Prototype for CBA (#8475)

* Prototype for CBA * Fixing gofmt issues * Do not require password if logging in with certificate * Fixing issues from feedback * Adding unit tests * Fixing feedback
author: Corey Hulen <corey@hulen.com> 2018-06-12 10:16:39 -0700
committer: Christopher Speller <crspeller@gmail.com> 2018-06-12 10:16:39 -0700
commit: 656c8a62d145fc565e9a98e060329239d2d59fbd (patch)
tree: b4922cbf8b14992c353742e9e4225d7736a2e3a3 /api4
parent: 4ea7f6a2f7e61356996a3dfa85169f8db5d4d064 (diff)
download: chat-656c8a62d145fc565e9a98e060329239d2d59fbd.tar.gz
chat-656c8a62d145fc565e9a98e060329239d2d59fbd.tar.bz2
chat-656c8a62d145fc565e9a98e060329239d2d59fbd.zip
2 files changed, 71 insertions, 0 deletions
diff --git a/api4/user.go b/api4/user.go
index 39d2eac61..2b79b19f1 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -983,8 +983,27 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) {
 	deviceId := props["device_id"]
 	ldapOnly := props["ldap_only"] == "true"
 
+	if *c.App.Config().ExperimentalSettings.ClientSideCertEnable {
+		if license := c.App.License(); license == nil || !*license.Features.SAML {
+			c.Err = model.NewAppError("ClientSideCertNotAllowed", "Attempt to use the experimental feature ClientSideCertEnable without a valid enterprise license", nil, "", http.StatusBadRequest)
+			return
+		} else {
+			certPem, certSubject, certEmail := c.App.CheckForClienSideCert(r)
+			mlog.Debug("Client Cert", mlog.String("cert_subject", certSubject), mlog.String("cert_email", certEmail))
+
+			if len(certPem) == 0 || len(certEmail) == 0 {
+				c.Err = model.NewAppError("ClientSideCertMissing", "Attempted to sign in using the experimental feature ClientSideCert without providing a valid certificate", nil, "", http.StatusBadRequest)
+				return
+			} else if *c.App.Config().ExperimentalSettings.ClientSideCertCheck == model.CLIENT_SIDE_CERT_CHECK_PRIMARY_AUTH {
+				loginId = certEmail
+				password = "certificate"
+			}
+		}
+	}
+
 	c.LogAuditWithUserId(id, "attempt - login_id="+loginId)
 	user, err := c.App.AuthenticateUserForLogin(id, loginId, password, mfaToken, ldapOnly)
+
 	if err != nil {
 		c.LogAuditWithUserId(id, "failure - login_id="+loginId)
 		c.Err = err
diff --git a/api4/user_test.go b/api4/user_test.go
index 10f65e766..96aa55d5f 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -2235,6 +2235,58 @@ func TestSetProfileImage(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+func TestCBALogin(t *testing.T) {
+	th := Setup().InitBasic()
+	defer th.TearDown()
+	Client := th.Client
+	Client.Logout()
+
+	th.App.SetLicense(model.NewTestLicense("saml"))
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ExperimentalSettings.ClientSideCertEnable = true
+		*cfg.ExperimentalSettings.ClientSideCertCheck = model.CLIENT_SIDE_CERT_CHECK_PRIMARY_AUTH
+	})
+
+	user, resp := Client.Login(th.BasicUser.Email, th.BasicUser.Password)
+	if resp.Error.StatusCode != 400 && user == nil {
+		t.Fatal("Should have failed because it's missing the cert header")
+	}
+
+	Client.HttpHeader["X-SSL-Client-Cert"] = "valid_cert_fake"
+	user, resp = Client.Login(th.BasicUser.Email, th.BasicUser.Password)
+	if resp.Error.StatusCode != 400 && user == nil {
+		t.Fatal("Should have failed because it's missing the cert subject")
+	}
+
+	Client.HttpHeader["X-SSL-Client-Cert-Subject-DN"] = "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=mis_match" + th.BasicUser.Email
+	user, resp = Client.Login(th.BasicUser.Email, "")
+	if resp.Error.StatusCode != 400 && user == nil {
+		t.Fatal("Should have failed because the emails mismatch")
+	}
+
+	Client.HttpHeader["X-SSL-Client-Cert-Subject-DN"] = "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=" + th.BasicUser.Email
+	user, resp = Client.Login(th.BasicUser.Email, "")
+	if !(user != nil && user.Email == th.BasicUser.Email) {
+		t.Fatal("Should have been able to login")
+	}
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ExperimentalSettings.ClientSideCertEnable = true
+		*cfg.ExperimentalSettings.ClientSideCertCheck = model.CLIENT_SIDE_CERT_CHECK_SECONDARY_AUTH
+	})
+
+	Client.HttpHeader["X-SSL-Client-Cert-Subject-DN"] = "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=" + th.BasicUser.Email
+	user, resp = Client.Login(th.BasicUser.Email, "")
+	if resp.Error.StatusCode != 400 && user == nil {
+		t.Fatal("Should have failed because password is required")
+	}
+
+	Client.HttpHeader["X-SSL-Client-Cert-Subject-DN"] = "C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=" + th.BasicUser.Email
+	user, resp = Client.Login(th.BasicUser.Email, th.BasicUser.Password)
+	if !(user != nil && user.Email == th.BasicUser.Email) {
+		t.Fatal("Should have been able to login")
+	}
+}
 
 func TestSwitchAccount(t *testing.T) {
 	th := Setup().InitBasic().InitSystemAdmin()
author	Corey Hulen <corey@hulen.com>	2018-06-12 10:16:39 -0700
committer	Christopher Speller <crspeller@gmail.com>	2018-06-12 10:16:39 -0700
commit	656c8a62d145fc565e9a98e060329239d2d59fbd (patch)
tree	b4922cbf8b14992c353742e9e4225d7736a2e3a3 /api4
parent	4ea7f6a2f7e61356996a3dfa85169f8db5d4d064 (diff)
download	chat-656c8a62d145fc565e9a98e060329239d2d59fbd.tar.gz chat-656c8a62d145fc565e9a98e060329239d2d59fbd.tar.bz2 chat-656c8a62d145fc565e9a98e060329239d2d59fbd.zip