From d8dd271e43550ab043c2db36c274092d7819fcab Mon Sep 17 00:00:00 2001 From: Christopher Speller Date: Thu, 10 May 2018 09:46:09 -0700 Subject: MM-4998 Adding LoginIdAttribute to allow LDAP users to change their login ID without losing their account (#8756) * Adding LoginIdAttribute * Modifying LDAP to use loginIDAttribute. * Adding IDAttribute migration and AD objectGUID support. * Removing unused idea. * Fix typo. --- app/ldap.go | 6 +++--- app/login.go | 70 +++++++++++++++++++++++++++++++++++++++--------------------- app/user.go | 32 --------------------------- 3 files changed, 49 insertions(+), 59 deletions(-) (limited to 'app')
diff --git a/app/ldap.go b/app/ldap.go
index 22c3b746b..544905b70 100644
--- a/app/ldap.go
+++ b/app/ldap.go
@@ -40,7 +40,7 @@ func (a *App) TestLdap() *model.AppError {
 		return nil
 	}
 
-func (a *App) SwitchEmailToLdap(email, password, code, ldapId, ldapPassword string) (string, *model.AppError) {
+func (a *App) SwitchEmailToLdap(email, password, code, ldapLoginId, ldapPassword string) (string, *model.AppError) {
 	if a.License() != nil && !*a.Config().ServiceSettings.ExperimentalEnableAuthenticationTransfer {
 		return "", model.NewAppError("emailToLdap", "api.user.email_to_ldap.not_available.app_error", nil, "", http.StatusForbidden)
 	}
@@ -63,7 +63,7 @@ func (a *App) SwitchEmailToLdap(email, password, code, ldapId, ldapPassword stri
 		return "", model.NewAppError("SwitchEmailToLdap", "api.user.email_to_ldap.not_available.app_error", nil, "", http.StatusNotImplemented)
 	}
 
-	if err := ldapInterface.SwitchToLdap(user.Id, ldapId, ldapPassword); err != nil {
+	if err := ldapInterface.SwitchToLdap(user.Id, ldapLoginId, ldapPassword); err != nil {
 		return "", err
 	}
 
@@ -95,7 +95,7 @@ func (a *App) SwitchLdapToEmail(ldapPassword, code, email, newPassword string) (
 		return "", model.NewAppError("SwitchLdapToEmail", "api.user.ldap_to_email.not_available.app_error", nil, "", http.StatusNotImplemented)
 	}
 
-	if err := ldapInterface.CheckPassword(*user.AuthData, ldapPassword); err != nil {
+	if err := ldapInterface.CheckPasswordAuthData(*user.AuthData, ldapPassword); err != nil {
 		return "", err
 	}
 
diff --git a/app/login.go b/app/login.go
index 43b022749..529e4cb21 100644
--- a/app/login.go
+++ b/app/login.go
@@ -11,47 +11,69 @@ import (
 
 	"github.com/avct/uasurfer"
 	"github.com/mattermost/mattermost-server/model"
+	"github.com/mattermost/mattermost-server/store"
 )
 
-func (a *App) AuthenticateUserForLogin(id, loginId, password, mfaToken, deviceId string, ldapOnly bool) (*model.User, *model.AppError) {
+func (a *App) AuthenticateUserForLogin(id, loginId, password, mfaToken string, ldapOnly bool) (user *model.User, err *model.AppError) {
+	// Do statistics
+	defer func() {
+		if a.Metrics != nil {
+			if user == nil || err != nil {
+				a.Metrics.IncrementLoginFail()
+			} else {
+				a.Metrics.IncrementLogin()
+			}
+		}
+	}()
+
 	if len(password) == 0 {
 		err := model.NewAppError("AuthenticateUserForLogin", "api.user.login.blank_pwd.app_error", nil, "", http.StatusBadRequest)
 		return nil, err
 	}
 
-	var user *model.User
-	var err *model.AppError
+	// Get the MM user we are trying to login
+	if user, err = a.GetUserForLogin(id, loginId); err != nil {
+		return nil, err
+	}
+
+	// and then authenticate them
+	if user, err = a.authenticateUser(user, password, mfaToken); err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
+
+func (a *App) GetUserForLogin(id, loginId string) (*model.User, *model.AppError) {
+	enableUsername := *a.Config().EmailSettings.EnableSignInWithUsername
+	enableEmail := *a.Config().EmailSettings.EnableSignInWithEmail
 
+	// If we are given a userID then fail if we can't find a user with that ID
 	if len(id) != 0 {
-		if user, err = a.GetUser(id); err != nil {
-			err.StatusCode = http.StatusBadRequest
-			if a.Metrics != nil {
-				a.Metrics.IncrementLoginFail()
+		if user, err := a.GetUser(id); err != nil {
+			if err.Id != store.MISSING_ACCOUNT_ERROR {
+				err.StatusCode = http.StatusInternalServerError
+				return nil, err
+			} else {
+				err.StatusCode = http.StatusBadRequest
+				return nil, err
 			}
-			return nil, err
-		}
-	} else {
-		if user, err = a.GetUserForLogin(loginId, ldapOnly); err != nil {
-			if a.Metrics != nil {
-				a.Metrics.IncrementLoginFail()
-			}
-			return nil, err
+		} else {
+			return user, nil
 		}
 	}
 
-	// and then authenticate them
-	if user, err = a.authenticateUser(user, password, mfaToken); err != nil {
-		if a.Metrics != nil {
-			a.Metrics.IncrementLoginFail()
-		}
-		return nil, err
+	// Try to get the user by username/email
+	if result := <-a.Srv.Store.User().GetForLogin(loginId, enableUsername, enableEmail); result.Err == nil {
+		return result.Data.(*model.User), nil
 	}
 
-	if a.Metrics != nil {
-		a.Metrics.IncrementLogin()
+	// Try to get the user with LDAP
+	if user, err := a.Ldap.GetUser(loginId); err == nil {
+		return user, nil
 	}
 
-	return user, nil
+	return nil, model.NewAppError("GetUserForLogin", "store.sql_user.get_for_login.app_error", nil, "", http.StatusBadRequest)
 }
 
 func (a *App) DoLogin(w http.ResponseWriter, r *http.Request, user *model.User, deviceId string) (*model.Session, *model.AppError) {
diff --git a/app/user.go b/app/user.go
index fd8b6b377..2b0442e75 100644
--- a/app/user.go
+++ b/app/user.go
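Review bot: `GetUserForLogin` now calls `a.Ldap.GetUser(loginId)` unconditionally, whereas the definition this commit removes from app/user.go only reached LDAP when `*a.Config().LdapSettings.Enable && a.Ldap != nil && license != nil && *license.Features.LDAP` held; when no LDAP implementation is wired in, `a.Ldap` is nil and any login that misses the username/email lookup dereferences it. The `ldapOnly` parameter of `AuthenticateUserForLogin` is also no longer read anywhere in the new body (the whole function is inside the hunk), so the restriction the old `onlyLdap` flag enforced — disabling username and email lookup — is silently dropped for callers that still pass it. The fence restores both: the availability guard from the deleted code and the flag threaded through to `GetUserForLogin`, with the call site becoming `a.GetUserForLogin(id, loginId, ldapOnly)`. Whether the removed `multiple_users` special case still matters once the store call has lost its LDAP argument I cannot tell from this diff; worth confirming against the store change.
```go
func (a *App) GetUserForLogin(id, loginId string, ldapOnly bool) (*model.User, *model.AppError) {
	enableUsername := *a.Config().EmailSettings.EnableSignInWithUsername && !ldapOnly
	enableEmail := *a.Config().EmailSettings.EnableSignInWithEmail && !ldapOnly
	license := a.License()
	// a.Ldap is nil when no LDAP implementation is registered; never call through it then.
	ldapAvailable := *a.Config().LdapSettings.Enable && a.Ldap != nil && license != nil && *license.Features.LDAP

	// … unchanged: lookup by id, lookup by username/email …

	// Try to get the user with LDAP, but only when LDAP is configured, licensed and present
	if ldapAvailable {
		if user, err := a.Ldap.GetUser(loginId); err == nil {
			return user, nil
		}
	}

	return nil, model.NewAppError("GetUserForLogin", "store.sql_user.get_for_login.app_error", nil, "", http.StatusBadRequest)
}
```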
@@ -382,38 +382,6 @@ func (a *App) GetUserByAuth(authData *string, authService string) (*model.User,
 	}
 }
 
-func (a *App) GetUserForLogin(loginId string, onlyLdap bool) (*model.User, *model.AppError) {
-	license := a.License()
-	ldapAvailable := *a.Config().LdapSettings.Enable && a.Ldap != nil && license != nil && *license.Features.LDAP
-
-	if result := <-a.Srv.Store.User().GetForLogin(
-		loginId,
-		*a.Config().EmailSettings.EnableSignInWithUsername && !onlyLdap,
-		*a.Config().EmailSettings.EnableSignInWithEmail && !onlyLdap,
-		ldapAvailable,
-	); result.Err != nil && result.Err.Id == "store.sql_user.get_for_login.multiple_users" {
-		// don't fall back to LDAP in this case since we already know there's an LDAP user, but that it shouldn't work
-		result.Err.StatusCode = http.StatusBadRequest
-		return nil, result.Err
-	} else if result.Err != nil {
-		if !ldapAvailable {
-			// failed to find user and no LDAP server to fall back on
-			result.Err.StatusCode = http.StatusBadRequest
-			return nil, result.Err
-		}
-
-		// fall back to LDAP server to see if we can find a user
-		if ldapUser, ldapErr := a.Ldap.GetUser(loginId); ldapErr != nil {
-			ldapErr.StatusCode = http.StatusBadRequest
-			return nil, ldapErr
-		} else {
-			return ldapUser, nil
-		}
-	} else {
-		return result.Data.(*model.User), nil
-	}
-}
-
 func (a *App) GetUsers(offset int, limit int) ([]*model.User, *model.AppError) {
 	if result := <-a.Srv.Store.User().GetAllProfiles(offset, limit); result.Err != nil {
 		return nil, result.Err
-- cgit v1.2.3-1-g7c22