From 6a9aa855d1c862e4d39f8c00c6b7425405e7a612 Mon Sep 17 00:00:00 2001
From: Joram Wilander
Date: Mon, 14 May 2018 11:27:30 -0400
Subject: Move SAML endpoints out of api package (#8780)

---
 api/user.go | 131 ------------------------------------------------------------
 1 file changed, 131 deletions(-)
(limited to 'api/user.go')

diff --git a/api/user.go b/api/user.go
index 5931eac1e..7592d1119 100644
--- a/api/user.go
+++ b/api/user.go
@@ -4,11 +4,9 @@
 package api
 
 import (
- b64 "encoding/base64"
  "fmt"
  "net/http"
  "strconv"
- "strings"
  "time"
 
  "github.com/gorilla/mux"
@@ -62,9 +60,6 @@ func (api *API) InitUser() {
  api.BaseRoutes.NeedUser.Handle("/audits", api.ApiUserRequired(getAudits)).Methods("GET")
  api.BaseRoutes.NeedUser.Handle("/image", api.ApiUserRequiredTrustRequester(getProfileImage)).Methods("GET")
  api.BaseRoutes.NeedUser.Handle("/update_roles", api.ApiUserRequired(updateRoles)).Methods("POST")
-
- api.BaseRoutes.Root.Handle("/login/sso/saml", api.AppHandlerIndependent(loginWithSaml)).Methods("GET")
- api.BaseRoutes.Root.Handle("/login/sso/saml", api.AppHandlerIndependent(completeSaml)).Methods("POST")
 }
 
 func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
@@ -1080,132 +1075,6 @@ func checkMfa(c *Context, w http.ResponseWriter, r *http.Request) {
  w.Write([]byte(model.MapToJson(rdata)))
 }
 
-func loginWithSaml(c *Context, w http.ResponseWriter, r *http.Request) {
- samlInterface := c.App.Saml
-
- if samlInterface == nil {
- c.Err = model.NewAppError("loginWithSaml", "api.user.saml.not_available.app_error", nil, "", http.StatusFound)
- return
- }
-
- teamId, err := c.App.GetTeamIdFromQuery(r.URL.Query())
- if err != nil {
- c.Err = err
- return
- }
- action := r.URL.Query().Get("action")
- redirectTo := r.URL.Query().Get("redirect_to")
- relayProps := map[string]string{}
- relayState := ""
-
- if len(action) != 0 {
- relayProps["team_id"] = teamId
- relayProps["action"] = action
- if action == model.OAUTH_ACTION_EMAIL_TO_SSO {
- relayProps["email"] = r.URL.Query().Get("email")
- }
- }
-
- if len(redirectTo) != 0 {
- relayProps["redirect_to"] = redirectTo
- }
-
- if len(relayProps) > 0 {
- relayState = b64.StdEncoding.EncodeToString([]byte(model.MapToJson(relayProps)))
- }
-
- if data, err := samlInterface.BuildRequest(relayState); err != nil {
- c.Err = err
- return
- } else {
- w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
- http.Redirect(w, r, data.URL, http.StatusFound)
- }
-}
-
-func completeSaml(c *Context, w http.ResponseWriter, r *http.Request) {
- samlInterface := c.App.Saml
-
- if samlInterface == nil {
- c.Err = model.NewAppError("completeSaml", "api.user.saml.not_available.app_error", nil, "", http.StatusFound)
- return
- }
-
- //Validate that the user is with SAML and all that
- encodedXML := r.FormValue("SAMLResponse")
- relayState := r.FormValue("RelayState")
-
- relayProps := make(map[string]string)
- if len(relayState) > 0 {
- stateStr := ""
- if b, err := b64.StdEncoding.DecodeString(relayState); err != nil {
- c.Err = model.NewAppError("completeSaml", "api.user.authorize_oauth_user.invalid_state.app_error", nil, err.Error(), http.StatusFound)
- return
- } else {
- stateStr = string(b)
- }
- relayProps = model.MapFromJson(strings.NewReader(stateStr))
- }
-
- action := relayProps["action"]
- if user, err := samlInterface.DoLogin(encodedXML, relayProps); err != nil {
- if action == model.OAUTH_ACTION_MOBILE {
- err.Translate(c.T)
- w.Write([]byte(err.ToJson()))
- } else {
- c.Err = err
- c.Err.StatusCode = http.StatusFound
- }
- return
- } else {
- if err := c.App.CheckUserAllAuthenticationCriteria(user, ""); err != nil {
- c.Err = err
- c.Err.StatusCode = http.StatusFound
- return
- }
-
- switch action {
- case model.OAUTH_ACTION_SIGNUP:
- teamId := relayProps["team_id"]
- if len(teamId) > 0 {
- c.App.Go(func() {
- if err := c.App.AddUserToTeamByTeamId(teamId, user); err != nil {
- mlog.Error(err.Error())
- } else {
- c.App.AddDirectChannels(teamId, user)
- }
- })
- }
- case model.OAUTH_ACTION_EMAIL_TO_SSO:
- if err := c.App.RevokeAllSessions(user.Id); err != nil {
- c.Err = err
- return
- }
- c.LogAuditWithUserId(user.Id, "Revoked all sessions for user")
- c.App.Go(func() {
- if err := c.App.SendSignInChangeEmail(user.Email, strings.Title(model.USER_AUTH_SERVICE_SAML)+" SSO", user.Locale, c.App.GetSiteURL()); err != nil {
- mlog.Error(err.Error())
- }
- })
- }
- doLogin(c, w, r, user, "")
- if c.Err != nil {
- return
- }
-
- if val, ok := relayProps["redirect_to"]; ok {
- http.Redirect(w, r, c.GetSiteURLHeader()+val, http.StatusFound)
- return
- }
-
- if action == model.OAUTH_ACTION_MOBILE {
- ReturnStatusOK(w)
- } else {
- http.Redirect(w, r, app.GetProtocol(r)+"://"+r.Host, http.StatusFound)
- }
- }
-}
-
 func sanitizeProfile(c *Context, user *model.User) *model.User {
  options := c.App.Config().GetSanitizeOptions()
 
-- 
cgit v1.2.3-1-g7c22