Implement SAML endpoints for APIv4 (#5671)

* Implement SAML endpoints for APIv4

* Fix unit test

* Only disable encryption when removing puplic/private certs

3 files changed, 168 insertions, 5 deletions

diff --git a/model/client4.go b/model/client4.go
index 71d37341d..808ce74e3 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -150,6 +150,10 @@ func (c *Client4) GetPreferencesRoute(userId string) string {
 	return fmt.Sprintf(c.GetUserRoute(userId) + "/preferences")
 }
 
+func (c *Client4) GetSamlRoute() string {
+	return fmt.Sprintf("/saml")
+}
+
 func (c *Client4) DoApiGet(url string, etag string) (*http.Response, *AppError) {
 	return c.DoApiRequest(http.MethodGet, url, "", etag)
 }
@@ -994,7 +998,7 @@ func (c *Client4) DeleteIncomingWebhook(hookID string) (bool, *Response) {
 
 // Preferences Section
 
-// GetPreferences returns the user's preferences
+// GetPreferences returns the user's preferences.
 func (c *Client4) GetPreferences(userId string) (Preferences, *Response) {
 	if r, err := c.DoApiGet(c.GetPreferencesRoute(userId), ""); err != nil {
 		return nil, &Response{StatusCode: r.StatusCode, Error: err}
@@ -1005,7 +1009,7 @@ func (c *Client4) GetPreferences(userId string) (Preferences, *Response) {
 	}
 }
 
-// UpdatePreferences saves the user's preferences
+// UpdatePreferences saves the user's preferences.
 func (c *Client4) UpdatePreferences(userId string, preferences *Preferences) (bool, *Response) {
 	if r, err := c.DoApiPut(c.GetPreferencesRoute(userId), preferences.ToJson()); err != nil {
 		return false, &Response{StatusCode: r.StatusCode, Error: err}
@@ -1015,7 +1019,7 @@ func (c *Client4) UpdatePreferences(userId string, preferences *Preferences) (bo
 	}
 }
 
-// DeletePreferences deletes the user's preferences
+// DeletePreferences deletes the user's preferences.
 func (c *Client4) DeletePreferences(userId string, preferences *Preferences) (bool, *Response) {
 	if r, err := c.DoApiPost(c.GetPreferencesRoute(userId)+"/delete", preferences.ToJson()); err != nil {
 		return false, &Response{StatusCode: r.StatusCode, Error: err}
@@ -1025,7 +1029,7 @@ func (c *Client4) DeletePreferences(userId string, preferences *Preferences) (bo
 	}
 }
 
-// GetPreferencesByCategory returns the user's preferences from the provided category string
+// GetPreferencesByCategory returns the user's preferences from the provided category string.
 func (c *Client4) GetPreferencesByCategory(userId string, category string) (Preferences, *Response) {
 	url := fmt.Sprintf(c.GetPreferencesRoute(userId)+"/%s", category)
 	if r, err := c.DoApiGet(url, ""); err != nil {
@@ -1037,7 +1041,7 @@ func (c *Client4) GetPreferencesByCategory(userId string, category string) (Pref
 	}
 }
 
-// GetPreferenceByCategoryAndName returns the user's preferences from the provided category and preference name string
+// GetPreferenceByCategoryAndName returns the user's preferences from the provided category and preference name string.
 func (c *Client4) GetPreferenceByCategoryAndName(userId string, category string, preferenceName string) (*Preference, *Response) {
 	url := fmt.Sprintf(c.GetPreferencesRoute(userId)+"/%s/name/%v", category, preferenceName)
 	if r, err := c.DoApiGet(url, ""); err != nil {
@@ -1047,3 +1051,107 @@ func (c *Client4) GetPreferenceByCategoryAndName(userId string, category string,
 		return PreferenceFromJson(r.Body), BuildResponse(r)
 	}
 }
+
+// SAML Section
+
+// GetSamlMetadata returns metadata for the SAML configuration.
+func (c *Client4) GetSamlMetadata() (string, *Response) {
+	if r, err := c.DoApiGet(c.GetSamlRoute()+"/metadata", ""); err != nil {
+		return "", &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		buf := new(bytes.Buffer)
+		buf.ReadFrom(r.Body)
+		return buf.String(), BuildResponse(r)
+	}
+}
+
+func samlFileToMultipart(data []byte, filename string) ([]byte, *multipart.Writer, error) {
+	body := &bytes.Buffer{}
+	writer := multipart.NewWriter(body)
+
+	if part, err := writer.CreateFormFile("certificate", filename); err != nil {
+		return nil, nil, err
+	} else if _, err = io.Copy(part, bytes.NewBuffer(data)); err != nil {
+		return nil, nil, err
+	}
+
+	if err := writer.Close(); err != nil {
+		return nil, nil, err
+	}
+
+	return body.Bytes(), writer, nil
+}
+
+// UploadSamlIdpCertificate will upload an IDP certificate for SAML and set the config to use it.
+func (c *Client4) UploadSamlIdpCertificate(data []byte, filename string) (bool, *Response) {
+	body, writer, err := samlFileToMultipart(data, filename)
+	if err != nil {
+		return false, &Response{Error: NewAppError("UploadSamlIdpCertificate", "model.client.upload_saml_cert.app_error", nil, err.Error(), http.StatusBadRequest)}
+	}
+
+	_, resp := c.DoUploadFile(c.GetSamlRoute()+"/certificate/idp", body, writer.FormDataContentType())
+	return resp.Error == nil, resp
+}
+
+// UploadSamlPublicCertificate will upload a public certificate for SAML and set the config to use it.
+func (c *Client4) UploadSamlPublicCertificate(data []byte, filename string) (bool, *Response) {
+	body, writer, err := samlFileToMultipart(data, filename)
+	if err != nil {
+		return false, &Response{Error: NewAppError("UploadSamlPublicCertificate", "model.client.upload_saml_cert.app_error", nil, err.Error(), http.StatusBadRequest)}
+	}
+
+	_, resp := c.DoUploadFile(c.GetSamlRoute()+"/certificate/public", body, writer.FormDataContentType())
+	return resp.Error == nil, resp
+}
+
+// UploadSamlPrivateCertificate will upload a private key for SAML and set the config to use it.
+func (c *Client4) UploadSamlPrivateCertificate(data []byte, filename string) (bool, *Response) {
+	body, writer, err := samlFileToMultipart(data, filename)
+	if err != nil {
+		return false, &Response{Error: NewAppError("UploadSamlPrivateCertificate", "model.client.upload_saml_cert.app_error", nil, err.Error(), http.StatusBadRequest)}
+	}
+
+	_, resp := c.DoUploadFile(c.GetSamlRoute()+"/certificate/private", body, writer.FormDataContentType())
+	return resp.Error == nil, resp
+}
+
+// DeleteSamlIdpCertificate deletes the SAML IDP certificate from the server and updates the config to not use it and disable SAML.
+func (c *Client4) DeleteSamlIdpCertificate() (bool, *Response) {
+	if r, err := c.DoApiDelete(c.GetSamlRoute() + "/certificate/idp"); err != nil {
+		return false, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
+
+// DeleteSamlPublicCertificate deletes the SAML IDP certificate from the server and updates the config to not use it and disable SAML.
+func (c *Client4) DeleteSamlPublicCertificate() (bool, *Response) {
+	if r, err := c.DoApiDelete(c.GetSamlRoute() + "/certificate/public"); err != nil {
+		return false, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
+
+// DeleteSamlPrivateCertificate deletes the SAML IDP certificate from the server and updates the config to not use it and disable SAML.
+func (c *Client4) DeleteSamlPrivateCertificate() (bool, *Response) {
+	if r, err := c.DoApiDelete(c.GetSamlRoute() + "/certificate/private"); err != nil {
+		return false, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return CheckStatusOK(r), BuildResponse(r)
+	}
+}
+
+// GetSamlCertificateStatus returns metadata for the SAML configuration.
+func (c *Client4) GetSamlCertificateStatus() (*SamlCertificateStatus, *Response) {
+	if r, err := c.DoApiGet(c.GetSamlRoute()+"/certificate/status", ""); err != nil {
+		return nil, &Response{StatusCode: r.StatusCode, Error: err}
+	} else {
+		defer closeBody(r)
+		return SamlCertificateStatusFromJson(r.Body), BuildResponse(r)
+	}
+}
diff --git a/model/saml.go b/model/saml.go
index 16d3845da..1371c433f 100644
--- a/model/saml.go
+++ b/model/saml.go
@@ -3,6 +3,11 @@
 
 package model
 
+import (
+	"encoding/json"
+	"io"
+)
+
 const (
 	USER_AUTH_SERVICE_SAML      = "saml"
 	USER_AUTH_SERVICE_SAML_TEXT = "With SAML"
@@ -16,3 +21,29 @@ type SamlAuthRequest struct {
 	URL               string
 	RelayState        string
 }
+
+type SamlCertificateStatus struct {
+	IdpCertificateFile    bool `json:"idp_certificate_file"`
+	PrivateKeyFile        bool `json:"private_key_file"`
+	PublicCertificateFile bool `json:"public_certificate_file"`
+}
+
+func (s *SamlCertificateStatus) ToJson() string {
+	b, err := json.Marshal(s)
+	if err != nil {
+		return ""
+	} else {
+		return string(b)
+	}
+}
+
+func SamlCertificateStatusFromJson(data io.Reader) *SamlCertificateStatus {
+	decoder := json.NewDecoder(data)
+	var status SamlCertificateStatus
+	err := decoder.Decode(&status)
+	if err == nil {
+		return &status
+	} else {
+		return nil
+	}
+}
diff --git a/model/saml_test.go b/model/saml_test.go
new file mode 100644
index 000000000..578e78da5
--- /dev/null
+++ b/model/saml_test.go
@@ -0,0 +1,24 @@
+// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package model
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestSamlCertificateStatusJson(t *testing.T) {
+	status := &SamlCertificateStatus{IdpCertificateFile: true, PrivateKeyFile: true, PublicCertificateFile: true}
+	json := status.ToJson()
+	rstatus := SamlCertificateStatusFromJson(strings.NewReader(json))
+
+	if status.IdpCertificateFile != rstatus.IdpCertificateFile {
+		t.Fatal("IdpCertificateFile do not match")
+	}
+
+	rstatus = SamlCertificateStatusFromJson(strings.NewReader("junk"))
+	if rstatus != nil {
+		t.Fatal("should be nil")
+	}
+}