summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--api4/user.go27
-rw-r--r--api4/user_test.go63
-rw-r--r--app/user.go24
-rw-r--r--model/client4.go10
-rw-r--r--model/user.go26
5 files changed, 150 insertions, 0 deletions
diff --git a/api4/user.go b/api4/user.go
index 6cb064f8c..0b07f8dc7 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -38,6 +38,8 @@ func (api *API) InitUser() {
api.BaseRoutes.Users.Handle("/email/verify", api.ApiHandler(verifyUserEmail)).Methods("POST")
api.BaseRoutes.Users.Handle("/email/verify/send", api.ApiHandler(sendVerificationEmail)).Methods("POST")
+ api.BaseRoutes.User.Handle("/auth", api.ApiSessionRequiredTrustRequester(updateUserAuth)).Methods("PUT")
+
api.BaseRoutes.Users.Handle("/mfa", api.ApiHandler(checkUserMfa)).Methods("POST")
api.BaseRoutes.User.Handle("/mfa", api.ApiSessionRequiredMfa(updateUserMfa)).Methods("PUT")
api.BaseRoutes.User.Handle("/mfa/generate", api.ApiSessionRequiredMfa(generateMfaSecret)).Methods("POST")
@@ -697,6 +699,31 @@ func updateUserActive(c *Context, w http.ResponseWriter, r *http.Request) {
}
}
+func updateUserAuth(c *Context, w http.ResponseWriter, r *http.Request) {
+ if !c.IsSystemAdmin() {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+ return
+ }
+
+ c.RequireUserId()
+ if c.Err != nil {
+ return
+ }
+
+ userAuth := model.UserAuthFromJson(r.Body)
+ if userAuth == nil {
+ c.SetInvalidParam("user")
+ return
+ }
+
+ if user, err := c.App.UpdateUserAuth(c.Params.UserId, userAuth); err != nil {
+ c.Err = err
+ } else {
+ c.LogAuditWithUserId(c.Params.UserId, fmt.Sprintf("updated user auth to service=%v", user.AuthService))
+ w.Write([]byte(user.ToJson()))
+ }
+}
+
func checkUserMfa(c *Context, w http.ResponseWriter, r *http.Request) {
props := model.MapFromJson(r.Body)
diff --git a/api4/user_test.go b/api4/user_test.go
index e3f1935b4..fb9222d8f 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -11,6 +11,7 @@ import (
"time"
"github.com/mattermost/mattermost-server/model"
+ "github.com/mattermost/mattermost-server/store"
"github.com/mattermost/mattermost-server/utils"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@@ -1062,6 +1063,68 @@ func TestPatchUser(t *testing.T) {
CheckNoError(t, resp)
}
+func TestUpdateUserAuth(t *testing.T) {
+ th := Setup().InitSystemAdmin().InitBasic()
+ defer th.TearDown()
+
+ Client := th.SystemAdminClient
+ team := th.CreateTeamWithClient(Client)
+
+ user := th.CreateUser()
+
+ th.LinkUserToTeam(user, team)
+ store.Must(th.App.Srv.Store.User().VerifyEmail(user.Id))
+
+ userAuth := &model.UserAuth{}
+ userAuth.AuthData = user.AuthData
+ userAuth.AuthService = user.AuthService
+ userAuth.Password = user.Password
+
+ // Regular user can not use endpoint
+ if _, err := th.Client.UpdateUserAuth(user.Id, userAuth); err == nil {
+ t.Fatal("Shouldn't have permissions. Only Admins")
+ }
+
+ userAuth.AuthData = model.NewString("test@test.com")
+ userAuth.AuthService = model.USER_AUTH_SERVICE_SAML
+ userAuth.Password = "newpassword"
+ ruser, resp := Client.UpdateUserAuth(user.Id, userAuth)
+ CheckNoError(t, resp)
+
+ // AuthData and AuthService are set, password is set to empty
+ if *ruser.AuthData != *userAuth.AuthData {
+ t.Fatal("Should have set the correct AuthData")
+ }
+ if ruser.AuthService != model.USER_AUTH_SERVICE_SAML {
+ t.Fatal("Should have set the correct AuthService")
+ }
+ if ruser.Password != "" {
+ t.Fatal("Password should be empty")
+ }
+
+ // When AuthData or AuthService are empty, password must be valid
+ userAuth.AuthData = user.AuthData
+ userAuth.AuthService = ""
+ userAuth.Password = "1"
+ if _, err := Client.UpdateUserAuth(user.Id, userAuth); err == nil {
+ t.Fatal("Should have errored - user password not valid")
+ }
+
+ // Regular user can not use endpoint
+ user2 := th.CreateUser()
+ th.LinkUserToTeam(user2, team)
+ store.Must(th.App.Srv.Store.User().VerifyEmail(user2.Id))
+
+ Client.Login(user2.Email, "passwd1")
+
+ userAuth.AuthData = user.AuthData
+ userAuth.AuthService = user.AuthService
+ userAuth.Password = user.Password
+ if _, err := Client.UpdateUserAuth(user.Id, userAuth); err == nil {
+ t.Fatal("Should have errored")
+ }
+}
+
func TestDeleteUser(t *testing.T) {
th := Setup().InitBasic().InitSystemAdmin()
defer th.TearDown()
diff --git a/app/user.go b/app/user.go
index 626f6310f..493b391ae 100644
--- a/app/user.go
+++ b/app/user.go
@@ -969,6 +969,30 @@ func (a *App) PatchUser(userId string, patch *model.UserPatch, asAdmin bool) (*m
return updatedUser, nil
}
+func (a *App) UpdateUserAuth(userId string, userAuth *model.UserAuth) (*model.UserAuth, *model.AppError) {
+ if userAuth.AuthData == nil || *userAuth.AuthData == "" || userAuth.AuthService == "" {
+ userAuth.AuthData = nil
+ userAuth.AuthService = ""
+
+ if err := a.IsPasswordValid(userAuth.Password); err != nil {
+ return nil, err
+ }
+ password := model.HashPassword(userAuth.Password)
+
+ if result := <-a.Srv.Store.User().UpdatePassword(userId, password); result.Err != nil {
+ return nil, result.Err
+ }
+ } else {
+ userAuth.Password = ""
+
+ if result := <-a.Srv.Store.User().UpdateAuthData(userId, userAuth.AuthService, userAuth.AuthData, "", false); result.Err != nil {
+ return nil, result.Err
+ }
+ }
+
+ return userAuth, nil
+}
+
func (a *App) sendUpdatedUserEvent(user model.User, asAdmin bool) {
a.SanitizeProfile(&user, asAdmin)
diff --git a/model/client4.go b/model/client4.go
index d37fb3b0f..e84a23e5f 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -766,6 +766,16 @@ func (c *Client4) PatchUser(userId string, patch *UserPatch) (*User, *Response)
}
}
+// UpdateUserAuth updates a user AuthData (uthData, authService and password) in the system.
+func (c *Client4) UpdateUserAuth(userId string, userAuth *UserAuth) (*UserAuth, *Response) {
+ if r, err := c.DoApiPut(c.GetUserRoute(userId)+"/auth", userAuth.ToJson()); err != nil {
+ return nil, BuildErrorResponse(r, err)
+ } else {
+ defer closeBody(r)
+ return UserAuthFromJson(r.Body), BuildResponse(r)
+ }
+}
+
// UpdateUserMfa activates multi-factor authentication for a user if activate
// is true and a valid code is provided. If activate is false, then code is not
// required and multi-factor authentication is disabled for the user.
diff --git a/model/user.go b/model/user.go
index 8d8c76c68..7e767fd5c 100644
--- a/model/user.go
+++ b/model/user.go
@@ -88,6 +88,12 @@ type UserPatch struct {
Locale *string `json:"locale"`
}
+type UserAuth struct {
+ Password string `json:"password,omitempty"`
+ AuthData *string `json:"auth_data,omitempty"`
+ AuthService string `json:"auth_service,omitempty"`
+}
+
// IsValid validates the user and returns an error if it isn't configured
// correctly.
func (u *User) IsValid() *AppError {
@@ -309,6 +315,15 @@ func (u *UserPatch) ToJson() string {
}
}
+func (u *UserAuth) ToJson() string {
+ b, err := json.Marshal(u)
+ if err != nil {
+ return ""
+ } else {
+ return string(b)
+ }
+}
+
// Generate a valid strong etag so the browser can cache the results
func (u *User) Etag(showFullName, showEmail bool) string {
return Etag(u.Id, u.UpdateAt, showFullName, showEmail)
@@ -494,6 +509,17 @@ func UserPatchFromJson(data io.Reader) *UserPatch {
}
}
+func UserAuthFromJson(data io.Reader) *UserAuth {
+ decoder := json.NewDecoder(data)
+ var user UserAuth
+ err := decoder.Decode(&user)
+ if err == nil {
+ return &user
+ } else {
+ return nil
+ }
+}
+
func UserMapToJson(u map[string]*User) string {
b, err := json.Marshal(u)
if err != nil {
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-05-21 20:20:58 +0000