From 59992ae4a4638006ec1489dd834151b258c1728c Mon Sep 17 00:00:00 2001 From: Joram Wilander Date: Mon, 31 Jul 2017 12:59:32 -0400 Subject: PLT-6763 Implement user access tokens and new roles (server-side) (#6972) * Implement user access tokens and new roles * Update config.json * Add public post permission to apiv3 * Remove old comment * Fix model unit test * Updates to store per feedback * Updates per feedback from CS --- store/layered_store.go | 4 + store/sql_store.go | 1 + store/sql_supplier.go | 47 +++--- store/sql_user_access_token_store.go | 262 ++++++++++++++++++++++++++++++ store/sql_user_access_token_store_test.go | 86 ++++++++++ store/store.go | 10 ++ 6 files changed, 390 insertions(+), 20 deletions(-) create mode 100644 store/sql_user_access_token_store.go create mode 100644 store/sql_user_access_token_store_test.go (limited to 'store') diff --git a/store/layered_store.go b/store/layered_store.go index 3d3f941e8..4eb908659 100644 --- a/store/layered_store.go +++ b/store/layered_store.go @@ -139,6 +139,10 @@ func (s *LayeredStore) Job() JobStore { return s.DatabaseLayer.Job() } +func (s *LayeredStore) UserAccessToken() UserAccessTokenStore { + return s.DatabaseLayer.UserAccessToken() +} + func (s *LayeredStore) MarkSystemRanUnitTests() { s.DatabaseLayer.MarkSystemRanUnitTests() } diff --git a/store/sql_store.go b/store/sql_store.go index a039401f3..817f3fb0f 100644 --- a/store/sql_store.go +++ b/store/sql_store.go @@ -80,4 +80,5 @@ type SqlStore interface { FileInfo() FileInfoStore Reaction() ReactionStore Job() JobStore + UserAccessToken() UserAccessTokenStore } diff --git a/store/sql_supplier.go b/store/sql_supplier.go index df934f2cb..a5f4f71b6 100644 --- a/store/sql_supplier.go +++ b/store/sql_supplier.go @@ -58,26 +58,27 @@ const ( ) type SqlSupplierOldStores struct { - team TeamStore - channel ChannelStore - post PostStore - user UserStore - audit AuditStore - cluster ClusterDiscoveryStore - compliance ComplianceStore - session SessionStore - oauth OAuthStore - system SystemStore - webhook WebhookStore - command CommandStore - preference PreferenceStore - license LicenseStore - token TokenStore - emoji EmojiStore - status StatusStore - fileInfo FileInfoStore - reaction ReactionStore - job JobStore + team TeamStore + channel ChannelStore + post PostStore + user UserStore + audit AuditStore + cluster ClusterDiscoveryStore + compliance ComplianceStore + session SessionStore + oauth OAuthStore + system SystemStore + webhook WebhookStore + command CommandStore + preference PreferenceStore + license LicenseStore + token TokenStore + emoji EmojiStore + status StatusStore + fileInfo FileInfoStore + reaction ReactionStore + job JobStore + userAccessToken UserAccessTokenStore } type SqlSupplier struct { @@ -117,6 +118,7 @@ func NewSqlSupplier() *SqlSupplier { supplier.oldStores.status = NewSqlStatusStore(supplier) supplier.oldStores.fileInfo = NewSqlFileInfoStore(supplier) supplier.oldStores.job = NewSqlJobStore(supplier) + supplier.oldStores.userAccessToken = NewSqlUserAccessTokenStore(supplier) initSqlSupplierReactions(supplier) @@ -147,6 +149,7 @@ func NewSqlSupplier() *SqlSupplier { supplier.oldStores.status.(*SqlStatusStore).CreateIndexesIfNotExists() supplier.oldStores.fileInfo.(*SqlFileInfoStore).CreateIndexesIfNotExists() supplier.oldStores.job.(*SqlJobStore).CreateIndexesIfNotExists() + supplier.oldStores.userAccessToken.(*SqlUserAccessTokenStore).CreateIndexesIfNotExists() supplier.oldStores.preference.(*SqlPreferenceStore).DeleteUnusedFeatures() @@ -760,6 +763,10 @@ func (ss *SqlSupplier) Job() JobStore { return ss.oldStores.job } +func (ss *SqlSupplier) UserAccessToken() UserAccessTokenStore { + return ss.oldStores.userAccessToken +} + func (ss *SqlSupplier) DropAllTables() { ss.master.TruncateTables() } diff --git a/store/sql_user_access_token_store.go b/store/sql_user_access_token_store.go new file mode 100644 index 000000000..c8a67bbe7 --- /dev/null +++ b/store/sql_user_access_token_store.go @@ -0,0 +1,262 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package store + +import ( + "database/sql" + "net/http" + + "github.com/mattermost/gorp" + "github.com/mattermost/platform/model" + "github.com/mattermost/platform/utils" +) + +type SqlUserAccessTokenStore struct { + SqlStore +} + +func NewSqlUserAccessTokenStore(sqlStore SqlStore) UserAccessTokenStore { + s := &SqlUserAccessTokenStore{sqlStore} + + for _, db := range sqlStore.GetAllConns() { + table := db.AddTableWithName(model.UserAccessToken{}, "UserAccessTokens").SetKeys(false, "Id") + table.ColMap("Id").SetMaxSize(26) + table.ColMap("Token").SetMaxSize(26).SetUnique(true) + table.ColMap("UserId").SetMaxSize(26) + table.ColMap("Description").SetMaxSize(512) + } + + return s +} + +func (s SqlUserAccessTokenStore) CreateIndexesIfNotExists() { + s.CreateIndexIfNotExists("idx_user_access_tokens_token", "UserAccessTokens", "Token") + s.CreateIndexIfNotExists("idx_user_access_tokens_user_id", "UserAccessTokens", "UserId") +} + +func (s SqlUserAccessTokenStore) Save(token *model.UserAccessToken) StoreChannel { + + storeChannel := make(StoreChannel, 1) + + go func() { + result := StoreResult{} + + token.PreSave() + + if result.Err = token.IsValid(); result.Err != nil { + storeChannel <- result + close(storeChannel) + return + } + + if err := s.GetMaster().Insert(token); err != nil { + result.Err = model.NewAppError("SqlUserAccessTokenStore.Save", "store.sql_user_access_token.save.app_error", nil, "", http.StatusInternalServerError) + } else { + result.Data = token + } + + storeChannel <- result + close(storeChannel) + }() + + return storeChannel +} + +func (s SqlUserAccessTokenStore) Delete(tokenId string) StoreChannel { + + storeChannel := make(StoreChannel, 1) + + go func() { + result := StoreResult{} + + transaction, err := s.GetMaster().Begin() + if err != nil { + result.Err = model.NewAppError("SqlUserAccessTokenStore.Delete", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError) + } else { + if extrasResult := s.deleteSessionsAndTokensById(transaction, tokenId); extrasResult.Err != nil { + result = extrasResult + } + + if result.Err == nil { + if err := transaction.Commit(); err != nil { + // don't need to rollback here since the transaction is already closed + result.Err = model.NewAppError("SqlUserAccessTokenStore.Delete", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError) + } + } else { + if err := transaction.Rollback(); err != nil { + result.Err = model.NewAppError("SqlUserAccessTokenStore.Delete", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError) + } + } + } + + storeChannel <- result + close(storeChannel) + }() + + return storeChannel +} + +func (s SqlUserAccessTokenStore) deleteSessionsAndTokensById(transaction *gorp.Transaction, tokenId string) StoreResult { + result := StoreResult{} + + query := "" + if utils.Cfg.SqlSettings.DriverName == model.DATABASE_DRIVER_POSTGRES { + query = "DELETE FROM Sessions s USING UserAccessTokens o WHERE o.Token = s.Token AND o.Id = :Id" + } else if utils.Cfg.SqlSettings.DriverName == model.DATABASE_DRIVER_MYSQL { + query = "DELETE s.* FROM Sessions s INNER JOIN UserAccessTokens o ON o.Token = s.Token WHERE o.Id = :Id" + } + + if _, err := transaction.Exec(query, map[string]interface{}{"Id": tokenId}); err != nil { + result.Err = model.NewAppError("SqlUserAccessTokenStore.deleteSessionsById", "store.sql_user_access_token.delete.app_error", nil, "id="+tokenId+", err="+err.Error(), http.StatusInternalServerError) + return result + } + + return s.deleteTokensById(transaction, tokenId) +} + +func (s SqlUserAccessTokenStore) deleteTokensById(transaction *gorp.Transaction, tokenId string) StoreResult { + result := StoreResult{} + + if _, err := transaction.Exec("DELETE FROM UserAccessTokens WHERE Id = :Id", map[string]interface{}{"Id": tokenId}); err != nil { + result.Err = model.NewAppError("SqlUserAccessTokenStore.deleteTokensById", "store.sql_user_access_token.delete.app_error", nil, "", http.StatusInternalServerError) + } + + return result +} + +func (s SqlUserAccessTokenStore) DeleteAllForUser(userId string) StoreChannel { + + storeChannel := make(StoreChannel, 1) + + go func() { + result := StoreResult{} + + transaction, err := s.GetMaster().Begin() + if err != nil { + result.Err = model.NewAppError("SqlUserAccessTokenStore.DeleteAllForUser", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError) + } else { + if extrasResult := s.deleteSessionsandTokensByUser(transaction, userId); extrasResult.Err != nil { + result = extrasResult + } + + if result.Err == nil { + if err := transaction.Commit(); err != nil { + // don't need to rollback here since the transaction is already closed + result.Err = model.NewAppError("SqlUserAccessTokenStore.DeleteAllForUser", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError) + } + } else { + if err := transaction.Rollback(); err != nil { + result.Err = model.NewAppError("SqlUserAccessTokenStore.DeleteAllForUser", "store.sql_user_access_token.delete.app_error", nil, err.Error(), http.StatusInternalServerError) + } + } + } + + storeChannel <- result + close(storeChannel) + }() + + return storeChannel +} + +func (s SqlUserAccessTokenStore) deleteSessionsandTokensByUser(transaction *gorp.Transaction, userId string) StoreResult { + result := StoreResult{} + + query := "" + if utils.Cfg.SqlSettings.DriverName == model.DATABASE_DRIVER_POSTGRES { + query = "DELETE FROM Sessions s USING UserAccessTokens o WHERE o.Token = s.Token AND o.UserId = :UserId" + } else if utils.Cfg.SqlSettings.DriverName == model.DATABASE_DRIVER_MYSQL { + query = "DELETE s.* FROM Sessions s INNER JOIN UserAccessTokens o ON o.Token = s.Token WHERE o.UserId = :UserId" + } + + if _, err := transaction.Exec(query, map[string]interface{}{"UserId": userId}); err != nil { + result.Err = model.NewAppError("SqlUserAccessTokenStore.deleteSessionsByUser", "store.sql_user_access_token.delete.app_error", nil, "user_id="+userId+", err="+err.Error(), http.StatusInternalServerError) + return result + } + + return s.deleteTokensByUser(transaction, userId) +} + +func (s SqlUserAccessTokenStore) deleteTokensByUser(transaction *gorp.Transaction, userId string) StoreResult { + result := StoreResult{} + + if _, err := transaction.Exec("DELETE FROM UserAccessTokens WHERE UserId = :UserId", map[string]interface{}{"UserId": userId}); err != nil { + result.Err = model.NewAppError("SqlUserAccessTokenStore.deleteTokensByUser", "store.sql_user_access_token.delete.app_error", nil, "", http.StatusInternalServerError) + } + + return result +} + +func (s SqlUserAccessTokenStore) Get(tokenId string) StoreChannel { + + storeChannel := make(StoreChannel, 1) + + go func() { + result := StoreResult{} + + token := model.UserAccessToken{} + + if err := s.GetReplica().SelectOne(&token, "SELECT * FROM UserAccessTokens WHERE Id = :Id", map[string]interface{}{"Id": tokenId}); err != nil { + if err == sql.ErrNoRows { + result.Err = model.NewAppError("SqlUserAccessTokenStore.Get", "store.sql_user_access_token.get.app_error", nil, err.Error(), http.StatusNotFound) + } else { + result.Err = model.NewAppError("SqlUserAccessTokenStore.Get", "store.sql_user_access_token.get.app_error", nil, err.Error(), http.StatusInternalServerError) + } + } + + result.Data = &token + + storeChannel <- result + close(storeChannel) + }() + + return storeChannel +} + +func (s SqlUserAccessTokenStore) GetByToken(tokenString string) StoreChannel { + + storeChannel := make(StoreChannel, 1) + + go func() { + result := StoreResult{} + + token := model.UserAccessToken{} + + if err := s.GetReplica().SelectOne(&token, "SELECT * FROM UserAccessTokens WHERE Token = :Token", map[string]interface{}{"Token": tokenString}); err != nil { + if err == sql.ErrNoRows { + result.Err = model.NewAppError("SqlUserAccessTokenStore.GetByToken", "store.sql_user_access_token.get_by_token.app_error", nil, err.Error(), http.StatusNotFound) + } else { + result.Err = model.NewAppError("SqlUserAccessTokenStore.GetByToken", "store.sql_user_access_token.get_by_token.app_error", nil, err.Error(), http.StatusInternalServerError) + } + } + + result.Data = &token + + storeChannel <- result + close(storeChannel) + }() + + return storeChannel +} + +func (s SqlUserAccessTokenStore) GetByUser(userId string, offset, limit int) StoreChannel { + + storeChannel := make(StoreChannel, 1) + + go func() { + result := StoreResult{} + + tokens := []*model.UserAccessToken{} + + if _, err := s.GetReplica().Select(&tokens, "SELECT * FROM UserAccessTokens WHERE UserId = :UserId LIMIT :Limit OFFSET :Offset", map[string]interface{}{"UserId": userId, "Offset": offset, "Limit": limit}); err != nil { + result.Err = model.NewAppError("SqlUserAccessTokenStore.GetByUser", "store.sql_user_access_token.get_by_user.app_error", nil, err.Error(), http.StatusInternalServerError) + } + + result.Data = tokens + + storeChannel <- result + close(storeChannel) + }() + + return storeChannel +} diff --git a/store/sql_user_access_token_store_test.go b/store/sql_user_access_token_store_test.go new file mode 100644 index 000000000..db4424991 --- /dev/null +++ b/store/sql_user_access_token_store_test.go @@ -0,0 +1,86 @@ +// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package store + +import ( + "testing" + + "github.com/mattermost/platform/model" +) + +func TestUserAccessTokenSaveGetDelete(t *testing.T) { + Setup() + + uat := &model.UserAccessToken{ + Token: model.NewId(), + UserId: model.NewId(), + Description: "testtoken", + } + + s1 := model.Session{} + s1.UserId = uat.UserId + s1.Token = uat.Token + + Must(store.Session().Save(&s1)) + + if result := <-store.UserAccessToken().Save(uat); result.Err != nil { + t.Fatal(result.Err) + } + + if result := <-store.UserAccessToken().Get(uat.Id); result.Err != nil { + t.Fatal(result.Err) + } else if received := result.Data.(*model.UserAccessToken); received.Token != uat.Token { + t.Fatal("received incorrect token after save") + } + + if result := <-store.UserAccessToken().GetByToken(uat.Token); result.Err != nil { + t.Fatal(result.Err) + } else if received := result.Data.(*model.UserAccessToken); received.Token != uat.Token { + t.Fatal("received incorrect token after save") + } + + if result := <-store.UserAccessToken().GetByToken("notarealtoken"); result.Err == nil { + t.Fatal("should have failed on bad token") + } + + if result := <-store.UserAccessToken().GetByUser(uat.UserId, 0, 100); result.Err != nil { + t.Fatal(result.Err) + } else if received := result.Data.([]*model.UserAccessToken); len(received) != 1 { + t.Fatal("received incorrect number of tokens after save") + } + + if result := <-store.UserAccessToken().Delete(uat.Id); result.Err != nil { + t.Fatal(result.Err) + } + + if err := (<-store.Session().Get(s1.Token)).Err; err == nil { + t.Fatal("should error - session should be deleted") + } + + if err := (<-store.UserAccessToken().GetByToken(s1.Token)).Err; err == nil { + t.Fatal("should error - access token should be deleted") + } + + s2 := model.Session{} + s2.UserId = uat.UserId + s2.Token = uat.Token + + Must(store.Session().Save(&s2)) + + if result := <-store.UserAccessToken().Save(uat); result.Err != nil { + t.Fatal(result.Err) + } + + if result := <-store.UserAccessToken().DeleteAllForUser(uat.UserId); result.Err != nil { + t.Fatal(result.Err) + } + + if err := (<-store.Session().Get(s2.Token)).Err; err == nil { + t.Fatal("should error - session should be deleted") + } + + if err := (<-store.UserAccessToken().GetByToken(s2.Token)).Err; err == nil { + t.Fatal("should error - access token should be deleted") + } +} diff --git a/store/store.go b/store/store.go index 6d84a0919..d883ea5a2 100644 --- a/store/store.go +++ b/store/store.go @@ -49,6 +49,7 @@ type Store interface { FileInfo() FileInfoStore Reaction() ReactionStore Job() JobStore + UserAccessToken() UserAccessTokenStore MarkSystemRanUnitTests() Close() DropAllTables() @@ -398,3 +399,12 @@ type JobStore interface { GetAllByStatus(status string) StoreChannel Delete(id string) StoreChannel } + +type UserAccessTokenStore interface { + Save(token *model.UserAccessToken) StoreChannel + Delete(tokenId string) StoreChannel + DeleteAllForUser(userId string) StoreChannel + Get(tokenId string) StoreChannel + GetByToken(tokenString string) StoreChannel + GetByUser(userId string, page, perPage int) StoreChannel +} -- cgit v1.2.3-1-g7c22