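// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.

package api4

import (
	"net/http"

	"github.com/vnforks/kid/v5/audit"
	"github.com/vnforks/kid/v5/model"
)

// InitOAuth registers the OAuth app management routes.
//
// Every route is wrapped in ApiSessionRequired, so an authenticated session is
// the baseline for all handlers in this file; the finer-grained permission
// checks (MANAGE_OAUTH, MANAGE_SYSTEM_WIDE_OAUTH, MANAGE_SYSTEM, per-user
// access) are performed inside each handler.
func (api *API) InitOAuth() {
	api.BaseRoutes.OAuthApps.Handle("", api.ApiSessionRequired(createOAuthApp)).Methods("POST")
	api.BaseRoutes.OAuthApp.Handle("", api.ApiSessionRequired(updateOAuthApp)).Methods("PUT")
	api.BaseRoutes.OAuthApps.Handle("", api.ApiSessionRequired(getOAuthApps)).Methods("GET")
	api.BaseRoutes.OAuthApp.Handle("", api.ApiSessionRequired(getOAuthApp)).Methods("GET")
	api.BaseRoutes.OAuthApp.Handle("/info", api.ApiSessionRequired(getOAuthAppInfo)).Methods("GET")
	api.BaseRoutes.OAuthApp.Handle("", api.ApiSessionRequired(deleteOAuthApp)).Methods("DELETE")
	api.BaseRoutes.OAuthApp.Handle("/regen_secret", api.ApiSessionRequired(regenerateOAuthAppSecret)).Methods("POST")

	api.BaseRoutes.User.Handle("/oauth/apps/authorized", api.ApiSessionRequired(getAuthorizedOAuthApps)).Methods("GET")
}

// createOAuthApp handles POST on the OAuth apps collection.
//
// Authorization: the session needs PERMISSION_MANAGE_OAUTH. Only a session
// holding PERMISSION_MANAGE_SYSTEM may create a trusted app; for anyone else
// the IsTrusted flag from the payload is forced to false. CreatorId is always
// taken from the session, never from the payload.
//
// On success it responds 201 with the created app as JSON and records an
// audit entry carrying the new app id.
func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	oauthApp := model.OAuthAppFromJson(r.Body)
	if oauthApp == nil {
		c.SetInvalidParam("oauth_app")
		return
	}

	// The audit record starts as a failure and is flipped to success only
	// after the app has actually been created; the deferred LogAuditRec
	// writes it on every exit path, including the permission denials below.
	auditRec := c.MakeAuditRecord("createOAuthApp", audit.Fail)
	defer c.LogAuditRec(auditRec)
	auditRec.AddMeta("oauth_app_name", oauthApp.Name)
	auditRec.AddMeta("oauth_app_desc", oauthApp.Description)

	if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	// A client-supplied IsTrusted is honoured only for system admins.
	if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_SYSTEM) {
		oauthApp.IsTrusted = false
	}

	// Ownership comes from the session, so a caller cannot create an app on
	// behalf of another user.
	oauthApp.CreatorId = c.App.Session().UserId

	rapp, err := c.App.CreateOAuthApp(oauthApp)
	if err != nil {
		c.Err = err
		return
	}

	auditRec.Success()
	auditRec.AddMeta("oauth_app_id", rapp.Id)
	auditRec.AddMeta("client_id", rapp.Id)
	c.LogAudit("client_id=" + rapp.Id)

	w.WriteHeader(http.StatusCreated)
	w.Write([]byte(rapp.ToJson()))
}

// updateOAuthApp handles PUT on a single OAuth app.
//
// Authorization: the session needs PERMISSION_MANAGE_OAUTH, and must either be
// the app's creator or hold PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH. The payload's
// Id must match the app id in the URL. Unless the session holds
// PERMISSION_MANAGE_SYSTEM, the IsTrusted flag is carried over from the stored
// app, so the payload cannot escalate an app to trusted.
//
// Responds with the updated app as JSON.
func updateOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireAppId()
	if c.Err != nil {
		return
	}

	auditRec := c.MakeAuditRecord("updateOAuthApp", audit.Fail)
	defer c.LogAuditRec(auditRec)
	auditRec.AddMeta("oauth_app_id", c.Params.AppId)
	c.LogAudit("attempt")

	if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	oauthApp := model.OAuthAppFromJson(r.Body)
	if oauthApp == nil {
		c.SetInvalidParam("oauth_app")
		return
	}
	auditRec.AddMeta("oauth_app_name", oauthApp.Name)

	// The app being updated in the payload must be the same one as indicated in the URL.
	if oauthApp.Id != c.Params.AppId {
		c.SetInvalidParam("app_id")
		return
	}

	oldOauthApp, err := c.App.GetOAuthApp(c.Params.AppId)
	if err != nil {
		c.Err = err
		return
	}

	// Non-creators need the system-wide OAuth permission to touch someone
	// else's app.
	if c.App.Session().UserId != oldOauthApp.CreatorId && !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

	// Only system admins may change IsTrusted; everyone else keeps the
	// stored value regardless of what the payload says.
	if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_SYSTEM) {
		oauthApp.IsTrusted = oldOauthApp.IsTrusted
	}

	updatedOauthApp, err := c.App.UpdateOauthApp(oldOauthApp, oauthApp)
	if err != nil {
		c.Err = err
		return
	}

	auditRec.Success()
	c.LogAudit("success")

	w.Write([]byte(updatedOauthApp.ToJson()))
}

// getOAuthApps handles GET on the OAuth apps collection.
//
// Authorization: the session needs PERMISSION_MANAGE_OAUTH (a 403 AppError is
// returned otherwise). The listing scope then depends on
// PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH: holders see every app, everyone else
// sees only the apps they created. Pagination comes from c.Params.
//
// Responds with the app list as JSON.
func getOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) {
	if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_OAUTH) {
		c.Err = model.NewAppError("getOAuthApps", "api.command.admin_only.app_error", nil, "", http.StatusForbidden)
		return
	}

	// PERMISSION_MANAGE_OAUTH is already established above, so the only
	// remaining question is scope. (The original code re-checked
	// MANAGE_OAUTH here with an unreachable else branch; that is dropped.)
	var apps []*model.OAuthApp
	var err *model.AppError
	if c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
		apps, err = c.App.GetOAuthApps(c.Params.Page, c.Params.PerPage)
	} else {
		apps, err = c.App.GetOAuthAppsByCreator(c.App.Session().UserId, c.Params.Page, c.Params.PerPage)
	}
	if err != nil {
		c.Err = err
		return
	}

	w.Write([]byte(model.OAuthAppListToJson(apps)))
}

// getOAuthApp handles GET on a single OAuth app.
//
// Authorization: the session needs PERMISSION_MANAGE_OAUTH, and must either be
// the app's creator or hold PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH. The app is
// written as-is (not sanitized), which is what lets the owner see its
// full record.
func getOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireAppId()
	if c.Err != nil {
		return
	}

	if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	oauthApp, err := c.App.GetOAuthApp(c.Params.AppId)
	if err != nil {
		c.Err = err
		return
	}

	if oauthApp.CreatorId != c.App.Session().UserId && !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

	w.Write([]byte(oauthApp.ToJson()))
}

// getOAuthAppInfo handles GET /info on a single OAuth app.
//
// Unlike getOAuthApp there is no PERMISSION_MANAGE_OAUTH or ownership check;
// the route's session requirement is the only guard, and the app is passed
// through Sanitize() before being written.
// NOTE(review): this makes the endpoint reachable by any authenticated user,
// so the response contents depend entirely on what Sanitize strips — confirm
// it removes the client secret, which is not visible from this file.
func getOAuthAppInfo(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireAppId()
	if c.Err != nil {
		return
	}

	oauthApp, err := c.App.GetOAuthApp(c.Params.AppId)
	if err != nil {
		c.Err = err
		return
	}

	oauthApp.Sanitize()
	w.Write([]byte(oauthApp.ToJson()))
}

// deleteOAuthApp handles DELETE on a single OAuth app.
//
// Authorization: the session needs PERMISSION_MANAGE_OAUTH, and must either be
// the app's creator or hold PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH. The attempt
// and outcome are both audited.
//
// Responds with the standard OK status body.
func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireAppId()
	if c.Err != nil {
		return
	}

	auditRec := c.MakeAuditRecord("deleteOAuthApp", audit.Fail)
	defer c.LogAuditRec(auditRec)
	auditRec.AddMeta("oauth_app_id", c.Params.AppId)
	c.LogAudit("attempt")

	if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	oauthApp, err := c.App.GetOAuthApp(c.Params.AppId)
	if err != nil {
		c.Err = err
		return
	}
	auditRec.AddMeta("oauth_app_name", oauthApp.Name)

	if c.App.Session().UserId != oauthApp.CreatorId && !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

	err = c.App.DeleteOAuthApp(oauthApp.Id)
	if err != nil {
		c.Err = err
		return
	}

	auditRec.Success()
	c.LogAudit("success")

	ReturnStatusOK(w)
}

// regenerateOAuthAppSecret handles POST /regen_secret on a single OAuth app.
//
// Authorization: the session needs PERMISSION_MANAGE_OAUTH, and must either be
// the app's creator or hold PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH. The app
// returned by RegenerateOAuthAppSecret is written back unsanitized so the
// caller receives the new secret; the operation is audited.
func regenerateOAuthAppSecret(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireAppId()
	if c.Err != nil {
		return
	}

	auditRec := c.MakeAuditRecord("regenerateOAuthAppSecret", audit.Fail)
	defer c.LogAuditRec(auditRec)
	auditRec.AddMeta("oauth_app_id", c.Params.AppId)

	if !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	oauthApp, err := c.App.GetOAuthApp(c.Params.AppId)
	if err != nil {
		c.Err = err
		return
	}
	auditRec.AddMeta("oauth_app_name", oauthApp.Name)

	if oauthApp.CreatorId != c.App.Session().UserId && !c.App.SessionHasPermissionTo(*c.App.Session(), model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

	oauthApp, err = c.App.RegenerateOAuthAppSecret(oauthApp)
	if err != nil {
		c.Err = err
		return
	}

	auditRec.Success()
	c.LogAudit("success")

	w.Write([]byte(oauthApp.ToJson()))
}

// getAuthorizedOAuthApps handles GET /oauth/apps/authorized for a user.
//
// Authorization: the session must be allowed to act on c.Params.UserId
// (SessionHasPermissionToUser); otherwise a PERMISSION_EDIT_OTHER_USERS error
// is returned. Pagination comes from c.Params.
//
// Responds with the list of apps the user has authorized, as JSON.
func getAuthorizedOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireUserId()
	if c.Err != nil {
		return
	}

	if !c.App.SessionHasPermissionToUser(*c.App.Session(), c.Params.UserId) {
		c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
		return
	}

	apps, err := c.App.GetAuthorizedAppsForUser(c.Params.UserId, c.Params.Page, c.Params.PerPage)
	if err != nil {
		c.Err = err
		return
	}

	w.Write([]byte(model.OAuthAppListToJson(apps)))
}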