github.com/mad-app/mattermost-server@v5.11.1+incompatible/api4/oauth_test.go (about)

     1  // Copyright (c) 2017 Mattermost, Inc. All Rights Reserved.
     2  // See License.txt for license information.
     3  
     4  package api4
     5  
     6  import (
     7  	"encoding/base64"
     8  	"io"
     9  	"io/ioutil"
    10  	"net/http"
    11  	"net/http/httptest"
    12  	"net/url"
    13  	"strconv"
    14  	"testing"
    15  
    16  	"github.com/stretchr/testify/assert"
    17  	"github.com/stretchr/testify/require"
    18  
    19  	"github.com/mattermost/mattermost-server/einterfaces"
    20  	"github.com/mattermost/mattermost-server/model"
    21  	"github.com/mattermost/mattermost-server/utils"
    22  	"github.com/mattermost/mattermost-server/web"
    23  )
    24  
    25  func TestCreateOAuthApp(t *testing.T) {
    26  	th := Setup().InitBasic()
    27  	defer th.TearDown()
    28  	Client := th.Client
    29  	AdminClient := th.SystemAdminClient
    30  
    31  	defaultRolePermissions := th.SaveDefaultRolePermissions()
    32  	enableOAuthServiceProvider := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
    33  	defer func() {
    34  		th.RestoreDefaultRolePermissions(defaultRolePermissions)
    35  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuthServiceProvider })
    36  	}()
    37  
    38  	// Grant permission to regular users.
    39  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
    40  
    41  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
    42  
    43  	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}, IsTrusted: true}
    44  
    45  	rapp, resp := AdminClient.CreateOAuthApp(oapp)
    46  	CheckNoError(t, resp)
    47  	CheckCreatedStatus(t, resp)
    48  
    49  	if rapp.Name != oapp.Name {
    50  		t.Fatal("names did not match")
    51  	}
    52  
    53  	if rapp.IsTrusted != oapp.IsTrusted {
    54  		t.Fatal("trusted did no match")
    55  	}
    56  
    57  	// Revoke permission from regular users.
    58  	th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
    59  
    60  	_, resp = Client.CreateOAuthApp(oapp)
    61  	CheckForbiddenStatus(t, resp)
    62  
    63  	// Grant permission to regular users.
    64  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
    65  
    66  	rapp, resp = Client.CreateOAuthApp(oapp)
    67  	CheckNoError(t, resp)
    68  	CheckCreatedStatus(t, resp)
    69  
    70  	if rapp.IsTrusted {
    71  		t.Fatal("trusted should be false - created by non admin")
    72  	}
    73  
    74  	oapp.Name = ""
    75  	_, resp = AdminClient.CreateOAuthApp(oapp)
    76  	CheckBadRequestStatus(t, resp)
    77  
    78  	if r, err := Client.DoApiPost("/oauth/apps", "garbage"); err == nil {
    79  		t.Fatal("should have failed")
    80  	} else {
    81  		if r.StatusCode != http.StatusBadRequest {
    82  			t.Log("actual: " + strconv.Itoa(r.StatusCode))
    83  			t.Log("expected: " + strconv.Itoa(http.StatusBadRequest))
    84  			t.Fatal("wrong status code")
    85  		}
    86  	}
    87  
    88  	Client.Logout()
    89  	_, resp = Client.CreateOAuthApp(oapp)
    90  	CheckUnauthorizedStatus(t, resp)
    91  
    92  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = false })
    93  	oapp.Name = GenerateTestAppName()
    94  	_, resp = AdminClient.CreateOAuthApp(oapp)
    95  	CheckNotImplementedStatus(t, resp)
    96  }
    97  
    98  func TestUpdateOAuthApp(t *testing.T) {
    99  	th := Setup().InitBasic()
   100  	defer th.TearDown()
   101  	Client := th.Client
   102  	AdminClient := th.SystemAdminClient
   103  
   104  	defaultRolePermissions := th.SaveDefaultRolePermissions()
   105  	enableOAuthServiceProvider := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
   106  	defer func() {
   107  		th.RestoreDefaultRolePermissions(defaultRolePermissions)
   108  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuthServiceProvider })
   109  	}()
   110  
   111  	// Grant permission to regular users.
   112  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   113  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
   114  
   115  	oapp := &model.OAuthApp{
   116  		Name:         "oapp",
   117  		IsTrusted:    false,
   118  		IconURL:      "https://nowhere.com/img",
   119  		Homepage:     "https://nowhere.com",
   120  		Description:  "test",
   121  		CallbackUrls: []string{"https://callback.com"},
   122  	}
   123  
   124  	oapp, _ = AdminClient.CreateOAuthApp(oapp)
   125  
   126  	oapp.Name = "oapp_update"
   127  	oapp.IsTrusted = true
   128  	oapp.IconURL = "https://nowhere.com/img_update"
   129  	oapp.Homepage = "https://nowhere_update.com"
   130  	oapp.Description = "test_update"
   131  	oapp.CallbackUrls = []string{"https://callback_update.com", "https://another_callback.com"}
   132  
   133  	updatedApp, resp := AdminClient.UpdateOAuthApp(oapp)
   134  	CheckNoError(t, resp)
   135  
   136  	if updatedApp.Id != oapp.Id {
   137  		t.Fatal("Id should have not updated")
   138  	}
   139  
   140  	if updatedApp.CreatorId != oapp.CreatorId {
   141  		t.Fatal("CreatorId should have not updated")
   142  	}
   143  
   144  	if updatedApp.CreateAt != oapp.CreateAt {
   145  		t.Fatal("CreateAt should have not updated")
   146  	}
   147  
   148  	if updatedApp.UpdateAt == oapp.UpdateAt {
   149  		t.Fatal("UpdateAt should have updated")
   150  	}
   151  
   152  	if updatedApp.ClientSecret != oapp.ClientSecret {
   153  		t.Fatal("ClientSecret should have not updated")
   154  	}
   155  
   156  	if updatedApp.Name != oapp.Name {
   157  		t.Fatal("Name should have updated")
   158  	}
   159  
   160  	if updatedApp.Description != oapp.Description {
   161  		t.Fatal("Description should have updated")
   162  	}
   163  
   164  	if updatedApp.IconURL != oapp.IconURL {
   165  		t.Fatal("IconURL should have updated")
   166  	}
   167  
   168  	if len(updatedApp.CallbackUrls) == len(oapp.CallbackUrls) {
   169  		for i, callbackUrl := range updatedApp.CallbackUrls {
   170  			if callbackUrl != oapp.CallbackUrls[i] {
   171  				t.Fatal("Description should have updated")
   172  			}
   173  		}
   174  	}
   175  
   176  	if updatedApp.Homepage != oapp.Homepage {
   177  		t.Fatal("Homepage should have updated")
   178  	}
   179  
   180  	if updatedApp.IsTrusted != oapp.IsTrusted {
   181  		t.Fatal("IsTrusted should have updated")
   182  	}
   183  
   184  	th.LoginBasic2()
   185  	updatedApp.CreatorId = th.BasicUser2.Id
   186  	_, resp = Client.UpdateOAuthApp(oapp)
   187  	CheckForbiddenStatus(t, resp)
   188  
   189  	th.LoginBasic()
   190  
   191  	// Revoke permission from regular users.
   192  	th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   193  
   194  	_, resp = Client.UpdateOAuthApp(oapp)
   195  	CheckForbiddenStatus(t, resp)
   196  
   197  	oapp.Id = "zhk9d1ggatrqz236c7h87im7bc"
   198  	_, resp = AdminClient.UpdateOAuthApp(oapp)
   199  	CheckNotFoundStatus(t, resp)
   200  
   201  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = false })
   202  
   203  	_, resp = AdminClient.UpdateOAuthApp(oapp)
   204  	CheckNotImplementedStatus(t, resp)
   205  
   206  	Client.Logout()
   207  	_, resp = Client.UpdateOAuthApp(oapp)
   208  	CheckUnauthorizedStatus(t, resp)
   209  
   210  	oapp.Id = "junk"
   211  	_, resp = AdminClient.UpdateOAuthApp(oapp)
   212  	CheckBadRequestStatus(t, resp)
   213  }
   214  
   215  func TestGetOAuthApps(t *testing.T) {
   216  	th := Setup().InitBasic()
   217  	defer th.TearDown()
   218  	Client := th.Client
   219  	AdminClient := th.SystemAdminClient
   220  
   221  	defaultRolePermissions := th.SaveDefaultRolePermissions()
   222  	enableOAuthServiceProvider := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
   223  	defer func() {
   224  		th.RestoreDefaultRolePermissions(defaultRolePermissions)
   225  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuthServiceProvider })
   226  	}()
   227  
   228  	// Grant permission to regular users.
   229  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   230  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
   231  
   232  	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
   233  
   234  	rapp, resp := AdminClient.CreateOAuthApp(oapp)
   235  	CheckNoError(t, resp)
   236  
   237  	oapp.Name = GenerateTestAppName()
   238  	rapp2, resp := Client.CreateOAuthApp(oapp)
   239  	CheckNoError(t, resp)
   240  
   241  	apps, resp := AdminClient.GetOAuthApps(0, 1000)
   242  	CheckNoError(t, resp)
   243  
   244  	found1 := false
   245  	found2 := false
   246  	for _, a := range apps {
   247  		if a.Id == rapp.Id {
   248  			found1 = true
   249  		}
   250  		if a.Id == rapp2.Id {
   251  			found2 = true
   252  		}
   253  	}
   254  
   255  	if !found1 || !found2 {
   256  		t.Fatal("missing oauth app")
   257  	}
   258  
   259  	apps, resp = AdminClient.GetOAuthApps(1, 1)
   260  	CheckNoError(t, resp)
   261  
   262  	if len(apps) != 1 {
   263  		t.Fatal("paging failed")
   264  	}
   265  
   266  	apps, resp = Client.GetOAuthApps(0, 1000)
   267  	CheckNoError(t, resp)
   268  
   269  	if len(apps) != 1 && apps[0].Id != rapp2.Id {
   270  		t.Fatal("wrong apps returned")
   271  	}
   272  
   273  	// Revoke permission from regular users.
   274  	th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   275  
   276  	_, resp = Client.GetOAuthApps(0, 1000)
   277  	CheckForbiddenStatus(t, resp)
   278  
   279  	Client.Logout()
   280  
   281  	_, resp = Client.GetOAuthApps(0, 1000)
   282  	CheckUnauthorizedStatus(t, resp)
   283  
   284  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = false })
   285  	_, resp = AdminClient.GetOAuthApps(0, 1000)
   286  	CheckNotImplementedStatus(t, resp)
   287  }
   288  
   289  func TestGetOAuthApp(t *testing.T) {
   290  	th := Setup().InitBasic()
   291  	defer th.TearDown()
   292  	Client := th.Client
   293  	AdminClient := th.SystemAdminClient
   294  
   295  	defaultRolePermissions := th.SaveDefaultRolePermissions()
   296  	enableOAuthServiceProvider := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
   297  	defer func() {
   298  		th.RestoreDefaultRolePermissions(defaultRolePermissions)
   299  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuthServiceProvider })
   300  	}()
   301  
   302  	// Grant permission to regular users.
   303  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   304  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
   305  
   306  	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
   307  
   308  	rapp, resp := AdminClient.CreateOAuthApp(oapp)
   309  	CheckNoError(t, resp)
   310  
   311  	oapp.Name = GenerateTestAppName()
   312  	rapp2, resp := Client.CreateOAuthApp(oapp)
   313  	CheckNoError(t, resp)
   314  
   315  	rrapp, resp := AdminClient.GetOAuthApp(rapp.Id)
   316  	CheckNoError(t, resp)
   317  
   318  	if rapp.Id != rrapp.Id {
   319  		t.Fatal("wrong app")
   320  	}
   321  
   322  	if rrapp.ClientSecret == "" {
   323  		t.Fatal("should not be sanitized")
   324  	}
   325  
   326  	rrapp2, resp := AdminClient.GetOAuthApp(rapp2.Id)
   327  	CheckNoError(t, resp)
   328  
   329  	if rapp2.Id != rrapp2.Id {
   330  		t.Fatal("wrong app")
   331  	}
   332  
   333  	if rrapp2.ClientSecret == "" {
   334  		t.Fatal("should not be sanitized")
   335  	}
   336  
   337  	_, resp = Client.GetOAuthApp(rapp2.Id)
   338  	CheckNoError(t, resp)
   339  
   340  	_, resp = Client.GetOAuthApp(rapp.Id)
   341  	CheckForbiddenStatus(t, resp)
   342  
   343  	// Revoke permission from regular users.
   344  	th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   345  
   346  	_, resp = Client.GetOAuthApp(rapp2.Id)
   347  	CheckForbiddenStatus(t, resp)
   348  
   349  	Client.Logout()
   350  
   351  	_, resp = Client.GetOAuthApp(rapp2.Id)
   352  	CheckUnauthorizedStatus(t, resp)
   353  
   354  	_, resp = AdminClient.GetOAuthApp("junk")
   355  	CheckBadRequestStatus(t, resp)
   356  
   357  	_, resp = AdminClient.GetOAuthApp(model.NewId())
   358  	CheckNotFoundStatus(t, resp)
   359  
   360  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = false })
   361  	_, resp = AdminClient.GetOAuthApp(rapp.Id)
   362  	CheckNotImplementedStatus(t, resp)
   363  }
   364  
   365  func TestGetOAuthAppInfo(t *testing.T) {
   366  	th := Setup().InitBasic()
   367  	defer th.TearDown()
   368  	Client := th.Client
   369  	AdminClient := th.SystemAdminClient
   370  
   371  	defaultRolePermissions := th.SaveDefaultRolePermissions()
   372  	enableOAuthServiceProvider := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
   373  	defer func() {
   374  		th.RestoreDefaultRolePermissions(defaultRolePermissions)
   375  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuthServiceProvider })
   376  	}()
   377  
   378  	// Grant permission to regular users.
   379  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   380  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
   381  
   382  	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
   383  
   384  	rapp, resp := AdminClient.CreateOAuthApp(oapp)
   385  	CheckNoError(t, resp)
   386  
   387  	oapp.Name = GenerateTestAppName()
   388  	rapp2, resp := Client.CreateOAuthApp(oapp)
   389  	CheckNoError(t, resp)
   390  
   391  	rrapp, resp := AdminClient.GetOAuthAppInfo(rapp.Id)
   392  	CheckNoError(t, resp)
   393  
   394  	if rapp.Id != rrapp.Id {
   395  		t.Fatal("wrong app")
   396  	}
   397  
   398  	if rrapp.ClientSecret != "" {
   399  		t.Fatal("should be sanitized")
   400  	}
   401  
   402  	rrapp2, resp := AdminClient.GetOAuthAppInfo(rapp2.Id)
   403  	CheckNoError(t, resp)
   404  
   405  	if rapp2.Id != rrapp2.Id {
   406  		t.Fatal("wrong app")
   407  	}
   408  
   409  	if rrapp2.ClientSecret != "" {
   410  		t.Fatal("should be sanitized")
   411  	}
   412  
   413  	_, resp = Client.GetOAuthAppInfo(rapp2.Id)
   414  	CheckNoError(t, resp)
   415  
   416  	_, resp = Client.GetOAuthAppInfo(rapp.Id)
   417  	CheckNoError(t, resp)
   418  
   419  	// Revoke permission from regular users.
   420  	th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   421  
   422  	_, resp = Client.GetOAuthAppInfo(rapp2.Id)
   423  	CheckNoError(t, resp)
   424  
   425  	Client.Logout()
   426  
   427  	_, resp = Client.GetOAuthAppInfo(rapp2.Id)
   428  	CheckUnauthorizedStatus(t, resp)
   429  
   430  	_, resp = AdminClient.GetOAuthAppInfo("junk")
   431  	CheckBadRequestStatus(t, resp)
   432  
   433  	_, resp = AdminClient.GetOAuthAppInfo(model.NewId())
   434  	CheckNotFoundStatus(t, resp)
   435  
   436  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = false })
   437  	_, resp = AdminClient.GetOAuthAppInfo(rapp.Id)
   438  	CheckNotImplementedStatus(t, resp)
   439  }
   440  
   441  func TestDeleteOAuthApp(t *testing.T) {
   442  	th := Setup().InitBasic()
   443  	defer th.TearDown()
   444  	Client := th.Client
   445  	AdminClient := th.SystemAdminClient
   446  
   447  	defaultRolePermissions := th.SaveDefaultRolePermissions()
   448  	enableOAuthServiceProvider := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
   449  	defer func() {
   450  		th.RestoreDefaultRolePermissions(defaultRolePermissions)
   451  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuthServiceProvider })
   452  	}()
   453  
   454  	// Grant permission to regular users.
   455  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   456  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
   457  
   458  	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
   459  
   460  	rapp, resp := AdminClient.CreateOAuthApp(oapp)
   461  	CheckNoError(t, resp)
   462  
   463  	oapp.Name = GenerateTestAppName()
   464  	rapp2, resp := Client.CreateOAuthApp(oapp)
   465  	CheckNoError(t, resp)
   466  
   467  	pass, resp := AdminClient.DeleteOAuthApp(rapp.Id)
   468  	CheckNoError(t, resp)
   469  
   470  	if !pass {
   471  		t.Fatal("should have passed")
   472  	}
   473  
   474  	_, resp = AdminClient.DeleteOAuthApp(rapp2.Id)
   475  	CheckNoError(t, resp)
   476  
   477  	rapp, resp = AdminClient.CreateOAuthApp(oapp)
   478  	CheckNoError(t, resp)
   479  
   480  	oapp.Name = GenerateTestAppName()
   481  	rapp2, resp = Client.CreateOAuthApp(oapp)
   482  	CheckNoError(t, resp)
   483  
   484  	_, resp = Client.DeleteOAuthApp(rapp.Id)
   485  	CheckForbiddenStatus(t, resp)
   486  
   487  	_, resp = Client.DeleteOAuthApp(rapp2.Id)
   488  	CheckNoError(t, resp)
   489  
   490  	// Revoke permission from regular users.
   491  	th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   492  
   493  	_, resp = Client.DeleteOAuthApp(rapp.Id)
   494  	CheckForbiddenStatus(t, resp)
   495  
   496  	Client.Logout()
   497  	_, resp = Client.DeleteOAuthApp(rapp.Id)
   498  	CheckUnauthorizedStatus(t, resp)
   499  
   500  	_, resp = AdminClient.DeleteOAuthApp("junk")
   501  	CheckBadRequestStatus(t, resp)
   502  
   503  	_, resp = AdminClient.DeleteOAuthApp(model.NewId())
   504  	CheckNotFoundStatus(t, resp)
   505  
   506  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = false })
   507  	_, resp = AdminClient.DeleteOAuthApp(rapp.Id)
   508  	CheckNotImplementedStatus(t, resp)
   509  }
   510  
   511  func TestRegenerateOAuthAppSecret(t *testing.T) {
   512  	th := Setup().InitBasic()
   513  	defer th.TearDown()
   514  	Client := th.Client
   515  	AdminClient := th.SystemAdminClient
   516  
   517  	defaultRolePermissions := th.SaveDefaultRolePermissions()
   518  	enableOAuthServiceProvider := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
   519  	defer func() {
   520  		th.RestoreDefaultRolePermissions(defaultRolePermissions)
   521  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuthServiceProvider })
   522  	}()
   523  
   524  	// Grant permission to regular users.
   525  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   526  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
   527  
   528  	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
   529  
   530  	rapp, resp := AdminClient.CreateOAuthApp(oapp)
   531  	CheckNoError(t, resp)
   532  
   533  	oapp.Name = GenerateTestAppName()
   534  	rapp2, resp := Client.CreateOAuthApp(oapp)
   535  	CheckNoError(t, resp)
   536  
   537  	rrapp, resp := AdminClient.RegenerateOAuthAppSecret(rapp.Id)
   538  	CheckNoError(t, resp)
   539  
   540  	if rrapp.Id != rapp.Id {
   541  		t.Fatal("wrong app")
   542  	}
   543  
   544  	if rrapp.ClientSecret == rapp.ClientSecret {
   545  		t.Fatal("secret didn't change")
   546  	}
   547  
   548  	_, resp = AdminClient.RegenerateOAuthAppSecret(rapp2.Id)
   549  	CheckNoError(t, resp)
   550  
   551  	rapp, resp = AdminClient.CreateOAuthApp(oapp)
   552  	CheckNoError(t, resp)
   553  
   554  	oapp.Name = GenerateTestAppName()
   555  	rapp2, resp = Client.CreateOAuthApp(oapp)
   556  	CheckNoError(t, resp)
   557  
   558  	_, resp = Client.RegenerateOAuthAppSecret(rapp.Id)
   559  	CheckForbiddenStatus(t, resp)
   560  
   561  	_, resp = Client.RegenerateOAuthAppSecret(rapp2.Id)
   562  	CheckNoError(t, resp)
   563  
   564  	// Revoke permission from regular users.
   565  	th.RemovePermissionFromRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   566  
   567  	_, resp = Client.RegenerateOAuthAppSecret(rapp.Id)
   568  	CheckForbiddenStatus(t, resp)
   569  
   570  	Client.Logout()
   571  	_, resp = Client.RegenerateOAuthAppSecret(rapp.Id)
   572  	CheckUnauthorizedStatus(t, resp)
   573  
   574  	_, resp = AdminClient.RegenerateOAuthAppSecret("junk")
   575  	CheckBadRequestStatus(t, resp)
   576  
   577  	_, resp = AdminClient.RegenerateOAuthAppSecret(model.NewId())
   578  	CheckNotFoundStatus(t, resp)
   579  
   580  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = false })
   581  	_, resp = AdminClient.RegenerateOAuthAppSecret(rapp.Id)
   582  	CheckNotImplementedStatus(t, resp)
   583  }
   584  
   585  func TestGetAuthorizedOAuthAppsForUser(t *testing.T) {
   586  	th := Setup().InitBasic()
   587  	defer th.TearDown()
   588  	Client := th.Client
   589  	AdminClient := th.SystemAdminClient
   590  
   591  	enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
   592  	defer func() {
   593  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
   594  	}()
   595  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
   596  
   597  	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
   598  
   599  	rapp, resp := AdminClient.CreateOAuthApp(oapp)
   600  	CheckNoError(t, resp)
   601  
   602  	authRequest := &model.AuthorizeRequest{
   603  		ResponseType: model.AUTHCODE_RESPONSE_TYPE,
   604  		ClientId:     rapp.Id,
   605  		RedirectUri:  rapp.CallbackUrls[0],
   606  		Scope:        "",
   607  		State:        "123",
   608  	}
   609  
   610  	_, resp = Client.AuthorizeOAuthApp(authRequest)
   611  	CheckNoError(t, resp)
   612  
   613  	apps, resp := Client.GetAuthorizedOAuthAppsForUser(th.BasicUser.Id, 0, 1000)
   614  	CheckNoError(t, resp)
   615  
   616  	found := false
   617  	for _, a := range apps {
   618  		if a.Id == rapp.Id {
   619  			found = true
   620  		}
   621  
   622  		if a.ClientSecret != "" {
   623  			t.Fatal("not sanitized")
   624  		}
   625  	}
   626  
   627  	if !found {
   628  		t.Fatal("missing app")
   629  	}
   630  
   631  	_, resp = Client.GetAuthorizedOAuthAppsForUser(th.BasicUser2.Id, 0, 1000)
   632  	CheckForbiddenStatus(t, resp)
   633  
   634  	_, resp = Client.GetAuthorizedOAuthAppsForUser("junk", 0, 1000)
   635  	CheckBadRequestStatus(t, resp)
   636  
   637  	Client.Logout()
   638  	_, resp = Client.GetAuthorizedOAuthAppsForUser(th.BasicUser.Id, 0, 1000)
   639  	CheckUnauthorizedStatus(t, resp)
   640  
   641  	_, resp = AdminClient.GetAuthorizedOAuthAppsForUser(th.BasicUser.Id, 0, 1000)
   642  	CheckNoError(t, resp)
   643  }
   644  
   645  func TestAuthorizeOAuthApp(t *testing.T) {
   646  	th := Setup().InitBasic()
   647  	defer th.TearDown()
   648  	Client := th.Client
   649  	AdminClient := th.SystemAdminClient
   650  
   651  	enableOAuth := *th.App.Config().ServiceSettings.EnableOAuthServiceProvider
   652  	defer func() {
   653  		th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
   654  	}()
   655  
   656  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
   657  
   658  	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
   659  
   660  	rapp, resp := AdminClient.CreateOAuthApp(oapp)
   661  	CheckNoError(t, resp)
   662  
   663  	authRequest := &model.AuthorizeRequest{
   664  		ResponseType: model.AUTHCODE_RESPONSE_TYPE,
   665  		ClientId:     rapp.Id,
   666  		RedirectUri:  rapp.CallbackUrls[0],
   667  		Scope:        "",
   668  		State:        "123",
   669  	}
   670  
   671  	// Test auth code flow
   672  	ruri, resp := Client.AuthorizeOAuthApp(authRequest)
   673  	CheckNoError(t, resp)
   674  
   675  	if len(ruri) == 0 {
   676  		t.Fatal("redirect url should be set")
   677  	}
   678  
   679  	ru, _ := url.Parse(ruri)
   680  	if ru == nil {
   681  		t.Fatal("redirect url unparseable")
   682  	} else {
   683  		if len(ru.Query().Get("code")) == 0 {
   684  			t.Fatal("authorization code not returned")
   685  		}
   686  		if ru.Query().Get("state") != authRequest.State {
   687  			t.Fatal("returned state doesn't match")
   688  		}
   689  	}
   690  
   691  	// Test implicit flow
   692  	authRequest.ResponseType = model.IMPLICIT_RESPONSE_TYPE
   693  	ruri, resp = Client.AuthorizeOAuthApp(authRequest)
   694  	CheckNoError(t, resp)
   695  	require.False(t, len(ruri) == 0, "redirect url should be set")
   696  
   697  	ru, _ = url.Parse(ruri)
   698  	require.NotNil(t, ru, "redirect url unparseable")
   699  	values, err := url.ParseQuery(ru.Fragment)
   700  	require.Nil(t, err)
   701  	assert.False(t, len(values.Get("access_token")) == 0, "access_token not returned")
   702  	assert.Equal(t, authRequest.State, values.Get("state"), "returned state doesn't match")
   703  
   704  	oldToken := Client.AuthToken
   705  	Client.AuthToken = values.Get("access_token")
   706  	_, resp = Client.AuthorizeOAuthApp(authRequest)
   707  	CheckForbiddenStatus(t, resp)
   708  
   709  	Client.AuthToken = oldToken
   710  
   711  	authRequest.RedirectUri = ""
   712  	_, resp = Client.AuthorizeOAuthApp(authRequest)
   713  	CheckBadRequestStatus(t, resp)
   714  
   715  	authRequest.RedirectUri = "http://somewhereelse.com"
   716  	_, resp = Client.AuthorizeOAuthApp(authRequest)
   717  	CheckBadRequestStatus(t, resp)
   718  
   719  	authRequest.RedirectUri = rapp.CallbackUrls[0]
   720  	authRequest.ResponseType = ""
   721  	_, resp = Client.AuthorizeOAuthApp(authRequest)
   722  	CheckBadRequestStatus(t, resp)
   723  
   724  	authRequest.ResponseType = model.AUTHCODE_RESPONSE_TYPE
   725  	authRequest.ClientId = ""
   726  	_, resp = Client.AuthorizeOAuthApp(authRequest)
   727  	CheckBadRequestStatus(t, resp)
   728  
   729  	authRequest.ClientId = model.NewId()
   730  	_, resp = Client.AuthorizeOAuthApp(authRequest)
   731  	CheckNotFoundStatus(t, resp)
   732  }
   733  
   734  func TestDeauthorizeOAuthApp(t *testing.T) {
   735  	th := Setup().InitBasic()
   736  	defer th.TearDown()
   737  	Client := th.Client
   738  	AdminClient := th.SystemAdminClient
   739  
   740  	enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
   741  	defer func() {
   742  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
   743  	}()
   744  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
   745  
   746  	oapp := &model.OAuthApp{Name: GenerateTestAppName(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
   747  
   748  	rapp, resp := AdminClient.CreateOAuthApp(oapp)
   749  	CheckNoError(t, resp)
   750  
   751  	authRequest := &model.AuthorizeRequest{
   752  		ResponseType: model.AUTHCODE_RESPONSE_TYPE,
   753  		ClientId:     rapp.Id,
   754  		RedirectUri:  rapp.CallbackUrls[0],
   755  		Scope:        "",
   756  		State:        "123",
   757  	}
   758  
   759  	_, resp = Client.AuthorizeOAuthApp(authRequest)
   760  	CheckNoError(t, resp)
   761  
   762  	pass, resp := Client.DeauthorizeOAuthApp(rapp.Id)
   763  	CheckNoError(t, resp)
   764  
   765  	if !pass {
   766  		t.Fatal("should have passed")
   767  	}
   768  
   769  	_, resp = Client.DeauthorizeOAuthApp("junk")
   770  	CheckBadRequestStatus(t, resp)
   771  
   772  	_, resp = Client.DeauthorizeOAuthApp(model.NewId())
   773  	CheckNoError(t, resp)
   774  
   775  	Client.Logout()
   776  	_, resp = Client.DeauthorizeOAuthApp(rapp.Id)
   777  	CheckUnauthorizedStatus(t, resp)
   778  }
   779  
   780  func TestOAuthAccessToken(t *testing.T) {
   781  	if testing.Short() {
   782  		t.SkipNow()
   783  	}
   784  
   785  	th := Setup().InitBasic()
   786  	defer th.TearDown()
   787  
   788  	Client := th.Client
   789  
   790  	enableOAuth := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
   791  	defer func() {
   792  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuth })
   793  	}()
   794  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
   795  
   796  	defaultRolePermissions := th.SaveDefaultRolePermissions()
   797  	defer func() {
   798  		th.RestoreDefaultRolePermissions(defaultRolePermissions)
   799  	}()
   800  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.TEAM_USER_ROLE_ID)
   801  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
   802  
   803  	oauthApp := &model.OAuthApp{Name: "TestApp5" + model.NewId(), Homepage: "https://nowhere.com", Description: "test", CallbackUrls: []string{"https://nowhere.com"}}
   804  	oauthApp = Client.Must(Client.CreateOAuthApp(oauthApp)).(*model.OAuthApp)
   805  
   806  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = false })
   807  	data := url.Values{"grant_type": []string{"junk"}, "client_id": []string{"12345678901234567890123456"}, "client_secret": []string{"12345678901234567890123456"}, "code": []string{"junk"}, "redirect_uri": []string{oauthApp.CallbackUrls[0]}}
   808  
   809  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   810  		t.Log(resp.StatusCode)
   811  		t.Fatal("should have failed - oauth providing turned off")
   812  	}
   813  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
   814  
   815  	authRequest := &model.AuthorizeRequest{
   816  		ResponseType: model.AUTHCODE_RESPONSE_TYPE,
   817  		ClientId:     oauthApp.Id,
   818  		RedirectUri:  oauthApp.CallbackUrls[0],
   819  		Scope:        "all",
   820  		State:        "123",
   821  	}
   822  
   823  	redirect, resp := Client.AuthorizeOAuthApp(authRequest)
   824  	CheckNoError(t, resp)
   825  	rurl, _ := url.Parse(redirect)
   826  
   827  	Client.Logout()
   828  
   829  	data = url.Values{"grant_type": []string{"junk"}, "client_id": []string{oauthApp.Id}, "client_secret": []string{oauthApp.ClientSecret}, "code": []string{rurl.Query().Get("code")}, "redirect_uri": []string{oauthApp.CallbackUrls[0]}}
   830  
   831  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   832  		t.Fatal("should have failed - bad grant type")
   833  	}
   834  
   835  	data.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE)
   836  	data.Set("client_id", "")
   837  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   838  		t.Fatal("should have failed - missing client id")
   839  	}
   840  	data.Set("client_id", "junk")
   841  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   842  		t.Fatal("should have failed - bad client id")
   843  	}
   844  
   845  	data.Set("client_id", oauthApp.Id)
   846  	data.Set("client_secret", "")
   847  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   848  		t.Fatal("should have failed - missing client secret")
   849  	}
   850  
   851  	data.Set("client_secret", "junk")
   852  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   853  		t.Fatal("should have failed - bad client secret")
   854  	}
   855  
   856  	data.Set("client_secret", oauthApp.ClientSecret)
   857  	data.Set("code", "")
   858  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   859  		t.Fatal("should have failed - missing code")
   860  	}
   861  
   862  	data.Set("code", "junk")
   863  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   864  		t.Fatal("should have failed - bad code")
   865  	}
   866  
   867  	data.Set("code", rurl.Query().Get("code"))
   868  	data.Set("redirect_uri", "junk")
   869  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   870  		t.Fatal("should have failed - non-matching redirect uri")
   871  	}
   872  
   873  	// reset data for successful request
   874  	data.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE)
   875  	data.Set("client_id", oauthApp.Id)
   876  	data.Set("client_secret", oauthApp.ClientSecret)
   877  	data.Set("code", rurl.Query().Get("code"))
   878  	data.Set("redirect_uri", oauthApp.CallbackUrls[0])
   879  
   880  	token := ""
   881  	refreshToken := ""
   882  	if rsp, resp := Client.GetOAuthAccessToken(data); resp.Error != nil {
   883  		t.Fatal(resp.Error)
   884  	} else {
   885  		if len(rsp.AccessToken) == 0 {
   886  			t.Fatal("access token not returned")
   887  		} else if len(rsp.RefreshToken) == 0 {
   888  			t.Fatal("refresh token not returned")
   889  		} else {
   890  			token = rsp.AccessToken
   891  			refreshToken = rsp.RefreshToken
   892  		}
   893  		if rsp.TokenType != model.ACCESS_TOKEN_TYPE {
   894  			t.Fatal("access token type incorrect")
   895  		}
   896  	}
   897  
   898  	if _, err := Client.DoApiGet("/users?page=0&per_page=100&access_token="+token, ""); err != nil {
   899  		t.Fatal(err)
   900  	}
   901  
   902  	if _, resp := Client.GetUsers(0, 100, ""); resp.Error == nil {
   903  		t.Fatal("should have failed - no access token provided")
   904  	}
   905  
   906  	if _, resp := Client.GetUsers(0, 100, ""); resp.Error == nil {
   907  		t.Fatal("should have failed - bad access token provided")
   908  	}
   909  
   910  	Client.SetOAuthToken(token)
   911  	if users, resp := Client.GetUsers(0, 100, ""); resp.Error != nil {
   912  		t.Fatal(resp.Error)
   913  	} else {
   914  		if len(users) == 0 {
   915  			t.Fatal("users empty - did not get results correctly")
   916  		}
   917  	}
   918  
   919  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   920  		t.Fatal("should have failed - tried to reuse auth code")
   921  	}
   922  
   923  	data.Set("grant_type", model.REFRESH_TOKEN_GRANT_TYPE)
   924  	data.Set("client_id", oauthApp.Id)
   925  	data.Set("client_secret", oauthApp.ClientSecret)
   926  	data.Set("refresh_token", "")
   927  	data.Set("redirect_uri", oauthApp.CallbackUrls[0])
   928  	data.Del("code")
   929  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   930  		t.Fatal("Should have failed - refresh token empty")
   931  	}
   932  
   933  	data.Set("refresh_token", refreshToken)
   934  	if rsp, resp := Client.GetOAuthAccessToken(data); resp.Error != nil {
   935  		t.Fatal(resp.Error)
   936  	} else {
   937  		if len(rsp.AccessToken) == 0 {
   938  			t.Fatal("access token not returned")
   939  		} else if len(rsp.RefreshToken) == 0 {
   940  			t.Fatal("refresh token not returned")
   941  		} else if rsp.RefreshToken == refreshToken {
   942  			t.Fatal("refresh token did not update")
   943  		}
   944  
   945  		if rsp.TokenType != model.ACCESS_TOKEN_TYPE {
   946  			t.Fatal("access token type incorrect")
   947  		}
   948  		Client.SetOAuthToken(rsp.AccessToken)
   949  		_, resp = Client.GetMe("")
   950  		if resp.Error != nil {
   951  			t.Fatal(resp.Error)
   952  		}
   953  
   954  		data.Set("refresh_token", rsp.RefreshToken)
   955  	}
   956  
   957  	if rsp, resp := Client.GetOAuthAccessToken(data); resp.Error != nil {
   958  		t.Fatal(resp.Error)
   959  	} else {
   960  		if len(rsp.AccessToken) == 0 {
   961  			t.Fatal("access token not returned")
   962  		} else if len(rsp.RefreshToken) == 0 {
   963  			t.Fatal("refresh token not returned")
   964  		} else if rsp.RefreshToken == refreshToken {
   965  			t.Fatal("refresh token did not update")
   966  		}
   967  
   968  		if rsp.TokenType != model.ACCESS_TOKEN_TYPE {
   969  			t.Fatal("access token type incorrect")
   970  		}
   971  		Client.SetOAuthToken(rsp.AccessToken)
   972  		_, resp = Client.GetMe("")
   973  		if resp.Error != nil {
   974  			t.Fatal(resp.Error)
   975  		}
   976  	}
   977  
   978  	authData := &model.AuthData{ClientId: oauthApp.Id, RedirectUri: oauthApp.CallbackUrls[0], UserId: th.BasicUser.Id, Code: model.NewId(), ExpiresIn: -1}
   979  	<-th.App.Srv.Store.OAuth().SaveAuthData(authData)
   980  
   981  	data.Set("grant_type", model.ACCESS_TOKEN_GRANT_TYPE)
   982  	data.Set("client_id", oauthApp.Id)
   983  	data.Set("client_secret", oauthApp.ClientSecret)
   984  	data.Set("redirect_uri", oauthApp.CallbackUrls[0])
   985  	data.Set("code", authData.Code)
   986  	data.Del("refresh_token")
   987  	if _, resp := Client.GetOAuthAccessToken(data); resp.Error == nil {
   988  		t.Fatal("Should have failed - code is expired")
   989  	}
   990  
   991  	Client.ClearOAuthToken()
   992  }
   993  
   994  func TestOAuthComplete(t *testing.T) {
   995  	if testing.Short() {
   996  		t.SkipNow()
   997  	}
   998  
   999  	th := Setup().InitBasic()
  1000  	defer th.TearDown()
  1001  
  1002  	Client := th.Client
  1003  
  1004  	gitLabSettingsEnable := th.App.Config().GitLabSettings.Enable
  1005  	gitLabSettingsAuthEndpoint := th.App.Config().GitLabSettings.AuthEndpoint
  1006  	gitLabSettingsId := th.App.Config().GitLabSettings.Id
  1007  	gitLabSettingsSecret := th.App.Config().GitLabSettings.Secret
  1008  	gitLabSettingsTokenEndpoint := th.App.Config().GitLabSettings.TokenEndpoint
  1009  	gitLabSettingsUserApiEndpoint := th.App.Config().GitLabSettings.UserApiEndpoint
  1010  	enableOAuthServiceProvider := th.App.Config().ServiceSettings.EnableOAuthServiceProvider
  1011  	defer func() {
  1012  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.GitLabSettings.Enable = gitLabSettingsEnable })
  1013  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.GitLabSettings.AuthEndpoint = gitLabSettingsAuthEndpoint })
  1014  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.GitLabSettings.Id = gitLabSettingsId })
  1015  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.GitLabSettings.Secret = gitLabSettingsSecret })
  1016  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.GitLabSettings.TokenEndpoint = gitLabSettingsTokenEndpoint })
  1017  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.GitLabSettings.UserApiEndpoint = gitLabSettingsUserApiEndpoint })
  1018  		th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableOAuthServiceProvider = enableOAuthServiceProvider })
  1019  	}()
  1020  
  1021  	r, err := HttpGet(Client.Url+"/login/gitlab/complete?code=123", Client.HttpClient, "", true)
  1022  	assert.NotNil(t, err)
  1023  	closeBody(r)
  1024  
  1025  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GitLabSettings.Enable = true })
  1026  	r, err = HttpGet(Client.Url+"/login/gitlab/complete?code=123&state=!#$#F@#Yˆ&~ñ", Client.HttpClient, "", true)
  1027  	assert.NotNil(t, err)
  1028  	closeBody(r)
  1029  
  1030  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GitLabSettings.AuthEndpoint = Client.Url + "/oauth/authorize" })
  1031  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GitLabSettings.Id = model.NewId() })
  1032  
  1033  	stateProps := map[string]string{}
  1034  	stateProps["action"] = model.OAUTH_ACTION_LOGIN
  1035  	stateProps["team_id"] = th.BasicTeam.Id
  1036  	stateProps["redirect_to"] = *th.App.Config().GitLabSettings.AuthEndpoint
  1037  
  1038  	state := base64.StdEncoding.EncodeToString([]byte(model.MapToJson(stateProps)))
  1039  	r, err = HttpGet(Client.Url+"/login/gitlab/complete?code=123&state="+url.QueryEscape(state), Client.HttpClient, "", true)
  1040  	assert.NotNil(t, err)
  1041  	closeBody(r)
  1042  
  1043  	stateProps["hash"] = utils.HashSha256(*th.App.Config().GitLabSettings.Id)
  1044  	state = base64.StdEncoding.EncodeToString([]byte(model.MapToJson(stateProps)))
  1045  	r, err = HttpGet(Client.Url+"/login/gitlab/complete?code=123&state="+url.QueryEscape(state), Client.HttpClient, "", true)
  1046  	assert.NotNil(t, err)
  1047  	closeBody(r)
  1048  
  1049  	// We are going to use mattermost as the provider emulating gitlab
  1050  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.ServiceSettings.EnableOAuthServiceProvider = true })
  1051  
  1052  	defaultRolePermissions := th.SaveDefaultRolePermissions()
  1053  	defer func() {
  1054  		th.RestoreDefaultRolePermissions(defaultRolePermissions)
  1055  	}()
  1056  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.TEAM_USER_ROLE_ID)
  1057  	th.AddPermissionToRole(model.PERMISSION_MANAGE_OAUTH.Id, model.SYSTEM_USER_ROLE_ID)
  1058  
  1059  	oauthApp := &model.OAuthApp{
  1060  		Name:        "TestApp5" + model.NewId(),
  1061  		Homepage:    "https://nowhere.com",
  1062  		Description: "test",
  1063  		CallbackUrls: []string{
  1064  			Client.Url + "/signup/" + model.SERVICE_GITLAB + "/complete",
  1065  			Client.Url + "/login/" + model.SERVICE_GITLAB + "/complete",
  1066  		},
  1067  		IsTrusted: true,
  1068  	}
  1069  	oauthApp = Client.Must(Client.CreateOAuthApp(oauthApp)).(*model.OAuthApp)
  1070  
  1071  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GitLabSettings.Id = oauthApp.Id })
  1072  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GitLabSettings.Secret = oauthApp.ClientSecret })
  1073  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GitLabSettings.AuthEndpoint = Client.Url + "/oauth/authorize" })
  1074  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GitLabSettings.TokenEndpoint = Client.Url + "/oauth/access_token" })
  1075  	th.App.UpdateConfig(func(cfg *model.Config) { *cfg.GitLabSettings.UserApiEndpoint = Client.ApiUrl + "/users/me" })
  1076  
  1077  	provider := &MattermostTestProvider{}
  1078  
  1079  	authRequest := &model.AuthorizeRequest{
  1080  		ResponseType: model.AUTHCODE_RESPONSE_TYPE,
  1081  		ClientId:     oauthApp.Id,
  1082  		RedirectUri:  oauthApp.CallbackUrls[0],
  1083  		Scope:        "all",
  1084  		State:        "123",
  1085  	}
  1086  
  1087  	redirect, resp := Client.AuthorizeOAuthApp(authRequest)
  1088  	CheckNoError(t, resp)
  1089  	rurl, _ := url.Parse(redirect)
  1090  
  1091  	code := rurl.Query().Get("code")
  1092  	stateProps["action"] = model.OAUTH_ACTION_EMAIL_TO_SSO
  1093  	delete(stateProps, "team_id")
  1094  	stateProps["redirect_to"] = *th.App.Config().GitLabSettings.AuthEndpoint
  1095  	stateProps["hash"] = utils.HashSha256(*th.App.Config().GitLabSettings.Id)
  1096  	stateProps["redirect_to"] = "/oauth/authorize"
  1097  	state = base64.StdEncoding.EncodeToString([]byte(model.MapToJson(stateProps)))
  1098  	if r, err := HttpGet(Client.Url+"/login/"+model.SERVICE_GITLAB+"/complete?code="+url.QueryEscape(code)+"&state="+url.QueryEscape(state), Client.HttpClient, "", false); err == nil {
  1099  		closeBody(r)
  1100  	}
  1101  
  1102  	einterfaces.RegisterOauthProvider(model.SERVICE_GITLAB, provider)
  1103  
  1104  	redirect, resp = Client.AuthorizeOAuthApp(authRequest)
  1105  	CheckNoError(t, resp)
  1106  	rurl, _ = url.Parse(redirect)
  1107  
  1108  	code = rurl.Query().Get("code")
  1109  	if r, err := HttpGet(Client.Url+"/login/"+model.SERVICE_GITLAB+"/complete?code="+url.QueryEscape(code)+"&state="+url.QueryEscape(state), Client.HttpClient, "", false); err == nil {
  1110  		closeBody(r)
  1111  	}
  1112  
  1113  	if result := <-th.App.Srv.Store.User().UpdateAuthData(
  1114  		th.BasicUser.Id, model.SERVICE_GITLAB, &th.BasicUser.Email, th.BasicUser.Email, true); result.Err != nil {
  1115  		t.Fatal(result.Err)
  1116  	}
  1117  
  1118  	redirect, resp = Client.AuthorizeOAuthApp(authRequest)
  1119  	CheckNoError(t, resp)
  1120  	rurl, _ = url.Parse(redirect)
  1121  
  1122  	code = rurl.Query().Get("code")
  1123  	stateProps["action"] = model.OAUTH_ACTION_LOGIN
  1124  	state = base64.StdEncoding.EncodeToString([]byte(model.MapToJson(stateProps)))
  1125  	if r, err := HttpGet(Client.Url+"/login/"+model.SERVICE_GITLAB+"/complete?code="+url.QueryEscape(code)+"&state="+url.QueryEscape(state), Client.HttpClient, "", false); err == nil {
  1126  		closeBody(r)
  1127  	}
  1128  
  1129  	redirect, resp = Client.AuthorizeOAuthApp(authRequest)
  1130  	CheckNoError(t, resp)
  1131  	rurl, _ = url.Parse(redirect)
  1132  
  1133  	code = rurl.Query().Get("code")
  1134  	delete(stateProps, "action")
  1135  	state = base64.StdEncoding.EncodeToString([]byte(model.MapToJson(stateProps)))
  1136  	if r, err := HttpGet(Client.Url+"/login/"+model.SERVICE_GITLAB+"/complete?code="+url.QueryEscape(code)+"&state="+url.QueryEscape(state), Client.HttpClient, "", false); err == nil {
  1137  		closeBody(r)
  1138  	}
  1139  
  1140  	redirect, resp = Client.AuthorizeOAuthApp(authRequest)
  1141  	CheckNoError(t, resp)
  1142  	rurl, _ = url.Parse(redirect)
  1143  
  1144  	code = rurl.Query().Get("code")
  1145  	stateProps["action"] = model.OAUTH_ACTION_SIGNUP
  1146  	state = base64.StdEncoding.EncodeToString([]byte(model.MapToJson(stateProps)))
  1147  	if r, err := HttpGet(Client.Url+"/login/"+model.SERVICE_GITLAB+"/complete?code="+url.QueryEscape(code)+"&state="+url.QueryEscape(state), Client.HttpClient, "", false); err == nil {
  1148  		closeBody(r)
  1149  	}
  1150  }
  1151  
  1152  func TestOAuthComplete_AccessDenied(t *testing.T) {
  1153  	th := Setup().InitBasic()
  1154  	defer th.TearDown()
  1155  
  1156  	c := &Context{
  1157  		App: th.App,
  1158  		Params: &web.Params{
  1159  			Service: "TestService",
  1160  		},
  1161  	}
  1162  	responseWriter := httptest.NewRecorder()
  1163  	request, _ := http.NewRequest(http.MethodGet, th.App.GetSiteURL()+"/signup/TestService/complete?error=access_denied", nil)
  1164  
  1165  	completeOAuth(c, responseWriter, request)
  1166  
  1167  	response := responseWriter.Result()
  1168  
  1169  	assert.Equal(t, http.StatusTemporaryRedirect, response.StatusCode)
  1170  
  1171  	location, _ := url.Parse(response.Header.Get("Location"))
  1172  	assert.Equal(t, "oauth_access_denied", location.Query().Get("type"))
  1173  	assert.Equal(t, "TestService", location.Query().Get("service"))
  1174  }
  1175  
  1176  func HttpGet(url string, httpClient *http.Client, authToken string, followRedirect bool) (*http.Response, *model.AppError) {
  1177  	rq, _ := http.NewRequest("GET", url, nil)
  1178  	rq.Close = true
  1179  
  1180  	if len(authToken) > 0 {
  1181  		rq.Header.Set(model.HEADER_AUTH, authToken)
  1182  	}
  1183  
  1184  	if !followRedirect {
  1185  		httpClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
  1186  			return http.ErrUseLastResponse
  1187  		}
  1188  	}
  1189  
  1190  	if rp, err := httpClient.Do(rq); err != nil {
  1191  		return nil, model.NewAppError(url, "model.client.connecting.app_error", nil, err.Error(), 0)
  1192  	} else if rp.StatusCode == 304 {
  1193  		return rp, nil
  1194  	} else if rp.StatusCode == 307 {
  1195  		return rp, nil
  1196  	} else if rp.StatusCode >= 300 {
  1197  		defer closeBody(rp)
  1198  		return rp, model.AppErrorFromJson(rp.Body)
  1199  	} else {
  1200  		return rp, nil
  1201  	}
  1202  }
  1203  
  1204  func closeBody(r *http.Response) {
  1205  	if r != nil && r.Body != nil {
  1206  		ioutil.ReadAll(r.Body)
  1207  		r.Body.Close()
  1208  	}
  1209  }
  1210  
  1211  type MattermostTestProvider struct {
  1212  }
  1213  
  1214  func (m *MattermostTestProvider) GetUserFromJson(data io.Reader) *model.User {
  1215  	user := model.UserFromJson(data)
  1216  	user.AuthData = &user.Email
  1217  	return user
  1218  }