Prototype for CBA (#8475)

* Prototype for CBA

* Fixing gofmt issues

* Do not require password if logging in with certificate

* Fixing issues from feedback

* Adding unit tests

* Fixing feedback

1 files changed, 19 insertions, 0 deletions

diff --git a/api4/user.go b/api4/user.go
index 39d2eac61..2b79b19f1 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -983,8 +983,27 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) {
 	deviceId := props["device_id"]
 	ldapOnly := props["ldap_only"] == "true"
 
+	if *c.App.Config().ExperimentalSettings.ClientSideCertEnable {
+		if license := c.App.License(); license == nil || !*license.Features.SAML {
+			c.Err = model.NewAppError("ClientSideCertNotAllowed", "Attempt to use the experimental feature ClientSideCertEnable without a valid enterprise license", nil, "", http.StatusBadRequest)
+			return
+		} else {
+			certPem, certSubject, certEmail := c.App.CheckForClienSideCert(r)
+			mlog.Debug("Client Cert", mlog.String("cert_subject", certSubject), mlog.String("cert_email", certEmail))
+
+			if len(certPem) == 0 || len(certEmail) == 0 {
+				c.Err = model.NewAppError("ClientSideCertMissing", "Attempted to sign in using the experimental feature ClientSideCert without providing a valid certificate", nil, "", http.StatusBadRequest)
+				return
+			} else if *c.App.Config().ExperimentalSettings.ClientSideCertCheck == model.CLIENT_SIDE_CERT_CHECK_PRIMARY_AUTH {
+				loginId = certEmail
+				password = "certificate"
+			}
+		}
+	}
+
 	c.LogAuditWithUserId(id, "attempt - login_id="+loginId)
 	user, err := c.App.AuthenticateUserForLogin(id, loginId, password, mfaToken, ldapOnly)
+
 	if err != nil {
 		c.LogAuditWithUserId(id, "failure - login_id="+loginId)
 		c.Err = err