Mattermost-server: Create Plugin helper method for installing a plugin through a URL
Plugins should be able to install new plugins by providing a url for the server to download from a remote source. To accomplish this add an InstallPluginFromUrl(url string, replace bool) (*model.Manifest, *model.AppError) method to the plugin helpers API that internally uses InstallPlugin from the pending work being done in https://mattermost.atlassian.net/browse/MM-14190. The replace argument signals to the server to overwrite a potentially existing plugin if it shares the same id as the new plugin, simplifying upgrades.
Note that there is currently a REST API endpoint that can install a plugin through a provided download url pointing to a plugin tar.gz file. The PR introducing the change to the API is here: https://github.com/mattermost/mattermost-server/pull/11372 We want to support this functionality through the Plugin API, to allow a plugin to install and update other plugins.
One pending nuance is the planned addition of plugin signing to the API. Coordinate with @ali-farooq0 and @iomodo before finalizing implementation.
If you're interested please comment here and come join our "Contributors" community channel on our daily build server, where you can discuss questions with community members and the Mattermost core team. For technical advice or questions, please join our "Developers" community channel.
New contributors please see our Developer's Guide.
mattermod
All 12 comments
@lieut-data I would like to contribute to it.
RajatVaryani
on 29 Sep 2019
Thanks, @RajatVaryani!
lieut-data
on 30 Sep 2019
Hi. Just want to clarify. So I have to add a plugin_api similar to work being done in https://mattermost.atlassian.net/browse/MM-14190. Just the difference is the source from which the plugin is downloaded from, right?
RajatVaryani
on 7 Oct 2019
@RajatVaryani, right: the idea with the RPC API is to expose the low-level io.Reader interface, and the helper to build on that to pipe an HTTP request through it. One could imagine other helpers in the future enabling loading from other io.Readers.
lieut-data
on 9 Oct 2019
Hey @RajatVaryani,
Just wanted to check if you questions got answered. Do you have any outstanding ones?
hanzei
on 27 Oct 2019
@hanzei There are no blockers as of now. I will start working on it shortly.
RajatVaryani
on 27 Oct 2019
@hanzei I have few questions:
- What is plugin signing to the API?
- Which of the checks should be done in the helper method?
Following checks are done in https://github.com/mattermost/mattermost-server/blob/3701a393e57f48208cbdf81d61735df800637e1a/api4/plugin.go#L95-L122.
- Checking if plugins are enabled via config.
- Sanity check for http url. (I think this needs to be done)
- Checking if downloading via insecure source is allowed once again via config?
RajatVaryani
on 28 Oct 2019
@lieut-data Can you please answer the above questions?
RajatVaryani
on 28 Oct 2019
@RajatVaryani, I think only the last one should be checked. Installing a plugin from a plugin doesn't need to be gated on whether plugins are enabled, since the plugin wouldn't be running anyway. The net/http URI ought to enforce an invalid URL, and I'd be more worried about rejecting a perfectly good URL by accident.
For plugin signing, I'd suggest coordinating with @ali-farooq0 and @iomodo.
lieut-data
on 28 Oct 2019
@hanzei Can you please review this to give early feedback?
RajatVaryani
on 3 Nov 2019
Sure, will comment on this PR :+1:
hanzei
on 3 Nov 2019
Thanks again, @RajatVaryani!
lieut-data
on 8 Jan 2020
Related issues
esethna
路
3Comments
esethna
路
3Comments
tumbl3w33d
路
3Comments
clarfonthey
路
3Comments
esethna
路
3Comments