authorJoram Wilander <jwawilander@gmail.com>2017-07-31 12:59:32 -0400
committerGitHub <noreply@github.com>2017-07-31 12:59:32 -0400
commit59992ae4a4638006ec1489dd834151b258c1728c (patch)
tree8bc5c0fa8f6a4d6a40026c965bd865c1110af838 /store
parented62660e96528920b0ecb8c755265c6c8d2756c4 (diff)
PLT-6763 Implement user access tokens and new roles (server-side) (#6972)
* Implement user access tokens and new roles * Update config.json * Add public post permission to apiv3 * Remove old comment * Fix model unit test * Updates to store per feedback * Updates per feedback from CS
Diffstat (limited to 'store')
-rw-r--r--store/layered_store.go4
-rw-r--r--store/sql_store.go1
-rw-r--r--store/sql_supplier.go47
-rw-r--r--store/sql_user_access_token_store.go262
-rw-r--r--store/sql_user_access_token_store_test.go86
-rw-r--r--store/store.go10
6 files changed, 390 insertions, 20 deletions
diff --git a/store/layered_store.go b/store/layered_store.go
index 3d3f941e8..4eb908659 100644
--- a/store/layered_store.go
+++ b/store/layered_store.go
@@ -139,6 +139,10 @@ func (s *LayeredStore) Job() JobStore {
return s.DatabaseLayer.Job()
}
+func (s *LayeredStore) UserAccessToken() UserAccessTokenStore {
+ return s.DatabaseLayer.UserAccessToken()
+}
+
func (s *LayeredStore) MarkSystemRanUnitTests() {
s.DatabaseLayer.MarkSystemRanUnitTests()
}
diff --git a/store/sql_store.go b/store/sql_store.go
index a039401f3..817f3fb0f 100644
--- a/store/sql_store.go
+++ b/store/sql_store.go
@@ -80,4 +80,5 @@ type SqlStore interface {
FileInfo() FileInfoStore
Reaction() ReactionStore
Job() JobStore
+ UserAccessToken() UserAccessTokenStore
}
diff --git a/store/sql_supplier.go b/store/sql_supplier.go
index df934f2cb..a5f4f71b6 100644
--- a/store/sql_supplier.go
+++ b/store/sql_supplier.go
@@ -58,26 +58,27 @@ const (
)
type SqlSupplierOldStores struct {
- team TeamStore
- channel ChannelStore
- post PostStore
- user UserStore
- audit AuditStore
- cluster ClusterDiscoveryStore
- compliance ComplianceStore
- session SessionStore
- oauth OAuthStore
- system SystemStore
- webhook WebhookStore
- command CommandStore
- preference PreferenceStore
- license LicenseStore
- token TokenStore
- emoji EmojiStore
- status StatusStore
- fileInfo FileInfoStore
- reaction ReactionStore
- job JobStore
+ team TeamStore
+ channel ChannelStore
+ post PostStore
+ user UserStore
+ audit AuditStore
+ cluster ClusterDiscoveryStore
+ compliance ComplianceStore
+ session SessionStore
+ oauth OAuthStore
+ system SystemStore
+ webhook WebhookStore
+ command CommandStore
+ preference PreferenceStore
+ license LicenseStore
+ token TokenStore
+ emoji EmojiStore
+ status StatusStore
+ fileInfo FileInfoStore
+ reaction ReactionStore
+ job JobStore
+ userAccessToken UserAccessTokenStore
}
type SqlSupplier struct {
@@ -117,6 +118,7 @@ func NewSqlSupplier() *SqlSupplier {
supplier.oldStores.status = NewSqlStatusStore(supplier)
supplier.oldStores.fileInfo = NewSqlFileInfoStore(supplier)
supplier.oldStores.job = NewSqlJobStore(supplier)
+ supplier.oldStores.userAccessToken = NewSqlUserAccessTokenStore(supplier)
initSqlSupplierReactions(supplier)
@@ -147,6 +149,7 @@ func NewSqlSupplier() *SqlSupplier {
supplier.oldStores.status.(*SqlStatusStore).CreateIndexesIfNotExists()
supplier.oldStores.fileInfo.(*SqlFileInfoStore).CreateIndexesIfNotExists()
supplier.oldStores.job.(*SqlJobStore).CreateIndexesIfNotExists()
+ supplier.oldStores.userAccessToken.(*SqlUserAccessTokenStore).CreateIndexesIfNotExists()
supplier.oldStores.preference.(*SqlPreferenceStore).DeleteUnusedFeatures()
@@ -760,6 +763,10 @@ func (ss *SqlSupplier) Job() JobStore {
return ss.oldStores.job
}
+func (ss *SqlSupplier) UserAccessToken() UserAccessTokenStore {
+ return ss.oldStores.userAccessToken
+}
+
func (ss *SqlSupplier) DropAllTables() {
ss.master.TruncateTables()
}
diff --git a/store/sql_user_access_token_store.go b/store/sql_user_access_token_store.go
new file mode 100644
index 000000000..c8a67bbe7
--- /dev/null
+++ b/store/sql_user_access_token_store.go
@@ -0,0 +1,262 @@
+// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package store
+
+import (
+ "database/sql"
+ "net/http"
+
+ "github.com/mattermost/gorp"
+ "github.com/mattermost/platform/model"
+ "github.com/mattermost/platform/utils"
+)
+
+type SqlUserAccessTokenStore struct {
+ SqlStore
+}
+
+func NewSqlUserAccessTokenStore(sqlStore SqlStore) UserAccessTokenStore {
+ s := &SqlUserAccessTokenStore{sqlStore}
+
+ for _, db := range sqlStore.GetAllConns() {
+ table := db.AddTableWithName(model.UserAccessToken{}, "UserAccessTokens").SetKeys(false, "Id")
+ table.ColMap("Id").SetMaxSize(26)
+ table.ColMap("Token").SetMaxSize(26).SetUnique(true)
+ table.ColMap("UserId").SetMaxSize(26)
+ table.ColMap("Description").SetMaxSize(512)
+ }
+
+ return s
+}
+
+func (s SqlUserAccessTokenStore) CreateIndexesIfNotExists() {
+ s.CreateIndexIfNotExists("idx_user_access_tokens_token", "UserAccessTokens", "Token")
+ s.CreateIndexIfNotExists("idx_user_access_tokens_user_id", "UserAccessTokens", "UserId")
+}
+
+func (s SqlUserAccessTokenStore) Save(token *model.UserAccessToken) StoreChannel {
+
+ storeChannel := make(StoreChannel, 1)
+
+ go func() {
+ result := StoreResult{}
+
+ token.PreSave()
+
+ if result.Err = token.IsValid(); result.Err != nil {
+ storeChannel <- result
+ close(storeChannel)
+ return
+ }
+
+ if err := s.GetMaster().Insert(token); err != nil {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.Save", "store.sql_user_access_token.save.app_error", nil, "", http.StatusInternalServerError)
+ } else {
+ result.Data = token
+ }
+
+ storeChannel <- result
+ close(storeChannel)
+ }()
+
+ return storeChannel
+}
+
+func (s SqlUserAccessTokenStore) Delete(tokenId string) StoreChannel {
+
+ storeChannel := make(StoreChannel, 1)
+
+ go func() {
+ result := StoreResult{}
+
+ transaction, err := s.GetMaster().Begin()
+ if err != nil {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.Delete", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError)
+ } else {
+ if extrasResult := s.deleteSessionsAndTokensById(transaction, tokenId); extrasResult.Err != nil {
+ result = extrasResult
+ }
+
+ if result.Err == nil {
+ if err := transaction.Commit(); err != nil {
+ // don't need to rollback here since the transaction is already closed
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.Delete", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError)
+ }
+ } else {
+ if err := transaction.Rollback(); err != nil {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.Delete", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError)
+ }
+ }
+ }
+
+ storeChannel <- result
+ close(storeChannel)
+ }()
+
+ return storeChannel
+}
+
+func (s SqlUserAccessTokenStore) deleteSessionsAndTokensById(transaction *gorp.Transaction, tokenId string) StoreResult {
+ result := StoreResult{}
+
+ query := ""
+ if utils.Cfg.SqlSettings.DriverName == model.DATABASE_DRIVER_POSTGRES {
+ query = "DELETE FROM Sessions s USING UserAccessTokens o WHERE o.Token = s.Token AND o.Id = :Id"
+ } else if utils.Cfg.SqlSettings.DriverName == model.DATABASE_DRIVER_MYSQL {
+ query = "DELETE s.* FROM Sessions s INNER JOIN UserAccessTokens o ON o.Token = s.Token WHERE o.Id = :Id"
+ }
+
+ if _, err := transaction.Exec(query, map[string]interface{}{"Id": tokenId}); err != nil {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.deleteSessionsById", "store.sql_user_access_token.delete.app_error", nil, "id="+tokenId+", err="+err.Error(), http.StatusInternalServerError)
+ return result
+ }
+
+ return s.deleteTokensById(transaction, tokenId)
+}
+
+func (s SqlUserAccessTokenStore) deleteTokensById(transaction *gorp.Transaction, tokenId string) StoreResult {
+ result := StoreResult{}
+
+ if _, err := transaction.Exec("DELETE FROM UserAccessTokens WHERE Id = :Id", map[string]interface{}{"Id": tokenId}); err != nil {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.deleteTokensById", "store.sql_user_access_token.delete.app_error", nil, "", http.StatusInternalServerError)
+ }
+
+ return result
+}
+
+func (s SqlUserAccessTokenStore) DeleteAllForUser(userId string) StoreChannel {
+
+ storeChannel := make(StoreChannel, 1)
+
+ go func() {
+ result := StoreResult{}
+
+ transaction, err := s.GetMaster().Begin()
+ if err != nil {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.DeleteAllForUser", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError)
+ } else {
+ if extrasResult := s.deleteSessionsandTokensByUser(transaction, userId); extrasResult.Err != nil {
+ result = extrasResult
+ }
+
+ if result.Err == nil {
+ if err := transaction.Commit(); err != nil {
+ // don't need to rollback here since the transaction is already closed
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.DeleteAllForUser", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError)
+ }
+ } else {
+ if err := transaction.Rollback(); err != nil {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.DeleteAllForUser", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError)
+ }
+ }
+ }
+
+ storeChannel <- result
+ close(storeChannel)
+ }()
+
+ return storeChannel
+}
+
+func (s SqlUserAccessTokenStore) deleteSessionsandTokensByUser(transaction *gorp.Transaction, userId string) StoreResult {
+ result := StoreResult{}
+
+ query := ""
+ if utils.Cfg.SqlSettings.DriverName == model.DATABASE_DRIVER_POSTGRES {
+ query = "DELETE FROM Sessions s USING UserAccessTokens o WHERE o.Token = s.Token AND o.UserId = :UserId"
+ } else if utils.Cfg.SqlSettings.DriverName == model.DATABASE_DRIVER_MYSQL {
+ query = "DELETE s.* FROM Sessions s INNER JOIN UserAccessTokens o ON o.Token = s.Token WHERE o.UserId = :UserId"
+ }
+
+ if _, err := transaction.Exec(query, map[string]interface{}{"UserId": userId}); err != nil {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.deleteSessionsByUser", "store.sql_user_access_token.delete.app_error", nil, "user_id="+userId+", err="+err.Error(), http.StatusInternalServerError)
+ return result
+ }
+
+ return s.deleteTokensByUser(transaction, userId)
+}
+
+func (s SqlUserAccessTokenStore) deleteTokensByUser(transaction *gorp.Transaction, userId string) StoreResult {
+ result := StoreResult{}
+
+ if _, err := transaction.Exec("DELETE FROM UserAccessTokens WHERE UserId = :UserId", map[string]interface{}{"UserId": userId}); err != nil {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.deleteTokensByUser", "store.sql_user_access_token.delete.app_error", nil, "", http.StatusInternalServerError)
+ }
+
+ return result
+}
+
+func (s SqlUserAccessTokenStore) Get(tokenId string) StoreChannel {
+
+ storeChannel := make(StoreChannel, 1)
+
+ go func() {
+ result := StoreResult{}
+
+ token := model.UserAccessToken{}
+
+ if err := s.GetReplica().SelectOne(&token, "SELECT * FROM UserAccessTokens WHERE Id = :Id", map[string]interface{}{"Id": tokenId}); err != nil {
+ if err == sql.ErrNoRows {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.Get", "store.sql_user_access_token.get.app_error", nil, err.Error(), http.StatusNotFound)
+ } else {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.Get", "store.sql_user_access_token.get.app_error", nil, err.Error(), http.StatusInternalServerError)
+ }
+ }
+
+ result.Data = &token
+
+ storeChannel <- result
+ close(storeChannel)
+ }()
+
+ return storeChannel
+}
+
+func (s SqlUserAccessTokenStore) GetByToken(tokenString string) StoreChannel {
+
+ storeChannel := make(StoreChannel, 1)
+
+ go func() {
+ result := StoreResult{}
+
+ token := model.UserAccessToken{}
+
+ if err := s.GetReplica().SelectOne(&token, "SELECT * FROM UserAccessTokens WHERE Token = :Token", map[string]interface{}{"Token": tokenString}); err != nil {
+ if err == sql.ErrNoRows {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.GetByToken", "store.sql_user_access_token.get_by_token.app_error", nil, err.Error(), http.StatusNotFound)
+ } else {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.GetByToken", "store.sql_user_access_token.get_by_token.app_error", nil, err.Error(), http.StatusInternalServerError)
+ }
+ }
+
+ result.Data = &token
+
+ storeChannel <- result
+ close(storeChannel)
+ }()
+
+ return storeChannel
+}
+
+func (s SqlUserAccessTokenStore) GetByUser(userId string, offset, limit int) StoreChannel {
+
+ storeChannel := make(StoreChannel, 1)
+
+ go func() {
+ result := StoreResult{}
+
+ tokens := []*model.UserAccessToken{}
+
+ if _, err := s.GetReplica().Select(&tokens, "SELECT * FROM UserAccessTokens WHERE UserId = :UserId LIMIT :Limit OFFSET :Offset", map[string]interface{}{"UserId": userId, "Offset": offset, "Limit": limit}); err != nil {
+ result.Err = model.NewAppError("SqlUserAccessTokenStore.GetByUser", "store.sql_user_access_token.get_by_user.app_error", nil, err.Error(), http.StatusInternalServerError)
+ }
+
+ result.Data = tokens
+
+ storeChannel <- result
+ close(storeChannel)
+ }()
+
+ return storeChannel
+}
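Review bot: In deleteSessionsAndTokensById and deleteSessionsandTokensByUser the `query` string stays empty when the configured driver is neither Postgres nor MySQL, and that empty statement is handed straight to `transaction.Exec`; the driver presumably rejects it, so the whole delete rolls back with an opaque error and the token stays usable, but the cause is not visible to whoever has to diagnose a revocation that "did nothing". A guard before the Exec, `if query == "" { result.Err = model.NewAppError("SqlUserAccessTokenStore.deleteSessionsById", "store.sql_user_access_token.delete.app_error", nil, "unsupported driver "+utils.Cfg.SqlSettings.DriverName, http.StatusInternalServerError); return result }`, names the real problem; the same applies to the ByUser helper, whose name should also be `deleteSessionsAndTokensByUser` to match its sibling. Get and GetByToken assign `result.Data = &token` even after setting `result.Err`, so callers receive a zero-value token alongside an error; moving the assignment into the success path keeps the result consistent with Save. Since the table holds the bearer value itself and lookups compare on the `Token` column, anyone able to read the table can reuse every token; persisting a hash and looking up by hash would limit that exposure, though the Sessions join on `Token` means it is a wider change than this file.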
diff --git a/store/sql_user_access_token_store_test.go b/store/sql_user_access_token_store_test.go
new file mode 100644
index 000000000..db4424991
--- /dev/null
+++ b/store/sql_user_access_token_store_test.go
@@ -0,0 +1,86 @@
+// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package store
+
+import (
+ "testing"
+
+ "github.com/mattermost/platform/model"
+)
+
+func TestUserAccessTokenSaveGetDelete(t *testing.T) {
+ Setup()
+
+ uat := &model.UserAccessToken{
+ Token: model.NewId(),
+ UserId: model.NewId(),
+ Description: "testtoken",
+ }
+
+ s1 := model.Session{}
+ s1.UserId = uat.UserId
+ s1.Token = uat.Token
+
+ Must(store.Session().Save(&s1))
+
+ if result := <-store.UserAccessToken().Save(uat); result.Err != nil {
+ t.Fatal(result.Err)
+ }
+
+ if result := <-store.UserAccessToken().Get(uat.Id); result.Err != nil {
+ t.Fatal(result.Err)
+ } else if received := result.Data.(*model.UserAccessToken); received.Token != uat.Token {
+ t.Fatal("received incorrect token after save")
+ }
+
+ if result := <-store.UserAccessToken().GetByToken(uat.Token); result.Err != nil {
+ t.Fatal(result.Err)
+ } else if received := result.Data.(*model.UserAccessToken); received.Token != uat.Token {
+ t.Fatal("received incorrect token after save")
+ }
+
+ if result := <-store.UserAccessToken().GetByToken("notarealtoken"); result.Err == nil {
+ t.Fatal("should have failed on bad token")
+ }
+
+ if result := <-store.UserAccessToken().GetByUser(uat.UserId, 0, 100); result.Err != nil {
+ t.Fatal(result.Err)
+ } else if received := result.Data.([]*model.UserAccessToken); len(received) != 1 {
+ t.Fatal("received incorrect number of tokens after save")
+ }
+
+ if result := <-store.UserAccessToken().Delete(uat.Id); result.Err != nil {
+ t.Fatal(result.Err)
+ }
+
+ if err := (<-store.Session().Get(s1.Token)).Err; err == nil {
+ t.Fatal("should error - session should be deleted")
+ }
+
+ if err := (<-store.UserAccessToken().GetByToken(s1.Token)).Err; err == nil {
+ t.Fatal("should error - access token should be deleted")
+ }
+
+ s2 := model.Session{}
+ s2.UserId = uat.UserId
+ s2.Token = uat.Token
+
+ Must(store.Session().Save(&s2))
+
+ if result := <-store.UserAccessToken().Save(uat); result.Err != nil {
+ t.Fatal(result.Err)
+ }
+
+ if result := <-store.UserAccessToken().DeleteAllForUser(uat.UserId); result.Err != nil {
+ t.Fatal(result.Err)
+ }
+
+ if err := (<-store.Session().Get(s2.Token)).Err; err == nil {
+ t.Fatal("should error - session should be deleted")
+ }
+
+ if err := (<-store.UserAccessToken().GetByToken(s2.Token)).Err; err == nil {
+ t.Fatal("should error - access token should be deleted")
+ }
+}
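Review bot: The post-deletion checks at the `should error - session should be deleted` and `should error - access token should be deleted` lines accept any non-nil error, so a database or connection failure would also satisfy them and the test would pass without proving the session and token were actually removed. Since Get and GetByToken attach `http.StatusNotFound` to the not-found case, the assertion should pin that code, for example `if err := (<-store.Session().Get(s1.Token)).Err; err == nil || err.StatusCode != http.StatusNotFound {` (assuming the AppError field is named StatusCode, as the constructor argument suggests), with the same change on the other three checks. The GetByUser call passes `0, 100` so it never distinguishes page-based from offset-based semantics; a second token and a call with a non-zero first argument would pin which one the store implements.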
diff --git a/store/store.go b/store/store.go
index 6d84a0919..d883ea5a2 100644
--- a/store/store.go
+++ b/store/store.go
@@ -49,6 +49,7 @@ type Store interface {
FileInfo() FileInfoStore
Reaction() ReactionStore
Job() JobStore
+ UserAccessToken() UserAccessTokenStore
MarkSystemRanUnitTests()
Close()
DropAllTables()
@@ -398,3 +399,12 @@ type JobStore interface {
GetAllByStatus(status string) StoreChannel
Delete(id string) StoreChannel
}
+
+type UserAccessTokenStore interface {
+ Save(token *model.UserAccessToken) StoreChannel
+ Delete(tokenId string) StoreChannel
+ DeleteAllForUser(userId string) StoreChannel
+ Get(tokenId string) StoreChannel
+ GetByToken(tokenString string) StoreChannel
+ GetByUser(userId string, page, perPage int) StoreChannel
+}
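Review bot: The new UserAccessTokenStore interface declares `GetByUser(userId string, page, perPage int)`, but the SqlUserAccessTokenStore implementation in this commit binds the same two arguments directly as `OFFSET` and `LIMIT`, so a caller who reads the interface and passes page 1 expecting the second page of results will instead skip a single row. Either rename the interface parameters to match the query, `GetByUser(userId string, offset, limit int) StoreChannel`, or have the implementation compute the offset as `page * perPage` before binding it; the two declarations should agree before other callers depend on one reading.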