diff options
author | Corey Hulen <corey@hulen.com> | 2018-06-12 10:16:39 -0700 |
---|---|---|
committer | Christopher Speller <crspeller@gmail.com> | 2018-06-12 10:16:39 -0700 |
commit | 656c8a62d145fc565e9a98e060329239d2d59fbd (patch) | |
tree | b4922cbf8b14992c353742e9e4225d7736a2e3a3 /api4/user.go | |
parent | 4ea7f6a2f7e61356996a3dfa85169f8db5d4d064 (diff) | |
download | chat-656c8a62d145fc565e9a98e060329239d2d59fbd.tar.gz chat-656c8a62d145fc565e9a98e060329239d2d59fbd.tar.bz2 chat-656c8a62d145fc565e9a98e060329239d2d59fbd.zip |
Prototype for CBA (#8475)
* Prototype for CBA
* Fixing gofmt issues
* Do not require password if logging in with certificate
* Fixing issues from feedback
* Adding unit tests
* Fixing feedback
Diffstat (limited to 'api4/user.go')
-rw-r--r-- | api4/user.go | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/api4/user.go b/api4/user.go index 39d2eac61..2b79b19f1 100644 --- a/api4/user.go +++ b/api4/user.go @@ -983,8 +983,27 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) { deviceId := props["device_id"] ldapOnly := props["ldap_only"] == "true" + if *c.App.Config().ExperimentalSettings.ClientSideCertEnable { + if license := c.App.License(); license == nil || !*license.Features.SAML { + c.Err = model.NewAppError("ClientSideCertNotAllowed", "Attempt to use the experimental feature ClientSideCertEnable without a valid enterprise license", nil, "", http.StatusBadRequest) + return + } else { + certPem, certSubject, certEmail := c.App.CheckForClienSideCert(r) + mlog.Debug("Client Cert", mlog.String("cert_subject", certSubject), mlog.String("cert_email", certEmail)) + + if len(certPem) == 0 || len(certEmail) == 0 { + c.Err = model.NewAppError("ClientSideCertMissing", "Attempted to sign in using the experimental feature ClientSideCert without providing a valid certificate", nil, "", http.StatusBadRequest) + return + } else if *c.App.Config().ExperimentalSettings.ClientSideCertCheck == model.CLIENT_SIDE_CERT_CHECK_PRIMARY_AUTH { + loginId = certEmail + password = "certificate" + } + } + } + c.LogAuditWithUserId(id, "attempt - login_id="+loginId) user, err := c.App.AuthenticateUserForLogin(id, loginId, password, mfaToken, ldapOnly) + if err != nil { c.LogAuditWithUserId(id, "failure - login_id="+loginId) c.Err = err |