diff options
50 files changed, 2297 insertions, 1121 deletions
diff --git a/api/context.go b/api/context.go index 6976feb8f..9a2f9b9ea 100644 --- a/api/context.go +++ b/api/context.go @@ -68,6 +68,10 @@ func UserRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Han return &handler{h, true, false, false, false, false, false} } +func AppHandlerTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler { + return &handler{h, false, false, false, false, false, true} +} + func ApiAdminSystemRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler { return &handler{h, true, true, true, false, false, false} } @@ -102,7 +106,6 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { c.RequestId = model.NewId() c.IpAddress = GetIpAddress(r) c.TeamId = mux.Vars(r)["team_id"] - h.isApi = IsApiCall(r) token := "" isTokenFromQueryString := false @@ -147,10 +150,10 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId) w.Header().Set(model.HEADER_VERSION_ID, fmt.Sprintf("%v.%v", model.CurrentVersion, utils.CfgLastModified)) - // Instruct the browser not to display us in an iframe for anti-clickjacking + // Instruct the browser not to display us in an iframe unless is the same origin for anti-clickjacking if !h.isApi { - w.Header().Set("X-Frame-Options", "DENY") - w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'") + w.Header().Set("X-Frame-Options", "SAMEORIGIN") + w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'") } else { // All api response bodies will be JSON formatted by default w.Header().Set("Content-Type", "application/json") diff --git a/api/oauth.go b/api/oauth.go index d41f526b4..e2ea001a0 100644 --- a/api/oauth.go +++ b/api/oauth.go @@ -18,6 +18,7 @@ import ( "github.com/gorilla/mux" "github.com/mattermost/platform/einterfaces" "github.com/mattermost/platform/model" + "github.com/mattermost/platform/store" "github.com/mattermost/platform/utils" ) @@ -25,14 +26,17 @@ func InitOAuth() { l4g.Debug(utils.T("api.oauth.init.debug")) BaseRoutes.OAuth.Handle("/register", ApiUserRequired(registerOAuthApp)).Methods("POST") + BaseRoutes.OAuth.Handle("/list", ApiUserRequired(getOAuthApps)).Methods("GET") + BaseRoutes.OAuth.Handle("/app/{client_id}", ApiUserRequired(getOAuthAppInfo)).Methods("GET") BaseRoutes.OAuth.Handle("/allow", ApiUserRequired(allowOAuth)).Methods("GET") + BaseRoutes.OAuth.Handle("/delete", ApiUserRequired(deleteOAuthApp)).Methods("POST") BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/complete", AppHandlerIndependent(completeOAuth)).Methods("GET") BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/login", AppHandlerIndependent(loginWithOAuth)).Methods("GET") BaseRoutes.OAuth.Handle("/{service:[A-Za-z0-9]+}/signup", AppHandlerIndependent(signupWithOAuth)).Methods("GET") BaseRoutes.OAuth.Handle("/authorize", ApiUserRequired(authorizeOAuth)).Methods("GET") BaseRoutes.OAuth.Handle("/access_token", ApiAppHandler(getAccessToken)).Methods("POST") - BaseRoutes.Root.Handle("/authorize", ApiUserRequired(authorizeOAuth)).Methods("GET") + BaseRoutes.Root.Handle("/authorize", AppHandlerTrustRequester(authorizeOAuth)).Methods("GET") BaseRoutes.Root.Handle("/access_token", ApiAppHandler(getAccessToken)).Methods("POST") // Handle all the old routes, to be later removed @@ -48,6 +52,14 @@ func registerOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { return } + if *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations { + if !c.IsSystemAdmin() { + c.Err = model.NewLocAppError("registerOAuthApp", "api.command.admin_only.app_error", nil, "") + c.Err.StatusCode = http.StatusForbidden + return + } + } + app := model.OAuthAppFromJson(r.Body) if app == nil { @@ -65,7 +77,6 @@ func registerOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { return } else { app = result.Data.(*model.OAuthApp) - app.ClientSecret = secret c.LogAudit("client_id=" + app.Id) @@ -75,6 +86,62 @@ func registerOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { } +func getOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) { + if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { + c.Err = model.NewLocAppError("getOAuthAppsByUser", "api.oauth.allow_oauth.turn_off.app_error", nil, "") + c.Err.StatusCode = http.StatusNotImplemented + return + } + + isSystemAdmin := c.IsSystemAdmin() + + if *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations { + if !isSystemAdmin { + c.Err = model.NewLocAppError("getOAuthAppsByUser", "api.command.admin_only.app_error", nil, "") + c.Err.StatusCode = http.StatusForbidden + return + } + } + + var ochan store.StoreChannel + if isSystemAdmin { + ochan = Srv.Store.OAuth().GetApps() + } else { + ochan = Srv.Store.OAuth().GetAppByUser(c.Session.UserId) + } + + if result := <-ochan; result.Err != nil { + c.Err = result.Err + return + } else { + apps := result.Data.([]*model.OAuthApp) + w.Write([]byte(model.OAuthAppListToJson(apps))) + } +} + +func getOAuthAppInfo(c *Context, w http.ResponseWriter, r *http.Request) { + if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { + c.Err = model.NewLocAppError("getOAuthAppInfo", "api.oauth.allow_oauth.turn_off.app_error", nil, "") + c.Err.StatusCode = http.StatusNotImplemented + return + } + + params := mux.Vars(r) + + clientId := params["client_id"] + + var app *model.OAuthApp + if result := <-Srv.Store.OAuth().GetApp(clientId); result.Err != nil { + c.Err = model.NewLocAppError("getOAuthAppInfo", "api.oauth.allow_oauth.database.app_error", nil, "") + return + } else { + app = result.Data.(*model.OAuthApp) + } + + app.Sanitize() + w.Write([]byte(app.ToJson())) +} + func allowOAuth(c *Context, w http.ResponseWriter, r *http.Request) { if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { c.Err = model.NewLocAppError("allowOAuth", "api.oauth.allow_oauth.turn_off.app_error", nil, "") @@ -108,6 +175,10 @@ func allowOAuth(c *Context, w http.ResponseWriter, r *http.Request) { scope := r.URL.Query().Get("scope") state := r.URL.Query().Get("state") + if len(scope) == 0 { + scope = model.DEFAULT_SCOPE + } + var app *model.OAuthApp if result := <-Srv.Store.OAuth().GetApp(clientId); result.Err != nil { c.Err = model.NewLocAppError("allowOAuth", "api.oauth.allow_oauth.database.app_error", nil, "") @@ -131,6 +202,20 @@ func allowOAuth(c *Context, w http.ResponseWriter, r *http.Request) { authData := &model.AuthData{UserId: c.Session.UserId, ClientId: clientId, CreateAt: model.GetMillis(), RedirectUri: redirectUri, State: state, Scope: scope} authData.Code = model.HashPassword(fmt.Sprintf("%v:%v:%v:%v", clientId, redirectUri, authData.CreateAt, c.Session.UserId)) + // this saves the OAuth2 app as authorized + authorizedApp := model.Preference{ + UserId: c.Session.UserId, + Category: model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, + Name: clientId, + Value: scope, + } + + if result := <-Srv.Store.Preference().Save(&model.Preferences{authorizedApp}); result.Err != nil { + responseData["redirect"] = redirectUri + "?error=server_error&state=" + state + w.Write([]byte(model.MapToJson(responseData))) + return + } + if result := <-Srv.Store.OAuth().SaveAuthData(authData); result.Err != nil { responseData["redirect"] = redirectUri + "?error=server_error&state=" + state w.Write([]byte(model.MapToJson(responseData))) @@ -140,7 +225,7 @@ func allowOAuth(c *Context, w http.ResponseWriter, r *http.Request) { c.LogAudit("success") responseData["redirect"] = redirectUri + "?code=" + url.QueryEscape(authData.Code) + "&state=" + url.QueryEscape(authData.State) - + w.Header().Set("Content-Type", "application/json") w.Write([]byte(model.MapToJson(responseData))) } @@ -149,24 +234,16 @@ func RevokeAccessToken(token string) *model.AppError { schan := Srv.Store.Session().Remove(token) sessionCache.Remove(token) - var accessData *model.AccessData if result := <-Srv.Store.OAuth().GetAccessData(token); result.Err != nil { return model.NewLocAppError("RevokeAccessToken", "api.oauth.revoke_access_token.get.app_error", nil, "") - } else { - accessData = result.Data.(*model.AccessData) } tchan := Srv.Store.OAuth().RemoveAccessData(token) - cchan := Srv.Store.OAuth().RemoveAuthData(accessData.AuthCode) if result := <-tchan; result.Err != nil { return model.NewLocAppError("RevokeAccessToken", "api.oauth.revoke_access_token.del_token.app_error", nil, "") } - if result := <-cchan; result.Err != nil { - return model.NewLocAppError("RevokeAccessToken", "api.oauth.revoke_access_token.del_code.app_error", nil, "") - } - if result := <-schan; result.Err != nil { return model.NewLocAppError("RevokeAccessToken", "api.oauth.revoke_access_token.del_session.app_error", nil, "") } @@ -215,6 +292,10 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { c.Err = JoinUserToTeamById(teamId, user) } if c.Err == nil { + if val, ok := props["redirect_to"]; ok { + http.Redirect(w, r, c.GetSiteURL()+val, http.StatusTemporaryRedirect) + return + } http.Redirect(w, r, GetProtocol(r)+"://"+r.Host, http.StatusTemporaryRedirect) } break @@ -242,7 +323,7 @@ func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { func authorizeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { - c.Err = model.NewLocAppError("authorizeOAuth", "web.authorize_oauth.disabled.app_error", nil, "") + c.Err = model.NewLocAppError("authorizeOAuth", "api.oauth.authorize_oauth.disabled.app_error", nil, "") c.Err.StatusCode = http.StatusNotImplemented return } @@ -253,8 +334,12 @@ func authorizeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { scope := r.URL.Query().Get("scope") state := r.URL.Query().Get("state") + if len(scope) == 0 { + scope = model.DEFAULT_SCOPE + } + if len(responseType) == 0 || len(clientId) == 0 || len(redirect) == 0 { - c.Err = model.NewLocAppError("authorizeOAuth", "web.authorize_oauth.missing.app_error", nil, "") + c.Err = model.NewLocAppError("authorizeOAuth", "api.oauth.authorize_oauth.missing.app_error", nil, "") return } @@ -266,31 +351,67 @@ func authorizeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { app = result.Data.(*model.OAuthApp) } - var team *model.Team - if result := <-Srv.Store.Team().Get(c.TeamId); result.Err != nil { - c.Err = result.Err + // here we should check if the user is logged in + if len(c.Session.UserId) == 0 { + http.Redirect(w, r, c.GetSiteURL()+"/login?redirect_to="+url.QueryEscape(r.RequestURI), http.StatusFound) return - } else { - team = result.Data.(*model.Team) } - page := utils.NewHTMLTemplate("authorize", c.Locale) - page.Props["Title"] = c.T("web.authorize_oauth.title") - page.Props["TeamName"] = team.Name - page.Props["AppName"] = app.Name - page.Props["ResponseType"] = responseType - page.Props["ClientId"] = clientId - page.Props["RedirectUri"] = redirect - page.Props["Scope"] = scope - page.Props["State"] = state - if err := page.RenderToWriter(w); err != nil { - c.SetUnknownError(page.TemplateName, err.Error()) + isAuthorized := false + if result := <-Srv.Store.Preference().Get(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, clientId); result.Err == nil { + // when we support scopes we should check if the scopes match + isAuthorized = true } + + // Automatically allow if the app is trusted + if app.IsTrusted || isAuthorized { + closeBody := func(r *http.Response) { + if r.Body != nil { + ioutil.ReadAll(r.Body) + r.Body.Close() + } + } + + doAllow := func() (*http.Response, *model.AppError) { + HttpClient := &http.Client{} + url := c.GetSiteURL() + "/api/v3/oauth/allow?response_type=" + model.AUTHCODE_RESPONSE_TYPE + "&client_id=" + clientId + "&redirect_uri=" + url.QueryEscape(redirect) + "&scope=" + scope + "&state=" + url.QueryEscape(state) + rq, _ := http.NewRequest("GET", url, strings.NewReader("")) + + rq.Header.Set(model.HEADER_AUTH, model.HEADER_BEARER+" "+c.Session.Token) + + if rp, err := HttpClient.Do(rq); err != nil { + return nil, model.NewLocAppError(url, "model.client.connecting.app_error", nil, err.Error()) + } else if rp.StatusCode == 304 { + return rp, nil + } else if rp.StatusCode >= 300 { + defer closeBody(rp) + return rp, model.AppErrorFromJson(rp.Body) + } else { + return rp, nil + } + } + + if result, err := doAllow(); err != nil { + c.Err = err + return + } else { + //defer closeBody(result) + data := model.MapFromJson(result.Body) + redirectTo := data["redirect"] + http.Redirect(w, r, redirectTo, http.StatusFound) + return + } + } + + w.Header().Set("Content-Type", "text/html") + + w.Header().Set("Cache-Control", "no-cache, max-age=31556926, public") + http.ServeFile(w, r, utils.FindDir("webapp/dist")+"root.html") } func getAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.disabled.app_error", nil, "") + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.disabled.app_error", nil, "") c.Err.StatusCode = http.StatusNotImplemented return } @@ -299,126 +420,167 @@ func getAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { r.ParseForm() + code := r.FormValue("code") + refreshToken := r.FormValue("refresh_token") + grantType := r.FormValue("grant_type") - if grantType != model.ACCESS_TOKEN_GRANT_TYPE { - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.bad_grant.app_error", nil, "") + switch grantType { + case model.ACCESS_TOKEN_GRANT_TYPE: + if len(code) == 0 { + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.missing_code.app_error", nil, "") + return + } + case model.REFRESH_TOKEN_GRANT_TYPE: + if len(refreshToken) == 0 { + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.missing_refresh_token.app_error", nil, "") + return + } + default: + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.bad_grant.app_error", nil, "") return } clientId := r.FormValue("client_id") if len(clientId) != 26 { - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.bad_client_id.app_error", nil, "") + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.bad_client_id.app_error", nil, "") return } secret := r.FormValue("client_secret") if len(secret) == 0 { - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.bad_client_secret.app_error", nil, "") - return - } - - code := r.FormValue("code") - if len(code) == 0 { - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.missing_code.app_error", nil, "") - return - } - - redirectUri := r.FormValue("redirect_uri") - - achan := Srv.Store.OAuth().GetApp(clientId) - tchan := Srv.Store.OAuth().GetAccessDataByAuthCode(code) - - authData := GetAuthData(code) - - if authData == nil { - c.LogAudit("fail - invalid auth code") - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.expired_code.app_error", nil, "") - return - } - - uchan := Srv.Store.User().Get(authData.UserId) - - if authData.IsExpired() { - c.LogAudit("fail - auth code expired") - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.expired_code.app_error", nil, "") - return - } - - if authData.RedirectUri != redirectUri { - c.LogAudit("fail - redirect uri provided did not match previous redirect uri") - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.redirect_uri.app_error", nil, "") - return - } - - if !model.ComparePassword(code, fmt.Sprintf("%v:%v:%v:%v", clientId, redirectUri, authData.CreateAt, authData.UserId)) { - c.LogAudit("fail - auth code is invalid") - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.expired_code.app_error", nil, "") + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.bad_client_secret.app_error", nil, "") return } var app *model.OAuthApp + achan := Srv.Store.OAuth().GetApp(clientId) if result := <-achan; result.Err != nil { - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.credentials.app_error", nil, "") + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.credentials.app_error", nil, "") return } else { app = result.Data.(*model.OAuthApp) } - if !model.ComparePassword(app.ClientSecret, secret) { + if app.ClientSecret != secret { c.LogAudit("fail - invalid client credentials") - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.credentials.app_error", nil, "") + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.credentials.app_error", nil, "") return } - callback := redirectUri - if len(callback) == 0 { - callback = app.CallbackUrls[0] - } + var user *model.User + var accessData *model.AccessData + var accessRsp *model.AccessResponse + if grantType == model.ACCESS_TOKEN_GRANT_TYPE { + redirectUri := r.FormValue("redirect_uri") + authData := GetAuthData(code) + + if authData == nil { + c.LogAudit("fail - invalid auth code") + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.expired_code.app_error", nil, "") + return + } - if result := <-tchan; result.Err != nil { - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.internal.app_error", nil, "") - return - } else if result.Data != nil { - c.LogAudit("fail - auth code has been used previously") - accessData := result.Data.(*model.AccessData) + if authData.IsExpired() { + <-Srv.Store.OAuth().RemoveAuthData(authData.Code) + c.LogAudit("fail - auth code expired") + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.expired_code.app_error", nil, "") + return + } - // Revoke access token, related auth code, and session from DB as well as from cache - if err := RevokeAccessToken(accessData.Token); err != nil { - l4g.Error(utils.T("web.get_access_token.revoking.error") + err.Message) + if authData.RedirectUri != redirectUri { + c.LogAudit("fail - redirect uri provided did not match previous redirect uri") + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.redirect_uri.app_error", nil, "") + return } - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.exchanged.app_error", nil, "") - return - } + if !model.ComparePassword(code, fmt.Sprintf("%v:%v:%v:%v", clientId, redirectUri, authData.CreateAt, authData.UserId)) { + c.LogAudit("fail - auth code is invalid") + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.expired_code.app_error", nil, "") + return + } - var user *model.User - if result := <-uchan; result.Err != nil { - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.internal_user.app_error", nil, "") - return - } else { - user = result.Data.(*model.User) - } + uchan := Srv.Store.User().Get(authData.UserId) + if result := <-uchan; result.Err != nil { + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.internal_user.app_error", nil, "") + return + } else { + user = result.Data.(*model.User) + } - session := &model.Session{UserId: user.Id, Roles: user.Roles, IsOAuth: true} + tchan := Srv.Store.OAuth().GetPreviousAccessData(user.Id, clientId) + if result := <-tchan; result.Err != nil { + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.internal.app_error", nil, "") + return + } else if result.Data != nil { + accessData := result.Data.(*model.AccessData) + if accessData.IsExpired() { + if access, err := newSessionUpdateToken(app.Name, accessData, user); err != nil { + c.Err = err + return + } else { + accessRsp = access + } + } else { + //return the same token and no need to create a new session + accessRsp = &model.AccessResponse{ + AccessToken: accessData.Token, + TokenType: model.ACCESS_TOKEN_TYPE, + ExpiresIn: int32((accessData.ExpiresAt - model.GetMillis()) / 1000), + } + } + } else { + // create a new session and return new access token + var session *model.Session + if result, err := newSession(app.Name, user); err != nil { + c.Err = err + return + } else { + session = result + } - if result := <-Srv.Store.Session().Save(session); result.Err != nil { - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.internal_session.app_error", nil, "") - return + accessData = &model.AccessData{ClientId: clientId, UserId: user.Id, Token: session.Token, RefreshToken: model.NewId(), RedirectUri: redirectUri, ExpiresAt: session.ExpiresAt} + + if result := <-Srv.Store.OAuth().SaveAccessData(accessData); result.Err != nil { + l4g.Error(result.Err) + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.internal_saving.app_error", nil, "") + return + } + + accessRsp = &model.AccessResponse{ + AccessToken: session.Token, + TokenType: model.ACCESS_TOKEN_TYPE, + RefreshToken: accessData.RefreshToken, + ExpiresIn: int32(*utils.Cfg.ServiceSettings.SessionLengthSSOInDays * 60 * 60 * 24), + } + } + + <-Srv.Store.OAuth().RemoveAuthData(authData.Code) } else { - session = result.Data.(*model.Session) - AddSessionToCache(session) - } + // when grantType is refresh_token + if result := <-Srv.Store.OAuth().GetAccessDataByRefreshToken(refreshToken); result.Err != nil { + c.LogAudit("fail - refresh token is invalid") + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.refresh_token.app_error", nil, "") + return + } else { + accessData = result.Data.(*model.AccessData) + } - accessData := &model.AccessData{AuthCode: authData.Code, Token: session.Token, RedirectUri: callback} + uchan := Srv.Store.User().Get(accessData.UserId) + if result := <-uchan; result.Err != nil { + c.Err = model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.internal_user.app_error", nil, "") + return + } else { + user = result.Data.(*model.User) + } - if result := <-Srv.Store.OAuth().SaveAccessData(accessData); result.Err != nil { - l4g.Error(result.Err) - c.Err = model.NewLocAppError("getAccessToken", "web.get_access_token.internal_saving.app_error", nil, "") - return + if access, err := newSessionUpdateToken(app.Name, accessData, user); err != nil { + c.Err = err + return + } else { + accessRsp = access + } } - accessRsp := &model.AccessResponse{AccessToken: session.Token, TokenType: model.ACCESS_TOKEN_TYPE, ExpiresIn: int32(*utils.Cfg.ServiceSettings.SessionLengthSSOInDays * 60 * 60 * 24)} - w.Header().Set("Content-Type", "application/json") w.Header().Set("Cache-Control", "no-store") w.Header().Set("Pragma", "no-cache") @@ -432,6 +594,7 @@ func loginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { params := mux.Vars(r) service := params["service"] loginHint := r.URL.Query().Get("login_hint") + redirectTo := r.URL.Query().Get("redirect_to") teamId, err := getTeamIdFromQuery(r.URL.Query()) if err != nil { @@ -445,6 +608,10 @@ func loginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { stateProps["team_id"] = teamId } + if len(redirectTo) != 0 { + stateProps["redirect_to"] = redirectTo + } + if authUrl, err := GetAuthorizationCode(c, service, stateProps, loginHint); err != nil { c.Err = err return @@ -462,12 +629,12 @@ func getTeamIdFromQuery(query url.Values) (string, *model.AppError) { props := model.MapFromJson(strings.NewReader(data)) if !model.ComparePassword(hash, fmt.Sprintf("%v:%v", data, utils.Cfg.EmailSettings.InviteSalt)) { - return "", model.NewLocAppError("getTeamIdFromQuery", "web.singup_with_oauth.invalid_link.app_error", nil, "") + return "", model.NewLocAppError("getTeamIdFromQuery", "api.oauth.singup_with_oauth.invalid_link.app_error", nil, "") } t, err := strconv.ParseInt(props["time"], 10, 64) if err != nil || model.GetMillis()-t > 1000*60*60*48 { // 48 hours - return "", model.NewLocAppError("getTeamIdFromQuery", "web.singup_with_oauth.expired_link.app_error", nil, "") + return "", model.NewLocAppError("getTeamIdFromQuery", "api.oauth.singup_with_oauth.expired_link.app_error", nil, "") } return props["id"], nil @@ -488,7 +655,7 @@ func signupWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { service := params["service"] if !utils.Cfg.TeamSettings.EnableUserCreation { - c.Err = model.NewLocAppError("signupWithOAuth", "web.singup_with_oauth.disabled.app_error", nil, "") + c.Err = model.NewLocAppError("signupWithOAuth", "api.oauth.singup_with_oauth.disabled.app_error", nil, "") c.Err.StatusCode = http.StatusNotImplemented return } @@ -666,3 +833,93 @@ func CompleteSwitchWithOAuth(c *Context, w http.ResponseWriter, r *http.Request, go sendSignInChangeEmail(c, user.Email, c.GetSiteURL(), strings.Title(service)+" SSO") } + +func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { + if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { + c.Err = model.NewLocAppError("deleteOAuthApp", "api.oauth.allow_oauth.turn_off.app_error", nil, "") + c.Err.StatusCode = http.StatusNotImplemented + return + } + + isSystemAdmin := c.IsSystemAdmin() + + if *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations { + if !isSystemAdmin { + c.Err = model.NewLocAppError("deleteOAuthApp", "api.command.admin_only.app_error", nil, "") + c.Err.StatusCode = http.StatusForbidden + return + } + } + + c.LogAudit("attempt") + + props := model.MapFromJson(r.Body) + + id := props["id"] + if len(id) == 0 { + c.SetInvalidParam("deleteOAuthApp", "id") + return + } + + if result := <-Srv.Store.OAuth().GetApp(id); result.Err != nil { + c.Err = result.Err + return + } else { + if c.Session.UserId != result.Data.(*model.OAuthApp).CreatorId && !isSystemAdmin { + c.LogAudit("fail - inappropriate permissions") + c.Err = model.NewLocAppError("deleteOAuthApp", "api.oauth.delete.permissions.app_error", nil, "user_id="+c.Session.UserId) + return + } + } + + if err := (<-Srv.Store.OAuth().DeleteApp(id)).Err; err != nil { + c.Err = err + return + } + + c.LogAudit("success") + ReturnStatusOK(w) +} + +func newSession(appName string, user *model.User) (*model.Session, *model.AppError) { + // set new token an session + session := &model.Session{UserId: user.Id, Roles: user.Roles, IsOAuth: true} + session.SetExpireInDays(*utils.Cfg.ServiceSettings.SessionLengthSSOInDays) + session.AddProp(model.SESSION_PROP_PLATFORM, appName) + session.AddProp(model.SESSION_PROP_OS, "OAuth2") + session.AddProp(model.SESSION_PROP_BROWSER, "OAuth2") + + if result := <-Srv.Store.Session().Save(session); result.Err != nil { + return nil, model.NewLocAppError("getAccessToken", "api.oauth.get_access_token.internal_session.app_error", nil, "") + } else { + session = result.Data.(*model.Session) + AddSessionToCache(session) + } + + return session, nil +} + +func newSessionUpdateToken(appName string, accessData *model.AccessData, user *model.User) (*model.AccessResponse, *model.AppError) { + var session *model.Session + <-Srv.Store.Session().Remove(accessData.Token) //remove the previous session + + if result, err := newSession(appName, user); err != nil { + return nil, err + } else { + session = result + } + + accessData.Token = session.Token + accessData.ExpiresAt = session.ExpiresAt + if result := <-Srv.Store.OAuth().UpdateAccessData(accessData); result.Err != nil { + l4g.Error(result.Err) + return nil, model.NewLocAppError("getAccessToken", "web.get_access_token.internal_saving.app_error", nil, "") + } + accessRsp := &model.AccessResponse{ + AccessToken: session.Token, + TokenType: model.ACCESS_TOKEN_TYPE, + ExpiresIn: int32(*utils.Cfg.ServiceSettings.SessionLengthSSOInDays * 60 * 60 * 24), + } + + return accessRsp, nil +} diff --git a/api/oauth_test.go b/api/oauth_test.go index aa3c025a7..b719e17cc 100644 --- a/api/oauth_test.go +++ b/api/oauth_test.go @@ -11,131 +11,245 @@ import ( ) func TestRegisterApp(t *testing.T) { - th := Setup().InitBasic() - Client := th.BasicClient + th := Setup().InitBasic().InitSystemAdmin() + Client := th.SystemAdminClient app := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { - if _, err := Client.RegisterApp(app); err == nil { t.Fatal("should have failed - oauth providing turned off") } - } else { + } - Client.Logout() + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true - if _, err := Client.RegisterApp(app); err == nil { - t.Fatal("not logged in - should have failed") - } + Client.Logout() - th.LoginBasic() + if _, err := Client.RegisterApp(app); err == nil { + t.Fatal("not logged in - should have failed") + } - if result, err := Client.RegisterApp(app); err != nil { - t.Fatal(err) - } else { - rapp := result.Data.(*model.OAuthApp) - if len(rapp.Id) != 26 { - t.Fatal("clientid didn't return properly") - } - if len(rapp.ClientSecret) != 26 { - t.Fatal("client secret didn't return properly") - } - } + th.LoginSystemAdmin() - app = &model.OAuthApp{Name: "", Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} - if _, err := Client.RegisterApp(app); err == nil { - t.Fatal("missing name - should have failed") + if result, err := Client.RegisterApp(app); err != nil { + t.Fatal(err) + } else { + rapp := result.Data.(*model.OAuthApp) + if len(rapp.Id) != 26 { + t.Fatal("clientid didn't return properly") } - - app = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} - if _, err := Client.RegisterApp(app); err == nil { - t.Fatal("missing homepage - should have failed") + if len(rapp.ClientSecret) != 26 { + t.Fatal("client secret didn't return properly") } + } - app = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{}} - if _, err := Client.RegisterApp(app); err == nil { - t.Fatal("missing callback url - should have failed") - } + app = &model.OAuthApp{Name: "", Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + if _, err := Client.RegisterApp(app); err == nil { + t.Fatal("missing name - should have failed") + } + + app = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + if _, err := Client.RegisterApp(app); err == nil { + t.Fatal("missing homepage - should have failed") + } + + app = &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{}} + if _, err := Client.RegisterApp(app); err == nil { + t.Fatal("missing callback url - should have failed") } } func TestAllowOAuth(t *testing.T) { - th := Setup().InitBasic() + th := Setup().InitBasic().InitSystemAdmin() Client := th.BasicClient + AdminClient := th.SystemAdminClient + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true app := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + app = AdminClient.Must(AdminClient.RegisterApp(app)).Data.(*model.OAuthApp) state := "123" - if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { - if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, "12345678901234567890123456", app.CallbackUrls[0], "all", state); err == nil { - t.Fatal("should have failed - oauth service providing turned off") - } + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false + if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, app.Id, app.CallbackUrls[0], "all", state); err == nil { + t.Fatal("should have failed - oauth providing turned off") + } + + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + + if result, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, app.Id, app.CallbackUrls[0], "all", state); err != nil { + t.Fatal(err) } else { - app = Client.Must(Client.RegisterApp(app)).Data.(*model.OAuthApp) + redirect := result.Data.(map[string]string)["redirect"] + if len(redirect) == 0 { + t.Fatal("redirect url should be set") + } - if result, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, app.Id, app.CallbackUrls[0], "all", state); err != nil { - t.Fatal(err) + ru, _ := url.Parse(redirect) + if ru == nil { + t.Fatal("redirect url unparseable") } else { - redirect := result.Data.(map[string]string)["redirect"] - if len(redirect) == 0 { - t.Fatal("redirect url should be set") + if len(ru.Query().Get("code")) == 0 { + t.Fatal("authorization code not returned") } - - ru, _ := url.Parse(redirect) - if ru == nil { - t.Fatal("redirect url unparseable") - } else { - if len(ru.Query().Get("code")) == 0 { - t.Fatal("authorization code not returned") - } - if ru.Query().Get("state") != state { - t.Fatal("returned state doesn't match") - } + if ru.Query().Get("state") != state { + t.Fatal("returned state doesn't match") } } + } - if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, app.Id, "", "all", state); err == nil { - t.Fatal("should have failed - no redirect_url given") - } + if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, app.Id, "", "all", state); err == nil { + t.Fatal("should have failed - no redirect_url given") + } - if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, app.Id, "", "", state); err == nil { - t.Fatal("should have failed - no redirect_url given") + if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, app.Id, "", "", state); err == nil { + t.Fatal("should have failed - no redirect_url given") + } + + if result, err := Client.AllowOAuth("junk", app.Id, app.CallbackUrls[0], "all", state); err != nil { + t.Fatal(err) + } else { + redirect := result.Data.(map[string]string)["redirect"] + if len(redirect) == 0 { + t.Fatal("redirect url should be set") } - if result, err := Client.AllowOAuth("junk", app.Id, app.CallbackUrls[0], "all", state); err != nil { - t.Fatal(err) + ru, _ := url.Parse(redirect) + if ru == nil { + t.Fatal("redirect url unparseable") } else { - redirect := result.Data.(map[string]string)["redirect"] - if len(redirect) == 0 { - t.Fatal("redirect url should be set") + if ru.Query().Get("error") != "unsupported_response_type" { + t.Fatal("wrong error returned") } - - ru, _ := url.Parse(redirect) - if ru == nil { - t.Fatal("redirect url unparseable") - } else { - if ru.Query().Get("error") != "unsupported_response_type" { - t.Fatal("wrong error returned") - } - if ru.Query().Get("state") != state { - t.Fatal("returned state doesn't match") - } + if ru.Query().Get("state") != state { + t.Fatal("returned state doesn't match") } } + } - if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, "", app.CallbackUrls[0], "all", state); err == nil { - t.Fatal("should have failed - empty client id") + if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, "", app.CallbackUrls[0], "all", state); err == nil { + t.Fatal("should have failed - empty client id") + } + + if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, "junk", app.CallbackUrls[0], "all", state); err == nil { + t.Fatal("should have failed - bad client id") + } + + if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, app.Id, "https://somewhereelse.com", "all", state); err == nil { + t.Fatal("should have failed - redirect uri host does not match app host") + } +} + +func TestGetOAuthAppsByUser(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + Client := th.BasicClient + AdminClient := th.SystemAdminClient + + if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { + if _, err := Client.GetOAuthAppsByUser(); err == nil { + t.Fatal("should have failed - oauth providing turned off") } - if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, "junk", app.CallbackUrls[0], "all", state); err == nil { - t.Fatal("should have failed - bad client id") + } + + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + + if _, err := Client.GetOAuthAppsByUser(); err == nil { + t.Fatal("Should have failed. only admin is permitted") + } + + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false + + if result, err := Client.GetOAuthAppsByUser(); err != nil { + t.Fatal(err) + } else { + apps := result.Data.([]*model.OAuthApp) + + if len(apps) != 0 { + t.Fatal("incorrect number of apps should have been 0") } + } - if _, err := Client.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, app.Id, "https://somewhereelse.com", "all", state); err == nil { - t.Fatal("should have failed - redirect uri host does not match app host") + app := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + app = Client.Must(Client.RegisterApp(app)).Data.(*model.OAuthApp) + + if result, err := Client.GetOAuthAppsByUser(); err != nil { + t.Fatal(err) + } else { + apps := result.Data.([]*model.OAuthApp) + + if len(apps) != 1 { + t.Fatal("incorrect number of apps should have been 1") + } + } + + app = &model.OAuthApp{Name: "TestApp4" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + app = AdminClient.Must(Client.RegisterApp(app)).Data.(*model.OAuthApp) + + if result, err := AdminClient.GetOAuthAppsByUser(); err != nil { + t.Fatal(err) + } else { + apps := result.Data.([]*model.OAuthApp) + + if len(apps) != 4 { + t.Fatal("incorrect number of apps should have been 4") + } + } +} + +func TestGetOAuthAppInfo(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + Client := th.BasicClient + AdminClient := th.SystemAdminClient + + if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { + if _, err := Client.GetOAuthAppInfo("fakeId"); err == nil { + t.Fatal("should have failed - oauth providing turned off") } + + } + + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + + app := &model.OAuthApp{Name: "TestApp5" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + app = AdminClient.Must(AdminClient.RegisterApp(app)).Data.(*model.OAuthApp) + + if _, err := Client.GetOAuthAppInfo(app.Id); err != nil { + t.Fatal(err) + } +} + +func TestOAuthDeleteApp(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + Client := th.BasicClient + AdminClient := th.SystemAdminClient + + if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { + if _, err := Client.DeleteOAuthApp("fakeId"); err == nil { + t.Fatal("should have failed - oauth providing turned off") + } + + } + + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false + + app := &model.OAuthApp{Name: "TestApp5" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + app = Client.Must(Client.RegisterApp(app)).Data.(*model.OAuthApp) + + if _, err := Client.DeleteOAuthApp(app.Id); err != nil { + t.Fatal(err) + } + + app = &model.OAuthApp{Name: "TestApp5" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} + + app = Client.Must(Client.RegisterApp(app)).Data.(*model.OAuthApp) + + if _, err := AdminClient.DeleteOAuthApp(app.Id); err != nil { + t.Fatal(err) } } diff --git a/api/user.go b/api/user.go index 506c0ba44..5f3060b1e 100644 --- a/api/user.go +++ b/api/user.go @@ -2484,15 +2484,23 @@ func loginWithSaml(c *Context, w http.ResponseWriter, r *http.Request) { return } action := r.URL.Query().Get("action") + redirectTo := r.URL.Query().Get("redirect_to") + relayProps := map[string]string{} relayState := "" if len(action) != 0 { - relayProps := map[string]string{} relayProps["team_id"] = teamId relayProps["action"] = action if action == model.OAUTH_ACTION_EMAIL_TO_SSO { relayProps["email"] = r.URL.Query().Get("email") } + } + + if len(redirectTo) != 0 { + relayProps["redirect_to"] = redirectTo + } + + if len(relayProps) > 0 { relayState = b64.StdEncoding.EncodeToString([]byte(model.MapToJson(relayProps))) } @@ -2555,6 +2563,11 @@ func completeSaml(c *Context, w http.ResponseWriter, r *http.Request) { break } doLogin(c, w, r, user, "") + + if val, ok := relayProps["redirect_to"]; ok { + http.Redirect(w, r, c.GetSiteURL()+val, http.StatusFound) + return + } http.Redirect(w, r, GetProtocol(r)+"://"+r.Host, http.StatusFound) } } diff --git a/i18n/en.json b/i18n/en.json index 34c435b82..17c136f7f 100644 --- a/i18n/en.json +++ b/i18n/en.json @@ -889,7 +889,75 @@ }, { "id": "api.oauth.allow_oauth.turn_off.app_error", - "translation": "The system admin has turned off OAuth service providing." + "translation": "The system admin has turned off OAuth2 Service Provider." + }, + { + "id": "api.oauth.authorize_oauth.disabled.app_error", + "translation": "The system admin has turned off OAuth2 Service Provider." + }, + { + "id": "api.oauth.authorize_oauth.missing.app_error", + "translation": "Missing one or more of response_type, client_id, or redirect_uri" + }, + { + "id": "api.oauth.delete.permissions.app_error", + "translation": "Inappropriate permissions to delete the OAuth2 App" + }, + { + "id": "api.oauth.get_access_token.bad_client_id.app_error", + "translation": "invalid_request: Bad client_id" + }, + { + "id": "api.oauth.get_access_token.bad_client_secret.app_error", + "translation": "invalid_request: Missing client_secret" + }, + { + "id": "api.oauth.get_access_token.bad_grant.app_error", + "translation": "invalid_request: Bad grant_type" + }, + { + "id": "api.oauth.get_access_token.credentials.app_error", + "translation": "invalid_client: Invalid client credentials" + }, + { + "id": "api.oauth.get_access_token.disabled.app_error", + "translation": "The system admin has turned off OAuth2 Service Provider." + }, + { + "id": "api.oauth.get_access_token.expired_code.app_error", + "translation": "invalid_grant: Invalid or expired authorization code" + }, + { + "id": "api.oauth.get_access_token.internal.app_error", + "translation": "server_error: Encountered internal server error while accessing database" + }, + { + "id": "api.oauth.get_access_token.internal_saving.app_error", + "translation": "server_error: Encountered internal server error while saving access token to database" + }, + { + "id": "api.oauth.get_access_token.internal_session.app_error", + "translation": "server_error: Encountered internal server error while saving session to database" + }, + { + "id": "api.oauth.get_access_token.internal_user.app_error", + "translation": "server_error: Encountered internal server error while pulling user from database" + }, + { + "id": "api.oauth.get_access_token.missing_code.app_error", + "translation": "invalid_request: Missing code" + }, + { + "id": "api.oauth.get_access_token.missing_refresh_token.app_error", + "translation": "invalid_request: Missing refresh_token" + }, + { + "id": "api.oauth.get_access_token.redirect_uri.app_error", + "translation": "invalid_request: Supplied redirect_uri does not match authorization code redirect_uri" + }, + { + "id": "api.oauth.get_access_token.refresh_token.app_error", + "translation": "invalid_grant: Invalid refresh token" }, { "id": "api.oauth.get_auth_data.find.error", @@ -901,11 +969,7 @@ }, { "id": "api.oauth.register_oauth_app.turn_off.app_error", - "translation": "The system admin has turned off OAuth service providing." - }, - { - "id": "api.oauth.revoke_access_token.del_code.app_error", - "translation": "Error deleting authorization code from DB" + "translation": "The system admin has turned off OAuth2 Service Provider." }, { "id": "api.oauth.revoke_access_token.del_session.app_error", @@ -920,6 +984,18 @@ "translation": "Error getting access token from DB before deletion" }, { + "id": "api.oauth.singup_with_oauth.disabled.app_error", + "translation": "User sign-up is disabled." + }, + { + "id": "api.oauth.singup_with_oauth.expired_link.app_error", + "translation": "The signup link has expired" + }, + { + "id": "api.oauth.singup_with_oauth.invalid_link.app_error", + "translation": "The signup link does not appear to be valid" + }, + { "id": "api.post.check_for_out_of_channel_mentions.message.multiple", "translation": "{{.Usernames}} and {{.LastUsername}} were mentioned, but they did not receive notifications because they do not belong to this channel." }, @@ -2440,8 +2516,8 @@ "translation": "Invalid access token" }, { - "id": "model.access.is_valid.auth_code.app_error", - "translation": "Invalid auth code" + "id": "model.access.is_valid.client_id.app_error", + "translation": "Invalid client id" }, { "id": "model.access.is_valid.redirect_uri.app_error", @@ -2452,6 +2528,10 @@ "translation": "Invalid refresh token" }, { + "id": "model.access.is_valid.user_id.app_error", + "translation": "Invalid user id" + }, + { "id": "model.authorize.is_valid.auth_code.app_error", "translation": "Invalid authorization code" }, @@ -2901,7 +2981,7 @@ }, { "id": "model.oauth.is_valid.callback.app_error", - "translation": "Invalid callback urls" + "translation": "Callback URL must be a valid URL and start with http:// or https://." }, { "id": "model.oauth.is_valid.client_secret.app_error", @@ -2921,7 +3001,11 @@ }, { "id": "model.oauth.is_valid.homepage.app_error", - "translation": "Invalid homepage" + "translation": "Homepage must be a valid URL and start with http:// or https://." + }, + { + "id": "model.oauth.is_valid.icon_url.app_error", + "translation": "Icon URL must be a valid URL and start with http:// or https://." }, { "id": "model.oauth.is_valid.name.app_error", @@ -3656,16 +3740,28 @@ "translation": "We encountered an error saving the license" }, { - "id": "store.sql_oauth.get_access_data.app_error", - "translation": "We encountered an error finding the access token" + "id": "store.sql_oauth.delete.commit_transaction.app_error", + "translation": "Unable to commit transaction" }, { - "id": "store.sql_oauth.get_access_data_by_code.app_error", + "id": "store.sql_oauth.delete.open_transaction.app_error", + "translation": "Unable to open transaction to delete the OAuth2 app" + }, + { + "id": "store.sql_oauth.delete.rollback_transaction.app_error", + "translation": "Unable to rollback transaction to delete the OAuth2 App" + }, + { + "id": "store.sql_oauth.delete_app.app_error", + "translation": "An error occurred while deleting the OAuth2 App" + }, + { + "id": "store.sql_oauth.get_access_data.app_error", "translation": "We encountered an error finding the access token" }, { "id": "store.sql_oauth.get_app.find.app_error", - "translation": "We couldn't find the existing app" + "translation": "We couldn't find the requested app" }, { "id": "store.sql_oauth.get_app.finding.app_error", @@ -3676,6 +3772,10 @@ "translation": "We couldn't find any existing apps" }, { + "id": "store.sql_oauth.get_apps.find.app_error", + "translation": "An error occurred while finding the OAuth2 Apps" + }, + { "id": "store.sql_oauth.get_auth_data.find.app_error", "translation": "We couldn't find the existing authorization code" }, @@ -3684,6 +3784,10 @@ "translation": "We encountered an error finding the authorization code" }, { + "id": "store.sql_oauth.get_previous_access_data.app_error", + "translation": "We encountered an error finding the access token" + }, + { "id": "store.sql_oauth.permanent_delete_auth_data_by_user.app_error", "translation": "We couldn't remove the authorization code" }, @@ -3712,6 +3816,10 @@ "translation": "We couldn't save the authorization code." }, { + "id": "store.sql_oauth.update_access_data.app_error", + "translation": "We encountered an error updating the access token" + }, + { "id": "store.sql_oauth.update_app.find.app_error", "translation": "We couldn't find the existing app to update" }, @@ -4408,14 +4516,6 @@ "translation": "Admin Console" }, { - "id": "web.authorize_oauth.disabled.app_error", - "translation": "The system admin has turned off OAuth service providing." - }, - { - "id": "web.authorize_oauth.missing.app_error", - "translation": "Missing one or more of response_type, client_id, or redirect_uri" - }, - { "id": "web.authorize_oauth.title", "translation": "Authorize Application" }, @@ -4460,62 +4560,6 @@ "translation": "Find Team" }, { - "id": "web.get_access_token.bad_client_id.app_error", - "translation": "invalid_request: Bad client_id" - }, - { - "id": "web.get_access_token.bad_client_secret.app_error", - "translation": "invalid_request: Missing client_secret" - }, - { - "id": "web.get_access_token.bad_grant.app_error", - "translation": "invalid_request: Bad grant_type" - }, - { - "id": "web.get_access_token.credentials.app_error", - "translation": "invalid_client: Invalid client credentials" - }, - { - "id": "web.get_access_token.disabled.app_error", - "translation": "The system admin has turned off OAuth service providing." - }, - { - "id": "web.get_access_token.exchanged.app_error", - "translation": "invalid_grant: Authorization code already exchanged for an access token" - }, - { - "id": "web.get_access_token.expired_code.app_error", - "translation": "invalid_grant: Invalid or expired authorization code" - }, - { - "id": "web.get_access_token.internal.app_error", - "translation": "server_error: Encountered internal server error while accessing database" - }, - { - "id": "web.get_access_token.internal_saving.app_error", - "translation": "server_error: Encountered internal server error while saving access token to database" - }, - { - "id": "web.get_access_token.internal_session.app_error", - "translation": "server_error: Encountered internal server error while saving session to database" - }, - { - "id": "web.get_access_token.internal_user.app_error", - "translation": "server_error: Encountered internal server error while pulling user from database" - }, - { - "id": "web.get_access_token.missing_code.app_error", - "translation": "invalid_request: Missing code" - }, - { - "id": "web.get_access_token.redirect_uri.app_error", - "translation": "invalid_request: Supplied redirect_uri does not match authorization code redirect_uri" - }, - { - "id": "web.get_access_token.revoking.error", - "translation": "Encountered an error revoking an access token, err=" - }, - { "id": "web.header.back", "translation": "Back" }, @@ -4628,18 +4672,6 @@ "translation": "Complete User Sign Up" }, { - "id": "web.singup_with_oauth.disabled.app_error", - "translation": "User sign-up is disabled." - }, - { - "id": "web.singup_with_oauth.expired_link.app_error", - "translation": "The signup link has expired" - }, - { - "id": "web.singup_with_oauth.invalid_link.app_error", - "translation": "The signup link does not appear to be valid" - }, - { "id": "web.singup_with_oauth.invalid_team.app_error", "translation": "Invalid team name" }, diff --git a/model/access.go b/model/access.go index 877b3c4f0..85417fce9 100644 --- a/model/access.go +++ b/model/access.go @@ -15,10 +15,12 @@ const ( ) type AccessData struct { - AuthCode string `json:"auth_code"` + ClientId string `json:"client_id"` + UserId string `json:"user_id"` Token string `json:"token"` RefreshToken string `json:"refresh_token"` RedirectUri string `json:"redirect_uri"` + ExpiresAt int64 `json:"expires_at"` } type AccessResponse struct { @@ -33,8 +35,12 @@ type AccessResponse struct { // correctly. func (ad *AccessData) IsValid() *AppError { - if len(ad.AuthCode) == 0 || len(ad.AuthCode) > 128 { - return NewLocAppError("AccessData.IsValid", "model.access.is_valid.auth_code.app_error", nil, "") + if len(ad.ClientId) == 0 || len(ad.ClientId) > 26 { + return NewLocAppError("AccessData.IsValid", "model.access.is_valid.client_id.app_error", nil, "") + } + + if len(ad.UserId) == 0 || len(ad.UserId) > 26 { + return NewLocAppError("AccessData.IsValid", "model.access.is_valid.user_id.app_error", nil, "") } if len(ad.Token) != 26 { @@ -52,6 +58,19 @@ func (ad *AccessData) IsValid() *AppError { return nil } +func (me *AccessData) IsExpired() bool { + + if me.ExpiresAt <= 0 { + return false + } + + if GetMillis() > me.ExpiresAt { + return true + } + + return false +} + func (ad *AccessData) ToJson() string { b, err := json.Marshal(ad) if err != nil { diff --git a/model/access_test.go b/model/access_test.go index a018a2919..0eca302ba 100644 --- a/model/access_test.go +++ b/model/access_test.go @@ -10,7 +10,8 @@ import ( func TestAccessJson(t *testing.T) { a1 := AccessData{} - a1.AuthCode = NewId() + a1.ClientId = NewId() + a1.UserId = NewId() a1.Token = NewId() a1.RefreshToken = NewId() @@ -29,7 +30,12 @@ func TestAccessIsValid(t *testing.T) { t.Fatal("should have failed") } - ad.AuthCode = NewId() + ad.ClientId = NewId() + if err := ad.IsValid(); err == nil { + t.Fatal("should have failed") + } + + ad.UserId = NewId() if err := ad.IsValid(); err == nil { t.Fatal("should have failed") } diff --git a/model/authorize.go b/model/authorize.go index e0d665bae..2b4017e9c 100644 --- a/model/authorize.go +++ b/model/authorize.go @@ -11,6 +11,7 @@ import ( const ( AUTHCODE_EXPIRE_TIME = 60 * 10 // 10 minutes AUTHCODE_RESPONSE_TYPE = "code" + DEFAULT_SCOPE = "user" ) type AuthData struct { @@ -71,6 +72,10 @@ func (ad *AuthData) PreSave() { if ad.CreateAt == 0 { ad.CreateAt = GetMillis() } + + if len(ad.Scope) == 0 { + ad.Scope = DEFAULT_SCOPE + } } func (ad *AuthData) ToJson() string { diff --git a/model/client.go b/model/client.go index 23648050f..cad551613 100644 --- a/model/client.go +++ b/model/client.go @@ -1446,6 +1446,8 @@ func (c *Client) GetTeamMembers(teamId string) (*Result, *AppError) { } } +// RegisterApp creates a new OAuth2 app to be used with the OAuth2 Provider. On success +// it returns the created app. Must be authenticated as a user. func (c *Client) RegisterApp(app *OAuthApp) (*Result, *AppError) { if r, err := c.DoApiPost("/oauth/register", app.ToJson()); err != nil { return nil, err @@ -1456,6 +1458,9 @@ func (c *Client) RegisterApp(app *OAuthApp) (*Result, *AppError) { } } +// AllowOAuth allows a new session by an OAuth2 App. On success +// it returns the url to be redirected back to the app which initiated the oauth2 flow. +// Must be authenticated as a user. func (c *Client) AllowOAuth(rspType, clientId, redirect, scope, state string) (*Result, *AppError) { if r, err := c.DoApiGet("/oauth/allow?response_type="+rspType+"&client_id="+clientId+"&redirect_uri="+url.QueryEscape(redirect)+"&scope="+scope+"&state="+url.QueryEscape(state), "", ""); err != nil { return nil, err @@ -1466,8 +1471,47 @@ func (c *Client) AllowOAuth(rspType, clientId, redirect, scope, state string) (* } } +// GetOAuthAppsByUser returns the OAuth2 Apps registered by the user. On success +// it returns a list of OAuth2 Apps from the same user or all the registered apps if the user +// is a System Administrator. Must be authenticated as a user. +func (c *Client) GetOAuthAppsByUser() (*Result, *AppError) { + if r, err := c.DoApiGet("/oauth/list", "", ""); err != nil { + return nil, err + } else { + defer closeBody(r) + return &Result{r.Header.Get(HEADER_REQUEST_ID), + r.Header.Get(HEADER_ETAG_SERVER), OAuthAppListFromJson(r.Body)}, nil + } +} + +// GetOAuthAppInfo lookup an OAuth2 App using the client_id. On success +// it returns a Sanitized OAuth2 App. Must be authenticated as a user. +func (c *Client) GetOAuthAppInfo(clientId string) (*Result, *AppError) { + if r, err := c.DoApiGet("/oauth/app/"+clientId, "", ""); err != nil { + return nil, err + } else { + defer closeBody(r) + return &Result{r.Header.Get(HEADER_REQUEST_ID), + r.Header.Get(HEADER_ETAG_SERVER), OAuthAppFromJson(r.Body)}, nil + } +} + +// DeleteOAuthApp deletes an OAuth2 app, the app must be deleted by the same user who created it or +// a System Administrator. On success returs Status OK. Must be authenticated as a user. +func (c *Client) DeleteOAuthApp(id string) (*Result, *AppError) { + data := make(map[string]string) + data["id"] = id + if r, err := c.DoApiPost("/oauth/delete", MapToJson(data)); err != nil { + return nil, err + } else { + defer closeBody(r) + return &Result{r.Header.Get(HEADER_REQUEST_ID), + r.Header.Get(HEADER_ETAG_SERVER), MapFromJson(r.Body)}, nil + } +} + func (c *Client) GetAccessToken(data url.Values) (*Result, *AppError) { - if r, err := c.DoApiPost("/oauth/access_token", data.Encode()); err != nil { + if r, err := c.DoPost(API_URL_SUFFIX+"/oauth/access_token", data.Encode(), "application/x-www-form-urlencoded"); err != nil { return nil, err } else { defer closeBody(r) diff --git a/model/oauth.go b/model/oauth.go index c54df107c..cfe643c9a 100644 --- a/model/oauth.go +++ b/model/oauth.go @@ -25,8 +25,10 @@ type OAuthApp struct { ClientSecret string `json:"client_secret"` Name string `json:"name"` Description string `json:"description"` + IconURL string `json:"icon_url"` CallbackUrls StringArray `json:"callback_urls"` Homepage string `json:"homepage"` + IsTrusted bool `json:"is_trusted"` } // IsValid validates the app and returns an error if it isn't configured @@ -61,7 +63,13 @@ func (a *OAuthApp) IsValid() *AppError { return NewLocAppError("OAuthApp.IsValid", "model.oauth.is_valid.callback.app_error", nil, "app_id="+a.Id) } - if len(a.Homepage) == 0 || len(a.Homepage) > 256 { + for _, callback := range a.CallbackUrls { + if !IsValidHttpUrl(callback) { + return NewLocAppError("OAuthApp.IsValid", "model.oauth.is_valid.callback.app_error", nil, "") + } + } + + if len(a.Homepage) == 0 || len(a.Homepage) > 256 || !IsValidHttpUrl(a.Homepage) { return NewLocAppError("OAuthApp.IsValid", "model.oauth.is_valid.homepage.app_error", nil, "app_id="+a.Id) } @@ -69,6 +77,12 @@ func (a *OAuthApp) IsValid() *AppError { return NewLocAppError("OAuthApp.IsValid", "model.oauth.is_valid.description.app_error", nil, "app_id="+a.Id) } + if len(a.IconURL) > 0 { + if len(a.IconURL) > 512 || !IsValidHttpUrl(a.IconURL) { + return NewLocAppError("OAuthApp.IsValid", "model.oauth.is_valid.icon_url.app_error", nil, "app_id="+a.Id) + } + } + return nil } @@ -85,10 +99,6 @@ func (a *OAuthApp) PreSave() { a.CreateAt = GetMillis() a.UpdateAt = a.CreateAt - - if len(a.ClientSecret) > 0 { - a.ClientSecret = HashPassword(a.ClientSecret) - } } // PreUpdate should be run before updating the app in the db. @@ -157,3 +167,23 @@ func OAuthAppMapFromJson(data io.Reader) map[string]*OAuthApp { return nil } } + +func OAuthAppListToJson(l []*OAuthApp) string { + b, err := json.Marshal(l) + if err != nil { + return "" + } else { + return string(b) + } +} + +func OAuthAppListFromJson(data io.Reader) []*OAuthApp { + decoder := json.NewDecoder(data) + var o []*OAuthApp + err := decoder.Decode(&o) + if err == nil { + return o + } else { + return nil + } +} diff --git a/model/oauth_test.go b/model/oauth_test.go index 2ba36666c..e1f88a993 100644 --- a/model/oauth_test.go +++ b/model/oauth_test.go @@ -14,6 +14,7 @@ func TestOAuthAppJson(t *testing.T) { a1.Name = "TestOAuthApp" + NewId() a1.CallbackUrls = []string{"https://nowhere.com"} a1.Homepage = "https://nowhere.com" + a1.IconURL = "https://nowhere.com/icon_image.png" a1.ClientSecret = NewId() json := a1.ToJson() @@ -30,6 +31,7 @@ func TestOAuthAppPreSave(t *testing.T) { a1.Name = "TestOAuthApp" + NewId() a1.CallbackUrls = []string{"https://nowhere.com"} a1.Homepage = "https://nowhere.com" + a1.IconURL = "https://nowhere.com/icon_image.png" a1.ClientSecret = NewId() a1.PreSave() a1.Etag() @@ -42,6 +44,7 @@ func TestOAuthAppPreUpdate(t *testing.T) { a1.Name = "TestOAuthApp" + NewId() a1.CallbackUrls = []string{"https://nowhere.com"} a1.Homepage = "https://nowhere.com" + a1.IconURL = "https://nowhere.com/icon_image.png" a1.ClientSecret = NewId() a1.PreUpdate() } @@ -92,4 +95,9 @@ func TestOAuthAppIsValid(t *testing.T) { if err := app.IsValid(); err != nil { t.Fatal() } + + app.IconURL = "https://nowhere.com/icon_image.png" + if err := app.IsValid(); err != nil { + t.Fatal() + } } diff --git a/model/preference.go b/model/preference.go index 779c41e50..b74e25d81 100644 --- a/model/preference.go +++ b/model/preference.go @@ -22,6 +22,9 @@ const ( PREFERENCE_CATEGORY_THEME = "theme" // the name for theme props is the team id + PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP = "oauth_app" + // the name for oauth_app is the client_id and value is the current scope + PREFERENCE_CATEGORY_LAST = "last" PREFERENCE_NAME_LAST_CHANNEL = "channel" ) diff --git a/store/sql_oauth_store.go b/store/sql_oauth_store.go index e41f584a6..6db54bd4a 100644 --- a/store/sql_oauth_store.go +++ b/store/sql_oauth_store.go @@ -4,6 +4,7 @@ package store import ( + "github.com/go-gorp/gorp" "github.com/mattermost/platform/model" "strings" ) @@ -24,6 +25,7 @@ func NewSqlOAuthStore(sqlStore *SqlStore) OAuthStore { table.ColMap("Description").SetMaxSize(512) table.ColMap("CallbackUrls").SetMaxSize(1024) table.ColMap("Homepage").SetMaxSize(256) + table.ColMap("IconURL").SetMaxSize(512) tableAuth := db.AddTableWithName(model.AuthData{}, "OAuthAuthData").SetKeys(false, "Code") tableAuth.ColMap("UserId").SetMaxSize(26) @@ -34,21 +36,36 @@ func NewSqlOAuthStore(sqlStore *SqlStore) OAuthStore { tableAuth.ColMap("Scope").SetMaxSize(128) tableAccess := db.AddTableWithName(model.AccessData{}, "OAuthAccessData").SetKeys(false, "Token") - tableAccess.ColMap("AuthCode").SetMaxSize(128) + tableAccess.ColMap("ClientId").SetMaxSize(26) + tableAccess.ColMap("UserId").SetMaxSize(26) tableAccess.ColMap("Token").SetMaxSize(26) tableAccess.ColMap("RefreshToken").SetMaxSize(26) tableAccess.ColMap("RedirectUri").SetMaxSize(256) + tableAccess.SetUniqueTogether("ClientId", "UserId") } return as } func (as SqlOAuthStore) UpgradeSchemaIfNeeded() { + as.CreateColumnIfNotExists("OAuthApps", "IsTrusted", "tinyint(1)", "boolean", "0") + as.CreateColumnIfNotExists("OAuthApps", "IconURL", "varchar(512)", "varchar(512)", "") + as.CreateColumnIfNotExists("OAuthAccessData", "ClientId", "varchar(26)", "varchar(26)", "") + as.CreateColumnIfNotExists("OAuthAccessData", "UserId", "varchar(26)", "varchar(26)", "") + as.CreateColumnIfNotExists("OAuthAccessData", "ExpiresAt", "bigint", "bigint", "0") + + // ADDED for 3.3 REMOVE for 3.7 + if as.DoesColumnExist("OAuthAccessData", "AuthCode") { + as.RemoveIndexIfExists("idx_oauthaccessdata_auth_code", "OAuthAccessData") + as.RemoveColumnIfExists("OAuthAccessData", "AuthCode") + } } func (as SqlOAuthStore) CreateIndexesIfNotExists() { as.CreateIndexIfNotExists("idx_oauthapps_creator_id", "OAuthApps", "CreatorId") - as.CreateIndexIfNotExists("idx_oauthaccessdata_auth_code", "OAuthAccessData", "AuthCode") + as.CreateIndexIfNotExists("idx_oauthaccessdata_client_id", "OAuthAccessData", "ClientId") + as.CreateIndexIfNotExists("idx_oauthaccessdata_user_id", "OAuthAccessData", "UserId") + as.CreateIndexIfNotExists("idx_oauthaccessdata_refresh_token", "OAuthAccessData", "RefreshToken") as.CreateIndexIfNotExists("idx_oauthauthdata_client_id", "OAuthAuthData", "Code") } @@ -172,6 +189,62 @@ func (as SqlOAuthStore) GetAppByUser(userId string) StoreChannel { return storeChannel } +func (as SqlOAuthStore) GetApps() StoreChannel { + + storeChannel := make(StoreChannel) + + go func() { + result := StoreResult{} + + var apps []*model.OAuthApp + + if _, err := as.GetReplica().Select(&apps, "SELECT * FROM OAuthApps"); err != nil { + result.Err = model.NewLocAppError("SqlOAuthStore.GetAppByUser", "store.sql_oauth.get_apps.find.app_error", nil, "err="+err.Error()) + } + + result.Data = apps + + storeChannel <- result + close(storeChannel) + }() + + return storeChannel +} + +func (as SqlOAuthStore) DeleteApp(id string) StoreChannel { + storeChannel := make(StoreChannel) + + go func() { + result := StoreResult{} + + // wrap in a transaction so that if one fails, everything fails + transaction, err := as.GetMaster().Begin() + if err != nil { + result.Err = model.NewLocAppError("SqlOAuthStore.DeleteApp", "store.sql_oauth.delete.open_transaction.app_error", nil, err.Error()) + } else { + if extrasResult := as.deleteApp(transaction, id); extrasResult.Err != nil { + result = extrasResult + } + + if result.Err == nil { + if err := transaction.Commit(); err != nil { + // don't need to rollback here since the transaction is already closed + result.Err = model.NewLocAppError("SqlOAuthStore.DeleteApp", "store.sql_oauth.delete.commit_transaction.app_error", nil, err.Error()) + } + } else { + if err := transaction.Rollback(); err != nil { + result.Err = model.NewLocAppError("SqlOAuthStore.DeleteApp", "store.sql_oauth.delete.rollback_transaction.app_error", nil, err.Error()) + } + } + } + + storeChannel <- result + close(storeChannel) + }() + + return storeChannel +} + func (as SqlOAuthStore) SaveAccessData(accessData *model.AccessData) StoreChannel { storeChannel := make(StoreChannel) @@ -221,7 +294,7 @@ func (as SqlOAuthStore) GetAccessData(token string) StoreChannel { return storeChannel } -func (as SqlOAuthStore) GetAccessDataByAuthCode(authCode string) StoreChannel { +func (as SqlOAuthStore) GetAccessDataByRefreshToken(token string) StoreChannel { storeChannel := make(StoreChannel) @@ -230,11 +303,35 @@ func (as SqlOAuthStore) GetAccessDataByAuthCode(authCode string) StoreChannel { accessData := model.AccessData{} - if err := as.GetReplica().SelectOne(&accessData, "SELECT * FROM OAuthAccessData WHERE AuthCode = :AuthCode", map[string]interface{}{"AuthCode": authCode}); err != nil { + if err := as.GetReplica().SelectOne(&accessData, "SELECT * FROM OAuthAccessData WHERE RefreshToken = :Token", map[string]interface{}{"Token": token}); err != nil { + result.Err = model.NewLocAppError("SqlOAuthStore.GetAccessData", "store.sql_oauth.get_access_data.app_error", nil, err.Error()) + } else { + result.Data = &accessData + } + + storeChannel <- result + close(storeChannel) + + }() + + return storeChannel +} + +func (as SqlOAuthStore) GetPreviousAccessData(userId, clientId string) StoreChannel { + + storeChannel := make(StoreChannel) + + go func() { + result := StoreResult{} + + accessData := model.AccessData{} + + if err := as.GetReplica().SelectOne(&accessData, "SELECT * FROM OAuthAccessData WHERE ClientId = :ClientId AND UserId = :UserId", + map[string]interface{}{"ClientId": clientId, "UserId": userId}); err != nil { if strings.Contains(err.Error(), "no rows") { result.Data = nil } else { - result.Err = model.NewLocAppError("SqlOAuthStore.GetAccessDataByAuthCode", "store.sql_oauth.get_access_data_by_code.app_error", nil, err.Error()) + result.Err = model.NewLocAppError("SqlOAuthStore.GetPreviousAccessData", "store.sql_oauth.get_previous_access_data.app_error", nil, err.Error()) } } else { result.Data = &accessData @@ -248,6 +345,27 @@ func (as SqlOAuthStore) GetAccessDataByAuthCode(authCode string) StoreChannel { return storeChannel } +func (as SqlOAuthStore) UpdateAccessData(accessData *model.AccessData) StoreChannel { + storeChannel := make(StoreChannel) + + go func() { + result := StoreResult{} + + if _, err := as.GetMaster().Exec("UPDATE OAuthAccessData SET Token = :Token, ExpiresAt = :ExpiresAt WHERE ClientId = :ClientId AND UserID = :UserId", + map[string]interface{}{"Token": accessData.Token, "ExpiresAt": accessData.ExpiresAt, "ClientId": accessData.ClientId, "UserId": accessData.UserId}); err != nil { + result.Err = model.NewLocAppError("SqlOAuthStore.Update", "store.sql_oauth.update_access_data.app_error", nil, + "clientId="+accessData.ClientId+",userId="+accessData.UserId+", "+err.Error()) + } else { + result.Data = accessData + } + + storeChannel <- result + close(storeChannel) + }() + + return storeChannel +} + func (as SqlOAuthStore) RemoveAccessData(token string) StoreChannel { storeChannel := make(StoreChannel) @@ -339,7 +457,7 @@ func (as SqlOAuthStore) PermanentDeleteAuthDataByUser(userId string) StoreChanne go func() { result := StoreResult{} - _, err := as.GetMaster().Exec("DELETE FROM OAuthAuthData WHERE UserId = :UserId", map[string]interface{}{"UserId": userId}) + _, err := as.GetMaster().Exec("DELETE FROM OAuthAccessData WHERE UserId = :UserId", map[string]interface{}{"UserId": userId}) if err != nil { result.Err = model.NewLocAppError("SqlOAuthStore.RemoveAuthDataByUserId", "store.sql_oauth.permanent_delete_auth_data_by_user.app_error", nil, "err="+err.Error()) } @@ -350,3 +468,41 @@ func (as SqlOAuthStore) PermanentDeleteAuthDataByUser(userId string) StoreChanne return storeChannel } + +func (as SqlOAuthStore) deleteApp(transaction *gorp.Transaction, clientId string) StoreResult { + result := StoreResult{} + + if _, err := transaction.Exec("DELETE FROM OAuthApps WHERE Id = :Id", map[string]interface{}{"Id": clientId}); err != nil { + result.Err = model.NewLocAppError("SqlOAuthStore.DeleteApp", "store.sql_oauth.delete_app.app_error", nil, "id="+clientId+", err="+err.Error()) + return result + } + + return as.deleteOAuthTokens(transaction, clientId) +} + +func (as SqlOAuthStore) deleteOAuthTokens(transaction *gorp.Transaction, clientId string) StoreResult { + result := StoreResult{} + + if _, err := transaction.Exec("DELETE FROM OAuthAccessData WHERE ClientId = :Id", map[string]interface{}{"Id": clientId}); err != nil { + result.Err = model.NewLocAppError("SqlOAuthStore.DeleteApp", "store.sql_oauth.delete_app.app_error", nil, "id="+clientId+", err="+err.Error()) + return result + } + + return as.deleteAppExtras(transaction, clientId) +} + +func (as SqlOAuthStore) deleteAppExtras(transaction *gorp.Transaction, clientId string) StoreResult { + result := StoreResult{} + + if _, err := transaction.Exec( + `DELETE FROM + Preferences + WHERE + Category = :Category + AND Name = :Name`, map[string]interface{}{"Category": model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, "Name": clientId}); err != nil { + result.Err = model.NewLocAppError("SqlOAuthStore.DeleteApp", "store.sql_preference.delete.app_error", nil, err.Error()) + return result + } + + return result +} diff --git a/store/sql_oauth_store_test.go b/store/sql_oauth_store_test.go index c3f6ea7ac..a88b0ea48 100644 --- a/store/sql_oauth_store_test.go +++ b/store/sql_oauth_store_test.go @@ -39,6 +39,10 @@ func TestOAuthStoreGetApp(t *testing.T) { if err := (<-store.OAuth().GetAppByUser(a1.CreatorId)).Err; err != nil { t.Fatal(err) } + + if err := (<-store.OAuth().GetApps()).Err; err != nil { + t.Fatal(err) + } } func TestOAuthStoreUpdateApp(t *testing.T) { @@ -78,7 +82,8 @@ func TestOAuthStoreSaveAccessData(t *testing.T) { Setup() a1 := model.AccessData{} - a1.AuthCode = model.NewId() + a1.ClientId = model.NewId() + a1.UserId = model.NewId() a1.Token = model.NewId() a1.RefreshToken = model.NewId() @@ -91,9 +96,11 @@ func TestOAuthStoreGetAccessData(t *testing.T) { Setup() a1 := model.AccessData{} - a1.AuthCode = model.NewId() + a1.ClientId = model.NewId() + a1.UserId = model.NewId() a1.Token = model.NewId() a1.RefreshToken = model.NewId() + a1.ExpiresAt = model.GetMillis() Must(store.OAuth().SaveAccessData(&a1)) if result := <-store.OAuth().GetAccessData(a1.Token); result.Err != nil { @@ -105,11 +112,11 @@ func TestOAuthStoreGetAccessData(t *testing.T) { } } - if err := (<-store.OAuth().GetAccessDataByAuthCode(a1.AuthCode)).Err; err != nil { + if err := (<-store.OAuth().GetPreviousAccessData(a1.UserId, a1.ClientId)).Err; err != nil { t.Fatal(err) } - if err := (<-store.OAuth().GetAccessDataByAuthCode("junk")).Err; err != nil { + if err := (<-store.OAuth().GetPreviousAccessData("user", "junk")).Err; err != nil { t.Fatal(err) } } @@ -118,7 +125,8 @@ func TestOAuthStoreRemoveAccessData(t *testing.T) { Setup() a1 := model.AccessData{} - a1.AuthCode = model.NewId() + a1.ClientId = model.NewId() + a1.UserId = model.NewId() a1.Token = model.NewId() a1.RefreshToken = model.NewId() Must(store.OAuth().SaveAccessData(&a1)) @@ -127,8 +135,7 @@ func TestOAuthStoreRemoveAccessData(t *testing.T) { t.Fatal(err) } - if result := <-store.OAuth().GetAccessDataByAuthCode(a1.AuthCode); result.Err != nil { - t.Fatal(result.Err) + if result := (<-store.OAuth().GetPreviousAccessData(a1.UserId, a1.ClientId)); result.Err != nil { } else { if result.Data != nil { t.Fatal("did not delete access token") @@ -194,3 +201,16 @@ func TestOAuthStoreRemoveAuthDataByUser(t *testing.T) { t.Fatal(err) } } + +func TestOAuthStoreDeleteApp(t *testing.T) { + a1 := model.OAuthApp{} + a1.CreatorId = model.NewId() + a1.Name = "TestApp" + model.NewId() + a1.CallbackUrls = []string{"https://nowhere.com"} + a1.Homepage = "https://nowhere.com" + Must(store.OAuth().SaveApp(&a1)) + + if err := (<-store.OAuth().DeleteApp(a1.Id)).Err; err != nil { + t.Fatal(err) + } +} diff --git a/store/store.go b/store/store.go index ac424a944..66cc05214 100644 --- a/store/store.go +++ b/store/store.go @@ -186,13 +186,17 @@ type OAuthStore interface { UpdateApp(app *model.OAuthApp) StoreChannel GetApp(id string) StoreChannel GetAppByUser(userId string) StoreChannel + GetApps() StoreChannel + DeleteApp(id string) StoreChannel SaveAuthData(authData *model.AuthData) StoreChannel GetAuthData(code string) StoreChannel RemoveAuthData(code string) StoreChannel PermanentDeleteAuthDataByUser(userId string) StoreChannel SaveAccessData(accessData *model.AccessData) StoreChannel + UpdateAccessData(accessData *model.AccessData) StoreChannel GetAccessData(token string) StoreChannel - GetAccessDataByAuthCode(authCode string) StoreChannel + GetAccessDataByRefreshToken(token string) StoreChannel + GetPreviousAccessData(userId, clientId string) StoreChannel RemoveAccessData(token string) StoreChannel } diff --git a/templates/authorize.html b/templates/authorize.html deleted file mode 100644 index 0fa36b0ab..000000000 --- a/templates/authorize.html +++ /dev/null @@ -1,12 +0,0 @@ -{{define "authorize"}} -<html> -{{template "head" . }} -<body> - <div id="authorize"> - </div> - <script> - window.setup_authorize_page({{.Props}}); - </script> -</body> -</html> -{{end}} diff --git a/web/web_test.go b/web/web_test.go index 40eba5ff2..5f74430fa 100644 --- a/web/web_test.go +++ b/web/web_test.go @@ -72,122 +72,125 @@ func TestGetAccessToken(t *testing.T) { app := &model.OAuthApp{Name: "TestApp" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}} - if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { - data := url.Values{"grant_type": []string{"junk"}, "client_id": []string{"12345678901234567890123456"}, "client_secret": []string{"12345678901234567890123456"}, "code": []string{"junk"}, "redirect_uri": []string{app.CallbackUrls[0]}} + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = false + data := url.Values{"grant_type": []string{"junk"}, "client_id": []string{"12345678901234567890123456"}, "client_secret": []string{"12345678901234567890123456"}, "code": []string{"junk"}, "redirect_uri": []string{app.CallbackUrls[0]}} - if _, err := ApiClient.GetAccessToken(data); err == nil { - t.Fatal("should have failed - oauth providing turned off") - } - } else { + if _, err := ApiClient.GetAccessToken(data); err == nil { + t.Fatal("should have failed - oauth providing turned off") + } + utils.Cfg.ServiceSettings.EnableOAuthServiceProvider = true - ApiClient.Must(ApiClient.LoginById(ruser.Id, "passwd1")) - ApiClient.SetTeamId(rteam.Data.(*model.Team).Id) - app = ApiClient.Must(ApiClient.RegisterApp(app)).Data.(*model.OAuthApp) + ApiClient.Must(ApiClient.LoginById(ruser.Id, "passwd1")) + ApiClient.SetTeamId(rteam.Data.(*model.Team).Id) + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = false + app = ApiClient.Must(ApiClient.RegisterApp(app)).Data.(*model.OAuthApp) + *utils.Cfg.ServiceSettings.EnableOnlyAdminIntegrations = true - redirect := ApiClient.Must(ApiClient.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, app.Id, app.CallbackUrls[0], "all", "123")).Data.(map[string]string)["redirect"] - rurl, _ := url.Parse(redirect) + redirect := ApiClient.Must(ApiClient.AllowOAuth(model.AUTHCODE_RESPONSE_TYPE, app.Id, app.CallbackUrls[0], "all", "123")).Data.(map[string]string)["redirect"] + rurl, _ := url.Parse(redirect) - ApiClient.Logout() + teamId := rteam.Data.(*model.Team).Id - data := url.Values{"grant_type": []string{"junk"}, "client_id": []string{app.Id}, "client_secret": []string{app.ClientSecret}, "code": []string{rurl.Query().Get("code")}, "redirect_uri": []string{app.CallbackUrls[0]}} + ApiClient.Logout() - if _, err := ApiClient.GetAccessToken(data); err == nil { - t.Fatal("should have failed - bad grant type") - } + data = url.Values{"grant_type": []string{"junk"}, "client_id": []string{app.Id}, "client_secret": []string{app.ClientSecret}, "code": []string{rurl.Query().Get("code")}, "redirect_uri": []string{app.CallbackUrls[0]}} - data.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE) - data.Set("client_id", "") - if _, err := ApiClient.GetAccessToken(data); err == nil { - t.Fatal("should have failed - missing client id") - } - data.Set("client_id", "junk") - if _, err := ApiClient.GetAccessToken(data); err == nil { - t.Fatal("should have failed - bad client id") - } + if _, err := ApiClient.GetAccessToken(data); err == nil { + t.Fatal("should have failed - bad grant type") + } - data.Set("client_id", app.Id) - data.Set("client_secret", "") - if _, err := ApiClient.GetAccessToken(data); err == nil { - t.Fatal("should have failed - missing client secret") - } + data.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE) + data.Set("client_id", "") + if _, err := ApiClient.GetAccessToken(data); err == nil { + t.Fatal("should have failed - missing client id") + } + data.Set("client_id", "junk") + if _, err := ApiClient.GetAccessToken(data); err == nil { + t.Fatal("should have failed - bad client id") + } - data.Set("client_secret", "junk") - if _, err := ApiClient.GetAccessToken(data); err == nil { - t.Fatal("should have failed - bad client secret") - } + data.Set("client_id", app.Id) + data.Set("client_secret", "") + if _, err := ApiClient.GetAccessToken(data); err == nil { + t.Fatal("should have failed - missing client secret") + } - data.Set("client_secret", app.ClientSecret) - data.Set("code", "") - if _, err := ApiClient.GetAccessToken(data); err == nil { - t.Fatal("should have failed - missing code") - } + data.Set("client_secret", "junk") + if _, err := ApiClient.GetAccessToken(data); err == nil { + t.Fatal("should have failed - bad client secret") + } - data.Set("code", "junk") - if _, err := ApiClient.GetAccessToken(data); err == nil { - t.Fatal("should have failed - bad code") - } + data.Set("client_secret", app.ClientSecret) + data.Set("code", "") + if _, err := ApiClient.GetAccessToken(data); err == nil { + t.Fatal("should have failed - missing code") + } - data.Set("code", rurl.Query().Get("code")) - data.Set("redirect_uri", "junk") - if _, err := ApiClient.GetAccessToken(data); err == nil { - t.Fatal("should have failed - non-matching redirect uri") - } + data.Set("code", "junk") + if _, err := ApiClient.GetAccessToken(data); err == nil { + t.Fatal("should have failed - bad code") + } - // reset data for successful request - data.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE) - data.Set("client_id", app.Id) - data.Set("client_secret", app.ClientSecret) - data.Set("code", rurl.Query().Get("code")) - data.Set("redirect_uri", app.CallbackUrls[0]) + data.Set("code", rurl.Query().Get("code")) + data.Set("redirect_uri", "junk") + if _, err := ApiClient.GetAccessToken(data); err == nil { + t.Fatal("should have failed - non-matching redirect uri") + } - token := "" - if result, err := ApiClient.GetAccessToken(data); err != nil { - t.Fatal(err) - } else { - rsp := result.Data.(*model.AccessResponse) - if len(rsp.AccessToken) == 0 { - t.Fatal("access token not returned") - } else { - token = rsp.AccessToken - } - if rsp.TokenType != model.ACCESS_TOKEN_TYPE { - t.Fatal("access token type incorrect") - } - } + // reset data for successful request + data.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE) + data.Set("client_id", app.Id) + data.Set("client_secret", app.ClientSecret) + data.Set("code", rurl.Query().Get("code")) + data.Set("redirect_uri", app.CallbackUrls[0]) - if result, err := ApiClient.DoApiGet("/users/profiles?access_token="+token, "", ""); err != nil { - t.Fatal(err) + token := "" + if result, err := ApiClient.GetAccessToken(data); err != nil { + t.Fatal(err) + } else { + rsp := result.Data.(*model.AccessResponse) + if len(rsp.AccessToken) == 0 { + t.Fatal("access token not returned") } else { - userMap := model.UserMapFromJson(result.Body) - if len(userMap) == 0 { - t.Fatal("user map empty - did not get results correctly") - } + token = rsp.AccessToken } - - if _, err := ApiClient.DoApiGet("/users/profiles", "", ""); err == nil { - t.Fatal("should have failed - no access token provided") + if rsp.TokenType != model.ACCESS_TOKEN_TYPE { + t.Fatal("access token type incorrect") } + } - if _, err := ApiClient.DoApiGet("/users/profiles?access_token=junk", "", ""); err == nil { - t.Fatal("should have failed - bad access token provided") + if result, err := ApiClient.DoApiGet("/users/profiles/"+teamId+"?access_token="+token, "", ""); err != nil { + t.Fatal(err) + } else { + userMap := model.UserMapFromJson(result.Body) + if len(userMap) == 0 { + t.Fatal("user map empty - did not get results correctly") } + } - ApiClient.SetOAuthToken(token) - if result, err := ApiClient.DoApiGet("/users/profiles", "", ""); err != nil { - t.Fatal(err) - } else { - userMap := model.UserMapFromJson(result.Body) - if len(userMap) == 0 { - t.Fatal("user map empty - did not get results correctly") - } - } + if _, err := ApiClient.DoApiGet("/users/profiles/"+teamId, "", ""); err == nil { + t.Fatal("should have failed - no access token provided") + } - if _, err := ApiClient.GetAccessToken(data); err == nil { - t.Fatal("should have failed - tried to reuse auth code") + if _, err := ApiClient.DoApiGet("/users/profiles/"+teamId+"?access_token=junk", "", ""); err == nil { + t.Fatal("should have failed - bad access token provided") + } + + ApiClient.SetOAuthToken(token) + if result, err := ApiClient.DoApiGet("/users/profiles/"+teamId, "", ""); err != nil { + t.Fatal(err) + } else { + userMap := model.UserMapFromJson(result.Body) + if len(userMap) == 0 { + t.Fatal("user map empty - did not get results correctly") } + } - ApiClient.ClearOAuthToken() + if _, err := ApiClient.GetAccessToken(data); err == nil { + t.Fatal("should have failed - tried to reuse auth code") } + + ApiClient.ClearOAuthToken() } func TestIncomingWebhook(t *testing.T) { diff --git a/webapp/actions/global_actions.jsx b/webapp/actions/global_actions.jsx index ba92255ce..829424c1f 100644 --- a/webapp/actions/global_actions.jsx +++ b/webapp/actions/global_actions.jsx @@ -308,13 +308,6 @@ export function showLeaveTeamModal() { }); } -export function showRegisterAppModal() { - AppDispatcher.handleViewAction({ - type: ActionTypes.TOGGLE_REGISTER_APP_MODAL, - value: true - }); -} - export function emitSuggestionPretextChanged(suggestionId, pretext) { AppDispatcher.handleViewAction({ type: ActionTypes.SUGGESTION_PRETEXT_CHANGED, diff --git a/webapp/actions/oauth_actions.jsx b/webapp/actions/oauth_actions.jsx new file mode 100644 index 000000000..d2e5b0c98 --- /dev/null +++ b/webapp/actions/oauth_actions.jsx @@ -0,0 +1,60 @@ +// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +import Client from 'client/web_client.jsx'; +import AppDispatcher from '../dispatcher/app_dispatcher.jsx'; +import Constants from 'utils/constants.jsx'; + +const ActionTypes = Constants.ActionTypes; + +export function listOAuthApps(userId, onSuccess, onError) { + Client.listOAuthApps( + (data) => { + AppDispatcher.handleServerAction({ + type: ActionTypes.RECEIVED_OAUTHAPPS, + userId, + oauthApps: data + }); + + if (onSuccess) { + onSuccess(data); + } + }, + onError + ); +} + +export function deleteOAuthApp(id, userId, onSuccess, onError) { + Client.deleteOAuthApp( + id, + () => { + AppDispatcher.handleServerAction({ + type: ActionTypes.REMOVED_OAUTHAPP, + userId, + id + }); + + if (onSuccess) { + onSuccess(); + } + }, + onError + ); +} + +export function registerOAuthApp(app, onSuccess, onError) { + Client.registerOAuthApp( + app, + (data) => { + AppDispatcher.handleServerAction({ + type: ActionTypes.RECEIVED_OAUTHAPP, + oauthApp: data + }); + + if (onSuccess) { + onSuccess(); + } + }, + onError + ); +}
\ No newline at end of file diff --git a/webapp/client/client.jsx b/webapp/client/client.jsx index cf015bc84..b200b2379 100644 --- a/webapp/client/client.jsx +++ b/webapp/client/client.jsx @@ -1498,6 +1498,36 @@ export default class Client { end(this.handleResponse.bind(this, 'allowOAuth2', success, error)); } + listOAuthApps(success, error) { + request. + get(`${this.getOAuthRoute()}/list`). + set(this.defaultHeaders). + type('application/json'). + accept('application/json'). + send(). + end(this.handleResponse.bind(this, 'getOAuthApps', success, error)); + } + + deleteOAuthApp(id, success, error) { + request. + post(`${this.getOAuthRoute()}/delete`). + set(this.defaultHeaders). + type('application/json'). + accept('application/json'). + send({id}). + end(this.handleResponse.bind(this, 'deleteOAuthApp', success, error)); + } + + getOAuthAppInfo(id, success, error) { + request. + get(`${this.getOAuthRoute()}/app/${id}`). + set(this.defaultHeaders). + type('application/json'). + accept('application/json'). + send(). + end(this.handleResponse.bind(this, 'getOAuthAppInfo', success, error)); + } + // Routes for Hooks addIncomingHook(hook, success, error) { diff --git a/webapp/components/admin_console/admin_settings.jsx b/webapp/components/admin_console/admin_settings.jsx index d670d599d..8601722eb 100644 --- a/webapp/components/admin_console/admin_settings.jsx +++ b/webapp/components/admin_console/admin_settings.jsx @@ -8,7 +8,6 @@ import Client from 'client/web_client.jsx'; import FormError from 'components/form_error.jsx'; import SaveButton from 'components/admin_console/save_button.jsx'; -import Constants from 'utils/constants.jsx'; export default class AdminSettings extends React.Component { static get propTypes() { @@ -22,7 +21,6 @@ export default class AdminSettings extends React.Component { this.handleChange = this.handleChange.bind(this); this.handleSubmit = this.handleSubmit.bind(this); - this.onKeyDown = this.onKeyDown.bind(this); this.state = Object.assign(this.getStateFromConfig(props.config), { saveNeeded: false, @@ -38,20 +36,6 @@ export default class AdminSettings extends React.Component { }); } - componentDidMount() { - document.addEventListener('keydown', this.onKeyDown); - } - - componentWillUnmount() { - document.removeEventListener('keydown', this.onKeyDown); - } - - onKeyDown(e) { - if (e.keyCode === Constants.KeyCodes.ENTER) { - this.handleSubmit(e); - } - } - handleSubmit(e) { e.preventDefault(); @@ -118,6 +102,7 @@ export default class AdminSettings extends React.Component { <form className='form-horizontal' role='form' + onSubmit={this.handleSubmit} > {this.renderSettings()} <div className='form-group'> diff --git a/webapp/components/admin_console/admin_sidebar.jsx b/webapp/components/admin_console/admin_sidebar.jsx index d812b83fd..6634d4ac6 100644 --- a/webapp/components/admin_console/admin_sidebar.jsx +++ b/webapp/components/admin_console/admin_sidebar.jsx @@ -521,11 +521,11 @@ export default class AdminSidebar extends React.Component { } > <AdminSidebarSection - name='webhooks' + name='custom' title={ <FormattedMessage - id='admin.sidebar.webhooks' - defaultMessage='Webhooks and Commands' + id='admin.sidebar.customIntegrations' + defaultMessage='Custom Integrations' /> } /> diff --git a/webapp/components/admin_console/webhook_settings.jsx b/webapp/components/admin_console/custom_integrations_settings.jsx index ba2443442..cfa1a30ae 100644 --- a/webapp/components/admin_console/webhook_settings.jsx +++ b/webapp/components/admin_console/custom_integrations_settings.jsx @@ -24,6 +24,7 @@ export default class WebhookSettings extends AdminSettings { config.ServiceSettings.EnableOnlyAdminIntegrations = this.state.enableOnlyAdminIntegrations; config.ServiceSettings.EnablePostUsernameOverride = this.state.enablePostUsernameOverride; config.ServiceSettings.EnablePostIconOverride = this.state.enablePostIconOverride; + config.ServiceSettings.EnableOAuthServiceProvider = this.state.enableOAuthServiceProvider; return config; } @@ -35,7 +36,8 @@ export default class WebhookSettings extends AdminSettings { enableCommands: config.ServiceSettings.EnableCommands, enableOnlyAdminIntegrations: config.ServiceSettings.EnableOnlyAdminIntegrations, enablePostUsernameOverride: config.ServiceSettings.EnablePostUsernameOverride, - enablePostIconOverride: config.ServiceSettings.EnablePostIconOverride + enablePostIconOverride: config.ServiceSettings.EnablePostIconOverride, + enableOAuthServiceProvider: config.ServiceSettings.EnableOAuthServiceProvider }; } @@ -43,8 +45,8 @@ export default class WebhookSettings extends AdminSettings { return ( <h3> <FormattedMessage - id='admin.integrations.webhook' - defaultMessage='Webhooks and Commands' + id='admin.integrations.custom' + defaultMessage='Custom Integrations' /> </h3> ); @@ -105,6 +107,23 @@ export default class WebhookSettings extends AdminSettings { onChange={this.handleChange} /> <BooleanSetting + id='enableOAuthServiceProvider' + label={ + <FormattedMessage + id='admin.oauth.providerTitle' + defaultMessage='Enable OAuth 2.0 Service Provider: ' + /> + } + helpText={ + <FormattedMessage + id='admin.oauth.providerDescription' + defaultMessage='When true, Mattermost can act as an OAuth 2.0 service provider allowing external applications to authorize API requests to Mattermost.' + /> + } + value={this.state.enableOAuthServiceProvider} + onChange={this.handleChange} + /> + <BooleanSetting id='enableOnlyAdminIntegrations' label={ <FormattedMessage diff --git a/webapp/components/authorize.jsx b/webapp/components/authorize.jsx index 49ca0f36b..354b51ede 100644 --- a/webapp/components/authorize.jsx +++ b/webapp/components/authorize.jsx @@ -10,6 +10,13 @@ import React from 'react'; import icon50 from 'images/icon50x50.png'; export default class Authorize extends React.Component { + static get propTypes() { + return { + location: React.PropTypes.object.isRequired, + params: React.PropTypes.object.isRequired + }; + } + constructor(props) { super(props); @@ -18,17 +25,31 @@ export default class Authorize extends React.Component { this.state = {}; } + + componentWillMount() { + Client.getOAuthAppInfo( + this.props.location.query.client_id, + (app) => { + this.setState({app}); + } + ); + } + + componentDidMount() { + // if we get to this point remove the antiClickjack blocker + const blocker = document.getElementById('antiClickjack'); + if (blocker) { + blocker.parentNode.removeChild(blocker); + } + } + handleAllow() { - const responseType = this.props.responseType; - const clientId = this.props.clientId; - const redirectUri = this.props.redirectUri; - const state = this.props.state; - const scope = this.props.scope; + const params = this.props.location.query; - Client.allowOAuth2(responseType, clientId, redirectUri, state, scope, + Client.allowOAuth2(params.response_type, params.client_id, params.redirect_uri, params.state, params.scope, (data) => { if (data.redirect) { - window.location.replace(data.redirect); + window.location.href = data.redirect; } }, () => { @@ -36,28 +57,42 @@ export default class Authorize extends React.Component { } ); } + handleDeny() { - window.location.replace(this.props.redirectUri + '?error=access_denied'); + window.location.replace(this.props.location.query.redirect_uri + '?error=access_denied'); } + render() { + const app = this.state.app; + if (!app) { + return null; + } + + let icon; + if (app.icon_url) { + icon = app.icon_url; + } else { + icon = icon50; + } + return ( <div className='container-fluid'> <div className='prompt'> <div className='prompt__heading'> <div className='prompt__app-icon'> <img - src={icon50} + src={icon} width='50' height='50' alt='' /> </div> <div className='text'> - <FormattedMessage + <FormattedHTMLMessage id='authorize.title' - defaultMessage='An application would like to connect to your {teamName} account' + defaultMessage='<strong>{appName}</strong> would like to connect to your <strong>Mattermost</strong> user account' values={{ - teamName: this.props.teamName + appName: app.name }} /> </div> @@ -67,7 +102,7 @@ export default class Authorize extends React.Component { id='authorize.app' defaultMessage='The app <strong>{appName}</strong> would like the ability to access and modify your basic information.' values={{ - appName: this.props.appName + appName: app.name }} /> </p> @@ -76,14 +111,14 @@ export default class Authorize extends React.Component { id='authorize.access' defaultMessage='Allow <strong>{appName}</strong> access?' values={{ - appName: this.props.appName + appName: app.name }} /> </h2> <div className='prompt__buttons'> <button type='submit' - className='btn authorize-btn' + className='btn btn-link authorize-btn' onClick={this.handleDeny} > <FormattedMessage @@ -107,13 +142,3 @@ export default class Authorize extends React.Component { ); } } - -Authorize.propTypes = { - appName: React.PropTypes.string, - teamName: React.PropTypes.string, - responseType: React.PropTypes.string, - clientId: React.PropTypes.string, - redirectUri: React.PropTypes.string, - state: React.PropTypes.string, - scope: React.PropTypes.string -}; diff --git a/webapp/components/backstage/components/backstage_sidebar.jsx b/webapp/components/backstage/components/backstage_sidebar.jsx index 3434b315a..554e3043e 100644 --- a/webapp/components/backstage/components/backstage_sidebar.jsx +++ b/webapp/components/backstage/components/backstage_sidebar.jsx @@ -39,20 +39,22 @@ export default class BackstageSidebar extends React.Component { } renderIntegrations() { - if (window.mm_config.EnableIncomingWebhooks !== 'true' && - window.mm_config.EnableOutgoingWebhooks !== 'true' && - window.mm_config.EnableCommands !== 'true') { + const config = window.mm_config; + if (config.EnableIncomingWebhooks !== 'true' && + config.EnableOutgoingWebhooks !== 'true' && + config.EnableCommands !== 'true' && + config.EnableOAuthServiceProvider !== 'true') { return null; } - if (window.mm_config.EnableOnlyAdminIntegrations !== 'false' && + if (config.EnableOnlyAdminIntegrations !== 'false' && !Utils.isSystemAdmin(this.props.user.roles) && !TeamStore.isTeamAdmin(this.props.user.id, this.props.team.id)) { return null; } let incomingWebhooks = null; - if (window.mm_config.EnableIncomingWebhooks === 'true') { + if (config.EnableIncomingWebhooks === 'true') { incomingWebhooks = ( <BackstageSection name='incoming_webhooks' @@ -67,7 +69,7 @@ export default class BackstageSidebar extends React.Component { } let outgoingWebhooks = null; - if (window.mm_config.EnableOutgoingWebhooks === 'true') { + if (config.EnableOutgoingWebhooks === 'true') { outgoingWebhooks = ( <BackstageSection name='outgoing_webhooks' @@ -82,7 +84,7 @@ export default class BackstageSidebar extends React.Component { } let commands = null; - if (window.mm_config.EnableCommands === 'true') { + if (config.EnableCommands === 'true') { commands = ( <BackstageSection name='commands' @@ -96,6 +98,21 @@ export default class BackstageSidebar extends React.Component { ); } + let oauthApps = null; + if (config.EnableOAuthServiceProvider === 'true') { + oauthApps = ( + <BackstageSection + name='oauth2-apps' + title={ + <FormattedMessage + id='backstage_sidebar.integrations.oauthApps' + defaultMessage='OAuth 2.0 Applications' + /> + } + /> + ); + } + return ( <BackstageCategory name='integrations' @@ -111,6 +128,7 @@ export default class BackstageSidebar extends React.Component { {incomingWebhooks} {outgoingWebhooks} {commands} + {oauthApps} </BackstageCategory> ); } diff --git a/webapp/components/integrations/components/add_oauth_app.jsx b/webapp/components/integrations/components/add_oauth_app.jsx new file mode 100644 index 000000000..7e56aea8f --- /dev/null +++ b/webapp/components/integrations/components/add_oauth_app.jsx @@ -0,0 +1,435 @@ +// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +import React from 'react'; + +import * as OAuthActions from 'actions/oauth_actions.jsx'; + +import BackstageHeader from 'components/backstage/components/backstage_header.jsx'; +import {FormattedMessage} from 'react-intl'; +import FormError from 'components/form_error.jsx'; +import {browserHistory, Link} from 'react-router/es6'; +import SpinnerButton from 'components/spinner_button.jsx'; + +export default class AddOAuthApp extends React.Component { + static get propTypes() { + return { + team: React.propTypes.object.isRequired + }; + } + + constructor(props) { + super(props); + + this.handleSubmit = this.handleSubmit.bind(this); + + this.updateName = this.updateName.bind(this); + this.updateTrusted = this.updateTrusted.bind(this); + this.updateDescription = this.updateDescription.bind(this); + this.updateHomepage = this.updateHomepage.bind(this); + this.updateIconUrl = this.updateIconUrl.bind(this); + this.updateCallbackUrls = this.updateCallbackUrls.bind(this); + + this.imageLoaded = this.imageLoaded.bind(this); + this.image = new Image(); + this.image.onload = this.imageLoaded; + + this.state = { + name: '', + description: '', + homepage: '', + icon_url: '', + callbackUrls: '', + is_trusted: false, + has_icon: false, + saving: false, + serverError: '', + clientError: null + }; + } + + imageLoaded() { + this.setState({ + has_icon: true, + icon_url: this.refs.icon_url.value + }); + } + + handleSubmit(e) { + e.preventDefault(); + + if (this.state.saving) { + return; + } + + this.setState({ + saving: true, + serverError: '', + clientError: '' + }); + + if (!this.state.name) { + this.setState({ + saving: false, + clientError: ( + <FormattedMessage + id='add_oauth_app.nameRequired' + defaultMessage='Name for the OAuth 2.0 application is required.' + /> + ) + }); + + return; + } + + if (!this.state.description) { + this.setState({ + saving: false, + clientError: ( + <FormattedMessage + id='add_oauth_app.descriptionRequired' + defaultMessage='Description for the OAuth 2.0 application is required.' + /> + ) + }); + + return; + } + + if (!this.state.homepage) { + this.setState({ + saving: false, + clientError: ( + <FormattedMessage + id='add_oauth_app.homepageRequired' + defaultMessage='Homepage for the OAuth 2.0 application is required.' + /> + ) + }); + + return; + } + + const callbackUrls = []; + for (let callbackUrl of this.state.callbackUrls.split('\n')) { + callbackUrl = callbackUrl.trim(); + + if (callbackUrl.length > 0) { + callbackUrls.push(callbackUrl); + } + } + + if (callbackUrls.length === 0) { + this.setState({ + saving: false, + clientError: ( + <FormattedMessage + id='add_oauth_app.callbackUrlsRequired' + defaultMessage='One or more callback URLs are required.' + /> + ) + }); + + return; + } + + const app = { + name: this.state.name, + callback_urls: callbackUrls, + homepage: this.state.homepage, + description: this.state.description, + is_trusted: this.state.is_trusted, + icon_url: this.state.icon_url + }; + + OAuthActions.registerOAuthApp( + app, + () => { + browserHistory.push('/' + this.props.team.name + '/integrations/oauth2-apps'); + }, + (err) => { + this.setState({ + saving: false, + serverError: err.message + }); + } + ); + } + + updateName(e) { + this.setState({ + name: e.target.value + }); + } + + updateTrusted(e) { + this.setState({ + is_trusted: e.target.value === 'true' + }); + } + + updateDescription(e) { + this.setState({ + description: e.target.value + }); + } + + updateHomepage(e) { + this.setState({ + homepage: e.target.value + }); + } + + updateIconUrl(e) { + this.setState({ + has_icon: false, + icon_url: '' + }); + this.image.src = e.target.value; + } + + updateCallbackUrls(e) { + this.setState({ + callbackUrls: e.target.value + }); + } + + render() { + let icon; + if (this.state.has_icon) { + icon = ( + <div className='integration__icon'> + <img src={this.state.icon_url}/> + </div> + ); + } + + return ( + <div className='backstage-content'> + <BackstageHeader> + <Link to={'/' + this.props.team.name + '/integrations/oauth2-apps'}> + <FormattedMessage + id='installed_oauth_apps.header' + defaultMessage='Installed OAuth2 Apps' + /> + </Link> + <FormattedMessage + id='add_oauth_app.header' + defaultMessage='Add' + /> + </BackstageHeader> + <div className='backstage-form'> + {icon} + <form className='form-horizontal'> + <div className='form-group'> + <label + className='control-label col-sm-4' + htmlFor='is_trusted' + > + <FormattedMessage + id='installed_oauth_apps.trusted' + defaultMessage='Is Trusted' + /> + </label> + <div className='col-md-5 col-sm-8'> + <label className='radio-inline'> + <input + type='radio' + value='true' + name='is_trusted' + checked={this.state.is_trusted} + onChange={this.updateTrusted} + /> + <FormattedMessage + id='installed_oauth_apps.trusted.yes' + defaultMessage='Yes' + /> + </label> + <label className='radio-inline'> + <input + type='radio' + value='false' + name='is_trusted' + checked={!this.state.is_trusted} + onChange={this.updateTrusted} + /> + <FormattedMessage + id='installed_oauth_apps.trusted.no' + defaultMessage='No' + /> + </label> + <div className='form__help'> + <FormattedMessage + id='add_oauth_app.trusted.help' + defaultMessage="When true, the OAuth 2.0 application is considered trusted by the Mattermost server and doesn't require the user to accept authorization. When false, an additional window will appear, asking the user to accept or deny the authorization." + /> + </div> + </div> + </div> + <div className='form-group'> + <label + className='control-label col-sm-4' + htmlFor='name' + > + <FormattedMessage + id='installed_oauth_apps.name' + defaultMessage='Display Name' + /> + </label> + <div className='col-md-5 col-sm-8'> + <input + id='name' + type='text' + maxLength='64' + className='form-control' + value={this.state.name} + onChange={this.updateName} + /> + <div className='form__help'> + <FormattedMessage + id='add_oauth_app.name.help' + defaultMessage='Display name for your OAuth 2.0 application made of up to 64 characters.' + /> + </div> + </div> + </div> + <div className='form-group'> + <label + className='control-label col-sm-4' + htmlFor='description' + > + <FormattedMessage + id='installed_oauth_apps.description' + defaultMessage='Description' + /> + </label> + <div className='col-md-5 col-sm-8'> + <input + id='description' + type='text' + maxLength='512' + className='form-control' + value={this.state.description} + onChange={this.updateDescription} + /> + <div className='form__help'> + <FormattedMessage + id='add_oauth_app.description.help' + defaultMessage='Description for your OAuth 2.0 application.' + /> + </div> + </div> + </div> + <div className='form-group'> + <label + className='control-label col-sm-4' + htmlFor='homepage' + > + <FormattedMessage + id='installed_oauth_apps.homepage' + defaultMessage='Homepage' + /> + </label> + <div className='col-md-5 col-sm-8'> + <input + id='homepage' + type='url' + maxLength='256' + className='form-control' + value={this.state.homepage} + onChange={this.updateHomepage} + /> + <div className='form__help'> + <FormattedMessage + id='add_oauth_app.homepage.help' + defaultMessage='The URL for the homepage of the OAuth 2.0 application. Make sure you use HTTP or HTTPS in your URL depending on your server configuration.' + /> + </div> + </div> + </div> + <div className='form-group'> + <label + className='control-label col-sm-4' + htmlFor='icon_url' + > + <FormattedMessage + id='installed_oauth_apps.iconUrl' + defaultMessage='Icon URL' + /> + </label> + <div className='col-md-5 col-sm-8'> + <input + id='icon_url' + ref='icon_url' + type='url' + maxLength='512' + className='form-control' + onChange={this.updateIconUrl} + /> + <div className='form__help'> + <FormattedMessage + id='add_oauth_app.icon.help' + defaultMessage='The URL for the homepage of the OAuth 2.0 application. Make sure you use HTTP or HTTPS in your URL depending on your server configuration.' + /> + </div> + </div> + </div> + <div className='form-group'> + <label + className='control-label col-sm-4' + htmlFor='callbackUrls' + > + <FormattedMessage + id='installed_oauth_apps.callbackUrls' + defaultMessage='Callback URLs (One Per Line)' + /> + </label> + <div className='col-md-5 col-sm-8'> + <textarea + id='callbackUrls' + rows='3' + maxLength='1024' + className='form-control' + value={this.state.callbackUrls} + onChange={this.updateCallbackUrls} + /> + <div className='form__help'> + <FormattedMessage + id='add_oauth_app.callbackUrls.help' + defaultMessage='The redirect URIs to which the service will redirect users after accepting or denying authorization of your application, and which will handle authorization codes or access tokens. Must be a valid URL and start with http:// or https://.' + /> + </div> + </div> + </div> + <div className='backstage-form__footer'> + <FormError + type='backstage' + errors={[this.state.serverError, this.state.clientError]} + /> + <Link + className='btn btn-sm' + to={'/' + this.props.team.name + '/integrations/oauth2-apps'} + > + <FormattedMessage + id='installed_oauth_apps.cancel' + defaultMessage='Cancel' + /> + </Link> + <SpinnerButton + className='btn btn-primary' + type='submit' + spinning={this.state.saving} + onClick={this.handleSubmit} + > + <FormattedMessage + id='installed_oauth_apps.save' + defaultMessage='Save' + /> + </SpinnerButton> + </div> + </form> + </div> + </div> + ); + } +} diff --git a/webapp/components/integrations/components/installed_oauth_app.jsx b/webapp/components/integrations/components/installed_oauth_app.jsx new file mode 100644 index 000000000..37fc061f7 --- /dev/null +++ b/webapp/components/integrations/components/installed_oauth_app.jsx @@ -0,0 +1,219 @@ +// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +import React from 'react'; + +import * as Utils from 'utils/utils.jsx'; + +import {FormattedMessage, FormattedHTMLMessage} from 'react-intl'; + +const FAKE_SECRET = '***************'; + +export default class InstalledOAuthApp extends React.Component { + static get propTypes() { + return { + oauthApp: React.PropTypes.object.isRequired, + onDelete: React.PropTypes.func.isRequired, + filter: React.PropTypes.string + }; + } + + constructor(props) { + super(props); + + this.handleShowClientSecret = this.handleShowClientSecret.bind(this); + this.handleHideClientScret = this.handleHideClientScret.bind(this); + this.handleDelete = this.handleDelete.bind(this); + + this.matchesFilter = this.matchesFilter.bind(this); + + this.state = { + clientSecret: FAKE_SECRET + }; + } + + handleShowClientSecret(e) { + e.preventDefault(); + this.setState({clientSecret: this.props.oauthApp.client_secret}); + } + + handleHideClientScret(e) { + e.preventDefault(); + this.setState({clientSecret: FAKE_SECRET}); + } + + handleDelete(e) { + e.preventDefault(); + + this.props.onDelete(this.props.oauthApp); + } + + matchesFilter(oauthApp, filter) { + if (!filter) { + return true; + } + + return oauthApp.name.toLowerCase().indexOf(filter) !== -1; + } + + render() { + const oauthApp = this.props.oauthApp; + + if (!this.matchesFilter(oauthApp, this.props.filter)) { + return null; + } + + let name; + if (oauthApp.name) { + name = oauthApp.name; + } else { + name = ( + <FormattedMessage + id='installed_integrations.unnamed_oauth_app' + defaultMessage='Unnamed OAuth 2.0 Application' + /> + ); + } + + let description; + if (oauthApp.description) { + description = ( + <div className='item-details__row'> + <span className='item-details__description'> + {oauthApp.description} + </span> + </div> + ); + } + + const urls = ( + <div className='item-details__row'> + <span className='item-details__url'> + <FormattedMessage + id='installed_integrations.callback_urls' + defaultMessage='Callback URLs: {urls}' + values={{ + urls: oauthApp.callback_urls.join(', ') + }} + /> + </span> + </div> + ); + + let isTrusted; + if (oauthApp.is_trusted) { + isTrusted = Utils.localizeMessage('installed_oauth_apps.trusted.yes', 'Yes'); + } else { + isTrusted = Utils.localizeMessage('installed_oauth_apps.trusted.no', 'No'); + } + + let action; + if (this.state.clientSecret === FAKE_SECRET) { + action = ( + <a + href='#' + onClick={this.handleShowClientSecret} + > + <FormattedMessage + id='installed_integrations.showSecret' + defaultMessage='Show Secret' + /> + </a> + ); + } else { + action = ( + <a + href='#' + onClick={this.handleHideClientScret} + > + <FormattedMessage + id='installed_integrations.hideSecret' + defaultMessage='Hide Secret' + /> + </a> + ); + } + + let icon; + if (oauthApp.icon_url) { + icon = ( + <div className='integration__icon integration-list__icon'> + <img src={oauthApp.icon_url}/> + </div> + ); + } + + return ( + <div className='backstage-list__item'> + {icon} + <div className='item-details'> + <div className='item-details__row'> + <span className='item-details__name'> + {name} + </span> + </div> + {description} + <div className='item-details__row'> + <span className='item-details__url'> + <FormattedHTMLMessage + id='installed_oauth_apps.is_trusted' + defaultMessage='Is Trusted: <strong>{isTrusted}</strong>' + values={{ + isTrusted + }} + /> + </span> + </div> + <div className='item-details__row'> + <span className='item-details__token'> + <FormattedHTMLMessage + id='installed_integrations.client_id' + defaultMessage='Client ID: <strong>{clientId}</strong>' + values={{ + clientId: oauthApp.id + }} + /> + </span> + </div> + <div className='item-details__row'> + <span className='item-details__token'> + <FormattedHTMLMessage + id='installed_integrations.client_secret' + defaultMessage='Client Secret: <strong>{clientSecret}</strong>' + values={{ + clientSecret: this.state.clientSecret + }} + /> + </span> + </div> + {urls} + <div className='item-details__row'> + <span className='item-details__creation'> + <FormattedMessage + id='installed_integrations.creation' + defaultMessage='Created by {creator} on {createAt, date, full}' + values={{ + creator: Utils.displayUsername(oauthApp.creator_id), + createAt: oauthApp.create_at + }} + /> + </span> + </div> + </div> + <div className='item-actions'> + {action} + {' - '} + <a + href='#' + onClick={this.handleDelete} + > + <FormattedMessage + id='installed_integrations.delete' + defaultMessage='Delete' + /> + </a> + </div> + </div> + ); + } +} diff --git a/webapp/components/integrations/components/installed_oauth_apps.jsx b/webapp/components/integrations/components/installed_oauth_apps.jsx new file mode 100644 index 000000000..7a3b512dd --- /dev/null +++ b/webapp/components/integrations/components/installed_oauth_apps.jsx @@ -0,0 +1,108 @@ +// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +import React from 'react'; + +import UserStore from 'stores/user_store.jsx'; +import IntegrationStore from 'stores/integration_store.jsx'; +import * as OAuthActions from 'actions/oauth_actions.jsx'; +import {localizeMessage} from 'utils/utils.jsx'; + +import BackstageList from 'components/backstage/components/backstage_list.jsx'; +import {FormattedMessage} from 'react-intl'; +import InstalledOAuthApp from './installed_oauth_app.jsx'; + +export default class InstalledOAuthApps extends React.Component { + static get propTypes() { + return { + team: React.propTypes.object.isRequired + }; + } + + constructor(props) { + super(props); + + this.handleIntegrationChange = this.handleIntegrationChange.bind(this); + + this.deleteOAuthApp = this.deleteOAuthApp.bind(this); + + const userId = UserStore.getCurrentId(); + + this.state = { + oauthApps: IntegrationStore.getOAuthApps(userId), + loading: !IntegrationStore.hasReceivedOAuthApps(userId) + }; + } + + componentDidMount() { + IntegrationStore.addChangeListener(this.handleIntegrationChange); + + if (window.mm_config.EnableOAuthServiceProvider === 'true') { + OAuthActions.listOAuthApps(UserStore.getCurrentId()); + } + } + + componentWillUnmount() { + IntegrationStore.removeChangeListener(this.handleIntegrationChange); + } + + handleIntegrationChange() { + const userId = UserStore.getCurrentId(); + + this.setState({ + oauthApps: IntegrationStore.getOAuthApps(userId), + loading: !IntegrationStore.hasReceivedOAuthApps(userId) + }); + } + + deleteOAuthApp(app) { + const userId = UserStore.getCurrentId(); + OAuthActions.deleteOAuthApp(app.id, userId); + } + + render() { + const oauthApps = this.state.oauthApps.map((app) => { + return ( + <InstalledOAuthApp + key={app.id} + oauthApp={app} + onDelete={this.deleteOAuthApp} + /> + ); + }); + + return ( + <BackstageList + header={ + <FormattedMessage + id='installed_oauth_apps.header' + defaultMessage='OAuth 2.0 Applications' + /> + } + helpText={ + <FormattedMessage + id='installed_oauth_apps.help' + defaultMessage='OAuth 2.0 Applications are available to everyone on your server.' + /> + } + addText={ + <FormattedMessage + id='installed_oauth_apps.add' + defaultMessage='Add OAuth 2.0 Application' + /> + } + addLink={'/' + this.props.team.name + '/integrations/oauth2-apps/add'} + emptyText={ + <FormattedMessage + id='installed_oauth_apps.empty' + defaultMessage='No OAuth 2.0 Applications found' + /> + } + searchPlaceholder={localizeMessage('installed_oauth_apps.search', 'Search OAuth 2.0 Applications')} + loading={this.state.loading} + > + {oauthApps} + </BackstageList> + ); + } +} diff --git a/webapp/components/integrations/components/integrations.jsx b/webapp/components/integrations/components/integrations.jsx index 7894ced5d..ec923c4f0 100644 --- a/webapp/components/integrations/components/integrations.jsx +++ b/webapp/components/integrations/components/integrations.jsx @@ -7,6 +7,7 @@ import {FormattedMessage} from 'react-intl'; import IntegrationOption from './integration_option.jsx'; import WebhookIcon from 'images/webhook_icon.jpg'; +import AppIcon from 'images/oauth_icon.png'; export default class Integrations extends React.Component { static get propTypes() { @@ -17,8 +18,9 @@ export default class Integrations extends React.Component { render() { const options = []; + const config = window.mm_config; - if (window.mm_config.EnableIncomingWebhooks === 'true') { + if (config.EnableIncomingWebhooks === 'true') { options.push( <IntegrationOption key='incomingWebhook' @@ -40,7 +42,7 @@ export default class Integrations extends React.Component { ); } - if (window.mm_config.EnableOutgoingWebhooks === 'true') { + if (config.EnableOutgoingWebhooks === 'true') { options.push( <IntegrationOption key='outgoingWebhook' @@ -62,7 +64,7 @@ export default class Integrations extends React.Component { ); } - if (window.mm_config.EnableCommands === 'true') { + if (config.EnableCommands === 'true') { options.push( <IntegrationOption key='command' @@ -84,6 +86,28 @@ export default class Integrations extends React.Component { ); } + if (config.EnableOAuthServiceProvider === 'true') { + options.push( + <IntegrationOption + key='oauth2Apps' + image={AppIcon} + title={ + <FormattedMessage + id='integrations.oauthApps.title' + defaultMessage='OAuth 2.0 Applications' + /> + } + description={ + <FormattedMessage + id='integrations.oauthApps.description' + defaultMessage='Auth 2.0 allows external applications to make authorized requests to the Mattermost API.' + /> + } + link={'/' + this.props.team.name + '/integrations/oauth2-apps'} + /> + ); + } + return ( <div className='backstage-content row'> <div className='backstage-header'> diff --git a/webapp/components/login/login_controller.jsx b/webapp/components/login/login_controller.jsx index 69981cfd6..f84c30d51 100644 --- a/webapp/components/login/login_controller.jsx +++ b/webapp/components/login/login_controller.jsx @@ -146,11 +146,12 @@ export default class LoginController extends React.Component { token, () => { // check for query params brought over from signup_user_complete - if (this.props.location.query.id || this.props.location.query.h) { + const query = this.props.location.query; + if (query.id || query.h) { Client.addUserToTeamFromInvite( - this.props.location.query.d, - this.props.location.query.h, - this.props.location.query.id, + query.d, + query.h, + query.id, () => { this.finishSignin(); }, @@ -200,8 +201,13 @@ export default class LoginController extends React.Component { finishSignin() { GlobalActions.emitInitialLoad( () => { + const query = this.props.location.query; GlobalActions.loadDefaultLocale(); - browserHistory.push('/select_team'); + if (query.redirect_to) { + browserHistory.push(query.redirect_to); + } else { + browserHistory.push('/select_team'); + } } ); } @@ -401,7 +407,7 @@ export default class LoginController extends React.Component { defaultMessage="Don't have an account? " /> <Link - to={'/signup_user_complete'} + to={'/signup_user_complete' + this.props.location.search} className='signup-team-login' > <FormattedMessage diff --git a/webapp/components/navbar_dropdown.jsx b/webapp/components/navbar_dropdown.jsx index f82bd564e..39bd6b159 100644 --- a/webapp/components/navbar_dropdown.jsx +++ b/webapp/components/navbar_dropdown.jsx @@ -99,6 +99,7 @@ export default class NavbarDropdown extends React.Component { } render() { + const config = global.window.mm_config; var teamLink = ''; var inviteLink = ''; var manageLink = ''; @@ -131,7 +132,7 @@ export default class NavbarDropdown extends React.Component { </li> ); - if (this.props.teamType === Constants.OPEN_TEAM && global.window.mm_config.EnableUserCreation === 'true') { + if (this.props.teamType === Constants.OPEN_TEAM && config.EnableUserCreation === 'true') { teamLink = ( <li> <a @@ -148,10 +149,10 @@ export default class NavbarDropdown extends React.Component { } if (global.window.mm_license.IsLicensed === 'true') { - if (global.window.mm_config.RestrictTeamInvite === Constants.PERMISSIONS_SYSTEM_ADMIN && !isSystemAdmin) { + if (config.RestrictTeamInvite === Constants.PERMISSIONS_SYSTEM_ADMIN && !isSystemAdmin) { teamLink = null; inviteLink = null; - } else if (global.window.mm_config.RestrictTeamInvite === Constants.PERMISSIONS_TEAM_ADMIN && !isAdmin) { + } else if (config.RestrictTeamInvite === Constants.PERMISSIONS_TEAM_ADMIN && !isAdmin) { teamLink = null; inviteLink = null; } @@ -201,10 +202,11 @@ export default class NavbarDropdown extends React.Component { ); const integrationsEnabled = - window.mm_config.EnableIncomingWebhooks === 'true' || - window.mm_config.EnableOutgoingWebhooks === 'true' || - window.mm_config.EnableCommands === 'true'; - if (integrationsEnabled && (isAdmin || window.mm_config.EnableOnlyAdminIntegrations !== 'true')) { + config.EnableIncomingWebhooks === 'true' || + config.EnableOutgoingWebhooks === 'true' || + config.EnableCommands === 'true' || + config.EnableOAuthServiceProvider === 'true'; + if (integrationsEnabled && (isAdmin || config.EnableOnlyAdminIntegrations !== 'true')) { integrationsLink = ( <li> <Link to={'/' + this.props.teamName + '/integrations'}> @@ -234,7 +236,7 @@ export default class NavbarDropdown extends React.Component { var teams = []; - if (global.window.mm_config.EnableTeamCreation === 'true') { + if (config.EnableTeamCreation === 'true') { teams.push( <li key='newTeam_li'> <Link @@ -297,13 +299,13 @@ export default class NavbarDropdown extends React.Component { } let helpLink = null; - if (global.window.mm_config.HelpLink) { + if (config.HelpLink) { helpLink = ( <li> <Link target='_blank' rel='noopener noreferrer' - to={global.window.mm_config.HelpLink} + to={config.HelpLink} > <FormattedMessage id='navbar_dropdown.help' @@ -315,13 +317,13 @@ export default class NavbarDropdown extends React.Component { } let reportLink = null; - if (global.window.mm_config.ReportAProblemLink) { + if (config.ReportAProblemLink) { reportLink = ( <li> <Link target='_blank' rel='noopener noreferrer' - to={global.window.mm_config.ReportAProblemLink} + to={config.ReportAProblemLink} > <FormattedMessage id='navbar_dropdown.report' diff --git a/webapp/components/needs_team.jsx b/webapp/components/needs_team.jsx index 27951db0f..6c023d497 100644 --- a/webapp/components/needs_team.jsx +++ b/webapp/components/needs_team.jsx @@ -31,7 +31,6 @@ import DeletePostModal from 'components/delete_post_modal.jsx'; import MoreChannelsModal from 'components/more_channels.jsx'; import TeamSettingsModal from 'components/team_settings_modal.jsx'; import RemovedFromChannelModal from 'components/removed_from_channel_modal.jsx'; -import RegisterAppModal from 'components/register_app_modal.jsx'; import ImportThemeModal from 'components/user_settings/import_theme_modal.jsx'; import InviteMemberModal from 'components/invite_member_modal.jsx'; import LeaveTeamModal from 'components/leave_team_modal.jsx'; @@ -162,7 +161,6 @@ export default class NeedsTeam extends React.Component { <EditPostModal/> <DeletePostModal/> <RemovedFromChannelModal/> - <RegisterAppModal/> <SelectTeamModal/> </div> </div> diff --git a/webapp/components/register_app_modal.jsx b/webapp/components/register_app_modal.jsx deleted file mode 100644 index b9523c3ed..000000000 --- a/webapp/components/register_app_modal.jsx +++ /dev/null @@ -1,411 +0,0 @@ -// Copyright (c) 2015 Mattermost, Inc. All Rights Reserved. -// See License.txt for license information. - -import Client from 'client/web_client.jsx'; -import ModalStore from 'stores/modal_store.jsx'; - -import {Modal} from 'react-bootstrap'; - -import Constants from 'utils/constants.jsx'; -import {intlShape, injectIntl, defineMessages, FormattedMessage} from 'react-intl'; - -const ActionTypes = Constants.ActionTypes; - -const holders = defineMessages({ - required: { - id: 'register_app.required', - defaultMessage: 'Required' - }, - optional: { - id: 'register_app.optional', - defaultMessage: 'Optional' - } -}); - -import React from 'react'; - -class RegisterAppModal extends React.Component { - constructor() { - super(); - - this.handleSubmit = this.handleSubmit.bind(this); - this.onHide = this.onHide.bind(this); - this.save = this.save.bind(this); - this.updateShow = this.updateShow.bind(this); - - this.state = { - clientId: '', - clientSecret: '', - saved: false, - show: false - }; - } - componentDidMount() { - ModalStore.addModalListener(ActionTypes.TOGGLE_REGISTER_APP_MODAL, this.updateShow); - } - componentWillUnmount() { - ModalStore.removeModalListener(ActionTypes.TOGGLE_REGISTER_APP_MODAL, this.updateShow); - } - updateShow(show) { - if (!show) { - if (this.state.clientId !== '' && !this.state.saved) { - return; - } - - this.setState({ - clientId: '', - clientSecret: '', - saved: false, - homepageError: null, - callbackError: null, - serverError: null, - nameError: null - }); - } - - this.setState({show}); - } - handleSubmit(e) { - e.preventDefault(); - - var state = this.state; - state.serverError = null; - - var app = {}; - - var name = this.refs.name.value; - if (!name || name.length === 0) { - state.nameError = true; - this.setState(state); - return; - } - state.nameError = null; - app.name = name; - - var homepage = this.refs.homepage.value; - if (!homepage || homepage.length === 0) { - state.homepageError = true; - this.setState(state); - return; - } - state.homepageError = null; - app.homepage = homepage; - - var desc = this.refs.desc.value; - app.description = desc; - - var rawCallbacks = this.refs.callback.value.trim(); - if (!rawCallbacks || rawCallbacks.length === 0) { - state.callbackError = true; - this.setState(state); - return; - } - state.callbackError = null; - app.callback_urls = rawCallbacks.split('\n'); - - Client.registerOAuthApp(app, - (data) => { - state.clientId = data.id; - state.clientSecret = data.client_secret; - this.setState(state); - }, - (err) => { - state.serverError = err.message; - this.setState(state); - } - ); - } - onHide(e) { - if (!this.state.saved && this.state.clientId !== '') { - e.preventDefault(); - return; - } - - this.setState({clientId: '', clientSecret: '', saved: false}); - } - save() { - this.setState({saved: this.refs.save.checked}); - } - render() { - const {formatMessage} = this.props.intl; - var nameError; - if (this.state.nameError) { - nameError = ( - <div className='form-group has-error'> - <label className='control-label'> - <FormattedMessage - id='register_app.nameError' - defaultMessage='Application name must be filled in.' - /> - </label> - </div> - ); - } - var homepageError; - if (this.state.homepageError) { - homepageError = ( - <div className='form-group has-error'> - <label className='control-label'> - <FormattedMessage - id='register_app.homepageError' - defaultMessage='Homepage must be filled in.' - /> - </label> - </div> - ); - } - var callbackError; - if (this.state.callbackError) { - callbackError = ( - <div className='form-group has-error'> - <label className='control-label'> - <FormattedMessage - id='register_app.callbackError' - defaultMessage='At least one callback URL must be filled in.' - /> - </label> - </div> - ); - } - var serverError; - if (this.state.serverError) { - serverError = <div className='form-group has-error'><label className='control-label'>{this.state.serverError}</label></div>; - } - - var body = ''; - var footer = ''; - if (this.state.clientId === '') { - body = ( - <div className='settings-modal'> - <div className='form-horizontal user-settings'> - <h4 className='padding-bottom x3'> - <FormattedMessage - id='register_app.title' - defaultMessage='Register a New Application' - /> - </h4> - <div className='row'> - <label className='col-sm-4 control-label'> - <FormattedMessage - id='register_app.name' - defaultMessage='Application Name' - /> - </label> - <div className='col-sm-7'> - <input - ref='name' - className='form-control' - type='text' - placeholder={formatMessage(holders.required)} - /> - {nameError} - </div> - </div> - <div className='row padding-top x2'> - <label className='col-sm-4 control-label'> - <FormattedMessage - id='register_app.homepage' - defaultMessage='Homepage URL' - /> - </label> - <div className='col-sm-7'> - <input - ref='homepage' - className='form-control' - type='text' - placeholder={formatMessage(holders.required)} - /> - {homepageError} - </div> - </div> - <div className='row padding-top x2'> - <label className='col-sm-4 control-label'> - <FormattedMessage - id='register_app.description' - defaultMessage='Description' - /> - </label> - <div className='col-sm-7'> - <input - ref='desc' - className='form-control' - type='text' - placeholder={formatMessage(holders.optional)} - /> - </div> - </div> - <div className='row padding-top padding-bottom x2'> - <label className='col-sm-4 control-label'> - <FormattedMessage - id='register_app.callback' - defaultMessage='Callback URL' - /> - </label> - <div className='col-sm-7'> - <textarea - ref='callback' - className='form-control' - type='text' - placeholder={formatMessage(holders.required)} - rows='5' - /> - {callbackError} - </div> - </div> - {serverError} - </div> - </div> - ); - - footer = ( - <div> - <button - type='button' - className='btn btn-default' - onClick={() => this.updateShow(false)} - > - <FormattedMessage - id='register_app.cancel' - defaultMessage='Cancel' - /> - </button> - <button - onClick={this.handleSubmit} - type='submit' - className='btn btn-primary' - tabIndex='3' - > - <FormattedMessage - id='register_app.register' - defaultMessage='Register' - /> - </button> - </div> - ); - } else { - var btnClass = ' disabled'; - if (this.state.saved) { - btnClass = ''; - } - - body = ( - <div className='form-horizontal user-settings'> - <h4 className='padding-bottom x3'> - <FormattedMessage - id='register_app.credentialsTitle' - defaultMessage='Your Application Credentials' - /> - </h4> - <br/> - <div className='row'> - <label className='col-sm-4 control-label'> - <FormattedMessage - id='register_app.clientId' - defaultMessage='Client ID' - /> - </label> - <div className='col-sm-7'> - <input - className='form-control' - type='text' - value={this.state.clientId} - readOnly='true' - /> - </div> - </div> - <br/> - <div className='row padding-top x2'> - <label className='col-sm-4 control-label'> - <FormattedMessage - id='register_app.clientSecret' - defaultMessage='Client Secret' - /></label> - <div className='col-sm-7'> - <input - className='form-control' - type='text' - value={this.state.clientSecret} - readOnly='true' - /> - </div> - </div> - <br/> - <br/> - <strong> - <FormattedMessage - id='register_app.credentialsDescription' - defaultMessage="Save these somewhere SAFE and SECURE. Treat your Client ID as your app's username and your Client Secret as the app's password." - /> - </strong> - <br/> - <br/> - <div className='checkbox'> - <label> - <input - ref='save' - type='checkbox' - checked={this.state.saved} - onChange={this.save} - /> - <FormattedMessage - id='register_app.credentialsSave' - defaultMessage='I have saved both my Client Id and Client Secret somewhere safe' - /> - </label> - </div> - </div> - ); - - footer = ( - <a - className={'btn btn-sm btn-primary pull-right' + btnClass} - href='#' - onClick={(e) => { - e.preventDefault(); - this.updateShow(false); - }} - > - <FormattedMessage - id='register_app.close' - defaultMessage='Close' - /> - </a> - ); - } - - return ( - <span> - <Modal - show={this.state.show} - onHide={() => this.updateShow(false)} - > - <Modal.Header closeButton={true}> - <Modal.Title> - <FormattedMessage - id='register_app.dev' - defaultMessage='Developer Applications' - /> - </Modal.Title> - </Modal.Header> - <form - role='form' - className='form-horizontal' - > - <Modal.Body> - {body} - </Modal.Body> - <Modal.Footer> - {footer} - </Modal.Footer> - </form> - </Modal> - </span> - ); - } -} - -RegisterAppModal.propTypes = { - intl: intlShape.isRequired -}; - -export default injectIntl(RegisterAppModal); diff --git a/webapp/components/signup_user_complete.jsx b/webapp/components/signup_user_complete.jsx index 167b41ea1..23e115124 100644 --- a/webapp/components/signup_user_complete.jsx +++ b/webapp/components/signup_user_complete.jsx @@ -231,8 +231,13 @@ export default class SignupUserComplete extends React.Component { finishSignup() { GlobalActions.emitInitialLoad( () => { + const query = this.props.location.query; GlobalActions.loadDefaultLocale(); - browserHistory.push('/select_team'); + if (query.redirect_to) { + browserHistory.push(query.redirect_to); + } else { + browserHistory.push('/select_team'); + } } ); } @@ -250,7 +255,12 @@ export default class SignupUserComplete extends React.Component { GlobalActions.emitInitialLoad( () => { - browserHistory.push('/select_team'); + const query = this.props.location.query; + if (query.redirect_to) { + browserHistory.push(query.redirect_to); + } else { + browserHistory.push('/select_team'); + } } ); }, diff --git a/webapp/components/user_settings/user_settings.jsx b/webapp/components/user_settings/user_settings.jsx index cf69a564f..99a7ec93b 100644 --- a/webapp/components/user_settings/user_settings.jsx +++ b/webapp/components/user_settings/user_settings.jsx @@ -6,7 +6,6 @@ import * as utils from 'utils/utils.jsx'; import NotificationsTab from './user_settings_notifications.jsx'; import SecurityTab from './user_settings_security.jsx'; import GeneralTab from './user_settings_general.jsx'; -import DeveloperTab from './user_settings_developer.jsx'; import DisplayTab from './user_settings_display.jsx'; import AdvancedTab from './user_settings_advanced.jsx'; @@ -77,17 +76,6 @@ export default class UserSettings extends React.Component { /> </div> ); - } else if (this.props.activeTab === 'developer') { - return ( - <div> - <DeveloperTab - activeSection={this.props.activeSection} - updateSection={this.props.updateSection} - closeModal={this.props.closeModal} - collapseModal={this.props.collapseModal} - /> - </div> - ); } else if (this.props.activeTab === 'display') { return ( <div> diff --git a/webapp/components/user_settings/user_settings_developer.jsx b/webapp/components/user_settings/user_settings_developer.jsx deleted file mode 100644 index ae6d60362..000000000 --- a/webapp/components/user_settings/user_settings_developer.jsx +++ /dev/null @@ -1,138 +0,0 @@ -// Copyright (c) 2015 Mattermost, Inc. All Rights Reserved. -// See License.txt for license information. - -import SettingItemMin from '../setting_item_min.jsx'; -import SettingItemMax from '../setting_item_max.jsx'; -import * as GlobalActions from 'actions/global_actions.jsx'; - -import {intlShape, injectIntl, defineMessages, FormattedMessage} from 'react-intl'; - -const holders = defineMessages({ - applicationsPreview: { - id: 'user.settings.developer.applicationsPreview', - defaultMessage: 'Applications (Preview)' - }, - thirdParty: { - id: 'user.settings.developer.thirdParty', - defaultMessage: 'Open to register a new third-party application' - } -}); - -import React from 'react'; - -class DeveloperTab extends React.Component { - constructor(props) { - super(props); - - this.register = this.register.bind(this); - - this.state = {}; - } - register() { - this.props.closeModal(); - GlobalActions.showRegisterAppModal(); - } - render() { - var appSection; - var self = this; - const {formatMessage} = this.props.intl; - if (this.props.activeSection === 'app') { - var inputs = []; - - inputs.push( - <div - key='registerbtn' - className='form-group' - > - <div className='col-sm-7'> - <a - className='btn btn-sm btn-primary' - onClick={this.register} - > - <FormattedMessage - id='user.settings.developer.register' - defaultMessage='Register New Application' - /> - </a> - </div> - </div> - ); - - appSection = ( - <SettingItemMax - title={formatMessage(holders.applicationsPreview)} - inputs={inputs} - updateSection={function updateSection(e) { - self.props.updateSection(''); - e.preventDefault(); - }} - /> - ); - } else { - appSection = ( - <SettingItemMin - title={formatMessage(holders.applicationsPreview)} - describe={formatMessage(holders.thirdParty)} - updateSection={function updateSection() { - self.props.updateSection('app'); - }} - /> - ); - } - - return ( - <div> - <div className='modal-header'> - <button - type='button' - className='close' - data-dismiss='modal' - aria-label='Close' - onClick={this.props.closeModal} - > - <span aria-hidden='true'>{'×'}</span> - </button> - <h4 - className='modal-title' - ref='title' - > - <div className='modal-back'> - <i - className='fa fa-angle-left' - onClick={this.props.collapseModal} - /> - </div> - <FormattedMessage - id='user.settings.developer.title' - defaultMessage='Developer Settings' - /> - </h4> - </div> - <div className='user-settings'> - <h3 className='tab-header'> - <FormattedMessage - id='user.settings.developer.title' - defaultMessage='Developer Settings' - /> - </h3> - <div className='divider-dark first'/> - {appSection} - <div className='divider-dark'/> - </div> - </div> - ); - } -} - -DeveloperTab.defaultProps = { - activeSection: '' -}; -DeveloperTab.propTypes = { - intl: intlShape.isRequired, - activeSection: React.PropTypes.string, - updateSection: React.PropTypes.func, - closeModal: React.PropTypes.func.isRequired, - collapseModal: React.PropTypes.func.isRequired -}; - -export default injectIntl(DeveloperTab); diff --git a/webapp/components/user_settings/user_settings_modal.jsx b/webapp/components/user_settings/user_settings_modal.jsx index de4745aac..9112f8711 100644 --- a/webapp/components/user_settings/user_settings_modal.jsx +++ b/webapp/components/user_settings/user_settings_modal.jsx @@ -27,10 +27,6 @@ const holders = defineMessages({ id: 'user.settings.modal.notifications', defaultMessage: 'Notifications' }, - developer: { - id: 'user.settings.modal.developer', - defaultMessage: 'Developer' - }, display: { id: 'user.settings.modal.display', defaultMessage: 'Display' @@ -214,10 +210,6 @@ class UserSettingsModal extends React.Component { tabs.push({name: 'general', uiName: formatMessage(holders.general), icon: 'icon fa fa-gear'}); tabs.push({name: 'security', uiName: formatMessage(holders.security), icon: 'icon fa fa-lock'}); tabs.push({name: 'notifications', uiName: formatMessage(holders.notifications), icon: 'icon fa fa-exclamation-circle'}); - if (global.window.mm_config.EnableOAuthServiceProvider === 'true') { - tabs.push({name: 'developer', uiName: formatMessage(holders.developer), icon: 'icon fa fa-th'}); - } - tabs.push({name: 'display', uiName: formatMessage(holders.display), icon: 'icon fa fa-eye'}); tabs.push({name: 'advanced', uiName: formatMessage(holders.advanced), icon: 'icon fa fa-list-alt'}); diff --git a/webapp/i18n/en.json b/webapp/i18n/en.json index d77c9e2d8..a512a9e74 100644 --- a/webapp/i18n/en.json +++ b/webapp/i18n/en.json @@ -93,6 +93,17 @@ "add_incoming_webhook.header": "Add", "add_incoming_webhook.name": "Name", "add_incoming_webhook.save": "Save", + "add_oauth_app.callbackUrls.help": "The redirect URIs to which the service will redirect users after accepting or denying authorization of your application, and which will handle authorization codes or access tokens. Must be a valid URL and start with http:// or https://.", + "add_oauth_app.callbackUrlsRequired": "One or more callback URLs are required", + "add_oauth_app.description.help": "Description for your OAuth 2.0 application.", + "add_oauth_app.descriptionRequired": "Description for the OAuth 2.0 application is required.", + "add_oauth_app.header": "Add", + "add_oauth_app.homepage.help": "The URL for the homepage of the OAuth 2.0 application. Make sure you use HTTP or HTTPS in your URL depending on your server configuration.", + "add_oauth_app.homepageRequired": "Homepage for the OAuth 2.0 application is required.", + "add_oauth_app.icon.help": "(Optional) The URL of the image used for your OAuth 2.0 application. Make sure you use HTTP or HTTPS in your URL.", + "add_oauth_app.name.help": "Display name for your OAuth 2.0 application made of up to 64 characters.", + "add_oauth_app.nameRequired": "Name for the OAuth 2.0 application is required.", + "add_oauth_app.trusted.help": "When true, the OAuth 2.0 application is considered trusted by the Mattermost server and doesn't require the user to accept authorization. When false, an additional window will appear, asking the user to accept or deny the authorization.", "add_outgoing_webhook.callbackUrls": "Callback URLs (One Per Line)", "add_outgoing_webhook.callbackUrls.help": "The URL that messages will be sent to.", "add_outgoing_webhook.callbackUrlsRequired": "One or more callback URLs are required", @@ -360,8 +371,8 @@ "admin.image.thumbWidthDescription": "Width of thumbnails generated from uploaded images. Updating this value changes how thumbnail images render in future, but does not change images created in the past.", "admin.image.thumbWidthExample": "Ex \"120\"", "admin.image.thumbWidthTitle": "Attachment Thumbnail Width:", + "admin.integrations.custom": "Custom Integrations", "admin.integrations.external": "External Services", - "admin.integrations.webhook": "Webhooks and Commands", "admin.ldap.baseDesc": "The Base DN is the Distinguished Name of the location where Mattermost should start its search for users in the LDAP tree.", "admin.ldap.baseEx": "Ex \"ou=Unit Name,dc=corp,dc=example,dc=com\"", "admin.ldap.baseTitle": "BaseDN:", @@ -459,6 +470,8 @@ "admin.notifications.email": "Email", "admin.notifications.push": "Mobile Push", "admin.notifications.title": "Notification Settings", + "admin.oauth.providerDescription": "When true, Mattermost can act as an OAuth 2.0 service provider allowing external applications to authorize API requests to Mattermost.", + "admin.oauth.providerTitle": "Enable OAuth 2.0 Service Provider: ", "admin.password.lowercase": "At least one lowercase letter", "admin.password.minimumLength": "Minimum Password Length:", "admin.password.minimumLengthDescription": "Minimum number of characters required for a valid password. Must be a whole number greater than or equal to {min} and less than or equal to {max}.", @@ -625,6 +638,7 @@ "admin.sidebar.connections": "Connections", "admin.sidebar.customBrand": "Custom Branding", "admin.sidebar.customEmoji": "Custom Emoji", + "admin.sidebar.customIntegrations": "Custom Integrations", "admin.sidebar.customization": "Customization", "admin.sidebar.database": "Database", "admin.sidebar.developer": "Developer", @@ -666,7 +680,6 @@ "admin.sidebar.users": "Users", "admin.sidebar.usersAndTeams": "Users and Teams", "admin.sidebar.view_statistics": "Site Statistics", - "admin.sidebar.webhooks": "Webhooks and Commands", "admin.sidebarHeader.systemConsole": "System Console", "admin.sql.dataSource": "Data Source:", "admin.sql.driverName": "Driver Name:", @@ -861,12 +874,13 @@ "authorize.allow": "Allow", "authorize.app": "The app <strong>{appName}</strong> would like the ability to access and modify your basic information.", "authorize.deny": "Deny", - "authorize.title": "An application would like to connect to your {teamName} account", + "authorize.title": "<strong>{appName}</strong> would like to connect to your <strong>Mattermost</strong> user account", "backstage_list.search": "Search", "backstage_navbar.backToMattermost": "Back to {siteName}", "backstage_sidebar.integrations": "Integrations", "backstage_sidebar.integrations.commands": "Slash Commands", "backstage_sidebar.integrations.incoming_webhooks": "Incoming Webhooks", + "backstage_sidebar.integrations.oauthApps": "OAuth 2.0 Applications", "backstage_sidebar.integrations.outgoing_webhooks": "Outgoing Webhooks", "center_panel.recent": "Click here to jump to recent messages. ", "chanel_header.addMembers": "Add Members", @@ -1161,14 +1175,35 @@ "installed_incoming_webhooks.search": "Search Incoming Webhooks", "installed_incoming_webhooks.unknown_channel": "A Private Webhook", "installed_integrations.callback_urls": "Callback URLs: {urls}", + "installed_integrations.client_id": "Client ID: <strong>{clientId}</strong>", + "installed_integrations.client_secret": "Client Secret: <strong>{clientSecret}</strong>", "installed_integrations.content_type": "Content-Type: {contentType}", "installed_integrations.creation": "Created by {creator} on {createAt, date, full}", "installed_integrations.delete": "Delete", + "installed_integrations.hideSecret": "Hide Secret", "installed_integrations.regenToken": "Regenerate Token", + "installed_integrations.showSecret": "Show Secret", "installed_integrations.token": "Token: {token}", "installed_integrations.triggerWords": "Trigger Words: {triggerWords}", "installed_integrations.triggerWhen": "Trigger When: {triggerWhen}", + "installed_integrations.unnamed_oauth_app": "Unnamed OAuth 2.0 Application", "installed_integrations.url": "URL: {url}", + "installed_oauth_apps.add": "Add OAuth 2.0 Application", + "installed_oauth_apps.callbackUrls": "Callback URLs (One Per Line)", + "installed_oauth_apps.cancel": "Cancel", + "installed_oauth_apps.description": "Description", + "installed_oauth_apps.empty": "No OAuth 2.0 Applications found", + "installed_oauth_apps.header": "OAuth 2.0 Applications", + "installed_oauth_apps.help": "OAuth 2.0 Applications are available to everyone on your server.", + "installed_oauth_apps.homepage": "Homepage", + "installed_oauth_apps.iconUrl": "Icon URL", + "installed_oauth_apps.is_trusted": "Is Trusted: <strong>{isTrusted}</strong>", + "installed_oauth_apps.name": "Display Name", + "installed_oauth_apps.save": "Save", + "installed_oauth_apps.search": "Search OAuth 2.0 Applications", + "installed_oauth_apps.trusted": "Is Trusted", + "installed_oauth_apps.trusted.no": "No", + "installed_oauth_apps.trusted.yes": "Yes", "installed_outgoing_webhooks.add": "Add Outgoing Webhook", "installed_outgoing_webhooks.empty": "No outgoing webhooks found", "installed_outgoing_webhooks.header": "Outgoing Webhooks", @@ -1181,6 +1216,8 @@ "integrations.header": "Integrations", "integrations.incomingWebhook.description": "Incoming webhooks allow external integrations to send messages", "integrations.incomingWebhook.title": "Incoming Webhook", + "integrations.oauthApps.description": "OAuth 2.0 allows external applications to make authorized requests to the Mattermost API.", + "integrations.oauthApps.title": "OAuth 2.0 Applications", "integrations.outgoingWebhook.description": "Outgoing webhooks allow external integrations to receive and respond to messages", "integrations.outgoingWebhook.title": "Outgoing Webhook", "intro_messages.DM": "This is the start of your direct message history with {teammate}.<br />Direct messages and files shared here are not shown to people outside this area.", @@ -1338,25 +1375,6 @@ "post_info.reply": "Reply", "posts_view.loadMore": "Load more messages", "posts_view.newMsg": "New Messages", - "register_app.callback": "Callback URL", - "register_app.callbackError": "At least one callback URL must be filled in.", - "register_app.cancel": "Cancel", - "register_app.clientId": "Client ID", - "register_app.clientSecret": "Client Secret", - "register_app.close": "Close", - "register_app.credentialsDescription": "Save these somewhere SAFE and SECURE. Treat your Client ID as your app's username and your Client Secret as the app's password.", - "register_app.credentialsSave": "I have saved both my Client Id and Client Secret somewhere safe", - "register_app.credentialsTitle": "Your Application Credentials", - "register_app.description": "Description", - "register_app.dev": "Developer Applications", - "register_app.homepage": "Homepage URL", - "register_app.homepageError": "Homepage must be filled in.", - "register_app.name": "Application Name", - "register_app.nameError": "Application name must be filled in.", - "register_app.optional": "Optional", - "register_app.register": "Register", - "register_app.required": "Required", - "register_app.title": "Register a New Application", "removed_channel.channelName": "the channel", "removed_channel.from": "Removed from ", "removed_channel.okay": "Okay", @@ -1581,10 +1599,6 @@ "user.settings.custom_theme.sidebarTextHoverBg": "Sidebar Text Hover BG", "user.settings.custom_theme.sidebarTitle": "Sidebar Styles", "user.settings.custom_theme.sidebarUnreadText": "Sidebar Unread Text", - "user.settings.developer.applicationsPreview": "Applications (Preview)", - "user.settings.developer.register": "Register New Application", - "user.settings.developer.thirdParty": "Open to register a new third-party application", - "user.settings.developer.title": "Developer Settings", "user.settings.display.channelDisplayTitle": "Channel Display Mode", "user.settings.display.channeldisplaymode": "Select the width of the center channel.", "user.settings.display.clockDisplay": "Clock Display", @@ -1679,7 +1693,6 @@ "user.settings.modal.confirmBtns": "Yes, Discard", "user.settings.modal.confirmMsg": "You have unsaved changes, are you sure you want to discard them?", "user.settings.modal.confirmTitle": "Discard Changes?", - "user.settings.modal.developer": "Developer", "user.settings.modal.display": "Display", "user.settings.modal.general": "General", "user.settings.modal.notifications": "Notifications", diff --git a/webapp/images/oauth_icon.png b/webapp/images/oauth_icon.png Binary files differnew file mode 100644 index 000000000..69078b3a5 --- /dev/null +++ b/webapp/images/oauth_icon.png diff --git a/webapp/images/webhook_icon.jpg b/webapp/images/webhook_icon.jpg Binary files differindex af5303421..80f0b1cb6 100644 --- a/webapp/images/webhook_icon.jpg +++ b/webapp/images/webhook_icon.jpg diff --git a/webapp/root.html b/webapp/root.html index 7cead1c59..7987a52fc 100644 --- a/webapp/root.html +++ b/webapp/root.html @@ -34,20 +34,13 @@ <!-- CSS Should always go first --> <link rel='stylesheet' class='code_theme'> - <style id='antiClickjack'>body{display:none !important;}</style> - <script type='text/javascript'> - if (self === top) { - var blocker = document.getElementById('antiClickjack'); - blocker.parentNode.removeChild(blocker); - } - </script> </head> <body> <div id='root'> <div class='loading-screen' - style='relative' + style='position: relative' > <div class='loading__content'> <div class='round round-1'></div> diff --git a/webapp/routes/route_admin_console.jsx b/webapp/routes/route_admin_console.jsx index 291ba65f8..2db29e83b 100644 --- a/webapp/routes/route_admin_console.jsx +++ b/webapp/routes/route_admin_console.jsx @@ -24,7 +24,7 @@ import SessionSettings from 'components/admin_console/session_settings.jsx'; import ConnectionSettings from 'components/admin_console/connection_settings.jsx'; import EmailSettings from 'components/admin_console/email_settings.jsx'; import PushSettings from 'components/admin_console/push_settings.jsx'; -import WebhookSettings from 'components/admin_console/webhook_settings.jsx'; +import CustomIntegrationsSettings from 'components/admin_console/custom_integrations_settings.jsx'; import ExternalServiceSettings from 'components/admin_console/external_service_settings.jsx'; import DatabaseSettings from 'components/admin_console/database_settings.jsx'; import StorageSettings from 'components/admin_console/storage_settings.jsx'; @@ -137,10 +137,10 @@ export default ( /> </Route> <Route path='integrations'> - <IndexRedirect to='webhooks'/> + <IndexRedirect to='custom'/> <Route - path='webhooks' - component={WebhookSettings} + path='custom' + component={CustomIntegrationsSettings} /> <Route path='external' diff --git a/webapp/routes/route_integrations.jsx b/webapp/routes/route_integrations.jsx index fdfb5d947..a9d86a5e2 100644 --- a/webapp/routes/route_integrations.jsx +++ b/webapp/routes/route_integrations.jsx @@ -61,6 +61,22 @@ export default { } } ] + }, + { + path: 'oauth2-apps', + indexRoute: { + getComponents: (location, callback) => { + System.import('components/integrations/components/installed_oauth_apps.jsx').then(RouteUtils.importComponentSuccess(callback)); + } + }, + childRoutes: [ + { + path: 'add', + getComponents: (location, callback) => { + System.import('components/integrations/components/add_oauth_app.jsx').then(RouteUtils.importComponentSuccess(callback)); + } + } + ] } ] }; diff --git a/webapp/routes/route_root.jsx b/webapp/routes/route_root.jsx index 88c94b54b..aeca1da72 100644 --- a/webapp/routes/route_root.jsx +++ b/webapp/routes/route_root.jsx @@ -130,6 +130,12 @@ export default { System.import('components/select_team/select_team.jsx').then(RouteUtils.importComponentSuccess(callback)); } }, + { + path: '*authorize', + getComponents: (location, callback) => { + System.import('components/authorize.jsx').then(RouteUtils.importComponentSuccess(callback)); + } + }, createTeamRoute ] ) diff --git a/webapp/sass/components/_oauth.scss b/webapp/sass/components/_oauth.scss index 04840457c..2b4f2f9c9 100644 --- a/webapp/sass/components/_oauth.scss +++ b/webapp/sass/components/_oauth.scss @@ -10,14 +10,19 @@ .prompt__heading { display: table; - font-size: em(20px); + font-size: em(18px); line-height: normal; margin: 1em 0; + table-layout: fixed; width: 100%; > div { display: table-cell; vertical-align: top; + + &:first-child { + width: 70px; + } } img { @@ -26,12 +31,12 @@ } .prompt__allow { - font-size: em(24px); + font-size: em(20px); margin: 1em 0; } .prompt__buttons { - border-top: 1px solid $dark-gray; + border-top: 1px solid $light-gray; padding: 1.5em 0; text-align: right; } diff --git a/webapp/sass/responsive/_mobile.scss b/webapp/sass/responsive/_mobile.scss index 53a9f6c7d..df615aa13 100644 --- a/webapp/sass/responsive/_mobile.scss +++ b/webapp/sass/responsive/_mobile.scss @@ -1,6 +1,19 @@ @charset 'UTF-8'; @media screen and (max-width: 768px) { + .prompt { + .prompt__heading { + display: block; + + > div { + &:first-child { + display: block; + margin: 0 0 1em; + } + } + } + } + .scrollbar--view { margin-right: 0 !important; } @@ -1092,6 +1105,10 @@ @include translate3d(260px, 0, 0); } } + + .integration__icon { + display: none; + } } @media screen and (max-height: 640px) { diff --git a/webapp/sass/routes/_backstage.scss b/webapp/sass/routes/_backstage.scss index 4b8c6ff6c..7bcafd4c1 100644 --- a/webapp/sass/routes/_backstage.scss +++ b/webapp/sass/routes/_backstage.scss @@ -40,7 +40,7 @@ .backstage-content { background-color: $bg--gray; margin: 46px auto; - max-width: 960px; + max-width: 1200px; padding-left: 135px; vertical-align: top; } @@ -216,6 +216,7 @@ border-bottom: 1px solid $light-gray; display: flex; padding: 20px 15px; + position: relative; &:last-child { border: none; @@ -276,6 +277,7 @@ background-color: $white; border: 1px solid $light-gray; padding: 40px 30px 30px; + position: relative; label { font-weight: normal; @@ -323,16 +325,27 @@ } } +.integration__icon { + position: absolute; + height: 100px; + width: 100px; + right: 20px; + + &.integration-list__icon { + top: 50px; + } +} + .integration-option { background-color: $white; border: 1px solid $light-gray; display: inline-block; - height: 210px; margin: 0 30px 30px 0; + min-height: 230px; padding: 20px; text-align: center; vertical-align: top; - width: 250px; + width: 290px; &:last-child { margin-right: 0; @@ -346,6 +359,7 @@ .integration-option__image { height: 80px; + margin: .5em 0 .7em; width: 80px; } diff --git a/webapp/stores/integration_store.jsx b/webapp/stores/integration_store.jsx index 454e6290b..a23b9d206 100644 --- a/webapp/stores/integration_store.jsx +++ b/webapp/stores/integration_store.jsx @@ -20,6 +20,8 @@ class IntegrationStore extends EventEmitter { this.outgoingWebhooks = new Map(); this.commands = new Map(); + + this.oauthApps = new Map(); } addChangeListener(callback) { @@ -149,6 +151,35 @@ class IntegrationStore extends EventEmitter { this.setCommands(teamId, commands); } + hasReceivedOAuthApps(userId) { + return this.oauthApps.has(userId); + } + + getOAuthApps(userId) { + return this.oauthApps.get(userId) || []; + } + + setOAuthApps(userId, oauthApps) { + this.oauthApps.set(userId, oauthApps); + } + + addOAuthApp(oauthApp) { + const userId = oauthApp.creator_id; + const oauthApps = this.getOAuthApps(userId); + + oauthApps.push(oauthApp); + + this.setOAuthApps(userId, oauthApps); + } + + removeOAuthApp(userId, id) { + let apps = this.getOAuthApps(userId); + + apps = apps.filter((app) => app.id !== id); + + this.setOAuthApps(userId, apps); + } + handleEventPayload(payload) { const action = payload.action; @@ -197,6 +228,18 @@ class IntegrationStore extends EventEmitter { this.removeCommand(action.teamId, action.id); this.emitChange(); break; + case ActionTypes.RECEIVED_OAUTHAPPS: + this.setOAuthApps(action.userId, action.oauthApps); + this.emitChange(); + break; + case ActionTypes.RECEIVED_OAUTHAPP: + this.addOAuthApp(action.oauthApp); + this.emitChange(); + break; + case ActionTypes.REMOVED_OAUTHAPP: + this.removeOAuthApp(action.userId, action.id); + this.emitChange(); + break; } } } diff --git a/webapp/stores/modal_store.jsx b/webapp/stores/modal_store.jsx index 0209f3993..9961475b2 100644 --- a/webapp/stores/modal_store.jsx +++ b/webapp/stores/modal_store.jsx @@ -37,7 +37,6 @@ class ModalStoreClass extends EventEmitter { case ActionTypes.TOGGLE_DELETE_POST_MODAL: case ActionTypes.TOGGLE_GET_POST_LINK_MODAL: case ActionTypes.TOGGLE_GET_TEAM_INVITE_LINK_MODAL: - case ActionTypes.TOGGLE_REGISTER_APP_MODAL: case ActionTypes.TOGGLE_GET_PUBLIC_LINK_MODAL: this.emit(type, value, args); break; diff --git a/webapp/utils/constants.jsx b/webapp/utils/constants.jsx index 6c0014ac7..812796ebb 100644 --- a/webapp/utils/constants.jsx +++ b/webapp/utils/constants.jsx @@ -106,6 +106,9 @@ export const ActionTypes = keyMirror({ RECEIVED_COMMAND: null, UPDATED_COMMAND: null, REMOVED_COMMAND: null, + RECEIVED_OAUTHAPPS: null, + RECEIVED_OAUTHAPP: null, + REMOVED_OAUTHAPP: null, RECEIVED_CUSTOM_EMOJIS: null, RECEIVED_CUSTOM_EMOJI: null, @@ -138,7 +141,6 @@ export const ActionTypes = keyMirror({ TOGGLE_DELETE_POST_MODAL: null, TOGGLE_GET_POST_LINK_MODAL: null, TOGGLE_GET_TEAM_INVITE_LINK_MODAL: null, - TOGGLE_REGISTER_APP_MODAL: null, TOGGLE_GET_PUBLIC_LINK_MODAL: null, SUGGESTION_PRETEXT_CHANGED: null, |
