Merge pull request #8 from NxtTAB/patch-resend

feat: Add campaign and individual email resend functionality

Author: FLX-0x00

controllers/api/api_test.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/gophish/gophish/config"
 	"github.com/gophish/gophish/models"
+	"github.com/stretchr/testify/assert"
 )
 
 type testContext struct {
@@ -112,3 +113,81 @@ func TestSiteImportBaseHref(t *testing.T) {
 		t.Fatalf("unexpected response received. expected %s got %s", expected, cs.HTML)
 	}
 }
+
+func TestResendCampaign(t *testing.T) {
+	ctx := setupTest(t)
+	createTestData(t)
+
+	t.Run("Test ResendAll Success", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodPost, "/api/campaigns/1/resendall", nil)
+		req.Header.Set("Authorization", "Bearer "+ctx.apiKey)
+
+		rr := httptest.NewRecorder()
+		ctx.apiServer.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		count, _ := models.CountMailLogs(1)
+		assert.Equal(t, int64(4), count, "Expected 4 total mail logs after resend")
+	})
+
+	t.Run("Test ResendAll Authorization Failure", func(t *testing.T) {
+		otherUser := models.User{Username: "other", Role: models.Role{Name: models.RoleUser}}
+		models.PutUser(&otherUser)
+		otherCampaign := models.Campaign{Name: "Other Campaign", UserId: otherUser.Id}
+		models.PostCampaign(&otherCampaign, otherUser.Id)
+
+		req := httptest.NewRequest(http.MethodPost, fmt.Sprintf("/api/campaigns/%d/resendall", otherCampaign.Id), nil)
+		req.Header.Set("Authorization", "Bearer "+ctx.apiKey)
+
+		rr := httptest.NewRecorder()
+		ctx.apiServer.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusNotFound, rr.Code)
+	})
+}
+
+func TestResendResult(t *testing.T) {
+	ctx := setupTest(t)
+	createTestData(t)
+
+	t.Run("Test Resend Single Result Success", func(t *testing.T) {
+		// Get the first result from our test campaign to use its correct public RId
+		result, err := models.GetFirstResultForCampaign(1)
+		assert.NoError(t, err)
+
+		// Use the correct result.RId in the URL
+		req := httptest.NewRequest(http.MethodPost, fmt.Sprintf("/api/results/%s/resend", result.RId), nil)
+		req.Header.Set("Authorization", "Bearer "+ctx.apiKey)
+
+		rr := httptest.NewRecorder()
+		ctx.apiServer.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code, "Expected Status OK")
+
+		count, _ := models.CountMailLogs(1)
+		assert.Equal(t, int64(3), count, "Expected 3 total mail logs after single resend")
+	})
+
+	t.Run("Test Resend Single Result Authorization Failure", func(t *testing.T) {
+		// Create a new, non-admin user
+		regularUser := models.User{Username: "testuser", Role: models.Role{Name: models.RoleUser}}
+		models.PutUser(&regularUser)
+
+		// FIX: We must reload the user from the database to get the generated API key.
+		reloadedUser, err := models.GetUser(regularUser.Id)
+		assert.NoError(t, err)
+
+		// The admin (ctx.admin) owns campaign 1, which was created by createTestData()
+		resultToTest, _ := models.GetFirstResultForCampaign(1)
+
+		// Now, we make the API call AS the new regularUser by using their reloaded API key.
+		req := httptest.NewRequest(http.MethodPost, fmt.Sprintf("/api/results/%s/resend", resultToTest.RId), nil)
+		req.Header.Set("Authorization", "Bearer "+reloadedUser.ApiKey)
+
+		rr := httptest.NewRecorder()
+		ctx.apiServer.ServeHTTP(rr, req)
+
+		// The permission check should now fail correctly, giving us the 401 error we expect.
+		assert.Equal(t, http.StatusUnauthorized, rr.Code)
+	})
+}

controllers/api/campaign.go

@@ -150,3 +150,51 @@ func (as *Server) FalsePositive(w http.ResponseWriter, r *http.Request) {
 		JSONResponse(w, models.Response{Success: true, Message: "Event marked as false positive!"}, http.StatusOK)
 	}
 }
+
+// ResendAll resends all the emails in a campaign.
+func (as *Server) ResendAll(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case http.MethodPost:
+		vars := mux.Vars(r)
+		user := ctx.Get(r, "user").(models.User)
+		id, err := strconv.ParseInt(vars["id"], 10, 64)
+		if err != nil {
+			JSONResponse(w, models.Response{Success: false, Message: "Invalid campaign ID"}, http.StatusBadRequest)
+			return
+		}
+
+		_, err = models.GetCampaign(id, user.Id)
+		if err != nil {
+			JSONResponse(w, models.Response{Success: false, Message: "Campaign not found or access denied"}, http.StatusNotFound)
+			return
+		}
+
+		err = models.ResendAllResults(id)
+		if err != nil {
+			JSONResponse(w, models.Response{Success: false, Message: "Error queueing emails for resending"}, http.StatusInternalServerError)
+			return
+		}
+		JSONResponse(w, models.Response{Success: true, Message: "Emails successfully queued for resending"}, http.StatusOK)
+	default:
+		JSONResponse(w, models.Response{Success: false, Message: "Method not allowed"}, http.StatusMethodNotAllowed)
+	}
+}
+
+// Resend resends a single email from a campaign.
+func (as *Server) Resend(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case http.MethodPost:
+		vars := mux.Vars(r)
+		user := ctx.Get(r, "user").(models.User)
+		rid := vars["rid"] // Get the string "rid" from the URL
+
+		err := models.ResendResultByRId(rid, user.Id)
+		if err != nil {
+			JSONResponse(w, models.Response{Success: false, Message: err.Error()}, http.StatusInternalServerError)
+			return
+		}
+		JSONResponse(w, models.Response{Success: true, Message: "Email successfully queued for resending"}, http.StatusOK)
+	default:
+		JSONResponse(w, models.Response{Success: false, Message: "Method not allowed"}, http.StatusMethodNotAllowed)
+	}
+}

controllers/api/server.go

@@ -67,6 +67,8 @@ func (as *Server) registerRoutes() {
 	router.HandleFunc("/campaigns/{id:[0-9]+}/results", as.CampaignResults)
 	router.HandleFunc("/campaigns/{id:[0-9]+}/summary", as.CampaignSummary)
 	router.HandleFunc("/campaigns/{id:[0-9]+}/complete", as.CampaignComplete)
+	router.HandleFunc("/campaigns/{id:[0-9]+}/resendall", as.ResendAll)
+	router.HandleFunc("/results/{rid}/resend", as.Resend)
 	router.HandleFunc("/falsepositive/{id:[0-9]+}/rid/{rid:[a-zA-Z0-9]+}", as.FalsePositive)
 	router.HandleFunc("/groups/", as.Groups)
 	router.HandleFunc("/groups/summary", as.GroupsSummary)

go.mod

@@ -25,6 +25,7 @@ require (
 	github.com/mattn/go-sqlite3 v2.0.3+incompatible
 	github.com/oschwald/maxminddb-golang v1.6.0
 	github.com/sirupsen/logrus v1.4.2
+	github.com/stretchr/testify v1.4.0
 	github.com/ziutek/mymysql v1.5.4 // indirect
 	golang.org/x/crypto v0.0.0-20200128174031-69ecbb4d6d5d
 	golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab // indirect

models/result.go

@@ -3,6 +3,7 @@ package models
 import (
 	"crypto/rand"
 	"encoding/json"
+	"errors"
 	"math/big"
 	"net"
 	"time"
@@ -208,3 +209,64 @@ func GetResult(rid string) (Result, error) {
 	err := db.Where("r_id=?", rid).First(&r).Error
 	return r, err
 }
+
+// ResendResultByRId finds a specific result by its public RId and requeues it for sending.
+func ResendResultByRId(rid string, user_id int64) error {
+	r, err := GetResult(rid)
+	if err != nil {
+		return errors.New("Result not found")
+	}
+
+	// Verify the user has access to this campaign
+	_, err = GetCampaign(r.CampaignId, user_id)
+	if err != nil {
+		return errors.New("access denied")
+	}
+
+	// Create a new MailLog entry to trigger the send operation by the mailer.
+	m := &MailLog{
+		CampaignId: r.CampaignId,
+		UserId:     r.UserId,
+		SendDate:   time.Now().UTC(),
+		RId:        r.RId,
+	}
+	return db.Create(m).Error
+}
+
+// ResendAllResults finds all results for a given campaign and requeues them.
+func ResendAllResults(campaign_id int64) error {
+	results := []Result{}
+	err := db.Where("campaign_id = ?", campaign_id).Find(&results).Error
+	if err != nil {
+		return err
+	}
+	for _, r := range results {
+		m := &MailLog{
+			CampaignId: r.CampaignId,
+			UserId:     r.UserId,
+			SendDate:   time.Now().UTC(),
+			RId:        r.RId,
+		}
+		err = db.Create(m).Error
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// CountMailLogs returns the number of MailLogs.
+// This is a helper function intended for use in tests.
+func CountMailLogs(cid int64) (int64, error) {
+	var count int64
+	err := db.Model(&MailLog{}).Where("campaign_id = ?", cid).Count(&count).Error
+	return count, err
+}
+
+// GetFirstResultForCampaign returns the first result for a given campaign.
+// This is a helper function intended for use in tests.
+func GetFirstResultForCampaign(cid int64) (Result, error) {
+	r := Result{}
+	err := db.Where("campaign_id = ?", cid).First(&r).Error
+	return r, err
+}

static/js/src/app/campaign_results.js

@@ -852,6 +852,17 @@ function load() {
                                 return reported
                             },
                             "targets": [7]
+                        },
+                        {
+                            orderable: false,
+                            "render": function(data, type, row) {
+                                // row[6] is Status, row[0] is RId, row[4] is email
+                                if (row[6] === "Email Sent") {
+                                    return '<button class="btn btn-primary btn-xs" onclick="resendResult(\'' + row[0] + '\', \'' + row[4] + '\')">Resend</button>';
+                                }
+                                return '';
+                            },
+                            "targets": [9] // This targets our new, empty column
                         }
                     ]
                 });
@@ -1028,6 +1039,77 @@ function report_mail(rid, cid) {
     })
 }
 
+// Function for the main "Resend All" button
+function resendAll() {
+    var count = campaign.results ? campaign.results.length : 0;
+    var message = "This will resend emails to all " + count + " recipient(s) in this campaign.";
+
+    Swal.fire({
+        title: "Are you sure?",
+        text: message,
+        type: "warning",
+        animation: false,
+        showCancelButton: true,
+        confirmButtonText: "Yes, Resend All",
+        confirmButtonColor: "#428bca",
+        reverseButtons: true,
+        allowOutsideClick: false,
+        showLoaderOnConfirm: true,
+        preConfirm: function () {
+            return api.campaignId.resendAll(campaign.id);
+        }
+    }).then(function (result) {
+        if (result.value) {
+            Swal.fire(
+                'Emails Queued!',
+                'The emails have been queued for resending.',
+                'success'
+            );
+        }
+    }).catch(function(err) {
+        var message = "An error occurred";
+        if (err && err.responseJSON && err.responseJSON.message) {
+            message = err.responseJSON.message;
+        }
+        Swal.fire("Error", message, "error");
+    });
+}
+
+// Function for the individual "Resend" button
+function resendResult(result_id, email) {
+    var message = "This will resend the email to " + escapeHtml(email) + ".";
+
+    Swal.fire({
+        title: "Are you sure?",
+        text: message,
+        type: "warning",
+        animation: false,
+        showCancelButton: true,
+        confirmButtonText: "Yes, Resend",
+        confirmButtonColor: "#428bca",
+        reverseButtons: true,
+        allowOutsideClick: false,
+        showLoaderOnConfirm: true,
+        preConfirm: function () {
+            return api.resultId.resend(result_id);
+        }
+    }).then(function (result) {
+        if (result.value) {
+            Swal.fire(
+                'Email Queued!',
+                'The email has been queued for resending.',
+                'success'
+            );
+        }
+    }).catch(function(err) {
+        var message = "An error occurred";
+        if (err && err.responseJSON && err.responseJSON.message) {
+            message = err.responseJSON.message;
+        }
+        Swal.fire("Error", message, "error");
+    });
+}
+
 $(document).ready(function () {
     Highcharts.setOptions({
         global: {

static/js/src/app/gophish.js

@@ -104,11 +104,22 @@ var api = {
         complete: function (id) {
             return query("/campaigns/" + id + "/complete", "GET", {}, true)
         },
+        // resendAll() - Resend all campaign emails at POST /campaigns/:id/resendall
+        resendAll: function (id) {
+            return query("/campaigns/" + id + "/resendall", "POST", {}, true)
+        },
         // summary() - Queries the API for GET /campaigns/summary
         summary: function (id) {
             return query("/campaigns/" + id + "/summary", "GET", {}, true)
         }
     },
+    // resultId contains the endpoint for /results/:id
+    resultId: {
+        // resend() - Resend a single email at POST /results/:id/resend
+        resend: function(id) {
+            return query("/results/" + id + "/resend", "POST", {}, true)
+        }
+    },
     // groups contains the endpoints for /groups
     groups: {
         // get() - Queries the API for GET /groups

templates/campaign_results.html

@@ -38,6 +38,9 @@ <h1 class="page-header" id="page-title">Results for campaign.name</h1>
             <span id="refresh_message">
                 <i class="fa fa-spin fa-spinner"></i> Refreshing
             </span>
+            <button type="button" class="btn btn-primary" onclick="resendAll()">
+                <i class="fa fa-paper-plane"></i> Resend All
+            </button>
         </div>
         <br />
         <div class="row">
@@ -77,6 +80,8 @@ <h2>Details</h2>
                         <th>Position</th>
                         <th>Status</th>
                         <th class="text-center">Reported</th>
+                        <th></th>
+                        <th></th>
                     </tr>
                 </thead>
                 <tbody>