Prototype for CBA (#8475)

* Prototype for CBA

* Fixing gofmt issues

* Do not require password if logging in with certificate

* Fixing issues from feedback

* Adding unit tests

* Fixing feedback

8 files changed, 170 insertions, 1 deletions

diff --git a/api4/user.go b/api4/user.go
index 39d2eac61..2b79b19f1 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -983,8 +983,27 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) {
 	deviceId := props["device_id"]
 	ldapOnly := props["ldap_only"] == "true"
 
+	if *c.App.Config().ExperimentalSettings.ClientSideCertEnable {
+		if license := c.App.License(); license == nil || !*license.Features.SAML {
+			c.Err = model.NewAppError("ClientSideCertNotAllowed", "Attempt to use the experimental feature ClientSideCertEnable without a valid enterprise license", nil, "", http.StatusBadRequest)
+			return
+		} else {
+			certPem, certSubject, certEmail := c.App.CheckForClienSideCert(r)
+			mlog.Debug("Client Cert", mlog.String("cert_subject", certSubject), mlog.String("cert_email", certEmail))
+
+			if len(certPem) == 0 || len(certEmail) == 0 {
+				c.Err = model.NewAppError("ClientSideCertMissing", "Attempted to sign in using the experimental feature ClientSideCert without providing a valid certificate", nil, "", http.StatusBadRequest)
+				return
+			} else if *c.App.Config().ExperimentalSettings.ClientSideCertCheck == model.CLIENT_SIDE_CERT_CHECK_PRIMARY_AUTH {
+				loginId = certEmail
+				password = "certificate"
+			}
+		}
+	}
+
 	c.LogAuditWithUserId(id, "attempt - login_id="+loginId)
 	user, err := c.App.AuthenticateUserForLogin(id, loginId, password, mfaToken, ldapOnly)
+
 	if err != nil {
 		c.LogAuditWithUserId(id, "failure - login_id="+loginId)
 		c.Err = err
diff --git a/api4/user_test.go b/api4/user_test.go
index 10f65e766..96aa55d5f 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -2235,6 +2235,58 @@ func TestSetProfileImage(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+func TestCBALogin(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+	Client := th.Client
+	Client.Logout()
+
+	th.App.SetLicense(model.NewTestLicense("saml"))
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ExperimentalSettings.ClientSideCertEnable = true
+		*cfg.ExperimentalSettings.ClientSideCertCheck = model.CLIENT_SIDE_CERT_CHECK_PRIMARY_AUTH
+	})
+
+	user, resp := Client.Login(th.BasicUser.Email, th.BasicUser.Password)
+	if resp.Error.StatusCode != 400 && user == nil {
+		t.Fatal("Should have failed because it's missing the cert header")
+	}
+
+	Client.HttpHeader["X-SSL-Client-Cert"] = "valid_cert_fake"
+	user, resp = Client.Login(th.BasicUser.Email, th.BasicUser.Password)
+	if resp.Error.StatusCode != 400 && user == nil {
+		t.Fatal("Should have failed because it's missing the cert subject")
+	}
+
+	Client.HttpHeader["X-SSL-Client-Cert-Subject-DN"] = "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=mis_match" + th.BasicUser.Email
+	user, resp = Client.Login(th.BasicUser.Email, "")
+	if resp.Error.StatusCode != 400 && user == nil {
+		t.Fatal("Should have failed because the emails mismatch")
+	}
+
+	Client.HttpHeader["X-SSL-Client-Cert-Subject-DN"] = "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=" + th.BasicUser.Email
+	user, resp = Client.Login(th.BasicUser.Email, "")
+	if !(user != nil && user.Email == th.BasicUser.Email) {
+		t.Fatal("Should have been able to login")
+	}
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ExperimentalSettings.ClientSideCertEnable = true
+		*cfg.ExperimentalSettings.ClientSideCertCheck = model.CLIENT_SIDE_CERT_CHECK_SECONDARY_AUTH
+	})
+
+	Client.HttpHeader["X-SSL-Client-Cert-Subject-DN"] = "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=" + th.BasicUser.Email
+	user, resp = Client.Login(th.BasicUser.Email, "")
+	if resp.Error.StatusCode != 400 && user == nil {
+		t.Fatal("Should have failed because password is required")
+	}
+
+	Client.HttpHeader["X-SSL-Client-Cert-Subject-DN"] = "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=" + th.BasicUser.Email
+	user, resp = Client.Login(th.BasicUser.Email, th.BasicUser.Password)
+	if !(user != nil && user.Email == th.BasicUser.Email) {
+		t.Fatal("Should have been able to login")
+	}
+}
 
 func TestSwitchAccount(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
diff --git a/app/login.go b/app/login.go
index 3001e1f4d..d3d2a423e 100644
--- a/app/login.go
+++ b/app/login.go
@@ -6,6 +6,7 @@ package app
 import (
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/avct/uasurfer"
@@ -13,6 +14,23 @@ import (
 	"github.com/mattermost/mattermost-server/store"
 )
 
+func (a *App) CheckForClienSideCert(r *http.Request) (string, string, string) {
+	pem := r.Header.Get("X-SSL-Client-Cert")                // mapped to $ssl_client_cert from nginx
+	subject := r.Header.Get("X-SSL-Client-Cert-Subject-DN") // mapped to $ssl_client_s_dn from nginx
+	email := ""
+
+	if len(subject) > 0 {
+		for _, v := range strings.Split(subject, "/") {
+			kv := strings.Split(v, "=")
+			if len(kv) == 2 && kv[0] == "emailAddress" {
+				email = kv[1]
+			}
+		}
+	}
+
+	return pem, subject, email
+}
+
 func (a *App) AuthenticateUserForLogin(id, loginId, password, mfaToken string, ldapOnly bool) (user *model.User, err *model.AppError) {
 	// Do statistics
 	defer func() {
@@ -35,6 +53,13 @@ func (a *App) AuthenticateUserForLogin(id, loginId, password, mfaToken string, l
 		return nil, err
 	}
 
+	// If client side cert is enable and it's checking as a primary source
+	// then trust the proxy and cert that the correct user is supplied and allow
+	// them access
+	if *a.Config().ExperimentalSettings.ClientSideCertEnable && *a.Config().ExperimentalSettings.ClientSideCertCheck == model.CLIENT_SIDE_CERT_CHECK_PRIMARY_AUTH {
+		return user, nil
+	}
+
 	// and then authenticate them
 	if user, err = a.authenticateUser(user, password, mfaToken); err != nil {
 		return nil, err
diff --git a/app/login_test.go b/app/login_test.go
new file mode 100644
index 000000000..db92f1d7d
--- /dev/null
+++ b/app/login_test.go
@@ -0,0 +1,37 @@
+// Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
+// See License.txt for license information.
+
+package app
+
+import (
+	"net/http"
+	"testing"
+)
+
+func TestCheckForClienSideCert(t *testing.T) {
+	th := Setup()
+	defer th.TearDown()
+
+	var tests = []struct {
+		pem           string
+		subject       string
+		expectedEmail string
+	}{
+		{"blah", "blah", ""},
+		{"blah", "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=test@test.com", "test@test.com"},
+		{"blah", "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/EmailAddress=test@test.com", ""},
+		{"blah", "CN=www.freesoft.org/EmailAddress=test@test.com, C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft", ""},
+	}
+
+	for _, tt := range tests {
+		r := &http.Request{Header: http.Header{}}
+		r.Header.Add("X-SSL-Client-Cert", tt.pem)
+		r.Header.Add("X-SSL-Client-Cert-Subject-DN", tt.subject)
+
+		_, _, actualEmail := th.App.CheckForClienSideCert(r)
+
+		if actualEmail != tt.expectedEmail {
+			t.Fatalf("CheckForClienSideCert(%v): expected %v, actual %v", tt.subject, tt.expectedEmail, actualEmail)
+		}
+	}
+}
diff --git a/config/default.json b/config/default.json
index 67c1220bb..30c8f282f 100644
--- a/config/default.json
+++ b/config/default.json
@@ -337,6 +337,10 @@
         "BlockProfileRate": 0,
         "ListenAddress": ":8067"
     },
+    "ExperimentalSettings": {
+        "ClientSideCertEnable": false,
+        "ClientSideCertCheck": "secondary"
+    },
     "AnalyticsSettings": {
         "MaxUsersForStatistics": 2500
     },
diff --git a/model/client4.go b/model/client4.go
index 8096b2364..f5a856835 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -57,6 +57,7 @@ type Client4 struct {
 	HttpClient *http.Client // The http client
 	AuthToken  string
 	AuthType   string
+	HttpHeader map[string]string // Headers to be copied over for each request
 }
 
 func closeBody(r *http.Response) {
@@ -78,7 +79,7 @@ func (c *Client4) Must(result interface{}, resp *Response) interface{} {
 }
 
 func NewAPIv4Client(url string) *Client4 {
-	return &Client4{url, url + API_URL_SUFFIX, &http.Client{}, "", ""}
+	return &Client4{url, url + API_URL_SUFFIX, &http.Client{}, "", "", map[string]string{}}
 }
 
 func BuildErrorResponse(r *http.Response, err *AppError) *Response {
@@ -423,6 +424,13 @@ func (c *Client4) DoApiRequest(method, url, data, etag string) (*http.Response,
 		rq.Header.Set(HEADER_AUTH, c.AuthType+" "+c.AuthToken)
 	}
 
+	if c.HttpHeader != nil && len(c.HttpHeader) > 0 {
+
+		for k, v := range c.HttpHeader {
+			rq.Header.Set(k, v)
+		}
+	}
+
 	if rp, err := c.HttpClient.Do(rq); err != nil || rp == nil {
 		return nil, NewAppError(url, "model.client.connecting.app_error", nil, err.Error(), 0)
 	} else if rp.StatusCode == 304 {
diff --git a/model/config.go b/model/config.go
index f2bebf03b..47e2f68a4 100644
--- a/model/config.go
+++ b/model/config.go
@@ -160,6 +160,9 @@ const (
 	COMPLIANCE_EXPORT_TYPE_GLOBALRELAY = "globalrelay"
 	GLOBALRELAY_CUSTOMER_TYPE_A9       = "A9"
 	GLOBALRELAY_CUSTOMER_TYPE_A10      = "A10"
+
+	CLIENT_SIDE_CERT_CHECK_PRIMARY_AUTH   = "primary"
+	CLIENT_SIDE_CERT_CHECK_SECONDARY_AUTH = "secondary"
 )
 
 type ServiceSettings struct {
@@ -545,6 +548,21 @@ func (s *MetricsSettings) SetDefaults() {
 	}
 }
 
+type ExperimentalSettings struct {
+	ClientSideCertEnable *bool
+	ClientSideCertCheck  *string
+}
+
+func (s *ExperimentalSettings) SetDefaults() {
+	if s.ClientSideCertEnable == nil {
+		s.ClientSideCertEnable = NewBool(false)
+	}
+
+	if s.ClientSideCertCheck == nil {
+		s.ClientSideCertCheck = NewString(CLIENT_SIDE_CERT_CHECK_SECONDARY_AUTH)
+	}
+}
+
 type AnalyticsSettings struct {
 	MaxUsersForStatistics *int
 }
@@ -1829,6 +1847,7 @@ type Config struct {
 	NativeAppSettings     NativeAppSettings
 	ClusterSettings       ClusterSettings
 	MetricsSettings       MetricsSettings
+	ExperimentalSettings  ExperimentalSettings
 	AnalyticsSettings     AnalyticsSettings
 	WebrtcSettings        WebrtcSettings
 	ElasticsearchSettings ElasticsearchSettings
@@ -1891,6 +1910,7 @@ func (o *Config) SetDefaults() {
 	o.PasswordSettings.SetDefaults()
 	o.TeamSettings.SetDefaults()
 	o.MetricsSettings.SetDefaults()
+	o.ExperimentalSettings.SetDefaults()
 	o.SupportSettings.SetDefaults()
 	o.AnnouncementSettings.SetDefaults()
 	o.ThemeSettings.SetDefaults()
diff --git a/utils/config.go b/utils/config.go
index 2fb6e689f..80673cba6 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -712,6 +712,10 @@ func GenerateClientConfig(c *model.Config, diagnosticId string, license *model.L
 			props["SamlLoginButtonColor"] = *c.SamlSettings.LoginButtonColor
 			props["SamlLoginButtonBorderColor"] = *c.SamlSettings.LoginButtonBorderColor
 			props["SamlLoginButtonTextColor"] = *c.SamlSettings.LoginButtonTextColor
+
+			// do this under the correct licensed feature
+			props["ExperimentalClientSideCertEnable"] = strconv.FormatBool(*c.ExperimentalSettings.ClientSideCertEnable)
+			props["ExperimentalClientSideCertCheck"] = *c.ExperimentalSettings.ClientSideCertCheck
 		}
 
 		if *license.Features.Cluster {