Modification du mot de passe fonctionnel

- Ajout de jeton anti CSRF dans les formulaires de login/profile
2019-05-22 14:24:53 +02:00
parent 08e10f1d47
commit eba02717cf
15 changed files with 1002 additions and 39 deletions
--- a/cmd/server/config/config.go
+++ b/cmd/server/config/config.go
@ -21,7 +21,6 @@ type LDAPConfig struct {
 	URL                     string
 	BaseDN                  string
 	UserSearchFilterPattern string
-	EditableAttributes      []string `ini:",allowshadow"`
 }

 // NewFromFile retrieves the configuration from the given file
@ -48,10 +47,6 @@ func NewDefault() *Config {
 			URL:                     "ldap://127.0.0.1:389",
 			BaseDN:                  "o=org,c=fr",
 			UserSearchFilterPattern: "(&(objectClass=person)(uid=%s))",
-			EditableAttributes: []string{
-				"displayname",
-				"mail",
-			},
 		},
 	}
 }
--- a/cmd/server/container.go
+++ b/cmd/server/container.go
@ -18,7 +18,7 @@ func getServiceContainer(conf *config.Config) (*service.Container, error) {
 	ctn := service.NewContainer()

 	// Create and initialize HTTP session service provider
-	cookieStore, err := gorilla.CreateCookieSessionStore(32, 64, &sessions.Options{
+	cookieStore, err := gorilla.CreateCookieSessionStore(64, 32, &sessions.Options{
 		Path:     "/",
 		HttpOnly: true,
 	})
--- a/cmd/server/route.go
+++ b/cmd/server/route.go
@ -1,6 +1,7 @@
 package main

 import (
+	"crypto/rand"
 	"log"
 	"net/http"

@ -12,19 +13,35 @@ import (
 	"forge.cadoles.com/wpetit/goweb/static"
 	"forge.cadoles.com/wpetit/goweb/template/html"
 	"github.com/go-chi/chi"
+	"github.com/gorilla/csrf"
 	"github.com/pkg/errors"
 	ldapv3 "gopkg.in/ldap.v3"
 )

 func mountRoutes(r *chi.Mux, config *config.Config) {
+
+	csrfSecret, err := generateRandomBytes(32)
+	if err != nil {
+		panic(errors.Wrap(err, "error while generating CSRF secret"))
+	}
+	csrfMiddleware := csrf.Protect(
+		csrfSecret,
+		csrf.Secure(false),
+	)
+
+	r.Use(csrfMiddleware)
+
 	r.Get("/login", serveLoginPage)
 	r.Post("/login", handleLoginForm)
+
 	r.Get("/logout", handleLogout)
 	r.Group(func(r chi.Router) {
 		r.Use(authMiddleware)
 		r.Get("/", serveHomePage)
 		r.Get("/profile", serveProfilePage)
+		r.Post("/profile/password", handlePasswordChange)
 	})
+
 	r.Get("/*", static.Dir(config.HTTP.PublicDir, "", r.NotFoundHandler()))
 }

@ -35,7 +52,10 @@ func serveHomePage(w http.ResponseWriter, r *http.Request) {
 func serveLoginPage(w http.ResponseWriter, r *http.Request) {
 	ctn := container.Must(r.Context())
 	tmpl := template.Must(ctn)
-	if err := tmpl.RenderPage(w, "login.html.tmpl", nil); err != nil {
+	data := template.Data{
+		csrf.TemplateTag: csrf.TemplateField(r),
+	}
+	if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
 		panic(errors.Wrap(err, "error while rendering page"))
 	}
 }
@ -74,13 +94,19 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
 	renderInvalidCredentials := func() {
 		sess.AddFlash(session.FlashError, "Identifiants invalides.")
 		data := extendTemplateData(w, r, template.Data{
-			"Username": username,
+			"Username":       username,
+			csrf.TemplateTag: csrf.TemplateField(r),
 		})
 		if err := tmplSrv.RenderPage(w, "login.html.tmpl", data); err != nil {
 			panic(errors.Wrap(err, "error while rendering page"))
 		}
 	}

+	if username == "" || password == "" {
+		renderInvalidCredentials()
+		return
+	}
+
 	results, err := ldapSrv.Search(
 		ldap.EscapeFilter(conf.LDAP.UserSearchFilterPattern, username),
 		ldap.WithBaseDN(conf.LDAP.BaseDN),
@ -155,14 +181,11 @@ func serveProfilePage(w http.ResponseWriter, r *http.Request) {
 		panic(errors.Wrap(err, "error while binding ldap connection"))
 	}

-	conf := config.Must(ctn)
-
 	results, err := ldapSrv.Search(
 		"(&)",
 		ldap.WithBaseDN(userDN),
 		ldap.WithScope(ldapv3.ScopeBaseObject),
 		ldap.WithSizeLimit(1),
-		ldap.WithAttributes(conf.LDAP.EditableAttributes...),
 	)
 	if err != nil {
 		panic(errors.Wrap(err, "error while searching ldap entry"))
@ -176,6 +199,7 @@ func serveProfilePage(w http.ResponseWriter, r *http.Request) {

 	data := extendTemplateData(w, r, template.Data{
 		"EntryAttributes": results.Entries[0].Attributes,
+		csrf.TemplateTag:  csrf.TemplateField(r),
 	})

 	if err := tmpl.RenderPage(w, "profile.html.tmpl", data); err != nil {
@ -183,6 +207,90 @@ func serveProfilePage(w http.ResponseWriter, r *http.Request) {
 	}
 }

+func handlePasswordChange(w http.ResponseWriter, r *http.Request) {
+
+	ctn := container.Must(r.Context())
+	tmpl := template.Must(ctn)
+
+	sess, err := session.Must(ctn).Get(w, r)
+	if err != nil {
+		panic(errors.Wrap(err, "error while retrieving session"))
+	}
+
+	renderError := func(message string) {
+		sess.AddFlash(session.FlashError, message)
+		data := extendTemplateData(w, r, template.Data{
+			csrf.TemplateTag: csrf.TemplateField(r),
+		})
+		if err := tmpl.RenderPage(w, "profile.html.tmpl", data); err != nil {
+			panic(errors.Wrap(err, "error while rendering page"))
+		}
+	}
+
+	if err := r.ParseForm(); err != nil {
+		panic(errors.Wrap(err, "error while parsing form"))
+	}
+
+	currentPassword := r.Form.Get("currentPassword")
+
+	if currentPassword == "" {
+		renderError("Vous devez renseigner votre mot de passe actuel.")
+		return
+	}
+
+	if currentPassword == "" {
+		renderError("Vous devez renseigner votre mot de passe actuel.")
+		return
+	}
+
+	password := sess.Get("password").(string)
+	if currentPassword != password {
+		renderError("Votre mot de passe est invalide.")
+		return
+	}
+
+	newPassword := r.Form.Get("newPassword")
+	newPasswordConfirm := r.Form.Get("newPasswordConfirm")
+
+	if newPassword == "" {
+		renderError("Vous devez renseigner un nouveau mot de passe.")
+		return
+	}
+
+	if newPassword != newPasswordConfirm {
+		renderError("La confirmation de votre mot de passe n'est pas identique à votre nouveau mot de passe.")
+		return
+	}
+
+	ldapSrv := ldap.Must(ctn)
+
+	conn, err := ldapSrv.Connect()
+	if err != nil {
+		panic(errors.Wrap(err, "error while connecting to ldap server"))
+	}
+	defer conn.Close()
+
+	userDN := sess.Get("dn").(string)
+
+	if err := ldapSrv.BindConn(conn, userDN, password); err != nil {
+		panic(errors.Wrap(err, "error while binding ldap connection"))
+	}
+
+	if err := ldapSrv.ModifyPasswordConn(conn, userDN, password, newPassword); err != nil {
+		panic(errors.Wrap(err, "error while modifying password"))
+	}
+
+	sess.Set("password", newPassword)
+	sess.AddFlash(session.FlashSuccess, "Votre mot de passe a été modifié.")
+
+	if err := sess.Save(w, r); err != nil {
+		panic(errors.Wrap(err, "error while saving session"))
+	}
+
+	http.Redirect(w, r, "/profile", http.StatusSeeOther)
+
+}
+
 func authMiddleware(next http.Handler) http.Handler {
 	fn := func(w http.ResponseWriter, r *http.Request) {
 		ctn := container.Must(r.Context())
@ -210,3 +318,12 @@ func extendTemplateData(w http.ResponseWriter, r *http.Request, data template.Da
 	}
 	return data
 }
+
+func generateRandomBytes(n int) ([]byte, error) {
+	b := make([]byte, n)
+	_, err := rand.Read(b)
+	if err != nil {
+		return nil, err
+	}
+	return b, nil
+}
--- a/cmd/server/templates/layouts/login.html.tmpl
+++ b/cmd/server/templates/layouts/login.html.tmpl
@ -1,4 +1,4 @@
-{{define "title"}}LDAP Profile - Authentification{{end}}
+{{define "title"}}Gestionnaire de profil - Cadoles{{end}}
 {{define "head_style"}}
 <link rel="stylesheet" href="/css/login.css" />
 {{end}}
@ -13,22 +13,26 @@
            <figure class="avatar">
              <img src="/img/logo.svg" width="128" height="128">
            </figure>
+            <h4 class="title is-4">Gestionnaire de profil</h4>
            <form method="POST">
              <div class="field">
                <div class="control">
                  <input class="input is-normal"
                    name="username" type="text"
                    value="{{ .Username }}"
+                    autocomplete="username"
                    placeholder="Votre identifiant" autofocus="">
                </div>
              </div>
              <div class="field">
              <div class="control">
                <input class="input is-normal" 
-                  name="password" type="password" 
+                  name="password" type="password"
+                  autocomplete="current-password"
                  placeholder="Votre mot de passe">
              </div>
              </div>
+              {{ .csrfField }}
              <button class="button is-block is-info is-normal is-fullwidth">S'identifier</button>
            </form>
          </div>
--- a/cmd/server/templates/layouts/profile.html.tmpl
+++ b/cmd/server/templates/layouts/profile.html.tmpl
@ -5,38 +5,50 @@
 {{define "body"}}
 <section class="is-fullheight profile">
  <div class="container">
-    <div class="column is-8 is-offset-2">
+    <div class="column is-10 is-offset-1">
      {{template "flash" .}}
      <div class="has-text-right">
        <a href="/logout" class="button is-warning">Se déconnecter</a>
      </div>
      <div class="has-margin-top-small">
        <div class="box">
-          <h2 class="title is-2">Votre profil</h2>
-          <form method="POST">
-            {{range .EntryAttributes}}
-              <label class="label">{{ .Name }}</label>
-              {{ $name := .Name }}
-              {{range .Values}}
-                <div class="field has-addons">
-                  <div class="control is-expanded">
-                    <input class="input" type="text" value="{{ . }}" name="{{ $name }}">
-                  </div>
+          <div class="columns">
+            <div class="column">
+              <h3 class="title is-3">Informations personnelles</h3>
+              <div class="message is-info">
+                <div class="message-body">
+                   Fonctionnalité prochainement disponible :-)
+                </div>
+              </div>
+            </div>
+            <div class="column">
+              <h3 class="title is-3">Mot de passe</h3>
+              <form method="POST" action="/profile/password">
+                <div class="field">
+                  <label class="label">Mot de passe actuel</label>
                  <div class="control">
-                    <a class="button is-danger">
-                      -
-                    </a>
+                    <input class="input" autocomplete="current-password" name="currentPassword" type="password">
                  </div>
                </div>
-              {{end}}
-              <div class="has-text-right">
-                <button data-attribute-name="{{ $name }}" class="button is-primary">+</button>
-              </div>
-            {{end}}
-            <div class="has-text-right has-margin-top-small">
-              <button class="button is-medium is-success">Enregistrer</button>
+                <div class="field">
+                  <label class="label">Nouveau mot de passe</label>
+                  <div class="control">
+                    <input class="input" autocomplete="new-password" name="newPassword" type="password">
+                  </div>
+                </div>
+                <div class="field">
+                  <label class="label">Confirmation du nouveau mot de passe</label>
+                  <div class="control">
+                    <input class="input" autocomplete="new-password" name="newPasswordConfirm" type="password">
+                  </div>
+                </div>
+                {{ .csrfField }}
+                <div class="has-text-right has-margin-top-small">
+                  <button class="button is-normal is-success">Enregistrer</button>
+                </div>
+              </form>
            </div>
-          </form>
+          </div>
        </div>
      </div>
    </div>