-rw-r--r-- | api/command.go | 7 | ||||
-rw-r--r-- | api/post.go | 11 | ||||
-rw-r--r-- | api/user.go | 6 | ||||
-rw-r--r-- | api/webhook.go | 2 | ||||
-rw-r--r-- | config/config.json | 3 | ||||
-rw-r--r-- | docker/dev/config_docker.json | 1 | ||||
-rw-r--r-- | docker/local/config_docker.json | 1 | ||||
-rw-r--r-- | model/config.go | 48 | ||||
-rw-r--r-- | web/react/components/admin_console/service_settings.jsx | 50 | ||||
-rw-r--r-- | web/static/i18n/en.json | 4 |
10 files changed, 104 insertions, 29 deletions
diff --git a/api/command.go b/api/command.go
index 49d9e84f1..bebe6629c 100644
--- a/api/command.go
+++ b/api/command.go
@@ -4,6 +4,7 @@
 package api
 import (
+ "crypto/tls"
 "fmt"
 "io/ioutil"
 "net/http"
@@ -173,7 +174,11 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 method = "GET"
 }
- client := &http.Client{}
+ tr := &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections},
+ }
+ client := &http.Client{Transport: tr}
+
 req, _ := http.NewRequest(method, cmd.URL, strings.NewReader(p.Encode()))
 req.Header.Set("Accept", "application/json")
 if cmd.Method == model.COMMAND_METHOD_POST {
diff --git a/api/post.go b/api/post.go
index c17da262f..fadabd66e 100644
--- a/api/post.go
+++ b/api/post.go
@@ -4,6 +4,7 @@
 package api
 import (
+ "crypto/tls"
 "fmt"
 l4g "github.com/alecthomas/log4go"
 "github.com/gorilla/mux"
@@ -401,7 +402,10 @@ func handleWebhookEventsAndForget(c *Context, post *model.Post, team *model.Team
 p.Set("text", post.Message)
 p.Set("trigger_word", firstWord)
- client := &http.Client{}
+ tr := &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections},
+ }
+ client := &http.Client{Transport: tr}
 for _, url := range hook.CallbackURLs {
 go func(url string) {
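Review bot: The new client in `executeCommand` (api/command.go) is built from a bare `http.Transport`, so it no longer gets what the previous `&http.Client{}` took from `http.DefaultTransport`: the proxy from the environment and the dial and TLS-handshake timeouts. A fresh transport per call also means connections are never reused and idle ones are left behind. The same four lines are repeated in `handleWebhookEventsAndForget` and `sendNotifications` (api/post.go) and in `AuthorizeOAuthUser` (api/user.go); one shared helper, sketched below with an illustrative name and timeout values, would fix all four and keep the `InsecureSkipVerify` decision in a single place. All four function bodies start and end outside their hunks.

```go
// utils (new helper; name and timeout values are illustrative)
func NewOutgoingHTTPClient() *http.Client {
	tr := &http.Transport{
		Proxy:               http.ProxyFromEnvironment,
		TLSHandshakeTimeout: 10 * time.Second,
		// Verification stays on unless an administrator opted out.
		TLSClientConfig: &tls.Config{InsecureSkipVerify: *Cfg.ServiceSettings.EnableInsecureOutgoingConnections},
	}
	return &http.Client{Transport: tr, Timeout: 30 * time.Second}
}

// api/command.go, executeCommand
client := utils.NewOutgoingHTTPClient()
// … unchanged: request construction and headers …
```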
@@ -682,7 +686,10 @@ func sendNotifications(c *Context, post *model.Post, team *model.Team, channel *
 msg.Message = senderName + userLocale("api.post.send_notifications_and_forget.push_mention") + channelName
 }
- httpClient := http.Client{}
+ tr := &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections},
+ }
+ httpClient := &http.Client{Transport: tr}
 request, _ := http.NewRequest("POST", *utils.Cfg.EmailSettings.PushNotificationServer+"/api/v1/send_push", strings.NewReader(msg.ToJson()))
 l4g.Debug(utils.T("api.post.send_notifications_and_forget.push_notification.debug"), msg.DeviceId, msg.Message)
diff --git a/api/user.go b/api/user.go
index 9926f3ff3..507c83d28 100644
--- a/api/user.go
+++ b/api/user.go
@@ -5,6 +5,7 @@ package api
 import (
 "bytes"
+ "crypto/tls"
 b64 "encoding/base64"
 "fmt"
 l4g "github.com/alecthomas/log4go"
@@ -1960,7 +1961,10 @@ func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser
 p.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE)
 p.Set("redirect_uri", redirectUri)
- client := &http.Client{}
+ tr := &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections},
+ }
+ client := &http.Client{Transport: tr}
 req, _ := http.NewRequest("POST", sso.TokenEndpoint, strings.NewReader(p.Encode()))
 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
diff --git a/api/webhook.go b/api/webhook.go
index 3906d09be..c0f8ea506 100644
--- a/api/webhook.go
+++ b/api/webhook.go
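Review bot: In `AuthorizeOAuthUser` (api/user.go) the token request to `sso.TokenEndpoint` now skips certificate verification whenever `EnableInsecureOutgoingConnections` is set, even though the setting's own help text gives webhooks to self-signed servers as its use case. This POST carries the OAuth grant (the `code` argument, and presumably the client credentials set above the hunk), so an unverified peer would receive it and could answer with a token response of its own. I would keep verification on for this call, i.e. leave `client := &http.Client{}` here, or give SSO a separate setting; for deployments with a private CA, trusting it through `tls.Config.RootCAs` avoids turning verification off at all. The function body starts and ends outside the hunk.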
@@ -238,7 +238,7 @@ func getOutgoingHooks(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 func deleteOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
- if !utils.Cfg.ServiceSettings.EnableIncomingWebhooks {
+ if !utils.Cfg.ServiceSettings.EnableOutgoingWebhooks {
 c.Err = model.NewLocAppError("deleteOutgoingHook", "api.webhook.delete_outgoing.disabled.app_error", nil, "")
 c.Err.StatusCode = http.StatusNotImplemented
 return
diff --git a/config/config.json b/config/config.json
index 5ed05fecd..2795546f8 100644
--- a/config/config.json
+++ b/config/config.json
@@ -14,6 +14,7 @@
 "EnableTesting": false,
 "EnableDeveloper": false,
 "EnableSecurityFixAlert": true,
+ "EnableInsecureOutgoingConnections": false,
 "SessionLengthWebInDays": 30,
 "SessionLengthMobileInDays": 30,
 "SessionLengthSSOInDays": 30,
@@ -112,4 +113,4 @@
 "TokenEndpoint": "",
 "UserApiEndpoint": ""
 }
-}
\ No newline at end of file
+}
diff --git a/docker/dev/config_docker.json b/docker/dev/config_docker.json
index e831bbb3a..6a1290189 100644
--- a/docker/dev/config_docker.json
+++ b/docker/dev/config_docker.json
@@ -14,6 +14,7 @@
 "EnableTesting": false,
 "EnableDeveloper": false,
 "EnableSecurityFixAlert": true,
+ "EnableInsecureOutgoingConnections": false,
 "SessionLengthWebInDays" : 30,
 "SessionLengthMobileInDays" : 30,
 "SessionLengthSSOInDays" : 30,
diff --git a/docker/local/config_docker.json b/docker/local/config_docker.json
index e831bbb3a..6a1290189 100644
--- a/docker/local/config_docker.json
+++ b/docker/local/config_docker.json
@@ -14,6 +14,7 @@
 "EnableTesting": false,
 "EnableDeveloper": false,
 "EnableSecurityFixAlert": true,
+ "EnableInsecureOutgoingConnections": false,
 "SessionLengthWebInDays" : 30,
 "SessionLengthMobileInDays" : 30,
 "SessionLengthSSOInDays" : 30,
diff --git a/model/config.go b/model/config.go
index acb525abf..aa3dd3586 100644
--- a/model/config.go
+++ b/model/config.go
@@ -24,26 +24,27 @@ const (
 )
 type ServiceSettings struct {
- ListenAddress string
- MaximumLoginAttempts int
- SegmentDeveloperKey string
- GoogleDeveloperKey string
- EnableOAuthServiceProvider bool
- EnableIncomingWebhooks bool
- EnableOutgoingWebhooks bool
- EnableCommands *bool
- EnableOnlyAdminIntegrations *bool
- EnablePostUsernameOverride bool
- EnablePostIconOverride bool
- EnableTesting bool
- EnableDeveloper *bool
- EnableSecurityFixAlert *bool
- SessionLengthWebInDays *int
- SessionLengthMobileInDays *int
- SessionLengthSSOInDays *int
- SessionCacheInMinutes *int
- WebsocketSecurePort *int
- WebsocketPort *int
+ ListenAddress string
+ MaximumLoginAttempts int
+ SegmentDeveloperKey string
+ GoogleDeveloperKey string
+ EnableOAuthServiceProvider bool
+ EnableIncomingWebhooks bool
+ EnableOutgoingWebhooks bool
+ EnableCommands *bool
+ EnableOnlyAdminIntegrations *bool
+ EnablePostUsernameOverride bool
+ EnablePostIconOverride bool
+ EnableTesting bool
+ EnableDeveloper *bool
+ EnableSecurityFixAlert *bool
+ EnableInsecureOutgoingConnections *bool
+ SessionLengthWebInDays *int
+ SessionLengthMobileInDays *int
+ SessionLengthSSOInDays *int
+ SessionCacheInMinutes *int
+ WebsocketSecurePort *int
+ WebsocketPort *int
 }
 type SSOSettings struct {
@@ -164,7 +165,7 @@ type LdapSettings struct {
 UsernameAttribute *string
 IdAttribute *string
- // Advansed
+ // Advanced
 QueryTimeout *int
 }
@@ -252,6 +253,11 @@ func (o *Config) SetDefaults() {
 *o.ServiceSettings.EnableSecurityFixAlert = true
 }
+ if o.ServiceSettings.EnableInsecureOutgoingConnections == nil {
+ o.ServiceSettings.EnableInsecureOutgoingConnections = new(bool)
+ *o.ServiceSettings.EnableInsecureOutgoingConnections = false
+ }
+
 if o.TeamSettings.RestrictTeamNames == nil {
 o.TeamSettings.RestrictTeamNames = new(bool)
 *o.TeamSettings.RestrictTeamNames = true
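Review bot: `EnableInsecureOutgoingConnections` is added to `ServiceSettings` without a comment, although it is the one field in the struct that switches a security control off and the API code in this commit dereferences it on every outgoing request. I would put `// EnableInsecureOutgoingConnections disables TLS certificate verification for all outgoing HTTPS requests (commands, webhooks, push, OAuth); keep false in production.` directly above the field. A one-line comment on the new `SetDefaults` branch saying that the default must stay false would guard against a later edit copying the `= true` pattern of the neighbouring settings. `SetDefaults` starts and ends outside the hunk.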
diff --git a/web/react/components/admin_console/service_settings.jsx b/web/react/components/admin_console/service_settings.jsx
index 2cc68d1ed..f232d4633 100644
--- a/web/react/components/admin_console/service_settings.jsx
+++ b/web/react/components/admin_console/service_settings.jsx
@@ -75,6 +75,7 @@ class ServiceSettings extends React.Component {
 config.ServiceSettings.EnableTesting = ReactDOM.findDOMNode(this.refs.EnableTesting).checked;
 config.ServiceSettings.EnableDeveloper = ReactDOM.findDOMNode(this.refs.EnableDeveloper).checked;
 config.ServiceSettings.EnableSecurityFixAlert = ReactDOM.findDOMNode(this.refs.EnableSecurityFixAlert).checked;
+ config.ServiceSettings.EnableInsecureOutgoingConnections = ReactDOM.findDOMNode(this.refs.EnableInsecureOutgoingConnections).checked;
 config.ServiceSettings.EnableCommands = ReactDOM.findDOMNode(this.refs.EnableCommands).checked;
 config.ServiceSettings.EnableOnlyAdminIntegrations = ReactDOM.findDOMNode(this.refs.EnableOnlyAdminIntegrations).checked;
@@ -720,6 +721,53 @@ class ServiceSettings extends React.Component {
 <div className='form-group'>
 <label
 className='control-label col-sm-4'
+ htmlFor='EnableInsecureOutgoingConnections'
+ >
+ <FormattedMessage
+ id='admin.service.insecureTlsTitle'
+ defaultMessage='Enable Insecure Outgoing Connections: '
+ />
+ </label>
+ <div className='col-sm-8'>
+ <label className='radio-inline'>
+ <input
+ type='radio'
+ name='EnableInsecureOutgoingConnections'
+ value='true'
+ ref='EnableInsecureOutgoingConnections'
+ defaultChecked={this.props.config.ServiceSettings.EnableInsecureOutgoingConnections}
+ onChange={this.handleChange}
+ />
+ <FormattedMessage
+ id='admin.service.true'
+ defaultMessage='true'
+ />
+ </label>
+ <label className='radio-inline'>
+ <input
+ type='radio'
+ name='EnableInsecureOutgoingConnections'
+ value='false'
+ defaultChecked={!this.props.config.ServiceSettings.EnableInsecureOutgoingConnections}
+ onChange={this.handleChange}
+ />
+ <FormattedMessage
+ id='admin.service.false'
+ defaultMessage='false'
+ />
+ </label>
+ <p className='help-text'>
+ <FormattedMessage
+ id='admin.service.insecureTlsDesc'
+ defaultMessage='When true, any outgoing HTTPS requests will accept unverified, self-signed certificates. For example, outgoing webhooks to a server with a self-signed TLS certificate, using any domain, will be allowed. Note that this makes these connections susceptible to man-in-the-middle attacks.'
+ />
+ </p>
+ </div>
+ </div>
+
+ <div className='form-group'>
+ <label
+ className='control-label col-sm-4'
 htmlFor='SessionLengthWebInDays'
 >
 <FormattedMessage
@@ -896,4 +944,4 @@ ServiceSettings.propTypes = {
 config: React.PropTypes.object
 };
-export default injectIntl(ServiceSettings);
\ No newline at end of file
+export default injectIntl(ServiceSettings);
diff --git a/web/static/i18n/en.json b/web/static/i18n/en.json
index 0bb238a90..0ce679a27 100644
--- a/web/static/i18n/en.json
+++ b/web/static/i18n/en.json
@@ -365,6 +365,8 @@
 "admin.service.developerDesc": "(Developer Option) When true, extra information around errors will be displayed in the UI.",
 "admin.service.securityTitle": "Enable Security Alerts: ",
 "admin.service.securityDesc": "When true, System Administrators are notified by email if a relevant security fix alert has been announced in the last 12 hours. Requires email to be enabled.",
+ "admin.service.insecureTlsTitle": "Enable Insecure Outgoing Connections: ",
+ "admin.service.insecureTlsDesc": "When true, any outgoing HTTPS requests will accept unverified, self-signed certificates. For example, outgoing webhooks to a server with a self-signed TLS certificate, using any domain, will be allowed. Note that this makes these connections susceptible to man-in-the-middle attacks.",
 "admin.service.webSessionDays": "Session Length for Web in Days:",
 "admin.service.webSessionDaysDesc": "The web session will expire after the number of days specified and will require a user to login again.",
 "admin.service.mobileSessionDays": "Session Length for Mobile Device in Days:",
@@ -1262,4 +1264,4 @@
 "intro_messages.beginning": "Beginning of {name}",
 "intro_messages.invite": "Invite others to this {type}",
 "intro_messages.setHeader": "Set a Header"
-}
\ No newline at end of file
+} |