diff options
-rw-r--r-- | api/command.go | 7 | ||||
-rw-r--r-- | api/post.go | 8 | ||||
-rw-r--r-- | api/user.go | 3 | ||||
-rw-r--r-- | config/config.json | 3 | ||||
-rw-r--r-- | docker/dev/config_docker.json | 1 | ||||
-rw-r--r-- | docker/local/config_docker.json | 1 | ||||
-rw-r--r-- | model/config.go | 48 | ||||
-rw-r--r-- | web/react/components/admin_console/service_settings.jsx | 50 | ||||
-rw-r--r-- | web/static/i18n/en.json | 4 |
9 files changed, 95 insertions, 30 deletions
diff --git a/api/command.go b/api/command.go index a8573cdcc..b22d00dc0 100644 --- a/api/command.go +++ b/api/command.go @@ -4,6 +4,7 @@ package api import ( + "crypto/tls" "fmt" "io/ioutil" "net/http" @@ -172,7 +173,11 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) { method = "GET" } - client := &http.Client{} + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections}, + } + client := &http.Client{Transport: tr} + req, _ := http.NewRequest(method, cmd.URL, strings.NewReader(p.Encode())) req.Header.Set("Accept", "application/json") if cmd.Method == model.COMMAND_METHOD_POST { diff --git a/api/post.go b/api/post.go index 58f490558..fadabd66e 100644 --- a/api/post.go +++ b/api/post.go @@ -402,9 +402,8 @@ func handleWebhookEventsAndForget(c *Context, post *model.Post, team *model.Team p.Set("text", post.Message) p.Set("trigger_word", firstWord) - // accept any TLS certs tr := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections}, } client := &http.Client{Transport: tr} @@ -687,7 +686,10 @@ func sendNotifications(c *Context, post *model.Post, team *model.Team, channel * msg.Message = senderName + userLocale("api.post.send_notifications_and_forget.push_mention") + channelName } - httpClient := http.Client{} + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections}, + } + httpClient := &http.Client{Transport: tr} request, _ := http.NewRequest("POST", *utils.Cfg.EmailSettings.PushNotificationServer+"/api/v1/send_push", strings.NewReader(msg.ToJson())) l4g.Debug(utils.T("api.post.send_notifications_and_forget.push_notification.debug"), msg.DeviceId, msg.Message) diff --git a/api/user.go b/api/user.go index aa06fa910..507c83d28 100644 --- a/api/user.go +++ b/api/user.go @@ -1961,9 +1961,8 @@ func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser p.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE) p.Set("redirect_uri", redirectUri) - // accept any TLS certs tr := &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections}, } client := &http.Client{Transport: tr} req, _ := http.NewRequest("POST", sso.TokenEndpoint, strings.NewReader(p.Encode())) diff --git a/config/config.json b/config/config.json index 5ed05fecd..2795546f8 100644 --- a/config/config.json +++ b/config/config.json @@ -14,6 +14,7 @@ "EnableTesting": false, "EnableDeveloper": false, "EnableSecurityFixAlert": true, + "EnableInsecureOutgoingConnections": false, "SessionLengthWebInDays": 30, "SessionLengthMobileInDays": 30, "SessionLengthSSOInDays": 30, @@ -112,4 +113,4 @@ "TokenEndpoint": "", "UserApiEndpoint": "" } -}
\ No newline at end of file +} diff --git a/docker/dev/config_docker.json b/docker/dev/config_docker.json index e831bbb3a..6a1290189 100644 --- a/docker/dev/config_docker.json +++ b/docker/dev/config_docker.json @@ -14,6 +14,7 @@ "EnableTesting": false, "EnableDeveloper": false, "EnableSecurityFixAlert": true, + "EnableInsecureOutgoingConnections": false, "SessionLengthWebInDays" : 30, "SessionLengthMobileInDays" : 30, "SessionLengthSSOInDays" : 30, diff --git a/docker/local/config_docker.json b/docker/local/config_docker.json index e831bbb3a..6a1290189 100644 --- a/docker/local/config_docker.json +++ b/docker/local/config_docker.json @@ -14,6 +14,7 @@ "EnableTesting": false, "EnableDeveloper": false, "EnableSecurityFixAlert": true, + "EnableInsecureOutgoingConnections": false, "SessionLengthWebInDays" : 30, "SessionLengthMobileInDays" : 30, "SessionLengthSSOInDays" : 30, diff --git a/model/config.go b/model/config.go index acb525abf..aa3dd3586 100644 --- a/model/config.go +++ b/model/config.go @@ -24,26 +24,27 @@ const ( ) type ServiceSettings struct { - ListenAddress string - MaximumLoginAttempts int - SegmentDeveloperKey string - GoogleDeveloperKey string - EnableOAuthServiceProvider bool - EnableIncomingWebhooks bool - EnableOutgoingWebhooks bool - EnableCommands *bool - EnableOnlyAdminIntegrations *bool - EnablePostUsernameOverride bool - EnablePostIconOverride bool - EnableTesting bool - EnableDeveloper *bool - EnableSecurityFixAlert *bool - SessionLengthWebInDays *int - SessionLengthMobileInDays *int - SessionLengthSSOInDays *int - SessionCacheInMinutes *int - WebsocketSecurePort *int - WebsocketPort *int + ListenAddress string + MaximumLoginAttempts int + SegmentDeveloperKey string + GoogleDeveloperKey string + EnableOAuthServiceProvider bool + EnableIncomingWebhooks bool + EnableOutgoingWebhooks bool + EnableCommands *bool + EnableOnlyAdminIntegrations *bool + EnablePostUsernameOverride bool + EnablePostIconOverride bool + EnableTesting bool + EnableDeveloper *bool + EnableSecurityFixAlert *bool + EnableInsecureOutgoingConnections *bool + SessionLengthWebInDays *int + SessionLengthMobileInDays *int + SessionLengthSSOInDays *int + SessionCacheInMinutes *int + WebsocketSecurePort *int + WebsocketPort *int } type SSOSettings struct { @@ -164,7 +165,7 @@ type LdapSettings struct { UsernameAttribute *string IdAttribute *string - // Advansed + // Advanced QueryTimeout *int } @@ -252,6 +253,11 @@ func (o *Config) SetDefaults() { *o.ServiceSettings.EnableSecurityFixAlert = true } + if o.ServiceSettings.EnableInsecureOutgoingConnections == nil { + o.ServiceSettings.EnableInsecureOutgoingConnections = new(bool) + *o.ServiceSettings.EnableInsecureOutgoingConnections = false + } + if o.TeamSettings.RestrictTeamNames == nil { o.TeamSettings.RestrictTeamNames = new(bool) *o.TeamSettings.RestrictTeamNames = true diff --git a/web/react/components/admin_console/service_settings.jsx b/web/react/components/admin_console/service_settings.jsx index 2cc68d1ed..f232d4633 100644 --- a/web/react/components/admin_console/service_settings.jsx +++ b/web/react/components/admin_console/service_settings.jsx @@ -75,6 +75,7 @@ class ServiceSettings extends React.Component { config.ServiceSettings.EnableTesting = ReactDOM.findDOMNode(this.refs.EnableTesting).checked; config.ServiceSettings.EnableDeveloper = ReactDOM.findDOMNode(this.refs.EnableDeveloper).checked; config.ServiceSettings.EnableSecurityFixAlert = ReactDOM.findDOMNode(this.refs.EnableSecurityFixAlert).checked; + config.ServiceSettings.EnableInsecureOutgoingConnections = ReactDOM.findDOMNode(this.refs.EnableInsecureOutgoingConnections).checked; config.ServiceSettings.EnableCommands = ReactDOM.findDOMNode(this.refs.EnableCommands).checked; config.ServiceSettings.EnableOnlyAdminIntegrations = ReactDOM.findDOMNode(this.refs.EnableOnlyAdminIntegrations).checked; @@ -720,6 +721,53 @@ class ServiceSettings extends React.Component { <div className='form-group'> <label className='control-label col-sm-4' + htmlFor='EnableInsecureOutgoingConnections' + > + <FormattedMessage + id='admin.service.insecureTlsTitle' + defaultMessage='Enable Insecure Outgoing Connections: ' + /> + </label> + <div className='col-sm-8'> + <label className='radio-inline'> + <input + type='radio' + name='EnableInsecureOutgoingConnections' + value='true' + ref='EnableInsecureOutgoingConnections' + defaultChecked={this.props.config.ServiceSettings.EnableInsecureOutgoingConnections} + onChange={this.handleChange} + /> + <FormattedMessage + id='admin.service.true' + defaultMessage='true' + /> + </label> + <label className='radio-inline'> + <input + type='radio' + name='EnableInsecureOutgoingConnections' + value='false' + defaultChecked={!this.props.config.ServiceSettings.EnableInsecureOutgoingConnections} + onChange={this.handleChange} + /> + <FormattedMessage + id='admin.service.false' + defaultMessage='false' + /> + </label> + <p className='help-text'> + <FormattedMessage + id='admin.service.insecureTlsDesc' + defaultMessage='When true, any outgoing HTTPS requests will accept unverified, self-signed certificates. For example, outgoing webhooks to a server with a self-signed TLS certificate, using any domain, will be allowed. Note that this makes these connections susceptible to man-in-the-middle attacks.' + /> + </p> + </div> + </div> + + <div className='form-group'> + <label + className='control-label col-sm-4' htmlFor='SessionLengthWebInDays' > <FormattedMessage @@ -896,4 +944,4 @@ ServiceSettings.propTypes = { config: React.PropTypes.object }; -export default injectIntl(ServiceSettings);
\ No newline at end of file +export default injectIntl(ServiceSettings); diff --git a/web/static/i18n/en.json b/web/static/i18n/en.json index caa4afae3..16985143d 100644 --- a/web/static/i18n/en.json +++ b/web/static/i18n/en.json @@ -365,6 +365,8 @@ "admin.service.developerDesc": "(Developer Option) When true, extra information around errors will be displayed in the UI.", "admin.service.securityTitle": "Enable Security Alerts: ", "admin.service.securityDesc": "When true, System Administrators are notified by email if a relevant security fix alert has been announced in the last 12 hours. Requires email to be enabled.", + "admin.service.insecureTlsTitle": "Enable Insecure Outgoing Connections: ", + "admin.service.insecureTlsDesc": "When true, any outgoing HTTPS requests will accept unverified, self-signed certificates. For example, outgoing webhooks to a server with a self-signed TLS certificate, using any domain, will be allowed. Note that this makes these connections susceptible to man-in-the-middle attacks.", "admin.service.webSessionDays": "Session Length for Web in Days:", "admin.service.webSessionDaysDesc": "The web session will expire after the number of days specified and will require a user to login again.", "admin.service.mobileSessionDays": "Session Length for Mobile Device in Days:", @@ -1263,4 +1265,4 @@ "intro_messages.beginning": "Beginning of {name}", "intro_messages.invite": "Invite others to this {type}", "intro_messages.setHeader": "Set a Header" -}
\ No newline at end of file +} |