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2)
+		r := strings.NewReader(json)
+
+		err := th.App.ImportPermissions(r)
+		if err != nil {
+			t.Error(err)
+		}
+		results, appErr = th.App.GetSchemes(scope, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+
+	})
+
+	actual := len(results)
+	expected := beforeCount + 1
+	if actual != expected {
+		t.Errorf("Expected %v roles but got %v.", expected, actual)
+	}
+
+	newScheme := results[0]
+
+	channelAdminRole, appErr := th.App.GetRole(newScheme.DefaultChannelAdminRole)
+	if appErr != nil {
+		t.Error(appErr)
+	}
+
+	channelUserRole, appErr := th.App.GetRole(newScheme.DefaultChannelUserRole)
+	if appErr != nil {
+		t.Error(appErr)
+	}
+
+	expectations := map[string]string{
+		newScheme.DisplayName:          displayName,
+		newScheme.Name:                 name,
+		newScheme.Description:          description,
+		newScheme.Scope:                scope,
+		newScheme.DefaultTeamAdminRole: "",
+		newScheme.DefaultTeamUserRole:  "",
+		channelAdminRole.Name:          roleName1,
+		channelUserRole.Name:           roleName2,
+	}
+
+	for actual, expected := range expectations {
+		if actual != expected {
+			t.Errorf("Expected %v but got %v.", expected, actual)
+		}
+	}
+
+}
+
+func TestImportPermissions_idempotentScheme(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	name := model.NewId()
+	displayName := model.NewId()
+	description := "my test description"
+	scope := model.SCHEME_SCOPE_CHANNEL
+	roleName1 := model.NewId()
+	roleName2 := model.NewId()
+
+	json := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2)
+	jsonl := strings.Repeat(json+"\n", 4)
+	r := strings.NewReader(jsonl)
+
+	var results []*model.Scheme
+	var expected int
+	withMigrationMarkedComplete(th, func() {
+		var appErr *model.AppError
+		results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+		expected = len(results) + 1
+
+		err := th.App.ImportPermissions(r)
+		if err == nil {
+			t.Error(err)
+		}
+
+		results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+	})
+	actual := len(results)
+
+	if expected != actual {
+		t.Errorf("Expected count to be %v but got %v", expected, actual)
+	}
+
+}
+
+func TestImportPermissions_schemeDeletedOnRoleFailure(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+
+	name := model.NewId()
+	displayName := model.NewId()
+	description := "my test description"
+	scope := model.SCHEME_SCOPE_CHANNEL
+	roleName1 := model.NewId()
+	roleName2 := "some invalid role name"
+
+	jsonl := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2)
+	r := strings.NewReader(jsonl)
+
+	var results []*model.Scheme
+	var expected int
+	withMigrationMarkedComplete(th, func() {
+		var appErr *model.AppError
+		results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+		expected = len(results)
+
+		err := th.App.ImportPermissions(r)
+		if err == nil {
+			t.Error(err)
+		}
+
+		results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100)
+		if appErr != nil {
+			panic(appErr)
+		}
+	})
+	actual := len(results)
+
+	if expected != actual {
+		t.Errorf("Expected count to be %v but got %v", expected, actual)
+	}
+
+}
+
+func withMigrationMarkedComplete(th *TestHelper, f func()) {
+	// Mark the migration as done.
+	<-th.App.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2)
+	<-th.App.Srv.Store.System().Save(&model.System{Name: model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2, Value: "true"})
+	// Un-mark the migration at the end of the test.
+	defer func() {
+		<-th.App.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2)
+	}()
+	f()
+}
diff --git a/app/scheme.go b/app/scheme.go
index f1dc256b2..c44690954 100644
--- a/app/scheme.go
+++ b/app/scheme.go
@@ -4,8 +4,10 @@
 package app
 
 import (
-	"github.com/mattermost/mattermost-server/model"
 	"net/http"
+
+	"github.com/mattermost/mattermost-server/model"
+	"github.com/mattermost/mattermost-server/store"
 )
 
 func (a *App) GetScheme(id string) (*model.Scheme, *model.AppError) {
@@ -146,3 +148,15 @@ func (a *App) IsPhase2MigrationCompleted() *model.AppError {
 
 	return nil
 }
+
+func (a *App) SchemesIterator(batchSize int) func() []*model.Scheme {
+	offset := 0
+	return func() []*model.Scheme {
+		var result store.StoreResult
+		if result = <-a.Srv.Store.Scheme().GetAllPage("", offset, batchSize); result.Err != nil {
+			return []*model.Scheme{}
+		}
+		offset += batchSize
+		return result.Data.([]*model.Scheme)
+	}
+}