
     1  // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
     2  // See LICENSE.txt for license information.
     3  
     4  package api4
     5  
     6  import (
     7  	"net/http"
     8  
     9  	"github.com/vnforks/kid/v5/audit"
    10  	"github.com/vnforks/kid/v5/model"
    11  )
    12  
// InitOAuth registers the OAuth app management routes. Every route is wrapped
// in ApiSessionRequired, so an authenticated session is the baseline for all
// of them; the finer-grained checks (MANAGE_OAUTH, MANAGE_SYSTEM_WIDE_OAUTH,
// creator ownership) live inside the individual handlers, and getOAuthAppInfo
// deliberately has none beyond the session (it sanitizes the app instead).
func (api *API) InitOAuth() {
	api.BaseRoutes.OAuthApps.Handle("", api.ApiSessionRequired(createOAuthApp)).Methods("POST")
	api.BaseRoutes.OAuthApp.Handle("", api.ApiSessionRequired(updateOAuthApp)).Methods("PUT")
	api.BaseRoutes.OAuthApps.Handle("", api.ApiSessionRequired(getOAuthApps)).Methods("GET")
	api.BaseRoutes.OAuthApp.Handle("", api.ApiSessionRequired(getOAuthApp)).Methods("GET")
	// Public-ish view of an app: no permission check in the handler, relies on Sanitize().
	api.BaseRoutes.OAuthApp.Handle("/info", api.ApiSessionRequired(getOAuthAppInfo)).Methods("GET")
	api.BaseRoutes.OAuthApp.Handle("", api.ApiSessionRequired(deleteOAuthApp)).Methods("DELETE")
	api.BaseRoutes.OAuthApp.Handle("/regen_secret", api.ApiSessionRequired(regenerateOAuthAppSecret)).Methods("POST")

	// Per-user listing of apps the user has authorized; guarded by SessionHasPermissionToUser.
	api.BaseRoutes.User.Handle("/oauth/apps/authorized", api.ApiSessionRequired(getAuthorizedOAuthApps)).Methods("GET")
}
    24  
// createOAuthApp handles POST on the OAuth apps collection.
//
// The session needs MANAGE_OAUTH. A client-supplied IsTrusted is honoured only
// when the session also holds MANAGE_SYSTEM; otherwise it is forced to false.
// CreatorId is always taken from the session, never from the request body.
// The audit record starts as a failure and is marked successful only once the
// app has been stored; the new app id is logged as client_id.
func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	app := model.OAuthAppFromJson(r.Body)
	if app == nil {
		c.SetInvalidParam("oauth_app")
		return
	}

	rec := c.MakeAuditRecord("createOAuthApp", audit.Fail)
	defer c.LogAuditRec(rec)
	rec.AddMeta("oauth_app_name", app.Name)
	rec.AddMeta("oauth_app_desc", app.Description)

	session := c.App.Session()
	if !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	// Only a MANAGE_SYSTEM session may create a trusted app; everyone else's
	// payload value is discarded.
	if !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_SYSTEM) {
		app.IsTrusted = false
	}

	// Ownership is bound to the caller, so the body cannot assign the app to
	// another user.
	app.CreatorId = session.UserId

	created, appErr := c.App.CreateOAuthApp(app)
	if appErr != nil {
		c.Err = appErr
		return
	}

	rec.Success()
	rec.AddMeta("oauth_app_id", created.Id)
	rec.AddMeta("client_id", created.Id)
	c.LogAudit("client_id=" + created.Id)

	w.WriteHeader(http.StatusCreated)
	w.Write([]byte(created.ToJson()))
}
    63  
// updateOAuthApp handles PUT on a single OAuth app.
//
// Checks, in order: a valid app id in the URL; MANAGE_OAUTH on the session; a
// parseable body whose Id matches the URL; and, for a caller who is not the
// app's creator, MANAGE_SYSTEM_WIDE_OAUTH. IsTrusted may only be changed by a
// MANAGE_SYSTEM session — otherwise the stored value is carried over. The
// audit record is marked successful only after the update is persisted.
func updateOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.RequireAppId(); c.Err != nil {
		return
	}

	rec := c.MakeAuditRecord("updateOAuthApp", audit.Fail)
	defer c.LogAuditRec(rec)
	rec.AddMeta("oauth_app_id", c.Params.AppId)
	c.LogAudit("attempt")

	session := c.App.Session()
	if !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	incoming := model.OAuthAppFromJson(r.Body)
	if incoming == nil {
		c.SetInvalidParam("oauth_app")
		return
	}
	rec.AddMeta("oauth_app_name", incoming.Name)

	// The body must describe the same app the URL addresses.
	if incoming.Id != c.Params.AppId {
		c.SetInvalidParam("app_id")
		return
	}

	stored, appErr := c.App.GetOAuthApp(c.Params.AppId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	// Non-creators need the system-wide permission to touch someone else's app.
	isCreator := session.UserId == stored.CreatorId
	if !isCreator && !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

	// Trust is a system-level attribute: without MANAGE_SYSTEM the request
	// cannot flip it, so keep whatever is already stored.
	if !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_SYSTEM) {
		incoming.IsTrusted = stored.IsTrusted
	}

	updated, appErr := c.App.UpdateOauthApp(stored, incoming)
	if appErr != nil {
		c.Err = appErr
		return
	}

	rec.Success()
	c.LogAudit("success")

	w.Write([]byte(updated.ToJson()))
}
   119  
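// getOAuthApps handles GET on the OAuth apps collection.
//
// MANAGE_OAUTH is required and, when missing, answered with the
// api.command.admin_only.app_error response. A caller holding
// MANAGE_SYSTEM_WIDE_OAUTH receives every app; any other caller receives only
// the apps they created. Results are paged by c.Params.Page / c.Params.PerPage.
func getOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) {
	session := c.App.Session()
	if !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_OAUTH) {
		c.Err = model.NewAppError("getOAuthApps", "api.command.admin_only.app_error", nil, "", http.StatusForbidden)
		return
	}

	// MANAGE_OAUTH is already established above, so the only remaining
	// decision is scope: everything, or just the caller's own apps. (A
	// further MANAGE_OAUTH fallback here could never be reached.)
	var (
		apps   []*model.OAuthApp
		appErr *model.AppError
	)
	if c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
		apps, appErr = c.App.GetOAuthApps(c.Params.Page, c.Params.PerPage)
	} else {
		apps, appErr = c.App.GetOAuthAppsByCreator(session.UserId, c.Params.Page, c.Params.PerPage)
	}
	if appErr != nil {
		c.Err = appErr
		return
	}

	w.Write([]byte(model.OAuthAppListToJson(apps)))
}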
   144  
// getOAuthApp handles GET on a single OAuth app and returns the full record
// (unlike getOAuthAppInfo, nothing is sanitized). Requires MANAGE_OAUTH; a
// caller who is not the creator additionally needs MANAGE_SYSTEM_WIDE_OAUTH.
func getOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.RequireAppId(); c.Err != nil {
		return
	}

	session := c.App.Session()
	if !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	app, appErr := c.App.GetOAuthApp(c.Params.AppId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	// Reading another user's app needs the system-wide permission.
	ownedByCaller := app.CreatorId == session.UserId
	if !ownedByCaller && !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

	w.Write([]byte(app.ToJson()))
}
   169  
// getOAuthAppInfo handles GET /info on a single OAuth app.
//
// Beyond the session the route already requires, this handler performs no
// permission or ownership check, so any logged-in user can request it. The
// response therefore depends entirely on OAuthApp.Sanitize() (defined in the
// model, not visible here) removing the non-public fields before serializing.
func getOAuthAppInfo(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.RequireAppId(); c.Err != nil {
		return
	}

	app, appErr := c.App.GetOAuthApp(c.Params.AppId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	// Sanitize must run before ToJson — it is the only thing keeping the
	// full record out of an unprivileged response.
	app.Sanitize()
	w.Write([]byte(app.ToJson()))
}
   185  
// deleteOAuthApp handles DELETE on a single OAuth app.
//
// Requires MANAGE_OAUTH; a caller who is not the creator additionally needs
// MANAGE_SYSTEM_WIDE_OAUTH. The audit record carries the app id from the URL
// and, once loaded, the app name; it is marked successful only after the
// delete has gone through.
func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.RequireAppId(); c.Err != nil {
		return
	}

	rec := c.MakeAuditRecord("deleteOAuthApp", audit.Fail)
	defer c.LogAuditRec(rec)
	rec.AddMeta("oauth_app_id", c.Params.AppId)
	c.LogAudit("attempt")

	session := c.App.Session()
	if !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	app, appErr := c.App.GetOAuthApp(c.Params.AppId)
	if appErr != nil {
		c.Err = appErr
		return
	}
	rec.AddMeta("oauth_app_name", app.Name)

	// Deleting another user's app needs the system-wide permission.
	isCreator := session.UserId == app.CreatorId
	if !isCreator && !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

	if appErr = c.App.DeleteOAuthApp(app.Id); appErr != nil {
		c.Err = appErr
		return
	}

	rec.Success()
	c.LogAudit("success")

	ReturnStatusOK(w)
}
   225  
// regenerateOAuthAppSecret handles POST /regen_secret on a single OAuth app.
//
// Requires MANAGE_OAUTH; a caller who is not the creator additionally needs
// MANAGE_SYSTEM_WIDE_OAUTH. On success the app returned by
// RegenerateOAuthAppSecret is written back in full (its JSON is not
// sanitized here), and the audit record is marked successful.
func regenerateOAuthAppSecret(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.RequireAppId(); c.Err != nil {
		return
	}

	rec := c.MakeAuditRecord("regenerateOAuthAppSecret", audit.Fail)
	defer c.LogAuditRec(rec)
	rec.AddMeta("oauth_app_id", c.Params.AppId)

	session := c.App.Session()
	if !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	app, appErr := c.App.GetOAuthApp(c.Params.AppId)
	if appErr != nil {
		c.Err = appErr
		return
	}
	rec.AddMeta("oauth_app_name", app.Name)

	// Rotating another user's secret needs the system-wide permission.
	ownedByCaller := app.CreatorId == session.UserId
	if !ownedByCaller && !c.App.SessionHasPermissionTo(*session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

	rotated, appErr := c.App.RegenerateOAuthAppSecret(app)
	if appErr != nil {
		c.Err = appErr
		return
	}

	rec.Success()
	c.LogAudit("success")

	w.Write([]byte(rotated.ToJson()))
}
   264  
// getAuthorizedOAuthApps handles GET /oauth/apps/authorized under a user.
//
// The session must be allowed to act on the user named in the URL
// (SessionHasPermissionToUser); when it is not, the error reported is
// PERMISSION_EDIT_OTHER_USERS. The listing is paged by c.Params.Page and
// c.Params.PerPage.
func getAuthorizedOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.RequireUserId(); c.Err != nil {
		return
	}

	userID := c.Params.UserId
	if !c.App.SessionHasPermissionToUser(*c.App.Session(), userID) {
		c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
		return
	}

	apps, appErr := c.App.GetAuthorizedAppsForUser(userID, c.Params.Page, c.Params.PerPage)
	if appErr != nil {
		c.Err = appErr
		return
	}

	w.Write([]byte(model.OAuthAppListToJson(apps)))
}