feat: transform circuitbreaker layer in authn-network layer

internal/proxy/director/layer/authn/layer.go

@@ -1,12 +1,15 @@
 package authn
 
 import (
+	"html/template"
 	"net/http"
+	"path/filepath"
 
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/Masterminds/sprig/v3"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/logger"
 )
@@ -14,6 +17,8 @@ import (
 type Layer struct {
 	layerType store.LayerType
 	auth      Authenticator
+
+	templateDir string
 }
 
 func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
@@ -55,6 +60,11 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 					return
 				}
 
+				if errors.Is(err, ErrForbidden) {
+					l.renderForbiddenPage(w, r, layer, options, user)
+					return
+				}
+
 				logger.Error(ctx, "could not authenticate user", logger.E(errors.WithStack(err)))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
@@ -62,6 +72,11 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 			}
 
 			if err := l.injectHeaders(r, options, user); err != nil {
+				if errors.Is(err, ErrForbidden) {
+					l.renderForbiddenPage(w, r, layer, options, user)
+					return
+				}
+
 				logger.Error(ctx, "could not inject headers", logger.E(errors.WithStack(err)))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
@@ -74,6 +89,11 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 						return
 					}
 
+					if errors.Is(err, ErrForbidden) {
+						l.renderForbiddenPage(w, r, layer, options, user)
+						return
+					}
+
 					logger.Error(ctx, "could not execute post-auth hook", logger.E(errors.WithStack(err)))
 					http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 
@@ -88,15 +108,58 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 	}
 }
 
+func (l *Layer) renderForbiddenPage(w http.ResponseWriter, r *http.Request, layer *store.Layer, options *LayerOptions, user *User) {
+	w.WriteHeader(http.StatusForbidden)
+	l.renderPage(w, r, layer, "forbidden", options.Templates.Forbidden.Block, user)
+}
+
+func (l *Layer) renderPage(w http.ResponseWriter, r *http.Request, layer *store.Layer, page string, block string, user *User) {
+	ctx := r.Context()
+
+	pattern := filepath.Join(l.templateDir, page+".gohtml")
+
+	logger.Info(ctx, "loading authn templates", logger.F("pattern", pattern))
+
+	tmpl, err := template.New("").Funcs(sprig.FuncMap()).ParseGlob(pattern)
+	if err != nil {
+		logger.Error(ctx, "could not load authn templates", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	templateData := struct {
+		Layer *store.Layer
+		User  *User
+	}{
+		Layer: layer,
+		User:  user,
+	}
+
+	w.Header().Add("Cache-Control", "no-cache")
+
+	w.WriteHeader(http.StatusOK)
+
+	if err := tmpl.ExecuteTemplate(w, block, templateData); err != nil {
+		logger.Error(ctx, "could not render authn page", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+}
+
 // LayerType implements director.MiddlewareLayer
 func (l *Layer) LayerType() store.LayerType {
 	return l.layerType
 }
 
-func NewLayer(layerType store.LayerType, auth Authenticator) *Layer {
+func NewLayer(layerType store.LayerType, auth Authenticator, funcs ...OptionFunc) *Layer {
+	opts := NewOptions(funcs...)
+
 	return &Layer{
-		layerType: layerType,
-		auth:      auth,
+		layerType:   layerType,
+		auth:        auth,
+		templateDir: opts.TemplateDir,
 	}
 }