IntenseWebs/mattermost
3
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2025-02-25 18:55:24 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
3928535456f9fcb025ed86edeb4d258f2c524150
mattermost/api/authentication.go
Corey Hulen 3928535456 PLT-2905 fixing upgrade of SSO accounts (#2962) 
* PLT-2905 fixing upgrade of SSO accounts

* Fixing multiple Auths mapped to different emails
2016-05-11 14:04:30 -04:00

157 lines
4.8 KiB
Go
Raw Blame History

// Copyright (c) 2016 Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.
package api
import (
"github.com/mattermost/platform/einterfaces"
"github.com/mattermost/platform/model"
"github.com/mattermost/platform/utils"
"net/http"
)
func checkPasswordAndAllCriteria(user *model.User, password string, mfaToken string) *model.AppError {
if err := checkUserPassword(user, password); err != nil {
return err
}
if err := checkUserAdditionalAuthenticationCriteria(user, mfaToken); err != nil {
return err
}
return nil
}
func checkUserPassword(user *model.User, password string) *model.AppError {
if !model.ComparePassword(user.Password, password) {
if result := <-Srv.Store.User().UpdateFailedPasswordAttempts(user.Id, user.FailedAttempts+1); result.Err != nil {
return result.Err
}
return model.NewLocAppError("checkUserPassword", "api.user.check_user_password.invalid.app_error", nil, "user_id="+user.Id)
} else {
if result := <-Srv.Store.User().UpdateFailedPasswordAttempts(user.Id, 0); result.Err != nil {
return result.Err
}
return nil
}
}
func checkLdapUserPasswordAndAllCriteria(ldapId *string, password string, mfaToken string) (*model.User, *model.AppError) {
ldapInterface := einterfaces.GetLdapInterface()
if ldapInterface == nil || ldapId == nil {
err := model.NewLocAppError("doLdapAuthentication", "api.user.login_ldap.not_available.app_error", nil, "")
err.StatusCode = http.StatusNotImplemented
return nil, err
}
var user *model.User
if ldapUser, err := ldapInterface.DoLogin(*ldapId, password); err != nil {
err.StatusCode = http.StatusUnauthorized
return nil, err
} else {
user = ldapUser
}
if err := checkUserAdditionalAuthenticationCriteria(user, mfaToken); err != nil {
err.StatusCode = http.StatusUnauthorized
return user, err
}
// user successfully authenticated
return user, nil
}
func checkUserAdditionalAuthenticationCriteria(user *model.User, mfaToken string) *model.AppError {
if err := checkUserMfa(user, mfaToken); err != nil {
return err
}
if err := checkEmailVerified(user); err != nil {
return err
}
if err := checkUserNotDisabled(user); err != nil {
return err
}
if err := checkUserLoginAttempts(user); err != nil {
return err
}
return nil
}
func checkUserMfa(user *model.User, token string) *model.AppError {
if !user.MfaActive || !utils.IsLicensed || !*utils.License.Features.MFA || !*utils.Cfg.ServiceSettings.EnableMultifactorAuthentication {
return nil
}
mfaInterface := einterfaces.GetMfaInterface()
if mfaInterface == nil {
return model.NewLocAppError("checkUserMfa", "api.user.check_user_mfa.not_available.app_error", nil, "")
}
if ok, err := mfaInterface.ValidateToken(user.MfaSecret, token); err != nil {
return err
} else if !ok {
return model.NewLocAppError("checkUserMfa", "api.user.check_user_mfa.bad_code.app_error", nil, "")
}
return nil
}
func checkUserLoginAttempts(user *model.User) *model.AppError {
if user.FailedAttempts >= utils.Cfg.ServiceSettings.MaximumLoginAttempts {
return model.NewLocAppError("checkUserLoginAttempts", "api.user.check_user_login_attempts.too_many.app_error", nil, "user_id="+user.Id)
}
return nil
}
func checkEmailVerified(user *model.User) *model.AppError {
if !user.EmailVerified && utils.Cfg.EmailSettings.RequireEmailVerification {
return model.NewLocAppError("Login", "api.user.login.not_verified.app_error", nil, "user_id="+user.Id)
}
return nil
}
func checkUserNotDisabled(user *model.User) *model.AppError {
if user.DeleteAt > 0 {
return model.NewLocAppError("Login", "api.user.login.inactive.app_error", nil, "user_id="+user.Id)
}
return nil
}
func authenticateUser(user *model.User, password, mfaToken string) (*model.User, *model.AppError) {
ldapAvailable := *utils.Cfg.LdapSettings.Enable && einterfaces.GetLdapInterface() != nil
if user.AuthService == model.USER_AUTH_SERVICE_LDAP {
if !ldapAvailable {
err := model.NewLocAppError("login", "api.user.login_ldap.not_available.app_error", nil, "")
err.StatusCode = http.StatusNotImplemented
return user, err
} else if ldapUser, err := checkLdapUserPasswordAndAllCriteria(user.AuthData, password, mfaToken); err != nil {
err.StatusCode = http.StatusUnauthorized
return user, err
} else {
// slightly redundant to get the user again, but we need to get it from the LDAP server
return ldapUser, nil
}
} else if user.AuthService != "" {
err := model.NewLocAppError("login", "api.user.login.use_auth_service.app_error", map[string]interface{}{"AuthService": user.AuthService}, "")
err.StatusCode = http.StatusBadRequest
return user, err
} else {
if err := checkPasswordAndAllCriteria(user, password, mfaToken); err != nil {
err.StatusCode = http.StatusUnauthorized
return user, err
} else {
return user, nil
}
}
}
Reference in New Issue View Git Blame Copy Permalink