1
0
mirror of https://github.com/mattermost/focalboard.git synced 2024-12-21 13:38:56 +02:00
focalboard/server/api/api.go

1340 lines
34 KiB
Go
Raw Normal View History

package api
2020-10-16 11:41:56 +02:00
import (
"encoding/json"
2021-03-26 20:01:54 +02:00
"errors"
2020-10-16 11:41:56 +02:00
"fmt"
"io/ioutil"
"net/http"
"path/filepath"
2020-11-12 20:16:59 +02:00
"strconv"
2020-10-16 11:41:56 +02:00
"strings"
2020-12-07 21:40:16 +02:00
"time"
2020-10-16 11:41:56 +02:00
"github.com/gorilla/mux"
2021-01-27 00:13:46 +02:00
"github.com/mattermost/focalboard/server/app"
"github.com/mattermost/focalboard/server/model"
"github.com/mattermost/focalboard/server/services/audit"
"github.com/mattermost/focalboard/server/services/mlog"
2021-03-26 20:01:54 +02:00
"github.com/mattermost/focalboard/server/services/store"
2021-01-27 00:13:46 +02:00
"github.com/mattermost/focalboard/server/utils"
2020-10-16 11:41:56 +02:00
)
const (
HeaderRequestedWith = "X-Requested-With"
HeaderRequestedWithXML = "XMLHttpRequest"
SingleUser = "single-user"
)
2021-03-26 20:01:54 +02:00
const (
ErrorNoWorkspaceCode = 1000
ErrorNoWorkspaceMessage = "No workspace"
2021-03-26 20:01:54 +02:00
)
2020-10-16 11:41:56 +02:00
// ----------------------------------------------------------------------------------------------------
// REST APIs
2020-10-16 16:21:42 +02:00
type API struct {
app *app.App
authService string
singleUserToken string
MattermostAuth bool
logger *mlog.Logger
audit *audit.Audit
2020-10-16 16:21:42 +02:00
}
func NewAPI(app *app.App, singleUserToken string, authService string, logger *mlog.Logger, audit *audit.Audit) *API {
2021-02-09 22:27:34 +02:00
return &API{
app: app,
2021-02-09 22:27:34 +02:00
singleUserToken: singleUserToken,
2021-03-26 20:01:54 +02:00
authService: authService,
logger: logger,
audit: audit,
2021-02-09 22:27:34 +02:00
}
2020-10-16 16:21:42 +02:00
}
2020-10-16 11:41:56 +02:00
func (a *API) RegisterRoutes(r *mux.Router) {
2021-02-05 20:28:52 +02:00
apiv1 := r.PathPrefix("/api/v1").Subrouter()
apiv1.Use(a.requireCSRFToken)
2020-12-07 21:40:16 +02:00
2021-03-26 20:01:54 +02:00
apiv1.HandleFunc("/workspaces/{workspaceID}/blocks", a.sessionRequired(a.handleGetBlocks)).Methods("GET")
apiv1.HandleFunc("/workspaces/{workspaceID}/blocks", a.sessionRequired(a.handlePostBlocks)).Methods("POST")
apiv1.HandleFunc("/workspaces/{workspaceID}/blocks/{blockID}", a.sessionRequired(a.handleDeleteBlock)).Methods("DELETE")
apiv1.HandleFunc("/workspaces/{workspaceID}/blocks/{blockID}/subtree", a.attachSession(a.handleGetSubTree, false)).Methods("GET")
apiv1.HandleFunc("/workspaces/{workspaceID}/blocks/export", a.sessionRequired(a.handleExport)).Methods("GET")
apiv1.HandleFunc("/workspaces/{workspaceID}/blocks/import", a.sessionRequired(a.handleImport)).Methods("POST")
apiv1.HandleFunc("/workspaces/{workspaceID}/sharing/{rootID}", a.sessionRequired(a.handlePostSharing)).Methods("POST")
apiv1.HandleFunc("/workspaces/{workspaceID}/sharing/{rootID}", a.sessionRequired(a.handleGetSharing)).Methods("GET")
apiv1.HandleFunc("/workspaces/{workspaceID}", a.sessionRequired(a.handleGetWorkspace)).Methods("GET")
apiv1.HandleFunc("/workspaces/{workspaceID}/regenerate_signup_token", a.sessionRequired(a.handlePostWorkspaceRegenerateSignupToken)).Methods("POST")
apiv1.HandleFunc("/workspaces/{workspaceID}/users", a.sessionRequired(a.getWorkspaceUsers)).Methods("GET")
2020-10-16 11:41:56 +02:00
2021-03-26 20:01:54 +02:00
// User APIs
2021-02-05 20:28:52 +02:00
apiv1.HandleFunc("/users/me", a.sessionRequired(a.handleGetMe)).Methods("GET")
apiv1.HandleFunc("/users/{userID}", a.sessionRequired(a.handleGetUser)).Methods("GET")
apiv1.HandleFunc("/users/{userID}/changepassword", a.sessionRequired(a.handleChangePassword)).Methods("POST")
2020-11-06 17:46:35 +02:00
2021-02-05 20:28:52 +02:00
apiv1.HandleFunc("/login", a.handleLogin).Methods("POST")
apiv1.HandleFunc("/register", a.handleRegister).Methods("POST")
2020-10-16 11:41:56 +02:00
apiv1.HandleFunc("/workspaces/{workspaceID}/{rootID}/files", a.sessionRequired(a.handleUploadFile)).Methods("POST")
2021-02-05 20:45:28 +02:00
// Get Files API
2021-02-05 20:28:52 +02:00
2021-02-05 21:22:56 +02:00
files := r.PathPrefix("/files").Subrouter()
files.HandleFunc("/workspaces/{workspaceID}/{rootID}/{filename}", a.attachSession(a.handleServeFile, false)).Methods("GET")
2020-10-16 11:41:56 +02:00
}
func (a *API) RegisterAdminRoutes(r *mux.Router) {
2021-01-23 00:14:12 +02:00
r.HandleFunc("/api/v1/admin/users/{username}/password", a.adminRequired(a.handleAdminSetPassword)).Methods("POST")
}
2021-02-05 20:28:52 +02:00
func (a *API) requireCSRFToken(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if !a.checkCSRFToken(r) {
a.logger.Error("checkCSRFToken FAILED")
a.errorResponse(w, http.StatusBadRequest, "", nil)
return
}
2021-02-05 20:28:52 +02:00
next.ServeHTTP(w, r)
})
}
func (a *API) checkCSRFToken(r *http.Request) bool {
token := r.Header.Get(HeaderRequestedWith)
return token == HeaderRequestedWithXML
}
func (a *API) hasValidReadTokenForBlock(r *http.Request, container store.Container, blockID string) bool {
query := r.URL.Query()
readToken := query.Get("read_token")
if len(readToken) < 1 {
return false
}
isValid, err := a.app.IsValidReadToken(container, blockID, readToken)
if err != nil {
a.logger.Error("IsValidReadToken ERROR", mlog.Err(err))
return false
}
return isValid
}
2021-03-29 19:41:27 +02:00
func (a *API) getContainerAllowingReadTokenForBlock(r *http.Request, blockID string) (*store.Container, error) {
ctx := r.Context()
session, _ := ctx.Value("session").(*model.Session)
if a.MattermostAuth {
// Workspace auth
vars := mux.Vars(r)
workspaceID := vars["workspaceID"]
2021-03-26 20:01:54 +02:00
container := store.Container{
WorkspaceID: workspaceID,
2021-03-26 20:01:54 +02:00
}
if workspaceID == "0" {
return &container, nil
}
// Has session and access to workspace
if session != nil && a.app.DoesUserHaveWorkspaceAccess(session.UserID, container.WorkspaceID) {
return &container, nil
}
// No session, but has valid read token (read-only mode)
if len(blockID) > 0 && a.hasValidReadTokenForBlock(r, container, blockID) {
return &container, nil
}
return nil, errors.New("access denied to workspace")
2021-03-26 20:01:54 +02:00
}
// Native auth: always use root workspace
2021-03-26 20:01:54 +02:00
container := store.Container{
WorkspaceID: "0",
2021-03-26 20:01:54 +02:00
}
// Has session
if session != nil {
return &container, nil
}
2021-03-29 19:41:27 +02:00
// No session, but has valid read token (read-only mode)
if len(blockID) > 0 && a.hasValidReadTokenForBlock(r, container, blockID) {
return &container, nil
2021-03-29 19:41:27 +02:00
}
return nil, errors.New("access denied to workspace")
2021-03-26 20:01:54 +02:00
}
2021-03-29 19:41:27 +02:00
func (a *API) getContainer(r *http.Request) (*store.Container, error) {
return a.getContainerAllowingReadTokenForBlock(r, "")
}
2020-10-16 11:41:56 +02:00
func (a *API) handleGetBlocks(w http.ResponseWriter, r *http.Request) {
2021-03-26 20:01:54 +02:00
// swagger:operation GET /api/v1/workspaces/{workspaceID}/blocks getBlocks
2021-02-17 21:29:20 +02:00
//
// Returns blocks
//
// ---
// produces:
// - application/json
// parameters:
2021-03-26 20:01:54 +02:00
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// - name: parent_id
// in: query
// description: ID of parent block, omit to specify all blocks
// required: false
// type: string
// - name: type
// in: query
// description: Type of blocks to return, omit to specify all types
// required: false
// type: string
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// schema:
// type: array
// items:
// "$ref": "#/definitions/Block"
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
2020-10-16 11:41:56 +02:00
query := r.URL.Query()
parentID := query.Get("parent_id")
blockType := query.Get("type")
2021-03-26 20:01:54 +02:00
container, err := a.getContainer(r)
if err != nil {
a.noContainerErrorResponse(w, err)
2021-03-26 20:01:54 +02:00
return
}
2020-10-16 11:41:56 +02:00
auditRec := a.makeAuditRecord(r, "getBlocks", audit.Fail)
defer a.audit.LogRecord(audit.LevelRead, auditRec)
auditRec.AddMeta("parentID", parentID)
auditRec.AddMeta("blockType", blockType)
blocks, err := a.app.GetBlocks(*container, parentID, blockType)
2020-10-16 16:21:42 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 16:21:42 +02:00
return
2020-10-16 11:41:56 +02:00
}
a.logger.Debug("GetBlocks",
mlog.String("parentID", parentID),
mlog.String("blockType", blockType),
mlog.Int("block_count", len(blocks)),
)
2020-10-16 11:41:56 +02:00
json, err := json.Marshal(blocks)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 11:41:56 +02:00
return
}
jsonBytesResponse(w, http.StatusOK, json)
auditRec.AddMeta("blockCount", len(blocks))
auditRec.Success()
2020-10-16 11:41:56 +02:00
}
func stampModificationMetadata(r *http.Request, blocks []model.Block, auditRec *audit.Record) {
2021-01-12 04:53:08 +02:00
ctx := r.Context()
session := ctx.Value("session").(*model.Session)
userID := session.UserID
if userID == SingleUser {
2021-01-12 04:53:08 +02:00
userID = ""
}
now := utils.GetMillis()
2021-01-12 04:53:08 +02:00
for i := range blocks {
blocks[i].ModifiedBy = userID
blocks[i].UpdateAt = now
if auditRec != nil {
auditRec.AddMeta("block_"+strconv.FormatInt(int64(i), 10), blocks[i])
}
2021-01-12 04:53:08 +02:00
}
}
2020-10-16 11:41:56 +02:00
func (a *API) handlePostBlocks(w http.ResponseWriter, r *http.Request) {
2021-03-26 20:01:54 +02:00
// swagger:operation POST /api/v1/workspaces/{workspaceID}/blocks updateBlocks
2021-02-17 21:29:20 +02:00
//
// Insert or update blocks
//
// ---
// produces:
// - application/json
// parameters:
2021-03-26 20:01:54 +02:00
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// - name: Body
// in: body
// description: array of blocks to insert or update
// required: true
// schema:
// type: array
// items:
// "$ref": "#/definitions/Block"
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
2021-03-26 20:01:54 +02:00
container, err := a.getContainer(r)
if err != nil {
a.noContainerErrorResponse(w, err)
2021-03-26 20:01:54 +02:00
return
}
2020-10-16 11:41:56 +02:00
requestBody, err := ioutil.ReadAll(r.Body)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 11:41:56 +02:00
return
}
var blocks []model.Block
err = json.Unmarshal(requestBody, &blocks)
2020-10-16 11:41:56 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 11:41:56 +02:00
return
}
for _, block := range blocks {
// Error checking
if len(block.Type) < 1 {
2021-02-17 21:29:20 +02:00
message := fmt.Sprintf("missing type for block id %s", block.ID)
a.errorResponse(w, http.StatusBadRequest, message, nil)
2020-10-16 11:41:56 +02:00
return
}
2020-10-16 11:41:56 +02:00
if block.CreateAt < 1 {
2021-02-17 21:29:20 +02:00
message := fmt.Sprintf("invalid createAt for block id %s", block.ID)
a.errorResponse(w, http.StatusBadRequest, message, nil)
2020-10-16 11:41:56 +02:00
return
}
2020-10-16 11:41:56 +02:00
if block.UpdateAt < 1 {
2021-02-17 21:29:20 +02:00
message := fmt.Sprintf("invalid UpdateAt for block id %s", block.ID)
a.errorResponse(w, http.StatusBadRequest, message, nil)
2020-10-16 11:41:56 +02:00
return
}
}
auditRec := a.makeAuditRecord(r, "postBlocks", audit.Fail)
defer a.audit.LogRecord(audit.LevelModify, auditRec)
stampModificationMetadata(r, blocks, auditRec)
2021-01-12 04:53:08 +02:00
ctx := r.Context()
session := ctx.Value("session").(*model.Session)
err = a.app.InsertBlocks(*container, blocks, session.UserID)
2020-10-16 16:21:42 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 16:21:42 +02:00
return
}
2020-10-16 11:41:56 +02:00
a.logger.Debug("POST Blocks", mlog.Int("block_count", len(blocks)))
2020-10-16 11:41:56 +02:00
jsonStringResponse(w, http.StatusOK, "{}")
auditRec.AddMeta("blockCount", len(blocks))
auditRec.Success()
2020-10-16 11:41:56 +02:00
}
2020-12-07 21:40:16 +02:00
func (a *API) handleGetUser(w http.ResponseWriter, r *http.Request) {
2021-02-17 21:29:20 +02:00
// swagger:operation GET /api/v1/users/{userID} getUser
//
// Returns a user
//
// ---
// produces:
// - application/json
// parameters:
// - name: userID
// in: path
// description: User ID
// required: true
// type: string
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// schema:
// "$ref": "#/definitions/User"
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
2020-12-07 21:40:16 +02:00
vars := mux.Vars(r)
userID := vars["userID"]
auditRec := a.makeAuditRecord(r, "postBlocks", audit.Fail)
defer a.audit.LogRecord(audit.LevelRead, auditRec)
auditRec.AddMeta("userID", userID)
user, err := a.app.GetUser(userID)
2020-12-07 21:40:16 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-12-07 21:40:16 +02:00
return
}
userData, err := json.Marshal(user)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-12-07 21:40:16 +02:00
return
}
2021-02-17 21:29:20 +02:00
jsonBytesResponse(w, http.StatusOK, userData)
auditRec.Success()
2020-12-07 21:40:16 +02:00
}
func (a *API) handleGetMe(w http.ResponseWriter, r *http.Request) {
2021-02-17 21:29:20 +02:00
// swagger:operation GET /api/v1/users/me getMe
//
// Returns the currently logged-in user
//
// ---
// produces:
// - application/json
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// schema:
// "$ref": "#/definitions/User"
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
2020-12-07 21:40:16 +02:00
ctx := r.Context()
session := ctx.Value("session").(*model.Session)
var user *model.User
var err error
auditRec := a.makeAuditRecord(r, "getMe", audit.Fail)
defer a.audit.LogRecord(audit.LevelRead, auditRec)
if session.UserID == SingleUser {
2020-12-07 21:40:16 +02:00
now := time.Now().Unix()
user = &model.User{
ID: SingleUser,
Username: SingleUser,
Email: SingleUser,
2020-12-07 21:40:16 +02:00
CreateAt: now,
UpdateAt: now,
}
} else {
user, err = a.app.GetUser(session.UserID)
2020-12-07 21:40:16 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-12-07 21:40:16 +02:00
return
}
}
userData, err := json.Marshal(user)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-12-07 21:40:16 +02:00
return
}
2021-02-17 21:29:20 +02:00
jsonBytesResponse(w, http.StatusOK, userData)
auditRec.AddMeta("userID", user.ID)
auditRec.Success()
2020-12-07 21:40:16 +02:00
}
2020-10-16 11:41:56 +02:00
func (a *API) handleDeleteBlock(w http.ResponseWriter, r *http.Request) {
2021-03-26 20:01:54 +02:00
// swagger:operation DELETE /api/v1/workspaces/{workspaceID}/blocks/{blockID} deleteBlock
2021-02-17 21:29:20 +02:00
//
// Deletes a block
//
// ---
// produces:
// - application/json
// parameters:
2021-03-26 20:01:54 +02:00
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// - name: blockID
// in: path
// description: ID of block to delete
// required: true
// type: string
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
2021-01-12 21:16:25 +02:00
ctx := r.Context()
session := ctx.Value("session").(*model.Session)
userID := session.UserID
2020-10-16 11:41:56 +02:00
vars := mux.Vars(r)
blockID := vars["blockID"]
2021-03-26 20:01:54 +02:00
container, err := a.getContainer(r)
if err != nil {
a.noContainerErrorResponse(w, err)
2021-03-26 20:01:54 +02:00
return
}
auditRec := a.makeAuditRecord(r, "deleteBlock", audit.Fail)
defer a.audit.LogRecord(audit.LevelModify, auditRec)
auditRec.AddMeta("blockID", blockID)
err = a.app.DeleteBlock(*container, blockID, userID)
2020-10-16 16:21:42 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 16:21:42 +02:00
return
2020-10-16 11:41:56 +02:00
}
a.logger.Debug("DELETE Block", mlog.String("blockID", blockID))
2020-10-16 11:41:56 +02:00
jsonStringResponse(w, http.StatusOK, "{}")
auditRec.Success()
2020-10-16 11:41:56 +02:00
}
func (a *API) handleGetSubTree(w http.ResponseWriter, r *http.Request) {
2021-03-26 20:01:54 +02:00
// swagger:operation GET /api/v1/workspaces/{workspaceID}/blocks/{blockID}/subtree getSubTree
2021-02-17 21:29:20 +02:00
//
// Returns the blocks of a subtree
//
// ---
// produces:
// - application/json
// parameters:
2021-03-26 20:01:54 +02:00
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// - name: blockID
// in: path
// description: The ID of the root block of the subtree
// required: true
// type: string
// - name: l
// in: query
// description: The number of levels to return. 2 or 3. Defaults to 2.
// required: false
// type: integer
// minimum: 2
// maximum: 3
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// schema:
// type: array
// items:
// "$ref": "#/definitions/Block"
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
2020-10-16 11:41:56 +02:00
vars := mux.Vars(r)
blockID := vars["blockID"]
2021-03-29 19:41:27 +02:00
container, err := a.getContainerAllowingReadTokenForBlock(r, blockID)
2021-03-26 20:01:54 +02:00
if err != nil {
a.noContainerErrorResponse(w, err)
2021-03-26 20:01:54 +02:00
return
}
2020-11-12 20:16:59 +02:00
query := r.URL.Query()
levels, err := strconv.ParseInt(query.Get("l"), 10, 32)
if err != nil {
levels = 2
}
if levels != 2 && levels != 3 {
a.logger.Error("Invalid levels", mlog.Int64("levels", levels))
a.errorResponse(w, http.StatusBadRequest, "invalid levels", nil)
2020-11-12 20:16:59 +02:00
return
}
auditRec := a.makeAuditRecord(r, "getSubTree", audit.Fail)
defer a.audit.LogRecord(audit.LevelRead, auditRec)
auditRec.AddMeta("blockID", blockID)
blocks, err := a.app.GetSubTree(*container, blockID, int(levels))
2020-10-16 16:21:42 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 16:21:42 +02:00
return
}
2020-10-16 11:41:56 +02:00
a.logger.Debug("GetSubTree",
mlog.Int64("levels", levels),
mlog.String("blockID", blockID),
mlog.Int("block_count", len(blocks)),
)
2020-10-16 11:41:56 +02:00
json, err := json.Marshal(blocks)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 11:41:56 +02:00
return
}
jsonBytesResponse(w, http.StatusOK, json)
auditRec.AddMeta("blockCount", len(blocks))
auditRec.Success()
2020-10-16 11:41:56 +02:00
}
func (a *API) handleExport(w http.ResponseWriter, r *http.Request) {
2021-03-26 20:01:54 +02:00
// swagger:operation GET /api/v1/workspaces/{workspaceID}/blocks/export exportBlocks
2021-02-17 21:29:20 +02:00
//
// Returns all blocks
//
// ---
// produces:
// - application/json
2021-03-26 20:01:54 +02:00
// parameters:
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// schema:
// type: array
// items:
// "$ref": "#/definitions/Block"
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
query := r.URL.Query()
rootID := query.Get("root_id")
2021-03-26 20:01:54 +02:00
container, err := a.getContainer(r)
if err != nil {
a.noContainerErrorResponse(w, err)
2021-03-26 20:01:54 +02:00
return
}
auditRec := a.makeAuditRecord(r, "export", audit.Fail)
defer a.audit.LogRecord(audit.LevelRead, auditRec)
auditRec.AddMeta("rootID", rootID)
var blocks []model.Block
if rootID == "" {
blocks, err = a.app.GetAllBlocks(*container)
} else {
blocks, err = a.app.GetBlocksWithRootID(*container, rootID)
2020-10-16 16:21:42 +02:00
}
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
return
}
2020-10-16 11:41:56 +02:00
a.logger.Debug("raw blocks", mlog.Int("block_count", len(blocks)))
auditRec.AddMeta("rawCount", len(blocks))
2020-12-10 22:39:09 +02:00
blocks = filterOrphanBlocks(blocks)
a.logger.Debug("EXPORT filtered blocks", mlog.Int("block_count", len(blocks)))
auditRec.AddMeta("filteredCount", len(blocks))
2020-10-16 11:41:56 +02:00
json, err := json.Marshal(blocks)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 11:41:56 +02:00
return
}
jsonBytesResponse(w, http.StatusOK, json)
auditRec.Success()
2020-10-16 11:41:56 +02:00
}
2020-12-10 22:39:09 +02:00
func filterOrphanBlocks(blocks []model.Block) (ret []model.Block) {
2020-12-14 21:24:38 +02:00
queue := make([]model.Block, 0)
2021-03-21 10:28:26 +02:00
childrenOfBlockWithID := make(map[string]*[]model.Block)
2020-12-14 21:24:38 +02:00
// Build the trees from nodes
2020-12-10 22:39:09 +02:00
for _, block := range blocks {
2020-12-14 21:24:38 +02:00
if len(block.ParentID) == 0 {
// Queue root blocks to process first
queue = append(queue, block)
} else {
siblings := childrenOfBlockWithID[block.ParentID]
if siblings != nil {
*siblings = append(*siblings, block)
} else {
siblings := []model.Block{block}
childrenOfBlockWithID[block.ParentID] = &siblings
}
2020-12-10 22:39:09 +02:00
}
}
2020-12-14 21:24:38 +02:00
// Map the trees to an array, which skips orphaned nodes
blocks = make([]model.Block, 0)
for len(queue) > 0 {
block := queue[0]
queue = queue[1:] // dequeue
blocks = append(blocks, block)
children := childrenOfBlockWithID[block.ID]
if children != nil {
queue = append(queue, (*children)...)
}
}
return blocks
2020-12-10 22:39:09 +02:00
}
2020-10-16 11:41:56 +02:00
func (a *API) handleImport(w http.ResponseWriter, r *http.Request) {
2021-03-26 20:01:54 +02:00
// swagger:operation POST /api/v1/workspaces/{workspaceID}/blocks/import importBlocks
2021-02-17 21:29:20 +02:00
//
// Import blocks
//
// ---
// produces:
// - application/json
// parameters:
2021-03-26 20:01:54 +02:00
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// - name: Body
// in: body
// description: array of blocks to import
// required: true
// schema:
// type: array
// items:
// "$ref": "#/definitions/Block"
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
2021-03-26 20:01:54 +02:00
container, err := a.getContainer(r)
if err != nil {
a.noContainerErrorResponse(w, err)
2021-03-26 20:01:54 +02:00
return
}
2020-10-16 11:41:56 +02:00
requestBody, err := ioutil.ReadAll(r.Body)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 11:41:56 +02:00
return
}
var blocks []model.Block
err = json.Unmarshal(requestBody, &blocks)
2020-10-16 11:41:56 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 11:41:56 +02:00
return
}
auditRec := a.makeAuditRecord(r, "import", audit.Fail)
defer a.audit.LogRecord(audit.LevelModify, auditRec)
stampModificationMetadata(r, blocks, auditRec)
2021-01-12 04:53:08 +02:00
ctx := r.Context()
session := ctx.Value("session").(*model.Session)
err = a.app.InsertBlocks(*container, blocks, session.UserID)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
return
2020-10-16 11:41:56 +02:00
}
jsonStringResponse(w, http.StatusOK, "{}")
a.logger.Debug("IMPORT Blocks", mlog.Int("block_count", len(blocks)))
auditRec.AddMeta("blockCount", len(blocks))
auditRec.Success()
2020-10-16 11:41:56 +02:00
}
2021-01-13 01:35:30 +02:00
// Sharing
func (a *API) handleGetSharing(w http.ResponseWriter, r *http.Request) {
2021-03-26 20:01:54 +02:00
// swagger:operation GET /api/v1/workspaces/{workspaceID}/sharing/{rootID} getSharing
2021-02-17 21:29:20 +02:00
//
// Returns sharing information for a root block
//
// ---
// produces:
// - application/json
// parameters:
2021-03-26 20:01:54 +02:00
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// - name: rootID
// in: path
// description: ID of the root block
// required: true
// type: string
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// schema:
// "$ref": "#/definitions/Sharing"
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
2021-01-13 01:35:30 +02:00
vars := mux.Vars(r)
rootID := vars["rootID"]
2021-03-26 20:01:54 +02:00
container, err := a.getContainer(r)
if err != nil {
a.noContainerErrorResponse(w, err)
2021-03-26 20:01:54 +02:00
return
}
auditRec := a.makeAuditRecord(r, "getSharing", audit.Fail)
defer a.audit.LogRecord(audit.LevelRead, auditRec)
auditRec.AddMeta("rootID", rootID)
sharing, err := a.app.GetSharing(*container, rootID)
2021-01-13 01:35:30 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2021-01-13 01:35:30 +02:00
return
}
sharingData, err := json.Marshal(sharing)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2021-01-13 01:35:30 +02:00
return
}
2021-02-17 21:29:20 +02:00
jsonBytesResponse(w, http.StatusOK, sharingData)
if sharing == nil {
sharing = &model.Sharing{}
}
a.logger.Debug("GET sharing",
mlog.String("rootID", rootID),
mlog.String("shareID", sharing.ID),
mlog.Bool("enabled", sharing.Enabled),
)
auditRec.AddMeta("shareID", sharing.ID)
auditRec.AddMeta("enabled", sharing.Enabled)
auditRec.Success()
2021-01-13 01:35:30 +02:00
}
func (a *API) handlePostSharing(w http.ResponseWriter, r *http.Request) {
2021-03-26 20:01:54 +02:00
// swagger:operation POST /api/v1/workspaces/{workspaceID}/sharing/{rootID} postSharing
2021-02-17 21:29:20 +02:00
//
// Sets sharing information for a root block
//
// ---
// produces:
// - application/json
// parameters:
2021-03-26 20:01:54 +02:00
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// - name: rootID
// in: path
// description: ID of the root block
// required: true
// type: string
// - name: Body
// in: body
// description: sharing information for a root block
// required: true
// schema:
// "$ref": "#/definitions/Sharing"
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
2021-03-26 20:01:54 +02:00
container, err := a.getContainer(r)
if err != nil {
a.noContainerErrorResponse(w, err)
2021-03-26 20:01:54 +02:00
return
}
2021-01-13 01:35:30 +02:00
requestBody, err := ioutil.ReadAll(r.Body)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2021-01-13 01:35:30 +02:00
return
}
var sharing model.Sharing
err = json.Unmarshal(requestBody, &sharing)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2021-01-13 01:35:30 +02:00
return
}
auditRec := a.makeAuditRecord(r, "postSharing", audit.Fail)
defer a.audit.LogRecord(audit.LevelModify, auditRec)
auditRec.AddMeta("shareID", sharing.ID)
auditRec.AddMeta("enabled", sharing.Enabled)
2021-01-13 01:35:30 +02:00
// Stamp ModifiedBy
ctx := r.Context()
session := ctx.Value("session").(*model.Session)
userID := session.UserID
if userID == SingleUser {
2021-01-13 01:35:30 +02:00
userID = ""
}
sharing.ModifiedBy = userID
err = a.app.UpsertSharing(*container, sharing)
2021-01-13 01:35:30 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2021-01-13 01:35:30 +02:00
return
}
jsonStringResponse(w, http.StatusOK, "{}")
a.logger.Debug("POST sharing", mlog.String("sharingID", sharing.ID))
auditRec.Success()
2021-01-13 01:35:30 +02:00
}
2021-01-14 02:56:01 +02:00
// Workspace
func (a *API) handleGetWorkspace(w http.ResponseWriter, r *http.Request) {
2021-03-26 20:01:54 +02:00
// swagger:operation GET /api/v1/workspaces/{workspaceID} getWorkspace
2021-02-17 21:29:20 +02:00
//
// Returns information of the root workspace
//
// ---
// produces:
// - application/json
2021-03-26 20:01:54 +02:00
// parameters:
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// schema:
// "$ref": "#/definitions/Workspace"
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
2021-03-26 20:01:54 +02:00
var workspace *model.Workspace
var err error
if a.MattermostAuth {
2021-03-26 20:01:54 +02:00
vars := mux.Vars(r)
workspaceID := vars["workspaceID"]
ctx := r.Context()
session := ctx.Value("session").(*model.Session)
if !a.app.DoesUserHaveWorkspaceAccess(session.UserID, workspaceID) {
a.errorResponse(w, http.StatusUnauthorized, "", nil)
2021-03-26 20:01:54 +02:00
return
}
2021-03-31 00:25:16 +02:00
workspace, err = a.app.GetWorkspace(workspaceID)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
}
2021-03-31 00:25:16 +02:00
if workspace == nil {
a.errorResponse(w, http.StatusUnauthorized, "", nil)
2021-03-31 00:25:16 +02:00
return
2021-03-26 20:01:54 +02:00
}
} else {
workspace, err = a.app.GetRootWorkspace()
2021-03-26 20:01:54 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2021-03-26 20:01:54 +02:00
return
}
2021-01-14 02:56:01 +02:00
}
auditRec := a.makeAuditRecord(r, "getWorkspace", audit.Fail)
defer a.audit.LogRecord(audit.LevelRead, auditRec)
auditRec.AddMeta("resultWorkspaceID", workspace.ID)
2021-01-14 02:56:01 +02:00
workspaceData, err := json.Marshal(workspace)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2021-01-14 02:56:01 +02:00
return
}
2021-02-17 21:29:20 +02:00
jsonBytesResponse(w, http.StatusOK, workspaceData)
auditRec.Success()
2021-01-14 02:56:01 +02:00
}
func (a *API) handlePostWorkspaceRegenerateSignupToken(w http.ResponseWriter, r *http.Request) {
2021-03-26 20:01:54 +02:00
// swagger:operation POST /api/v1/workspaces/{workspaceID}/regenerate_signup_token regenerateSignupToken
2021-02-17 21:29:20 +02:00
//
// Regenerates the signup token for the root workspace
//
// ---
// produces:
// - application/json
2021-03-26 20:01:54 +02:00
// parameters:
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
workspace, err := a.app.GetRootWorkspace()
2021-01-14 02:56:01 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2021-01-14 02:56:01 +02:00
return
}
auditRec := a.makeAuditRecord(r, "regenerateSignupToken", audit.Fail)
defer a.audit.LogRecord(audit.LevelModify, auditRec)
2021-01-14 02:56:01 +02:00
workspace.SignupToken = utils.CreateGUID()
err = a.app.UpsertWorkspaceSignupToken(*workspace)
2021-01-14 02:56:01 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2021-01-14 02:56:01 +02:00
return
}
jsonStringResponse(w, http.StatusOK, "{}")
auditRec.Success()
2021-01-14 02:56:01 +02:00
}
2020-10-16 11:41:56 +02:00
// File upload
func (a *API) handleServeFile(w http.ResponseWriter, r *http.Request) {
// swagger:operation GET /workspaces/{workspaceID}/{rootID}/{fileID} getFile
2021-02-17 21:29:20 +02:00
//
// Returns the contents of an uploaded file
//
// ---
// produces:
// - application/json
// - image/jpg
// - image/png
// parameters:
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
// - name: rootID
// in: path
// description: ID of the root block
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// - name: fileID
// in: path
// description: ID of the file
// required: true
// type: string
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
2020-10-16 11:41:56 +02:00
vars := mux.Vars(r)
workspaceID := vars["workspaceID"]
rootID := vars["rootID"]
2020-10-16 11:41:56 +02:00
filename := vars["filename"]
// Caller must have access to the root block's container
_, err := a.getContainerAllowingReadTokenForBlock(r, rootID)
if err != nil {
a.noContainerErrorResponse(w, err)
return
}
auditRec := a.makeAuditRecord(r, "getFile", audit.Fail)
defer a.audit.LogRecord(audit.LevelRead, auditRec)
auditRec.AddMeta("rootID", rootID)
auditRec.AddMeta("filename", filename)
2020-10-16 11:41:56 +02:00
contentType := "image/jpg"
2020-10-16 11:41:56 +02:00
fileExtension := strings.ToLower(filepath.Ext(filename))
if fileExtension == "png" {
contentType = "image/png"
}
w.Header().Set("Content-Type", contentType)
fileReader, err := a.app.GetFileReader(workspaceID, rootID, filename)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
return
}
defer fileReader.Close()
http.ServeContent(w, r, filename, time.Now(), fileReader)
auditRec.Success()
2020-10-16 11:41:56 +02:00
}
2021-02-17 21:29:20 +02:00
// FileUploadResponse is the response to a file upload
// swagger:model
type FileUploadResponse struct {
// The FileID to retrieve the uploaded file
2021-02-17 21:29:20 +02:00
// required: true
FileID string `json:"fileId"`
2021-02-17 21:29:20 +02:00
}
2020-10-16 11:41:56 +02:00
func (a *API) handleUploadFile(w http.ResponseWriter, r *http.Request) {
// swagger:operation POST /api/v1/workspaces/{workspaceID}/{rootID}/files uploadFile
2021-02-17 21:29:20 +02:00
//
// Upload a binary file, attached to a root block
2021-02-17 21:29:20 +02:00
//
// ---
// consumes:
// - multipart/form-data
// produces:
// - application/json
// parameters:
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
// - name: rootID
// in: path
// description: ID of the root block
// required: true
// type: string
2021-02-17 21:29:20 +02:00
// - name: uploaded file
// in: formData
// type: file
// description: The file to upload
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// schema:
// "$ref": "#/definitions/FileUploadResponse"
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
vars := mux.Vars(r)
workspaceID := vars["workspaceID"]
rootID := vars["rootID"]
// Caller must have access to the root block's container
_, err := a.getContainerAllowingReadTokenForBlock(r, rootID)
if err != nil {
a.noContainerErrorResponse(w, err)
return
}
2020-10-16 11:41:56 +02:00
file, handle, err := r.FormFile("file")
if err != nil {
fmt.Fprintf(w, "%v", err)
2020-10-16 11:41:56 +02:00
return
}
defer file.Close()
auditRec := a.makeAuditRecord(r, "uploadFile", audit.Fail)
defer a.audit.LogRecord(audit.LevelModify, auditRec)
auditRec.AddMeta("rootID", rootID)
auditRec.AddMeta("filename", handle.Filename)
fileID, err := a.app.SaveFile(file, workspaceID, rootID, handle.Filename)
2020-10-16 11:41:56 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2021-02-17 21:29:20 +02:00
return
}
a.logger.Debug("uploadFile",
mlog.String("filename", handle.Filename),
mlog.String("fileID", fileID),
)
data, err := json.Marshal(FileUploadResponse{FileID: fileID})
2021-02-17 21:29:20 +02:00
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
2020-10-16 11:41:56 +02:00
return
}
2021-02-17 21:29:20 +02:00
jsonBytesResponse(w, http.StatusOK, data)
auditRec.AddMeta("fileID", fileID)
auditRec.Success()
2020-10-16 11:41:56 +02:00
}
func (a *API) getWorkspaceUsers(w http.ResponseWriter, r *http.Request) {
// swagger:operation GET /api/v1/workspaces/{workspaceID}/users getWorkspaceUsers
//
// Returns workspace users
//
// ---
// produces:
// - application/json
// parameters:
// - name: workspaceID
// in: path
// description: Workspace ID
// required: true
// type: string
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// schema:
// type: array
// items:
// "$ref": "#/definitions/User"
// default:
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
vars := mux.Vars(r)
workspaceID := vars["workspaceID"]
ctx := r.Context()
session := ctx.Value("session").(*model.Session)
if !a.app.DoesUserHaveWorkspaceAccess(session.UserID, workspaceID) {
a.errorResponse(w, http.StatusForbidden, "Access denied to workspace", errors.New("access denied to workspace"))
return
}
auditRec := a.makeAuditRecord(r, "getUsers", audit.Fail)
defer a.audit.LogRecord(audit.LevelRead, auditRec)
users, err := a.app.GetWorkspaceUsers(workspaceID)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
return
}
data, err := json.Marshal(users)
if err != nil {
a.errorResponse(w, http.StatusInternalServerError, "", err)
return
}
jsonBytesResponse(w, http.StatusOK, data)
auditRec.AddMeta("userCount", len(users))
auditRec.Success()
}
2020-10-16 11:41:56 +02:00
// Response helpers
func (a *API) errorResponse(w http.ResponseWriter, code int, message string, sourceError error) {
a.logger.Error("API ERROR",
mlog.Int("code", code),
mlog.Err(sourceError),
)
2020-11-17 16:43:56 +02:00
w.Header().Set("Content-Type", "application/json")
2021-03-26 20:01:54 +02:00
data, err := json.Marshal(model.ErrorResponse{Error: message, ErrorCode: code})
if err != nil {
data = []byte("{}")
}
2020-10-16 11:41:56 +02:00
w.WriteHeader(code)
_, _ = w.Write(data)
2020-10-16 11:41:56 +02:00
}
2020-10-16 16:21:42 +02:00
func (a *API) errorResponseWithCode(w http.ResponseWriter, statusCode int, errorCode int, message string, sourceError error) {
a.logger.Error("API ERROR",
mlog.Int("status", statusCode),
mlog.Int("code", errorCode),
mlog.Err(sourceError),
)
2021-03-26 20:01:54 +02:00
w.Header().Set("Content-Type", "application/json")
data, err := json.Marshal(model.ErrorResponse{Error: message, ErrorCode: errorCode})
if err != nil {
data = []byte("{}")
}
w.WriteHeader(statusCode)
_, _ = w.Write(data)
2021-03-26 20:01:54 +02:00
}
func (a *API) noContainerErrorResponse(w http.ResponseWriter, sourceError error) {
a.errorResponseWithCode(w, http.StatusBadRequest, ErrorNoWorkspaceCode, ErrorNoWorkspaceMessage, sourceError)
}
func jsonStringResponse(w http.ResponseWriter, code int, message string) { //nolint:unparam
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(code)
fmt.Fprint(w, message)
}
func jsonBytesResponse(w http.ResponseWriter, code int, json []byte) { //nolint:unparam
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(code)
_, _ = w.Write(json)
2020-10-16 16:21:42 +02:00
}