Diffstat (limited to 'api/authentication.go')
-rw-r--r-- | api/authentication.go | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/api/authentication.go b/api/authentication.go
index bab83a720..10ed578e1 100644
--- a/api/authentication.go
+++ b/api/authentication.go
@@ -7,6 +7,8 @@ import (
 	"github.com/mattermost/platform/einterfaces"
 	"github.com/mattermost/platform/model"
 	"github.com/mattermost/platform/utils"
+
+	"net/http"
 )
 
 func checkPasswordAndAllCriteria(user *model.User, password string, mfaToken string) *model.AppError {
@@ -37,6 +39,32 @@ func checkUserPassword(user *model.User, password string) *model.AppError {
 	}
 }
 
+func checkLdapUserPasswordAndAllCriteria(ldapId, password, mfaToken string) (*model.User, *model.AppError) {
+	ldapInterface := einterfaces.GetLdapInterface()
+
+	if ldapInterface == nil {
+		err := model.NewLocAppError("doLdapAuthentication", "api.user.login_ldap.not_available.app_error", nil, "")
+		err.StatusCode = http.StatusNotImplemented
+		return nil, err
+	}
+
+	var user *model.User
+	if ldapUser, err := ldapInterface.DoLogin(ldapId, password); err != nil {
+		err.StatusCode = http.StatusUnauthorized
+		return nil, err
+	} else {
+		user = ldapUser
+	}
+
+	if err := checkUserAdditionalAuthenticationCriteria(user, mfaToken); err != nil {
+		err.StatusCode = http.StatusUnauthorized
+		return user, err
+	}
+
+	// user successfully authenticated
+	return user, nil
+}
+
 func checkUserAdditionalAuthenticationCriteria(user *model.User, mfaToken string) *model.AppError {
 	if err := checkUserMfa(user, mfaToken); err != nil {
 		return err
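Review bot: In `checkLdapUserPasswordAndAllCriteria`, the MFA/additional-criteria failure path returns the LDAP-resolved user together with the error (`return user, err`), so a caller that tests the user pointer rather than the error would proceed with an account whose second factor was never verified; the other failure paths in the same function already return `nil, err`, and this one should too: `return nil, err`. The location string passed to `NewLocAppError` is `"doLdapAuthentication"`, which does not match this function's name and will point log readers at a function that does not exist in this file — use `"checkLdapUserPasswordAndAllCriteria"`. Note also that every `DoLogin` failure is rewritten to 401 regardless of the error the LDAP interface produced, so a directory outage is presented to the client as bad credentials; if that collapse is deliberate (to avoid an oracle), say so in a comment, otherwise preserve a server-side status for non-credential failures. Minor style: Go initialisms would make the parameter `ldapID`, and the `var user` + `if/else` shape can be a plain `user, err := ldapInterface.DoLogin(...)` followed by an early return.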
@@ -97,3 +125,32 @@ func checkUserNotDisabled(user *model.User) *model.AppError {
 	}
 	return nil
 }
+
+func authenticateUser(user *model.User, password, mfaToken string) (*model.User, *model.AppError) {
+	ldapAvailable := *utils.Cfg.LdapSettings.Enable && einterfaces.GetLdapInterface() != nil
+
+	if user.AuthService == model.USER_AUTH_SERVICE_LDAP {
+		if !ldapAvailable {
+			err := model.NewLocAppError("login", "api.user.login_ldap.not_available.app_error", nil, "")
+			err.StatusCode = http.StatusNotImplemented
+			return user, err
+		} else if ldapUser, err := checkLdapUserPasswordAndAllCriteria(user.AuthData, password, mfaToken); err != nil {
+			err.StatusCode = http.StatusUnauthorized
+			return user, err
+		} else {
+			// slightly redundant to get the user again, but we need to get it from the LDAP server
+			return ldapUser, nil
+		}
+	} else if user.AuthService != "" {
+		err := model.NewLocAppError("login", "api.user.login.use_auth_service.app_error", map[string]interface{}{"AuthService": user.AuthService}, "")
+		err.StatusCode = http.StatusBadRequest
+		return user, err
+	} else {
+		if err := checkPasswordAndAllCriteria(user, password, mfaToken); err != nil {
+			err.StatusCode = http.StatusUnauthorized
+			return user, err
+		} else {
+			return user, nil
+		}
+	}
+}
|
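Review bot: `authenticateUser` returns the unauthenticated `user` alongside the error on every failure branch (LDAP unavailable, LDAP login/MFA failure, wrong auth service, bad password), which invites a caller to keep using a `*model.User` that was never authenticated; each of those branches should be `return nil, err` so the only non-nil user this function ever hands out is one that passed all checks. The 401 override after `checkLdapUserPasswordAndAllCriteria` also discards the status that helper set, including its own 501 for a missing LDAP interface. The `user.AuthService != ""` branch reports the account's auth provider (`"AuthService": user.AuthService`) to a caller who has only supplied a login name and no valid credential, so it tells an unauthenticated client which SSO backend an existing account uses; if that is an intentional UX choice it deserves a comment, otherwise consider a generic message. Style-wise the nested `if … else if … else` can be flattened into a `switch user.AuthService` with early returns, which also makes the "slightly redundant" comment read as the deliberate re-fetch it is.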