From 8c505e7b5cb8138e53b71ed7e0465665654a596b Mon Sep 17 00:00:00 2001
From: JoramWilander <jwawilander@gmail.com>
Date: Fri, 5 Feb 2016 08:21:15 -0500
Subject: Accept unsigned TLS certs for SSO and outgoing hooks, also fix delete
 hooks bug

---
 api/post.go    | 7 ++++++-
 api/user.go    | 7 ++++++-
 api/webhook.go | 2 +-
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/api/post.go b/api/post.go
index c17da262f..58f490558 100644
--- a/api/post.go
+++ b/api/post.go
@@ -4,6 +4,7 @@
 package api
 
 import (
+	"crypto/tls"
 	"fmt"
 	l4g "github.com/alecthomas/log4go"
 	"github.com/gorilla/mux"
@@ -401,7 +402,11 @@ func handleWebhookEventsAndForget(c *Context, post *model.Post, team *model.Team
 				p.Set("text", post.Message)
 				p.Set("trigger_word", firstWord)
 
-				client := &http.Client{}
+				// accept any TLS certs
+				tr := &http.Transport{
+					TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+				}
+				client := &http.Client{Transport: tr}
 
 				for _, url := range hook.CallbackURLs {
 					go func(url string) {
diff --git a/api/user.go b/api/user.go
index 9926f3ff3..aa06fa910 100644
--- a/api/user.go
+++ b/api/user.go
@@ -5,6 +5,7 @@ package api
 
 import (
 	"bytes"
+	"crypto/tls"
 	b64 "encoding/base64"
 	"fmt"
 	l4g "github.com/alecthomas/log4go"
@@ -1960,7 +1961,11 @@ func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser
 	p.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE)
 	p.Set("redirect_uri", redirectUri)
 
-	client := &http.Client{}
+	// accept any TLS certs
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	client := &http.Client{Transport: tr}
 	req, _ := http.NewRequest("POST", sso.TokenEndpoint, strings.NewReader(p.Encode()))
 
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
diff --git a/api/webhook.go b/api/webhook.go
index 3906d09be..c0f8ea506 100644
--- a/api/webhook.go
+++ b/api/webhook.go
@@ -238,7 +238,7 @@ func getOutgoingHooks(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 
 func deleteOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
-	if !utils.Cfg.ServiceSettings.EnableIncomingWebhooks {
+	if !utils.Cfg.ServiceSettings.EnableOutgoingWebhooks {
 		c.Err = model.NewLocAppError("deleteOutgoingHook", "api.webhook.delete_outgoing.disabled.app_error", nil, "")
 		c.Err.StatusCode = http.StatusNotImplemented
 		return
-- 
cgit v1.2.3-1-g7c22


From 9f5f18a93a6db2b9c1089862fb68c2ee33e634ca Mon Sep 17 00:00:00 2001
From: JoramWilander <jwawilander@gmail.com>
Date: Fri, 5 Feb 2016 12:40:32 -0500
Subject: Make insecure TLS connections configurable

---
 api/command.go                                     |  7 ++-
 api/post.go                                        |  8 ++--
 api/user.go                                        |  3 +-
 config/config.json                                 |  3 +-
 docker/dev/config_docker.json                      |  1 +
 docker/local/config_docker.json                    |  1 +
 model/config.go                                    | 48 ++++++++++++---------
 .../components/admin_console/service_settings.jsx  | 50 +++++++++++++++++++++-
 web/static/i18n/en.json                            |  4 +-
 9 files changed, 95 insertions(+), 30 deletions(-)

diff --git a/api/command.go b/api/command.go
index a8573cdcc..b22d00dc0 100644
--- a/api/command.go
+++ b/api/command.go
@@ -4,6 +4,7 @@
 package api
 
 import (
+	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@@ -172,7 +173,11 @@ func executeCommand(c *Context, w http.ResponseWriter, r *http.Request) {
 						method = "GET"
 					}
 
-					client := &http.Client{}
+					tr := &http.Transport{
+						TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections},
+					}
+					client := &http.Client{Transport: tr}
+
 					req, _ := http.NewRequest(method, cmd.URL, strings.NewReader(p.Encode()))
 					req.Header.Set("Accept", "application/json")
 					if cmd.Method == model.COMMAND_METHOD_POST {
diff --git a/api/post.go b/api/post.go
index 58f490558..fadabd66e 100644
--- a/api/post.go
+++ b/api/post.go
@@ -402,9 +402,8 @@ func handleWebhookEventsAndForget(c *Context, post *model.Post, team *model.Team
 				p.Set("text", post.Message)
 				p.Set("trigger_word", firstWord)
 
-				// accept any TLS certs
 				tr := &http.Transport{
-					TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+					TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections},
 				}
 				client := &http.Client{Transport: tr}
 
@@ -687,7 +686,10 @@ func sendNotifications(c *Context, post *model.Post, team *model.Team, channel *
 								msg.Message = senderName + userLocale("api.post.send_notifications_and_forget.push_mention") + channelName
 							}
 
-							httpClient := http.Client{}
+							tr := &http.Transport{
+								TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections},
+							}
+							httpClient := &http.Client{Transport: tr}
 							request, _ := http.NewRequest("POST", *utils.Cfg.EmailSettings.PushNotificationServer+"/api/v1/send_push", strings.NewReader(msg.ToJson()))
 
 							l4g.Debug(utils.T("api.post.send_notifications_and_forget.push_notification.debug"), msg.DeviceId, msg.Message)
diff --git a/api/user.go b/api/user.go
index aa06fa910..507c83d28 100644
--- a/api/user.go
+++ b/api/user.go
@@ -1961,9 +1961,8 @@ func AuthorizeOAuthUser(service, code, state, redirectUri string) (io.ReadCloser
 	p.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE)
 	p.Set("redirect_uri", redirectUri)
 
-	// accept any TLS certs
 	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: *utils.Cfg.ServiceSettings.EnableInsecureOutgoingConnections},
 	}
 	client := &http.Client{Transport: tr}
 	req, _ := http.NewRequest("POST", sso.TokenEndpoint, strings.NewReader(p.Encode()))
diff --git a/config/config.json b/config/config.json
index 5ed05fecd..2795546f8 100644
--- a/config/config.json
+++ b/config/config.json
@@ -14,6 +14,7 @@
         "EnableTesting": false,
         "EnableDeveloper": false,
         "EnableSecurityFixAlert": true,
+        "EnableInsecureOutgoingConnections": false,
         "SessionLengthWebInDays": 30,
         "SessionLengthMobileInDays": 30,
         "SessionLengthSSOInDays": 30,
@@ -112,4 +113,4 @@
         "TokenEndpoint": "",
         "UserApiEndpoint": ""
     }
-}
\ No newline at end of file
+}
diff --git a/docker/dev/config_docker.json b/docker/dev/config_docker.json
index e831bbb3a..6a1290189 100644
--- a/docker/dev/config_docker.json
+++ b/docker/dev/config_docker.json
@@ -14,6 +14,7 @@
         "EnableTesting": false,
         "EnableDeveloper": false,
         "EnableSecurityFixAlert": true,
+        "EnableInsecureOutgoingConnections": false,
         "SessionLengthWebInDays" : 30,
         "SessionLengthMobileInDays" : 30,
         "SessionLengthSSOInDays" : 30,
diff --git a/docker/local/config_docker.json b/docker/local/config_docker.json
index e831bbb3a..6a1290189 100644
--- a/docker/local/config_docker.json
+++ b/docker/local/config_docker.json
@@ -14,6 +14,7 @@
         "EnableTesting": false,
         "EnableDeveloper": false,
         "EnableSecurityFixAlert": true,
+        "EnableInsecureOutgoingConnections": false,
         "SessionLengthWebInDays" : 30,
         "SessionLengthMobileInDays" : 30,
         "SessionLengthSSOInDays" : 30,
diff --git a/model/config.go b/model/config.go
index acb525abf..aa3dd3586 100644
--- a/model/config.go
+++ b/model/config.go
@@ -24,26 +24,27 @@ const (
 )
 
 type ServiceSettings struct {
-	ListenAddress               string
-	MaximumLoginAttempts        int
-	SegmentDeveloperKey         string
-	GoogleDeveloperKey          string
-	EnableOAuthServiceProvider  bool
-	EnableIncomingWebhooks      bool
-	EnableOutgoingWebhooks      bool
-	EnableCommands              *bool
-	EnableOnlyAdminIntegrations *bool
-	EnablePostUsernameOverride  bool
-	EnablePostIconOverride      bool
-	EnableTesting               bool
-	EnableDeveloper             *bool
-	EnableSecurityFixAlert      *bool
-	SessionLengthWebInDays      *int
-	SessionLengthMobileInDays   *int
-	SessionLengthSSOInDays      *int
-	SessionCacheInMinutes       *int
-	WebsocketSecurePort         *int
-	WebsocketPort               *int
+	ListenAddress                     string
+	MaximumLoginAttempts              int
+	SegmentDeveloperKey               string
+	GoogleDeveloperKey                string
+	EnableOAuthServiceProvider        bool
+	EnableIncomingWebhooks            bool
+	EnableOutgoingWebhooks            bool
+	EnableCommands                    *bool
+	EnableOnlyAdminIntegrations       *bool
+	EnablePostUsernameOverride        bool
+	EnablePostIconOverride            bool
+	EnableTesting                     bool
+	EnableDeveloper                   *bool
+	EnableSecurityFixAlert            *bool
+	EnableInsecureOutgoingConnections *bool
+	SessionLengthWebInDays            *int
+	SessionLengthMobileInDays         *int
+	SessionLengthSSOInDays            *int
+	SessionCacheInMinutes             *int
+	WebsocketSecurePort               *int
+	WebsocketPort                     *int
 }
 
 type SSOSettings struct {
@@ -164,7 +165,7 @@ type LdapSettings struct {
 	UsernameAttribute  *string
 	IdAttribute        *string
 
-	// Advansed
+	// Advanced
 	QueryTimeout *int
 }
 
@@ -252,6 +253,11 @@ func (o *Config) SetDefaults() {
 		*o.ServiceSettings.EnableSecurityFixAlert = true
 	}
 
+	if o.ServiceSettings.EnableInsecureOutgoingConnections == nil {
+		o.ServiceSettings.EnableInsecureOutgoingConnections = new(bool)
+		*o.ServiceSettings.EnableInsecureOutgoingConnections = false
+	}
+
 	if o.TeamSettings.RestrictTeamNames == nil {
 		o.TeamSettings.RestrictTeamNames = new(bool)
 		*o.TeamSettings.RestrictTeamNames = true
diff --git a/web/react/components/admin_console/service_settings.jsx b/web/react/components/admin_console/service_settings.jsx
index 2cc68d1ed..f232d4633 100644
--- a/web/react/components/admin_console/service_settings.jsx
+++ b/web/react/components/admin_console/service_settings.jsx
@@ -75,6 +75,7 @@ class ServiceSettings extends React.Component {
         config.ServiceSettings.EnableTesting = ReactDOM.findDOMNode(this.refs.EnableTesting).checked;
         config.ServiceSettings.EnableDeveloper = ReactDOM.findDOMNode(this.refs.EnableDeveloper).checked;
         config.ServiceSettings.EnableSecurityFixAlert = ReactDOM.findDOMNode(this.refs.EnableSecurityFixAlert).checked;
+        config.ServiceSettings.EnableInsecureOutgoingConnections = ReactDOM.findDOMNode(this.refs.EnableInsecureOutgoingConnections).checked;
         config.ServiceSettings.EnableCommands = ReactDOM.findDOMNode(this.refs.EnableCommands).checked;
         config.ServiceSettings.EnableOnlyAdminIntegrations = ReactDOM.findDOMNode(this.refs.EnableOnlyAdminIntegrations).checked;
 
@@ -717,6 +718,53 @@ class ServiceSettings extends React.Component {
                         </div>
                     </div>
 
+                    <div className='form-group'>
+                        <label
+                            className='control-label col-sm-4'
+                            htmlFor='EnableInsecureOutgoingConnections'
+                        >
+                            <FormattedMessage
+                                id='admin.service.insecureTlsTitle'
+                                defaultMessage='Enable Insecure Outgoing Connections: '
+                            />
+                        </label>
+                        <div className='col-sm-8'>
+                            <label className='radio-inline'>
+                                <input
+                                    type='radio'
+                                    name='EnableInsecureOutgoingConnections'
+                                    value='true'
+                                    ref='EnableInsecureOutgoingConnections'
+                                    defaultChecked={this.props.config.ServiceSettings.EnableInsecureOutgoingConnections}
+                                    onChange={this.handleChange}
+                                />
+                                    <FormattedMessage
+                                        id='admin.service.true'
+                                        defaultMessage='true'
+                                    />
+                            </label>
+                            <label className='radio-inline'>
+                                <input
+                                    type='radio'
+                                    name='EnableInsecureOutgoingConnections'
+                                    value='false'
+                                    defaultChecked={!this.props.config.ServiceSettings.EnableInsecureOutgoingConnections}
+                                    onChange={this.handleChange}
+                                />
+                                    <FormattedMessage
+                                        id='admin.service.false'
+                                        defaultMessage='false'
+                                    />
+                            </label>
+                            <p className='help-text'>
+                                <FormattedMessage
+                                    id='admin.service.insecureTlsDesc'
+                                    defaultMessage='When true, any outgoing HTTPS requests will accept unverified, self-signed certificates. For example, outgoing webhooks to a server with a self-signed TLS certificate, using any domain, will be allowed. Note that this makes these connections susceptible to man-in-the-middle attacks.'
+                                />
+                            </p>
+                        </div>
+                    </div>
+
                     <div className='form-group'>
                         <label
                             className='control-label col-sm-4'
@@ -896,4 +944,4 @@ ServiceSettings.propTypes = {
     config: React.PropTypes.object
 };
 
-export default injectIntl(ServiceSettings);
\ No newline at end of file
+export default injectIntl(ServiceSettings);
diff --git a/web/static/i18n/en.json b/web/static/i18n/en.json
index caa4afae3..16985143d 100644
--- a/web/static/i18n/en.json
+++ b/web/static/i18n/en.json
@@ -365,6 +365,8 @@
   "admin.service.developerDesc": "(Developer Option) When true, extra information around errors will be displayed in the UI.",
   "admin.service.securityTitle": "Enable Security Alerts: ",
   "admin.service.securityDesc": "When true, System Administrators are notified by email if a relevant security fix alert has been announced in the last 12 hours. Requires email to be enabled.",
+  "admin.service.insecureTlsTitle": "Enable Insecure Outgoing Connections: ",
+  "admin.service.insecureTlsDesc": "When true, any outgoing HTTPS requests will accept unverified, self-signed certificates. For example, outgoing webhooks to a server with a self-signed TLS certificate, using any domain, will be allowed. Note that this makes these connections susceptible to man-in-the-middle attacks.",
   "admin.service.webSessionDays": "Session Length for Web in Days:",
   "admin.service.webSessionDaysDesc": "The web session will expire after the number of days specified and will require a user to login again.",
   "admin.service.mobileSessionDays": "Session Length for Mobile Device in Days:",
@@ -1263,4 +1265,4 @@
   "intro_messages.beginning": "Beginning of {name}",
   "intro_messages.invite": "Invite others to this {type}",
   "intro_messages.setHeader": "Set a Header"
-}
\ No newline at end of file
+}
-- 
cgit v1.2.3-1-g7c22