mattermost-community-enterprise/channels/store/sqlstore/oauth_store.go

// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.

package sqlstore

import (
	"database/sql"
	"fmt"

	"github.com/pkg/errors"

	"github.com/mattermost/mattermost/server/public/model"
	"github.com/mattermost/mattermost/server/v8/channels/store"
	sq "github.com/mattermost/squirrel"
)

type SqlOAuthStore struct {
	*SqlStore
	oAuthAppsSelectQuery sq.SelectBuilder
	oAuthAccessDataQuery sq.SelectBuilder
	oAuthAuthDataQuery   sq.SelectBuilder
}

func newSqlOAuthStore(sqlStore *SqlStore) store.OAuthStore {
	s := SqlOAuthStore{
		SqlStore: sqlStore,
	}

	s.oAuthAppsSelectQuery = s.getQueryBuilder().
		Select("o.Id", "o.CreatorId", "o.CreateAt", "o.UpdateAt", "o.ClientSecret", "o.Name", "o.Description", "o.IconURL", "o.CallbackUrls", "o.Homepage", "o.IsTrusted", "o.MattermostAppID",
			"o.IsDynamicallyRegistered").
		From("OAuthApps o")

	s.oAuthAccessDataQuery = s.getQueryBuilder().
		Select("ClientId", "UserId", "Token", "RefreshToken", "RedirectUri", "ExpiresAt", "Scope", "Audience").
		From("OAuthAccessData")

	s.oAuthAuthDataQuery = s.getQueryBuilder().
		Select("ClientId", "UserId", "Code", "ExpiresIn", "CreateAt", "RedirectUri", "State", "Scope", "CodeChallenge", "CodeChallengeMethod", "Resource").
		From("OAuthAuthData")

	return &s
}

func (as SqlOAuthStore) SaveApp(app *model.OAuthApp) (*model.OAuthApp, error) {
	if app.Id != "" {
		return nil, store.NewErrInvalidInput("OAuthApp", "Id", app.Id)
	}

	app.PreSave()
	if err := app.IsValid(); err != nil {
		return nil, err
	}

	if _, err := as.GetMaster().NamedExec(`INSERT INTO OAuthApps
		(Id, CreatorId, CreateAt, UpdateAt, ClientSecret, Name, Description, IconURL, CallbackUrls, Homepage, IsTrusted, MattermostAppID,
		 IsDynamicallyRegistered)
		VALUES
		(:Id, :CreatorId, :CreateAt, :UpdateAt, :ClientSecret, :Name, :Description, :IconURL, :CallbackUrls, :Homepage, :IsTrusted, :MattermostAppID,
		 :IsDynamicallyRegistered)`, app); err != nil {
		return nil, errors.Wrap(err, "failed to save OAuthApp")
	}
	return app, nil
}

func (as SqlOAuthStore) UpdateApp(app *model.OAuthApp) (*model.OAuthApp, error) {
	app.PreUpdate()

	if err := app.IsValid(); err != nil {
		return nil, err
	}

	var oldApp model.OAuthApp
	query := as.oAuthAppsSelectQuery.Where(sq.Eq{"o.Id": app.Id})

	err := as.GetReplica().GetBuilder(&oldApp, query)
	if err != nil {
		return nil, errors.Wrapf(err, "failed to get OAuthApp with id=%s", app.Id)
	}
	if oldApp.Id == "" {
		return nil, store.NewErrInvalidInput("OAuthApp", "Id", app.Id)
	}

	app.CreateAt = oldApp.CreateAt
	app.CreatorId = oldApp.CreatorId

	res, err := as.GetMaster().NamedExec(`UPDATE OAuthApps
		SET UpdateAt=:UpdateAt, ClientSecret=:ClientSecret, Name=:Name,
			Description=:Description, IconURL=:IconURL, CallbackUrls=:CallbackUrls,
			Homepage=:Homepage, IsTrusted=:IsTrusted, MattermostAppID=:MattermostAppID,
			IsDynamicallyRegistered=:IsDynamicallyRegistered
		WHERE Id=:Id`, app)
	if err != nil {
		return nil, errors.Wrapf(err, "failed to update OAuthApp with id=%s", app.Id)
	}
	count, err := res.RowsAffected()
	if err != nil {
		return nil, errors.Wrap(err, "error while getting rows_affected")
	}
	if count > 1 {
		return nil, store.NewErrInvalidInput("OAuthApp", "Id", app.Id)
	}
	return app, nil
}

func (as SqlOAuthStore) GetApp(id string) (*model.OAuthApp, error) {
	var app model.OAuthApp
	query := as.oAuthAppsSelectQuery.Where(sq.Eq{"o.Id": id})

	if err := as.GetReplica().GetBuilder(&app, query); err != nil {
		if err == sql.ErrNoRows {
			return nil, store.NewErrNotFound("OAuthApp", id)
		}
		return nil, errors.Wrapf(err, "failed to get OAuthApp with id=%s", id)
	}
	if app.Id == "" {
		return nil, store.NewErrNotFound("OAuthApp", id)
	}

	return &app, nil
}

func (as SqlOAuthStore) GetAppByUser(userId string, offset, limit int) ([]*model.OAuthApp, error) {
	apps := []*model.OAuthApp{}

	query := as.oAuthAppsSelectQuery.Where(sq.Eq{"o.CreatorId": userId}).Limit(uint64(limit)).Offset(uint64(offset))

	if err := as.GetReplica().SelectBuilder(&apps, query); err != nil {
		return nil, errors.Wrapf(err, "failed to find OAuthApps with userId=%s", userId)
	}

	return apps, nil
}

func (as SqlOAuthStore) GetApps(offset, limit int) ([]*model.OAuthApp, error) {
	apps := []*model.OAuthApp{}

	query := as.oAuthAppsSelectQuery.Limit(uint64(limit)).Offset(uint64(offset))

	if err := as.GetReplica().SelectBuilder(&apps, query); err != nil {
		return nil, errors.Wrap(err, "failed to find OAuthApps")
	}

	return apps, nil
}

func (as SqlOAuthStore) GetAuthorizedApps(userId string, offset, limit int) ([]*model.OAuthApp, error) {
	apps := []*model.OAuthApp{}

	query := as.oAuthAppsSelectQuery.
		InnerJoin("Preferences AS p ON p.Name = o.Id AND p.UserId = ?", userId).
		Limit(uint64(limit)).
		Offset(uint64(offset))

	if err := as.GetReplica().SelectBuilder(&apps, query); err != nil {
		return nil, errors.Wrapf(err, "failed to find OAuthApps with userId=%s", userId)
	}

	return apps, nil
}

func (as SqlOAuthStore) DeleteApp(id string) (err error) {
	// wrap in a transaction so that if one fails, everything fails
	transaction, err := as.GetMaster().Beginx()
	if err != nil {
		return errors.Wrap(err, "begin_transaction")
	}
	defer finalizeTransactionX(transaction, &err)

	if err := as.deleteApp(transaction, id); err != nil {
		return err
	}

	if err := transaction.Commit(); err != nil {
		// don't need to rollback here since the transaction is already closed
		return errors.Wrap(err, "commit_transaction")
	}
	return nil
}

func (as SqlOAuthStore) SaveAccessData(accessData *model.AccessData) (*model.AccessData, error) {
	if err := accessData.IsValid(); err != nil {
		return nil, err
	}

	if _, err := as.GetMaster().NamedExec(`INSERT INTO OAuthAccessData
		(ClientId, UserId, Token, RefreshToken, RedirectUri, ExpiresAt, Scope, Audience)
		VALUES
		(:ClientId, :UserId, :Token, :RefreshToken, :RedirectUri, :ExpiresAt, :Scope, :Audience)`, accessData); err != nil {
		return nil, errors.Wrap(err, "failed to save AccessData")
	}
	return accessData, nil
}

func (as SqlOAuthStore) GetAccessData(token string) (*model.AccessData, error) {
	accessData := model.AccessData{}

	query := as.oAuthAccessDataQuery.Where(sq.Eq{"Token": token})

	if err := as.GetReplica().GetBuilder(&accessData, query); err != nil {
		return nil, errors.Wrapf(err, "failed to get OAuthAccessData with token=%s", token)
	}
	return &accessData, nil
}

func (as SqlOAuthStore) GetAccessDataByUserForApp(userID, clientID string) ([]*model.AccessData, error) {
	accessData := []*model.AccessData{}

	query := as.oAuthAccessDataQuery.Where(sq.Eq{"UserId": userID, "ClientId": clientID})

	if err := as.GetReplica().SelectBuilder(&accessData, query); err != nil {
		return nil, errors.Wrapf(err, "failed to delete OAuthAccessData with userId=%s and clientId=%s", userID, clientID)
	}
	return accessData, nil
}

func (as SqlOAuthStore) GetAccessDataByRefreshToken(token string) (*model.AccessData, error) {
	accessData := model.AccessData{}

	query := as.oAuthAccessDataQuery.Where(sq.Eq{"RefreshToken": token})

	if err := as.GetReplica().GetBuilder(&accessData, query); err != nil {
		return nil, errors.Wrapf(err, "failed to find OAuthAccessData with refreshToken=%s", token)
	}
	return &accessData, nil
}

func (as SqlOAuthStore) GetPreviousAccessData(userID, clientID string) (*model.AccessData, error) {
	accessData := model.AccessData{}

	query := as.oAuthAccessDataQuery.Where(sq.Eq{"UserId": userID, "ClientId": clientID}).
		OrderBy("ExpiresAt DESC").Limit(1)

	if err := as.GetReplica().GetBuilder(&accessData, query); err != nil {
		if err == sql.ErrNoRows {
			return nil, nil
		}
		return nil, errors.Wrapf(err, "failed to find OAuthAccessData with userId=%s and clientId=%s", userID, clientID)
	}

	return &accessData, nil
}

func (as SqlOAuthStore) UpdateAccessData(accessData *model.AccessData) (*model.AccessData, error) {
	if err := accessData.IsValid(); err != nil {
		return nil, err
	}

	if _, err := as.GetMaster().NamedExec("UPDATE OAuthAccessData SET Token = :Token, ExpiresAt = :ExpiresAt, RefreshToken = :RefreshToken, Audience = :Audience WHERE ClientId = :ClientId AND UserID = :UserId", accessData); err != nil {
		return nil, errors.Wrapf(err, "failed to update OAuthAccessData with userId=%s and clientId=%s", accessData.UserId, accessData.ClientId)
	}
	return accessData, nil
}

func (as SqlOAuthStore) RemoveAccessData(token string) error {
	if _, err := as.GetMaster().Exec("DELETE FROM OAuthAccessData WHERE Token = ?", token); err != nil {
		return errors.Wrapf(err, "failed to delete OAuthAccessData with token=%s", token)
	}
	return nil
}

func (as SqlOAuthStore) RemoveAllAccessData() error {
	if _, err := as.GetMaster().Exec("DELETE FROM OAuthAccessData"); err != nil {
		return errors.Wrap(err, "failed to delete OAuthAccessData")
	}
	return nil
}

func (as SqlOAuthStore) SaveAuthData(authData *model.AuthData) (*model.AuthData, error) {
	authData.PreSave()
	if err := authData.IsValid(); err != nil {
		return nil, err
	}

	if _, err := as.GetMaster().NamedExec(`INSERT INTO OAuthAuthData
		(ClientId, UserId, Code, ExpiresIn, CreateAt, RedirectUri, State, Scope, CodeChallenge, CodeChallengeMethod, Resource)
		VALUES
		(:ClientId, :UserId, :Code, :ExpiresIn, :CreateAt, :RedirectUri, :State, :Scope, :CodeChallenge, :CodeChallengeMethod, :Resource)`, authData); err != nil {
		return nil, errors.Wrap(err, "failed to save AuthData")
	}
	return authData, nil
}

func (as SqlOAuthStore) GetAuthData(code string) (*model.AuthData, error) {
	var authData model.AuthData

	query := as.oAuthAuthDataQuery.Where(sq.Eq{"Code": code})

	if err := as.GetReplica().GetBuilder(&authData, query); err != nil {
		if err == sql.ErrNoRows {
			return nil, store.NewErrNotFound("AuthData", fmt.Sprintf("code=%s", code))
		}
		return nil, errors.Wrapf(err, "failed to get AuthData with code=%s", code)
	}

	if authData.Code == "" {
		return nil, store.NewErrNotFound("AuthData", fmt.Sprintf("code=%s", code))
	}

	return &authData, nil
}

func (as SqlOAuthStore) RemoveAuthData(code string) error {
	_, err := as.GetMaster().Exec("DELETE FROM OAuthAuthData WHERE Code = ?", code)
	if err != nil {
		return errors.Wrapf(err, "failed to delete AuthData with code=%s", code)
	}
	return nil
}

func (as SqlOAuthStore) RemoveAuthDataByClientId(clientId string, userId string) error {
	_, err := as.GetMaster().Exec("DELETE FROM OAuthAuthData WHERE ClientId = ? and UserId = ?", clientId, userId)
	if err != nil {
		return errors.Wrapf(err, "failed to delete AuthData with clientId=%s and userId=%s", clientId, userId)
	}
	return nil
}

func (as SqlOAuthStore) RemoveAuthDataByUserId(userId string) error {
	_, err := as.GetMaster().Exec("DELETE FROM OAuthAuthData WHERE UserId = ?", userId)
	if err != nil {
		return errors.Wrapf(err, "failed to delete AuthData with userId=%s", userId)
	}
	return nil
}

func (as SqlOAuthStore) PermanentDeleteAuthDataByUser(userId string) error {
	_, err := as.GetMaster().Exec("DELETE FROM OAuthAccessData WHERE UserId = ?", userId)
	if err != nil {
		return errors.Wrapf(err, "failed to delete OAuthAccessData with userId=%s", userId)
	}
	return nil
}

func (as SqlOAuthStore) deleteApp(transaction *sqlxTxWrapper, clientId string) error {
	if _, err := transaction.Exec("DELETE FROM OAuthApps WHERE Id = ?", clientId); err != nil {
		return errors.Wrapf(err, "failed to delete OAuthApp with id=%s", clientId)
	}

	return as.deleteOAuthAppSessions(transaction, clientId)
}

func (as SqlOAuthStore) deleteOAuthAppSessions(transaction *sqlxTxWrapper, clientId string) error {
	query := "DELETE FROM Sessions s USING OAuthAccessData o WHERE o.Token = s.Token AND o.ClientId = ?"

	if _, err := transaction.Exec(query, clientId); err != nil {
		return errors.Wrapf(err, "failed to delete Session with OAuthAccessData.Id=%s", clientId)
	}

	return as.deleteOAuthTokens(transaction, clientId)
}

func (as SqlOAuthStore) deleteOAuthTokens(transaction *sqlxTxWrapper, clientId string) error {
	if _, err := transaction.Exec("DELETE FROM OAuthAccessData WHERE ClientId = ?", clientId); err != nil {
		return errors.Wrapf(err, "failed to delete OAuthAccessData with id=%s", clientId)
	}

	return as.deleteAppExtras(transaction, clientId)
}

func (as SqlOAuthStore) deleteAppExtras(transaction *sqlxTxWrapper, clientId string) error {
	if _, err := transaction.Exec(
		`DELETE FROM
			Preferences
		WHERE
			Category = ?
			AND Name = ?`, model.PreferenceCategoryAuthorizedOAuthApp, clientId); err != nil {
		return errors.Wrapf(err, "failed to delete Preferences with name=%s", clientId)
	}

	return nil
}