Merge branch 'zj-mattermost-session' into 'master'

Mattermost session

This branch is based of tag v8.14.4 so I could test on an instance better.

But stuck on the tests, as setting up the whole doorkeeper stuff doesn't seem to be supported for testing.

See merge request !8033

config/gitlab.yml.example

@@ -153,6 +153,12 @@ production: &base
     # The location where LFS objects are stored (default: shared/lfs-objects).
     # storage_path: shared/lfs-objects
 
+  ## Mattermost
+  ## For enabling Add to Mattermost button
+  mattermost:
+    enabled: false
+    host: 'https://mattermost.example.com'
+
   ## Gravatar
   ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
   gravatar:

config/initializers/1_settings.rb

@@ -261,6 +261,13 @@ Settings['lfs'] ||= Settingslogic.new({})
 Settings.lfs['enabled']      = true if Settings.lfs['enabled'].nil?
 Settings.lfs['storage_path'] = File.expand_path(Settings.lfs['storage_path'] || File.join(Settings.shared['path'], "lfs-objects"), Rails.root)
 
+#
+# Mattermost
+#
+Settings['mattermost'] ||= Settingslogic.new({})
+Settings.mattermost['enabled'] = false if Settings.mattermost['enabled'].nil?
+Settings.mattermost['host'] = nil unless Settings.mattermost.enabled
+
 #
 # Gravatar
 #

lib/mattermost/session.rb

+module Mattermost
+  class NoSessionError < StandardError; end
+  # This class' prime objective is to obtain a session token on a Mattermost
+  # instance with SSO configured where this GitLab instance is the provider.
+  #
+  # The process depends on OAuth, but skips a step in the authentication cycle.
+  # For example, usually a user would click the 'login in GitLab' button on
+  # Mattermost, which would yield a 302 status code and redirects you to GitLab
+  # to approve the use of your account on Mattermost. Which would trigger a
+  # callback so Mattermost knows this request is approved and gets the required
+  # data to create the user account etc.
+  #
+  # This class however skips the button click, and also the approval phase to
+  # speed up the process and keep it without manual action and get a session
+  # going.
+  class Session
+    include Doorkeeper::Helpers::Controller
+    include HTTParty
+
+    base_uri Settings.mattermost.host
+
+    attr_accessor :current_resource_owner, :token
+
+    def initialize(current_user)
+      @current_resource_owner = current_user
+    end
+
+    def with_session
+      raise NoSessionError unless create
+
+      begin
+        yield self
+      ensure
+        destroy
+      end
+    end
+
+    # Next methods are needed for Doorkeeper
+    def pre_auth
+      @pre_auth ||= Doorkeeper::OAuth::PreAuthorization.new(
+        Doorkeeper.configuration, server.client_via_uid, params)
+    end
+
+    def authorization
+      @authorization ||= strategy.request
+    end
+
+    def strategy
+      @strategy ||= server.authorization_request(pre_auth.response_type)
+    end
+
+    def request
+      @request ||= OpenStruct.new(parameters: params)
+    end
+
+    def params
+      Rack::Utils.parse_query(oauth_uri.query).symbolize_keys
+    end
+
+    def get(path, options = {})
+      self.class.get(path, options.merge(headers: @headers))
+    end
+
+    def post(path, options = {})
+      self.class.post(path, options.merge(headers: @headers))
+    end
+
+    private
+
+    def create
+      return unless oauth_uri
+      return unless token_uri
+
+      @token = request_token
+      @headers = {
+        Authorization: "Bearer #{@token}"
+      }
+
+      @token
+    end
+
+    def destroy
+      post('/api/v3/users/logout')
+    end
+
+    def oauth_uri
+      return @oauth_uri if defined?(@oauth_uri)
+
+      @oauth_uri = nil
+
+      response = get("/api/v3/oauth/gitlab/login", follow_redirects: false)
+      return unless 300 <= response.code && response.code < 400
+
+      redirect_uri = response.headers['location']
+      return unless redirect_uri
+
+      @oauth_uri = URI.parse(redirect_uri)
+    end
+
+    def token_uri
+      @token_uri ||=
+        if oauth_uri
+          authorization.authorize.redirect_uri if pre_auth.authorizable?
+        end
+    end
+
+    def request_token
+      response = get(token_uri, follow_redirects: false)
+
+      if 200 <= response.code && response.code < 400
+        response.headers['token']
+      end
+    end
+  end
+end

spec/lib/mattermost/session_spec.rb

+require 'spec_helper'
+
+describe Mattermost::Session, type: :request do
+  let(:user) { create(:user) }
+
+  let(:gitlab_url) { "http://gitlab.com" }
+  let(:mattermost_url) { "http://mattermost.com" }
+
+  subject { described_class.new(user) }
+
+  # Needed for doorkeeper to function
+  it { is_expected.to respond_to(:current_resource_owner) }
+  it { is_expected.to respond_to(:request) }
+  it { is_expected.to respond_to(:authorization) }
+  it { is_expected.to respond_to(:strategy) }
+
+  before do
+    described_class.base_uri(mattermost_url)
+  end
+
+  describe '#with session' do
+    let(:location) { 'http://location.tld' }
+    let!(:stub) do
+      WebMock.stub_request(:get, "#{mattermost_url}/api/v3/oauth/gitlab/login").
+        to_return(headers: { 'location' => location }, status: 307)
+    end
+
+    context 'without oauth uri' do
+      it 'makes a request to the oauth uri' do
+        expect { subject.with_session }.to raise_error(Mattermost::NoSessionError)
+      end
+    end
+
+    context 'with oauth_uri' do
+      let!(:doorkeeper) do
+        Doorkeeper::Application.create(
+          name: "GitLab Mattermost",
+          redirect_uri: "#{mattermost_url}/signup/gitlab/complete\n#{mattermost_url}/login/gitlab/complete",
+          scopes: "")
+      end
+
+      context 'without token_uri' do
+        it 'can not create a session' do
+          expect do
+            subject.with_session
+          end.to raise_error(Mattermost::NoSessionError)
+        end
+      end
+
+      context 'with token_uri' do
+        let(:state) { "state" }
+        let(:params) do
+          { response_type: "code",
+            client_id: doorkeeper.uid,
+            redirect_uri: "#{mattermost_url}/signup/gitlab/complete",
+            state: state }
+        end
+        let(:location) do
+          "#{gitlab_url}/oauth/authorize?#{URI.encode_www_form(params)}"
+        end
+
+        before do
+          WebMock.stub_request(:get, "#{mattermost_url}/signup/gitlab/complete").
+            with(query: hash_including({ 'state' => state })).
+            to_return do |request|
+              post "/oauth/token",
+                client_id: doorkeeper.uid,
+                client_secret: doorkeeper.secret,
+                redirect_uri: params[:redirect_uri],
+                grant_type: 'authorization_code',
+                code: request.uri.query_values['code']
+
+              if response.status == 200
+                { headers: { 'token' => 'thisworksnow' }, status: 202 }
+              end
+            end
+
+          WebMock.stub_request(:post, "#{mattermost_url}/api/v3/users/logout").
+            to_return(headers: { Authorization: 'token thisworksnow' }, status: 200)
+        end
+
+        it 'can setup a session' do
+          subject.with_session do |session|
+          end
+
+          expect(subject.token).not_to be_nil
+        end
+
+        it 'returns the value of the block' do
+          result = subject.with_session do |session|
+            "value"
+          end
+
+          expect(result).to eq("value")
+        end
+      end
+    end
+  end
+end