Diffstat (limited to 'utils')
-rw-r--r-- | utils/authorization.go | 43 | ||||
-rw-r--r-- | utils/authorization_test.go | 133 | ||||
-rw-r--r-- | utils/config.go | 2 | ||||
-rw-r--r-- | utils/policies-roles-mapping.json | 532 |
4 files changed, 693 insertions, 17 deletions
diff --git a/utils/authorization.go b/utils/authorization.go index 42815b807..16f33bc1a 100644 --- a/utils/authorization.go +++ b/utils/authorization.go @@ -7,14 +7,7 @@ import ( "github.com/mattermost/mattermost-server/model" ) -func DefaultRolesBasedOnConfig(cfg *model.Config, isLicensed bool) map[string]*model.Role { - roles := make(map[string]*model.Role) - for id, role := range model.DefaultRoles { - copy := &model.Role{} - *copy = *role - roles[id] = copy - } - +func SetRolePermissionsFromConfig(roles map[string]*model.Role, cfg *model.Config, isLicensed bool) map[string]*model.Role { if isLicensed { switch *cfg.TeamSettings.RestrictPublicChannelCreation { case model.PERMISSIONS_ALL: @@ -222,8 +215,8 @@ func DefaultRolesBasedOnConfig(cfg *model.Config, isLicensed bool) map[string]*m model.PERMISSION_ADD_USER_TO_TEAM.Id, ) } else if *cfg.TeamSettings.RestrictTeamInvite == model.PERMISSIONS_ALL { - roles[model.SYSTEM_USER_ROLE_ID].Permissions = append( - roles[model.SYSTEM_USER_ROLE_ID].Permissions, + roles[model.TEAM_USER_ROLE_ID].Permissions = append( + roles[model.TEAM_USER_ROLE_ID].Permissions, model.PERMISSION_INVITE_USER.Id, model.PERMISSION_ADD_USER_TO_TEAM.Id, ) @@ -243,11 +236,6 @@ func DefaultRolesBasedOnConfig(cfg *model.Config, isLicensed bool) map[string]*m roles[model.CHANNEL_USER_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, ) - roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions = append( - roles[model.CHANNEL_ADMIN_ROLE_ID].Permissions, - model.PERMISSION_DELETE_POST.Id, - model.PERMISSION_DELETE_OTHERS_POSTS.Id, - ) roles[model.TEAM_ADMIN_ROLE_ID].Permissions = append( roles[model.TEAM_ADMIN_ROLE_ID].Permissions, model.PERMISSION_DELETE_POST.Id, 
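Review bot: SetRolePermissionsFromConfig now mutates the caller's map in place (every branch appends to `roles[...].Permissions` on the pointers the caller handed in) and returns that same map, but the new signature carries no doc comment saying so. If any caller reuses a map across calls, e.g. on a config reload, grants from the previous config accumulate instead of being replaced, which for permission assignment is the wrong direction to fail in; the new test avoids this only because it builds a fresh `model.MakeDefaultRoles()` per case. A missing key also yields a nil `*model.Role` and a panic on `.Permissions`, which is worth stating as a precondition. Suggested doc comment: `// SetRolePermissionsFromConfig appends the config-derived permissions to the roles in roles, mutating them in place, and returns the same map. Pass a fresh copy such as model.MakeDefaultRoles(); every default role id must be present, and calling it twice on one map accumulates grants.` The function body continues past the end of this hunk.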
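Review bot: The removal of the channel_admin grant of `PERMISSION_DELETE_POST` and `PERMISSION_DELETE_OTHERS_POSTS` in the third hunk is not pinned by the new fixture: the `restrictPostDelete` entries in policies-roles-mapping.json name only channel_user and team_admin, so a change that re-added the grant would still pass TestSetRolePermissionsFromConfig. Add rows such as `{"roleName": "channel_admin", "permission": "delete_others_posts", "shouldHave": false}` (and the delete_post counterpart) under each restrictPostDelete value, or, if channel admins are meant to obtain delete rights some other way that I cannot see from this hunk, a one-line comment at the removal site saying where. The enclosing function starts before and ends after this hunk.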
@@ -272,12 +260,35 @@ func DefaultRolesBasedOnConfig(cfg *model.Config, isLicensed bool) map[string]*m ) } - if cfg.TeamSettings.EnableTeamCreation { + if *cfg.TeamSettings.EnableTeamCreation { roles[model.SYSTEM_USER_ROLE_ID].Permissions = append( roles[model.SYSTEM_USER_ROLE_ID].Permissions, model.PERMISSION_CREATE_TEAM.Id, ) } + if isLicensed { + switch *cfg.ServiceSettings.AllowEditPost { + case model.ALLOW_EDIT_POST_ALWAYS, model.ALLOW_EDIT_POST_TIME_LIMIT: + roles[model.CHANNEL_USER_ROLE_ID].Permissions = append( + roles[model.CHANNEL_USER_ROLE_ID].Permissions, + model.PERMISSION_EDIT_POST.Id, + ) + roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions = append( + roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions, + model.PERMISSION_EDIT_POST.Id, + ) + } + } else { + roles[model.CHANNEL_USER_ROLE_ID].Permissions = append( + roles[model.CHANNEL_USER_ROLE_ID].Permissions, + model.PERMISSION_EDIT_POST.Id, + ) + roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions = append( + roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions, + model.PERMISSION_EDIT_POST.Id, + ) + } + return roles } diff --git a/utils/authorization_test.go b/utils/authorization_test.go new file mode 100644 index 000000000..8c78dcbda --- /dev/null +++ b/utils/authorization_test.go 
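Review bot: The two appends granting `PERMISSION_EDIT_POST` to channel_user and system_admin are copied verbatim into both the licensed and the unlicensed branch of the new AllowEditPost block; deciding once whether editing is allowed and then granting in a single place keeps the two role lists from drifting apart, which for a permission grant is the kind of drift that is hard to notice. Note also that on an unlicensed server edit_post is granted whatever AllowEditPost says, consistent with the other licensed-only restrictions earlier in the function, but the fixture only runs with isLicensed set to true, so a short comment makes the intent explicit; whether the time window for `ALLOW_EDIT_POST_TIME_LIMIT` is enforced elsewhere cannot be seen here, so I have hedged it in the comment. The function's body begins above this hunk.
```go
	// … unchanged: EnableTeamCreation block …

	// Editing is unrestricted on unlicensed servers; a licensed server grants
	// edit_post only for "always" and the time-limited mode (the time window is
	// presumably enforced elsewhere, not by this permission).
	allowEdit := !isLicensed
	if isLicensed {
		switch *cfg.ServiceSettings.AllowEditPost {
		case model.ALLOW_EDIT_POST_ALWAYS, model.ALLOW_EDIT_POST_TIME_LIMIT:
			allowEdit = true
		}
	}
	if allowEdit {
		roles[model.CHANNEL_USER_ROLE_ID].Permissions = append(
			roles[model.CHANNEL_USER_ROLE_ID].Permissions,
			model.PERMISSION_EDIT_POST.Id,
		)
		roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions = append(
			roles[model.SYSTEM_ADMIN_ROLE_ID].Permissions,
			model.PERMISSION_EDIT_POST.Id,
		)
	}

	return roles
```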
@@ -0,0 +1,133 @@ +// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package utils + +import ( + "encoding/json" + "fmt" + "io/ioutil" + "reflect" + "strconv" + "strings" + "testing" + + "github.com/stretchr/testify/require" + + "github.com/mattermost/mattermost-server/model" +) + +type RoleState struct { + RoleName string `json:"roleName"` + Permission string `json:"permission"` + ShouldHave bool `json:"shouldHave"` +} + +func mockConfig() *model.Config { + config := model.Config{} + config.SetDefaults() + return &config +} + +func mapping() (map[string]map[string][]RoleState, error) { + + policiesRolesMapping := make(map[string]map[string][]RoleState) + + raw, err := ioutil.ReadFile("./policies-roles-mapping.json") + if err != nil { + return policiesRolesMapping, err + } + + var f map[string]interface{} + err = json.Unmarshal(raw, &f) + if err != nil { + return policiesRolesMapping, err + } + + for policyName, value := range f { + + capitalizedName := fmt.Sprintf("%v%v", strings.ToUpper(policyName[:1]), policyName[1:]) + policiesRolesMapping[capitalizedName] = make(map[string][]RoleState) + + for policyValue, roleStatesMappings := range value.(map[string]interface{}) { + + var roleStates []RoleState + for _, roleStateMapping := range roleStatesMappings.([]interface{}) { + + roleStateMappingJSON, _ := json.Marshal(roleStateMapping) + var roleState RoleState + _ = json.Unmarshal(roleStateMappingJSON, &roleState) + + roleStates = append(roleStates, roleState) + + } + + policiesRolesMapping[capitalizedName][policyValue] = roleStates + + } + + } + + return policiesRolesMapping, nil +} + +func TestSetRolePermissionsFromConfig(t *testing.T) { + + mapping, err := mapping() + if err != nil { + require.NoError(t, err) + } + + for policyName, v := range mapping { + for policyValue, rolesMappings := range v { + + config := mockConfig() + updateConfig(config, policyName, policyValue) + roles := 
model.MakeDefaultRoles() + SetRolePermissionsFromConfig(roles, config, true) + + for _, roleMappingItem := range rolesMappings { + role := roles[roleMappingItem.RoleName] + + permission := roleMappingItem.Permission + hasPermission := roleHasPermission(role, permission) + + if (roleMappingItem.ShouldHave && !hasPermission) || (!roleMappingItem.ShouldHave && hasPermission) { + wording := "not to" + if roleMappingItem.ShouldHave { + wording = "to" + } + t.Errorf("Expected '%v' %v have '%v' permission when '%v' is set to '%v'.", role.Name, wording, permission, policyName, policyValue) + } + + } + + } + } +} + +func updateConfig(config *model.Config, key string, value string) { + v := reflect.ValueOf(config.ServiceSettings) + field := v.FieldByName(key) + if !field.IsValid() { + v = reflect.ValueOf(config.TeamSettings) + field = v.FieldByName(key) + } + + switch value { + case "true", "false": + b, _ := strconv.ParseBool(value) + field.Elem().SetBool(b) + default: + field.Elem().SetString(value) + } +} + +func roleHasPermission(role *model.Role, permission string) bool { + for _, p := range role.Permissions { + if p == permission { + return true + } + } + return false +} diff --git a/utils/config.go b/utils/config.go index 679e5f62c..b28cf918d 100644 --- a/utils/config.go +++ b/utils/config.go 
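Review bot: mapping() discards the errors of the per-entry `json.Marshal`/`json.Unmarshal` round-trip and relies on unchecked type assertions on the decoded `interface{}` values, so a malformed fixture entry either panics inside mapping() or silently produces a zero RoleState whose empty role name then dereferences a nil `*model.Role` in roleHasPermission, and in neither case does the failure point at the bad entry. Decoding straight into `map[string]map[string][]RoleState` removes the inner loops and both failure modes; with that rewrite `fmt` becomes unused and must be dropped from the imports. updateConfig has a related gap: `field.IsValid()` is only checked after the ServiceSettings lookup, so a key missing from TeamSettings as well reaches `field.Elem()` on an invalid Value and panics without naming the key; add `if !field.IsValid() { panic("updateConfig: unknown config key " + key) }` after the fallback lookup. It is also worth a comment that `reflect.ValueOf(config.ServiceSettings)` is a copy of the struct and the writes only reach the config because the fields are pointers that `Elem()` follows.
```go
func mapping() (map[string]map[string][]RoleState, error) {
	policiesRolesMapping := make(map[string]map[string][]RoleState)

	raw, err := ioutil.ReadFile("./policies-roles-mapping.json")
	if err != nil {
		return policiesRolesMapping, err
	}

	// The fixture already has the target shape; let encoding/json validate it
	// instead of re-marshalling each entry by hand.
	var decoded map[string]map[string][]RoleState
	if err := json.Unmarshal(raw, &decoded); err != nil {
		return policiesRolesMapping, err
	}

	for policyName, byValue := range decoded {
		// Keys are camelCase in the fixture but must match exported config field names.
		capitalizedName := strings.ToUpper(policyName[:1]) + policyName[1:]
		policiesRolesMapping[capitalizedName] = byValue
	}

	return policiesRolesMapping, nil
}
```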
@@ -346,8 +346,8 @@ func GenerateClientConfig(c *model.Config, diagnosticId string, license *model.L props["SiteURL"] = strings.TrimRight(*c.ServiceSettings.SiteURL, "/") props["WebsocketURL"] = strings.TrimRight(*c.ServiceSettings.WebsocketURL, "/") props["SiteName"] = c.TeamSettings.SiteName + props["EnableTeamCreation"] = strconv.FormatBool(*c.TeamSettings.EnableTeamCreation) props["EnableAPIv3"] = strconv.FormatBool(*c.ServiceSettings.EnableAPIv3) - props["EnableTeamCreation"] = strconv.FormatBool(c.TeamSettings.EnableTeamCreation) props["EnableUserCreation"] = strconv.FormatBool(c.TeamSettings.EnableUserCreation) props["EnableOpenServer"] = strconv.FormatBool(*c.TeamSettings.EnableOpenServer) props["RestrictDirectMessage"] = *c.TeamSettings.RestrictDirectMessage diff --git a/utils/policies-roles-mapping.json b/utils/policies-roles-mapping.json new file mode 100644 index 000000000..6b09c6c72 --- /dev/null +++ b/utils/policies-roles-mapping.json 
@@ -0,0 +1,532 @@ +{ + "restrictTeamInvite": { + "all": [ + { + "roleName": "team_user", + "permission": "invite_user", + "shouldHave": true + } + ], + "team_admin": [ + { + "roleName": "team_user", + "permission": "invite_user", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "invite_user", + "shouldHave": true + } + ], + "system_admin": [ + { + "roleName": "team_user", + "permission": "invite_user", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "invite_user", + "shouldHave": false + } + ] + }, + "restrictPublicChannelCreation": { + "all": [ + { + "roleName": "team_user", + "permission": "create_public_channel", + "shouldHave": true + } + ], + "team_admin": [ + { + "roleName": "team_user", + "permission": "create_public_channel", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "create_public_channel", + "shouldHave": true + } + ], + "system_admin": [ + { + "roleName": "team_user", + "permission": "create_public_channel", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "create_public_channel", + "shouldHave": false + } + ] + }, + "restrictPrivateChannelCreation": { + "all": [ + { + "roleName": "team_user", + "permission": "create_private_channel", + "shouldHave": true + } + ], + "team_admin": [ + { + "roleName": "team_user", + "permission": "create_private_channel", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "create_private_channel", + "shouldHave": true + } + ], + "system_admin": [ + { + "roleName": "team_user", + "permission": "create_private_channel", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "create_private_channel", + "shouldHave": false + } + ] + }, + "restrictPublicChannelManagement": { + "all": [ + { + "roleName": "team_user", + "permission": "manage_public_channel_properties", + "shouldHave": true + } + ], + "channel_admin": [ + { + "roleName": "team_user", + "permission": 
"manage_public_channel_properties", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "manage_public_channel_properties", + "shouldHave": true + }, + { + "roleName": "team_admin", + "permission": "manage_public_channel_properties", + "shouldHave": true + } + ], + "team_admin": [ + { + "roleName": "team_user", + "permission": "manage_public_channel_properties", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "manage_public_channel_properties", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "manage_public_channel_properties", + "shouldHave": true + } + ], + "system_admin": [ + { + "roleName": "team_user", + "permission": "manage_public_channel_properties", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "manage_public_channel_properties", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "manage_public_channel_properties", + "shouldHave": false + } + ] + }, + "restrictPublicChannelDeletion": { + "all": [ + { + "roleName": "team_user", + "permission": "delete_public_channel", + "shouldHave": true + } + ], + "channel_admin": [ + { + "roleName": "team_user", + "permission": "delete_public_channel", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "delete_public_channel", + "shouldHave": true + }, + { + "roleName": "team_admin", + "permission": "delete_public_channel", + "shouldHave": true + } + ], + "team_admin": [ + { + "roleName": "team_user", + "permission": "delete_public_channel", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "delete_public_channel", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "delete_public_channel", + "shouldHave": true + } + ], + "system_admin": [ + { + "roleName": "team_user", + "permission": "delete_public_channel", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": 
"delete_public_channel", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "delete_public_channel", + "shouldHave": false + } + ] + }, + "restrictPrivateChannelManagement": { + "all": [ + { + "roleName": "team_user", + "permission": "manage_private_channel_properties", + "shouldHave": true + } + ], + "channel_admin": [ + { + "roleName": "team_user", + "permission": "manage_private_channel_properties", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "manage_private_channel_properties", + "shouldHave": true + }, + { + "roleName": "team_admin", + "permission": "manage_private_channel_properties", + "shouldHave": true + } + ], + "team_admin": [ + { + "roleName": "team_user", + "permission": "manage_private_channel_properties", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "manage_private_channel_properties", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "manage_private_channel_properties", + "shouldHave": true + } + ], + "system_admin": [ + { + "roleName": "team_user", + "permission": "manage_private_channel_properties", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "manage_private_channel_properties", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "manage_private_channel_properties", + "shouldHave": false + } + ] + }, + "restrictPrivateChannelManageMembers": { + "all": [ + { + "roleName": "channel_user", + "permission": "manage_private_channel_members", + "shouldHave": true + } + ], + "channel_admin": [ + { + "roleName": "channel_user", + "permission": "manage_private_channel_members", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "manage_private_channel_members", + "shouldHave": true + }, + { + "roleName": "team_admin", + "permission": "manage_private_channel_members", + "shouldHave": true + } + ], + "team_admin": [ + { + "roleName": "channel_user", + 
"permission": "manage_private_channel_members", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "manage_private_channel_members", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "manage_private_channel_members", + "shouldHave": true + } + ], + "system_admin": [ + { + "roleName": "channel_user", + "permission": "manage_private_channel_members", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "manage_private_channel_members", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "manage_private_channel_members", + "shouldHave": false + } + ] + }, + "restrictPrivateChannelDeletion": { + "all": [ + { + "roleName": "team_user", + "permission": "delete_private_channel", + "shouldHave": true + } + ], + "channel_admin": [ + { + "roleName": "team_user", + "permission": "delete_private_channel", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "delete_private_channel", + "shouldHave": true + }, + { + "roleName": "team_admin", + "permission": "delete_private_channel", + "shouldHave": true + } + ], + "team_admin": [ + { + "roleName": "team_user", + "permission": "delete_private_channel", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "delete_private_channel", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "delete_private_channel", + "shouldHave": true + } + ], + "system_admin": [ + { + "roleName": "team_user", + "permission": "delete_private_channel", + "shouldHave": false + }, + { + "roleName": "channel_admin", + "permission": "delete_private_channel", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "delete_private_channel", + "shouldHave": false + } + ] + }, + "allowEditPost": { + "always": [ + { + "roleName": "channel_user", + "permission": "edit_post", + "shouldHave": true + }, + { + "roleName": "system_admin", + "permission": "edit_post", + 
"shouldHave": true + } + ], + "never": [ + { + "roleName": "channel_user", + "permission": "edit_post", + "shouldHave": false + }, + { + "roleName": "system_admin", + "permission": "edit_post", + "shouldHave": false + } + ] + }, + "restrictPostDelete": { + "all": [ + { + "roleName": "channel_user", + "permission": "delete_post", + "shouldHave": true + }, + { + "roleName": "team_admin", + "permission": "delete_post", + "shouldHave": true + }, + { + "roleName": "team_admin", + "permission": "delete_others_posts", + "shouldHave": true + } + ], + "team_admin": [ + { + "roleName": "channel_user", + "permission": "delete_post", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "delete_post", + "shouldHave": true + }, + { + "roleName": "team_admin", + "permission": "delete_others_posts", + "shouldHave": true + } + ], + "system_admin": [ + { + "roleName": "channel_user", + "permission": "delete_post", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "delete_post", + "shouldHave": false + }, + { + "roleName": "team_admin", + "permission": "delete_others_posts", + "shouldHave": false + } + ] + }, + "enableTeamCreation": { + "true": [ + { + "roleName": "system_user", + "permission": "create_team", + "shouldHave": true + } + ], + "false": [ + { + "roleName": "system_user", + "permission": "create_team", + "shouldHave": false + } + ] + }, + "enableOnlyAdminIntegrations": { + "true": [ + { + "roleName": "team_user", + "permission": "manage_webhooks", + "shouldHave": false + }, + { + "roleName": "team_user", + "permission": "manage_slash_commands", + "shouldHave": false + }, + { + "roleName": "system_user", + "permission": "manage_oauth", + "shouldHave": false + } + ], + "false": [ + { + "roleName": "team_user", + "permission": "manage_webhooks", + "shouldHave": true + }, + { + "roleName": "team_user", + "permission": "manage_slash_commands", + "shouldHave": true + }, + { + "roleName": "system_user", + "permission": 
"manage_oauth", + "shouldHave": true + } + ] + } +} |
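Review bot: The allowEditPost section lists only `always` and `never`, so the time-limited mode that SetRolePermissionsFromConfig also treats as granting edit_post (`model.ALLOW_EDIT_POST_TIME_LIMIT`) is never exercised by TestSetRolePermissionsFromConfig; add an entry keyed by that constant's string value with the same two rows as `always`. Since the test sets the config field to the JSON key verbatim, the key must be the exact string the model constant holds, which I cannot confirm from this diff. This file is a test fixture, so the gap is one of coverage rather than a production defect, but it is the only check on the permission matrix this commit adds.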