From e0390632b3c941670671d968b8828bcefbf71581 Mon Sep 17 00:00:00 2001 From: Martin Kraft Date: Thu, 17 May 2018 11:37:00 -0400 Subject: MM-10264: Adds CLI command to import and export permissions. (#8787) * MM-10264: Adds CLI command to import and export permissions. * MM-10264: Changes Scheme Name to DisplayName and adds Name slug field. * MM-10264: Changes display name max size. * MM-10264: Another merge fix. * MM-10264: Changes for more Schemes methods checking for migration. * MM-10264: More updates for Schemes migration checking. --- api4/channel_test.go | 6 +- api4/scheme_test.go | 41 +++++- api4/team_test.go | 6 +- app/apptestlib.go | 34 +++++ app/permissions.go | 143 +++++++++++++++++++++ app/permissions_test.go | 253 ++++++++++++++++++++++++++++++++++++++ app/scheme.go | 16 ++- cmd/commands/permissions.go | 65 ++++++++++ cmd/commands/permissions_test.go | 40 ++++++ model/scheme.go | 53 +++++++- store/sqlstore/scheme_supplier.go | 5 +- store/storetest/channel_store.go | 2 + store/storetest/scheme_store.go | 18 +++ store/storetest/team_store.go | 2 + 14 files changed, 670 insertions(+), 14 deletions(-) create mode 100644 app/permissions_test.go create mode 100644 cmd/commands/permissions_test.go diff --git a/api4/channel_test.go b/api4/channel_test.go index 551a1a484..f871e66ea 100644 --- a/api4/channel_test.go +++ b/api4/channel_test.go @@ -1924,13 +1924,15 @@ func TestUpdateChannelScheme(t *testing.T) { channel, _ = th.SystemAdminClient.CreateChannel(channel) channelScheme := &model.Scheme{ - Name: "Name", + DisplayName: "DisplayName", + Name: model.NewId(), Description: "Some description", Scope: model.SCHEME_SCOPE_CHANNEL, } channelScheme, _ = th.SystemAdminClient.CreateScheme(channelScheme) teamScheme := &model.Scheme{ - Name: "Name", + DisplayName: "DisplayName", + Name: model.NewId(), Description: "Some description", Scope: model.SCHEME_SCOPE_TEAM, } diff --git a/api4/scheme_test.go b/api4/scheme_test.go index 9e5ed1aca..461b03421 100644 --- a/api4/scheme_test.go +++ b/api4/scheme_test.go @@ -25,6 +25,7 @@ func TestCreateScheme(t *testing.T) { // Basic test of creating a team scheme. scheme1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -33,6 +34,7 @@ func TestCreateScheme(t *testing.T) { s1, r1 := th.SystemAdminClient.CreateScheme(scheme1) CheckNoError(t, r1) + assert.Equal(t, s1.DisplayName, scheme1.DisplayName) assert.Equal(t, s1.Name, scheme1.Name) assert.Equal(t, s1.Description, scheme1.Description) assert.NotZero(t, s1.CreateAt) @@ -56,6 +58,7 @@ func TestCreateScheme(t *testing.T) { // Basic Test of a Channel scheme. scheme2 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_CHANNEL, @@ -64,6 +67,7 @@ func TestCreateScheme(t *testing.T) { s2, r2 := th.SystemAdminClient.CreateScheme(scheme2) CheckNoError(t, r2) + assert.Equal(t, s2.DisplayName, scheme2.DisplayName) assert.Equal(t, s2.Name, scheme2.Name) assert.Equal(t, s2.Description, scheme2.Description) assert.NotZero(t, s2.CreateAt) @@ -83,6 +87,7 @@ func TestCreateScheme(t *testing.T) { // Try and create a scheme with an invalid scope. scheme3 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.NewId(), @@ -91,17 +96,29 @@ func TestCreateScheme(t *testing.T) { _, r3 := th.SystemAdminClient.CreateScheme(scheme3) CheckBadRequestStatus(t, r3) - // Try and create a scheme with an invalid name. + // Try and create a scheme with an invalid display name. scheme4 := &model.Scheme{ - Name: strings.Repeat(model.NewId(), 100), + DisplayName: strings.Repeat(model.NewId(), 100), + Name: "Name", Description: model.NewId(), Scope: model.NewId(), } _, r4 := th.SystemAdminClient.CreateScheme(scheme4) CheckBadRequestStatus(t, r4) + // Try and create a scheme with an invalid name. + scheme8 := &model.Scheme{ + DisplayName: "DisplayName", + Name: strings.Repeat(model.NewId(), 100), + Description: model.NewId(), + Scope: model.NewId(), + } + _, r8 := th.SystemAdminClient.CreateScheme(scheme8) + CheckBadRequestStatus(t, r8) + // Try and create a scheme without the appropriate permissions. scheme5 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -112,6 +129,7 @@ func TestCreateScheme(t *testing.T) { // Try and create a scheme without a license. th.App.SetLicense(nil) scheme6 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -127,6 +145,7 @@ func TestCreateScheme(t *testing.T) { th.App.SetLicense(model.NewTestLicense("custom_permissions_schemes")) scheme7 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -143,6 +162,7 @@ func TestGetScheme(t *testing.T) { // Basic test of creating a team scheme. scheme1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -155,6 +175,7 @@ func TestGetScheme(t *testing.T) { s1, r1 := th.SystemAdminClient.CreateScheme(scheme1) CheckNoError(t, r1) + assert.Equal(t, s1.DisplayName, scheme1.DisplayName) assert.Equal(t, s1.Name, scheme1.Name) assert.Equal(t, s1.Description, scheme1.Description) assert.NotZero(t, s1.CreateAt) @@ -204,12 +225,14 @@ func TestGetSchemes(t *testing.T) { th.App.SetLicense(model.NewTestLicense("custom_permissions_schemes")) scheme1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, } scheme2 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_CHANNEL, @@ -273,6 +296,7 @@ func TestGetTeamsForScheme(t *testing.T) { assert.Nil(t, res.Err) scheme1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -341,6 +365,7 @@ func TestGetTeamsForScheme(t *testing.T) { CheckForbiddenStatus(t, ri4) scheme2 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_CHANNEL, @@ -370,6 +395,7 @@ func TestGetChannelsForScheme(t *testing.T) { assert.Nil(t, res.Err) scheme1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_CHANNEL, @@ -440,6 +466,7 @@ func TestGetChannelsForScheme(t *testing.T) { CheckForbiddenStatus(t, ri4) scheme2 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -471,6 +498,7 @@ func TestPatchScheme(t *testing.T) { // Basic test of creating a team scheme. scheme1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -479,6 +507,7 @@ func TestPatchScheme(t *testing.T) { s1, r1 := th.SystemAdminClient.CreateScheme(scheme1) CheckNoError(t, r1) + assert.Equal(t, s1.DisplayName, scheme1.DisplayName) assert.Equal(t, s1.Name, scheme1.Name) assert.Equal(t, s1.Description, scheme1.Description) assert.NotZero(t, s1.CreateAt) @@ -497,15 +526,18 @@ func TestPatchScheme(t *testing.T) { // Test with a valid patch. schemePatch := &model.SchemePatch{ + DisplayName: new(string), Name: new(string), Description: new(string), } + *schemePatch.DisplayName = model.NewId() *schemePatch.Name = model.NewId() *schemePatch.Description = model.NewId() s3, r3 := th.SystemAdminClient.PatchScheme(s2.Id, schemePatch) CheckNoError(t, r3) assert.Equal(t, s3.Id, s2.Id) + assert.Equal(t, s3.DisplayName, *schemePatch.DisplayName) assert.Equal(t, s3.Name, *schemePatch.Name) assert.Equal(t, s3.Description, *schemePatch.Description) @@ -515,11 +547,13 @@ func TestPatchScheme(t *testing.T) { // Test with a partial patch. *schemePatch.Name = model.NewId() + *schemePatch.DisplayName = model.NewId() schemePatch.Description = nil s5, r5 := th.SystemAdminClient.PatchScheme(s4.Id, schemePatch) CheckNoError(t, r5) assert.Equal(t, s5.Id, s4.Id) + assert.Equal(t, s5.DisplayName, *schemePatch.DisplayName) assert.Equal(t, s5.Name, *schemePatch.Name) assert.Equal(t, s5.Description, s4.Description) @@ -581,6 +615,7 @@ func TestDeleteScheme(t *testing.T) { // Create a team scheme. scheme1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -656,6 +691,7 @@ func TestDeleteScheme(t *testing.T) { // Create a channel scheme. scheme1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_CHANNEL, @@ -712,6 +748,7 @@ func TestDeleteScheme(t *testing.T) { assert.Nil(t, res.Err) scheme1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_CHANNEL, diff --git a/api4/team_test.go b/api4/team_test.go index 45d8e8f08..a3f4af0cf 100644 --- a/api4/team_test.go +++ b/api4/team_test.go @@ -2083,13 +2083,15 @@ func TestUpdateTeamScheme(t *testing.T) { team, _ = th.SystemAdminClient.CreateTeam(team) teamScheme := &model.Scheme{ - Name: "Name", + DisplayName: "DisplayName", + Name: model.NewId(), Description: "Some description", Scope: model.SCHEME_SCOPE_TEAM, } teamScheme, _ = th.SystemAdminClient.CreateScheme(teamScheme) channelScheme := &model.Scheme{ - Name: "Name", + DisplayName: "DisplayName", + Name: model.NewId(), Description: "Some description", Scope: model.SCHEME_SCOPE_CHANNEL, } diff --git a/app/apptestlib.go b/app/apptestlib.go index b245ddabf..ffd1da055 100644 --- a/app/apptestlib.go +++ b/app/apptestlib.go @@ -316,6 +316,40 @@ func (me *TestHelper) AddUserToChannel(user *model.User, channel *model.Channel) return member } +func (me *TestHelper) CreateScheme() (*model.Scheme, []*model.Role) { + utils.DisableDebugLogForTest() + + scheme, err := me.App.CreateScheme(&model.Scheme{ + DisplayName: "Test Scheme Display Name", + Name: model.NewId(), + Description: "Test scheme description", + Scope: model.SCHEME_SCOPE_TEAM, + }) + if err != nil { + panic(err) + } + + roleIDs := []string{ + scheme.DefaultTeamAdminRole, + scheme.DefaultTeamUserRole, + scheme.DefaultChannelAdminRole, + scheme.DefaultChannelUserRole, + } + + var roles []*model.Role + for _, roleID := range roleIDs { + role, err := me.App.GetRole(roleID) + if err != nil { + panic(err) + } + roles = append(roles, role) + } + + utils.EnableDebugLogForTest() + + return scheme, roles +} + func (me *TestHelper) TearDown() { me.App.Shutdown() os.Remove(me.tempConfigPath) diff --git a/app/permissions.go b/app/permissions.go index 75aa2ecf9..70b8cc689 100644 --- a/app/permissions.go +++ b/app/permissions.go @@ -4,9 +4,17 @@ package app import ( + "bufio" + "encoding/json" + "fmt" + "io" + "github.com/mattermost/mattermost-server/model" + "github.com/pkg/errors" ) +const permissionsExportBatchSize = 100 + func (a *App) ResetPermissionsSystem() *model.AppError { // Reset all Teams to not have a scheme. if result := <-a.Srv.Store.Team().ResetAllTeamSchemes(); result.Err != nil { @@ -38,3 +46,138 @@ func (a *App) ResetPermissionsSystem() *model.AppError { return nil } + +func (a *App) ExportPermissions(w io.Writer) error { + + next := a.SchemesIterator(permissionsExportBatchSize) + var schemeBatch []*model.Scheme + + for schemeBatch = next(); len(schemeBatch) > 0; schemeBatch = next() { + + for _, scheme := range schemeBatch { + + roleIDs := []string{ + scheme.DefaultTeamAdminRole, + scheme.DefaultTeamUserRole, + scheme.DefaultChannelAdminRole, + scheme.DefaultChannelUserRole, + } + + roles := []*model.Role{} + for _, roleID := range roleIDs { + if len(roleID) == 0 { + continue + } + role, err := a.GetRole(roleID) + if err != nil { + return err + } + roles = append(roles, role) + } + + schemeExport, err := json.Marshal(&model.SchemeConveyor{ + Name: scheme.Name, + DisplayName: scheme.DisplayName, + Description: scheme.Description, + Scope: scheme.Scope, + TeamAdmin: scheme.DefaultTeamAdminRole, + TeamUser: scheme.DefaultTeamUserRole, + ChannelAdmin: scheme.DefaultChannelAdminRole, + ChannelUser: scheme.DefaultChannelUserRole, + Roles: roles, + }) + if err != nil { + return err + } + + schemeExport = append(schemeExport, []byte("\n")...) + + _, err = w.Write(schemeExport) + if err != nil { + return err + } + } + + } + + return nil +} + +func (a *App) ImportPermissions(jsonl io.Reader) error { + createdSchemeIDs := []string{} + + scanner := bufio.NewScanner(jsonl) + + for scanner.Scan() { + var schemeConveyor *model.SchemeConveyor + err := json.Unmarshal(scanner.Bytes(), &schemeConveyor) + if err != nil { + return err + } + + // Create the new Scheme. The new Roles are created automatically. + var appErr *model.AppError + schemeCreated, appErr := a.CreateScheme(schemeConveyor.Scheme()) + if appErr != nil { + return errors.New(appErr.Message) + } + createdSchemeIDs = append(createdSchemeIDs, schemeCreated.Id) + + schemeIn := schemeConveyor.Scheme() + roleIDTuples := [][]string{ + {schemeCreated.DefaultTeamAdminRole, schemeIn.DefaultTeamAdminRole}, + {schemeCreated.DefaultTeamUserRole, schemeIn.DefaultTeamUserRole}, + {schemeCreated.DefaultChannelAdminRole, schemeIn.DefaultChannelAdminRole}, + {schemeCreated.DefaultChannelUserRole, schemeIn.DefaultChannelUserRole}, + } + for _, roleIDTuple := range roleIDTuples { + if len(roleIDTuple[0]) == 0 || len(roleIDTuple[1]) == 0 { + continue + } + + err = updateRole(a, schemeConveyor, roleIDTuple[0], roleIDTuple[1]) + if err != nil { + // Delete the new Schemes. The new Roles are deleted automatically. + for _, schemeID := range createdSchemeIDs { + a.DeleteScheme(schemeID) + } + return err + } + } + } + + if err := scanner.Err(); err != nil { + return err + } + + return nil +} + +func updateRole(a *App, sc *model.SchemeConveyor, roleCreatedID, defaultRoleID string) error { + var err *model.AppError + + roleCreated, err := a.GetRole(roleCreatedID) + if err != nil { + return errors.New(err.Message) + } + + var roleIn *model.Role + for _, role := range sc.Roles { + if role.Id == defaultRoleID { + roleIn = role + break + } + } + + roleCreated.Name = roleIn.Name + roleCreated.DisplayName = roleIn.DisplayName + roleCreated.Description = roleIn.Description + roleCreated.Permissions = roleIn.Permissions + + _, err = a.UpdateRole(roleCreated) + if err != nil { + return errors.New(fmt.Sprintf("%v: %v\n", err.Message, err.DetailedError)) + } + + return nil +} diff --git a/app/permissions_test.go b/app/permissions_test.go new file mode 100644 index 000000000..575e21429 --- /dev/null +++ b/app/permissions_test.go @@ -0,0 +1,253 @@ +package app + +import ( + "encoding/json" + "fmt" + "strings" + "testing" + + "github.com/mattermost/mattermost-server/model" +) + +type testWriter struct { + write func(p []byte) (int, error) +} + +func (tw testWriter) Write(p []byte) (int, error) { + return tw.write(p) +} + +func TestExportPermissions(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + var scheme *model.Scheme + var roles []*model.Role + withMigrationMarkedComplete(th, func() { + scheme, roles = th.CreateScheme() + }) + + results := [][]byte{} + + tw := testWriter{ + write: func(p []byte) (int, error) { + results = append(results, p) + return len(p), nil + }, + } + + err := th.App.ExportPermissions(tw) + if err != nil { + t.Error(err) + } + + if len(results) == 0 { + t.Error("Expected export to have returned something.") + } + + firstResult := results[0] + + var row map[string]interface{} + err = json.Unmarshal(firstResult, &row) + if err != nil { + t.Error(err) + } + + getRoleByID := func(id string) string { + for _, role := range roles { + if role.Id == id { + return role.Id + } + } + return "" + } + + expectations := map[string]func(str string) string{ + scheme.DisplayName: func(str string) string { return row["display_name"].(string) }, + scheme.Name: func(str string) string { return row["name"].(string) }, + scheme.Description: func(str string) string { return row["description"].(string) }, + scheme.Scope: func(str string) string { return row["scope"].(string) }, + scheme.DefaultTeamAdminRole: func(str string) string { return getRoleByID(str) }, + scheme.DefaultTeamUserRole: func(str string) string { return getRoleByID(str) }, + scheme.DefaultChannelAdminRole: func(str string) string { return getRoleByID(str) }, + scheme.DefaultChannelUserRole: func(str string) string { return getRoleByID(str) }, + } + + for key, valF := range expectations { + expected := key + actual := valF(key) + if actual != expected { + t.Errorf("Expected %v but got %v.", expected, actual) + } + } + +} + +func TestImportPermissions(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + name := model.NewId() + displayName := model.NewId() + description := "my test description" + scope := model.SCHEME_SCOPE_CHANNEL + roleName1 := model.NewId() + roleName2 := model.NewId() + + var results []*model.Scheme + var beforeCount int + withMigrationMarkedComplete(th, func() { + + var appErr *model.AppError + results, appErr = th.App.GetSchemes(scope, 0, 100) + if appErr != nil { + panic(appErr) + } + beforeCount = len(results) + + json := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2) + r := strings.NewReader(json) + + err := th.App.ImportPermissions(r) + if err != nil { + t.Error(err) + } + results, appErr = th.App.GetSchemes(scope, 0, 100) + if appErr != nil { + panic(appErr) + } + + }) + + actual := len(results) + expected := beforeCount + 1 + if actual != expected { + t.Errorf("Expected %v roles but got %v.", expected, actual) + } + + newScheme := results[0] + + channelAdminRole, appErr := th.App.GetRole(newScheme.DefaultChannelAdminRole) + if appErr != nil { + t.Error(appErr) + } + + channelUserRole, appErr := th.App.GetRole(newScheme.DefaultChannelUserRole) + if appErr != nil { + t.Error(appErr) + } + + expectations := map[string]string{ + newScheme.DisplayName: displayName, + newScheme.Name: name, + newScheme.Description: description, + newScheme.Scope: scope, + newScheme.DefaultTeamAdminRole: "", + newScheme.DefaultTeamUserRole: "", + channelAdminRole.Name: roleName1, + channelUserRole.Name: roleName2, + } + + for actual, expected := range expectations { + if actual != expected { + t.Errorf("Expected %v but got %v.", expected, actual) + } + } + +} + +func TestImportPermissions_idempotentScheme(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + name := model.NewId() + displayName := model.NewId() + description := "my test description" + scope := model.SCHEME_SCOPE_CHANNEL + roleName1 := model.NewId() + roleName2 := model.NewId() + + json := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2) + jsonl := strings.Repeat(json+"\n", 4) + r := strings.NewReader(jsonl) + + var results []*model.Scheme + var expected int + withMigrationMarkedComplete(th, func() { + var appErr *model.AppError + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + expected = len(results) + 1 + + err := th.App.ImportPermissions(r) + if err == nil { + t.Error(err) + } + + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + }) + actual := len(results) + + if expected != actual { + t.Errorf("Expected count to be %v but got %v", expected, actual) + } + +} + +func TestImportPermissions_schemeDeletedOnRoleFailure(t *testing.T) { + th := Setup().InitBasic() + defer th.TearDown() + + name := model.NewId() + displayName := model.NewId() + description := "my test description" + scope := model.SCHEME_SCOPE_CHANNEL + roleName1 := model.NewId() + roleName2 := "some invalid role name" + + jsonl := fmt.Sprintf(`{"display_name":"%v","name":"%v","description":"%v","scope":"%v","default_team_admin_role":"","default_team_user_role":"","default_channel_admin_role":"yzfx3g9xjjfw8cqo6bpn33xr7o","default_channel_user_role":"a7s3cp4n33dfxbsrmyh9djao3a","roles":[{"id":"yzfx3g9xjjfw8cqo6bpn33xr7o","name":"%v","display_name":"Channel Admin Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589687,"update_at":1526475589687,"delete_at":0,"permissions":["manage_channel_roles"],"scheme_managed":true,"built_in":false},{"id":"a7s3cp4n33dfxbsrmyh9djao3a","name":"%v","display_name":"Channel User Role for Scheme my_scheme_1526475590","description":"","create_at":1526475589688,"update_at":1526475589688,"delete_at":0,"permissions":["read_channel","add_reaction","remove_reaction","manage_public_channel_members","upload_file","get_public_link","create_post","use_slash_commands","manage_private_channel_members","delete_post","edit_post"],"scheme_managed":true,"built_in":false}]}`, displayName, name, description, scope, roleName1, roleName2) + r := strings.NewReader(jsonl) + + var results []*model.Scheme + var expected int + withMigrationMarkedComplete(th, func() { + var appErr *model.AppError + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + expected = len(results) + + err := th.App.ImportPermissions(r) + if err == nil { + t.Error(err) + } + + results, appErr = th.App.GetSchemes(model.SCHEME_SCOPE_CHANNEL, 0, 100) + if appErr != nil { + panic(appErr) + } + }) + actual := len(results) + + if expected != actual { + t.Errorf("Expected count to be %v but got %v", expected, actual) + } + +} + +func withMigrationMarkedComplete(th *TestHelper, f func()) { + // Mark the migration as done. + <-th.App.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2) + <-th.App.Srv.Store.System().Save(&model.System{Name: model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2, Value: "true"}) + // Un-mark the migration at the end of the test. + defer func() { + <-th.App.Srv.Store.System().PermanentDeleteByName(model.MIGRATION_KEY_ADVANCED_PERMISSIONS_PHASE_2) + }() + f() +} diff --git a/app/scheme.go b/app/scheme.go index f1dc256b2..c44690954 100644 --- a/app/scheme.go +++ b/app/scheme.go @@ -4,8 +4,10 @@ package app import ( - "github.com/mattermost/mattermost-server/model" "net/http" + + "github.com/mattermost/mattermost-server/model" + "github.com/mattermost/mattermost-server/store" ) func (a *App) GetScheme(id string) (*model.Scheme, *model.AppError) { @@ -146,3 +148,15 @@ func (a *App) IsPhase2MigrationCompleted() *model.AppError { return nil } + +func (a *App) SchemesIterator(batchSize int) func() []*model.Scheme { + offset := 0 + return func() []*model.Scheme { + var result store.StoreResult + if result = <-a.Srv.Store.Scheme().GetAllPage("", offset, batchSize); result.Err != nil { + return []*model.Scheme{} + } + offset += batchSize + return result.Data.([]*model.Scheme) + } +} diff --git a/cmd/commands/permissions.go b/cmd/commands/permissions.go index 33c255a31..e8f862547 100644 --- a/cmd/commands/permissions.go +++ b/cmd/commands/permissions.go @@ -6,10 +6,12 @@ package commands import ( "errors" "fmt" + "os" "github.com/spf13/cobra" "github.com/mattermost/mattermost-server/cmd" + "github.com/mattermost/mattermost-server/utils" ) var PermissionsCmd = &cobra.Command{ @@ -25,11 +27,32 @@ var ResetPermissionsCmd = &cobra.Command{ RunE: resetPermissionsCmdF, } +var ExportPermissionsCmd = &cobra.Command{ + Use: "export", + Short: "Export permissions data", + Long: "Export Roles and Schemes to JSONL for use by Mattermost permissions import.", + Example: " permissions export > export.jsonl", + RunE: exportPermissionsCmdF, + PreRun: func(cmd *cobra.Command, args []string) { + os.Setenv("MM_LOGSETTINGS_CONSOLELEVEL", "error") + }, +} + +var ImportPermissionsCmd = &cobra.Command{ + Use: "import [file]", + Short: "Import permissions data", + Long: "Import Roles and Schemes JSONL data as created by the Mattermost permissions export.", + Example: " permissions import export.jsonl", + RunE: importPermissionsCmdF, +} + func init() { ResetPermissionsCmd.Flags().Bool("confirm", false, "Confirm you really want to reset the permissions system and a database backup has been performed.") PermissionsCmd.AddCommand( ResetPermissionsCmd, + ExportPermissionsCmd, + ImportPermissionsCmd, ) cmd.RootCmd.AddCommand(PermissionsCmd) } @@ -64,3 +87,45 @@ func resetPermissionsCmdF(command *cobra.Command, args []string) error { return nil } + +func exportPermissionsCmdF(command *cobra.Command, args []string) error { + a, err := cmd.InitDBCommandContextCobra(command) + if err != nil { + return err + } + defer a.Shutdown() + + if license := a.License(); license == nil { + return errors.New(utils.T("cli.license.critical")) + } + + if err = a.ExportPermissions(os.Stdout); err != nil { + return errors.New(err.Error()) + } + + return nil +} + +func importPermissionsCmdF(command *cobra.Command, args []string) error { + a, err := cmd.InitDBCommandContextCobra(command) + if err != nil { + return err + } + defer a.Shutdown() + + if license := a.License(); license == nil { + return errors.New(utils.T("cli.license.critical")) + } + + file, err := os.Open(args[0]) + if err != nil { + return err + } + defer file.Close() + + if err := a.ImportPermissions(file); err != nil { + return err + } + + return nil +} diff --git a/cmd/commands/permissions_test.go b/cmd/commands/permissions_test.go new file mode 100644 index 000000000..eeaa17109 --- /dev/null +++ b/cmd/commands/permissions_test.go @@ -0,0 +1,40 @@ +// Copyright (c) 2018-present Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package commands + +import ( + "os" + "os/exec" + "strings" + "testing" + + "github.com/mattermost/mattermost-server/api4" + "github.com/mattermost/mattermost-server/utils" +) + +func TestPermissionsExport_rejectsUnlicensed(t *testing.T) { + permissionsLicenseRequiredTest(t, "export") +} + +func TestPermissionsImport_rejectsUnlicensed(t *testing.T) { + permissionsLicenseRequiredTest(t, "import") +} + +func permissionsLicenseRequiredTest(t *testing.T, subcommand string) { + th := api4.Setup().InitBasic() + defer th.TearDown() + + path, err := os.Executable() + if err != nil { + t.Fail() + } + args := []string{"-test.run", "ExecCommand", "--", "--disableconfigwatch", "permissions", subcommand} + output, err := exec.Command(path, args...).CombinedOutput() + + actual := string(output) + expected := utils.T("cli.license.critical") + if !strings.Contains(actual, expected) { + t.Errorf("Expected '%v' but got '%v'.", expected, actual) + } +} diff --git a/model/scheme.go b/model/scheme.go index f949d9122..959b80c24 100644 --- a/model/scheme.go +++ b/model/scheme.go @@ -5,19 +5,23 @@ package model import ( "encoding/json" + "fmt" "io" + "regexp" ) const ( - SCHEME_NAME_MAX_LENGTH = 64 - SCHEME_DESCRIPTION_MAX_LENGTH = 1024 - SCHEME_SCOPE_TEAM = "team" - SCHEME_SCOPE_CHANNEL = "channel" + SCHEME_DISPLAY_NAME_MAX_LENGTH = 128 + SCHEME_NAME_MAX_LENGTH = 64 + SCHEME_DESCRIPTION_MAX_LENGTH = 1024 + SCHEME_SCOPE_TEAM = "team" + SCHEME_SCOPE_CHANNEL = "channel" ) type Scheme struct { Id string `json:"id"` Name string `json:"name"` + DisplayName string `json:"display_name"` Description string `json:"description"` CreateAt int64 `json:"create_at"` UpdateAt int64 `json:"update_at"` @@ -31,6 +35,7 @@ type Scheme struct { type SchemePatch struct { Name *string `json:"name"` + DisplayName *string `json:"display_name"` Description *string `json:"description"` } @@ -38,6 +43,32 @@ type SchemeIDPatch struct { SchemeID *string `json:"scheme_id"` } +// SchemeConveyor is used for importing and exporting a Scheme and its associated Roles. +type SchemeConveyor struct { + Name string `json:"name"` + DisplayName string `json:"display_name"` + Description string `json:"description"` + Scope string `json:"scope"` + TeamAdmin string `json:"default_team_admin_role"` + TeamUser string `json:"default_team_user_role"` + ChannelAdmin string `json:"default_channel_admin_role"` + ChannelUser string `json:"default_channel_user_role"` + Roles []*Role `json:"roles"` +} + +func (sc *SchemeConveyor) Scheme() *Scheme { + return &Scheme{ + DisplayName: sc.DisplayName, + Name: sc.Name, + Description: sc.Description, + Scope: sc.Scope, + DefaultTeamAdminRole: sc.TeamAdmin, + DefaultTeamUserRole: sc.TeamUser, + DefaultChannelAdminRole: sc.ChannelAdmin, + DefaultChannelUserRole: sc.ChannelUser, + } +} + func (scheme *Scheme) ToJson() string { b, _ := json.Marshal(scheme) return string(b) @@ -72,7 +103,11 @@ func (scheme *Scheme) IsValid() bool { } func (scheme *Scheme) IsValidForCreate() bool { - if len(scheme.Name) == 0 || len(scheme.Name) > SCHEME_NAME_MAX_LENGTH { + if len(scheme.DisplayName) == 0 || len(scheme.DisplayName) > SCHEME_DISPLAY_NAME_MAX_LENGTH { + return false + } + + if !IsValidSchemeName(scheme.Name) { return false } @@ -118,6 +153,9 @@ func (scheme *Scheme) IsValidForCreate() bool { } func (scheme *Scheme) Patch(patch *SchemePatch) { + if patch.DisplayName != nil { + scheme.DisplayName = *patch.DisplayName + } if patch.Name != nil { scheme.Name = *patch.Name } @@ -147,3 +185,8 @@ func (p *SchemeIDPatch) ToJson() string { b, _ := json.Marshal(p) return string(b) } + +func IsValidSchemeName(name string) bool { + re := regexp.MustCompile(fmt.Sprintf("^[a-z0-9_]{0,%d}$", SCHEME_NAME_MAX_LENGTH)) + return re.MatchString(name) +} diff --git a/store/sqlstore/scheme_supplier.go b/store/sqlstore/scheme_supplier.go index e15bb3629..776ca9130 100644 --- a/store/sqlstore/scheme_supplier.go +++ b/store/sqlstore/scheme_supplier.go @@ -20,8 +20,9 @@ func initSqlSupplierSchemes(sqlStore SqlStore) { for _, db := range sqlStore.GetAllConns() { table := db.AddTableWithName(model.Scheme{}, "Schemes").SetKeys(false, "Id") table.ColMap("Id").SetMaxSize(26) - table.ColMap("Name").SetMaxSize(64) - table.ColMap("Description").SetMaxSize(1024) + table.ColMap("Name").SetMaxSize(model.SCHEME_NAME_MAX_LENGTH).SetUnique(true) + table.ColMap("DisplayName").SetMaxSize(model.SCHEME_DISPLAY_NAME_MAX_LENGTH) + table.ColMap("Description").SetMaxSize(model.SCHEME_DESCRIPTION_MAX_LENGTH) table.ColMap("Scope").SetMaxSize(32) table.ColMap("DefaultTeamAdminRole").SetMaxSize(64) table.ColMap("DefaultTeamUserRole").SetMaxSize(64) diff --git a/store/storetest/channel_store.go b/store/storetest/channel_store.go index 21db7eb91..d70046d19 100644 --- a/store/storetest/channel_store.go +++ b/store/storetest/channel_store.go @@ -2164,12 +2164,14 @@ func testChannelStoreMaxChannelsPerTeam(t *testing.T, ss store.Store) { func testChannelStoreGetChannelsByScheme(t *testing.T, ss store.Store) { // Create some schemes. s1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_CHANNEL, } s2 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_CHANNEL, diff --git a/store/storetest/scheme_store.go b/store/storetest/scheme_store.go index 636000953..30a63d4c1 100644 --- a/store/storetest/scheme_store.go +++ b/store/storetest/scheme_store.go @@ -63,6 +63,7 @@ func createDefaultRoles(t *testing.T, ss store.Store) { func testSchemeStoreSave(t *testing.T, ss store.Store) { // Save a new scheme. s1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -73,6 +74,7 @@ func testSchemeStoreSave(t *testing.T, ss store.Store) { assert.Nil(t, res1.Err) d1 := res1.Data.(*model.Scheme) assert.Len(t, d1.Id, 26) + assert.Equal(t, s1.DisplayName, d1.DisplayName) assert.Equal(t, s1.Name, d1.Name) assert.Equal(t, s1.Description, d1.Description) assert.NotZero(t, d1.CreateAt) @@ -116,6 +118,7 @@ func testSchemeStoreSave(t *testing.T, ss store.Store) { assert.Nil(t, res2.Err) d2 := res2.Data.(*model.Scheme) assert.Equal(t, d1.Id, d2.Id) + assert.Equal(t, s1.DisplayName, d2.DisplayName) assert.Equal(t, s1.Name, d2.Name) assert.Equal(t, d1.Description, d2.Description) assert.NotZero(t, d2.CreateAt) @@ -130,6 +133,7 @@ func testSchemeStoreSave(t *testing.T, ss store.Store) { // Try saving one with an invalid ID set. s3 := &model.Scheme{ Id: model.NewId(), + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -142,6 +146,7 @@ func testSchemeStoreSave(t *testing.T, ss store.Store) { func testSchemeStoreGet(t *testing.T, ss store.Store) { // Save a scheme to test with. s1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -157,6 +162,7 @@ func testSchemeStoreGet(t *testing.T, ss store.Store) { assert.Nil(t, res2.Err) d2 := res1.Data.(*model.Scheme) assert.Equal(t, d1.Id, d2.Id) + assert.Equal(t, s1.DisplayName, d2.DisplayName) assert.Equal(t, s1.Name, d2.Name) assert.Equal(t, d1.Description, d2.Description) assert.NotZero(t, d2.CreateAt) @@ -177,21 +183,25 @@ func testSchemeStoreGetAllPage(t *testing.T, ss store.Store) { // Save a scheme to test with. schemes := []*model.Scheme{ { + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, }, { + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_CHANNEL, }, { + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, }, { + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_CHANNEL, @@ -211,6 +221,10 @@ func testSchemeStoreGetAllPage(t *testing.T, ss store.Store) { assert.Nil(t, r2.Err) s2 := r2.Data.([]*model.Scheme) assert.Len(t, s2, 2) + assert.NotEqual(t, s1[0].DisplayName, s2[0].DisplayName) + assert.NotEqual(t, s1[0].DisplayName, s2[1].DisplayName) + assert.NotEqual(t, s1[1].DisplayName, s2[0].DisplayName) + assert.NotEqual(t, s1[1].DisplayName, s2[1].DisplayName) assert.NotEqual(t, s1[0].Name, s2[0].Name) assert.NotEqual(t, s1[0].Name, s2[1].Name) assert.NotEqual(t, s1[1].Name, s2[0].Name) @@ -236,6 +250,7 @@ func testSchemeStoreGetAllPage(t *testing.T, ss store.Store) { func testSchemeStoreDelete(t *testing.T, ss store.Store) { // Save a new scheme. s1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -246,6 +261,7 @@ func testSchemeStoreDelete(t *testing.T, ss store.Store) { assert.Nil(t, res1.Err) d1 := res1.Data.(*model.Scheme) assert.Len(t, d1.Id, 26) + assert.Equal(t, s1.DisplayName, d1.DisplayName) assert.Equal(t, s1.Name, d1.Name) assert.Equal(t, s1.Description, d1.Description) assert.NotZero(t, d1.CreateAt) @@ -317,6 +333,7 @@ func testSchemeStoreDelete(t *testing.T, ss store.Store) { // Try deleting a team scheme that's in use. s4 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, @@ -346,6 +363,7 @@ func testSchemeStoreDelete(t *testing.T, ss store.Store) { // Try deleting a channel scheme that's in use. s5 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_CHANNEL, diff --git a/store/storetest/team_store.go b/store/storetest/team_store.go index 996f8fd8f..72c6f89f1 100644 --- a/store/storetest/team_store.go +++ b/store/storetest/team_store.go @@ -1041,12 +1041,14 @@ func testUpdateLastTeamIconUpdate(t *testing.T, ss store.Store) { func testGetTeamsByScheme(t *testing.T, ss store.Store) { // Create some schemes. s1 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, } s2 := &model.Scheme{ + DisplayName: model.NewId(), Name: model.NewId(), Description: model.NewId(), Scope: model.SCHEME_SCOPE_TEAM, -- cgit v1.2.3-1-g7c22