fleet/server/service/service_invites.go

package service

import (
	"context"
	"encoding/base64"
	"github.com/fleetdm/fleet/v4/server"
	"html/template"

	"github.com/fleetdm/fleet/v4/server/contexts/viewer"
	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/fleetdm/fleet/v4/server/mail"
	"github.com/pkg/errors"
)

func (svc Service) InviteNewUser(ctx context.Context, payload fleet.InvitePayload) (*fleet.Invite, error) {
	if err := svc.authz.Authorize(ctx, &fleet.Invite{}, fleet.ActionWrite); err != nil {
		return nil, err
	}

	// verify that the user with the given email does not already exist
	_, err := svc.ds.UserByEmail(*payload.Email)
	if err == nil {
		return nil, fleet.NewInvalidArgumentError("email", "a user with this account already exists")
	}
	if _, ok := err.(fleet.NotFoundError); !ok {
		return nil, err
	}

	// find the user who created the invite
	v, ok := viewer.FromContext(ctx)
	if !ok {
		return nil, errors.New("missing viewer context for create invite")
	}
	inviter := v.User

	random, err := server.GenerateRandomText(svc.config.App.TokenKeySize)
	if err != nil {
		return nil, err
	}
	token := base64.URLEncoding.EncodeToString([]byte(random))

	invite := &fleet.Invite{
		Email:      *payload.Email,
		InvitedBy:  inviter.ID,
		Token:      token,
		GlobalRole: payload.GlobalRole,
		Teams:      payload.Teams,
	}
	if payload.Position != nil {
		invite.Position = *payload.Position
	}
	if payload.Name != nil {
		invite.Name = *payload.Name
	}
	if payload.SSOEnabled != nil {
		invite.SSOEnabled = *payload.SSOEnabled
	}

	invite, err = svc.ds.NewInvite(invite)
	if err != nil {
		return nil, err
	}

	config, err := svc.AppConfig(ctx)
	if err != nil {
		return nil, err
	}

	invitedBy := inviter.Name
	if invitedBy == "" {
		invitedBy = inviter.Email
	}
	inviteEmail := fleet.Email{
		Subject: "You are Invited to Fleet",
		To:      []string{invite.Email},
		Config:  config,
		Mailer: &mail.InviteMailer{
			Invite:    invite,
			BaseURL:   template.URL(config.ServerURL + svc.config.Server.URLPrefix),
			AssetURL:  getAssetURL(),
			OrgName:   config.OrgName,
			InvitedBy: invitedBy,
		},
	}

	err = svc.mailService.SendEmail(inviteEmail)
	if err != nil {
		return nil, err
	}
	return invite, nil
}

func (svc *Service) ListInvites(ctx context.Context, opt fleet.ListOptions) ([]*fleet.Invite, error) {
	if err := svc.authz.Authorize(ctx, &fleet.Invite{}, fleet.ActionRead); err != nil {
		return nil, err
	}
	return svc.ds.ListInvites(opt)
}

func (svc *Service) VerifyInvite(ctx context.Context, token string) (*fleet.Invite, error) {
	// skipauth: There is no viewer context at this point. We rely on verifying
	// the invite for authNZ.
	svc.authz.SkipAuthorization(ctx)

	invite, err := svc.ds.InviteByToken(token)
	if err != nil {
		return nil, err
	}

	if invite.Token != token {
		return nil, fleet.NewInvalidArgumentError("invite_token", "Invite Token does not match Email Address.")
	}

	expiresAt := invite.CreatedAt.Add(svc.config.App.InviteTokenValidityPeriod)
	if svc.clock.Now().After(expiresAt) {
		return nil, fleet.NewInvalidArgumentError("invite_token", "Invite token has expired.")
	}

	return invite, nil

}

func (svc *Service) DeleteInvite(ctx context.Context, id uint) error {
	if err := svc.authz.Authorize(ctx, &fleet.Invite{}, fleet.ActionWrite); err != nil {
		return err
	}
	return svc.ds.DeleteInvite(id)
}
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`package service`

			`import (`
Update go-kit to 0.4.0 (#1411) Notable refactoring: - Use stdlib "context" in place of "golang.org/x/net/context" - Go-kit no longer wraps errors, so we remove the unwrap in transport_error.go - Use MakeHandler when setting up endpoint tests (fixes test bug caught during this refactoring) Closes #1411. 2017-03-15 15:55:30 +00:00			`"context"`
use random string instead of JWT for tokens. (#584) uses a random URL encoded base64 string as the token for password reset and invites. 2016-12-07 15:42:58 +00:00			`"encoding/base64"`
Issue 1278 select leader (#1367) * Add leader selection * remove comment * Address review comments * Add changes file * Simplify implementation * Simplify further * Whoops, removed a little too much 2021-07-19 18:08:41 +00:00			`"github.com/fleetdm/fleet/v4/server"`
Add invite email template and use the new invite mailer pattern (#711) Closes #693 Closes #581 2016-12-28 16:55:03 +00:00			`"html/template"`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00
Add v4 suffix in go.mod (#1224) 2021-06-26 04:46:51 +00:00			`"github.com/fleetdm/fleet/v4/server/contexts/viewer"`
			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`"github.com/fleetdm/fleet/v4/server/mail"`
Remove invited_by from invite parameters (#591) Instead, use the value extracted from the viewer context. 2021-04-05 20:28:43 +00:00			`"github.com/pkg/errors"`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`)`

Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`func (svc Service) InviteNewUser(ctx context.Context, payload fleet.InvitePayload) (*fleet.Invite, error) {`
			`if err := svc.authz.Authorize(ctx, &fleet.Invite{}, fleet.ActionWrite); err != nil {`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`return nil, err`
			`}`

Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`// verify that the user with the given email does not already exist`
			`_, err := svc.ds.UserByEmail(*payload.Email)`
			`if err == nil {`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`return nil, fleet.NewInvalidArgumentError("email", "a user with this account already exists")`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`}`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`if _, ok := err.(fleet.NotFoundError); !ok {`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`return nil, err`
			`}`

			`// find the user who created the invite`
Remove invited_by from invite parameters (#591) Instead, use the value extracted from the viewer context. 2021-04-05 20:28:43 +00:00			`v, ok := viewer.FromContext(ctx)`
			`if !ok {`
			`return nil, errors.New("missing viewer context for create invite")`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`}`
Remove invited_by from invite parameters (#591) Instead, use the value extracted from the viewer context. 2021-04-05 20:28:43 +00:00			`inviter := v.User`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00
Issue 1278 select leader (#1367) * Add leader selection * remove comment * Address review comments * Add changes file * Simplify implementation * Simplify further * Whoops, removed a little too much 2021-07-19 18:08:41 +00:00			`random, err := server.GenerateRandomText(svc.config.App.TokenKeySize)`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`if err != nil {`
			`return nil, err`
			`}`
use random string instead of JWT for tokens. (#584) uses a random URL encoded base64 string as the token for password reset and invites. 2016-12-07 15:42:58 +00:00			`token := base64.URLEncoding.EncodeToString([]byte(random))`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`invite := &fleet.Invite{`
Migrate old admin field to new global role (#609) - Migrate old admins to global admins - Migrate old non-admins to global maintainers - Remove old admin column - Give initial user global admin privilege - Comment out some tests (to be refactored for new permissions model later) 2021-04-07 01:27:10 +00:00			`Email: *payload.Email,`
			`InvitedBy: inviter.ID,`
			`Token: token,`
			`GlobalRole: payload.GlobalRole,`
Fix saving of teams in invitations (#632) 2021-04-12 16:51:05 +00:00			`Teams: payload.Teams,`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`}`
			`if payload.Position != nil {`
			`invite.Position = *payload.Position`
			`}`
			`if payload.Name != nil {`
			`invite.Name = *payload.Name`
			`}`
Add SSO support to new user activation (#1504) Closes #1502. This PR adds support for SSO to the new user creation process. An admin now has the option to select SSO when creating a new user. When the confirmation form is submitted, the user is automatically authenticated with the IDP, and if successful, is redirected to the Kolide home page. Password authentication, password change and password reset are not allowed for an SSO user. 2017-05-10 16:26:05 +00:00			`if payload.SSOEnabled != nil {`
			`invite.SSOEnabled = *payload.SSOEnabled`
			`}`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00
			`invite, err = svc.ds.NewInvite(invite)`
			`if err != nil {`
			`return nil, err`
			`}`

App Settings - /admin/settings #363 (#590) 2016-12-20 21:54:30 +00:00			`config, err := svc.AppConfig(ctx)`
			`if err != nil {`
			`return nil, err`
			`}`

fallback to username if Name field is not set (#996) * fallback to username if Name field is not set * add orgname field to invite emails 2017-01-17 21:37:00 +00:00			`invitedBy := inviter.Name`
			`if invitedBy == "" {`
Remove username from UI (#1168) * Remove username from UI code * Remove username from tests * Remove username from database * Modify server endpoints for removing username * Implement backend aspects of removing username * Update API docs * Add name to fleetctl 2021-06-24 20:42:29 +00:00			`invitedBy = inviter.Email`
fallback to username if Name field is not set (#996) * fallback to username if Name field is not set * add orgname field to invite emails 2017-01-17 21:37:00 +00:00			`}`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`inviteEmail := fleet.Email{`
Update email contents and subjects (#2023) - Refer to "Kolide" as "Fleet" - Fix link to documentation - Remove suggestion to email support@kolide.co 2019-04-04 22:56:15 +00:00			`Subject: "You are Invited to Fleet",`
App Settings - /admin/settings #363 (#590) 2016-12-20 21:54:30 +00:00			`To: []string{invite.Email},`
			`Config: config,`
Allow import of github.com/kolide/fleet (#2213) Previously a Go package attempting to import Fleet packages would run into an error like "server/kolide/emails.go:93:23: undefined: Asset". This commit refactors bindata asset handling to allow importing Fleet as a library without changing the typical developer experience. 2020-03-30 02:22:04 +00:00			`Mailer: &mail.InviteMailer{`
Remove username from UI (#1168) * Remove username from UI code * Remove username from tests * Remove username from database * Modify server endpoints for removing username * Implement backend aspects of removing username * Update API docs * Add name to fleetctl 2021-06-24 20:42:29 +00:00			`Invite: invite,`
			`BaseURL: template.URL(config.ServerURL + svc.config.Server.URLPrefix),`
			`AssetURL: getAssetURL(),`
			`OrgName: config.OrgName,`
			`InvitedBy: invitedBy,`
Add invite email template and use the new invite mailer pattern (#711) Closes #693 Closes #581 2016-12-28 16:55:03 +00:00			`},`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`}`
App Settings - /admin/settings #363 (#590) 2016-12-20 21:54:30 +00:00
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`err = svc.mailService.SendEmail(inviteEmail)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return invite, nil`
			`}`

Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`func (svc Service) ListInvites(ctx context.Context, opt fleet.ListOptions) ([]fleet.Invite, error) {`
			`if err := svc.authz.Authorize(ctx, &fleet.Invite{}, fleet.ActionRead); err != nil {`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`return nil, err`
			`}`
Apply consistent naming conventions across server files (#310) 2016-10-14 15:59:27 +00:00			`return svc.ds.ListInvites(opt)`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`}`

Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`func (svc Service) VerifyInvite(ctx context.Context, token string) (fleet.Invite, error) {`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`// skipauth: There is no viewer context at this point. We rely on verifying`
			`// the invite for authNZ.`
			`svc.authz.SkipAuthorization(ctx)`

Add endpoint to retrieve an invite with the invite token. (#719) Closes #579 2016-12-30 01:58:12 +00:00			`invite, err := svc.ds.InviteByToken(token)`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`if err != nil {`
Add endpoint to retrieve an invite with the invite token. (#719) Closes #579 2016-12-30 01:58:12 +00:00			`return nil, err`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`}`

			`if invite.Token != token {`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`return nil, fleet.NewInvalidArgumentError("invite_token", "Invite Token does not match Email Address.")`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`}`

			`expiresAt := invite.CreatedAt.Add(svc.config.App.InviteTokenValidityPeriod)`
			`if svc.clock.Now().After(expiresAt) {`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`return nil, fleet.NewInvalidArgumentError("invite_token", "Invite token has expired.")`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`}`

Add endpoint to retrieve an invite with the invite token. (#719) Closes #579 2016-12-30 01:58:12 +00:00			`return invite, nil`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00
			`}`

Refactor teams service methods (#910) - Move team-related service methods to `ee/server/service`. - Instantiate different service on startup based on license key. - Refactor service errors into separate package. - Add support for running E2E tests in both Core and Basic tiers. 2021-06-01 00:07:51 +00:00			`func (svc *Service) DeleteInvite(ctx context.Context, id uint) error {`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`if err := svc.authz.Authorize(ctx, &fleet.Invite{}, fleet.ActionWrite); err != nil {`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`return err`
			`}`
consolidate delete operations in mysql store (#746) Adds a helper method which soft deletes entities from the database. 2017-01-04 18:18:21 +00:00			`return svc.ds.DeleteInvite(id)`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`}`