-rw-r--r--app/plugin.go16
-rw-r--r--app/plugin_test.go65
2 files changed, 76 insertions, 5 deletions
diff --git a/app/plugin.go b/app/plugin.go
index 6421e19a6..29031b9d7 100644
--- a/app/plugin.go
+++ b/app/plugin.go
@@ -414,12 +414,16 @@ func (a *App) ServePluginRequest(w http.ResponseWriter, r *http.Request) {
return
}
+ a.servePluginRequest(w, r, a.PluginEnv.Hooks().ServeHTTP)
+}
+
+func (a *App) servePluginRequest(w http.ResponseWriter, r *http.Request, handler http.HandlerFunc) {
token := ""
authHeader := r.Header.Get(model.HEADER_AUTH)
- if strings.HasPrefix(strings.ToUpper(authHeader), model.HEADER_BEARER+":") {
+ if strings.HasPrefix(strings.ToUpper(authHeader), model.HEADER_BEARER+" ") {
token = authHeader[len(model.HEADER_BEARER)+1:]
- } else if strings.HasPrefix(strings.ToLower(authHeader), model.HEADER_TOKEN+":") {
+ } else if strings.HasPrefix(strings.ToLower(authHeader), model.HEADER_TOKEN+" ") {
token = authHeader[len(model.HEADER_TOKEN)+1:]
} else if cookie, _ := r.Cookie(model.SESSION_COOKIE_TOKEN); cookie != nil && (r.Method == "GET" || r.Header.Get(model.HEADER_REQUESTED_WITH) == model.HEADER_REQUESTED_WITH_XML) {
token = cookie.Value
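Review bot: The new `servePluginRequest` has no doc comment, although it now decides which identity a plugin handler sees and can be called with any `http.HandlerFunc`. The second test in this commit reaches the handler through it with `PluginSettings.Enable` set to false, so the enabled check appears to live only in the exported wrapper. I would add a comment on the function stating that it resolves the token from the Authorization header, session cookie or `access_token` query parameter, strips those credentials before forwarding, sets `Mattermost-User-Id` only for a valid session, and that callers are responsible for the plugins-enabled check. The function body continues past the end of this hunk.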
@@ -429,7 +433,7 @@ func (a *App) ServePluginRequest(w http.ResponseWriter, r *http.Request) {
r.Header.Del("Mattermost-User-Id")
if token != "" {
- if session, err := a.GetSession(token); err != nil {
+ if session, err := a.GetSession(token); session != nil && err == nil {
r.Header.Set("Mattermost-User-Id", session.UserId)
}
}
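Review bot: When `a.GetSession(token)` fails, the request is still forwarded as anonymous and `err` is discarded, so a client that presented a rejected token cannot be told apart from one that presented none, either by the plugin or in the server logs. If that fall-through is intentional, it deserves a comment next to the condition, for example `// An invalid token is treated as anonymous: the plugin receives no Mattermost-User-Id.` Logging the lookup failure at debug level, without the token value, would also give operators a way to spot repeated invalid-token attempts against plugin routes. The enclosing function starts and ends outside this hunk.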
@@ -444,12 +448,14 @@ func (a *App) ServePluginRequest(w http.ResponseWriter, r *http.Request) {
r.Header.Del(model.HEADER_AUTH)
r.Header.Del("Referer")
+ params := mux.Vars(r)
+
newQuery := r.URL.Query()
newQuery.Del("access_token")
r.URL.RawQuery = newQuery.Encode()
+ r.URL.Path = strings.TrimPrefix(r.URL.Path, "/plugins/"+params["plugin_id"])
- params := mux.Vars(r)
- a.PluginEnv.Hooks().ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), "plugin_id", params["plugin_id"])))
+ handler(w, r.WithContext(context.WithValue(r.Context(), "plugin_id", params["plugin_id"])))
}
func (a *App) ShutDownPlugins() {
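Review bot: `strings.TrimPrefix(r.URL.Path, "/plugins/"+params["plugin_id"])` does nothing, silently, when the path does not start with exactly that prefix, for example if the route is ever mounted under a subpath. The plugin would then get the full server path while assuming it is plugin-relative, which matters if it routes or authorizes on `r.URL.Path`. `r.URL.RawPath` is also left as it was, so any code reading it directly still sees the untrimmed, prefixed form. I would guard the rewrite with `strings.HasPrefix` and fail the request when the prefix is missing, and reset the raw form with `r.URL.RawPath = ""` after trimming. The function body begins outside this hunk.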
diff --git a/app/plugin_test.go b/app/plugin_test.go
index a9d872401..5c70cbc4f 100644
--- a/app/plugin_test.go
+++ b/app/plugin_test.go
@@ -4,9 +4,15 @@
package app
import (
+ "net/http"
+ "net/http/httptest"
"testing"
+ "github.com/gorilla/mux"
"github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/mattermost/mattermost-server/model"
)
func TestPluginKeyValueStore(t *testing.T) {
@@ -33,3 +39,62 @@ func TestPluginKeyValueStore(t *testing.T) {
assert.Nil(t, th.App.DeletePluginKey(pluginId, "postkey"))
assert.Nil(t, th.App.DeletePluginKey(pluginId, "notrealkey"))
}
+
+func TestServePluginRequest(t *testing.T) {
+ th := Setup().InitBasic()
+ defer th.TearDown()
+
+ th.App.UpdateConfig(func(cfg *model.Config) { *cfg.PluginSettings.Enable = false })
+
+ w := httptest.NewRecorder()
+ r := httptest.NewRequest("GET", "/plugins/foo/bar", nil)
+ th.App.ServePluginRequest(w, r)
+ assert.Equal(t, http.StatusNotImplemented, w.Result().StatusCode)
+}
+
+func TestHandlePluginRequest(t *testing.T) {
+ th := Setup().InitBasic()
+ defer th.TearDown()
+
+ th.App.UpdateConfig(func(cfg *model.Config) {
+ *cfg.PluginSettings.Enable = false
+ *cfg.ServiceSettings.EnableUserAccessTokens = true
+ })
+
+ token, err := th.App.CreateUserAccessToken(&model.UserAccessToken{
+ UserId: th.BasicUser.Id,
+ })
+ require.Nil(t, err)
+
+ var assertions func(*http.Request)
+ router := mux.NewRouter()
+ router.HandleFunc("/plugins/{plugin_id:[A-Za-z0-9\\_\\-\\.]+}/{anything:.*}", func(_ http.ResponseWriter, r *http.Request) {
+ th.App.servePluginRequest(nil, r, func(_ http.ResponseWriter, r *http.Request) {
+ assertions(r)
+ })
+ })
+
+ r := httptest.NewRequest("GET", "/plugins/foo/bar", nil)
+ r.Header.Add("Authorization", "Bearer "+token.Token)
+ assertions = func(r *http.Request) {
+ assert.Equal(t, "/bar", r.URL.Path)
+ assert.Equal(t, th.BasicUser.Id, r.Header.Get("Mattermost-User-Id"))
+ }
+ router.ServeHTTP(nil, r)
+
+ r = httptest.NewRequest("GET", "/plugins/foo/bar?a=b&access_token="+token.Token+"&c=d", nil)
+ assertions = func(r *http.Request) {
+ assert.Equal(t, "/bar", r.URL.Path)
+ assert.Equal(t, "a=b&c=d", r.URL.RawQuery)
+ assert.Equal(t, th.BasicUser.Id, r.Header.Get("Mattermost-User-Id"))
+ }
+ router.ServeHTTP(nil, r)
+
+ r = httptest.NewRequest("GET", "/plugins/foo/bar?a=b&access_token=asdf&c=d", nil)
+ assertions = func(r *http.Request) {
+ assert.Equal(t, "/bar", r.URL.Path)
+ assert.Equal(t, "a=b&c=d", r.URL.RawQuery)
+ assert.Empty(t, r.Header.Get("Mattermost-User-Id"))
+ }
+ router.ServeHTTP(nil, r)
+}
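Review bot: `TestHandlePluginRequest` never sends a request that already carries a `Mattermost-User-Id` header, so the `r.Header.Del("Mattermost-User-Id")` step that stops a client asserting its own identity to a plugin is untested. The third case only shows that an invalid `access_token` leaves the header empty on a request that never had it. The `assertions` closure also runs only if the router matches, so a route pattern mismatch would let every case pass without checking anything; a `called` flag asserted after each `router.ServeHTTP` closes that gap. A case along the lines below would cover both points.

```go
// Constructed case: an identity header sent by the client, with no credentials, must not reach the plugin.
called := false
r = httptest.NewRequest("GET", "/plugins/foo/bar", nil)
r.Header.Set("Mattermost-User-Id", th.BasicUser.Id)
assertions = func(r *http.Request) {
	called = true
	assert.Equal(t, "/bar", r.URL.Path)
	assert.Empty(t, r.Header.Get("Mattermost-User-Id"))
}
router.ServeHTTP(nil, r)
assert.True(t, called, "plugin handler was never reached")
```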