From 3559fb7959cf008b038239f2e7c43e604c44cd31 Mon Sep 17 00:00:00 2001 From: Joram Wilander Date: Mon, 13 Mar 2017 08:26:23 -0400 Subject: Implement SAML endpoints for APIv4 (#5671) * Implement SAML endpoints for APIv4 * Fix unit test * Only disable encryption when removing puplic/private certs --- api4/api.go | 4 ++ api4/apitestlib.go | 31 ++++++++++ api4/saml.go | 171 +++++++++++++++++++++++++++++++++++++++++++++++++++++ api4/saml_test.go | 19 ++++++ 4 files changed, 225 insertions(+) create mode 100644 api4/saml.go create mode 100644 api4/saml_test.go (limited to 'api4') diff --git a/api4/api.go b/api4/api.go index c8c0e170b..71dfbcdf3 100644 --- a/api4/api.go +++ b/api4/api.go @@ -60,6 +60,8 @@ type Routes struct { OAuth *mux.Router // 'api/v4/oauth' + SAML *mux.Router // 'api/v4/saml' + Admin *mux.Router // 'api/v4/admin' System *mux.Router // 'api/v4/system' @@ -127,6 +129,7 @@ func InitApi(full bool) { BaseRoutes.OutgoingHooks = BaseRoutes.Hooks.PathPrefix("/outgoing").Subrouter() BaseRoutes.OutgoingHook = BaseRoutes.OutgoingHooks.PathPrefix("/{hook_id:[A-Za-z0-9]+}").Subrouter() + BaseRoutes.SAML = BaseRoutes.ApiRoot.PathPrefix("/saml").Subrouter() BaseRoutes.OAuth = BaseRoutes.ApiRoot.PathPrefix("/oauth").Subrouter() BaseRoutes.Admin = BaseRoutes.ApiRoot.PathPrefix("/admin").Subrouter() BaseRoutes.System = BaseRoutes.ApiRoot.PathPrefix("/system").Subrouter() @@ -147,6 +150,7 @@ func InitApi(full bool) { InitSystem() InitWebhook() InitPreference() + InitSaml() app.Srv.Router.Handle("/api/v4/{anything:.*}", http.HandlerFunc(Handle404)) diff --git a/api4/apitestlib.go b/api4/apitestlib.go index 3d2feaf6e..30dbfadae 100644 --- a/api4/apitestlib.go +++ b/api4/apitestlib.go @@ -38,6 +38,37 @@ type TestHelper struct { SystemAdminUser *model.User } +func SetupEnterprise() *TestHelper { + if app.Srv == nil { + utils.TranslationsPreInit() + utils.LoadConfig("config.json") + utils.InitTranslations(utils.Cfg.LocalizationSettings) + utils.Cfg.TeamSettings.MaxUsersPerTeam = 50 + *utils.Cfg.RateLimitSettings.Enable = false + utils.Cfg.EmailSettings.SendEmailNotifications = true + utils.Cfg.EmailSettings.SMTPServer = "dockerhost" + utils.Cfg.EmailSettings.SMTPPort = "2500" + utils.Cfg.EmailSettings.FeedbackEmail = "test@example.com" + utils.DisableDebugLogForTest() + utils.License.Features.SetDefaults() + app.NewServer() + app.InitStores() + InitRouter() + app.StartServer() + utils.InitHTML() + InitApi(true) + utils.EnableDebugLogForTest() + app.Srv.Store.MarkSystemRanUnitTests() + + *utils.Cfg.TeamSettings.EnableOpenServer = true + } + + th := &TestHelper{} + th.Client = th.CreateClient() + th.SystemAdminClient = th.CreateClient() + return th +} + func Setup() *TestHelper { if app.Srv == nil { utils.TranslationsPreInit() diff --git a/api4/saml.go b/api4/saml.go new file mode 100644 index 000000000..e2c35f30d --- /dev/null +++ b/api4/saml.go @@ -0,0 +1,171 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package api4 + +import ( + "mime/multipart" + "net/http" + + l4g "github.com/alecthomas/log4go" + "github.com/mattermost/platform/app" + "github.com/mattermost/platform/model" + "github.com/mattermost/platform/utils" +) + +func InitSaml() { + l4g.Debug(utils.T("api.saml.init.debug")) + + BaseRoutes.SAML.Handle("/metadata", ApiHandler(getSamlMetadata)).Methods("GET") + + BaseRoutes.SAML.Handle("/certificate/public", ApiSessionRequired(addSamlPublicCertificate)).Methods("POST") + BaseRoutes.SAML.Handle("/certificate/private", ApiSessionRequired(addSamlPrivateCertificate)).Methods("POST") + BaseRoutes.SAML.Handle("/certificate/idp", ApiSessionRequired(addSamlIdpCertificate)).Methods("POST") + + BaseRoutes.SAML.Handle("/certificate/public", ApiSessionRequired(removeSamlPublicCertificate)).Methods("DELETE") + BaseRoutes.SAML.Handle("/certificate/private", ApiSessionRequired(removeSamlPrivateCertificate)).Methods("DELETE") + BaseRoutes.SAML.Handle("/certificate/idp", ApiSessionRequired(removeSamlIdpCertificate)).Methods("DELETE") + + BaseRoutes.SAML.Handle("/certificate/status", ApiSessionRequired(getSamlCertificateStatus)).Methods("GET") +} + +func getSamlMetadata(c *Context, w http.ResponseWriter, r *http.Request) { + metadata, err := app.GetSamlMetadata() + if err != nil { + c.Err = err + return + } + + w.Header().Set("Content-Type", "application/xml") + w.Header().Set("Content-Disposition", "attachment; filename=\"metadata.xml\"") + w.Write([]byte(metadata)) +} + +func parseSamlCertificateRequest(r *http.Request) (*multipart.FileHeader, *model.AppError) { + err := r.ParseMultipartForm(*utils.Cfg.FileSettings.MaxFileSize) + if err != nil { + return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, err.Error(), http.StatusBadRequest) + } + + m := r.MultipartForm + + fileArray, ok := m.File["certificate"] + if !ok { + return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.no_file.app_error", nil, "", http.StatusBadRequest) + } + + if len(fileArray) <= 0 { + return nil, model.NewAppError("addSamlCertificate", "api.admin.add_certificate.array.app_error", nil, "", http.StatusBadRequest) + } + + return fileArray[0], nil +} + +func addSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + fileData, err := parseSamlCertificateRequest(r) + if err != nil { + c.Err = err + return + } + + if err := app.AddSamlPublicCertificate(fileData); err != nil { + c.Err = err + return + } + ReturnStatusOK(w) +} + +func addSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + fileData, err := parseSamlCertificateRequest(r) + if err != nil { + c.Err = err + return + } + + if err := app.AddSamlPrivateCertificate(fileData); err != nil { + c.Err = err + return + } + ReturnStatusOK(w) +} + +func addSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + fileData, err := parseSamlCertificateRequest(r) + if err != nil { + c.Err = err + return + } + + if err := app.AddSamlIdpCertificate(fileData); err != nil { + c.Err = err + return + } + ReturnStatusOK(w) +} + +func removeSamlPublicCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + if err := app.RemoveSamlPublicCertificate(); err != nil { + c.Err = err + return + } + + ReturnStatusOK(w) +} + +func removeSamlPrivateCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + if err := app.RemoveSamlPrivateCertificate(); err != nil { + c.Err = err + return + } + + ReturnStatusOK(w) +} + +func removeSamlIdpCertificate(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + if err := app.RemoveSamlIdpCertificate(); err != nil { + c.Err = err + return + } + + ReturnStatusOK(w) +} + +func getSamlCertificateStatus(c *Context, w http.ResponseWriter, r *http.Request) { + if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { + c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) + return + } + + status := app.GetSamlCertificateStatus() + w.Write([]byte(status.ToJson())) +} diff --git a/api4/saml_test.go b/api4/saml_test.go new file mode 100644 index 000000000..7e4722a3b --- /dev/null +++ b/api4/saml_test.go @@ -0,0 +1,19 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package api4 + +import ( + "testing" +) + +func TestGetSamlMetadata(t *testing.T) { + th := Setup().InitBasic().InitSystemAdmin() + defer TearDown() + Client := th.Client + + _, resp := Client.GetSamlMetadata() + CheckNotImplementedStatus(t, resp) + + // Rest is tested by enterprise tests +} -- cgit v1.2.3-1-g7c22