Commit 47250c66 authored by Joram Wilander's avatar Joram Wilander Committed by GitHub

Refactor context out of API packages (#8755)

* Refactor context out of API packages

* Update function names per feedback

* Move webhook handlers to web and fix web tests

* Move more webhook tests out of api package

* Fix static handler
parent 7e7c5519
......@@ -4,8 +4,6 @@
package api
import (
"fmt"
"net/http"
"testing"
"github.com/mattermost/mattermost-server/model"
......@@ -968,155 +966,3 @@ func TestRegenOutgoingHookToken(t *testing.T) {
t.Fatal("should have errored - webhooks turned off")
}
}
func TestIncomingWebhooks(t *testing.T) {
th := Setup().InitBasic().InitSystemAdmin()
defer th.TearDown()
Client := th.SystemAdminClient
team := th.SystemAdminTeam
channel1 := th.CreateChannel(Client, team)
user2 := th.CreateUser(Client)
th.LinkUserToTeam(user2, team)
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableIncomingWebhooks = true })
hook := &model.IncomingWebhook{ChannelId: channel1.Id}
hook = Client.Must(Client.CreateIncomingWebhook(hook)).Data.(*model.IncomingWebhook)
url := "/hooks/" + hook.Id
text := `this is a \"test\"
that contains a newline and a tab`
if _, err := Client.DoPost(url, "{\"text\":\"this is a test\"}", "application/json"); err != nil {
t.Fatal(err)
}
if _, err := Client.DoPost(url, "{\"text\":\""+text+"\"}", "application/json"); err != nil {
t.Fatal(err)
}
if _, err := Client.DoPost(url, fmt.Sprintf("{\"text\":\"this is a test\", \"channel\":\"%s\"}", channel1.Name), "application/json"); err != nil {
t.Fatal(err)
}
if _, err := Client.DoPost(url, fmt.Sprintf("{\"text\":\"this is a test\", \"channel\":\"#%s\"}", channel1.Name), "application/json"); err != nil {
t.Fatal(err)
}
if _, err := Client.DoPost(url, fmt.Sprintf("{\"text\":\"this is a test\", \"channel\":\"@%s\"}", user2.Username), "application/json"); err != nil {
t.Fatal(err)
}
if _, err := Client.DoPost(url, "payload={\"text\":\"this is a test\"}", "application/x-www-form-urlencoded"); err != nil {
t.Fatal(err)
}
if _, err := Client.DoPost(url, "payload={\"text\":\""+text+"\"}", "application/x-www-form-urlencoded"); err != nil {
t.Fatal(err)
}
if _, err := th.BasicClient.DoPost(url, fmt.Sprintf("{\"text\":\"this is a test\", \"channel\":\"%s\"}", model.DEFAULT_CHANNEL), "application/json"); err != nil {
t.Fatal("should not have failed -- ExperimentalTownSquareIsReadOnly is false and it's not a read only channel")
}
th.App.UpdateConfig(func(cfg *model.Config) { *cfg.TeamSettings.ExperimentalTownSquareIsReadOnly = true })
th.App.SetLicense(model.NewTestLicense())
if _, err := th.BasicClient.DoPost(url, fmt.Sprintf("{\"text\":\"this is a test\", \"channel\":\"%s\"}", model.DEFAULT_CHANNEL), "application/json"); err == nil {
t.Fatal("should have failed -- ExperimentalTownSquareIsReadOnly is true and it's a read only channel")
}
attachmentPayload := `{
"text": "this is a test",
"attachments": [
{
"fallback": "Required plain-text summary of the attachment.",
"color": "#36a64f",
"pretext": "Optional text that appears above the attachment block",
"author_name": "Bobby Tables",
"author_link": "http://flickr.com/bobby/",
"author_icon": "http://flickr.com/icons/bobby.jpg",
"title": "Slack API Documentation",
"title_link": "https://api.slack.com/",
"text": "Optional text that appears within the attachment",
"fields": [
{
"title": "Priority",
"value": "High",
"short": false
}
],
"image_url": "http://my-website.com/path/to/image.jpg",
"thumb_url": "http://example.com/path/to/thumb.png"
}
]
}`
if _, err := Client.DoPost(url, attachmentPayload, "application/json"); err != nil {
t.Fatal(err)
}
if _, err := Client.DoPost(url, "{\"text\":\"\"}", "application/json"); err == nil || err.StatusCode != http.StatusBadRequest {
t.Fatal("should have failed - no text")
}
tooLongText := ""
for i := 0; i < 8200; i++ {
tooLongText += "a"
}
if _, err := Client.DoPost(url, "{\"text\":\""+tooLongText+"\"}", "application/json"); err != nil {
t.Fatal(err)
}
attachmentPayload = `{
"text": "this is a test",
"attachments": [
{
"fallback": "Required plain-text summary of the attachment.",
"color": "#36a64f",
"pretext": "Optional text that appears above the attachment block",
"author_name": "Bobby Tables",
"author_link": "http://flickr.com/bobby/",
"author_icon": "http://flickr.com/icons/bobby.jpg",
"title": "Slack API Documentation",
"title_link": "https://api.slack.com/",
"text": "` + tooLongText + `",
"fields": [
{
"title": "Priority",
"value": "High",
"short": false
}
],
"image_url": "http://my-website.com/path/to/image.jpg",
"thumb_url": "http://example.com/path/to/thumb.png"
}
]
}`
if _, err := Client.DoPost(url, attachmentPayload, "application/json"); err != nil {
t.Fatal(err)
}
th.App.UpdateConfig(func(cfg *model.Config) { cfg.ServiceSettings.EnableIncomingWebhooks = false })
if _, err := Client.DoPost(url, "{\"text\":\"this is a test\"}", "application/json"); err == nil {
t.Fatal("should have failed - webhooks turned off")
}
}
......@@ -4,14 +4,12 @@
package api4
import (
"fmt"
"net/http"
"github.com/gorilla/mux"
"github.com/mattermost/mattermost-server/app"
"github.com/mattermost/mattermost-server/mlog"
"github.com/mattermost/mattermost-server/model"
"github.com/mattermost/mattermost-server/utils"
"github.com/mattermost/mattermost-server/web"
_ "github.com/nicksnyder/go-i18n/i18n"
)
......@@ -231,7 +229,7 @@ func Init(a *app.App, root *mux.Router, full bool) *API {
api.InitRole()
api.InitImage()
root.Handle("/api/v4/{anything:.*}", http.HandlerFunc(Handle404))
root.Handle("/api/v4/{anything:.*}", http.HandlerFunc(api.Handle404))
// REMOVE CONDITION WHEN APIv3 REMOVED
if full {
......@@ -241,14 +239,8 @@ func Init(a *app.App, root *mux.Router, full bool) *API {
return api
}
func Handle404(w http.ResponseWriter, r *http.Request) {
err := model.NewAppError("Handle404", "api.context.404.app_error", nil, "", http.StatusNotFound)
mlog.Debug(fmt.Sprintf("%v: code=404 ip=%v", r.URL.Path, utils.GetIpAddress(r)))
w.WriteHeader(err.StatusCode)
err.DetailedError = "There doesn't appear to be an api call for the url='" + r.URL.Path + "'."
w.Write([]byte(err.ToJson()))
func (api *API) Handle404(w http.ResponseWriter, r *http.Request) {
web.Handle404(api.App, w, r)
}
func ReturnStatusOK(w http.ResponseWriter) {
......
......@@ -9,6 +9,7 @@ import (
"github.com/mattermost/mattermost-server/app"
"github.com/mattermost/mattermost-server/model"
"github.com/mattermost/mattermost-server/web"
)
const (
......@@ -197,7 +198,7 @@ func searchEmojis(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
emojis, err := c.App.SearchEmoji(emojiSearch.Term, emojiSearch.PrefixOnly, PER_PAGE_MAXIMUM)
emojis, err := c.App.SearchEmoji(emojiSearch.Term, emojiSearch.PrefixOnly, web.PER_PAGE_MAXIMUM)
if err != nil {
c.Err = err
return
......
// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
package api4
import (
"net/http"
"github.com/mattermost/mattermost-server/web"
)
type Context = web.Context
func (api *API) ApiHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &web.Handler{
App: api.App,
HandleFunc: h,
RequireSession: false,
TrustRequester: false,
RequireMfa: false,
IsStatic: false,
}
}
func (api *API) ApiSessionRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &web.Handler{
App: api.App,
HandleFunc: h,
RequireSession: true,
TrustRequester: false,
RequireMfa: true,
IsStatic: false,
}
}
func (api *API) ApiSessionRequiredMfa(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &web.Handler{
App: api.App,
HandleFunc: h,
RequireSession: true,
TrustRequester: false,
RequireMfa: false,
IsStatic: false,
}
}
func (api *API) ApiHandlerTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &web.Handler{
App: api.App,
HandleFunc: h,
RequireSession: false,
TrustRequester: true,
RequireMfa: false,
IsStatic: false,
}
}
func (api *API) ApiSessionRequiredTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &web.Handler{
App: api.App,
HandleFunc: h,
RequireSession: true,
TrustRequester: true,
RequireMfa: true,
IsStatic: false,
}
}
......@@ -4,14 +4,8 @@
package api4
import (
"fmt"
"io"
"net/http"
"strings"
"github.com/gorilla/mux"
"github.com/gorilla/schema"
"github.com/mattermost/mattermost-server/mlog"
"github.com/mattermost/mattermost-server/model"
)
......@@ -28,12 +22,6 @@ func (api *API) InitWebhook() {
api.BaseRoutes.OutgoingHook.Handle("", api.ApiSessionRequired(updateOutgoingHook)).Methods("PUT")
api.BaseRoutes.OutgoingHook.Handle("", api.ApiSessionRequired(deleteOutgoingHook)).Methods("DELETE")
api.BaseRoutes.OutgoingHook.Handle("/regen_token", api.ApiSessionRequired(regenOutgoingHookToken)).Methods("POST")
api.BaseRoutes.Root.Handle("/hooks/commands/{id:[A-Za-z0-9]+}", api.ApiHandler(commandWebhook)).Methods("POST")
api.BaseRoutes.Root.Handle("/hooks/{id:[A-Za-z0-9]+}", api.ApiHandler(incomingWebhook)).Methods("POST")
// Old endpoint for backwards compatibility
api.BaseRoutes.Root.Handle("/api/v3/teams/{team_id:[A-Za-z0-9]+}/hooks/{id:[A-Za-z0-9]+}", api.ApiHandler(incomingWebhook)).Methods("POST")
}
func createIncomingHook(c *Context, w http.ResponseWriter, r *http.Request) {
......@@ -454,82 +442,3 @@ func deleteOutgoingHook(c *Context, w http.ResponseWriter, r *http.Request) {
c.LogAudit("success")
ReturnStatusOK(w)
}
func incomingWebhook(c *Context, w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
id := params["id"]
r.ParseForm()
var err *model.AppError
incomingWebhookPayload := &model.IncomingWebhookRequest{}
contentType := r.Header.Get("Content-Type")
if strings.Split(contentType, "; ")[0] == "application/x-www-form-urlencoded" {
payload := strings.NewReader(r.FormValue("payload"))
incomingWebhookPayload, err = decodePayload(payload)
if err != nil {
c.Err = err
return
}
} else if strings.HasPrefix(contentType, "multipart/form-data") {
r.ParseMultipartForm(0)
decoder := schema.NewDecoder()
err := decoder.Decode(incomingWebhookPayload, r.PostForm)
if err != nil {
c.Err = model.NewAppError("incomingWebhook", "api.webhook.incoming.error", nil, err.Error(), http.StatusBadRequest)
return
}
} else {
incomingWebhookPayload, err = decodePayload(r.Body)
if err != nil {
c.Err = err
return
}
}
if c.App.Config().LogSettings.EnableWebhookDebugging {
mlog.Debug(fmt.Sprint("Incoming webhook received. Content=", incomingWebhookPayload.ToJson()))
}
err = c.App.HandleIncomingWebhook(id, incomingWebhookPayload)
if err != nil {
c.Err = err
return
}
w.Header().Set("Content-Type", "text/plain")
w.Write([]byte("ok"))
}
func commandWebhook(c *Context, w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
id := params["id"]
response, err := model.CommandResponseFromHTTPBody(r.Header.Get("Content-Type"), r.Body)
if err != nil {
c.Err = model.NewAppError("commandWebhook", "web.command_webhook.parse.app_error", nil, err.Error(), http.StatusBadRequest)
return
}
appErr := c.App.HandleCommandWebhook(id, response)
if appErr != nil {
c.Err = appErr
return
}
w.Header().Set("Content-Type", "text/plain")
w.Write([]byte("ok"))
}
func decodePayload(payload io.Reader) (*model.IncomingWebhookRequest, *model.AppError) {
incomingWebhookPayload, decodeError := model.IncomingWebhookRequestFromJson(payload)
if decodeError != nil {
return nil, decodeError
}
return incomingWebhookPayload, nil
}
......@@ -4,8 +4,6 @@
package api4
import (
"bytes"
"net/http"
"testing"
"github.com/stretchr/testify/assert"
......@@ -892,46 +890,3 @@ func TestDeleteOutgoingHook(t *testing.T) {
CheckForbiddenStatus(t, resp)
})
}
func TestCommandWebhooks(t *testing.T) {
th := Setup().InitBasic().InitSystemAdmin()
defer th.TearDown()
Client := th.SystemAdminClient
cmd := &model.Command{
CreatorId: th.BasicUser.Id,
TeamId: th.BasicTeam.Id,
URL: "http://nowhere.com",
Method: model.COMMAND_METHOD_POST,
Trigger: "delayed"}
cmd, _ = Client.CreateCommand(cmd)
args := &model.CommandArgs{
TeamId: th.BasicTeam.Id,
UserId: th.BasicUser.Id,
ChannelId: th.BasicChannel.Id,
}
hook, err := th.App.CreateCommandWebhook(cmd.Id, args)
if err != nil {
t.Fatal(err)
}
if resp, _ := http.Post(Client.Url+"/hooks/commands/123123123123", "application/json", bytes.NewBufferString(`{"text":"this is a test"}`)); resp.StatusCode != http.StatusNotFound {
t.Fatal("expected not-found for non-existent hook")
}
if resp, err := http.Post(Client.Url+"/hooks/commands/"+hook.Id, "application/json", bytes.NewBufferString(`{"text":"invalid`)); err != nil || resp.StatusCode != http.StatusBadRequest {
t.Fatal(err)
}
for i := 0; i < 5; i++ {
if resp, err := http.Post(Client.Url+"/hooks/commands/"+hook.Id, "application/json", bytes.NewBufferString(`{"text":"this is a test"}`)); err != nil || resp.StatusCode != http.StatusOK {
t.Fatal(err)
}
}
if resp, _ := http.Post(Client.Url+"/hooks/commands/"+hook.Id, "application/json", bytes.NewBufferString(`{"text":"this is a test"}`)); resp.StatusCode != http.StatusBadRequest {
t.Fatal("expected error for sixth usage")
}
}
......@@ -107,7 +107,7 @@ func runServer(configFileLocation string, disableConfigWatch bool, interruptChan
api4.Init(a, a.Srv.Router, false)
api3 := api.Init(a, a.Srv.Router)
wsapi.Init(a, a.Srv.WebSocketRouter)
web.Init(api3)
web.NewWeb(a, a.Srv.Router)
license := a.License()
......
// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
package api4
package web
import (
"fmt"
"net/http"
"regexp"
"strings"
"time"
goi18n "github.com/nicksnyder/go-i18n/i18n"
......@@ -21,7 +20,7 @@ import (
type Context struct {
App *app.App
Session model.Session
Params *ApiParams
Params *Params
Err *model.AppError
T goi18n.TranslateFunc
RequestId string
......@@ -30,169 +29,6 @@ type Context struct {
siteURLHeader string
}
func (api *API) ApiHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &handler{
app: api.App,
handleFunc: h,
requireSession: false,
trustRequester: false,
requireMfa: false,
}
}
func (api *API) ApiSessionRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &handler{
app: api.App,
handleFunc: h,
requireSession: true,
trustRequester: false,
requireMfa: true,
}
}
func (api *API) ApiSessionRequiredMfa(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &handler{
app: api.App,
handleFunc: h,
requireSession: true,
trustRequester: false,
requireMfa: false,
}
}
func (api *API) ApiHandlerTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &handler{
app: api.App,
handleFunc: h,
requireSession: false,
trustRequester: true,
requireMfa: false,
}
}
func (api *API) ApiSessionRequiredTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &handler{
app: api.App,
handleFunc: h,
requireSession: true,
trustRequester: true,
requireMfa: true,
}
}
type handler struct {
app *app.App
handleFunc func(*Context, http.ResponseWriter, *http.Request)
requireSession bool
trustRequester bool
requireMfa bool
}
func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
now := time.Now()
mlog.Debug(fmt.Sprintf("%v - %v", r.Method, r.URL.Path))
c := &Context{}
c.App = h.app
c.T, _ = utils.GetTranslationsAndLocale(w, r)
c.RequestId = model.NewId()
c.IpAddress = utils.GetIpAddress(r)
c.Params = ApiParamsFromRequest(r)
token, tokenLocation := app.ParseAuthTokenFromRequest(r)
// CSRF Check
if tokenLocation == app.TokenLocationCookie && h.requireSession && !h.trustRequester {
if r.Header.Get(model.HEADER_REQUESTED_WITH) != model.HEADER_REQUESTED_WITH_XML {
c.Err = model.NewAppError("ServeHTTP", "api.context.session_expired.app_error", nil, "token="+token+" Appears to be a CSRF attempt", http.StatusUnauthorized)
token = ""
}
}
c.SetSiteURLHeader(app.GetProtocol(r) + "://" + r.Host)
w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId)
w.Header().Set(model.HEADER_VERSION_ID, fmt.Sprintf("%v.%v.%v.%v", model.CurrentVersion, model.BuildNumber, c.App.ClientConfigHash(), c.App.License() != nil))
w.Header().Set("Content-Type", "application/json")
if r.Method == "GET" {
w.Header().Set("Expires", "0")
}
if len(token) != 0 {
session, err := c.App.GetSession(token)
if err != nil {
mlog.Info(fmt.Sprintf("Invalid session err=%v", err.Error()))
if err.StatusCode == http.StatusInternalServerError {
c.Err = err
} else if h.requireSession {
c.RemoveSessionCookie(w, r)
c.Err = model.NewAppError("ServeHTTP", "api.context.session_expired.app_error", nil, "token="+token, http.StatusUnauthorized)
}
} else if !session.IsOAuth && tokenLocation == app.TokenLocationQueryString {
c.Err = model.NewAppError("ServeHTTP", "api.context.token_provided.app_error", nil, "token="+token, http.StatusUnauthorized)
} else {
c.Session = *session
}
// Rate limit by UserID
if c.App.Srv.RateLimiter != nil && c.App.Srv.RateLimiter.UserIdRateLimit(c.Session.UserId, w) {
return
}
}
c.Path = r.URL.Path
if c.Err == nil && h.requireSession {
c.SessionRequired()
}
if c.Err == nil && h.requireMfa {
c.MfaRequired()
}
if c.Err == nil {
h.handleFunc(c, w, r)
}
// Handle errors that have occurred
if c.Err != nil {
c.Err.Translate(c.T)
c.Err.RequestId = c.RequestId
if c.Err.Id == "api.context.session_expired.app_error" {
c.LogInfo(c.Err)
} else {
c.LogError(c.Err)
}
c.Err.Where = r.URL.Path
// Block out detailed error when not in developer mode
if !*c.App.Config().ServiceSettings.EnableDeveloper {
c.Err.DetailedError = ""
}
w.WriteHeader(c.Err.StatusCode)
w.Write([]byte(c.Err.ToJson()))
if c.App.Metrics != nil {
c.App.Metrics.IncrementHttpError()
}
}
if c.App.Metrics != nil {
c.App.Metrics.IncrementHttpRequest()
if r.URL.Path != model.API_URL_SUFFIX+"/websocket" {
elapsed := float64(time.Since(now)) / float64(time.Second)
c.App.Metrics.ObserveHttpRequestDuration(elapsed)
}
}
}
func (c *Context) LogAudit(extraInfo string) {
audit := &model.Audit{UserId: c.Session.UserId, IpAddress: c.IpAddress, Action: c.Path, ExtraInfo: extraInfo, SessionId: c.Session.Id}
if r := <-c.App.Srv.Store.Audit().Save(audit); r.Err != nil {
......
package api4
package web
import (
"net/http"
......@@ -8,7 +8,7 @@ import (
func TestRequireHookId(t *testing.T) {
c := &Context{}
t.Run("WhenHookIdIsValid", func(t *testing.T) {
c.Params = &ApiParams{HookId: "abcdefghijklmnopqrstuvwxyz"}
c.Params = &Params{HookId: "abcdefghijklmnopqrstuvwxyz"}
c.RequireHookId()
if c.Err != nil {
......@@ -17,7 +17,7 @@ func TestRequireHookId(t *testing.T) {
})
t.Run("WhenHookIdIsInvalid", func(t *testing.T) {
c.Params = &ApiParams{HookId: "abc"}
c.Params = &Params{HookId: "abc"}
c.RequireHookId()
if c.Err == nil {
......
// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
package web
import (
"fmt"
"net/http"
"time"
"github.com/mattermost/mattermost-server/app"
"github.com/mattermost/mattermost-server/mlog"
"github.com/mattermost/mattermost-server/model"
"github.com/mattermost/mattermost-server/utils"
)
func (w *Web) NewHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &Handler{
App: w.App,
HandleFunc: h,
RequireSession: false,
TrustRequester: false,
RequireMfa: false,
IsStatic: false,
}
}
func (w *Web) NewStaticHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
return &Handler{
App: w.App,
HandleFunc: h,
RequireSession: false,
TrustRequester: false,
RequireMfa: false,
IsStatic: true,
}
}
type Handler struct {
App *app.App
HandleFunc func(*Context, http.ResponseWriter, *http.Request)