cadoles-profile/cmd/server/route.go

package main

import (
	"crypto/rand"
	"log"
	"net/http"

	"forge.cadoles.com/Cadoles/cadoles-profile/cmd/server/config"
	"forge.cadoles.com/Cadoles/cadoles-profile/ldap"
	"forge.cadoles.com/wpetit/goweb/middleware/container"
	"forge.cadoles.com/wpetit/goweb/service/session"
	"forge.cadoles.com/wpetit/goweb/service/template"
	"forge.cadoles.com/wpetit/goweb/static"
	"forge.cadoles.com/wpetit/goweb/template/html"
	"github.com/go-chi/chi"
	"github.com/gorilla/csrf"
	"github.com/pkg/errors"
	ldapv3 "gopkg.in/ldap.v3"
)

func mountRoutes(r *chi.Mux, config *config.Config) {

	csrfSecret, err := generateRandomBytes(32)
	if err != nil {
		panic(errors.Wrap(err, "error while generating CSRF secret"))
	}
	csrfMiddleware := csrf.Protect(
		csrfSecret,
		csrf.Secure(false),
	)

	r.Use(csrfMiddleware)

	r.Get("/login", serveLoginPage)
	r.Post("/login", handleLoginForm)

	r.Get("/logout", handleLogout)
	r.Group(func(r chi.Router) {
		r.Use(authMiddleware)
		r.Get("/", serveHomePage)
		r.Get("/profile", serveProfilePage)
		r.Post("/profile/password", handlePasswordChange)
	})

	r.Get("/*", static.Dir(config.HTTP.PublicDir, "", r.NotFoundHandler()))
}

func serveHomePage(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, "/profile", http.StatusTemporaryRedirect)
}

func serveLoginPage(w http.ResponseWriter, r *http.Request) {
	ctn := container.Must(r.Context())
	tmpl := template.Must(ctn)
	data := template.Data{
		csrf.TemplateTag: csrf.TemplateField(r),
	}
	if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
		panic(errors.Wrap(err, "error while rendering page"))
	}
}

func handleLogout(w http.ResponseWriter, r *http.Request) {
	ctn := container.Must(r.Context())
	sess, err := session.Must(ctn).Get(w, r)
	if err != nil {
		panic(errors.Wrap(err, "error while retrieving session"))
	}
	if err := sess.Delete(w, r); err != nil {
		panic(errors.Wrap(err, "error while deleting session"))
	}
	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
}

func handleLoginForm(w http.ResponseWriter, r *http.Request) {

	if err := r.ParseForm(); err != nil {
		panic(errors.Wrap(err, "error while parsing form"))
	}

	username := r.Form.Get("username")
	password := r.Form.Get("password")

	ctn := container.Must(r.Context())
	ldapSrv := ldap.Must(ctn)
	tmplSrv := template.Must(ctn)
	conf := config.Must(ctn)

	sess, err := session.Must(ctn).Get(w, r)
	if err != nil {
		panic(errors.Wrap(err, "error while retrieving session"))
	}

	renderInvalidCredentials := func() {
		sess.AddFlash(session.FlashError, "Identifiants invalides.")
		data := extendTemplateData(w, r, template.Data{
			"Username":       username,
			csrf.TemplateTag: csrf.TemplateField(r),
		})
		if err := tmplSrv.RenderPage(w, "login.html.tmpl", data); err != nil {
			panic(errors.Wrap(err, "error while rendering page"))
		}
	}

	if username == "" || password == "" {
		renderInvalidCredentials()
		return
	}

	results, err := ldapSrv.Search(
		ldap.EscapeFilter(conf.LDAP.UserSearchFilterPattern, username),
		ldap.WithBaseDN(conf.LDAP.BaseDN),
		ldap.WithScope(ldapv3.ScopeWholeSubtree),
		ldap.WithSizeLimit(1),
		ldap.WithAttributes("dn"),
	)
	if err != nil {
		panic(errors.Wrap(err, "error while searching ldap entry"))
	}

	if len(results.Entries) == 0 {
		renderInvalidCredentials()
		return
	}

	userDN := results.Entries[0].DN

	log.Printf("authenticating user '%s' with DN '%s'", username, userDN)

	if err := ldapSrv.Bind(userDN, password); err != nil {

		// If the provided credentials are invalid, add flash message and rerender
		// the page
		if ldapv3.IsErrorWithCode(errors.Cause(err), ldapv3.LDAPResultInvalidCredentials) {
			renderInvalidCredentials()
			return
		}

		if ldapv3.IsErrorWithCode(errors.Cause(err), ldapv3.LDAPResultNoSuchObject) {
			renderInvalidCredentials()
			return
		}

		panic(errors.Wrap(err, "error while binding ldap connection"))
	}

	log.Printf("successful authentication for user with DN '%s'", userDN)

	sess.Set("password", password)
	sess.Set("dn", userDN)
	sess.AddFlash(session.FlashSuccess, "Bienvenue !")

	if err := sess.Save(w, r); err != nil {
		panic(errors.Wrap(err, "error while saving session"))
	}

	http.Redirect(w, r, "/", http.StatusSeeOther)

}

func serveProfilePage(w http.ResponseWriter, r *http.Request) {
	ctn := container.Must(r.Context())

	sess, err := session.Must(ctn).Get(w, r)
	if err != nil {
		panic(errors.Wrap(err, "error while retrieving session"))
	}

	ldapSrv := ldap.Must(ctn)

	conn, err := ldapSrv.Connect()
	if err != nil {
		panic(errors.Wrap(err, "error while connecting to ldap server"))
	}
	defer conn.Close()

	userDN := sess.Get("dn").(string)
	password := sess.Get("password").(string)

	if err := ldapSrv.BindConn(conn, userDN, password); err != nil {
		panic(errors.Wrap(err, "error while binding ldap connection"))
	}

	results, err := ldapSrv.Search(
		"(&)",
		ldap.WithBaseDN(userDN),
		ldap.WithScope(ldapv3.ScopeBaseObject),
		ldap.WithSizeLimit(1),
	)
	if err != nil {
		panic(errors.Wrap(err, "error while searching ldap entry"))
	}

	if len(results.Entries) == 0 {
		panic(errors.Errorf("could not retrieve ldap entry '%s'", userDN))
	}

	tmpl := template.Must(ctn)
	config := config.Must(ctn)

	data := extendTemplateData(w, r, template.Data{
		"EntryAttributes": results.Entries[0].Attributes,
		csrf.TemplateTag:  csrf.TemplateField(r),
		"Contact":         config.Contact,
	})

	if err := tmpl.RenderPage(w, "profile.html.tmpl", data); err != nil {
		panic(errors.Wrap(err, "error while rendering page"))
	}
}

func handlePasswordChange(w http.ResponseWriter, r *http.Request) {

	ctn := container.Must(r.Context())
	tmpl := template.Must(ctn)

	sess, err := session.Must(ctn).Get(w, r)
	if err != nil {
		panic(errors.Wrap(err, "error while retrieving session"))
	}

	renderError := func(message string) {
		sess.AddFlash(session.FlashError, message)
		data := extendTemplateData(w, r, template.Data{
			csrf.TemplateTag: csrf.TemplateField(r),
		})
		if err := tmpl.RenderPage(w, "profile.html.tmpl", data); err != nil {
			panic(errors.Wrap(err, "error while rendering page"))
		}
	}

	if err := r.ParseForm(); err != nil {
		panic(errors.Wrap(err, "error while parsing form"))
	}

	currentPassword := r.Form.Get("currentPassword")

	if currentPassword == "" {
		renderError("Vous devez renseigner votre mot de passe actuel.")
		return
	}

	if currentPassword == "" {
		renderError("Vous devez renseigner votre mot de passe actuel.")
		return
	}

	password := sess.Get("password").(string)
	if currentPassword != password {
		renderError("Votre mot de passe est invalide.")
		return
	}

	newPassword := r.Form.Get("newPassword")
	newPasswordConfirm := r.Form.Get("newPasswordConfirm")

	if newPassword == "" {
		renderError("Vous devez renseigner un nouveau mot de passe.")
		return
	}

	if newPassword != newPasswordConfirm {
		renderError("La confirmation de votre mot de passe n'est pas identique à votre nouveau mot de passe.")
		return
	}

	ldapSrv := ldap.Must(ctn)

	conn, err := ldapSrv.Connect()
	if err != nil {
		panic(errors.Wrap(err, "error while connecting to ldap server"))
	}
	defer conn.Close()

	userDN := sess.Get("dn").(string)

	if err := ldapSrv.BindConn(conn, userDN, password); err != nil {
		panic(errors.Wrap(err, "error while binding ldap connection"))
	}

	if err := ldapSrv.ModifyPasswordConn(conn, userDN, password, newPassword); err != nil {
		panic(errors.Wrap(err, "error while modifying password"))
	}

	sess.Set("password", newPassword)
	sess.AddFlash(session.FlashSuccess, "Votre mot de passe a été modifié.")

	if err := sess.Save(w, r); err != nil {
		panic(errors.Wrap(err, "error while saving session"))
	}

	http.Redirect(w, r, "/profile", http.StatusSeeOther)

}

func authMiddleware(next http.Handler) http.Handler {
	fn := func(w http.ResponseWriter, r *http.Request) {
		ctn := container.Must(r.Context())
		sess, err := session.Must(ctn).Get(w, r)
		if err != nil {
			panic(errors.Wrap(err, "error while retrieving session"))
		}
		dn, ok := sess.Get("dn").(string)
		if !ok || dn == "" {
			http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)
			return
		}
		next.ServeHTTP(w, r)
	}
	return http.HandlerFunc(fn)
}

func extendTemplateData(w http.ResponseWriter, r *http.Request, data template.Data) template.Data {
	ctn := container.Must(r.Context())
	data, err := template.Extend(data,
		html.WithFlashes(w, r, ctn),
	)
	if err != nil {
		panic(errors.Wrap(err, "error while extending template data"))
	}
	return data
}

func generateRandomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	if err != nil {
		return nil, err
	}
	return b, nil
}