ec1f89217a
Full Mattermost server source with integrated Community Enterprise features. Includes vendor directory for offline/air-gapped builds. Structure: - enterprise-impl/: Enterprise feature implementations - enterprise-community/: Init files that register implementations - enterprise/: Bridge imports (community_imports.go) - vendor/: All dependencies for offline builds Build (online): go build ./cmd/mattermost Build (offline/air-gapped): go build -mod=vendor ./cmd/mattermost 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
231 lines
7.9 KiB
Go
231 lines
7.9 KiB
Go
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
|
|
// See LICENSE.txt for license information.
|
|
|
|
package model
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"unicode/utf8"
|
|
)
|
|
|
|
type OutgoingOAuthConnectionGrantType string
|
|
|
|
func (gt OutgoingOAuthConnectionGrantType) IsValid() bool {
|
|
return gt == OutgoingOAuthConnectionGrantTypeClientCredentials || gt == OutgoingOAuthConnectionGrantTypePassword
|
|
}
|
|
|
|
const (
|
|
OutgoingOAuthConnectionGrantTypeClientCredentials OutgoingOAuthConnectionGrantType = "client_credentials"
|
|
OutgoingOAuthConnectionGrantTypePassword OutgoingOAuthConnectionGrantType = "password"
|
|
|
|
defaultGetConnectionsLimit = 50
|
|
)
|
|
|
|
type OutgoingOAuthConnection struct {
|
|
Id string `json:"id"`
|
|
CreatorId string `json:"creator_id"`
|
|
CreateAt int64 `json:"create_at"`
|
|
UpdateAt int64 `json:"update_at"`
|
|
Name string `json:"name"`
|
|
ClientId string `json:"client_id,omitempty"`
|
|
ClientSecret string `json:"client_secret,omitempty"`
|
|
CredentialsUsername *string `json:"credentials_username,omitempty"`
|
|
CredentialsPassword *string `json:"credentials_password,omitempty"`
|
|
OAuthTokenURL string `json:"oauth_token_url"`
|
|
GrantType OutgoingOAuthConnectionGrantType `json:"grant_type"`
|
|
Audiences StringArray `json:"audiences"`
|
|
}
|
|
|
|
func (oa *OutgoingOAuthConnection) Auditable() map[string]any {
|
|
return map[string]any{
|
|
"id": oa.Id,
|
|
"creator_id": oa.CreatorId,
|
|
"create_at": oa.CreateAt,
|
|
"update_at": oa.UpdateAt,
|
|
"name": oa.Name,
|
|
"grant_type": oa.GrantType,
|
|
}
|
|
}
|
|
|
|
// Sanitize removes any sensitive fields from the OutgoingOAuthConnection object.
|
|
func (oa *OutgoingOAuthConnection) Sanitize() {
|
|
oa.ClientSecret = ""
|
|
oa.CredentialsPassword = nil
|
|
}
|
|
|
|
// Patch updates the OutgoingOAuthConnection object with the non-empty fields from the given connection.
|
|
func (oa *OutgoingOAuthConnection) Patch(conn *OutgoingOAuthConnection) {
|
|
if conn == nil {
|
|
return
|
|
}
|
|
|
|
if conn.Name != "" {
|
|
oa.Name = conn.Name
|
|
}
|
|
if conn.ClientId != "" {
|
|
oa.ClientId = conn.ClientId
|
|
}
|
|
if conn.ClientSecret != "" {
|
|
oa.ClientSecret = conn.ClientSecret
|
|
}
|
|
if conn.OAuthTokenURL != "" {
|
|
oa.OAuthTokenURL = conn.OAuthTokenURL
|
|
}
|
|
if conn.GrantType != "" {
|
|
oa.GrantType = conn.GrantType
|
|
}
|
|
if len(conn.Audiences) > 0 {
|
|
oa.Audiences = conn.Audiences
|
|
}
|
|
if conn.CredentialsUsername != nil {
|
|
oa.CredentialsUsername = conn.CredentialsUsername
|
|
}
|
|
if conn.CredentialsPassword != nil {
|
|
oa.CredentialsPassword = conn.CredentialsPassword
|
|
}
|
|
}
|
|
|
|
// IsValid validates the object and returns an error if it isn't properly configured
|
|
func (oa *OutgoingOAuthConnection) IsValid() *AppError {
|
|
if !IsValidId(oa.Id) {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.id.error", nil, "", http.StatusBadRequest)
|
|
}
|
|
|
|
if oa.CreateAt == 0 {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.create_at.error", nil, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
|
|
if oa.UpdateAt == 0 {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.update_at.error", nil, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
|
|
if !IsValidId(oa.CreatorId) {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.creator_id.error", nil, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
|
|
if oa.Name == "" || utf8.RuneCountInString(oa.Name) > 64 {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.name.error", nil, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
|
|
if oa.ClientId == "" || utf8.RuneCountInString(oa.ClientId) > 255 {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.client_id.error", nil, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
|
|
if oa.ClientSecret == "" || utf8.RuneCountInString(oa.ClientSecret) > 255 {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.client_secret.error", nil, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
|
|
if !IsValidHTTPURL(oa.OAuthTokenURL) || utf8.RuneCountInString(oa.OAuthTokenURL) > 256 {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.oauth_token_url.error", nil, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
|
|
if err := oa.HasValidGrantType(); err != nil {
|
|
return err
|
|
}
|
|
|
|
if len(oa.Audiences) == 0 {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.audience.empty", nil, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
|
|
if len(oa.Audiences) > 0 {
|
|
for _, audience := range oa.Audiences {
|
|
if !IsValidHTTPURL(audience) {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.audience.error", map[string]any{"Url": audience}, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// HasValidGrantType validates the grant type and its parameters returning an error if it isn't properly configured
|
|
func (oa *OutgoingOAuthConnection) HasValidGrantType() *AppError {
|
|
if !oa.GrantType.IsValid() {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.grant_type.error", nil, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
|
|
if oa.GrantType == OutgoingOAuthConnectionGrantTypePassword && (oa.CredentialsUsername == nil || oa.CredentialsPassword == nil) {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.password_credentials.error", nil, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
|
|
if oa.GrantType == OutgoingOAuthConnectionGrantTypePassword && (*oa.CredentialsUsername == "" || *oa.CredentialsPassword == "") {
|
|
return NewAppError("OutgoingOAuthConnection.IsValid", "model.outgoing_oauth_connection.is_valid.password_credentials.error", nil, "id="+oa.Id, http.StatusBadRequest)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// PreSave will set the Id if empty, ensuring the object has one and the create/update times.
|
|
func (oa *OutgoingOAuthConnection) PreSave() {
|
|
if oa.Id == "" {
|
|
oa.Id = NewId()
|
|
}
|
|
|
|
oa.CreateAt = GetMillis()
|
|
oa.UpdateAt = oa.CreateAt
|
|
}
|
|
|
|
// PreUpdate will set the update time to now.
|
|
func (oa *OutgoingOAuthConnection) PreUpdate() {
|
|
oa.UpdateAt = GetMillis()
|
|
}
|
|
|
|
// Etag returns the ETag for the cache.
|
|
func (oa *OutgoingOAuthConnection) Etag() string {
|
|
return Etag(oa.Id, oa.UpdateAt)
|
|
}
|
|
|
|
// OutgoingOAuthConnectionGetConnectionsFilter is used to filter outgoing connections
|
|
type OutgoingOAuthConnectionGetConnectionsFilter struct {
|
|
OffsetId string
|
|
Limit int
|
|
Audience string
|
|
|
|
// TeamId is not used as a filter but as a way to check if the current user has permission to
|
|
// access the outgoing oauth connection for the given team in order to use them in the slash
|
|
// commands and outgoing webhooks.
|
|
TeamId string
|
|
}
|
|
|
|
// SetDefaults sets the default values for the filter
|
|
func (oaf *OutgoingOAuthConnectionGetConnectionsFilter) SetDefaults() {
|
|
if oaf.Limit == 0 {
|
|
oaf.Limit = defaultGetConnectionsLimit
|
|
}
|
|
}
|
|
|
|
// ToURLValues converts the filter to url.Values
|
|
func (oaf *OutgoingOAuthConnectionGetConnectionsFilter) ToURLValues() url.Values {
|
|
v := url.Values{}
|
|
|
|
if oaf.Limit > 0 {
|
|
v.Set("limit", fmt.Sprintf("%d", oaf.Limit))
|
|
}
|
|
|
|
if oaf.OffsetId != "" {
|
|
v.Set("offset_id", oaf.OffsetId)
|
|
}
|
|
|
|
if oaf.Audience != "" {
|
|
v.Set("audience", oaf.Audience)
|
|
}
|
|
|
|
if oaf.TeamId != "" {
|
|
v.Set("team_id", oaf.TeamId)
|
|
}
|
|
return v
|
|
}
|
|
|
|
// OutgoingOAuthConnectionToken is used to return the token for an outgoing connection oauth
|
|
// authentication request
|
|
type OutgoingOAuthConnectionToken struct {
|
|
AccessToken string
|
|
TokenType string
|
|
}
|
|
|
|
func (ooct *OutgoingOAuthConnectionToken) AsHeaderValue() string {
|
|
return ooct.TokenType + " " + ooct.AccessToken
|
|
}
|