diff options
Diffstat (limited to 'api')
-rw-r--r-- | api/admin.go | 77 | ||||
-rw-r--r-- | api/authentication.go | 7 | ||||
-rw-r--r-- | api/context.go | 7 | ||||
-rw-r--r-- | api/user.go | 106 |
4 files changed, 190 insertions, 7 deletions
diff --git a/api/admin.go b/api/admin.go index f0db5a4af..4d1528104 100644 --- a/api/admin.go +++ b/api/admin.go @@ -5,6 +5,7 @@ package api import ( "bufio" + "io" "io/ioutil" "net/http" "os" @@ -41,6 +42,9 @@ func InitAdmin() { BaseRoutes.Admin.Handle("/reset_mfa", ApiAdminSystemRequired(adminResetMfa)).Methods("POST") BaseRoutes.Admin.Handle("/reset_password", ApiAdminSystemRequired(adminResetPassword)).Methods("POST") BaseRoutes.Admin.Handle("/ldap_sync_now", ApiAdminSystemRequired(ldapSyncNow)).Methods("POST") + BaseRoutes.Admin.Handle("/saml_metadata", ApiAppHandler(samlMetadata)).Methods("GET") + BaseRoutes.Admin.Handle("/add_certificate", ApiAdminSystemRequired(addCertificate)).Methods("POST") + BaseRoutes.Admin.Handle("/remove_certificate", ApiAdminSystemRequired(removeCertificate)).Methods("POST") } func getLogs(c *Context, w http.ResponseWriter, r *http.Request) { @@ -582,3 +586,76 @@ func ldapSyncNow(c *Context, w http.ResponseWriter, r *http.Request) { rdata["status"] = "ok" w.Write([]byte(model.MapToJson(rdata))) } + +func samlMetadata(c *Context, w http.ResponseWriter, r *http.Request) { + samlInterface := einterfaces.GetSamlInterface() + + if samlInterface == nil { + c.Err = model.NewLocAppError("loginWithSaml", "api.admin.saml.not_available.app_error", nil, "") + c.Err.StatusCode = http.StatusFound + return + } + + if result, err := samlInterface.GetMetadata(); err != nil { + c.Err = model.NewLocAppError("loginWithSaml", "api.admin.saml.metadata.app_error", nil, "err="+err.Message) + return + } else { + w.Header().Set("Content-Type", "application/xml") + w.Header().Set("Content-Disposition", "attachment; filename=\"metadata.xml\"") + w.Write([]byte(result)) + } +} + +func addCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + err := r.ParseMultipartForm(*utils.Cfg.FileSettings.MaxFileSize) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + + m := r.MultipartForm + + fileArray, ok := m.File["certificate"] + if !ok { + c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.no_file.app_error", nil, "") + c.Err.StatusCode = http.StatusBadRequest + return + } + + if len(fileArray) <= 0 { + c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.array.app_error", nil, "") + c.Err.StatusCode = http.StatusBadRequest + return + } + + fileData := fileArray[0] + + file, err := fileData.Open() + defer file.Close() + if err != nil { + c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.open.app_error", nil, err.Error()) + return + } + + out, err := os.Create(utils.FindDir("config") + fileData.Filename) + if err != nil { + c.Err = model.NewLocAppError("addCertificate", "api.admin.add_certificate.saving.app_error", nil, err.Error()) + return + } + defer out.Close() + + io.Copy(out, file) + ReturnStatusOK(w) +} + +func removeCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + props := model.MapFromJson(r.Body) + + filename := props["filename"] + if err := os.Remove(utils.FindConfigFile(filename)); err != nil { + c.Err = model.NewLocAppError("removeCertificate", "api.admin.remove_certificate.delete.app_error", + map[string]interface{}{"Filename": filename}, err.Error()) + return + } + ReturnStatusOK(w) +} diff --git a/api/authentication.go b/api/authentication.go index 42a395253..8170f0a8e 100644 --- a/api/authentication.go +++ b/api/authentication.go @@ -9,6 +9,7 @@ import ( "github.com/mattermost/platform/utils" "net/http" + "strings" ) func checkPasswordAndAllCriteria(user *model.User, password string, mfaToken string) *model.AppError { @@ -145,7 +146,11 @@ func authenticateUser(user *model.User, password, mfaToken string) (*model.User, return ldapUser, nil } } else if user.AuthService != "" { - err := model.NewLocAppError("login", "api.user.login.use_auth_service.app_error", map[string]interface{}{"AuthService": user.AuthService}, "") + authService := user.AuthService + if authService == model.USER_AUTH_SERVICE_SAML || authService == model.USER_AUTH_SERVICE_LDAP { + authService = strings.ToUpper(authService) + } + err := model.NewLocAppError("login", "api.user.login.use_auth_service.app_error", map[string]interface{}{"AuthService": authService}, "") err.StatusCode = http.StatusBadRequest return user, err } else { diff --git a/api/context.go b/api/context.go index 1c0dae299..93ff83247 100644 --- a/api/context.go +++ b/api/context.go @@ -477,6 +477,11 @@ func RenderWebError(err *model.AppError, w http.ResponseWriter, r *http.Request) link := "/" linkMessage := T("api.templates.error.link") + status := http.StatusTemporaryRedirect + if err.StatusCode != http.StatusInternalServerError { + status = err.StatusCode + } + http.Redirect( w, r, @@ -485,7 +490,7 @@ func RenderWebError(err *model.AppError, w http.ResponseWriter, r *http.Request) "&details="+url.QueryEscape(details)+ "&link="+url.QueryEscape(link)+ "&linkmessage="+url.QueryEscape(linkMessage), - http.StatusTemporaryRedirect) + status) } func Handle404(w http.ResponseWriter, r *http.Request) { diff --git a/api/user.go b/api/user.go index 2ffda1bc5..47f20f6bf 100644 --- a/api/user.go +++ b/api/user.go @@ -5,6 +5,7 @@ package api import ( "bytes" + b64 "encoding/base64" "fmt" "hash/fnv" "html/template" @@ -71,6 +72,9 @@ func InitUser() { BaseRoutes.NeedUser.Handle("/sessions", ApiUserRequired(getSessions)).Methods("GET") BaseRoutes.NeedUser.Handle("/audits", ApiUserRequired(getAudits)).Methods("GET") BaseRoutes.NeedUser.Handle("/image", ApiUserRequiredTrustRequester(getProfileImage)).Methods("GET") + + BaseRoutes.Root.Handle("/login/sso/saml", AppHandlerIndependent(loginWithSaml)).Methods("GET") + BaseRoutes.Root.Handle("/login/sso/saml", AppHandlerIndependent(completeSaml)).Methods("POST") } func createUser(c *Context, w http.ResponseWriter, r *http.Request) { @@ -2005,12 +2009,16 @@ func emailToOAuth(c *Context, w http.ResponseWriter, r *http.Request) { stateProps["email"] = email m := map[string]string{} - if authUrl, err := GetAuthorizationCode(c, service, stateProps, ""); err != nil { - c.LogAuditWithUserId(user.Id, "fail - oauth issue") - c.Err = err - return + if service == model.USER_AUTH_SERVICE_SAML { + m["follow_link"] = c.GetSiteURL() + "/login/sso/saml?action=" + model.OAUTH_ACTION_EMAIL_TO_SSO + "&email=" + email } else { - m["follow_link"] = authUrl + if authUrl, err := GetAuthorizationCode(c, service, stateProps, ""); err != nil { + c.LogAuditWithUserId(user.Id, "fail - oauth issue") + c.Err = err + return + } else { + m["follow_link"] = authUrl + } } c.LogAuditWithUserId(user.Id, "success") @@ -2419,3 +2427,91 @@ func checkMfa(c *Context, w http.ResponseWriter, r *http.Request) { } w.Write([]byte(model.MapToJson(rdata))) } + +func loginWithSaml(c *Context, w http.ResponseWriter, r *http.Request) { + samlInterface := einterfaces.GetSamlInterface() + + if samlInterface == nil { + c.Err = model.NewLocAppError("loginWithSaml", "api.user.saml.not_available.app_error", nil, "") + c.Err.StatusCode = http.StatusFound + return + } + + teamId, err := getTeamIdFromQuery(r.URL.Query()) + if err != nil { + c.Err = err + return + } + action := r.URL.Query().Get("action") + relayState := "" + + if len(action) != 0 { + relayProps := map[string]string{} + relayProps["team_id"] = teamId + relayProps["action"] = action + if action == model.OAUTH_ACTION_EMAIL_TO_SSO { + relayProps["email"] = r.URL.Query().Get("email") + } + relayState = b64.StdEncoding.EncodeToString([]byte(model.MapToJson(relayProps))) + } + + if data, err := samlInterface.BuildRequest(relayState); err != nil { + c.Err = err + return + } else { + w.Header().Set("Content-Type", "application/x-www-form-urlencoded") + http.Redirect(w, r, data.URL, http.StatusFound) + } +} + +func completeSaml(c *Context, w http.ResponseWriter, r *http.Request) { + samlInterface := einterfaces.GetSamlInterface() + + if samlInterface == nil { + c.Err = model.NewLocAppError("completeSaml", "api.user.saml.not_available.app_error", nil, "") + c.Err.StatusCode = http.StatusFound + return + } + + //Validate that the user is with SAML and all that + encodedXML := r.FormValue("SAMLResponse") + relayState := r.FormValue("RelayState") + + relayProps := make(map[string]string) + if len(relayState) > 0 { + stateStr := "" + if b, err := b64.StdEncoding.DecodeString(relayState); err != nil { + c.Err = model.NewLocAppError("completeSaml", "api.user.authorize_oauth_user.invalid_state.app_error", nil, err.Error()) + c.Err.StatusCode = http.StatusFound + return + } else { + stateStr = string(b) + } + relayProps = model.MapFromJson(strings.NewReader(stateStr)) + } + + if user, err := samlInterface.DoLogin(encodedXML, relayProps); err != nil { + c.Err = err + c.Err.StatusCode = http.StatusFound + return + } else { + if err := checkUserAdditionalAuthenticationCriteria(user, ""); err != nil { + c.Err = err + c.Err.StatusCode = http.StatusFound + return + } + action := relayProps["action"] + switch action { + case model.OAUTH_ACTION_SIGNUP: + teamId := relayProps["team_id"] + go addDirectChannels(teamId, user) + break + case model.OAUTH_ACTION_EMAIL_TO_SSO: + RevokeAllSession(c, user.Id) + go sendSignInChangeEmail(c, user.Email, c.GetSiteURL(), strings.Title(model.USER_AUTH_SERVICE_SAML)+" SSO") + break + } + doLogin(c, w, r, user, "") + http.Redirect(w, r, GetProtocol(r)+"://"+r.Host, http.StatusFound) + } +} |