ec1f89217a
Full Mattermost server source with integrated Community Enterprise features. Includes vendor directory for offline/air-gapped builds. Structure: - enterprise-impl/: Enterprise feature implementations - enterprise-community/: Init files that register implementations - enterprise/: Bridge imports (community_imports.go) - vendor/: All dependencies for offline builds Build (online): go build ./cmd/mattermost Build (offline/air-gapped): go build -mod=vendor ./cmd/mattermost 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
329 lines
10 KiB
Go
329 lines
10 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package app
|
|
|
|
import (
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"encoding/xml"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"mime/multipart"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/mattermost/mattermost/server/public/model"
|
|
"github.com/mattermost/mattermost/server/public/shared/request"
|
|
)
|
|
|
|
const (
|
|
SamlPublicCertificateName = "saml-public.crt"
|
|
SamlPrivateKeyName = "saml-private.key"
|
|
SamlIdpCertificateName = "saml-idp.crt"
|
|
)
|
|
|
|
func (a *App) GetSamlMetadata(rctx request.CTX) (string, *model.AppError) {
|
|
if a.Saml() == nil {
|
|
err := model.NewAppError("GetSamlMetadata", "api.admin.saml.not_available.app_error", nil, "", http.StatusNotImplemented)
|
|
return "", err
|
|
}
|
|
|
|
result, err := a.Saml().GetMetadata(rctx)
|
|
if err != nil {
|
|
return "", model.NewAppError("GetSamlMetadata", "api.admin.saml.metadata.app_error", nil, "", err.StatusCode).Wrap(err)
|
|
}
|
|
return result, nil
|
|
}
|
|
|
|
func (a *App) writeSamlFile(filename string, fileData *multipart.FileHeader) *model.AppError {
|
|
file, err := fileData.Open()
|
|
if err != nil {
|
|
return model.NewAppError("AddSamlCertificate", "api.admin.add_certificate.open.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
defer file.Close()
|
|
|
|
data, err := io.ReadAll(file)
|
|
if err != nil {
|
|
return model.NewAppError("AddSamlCertificate", "api.admin.add_certificate.saving.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
|
|
err = a.Srv().platform.SetConfigFile(filename, data)
|
|
if err != nil {
|
|
return model.NewAppError("AddSamlCertificate", "api.admin.add_certificate.saving.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) AddSamlPublicCertificate(fileData *multipart.FileHeader) *model.AppError {
|
|
if err := a.writeSamlFile(SamlPublicCertificateName, fileData); err != nil {
|
|
return err
|
|
}
|
|
|
|
cfg := a.Config().Clone()
|
|
*cfg.SamlSettings.PublicCertificateFile = SamlPublicCertificateName
|
|
|
|
if err := cfg.IsValid(); err != nil {
|
|
return err
|
|
}
|
|
|
|
a.UpdateConfig(func(dest *model.Config) { *dest = *cfg })
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) AddSamlPrivateCertificate(fileData *multipart.FileHeader) *model.AppError {
|
|
if err := a.writeSamlFile(SamlPrivateKeyName, fileData); err != nil {
|
|
return err
|
|
}
|
|
|
|
cfg := a.Config().Clone()
|
|
*cfg.SamlSettings.PrivateKeyFile = SamlPrivateKeyName
|
|
|
|
if err := cfg.IsValid(); err != nil {
|
|
return err
|
|
}
|
|
|
|
a.UpdateConfig(func(dest *model.Config) { *dest = *cfg })
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) AddSamlIdpCertificate(fileData *multipart.FileHeader) *model.AppError {
|
|
if err := a.writeSamlFile(SamlIdpCertificateName, fileData); err != nil {
|
|
return err
|
|
}
|
|
|
|
cfg := a.Config().Clone()
|
|
*cfg.SamlSettings.IdpCertificateFile = SamlIdpCertificateName
|
|
|
|
if err := cfg.IsValid(); err != nil {
|
|
return err
|
|
}
|
|
|
|
a.UpdateConfig(func(dest *model.Config) { *dest = *cfg })
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) removeSamlFile(filename string) *model.AppError {
|
|
if err := a.Srv().platform.RemoveConfigFile(filename); err != nil {
|
|
return model.NewAppError("RemoveSamlFile", "api.admin.remove_certificate.delete.app_error", map[string]any{"Filename": filename}, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) RemoveSamlPublicCertificate() *model.AppError {
|
|
if err := a.removeSamlFile(*a.Config().SamlSettings.PublicCertificateFile); err != nil {
|
|
return err
|
|
}
|
|
|
|
cfg := a.Config().Clone()
|
|
*cfg.SamlSettings.PublicCertificateFile = ""
|
|
*cfg.SamlSettings.Encrypt = false
|
|
|
|
if err := cfg.IsValid(); err != nil {
|
|
return err
|
|
}
|
|
|
|
a.UpdateConfig(func(dest *model.Config) { *dest = *cfg })
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) RemoveSamlPrivateCertificate() *model.AppError {
|
|
if err := a.removeSamlFile(*a.Config().SamlSettings.PrivateKeyFile); err != nil {
|
|
return err
|
|
}
|
|
|
|
cfg := a.Config().Clone()
|
|
*cfg.SamlSettings.PrivateKeyFile = ""
|
|
*cfg.SamlSettings.Encrypt = false
|
|
|
|
if err := cfg.IsValid(); err != nil {
|
|
return err
|
|
}
|
|
|
|
a.UpdateConfig(func(dest *model.Config) { *dest = *cfg })
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) RemoveSamlIdpCertificate() *model.AppError {
|
|
if err := a.removeSamlFile(*a.Config().SamlSettings.IdpCertificateFile); err != nil {
|
|
return err
|
|
}
|
|
|
|
cfg := a.Config().Clone()
|
|
*cfg.SamlSettings.IdpCertificateFile = ""
|
|
*cfg.SamlSettings.Enable = false
|
|
|
|
if err := cfg.IsValid(); err != nil {
|
|
return err
|
|
}
|
|
|
|
a.UpdateConfig(func(dest *model.Config) { *dest = *cfg })
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) GetSamlCertificateStatus() *model.SamlCertificateStatus {
|
|
status := &model.SamlCertificateStatus{}
|
|
|
|
status.IdpCertificateFile, _ = a.Srv().platform.HasConfigFile(*a.Config().SamlSettings.IdpCertificateFile)
|
|
status.PrivateKeyFile, _ = a.Srv().platform.HasConfigFile(*a.Config().SamlSettings.PrivateKeyFile)
|
|
status.PublicCertificateFile, _ = a.Srv().platform.HasConfigFile(*a.Config().SamlSettings.PublicCertificateFile)
|
|
|
|
return status
|
|
}
|
|
|
|
func (a *App) GetSamlMetadataFromIdp(idpMetadataURL string) (*model.SamlMetadataResponse, *model.AppError) {
|
|
if a.Saml() == nil {
|
|
err := model.NewAppError("GetSamlMetadataFromIdp", "api.admin.saml.not_available.app_error", nil, "", http.StatusNotImplemented)
|
|
return nil, err
|
|
}
|
|
|
|
if !strings.HasPrefix(idpMetadataURL, "http://") && !strings.HasPrefix(idpMetadataURL, "https://") {
|
|
idpMetadataURL = "https://" + idpMetadataURL
|
|
}
|
|
|
|
idpMetadataRaw, err := a.FetchSamlMetadataFromIdp(idpMetadataURL)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
data, err := a.BuildSamlMetadataObject(idpMetadataRaw)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return data, nil
|
|
}
|
|
|
|
func (a *App) FetchSamlMetadataFromIdp(url string) ([]byte, *model.AppError) {
|
|
resp, err := a.HTTPService().MakeClient(false).Get(url)
|
|
if err != nil {
|
|
return nil, model.NewAppError("FetchSamlMetadataFromIdp", "app.admin.saml.invalid_response_from_idp.app_error", nil, "", http.StatusBadRequest).Wrap(err)
|
|
}
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
return nil, model.NewAppError("FetchSamlMetadataFromIdp", "app.admin.saml.invalid_response_from_idp.app_error", nil, fmt.Sprintf("status_code=%d", resp.StatusCode), http.StatusBadRequest)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
bodyXML, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return nil, model.NewAppError("FetchSamlMetadataFromIdp", "app.admin.saml.failure_read_response_body_from_idp.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
|
|
return bodyXML, nil
|
|
}
|
|
|
|
func (a *App) BuildSamlMetadataObject(idpMetadata []byte) (*model.SamlMetadataResponse, *model.AppError) {
|
|
entityDescriptor := model.EntityDescriptor{}
|
|
err := xml.Unmarshal(idpMetadata, &entityDescriptor)
|
|
if err != nil {
|
|
return nil, model.NewAppError("BuildSamlMetadataObject", "app.admin.saml.failure_decode_metadata_xml_from_idp.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
|
|
data := &model.SamlMetadataResponse{}
|
|
data.IdpDescriptorURL = entityDescriptor.EntityID
|
|
|
|
if len(entityDescriptor.IDPSSODescriptors) == 0 {
|
|
err := model.NewAppError("BuildSamlMetadataObject", "api.admin.saml.invalid_xml_missing_idpssodescriptors.app_error", nil, "", http.StatusInternalServerError)
|
|
return nil, err
|
|
}
|
|
|
|
idpSSODescriptor := entityDescriptor.IDPSSODescriptors[0]
|
|
if len(idpSSODescriptor.SingleSignOnServices) == 0 {
|
|
err := model.NewAppError("BuildSamlMetadataObject", "api.admin.saml.invalid_xml_missing_ssoservices.app_error", nil, "", http.StatusInternalServerError)
|
|
return nil, err
|
|
}
|
|
|
|
data.IdpURL = idpSSODescriptor.SingleSignOnServices[0].Location
|
|
if len(idpSSODescriptor.SSODescriptor.RoleDescriptor.KeyDescriptors) == 0 {
|
|
err := model.NewAppError("BuildSamlMetadataObject", "api.admin.saml.invalid_xml_missing_keydescriptor.app_error", nil, "", http.StatusInternalServerError)
|
|
return nil, err
|
|
}
|
|
keyDescriptor := idpSSODescriptor.SSODescriptor.RoleDescriptor.KeyDescriptors[0]
|
|
data.IdpPublicCertificate = keyDescriptor.KeyInfo.X509Data.X509Certificate.Cert
|
|
|
|
return data, nil
|
|
}
|
|
|
|
func (a *App) SetSamlIdpCertificateFromMetadata(data []byte) *model.AppError {
|
|
const certPrefix = "-----BEGIN CERTIFICATE-----\n"
|
|
const certSuffix = "\n-----END CERTIFICATE-----"
|
|
fixedCertTxt := certPrefix + string(data) + certSuffix
|
|
|
|
block, _ := pem.Decode([]byte(fixedCertTxt))
|
|
if _, e := x509.ParseCertificate(block.Bytes); e != nil {
|
|
return model.NewAppError("SetSamlIdpCertificateFromMetadata", "api.admin.saml.failure_parse_idp_certificate.app_error", nil, "", http.StatusInternalServerError).Wrap(e)
|
|
}
|
|
|
|
data = pem.EncodeToMemory(&pem.Block{
|
|
Type: "CERTIFICATE",
|
|
Bytes: block.Bytes,
|
|
})
|
|
|
|
if err := a.Srv().platform.SetConfigFile(SamlIdpCertificateName, data); err != nil {
|
|
return model.NewAppError("SetSamlIdpCertificateFromMetadata", "api.admin.saml.failure_save_idp_certificate_file.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
|
|
cfg := a.Config().Clone()
|
|
*cfg.SamlSettings.IdpCertificateFile = SamlIdpCertificateName
|
|
|
|
if err := cfg.IsValid(); err != nil {
|
|
return err
|
|
}
|
|
|
|
a.UpdateConfig(func(dest *model.Config) { *dest = *cfg })
|
|
|
|
return nil
|
|
}
|
|
|
|
func (a *App) ResetSamlAuthDataToEmail(includeDeleted bool, dryRun bool, userIDs []string) (numAffected int, appErr *model.AppError) {
|
|
if a.Saml() == nil {
|
|
appErr = model.NewAppError("ResetAuthDataToEmail", "api.admin.saml.not_available.app_error", nil, "", http.StatusNotImplemented)
|
|
return
|
|
}
|
|
numAffected, err := a.Srv().Store().User().ResetAuthDataToEmailForUsers(model.UserAuthServiceSaml, userIDs, includeDeleted, dryRun)
|
|
if err != nil {
|
|
appErr = model.NewAppError("ResetAuthDataToEmail", "api.admin.saml.failure_reset_authdata_to_email.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
return
|
|
}
|
|
return
|
|
}
|
|
|
|
func (a *App) CreateSamlRelayToken(tokenType string, extra string) (*model.Token, *model.AppError) {
|
|
token := model.NewToken(tokenType, extra)
|
|
|
|
if err := a.Srv().Store().Token().Save(token); err != nil {
|
|
var appErr *model.AppError
|
|
switch {
|
|
case errors.As(err, &appErr):
|
|
return nil, appErr
|
|
default:
|
|
return nil, model.NewAppError("CreateSamlRelayToken", "app.recover.save.app_error", nil, "", http.StatusInternalServerError).Wrap(err)
|
|
}
|
|
}
|
|
|
|
return token, nil
|
|
}
|
|
|
|
func (a *App) GetSamlEmailToken(token string) (*model.Token, *model.AppError) {
|
|
mToken, err := a.Srv().Store().Token().GetByToken(token)
|
|
if err != nil {
|
|
return nil, model.NewAppError("GetSamlEmailToken", "api.saml.invalid_email_token.app_error", nil, "", http.StatusBadRequest).Wrap(err)
|
|
}
|
|
|
|
if mToken.Type != model.TokenTypeSaml {
|
|
return nil, model.NewAppError("GetSamlEmailToken", "api.saml.invalid_email_token.app_error", nil, "", http.StatusBadRequest)
|
|
}
|
|
|
|
return mToken, nil
|
|
}
|