.gitignore

@@ -1,5 +0,0 @@
-/bin
-/dist
-/tools
-/.trivy
-.mktools/

.travis.yml

@@ -56,7 +56,7 @@ before_deploy:
 deploy:
   - provider: releases
     api_key:
-      secure: X0diTlyWbycImd8x1ce1VHC9IcaPD9f0Pl9ynYHoV0BNw4KrgGD6OdiOM7Z7fiZA8jly0jh81orxdm3o7hIAlX02BA2kg8BFi83dcm01pcwW5vZZq0w/XMMtw644O8CAImPr58YKUjBb7c1+RENjPqjIZrdjVDzeRu0k5oOaDpk94016B1j1OB9XtkXzPzgP+KTx5gCmfeipQ6LxbL8wzXEqJWGF6+5B/7bqkzSw7vIvDtYlYgM7jf5NZslxiKlVr7pkRik6KlfRjtt/pi4ZJwpcu4AHdnNZoXkcmQwz21yd1lVFUbqNi8qGJyilOQB+p1RvZ/c5Q7a+FHN9anUM06DtfL/bMII+Kqt429M4sk9mA3rEp61SkDML1o9lJ8iiEKXPxMNtWKv1I/ixrZWYPE3g75fTaoyBusBS1bxNtOgAUf2dIr0JCO+p2NTaCyd0vOr87/KMVnJTeLzOnisMY0DOjQ3FhYmXSRPtyJF72jDxh338YX7hHK5DcwL9aVKOA5t7VbM2RW6VdavH5kHUPDEbZaDFlsUcncHJnzD1QtX7ODJh7EgFteE32fmJFBcE2BAWDIvYy68sCNU64Wwh2yBCbnMzLhET/nLm3Jj4U6Jl3VqAT2ff0UQBgugW0OpxO7JBW4b3dNwmKKA6WE5+WitO8EzE8sA09tnIEIe7YT8=
+      secure: f3KYUKsrtYRKcttPfWmHWGCFT2ugas1fgbBACGCTFp/ir6AAfHt16FYHgyfXc8+V9IajNkwqL6TrDjQFfLSI0qx38s+wLK6FIicjvMzVWXe/lCHByr4kAZuN2BOynrKiE8rkEcXHGjX2adrrvETNwUCp+oIxQtdIAVvE1Fjkb+MdnCs7Ed9beggqNOJksGVJ44X17ezarCc8/L4ULIXY/OBLnUnwH6UwMrSIPuwvMJAZlhyJWOv4ro8Z3D2f5vfD91MNit8rCkXkYPKnw1/rIpBbaoARLQ95bN97NsLkfeNlSgoAXhy00i+Jz78PgD3TvTPecdlTPwBNNnHaXBtQZjB+qHpr4lW/NP2+IJ6Aku8JY2X+Srd/BYD8hh4Nqzp3UiymsQS61++jfZmi3xUu5nhFkd+MavVW8Xy0/8vnREqHuwCQ8+oo1GHqDnKgdeRMm29AwTTx/FyUSPlzWzQIC1PVFtS3/YYqAn7sooS6l5MuSENk05IYOM1ApXOGb6tNW8wDGTD8QP8KvJjfARg8365wwhEAP6gdrW6VotSjY5XZM37ge0uKfKBvw8BVNfbn/R4/12KIuqPsEmbVfFJx18DQzz3b+9UfPZQwuxZvgNnngplUbzP2q/cKYNSMHKzZ53EVPPr5wtdDWm5pnbLtWbrN5d+y2FoS+YBrCrL09C8=
     file:
       - bin/werther_linux_386.tar.gz
       - bin/werther_linux_amd64.tar.gz

Dockerfile

@@ -3,7 +3,7 @@
 # This source code is licensed under the MIT license found in the
 # LICENSE file in the root directory of this source tree.
 
-FROM golang:1.21-alpine AS build
+FROM golang:1.12-alpine AS build
 
 ARG VERSION
 ARG GOPROXY

Jenkinsfile

@@ -1,29 +0,0 @@
-@Library('cadoles') _
-
-// Utilisation du pipeline "standard"
-// Voir https://forge.cadoles.com/Cadoles/Jenkins/src/branch/master/doc/tutorials/standard-make-pipeline.md
-standardMakePipeline([
-    'dockerfileExtension': '''
-    RUN apt-get update \
-        && apt-get install -y zip jq
-
-    RUN wget https://go.dev/dl/go1.21.5.linux-amd64.tar.gz \
-        && rm -rf /usr/local/go \
-        && tar -C /usr/local -xzf go1.21.5.linux-amd64.tar.gz
-
-    ENV PATH="${PATH}:/usr/local/go/bin"
-    ''',
-    'hooks': [
-        'pre-release': {
-            // Login into docker registry
-            sh '''
-            make .mktools
-            echo "$MKT_GITEA_RELEASE_PASSWORD" | docker login --username "$MKT_GITEA_RELEASE_USERNAME" --password-stdin reg.cadoles.com
-            '''
-        }
-    ],
-    // Use credentials to push images to registry and pubish gitea release
-    'credentials': [
-        usernamePassword(credentialsId: 'kipp-credentials', usernameVariable: 'MKT_GITEA_RELEASE_USERNAME', passwordVariable: 'MKT_GITEA_RELEASE_PASSWORD')
-    ]
-])

Makefile

@@ -1,86 +0,0 @@
-SHELL := /bin/bash
-
-IMAGE_NAME := reg.cadoles.com/cadoles/hydra-werther
-
-NFPM_VERSION ?= 2.20.0
-NFPM_PACKAGERS ?= deb rpm
-
-MKT_GITEA_RELEASE_ORG ?= Cadoles
-MKT_GITEA_RELEASE_PROJECT ?= hydra-werther
-MKT_GITEA_RELEASE_VERSION ?= $(MKT_PROJECT_VERSION)
-
-define MKT_GITEA_RELEASE_BODY
-## Docker usage
-
-```
-docker pull $(IMAGE_NAME):$(MKT_PROJECT_VERSION)
-```
-endef
-export MKT_GITEA_RELEASE_BODY
-
-build: build-bin build-image
-
-build-bin: clean generate
-	CGO_ENABLED=0 misc/script/build
-
-test: scan
-
-generate:
-	go generate ./...
-
-clean:
-	rm -rf bin dist
-
-dist:
-	mkdir -p dist
-
-package: clean build-bin $(foreach p,$(NFPM_PACKAGERS), package-$(p))
-
-package-%: dist tools/nfpm/bin/nfpm
-	PACKAGE_VERSION=$(MKT_PROJECT_VERSION) \
-		tools/nfpm/bin/nfpm package \
-			--config misc/packaging/nfpm.yml \
-			--target ./dist \
-			--packager $*
-
-tools/nfpm/bin/nfpm:
-	mkdir -p tools/nfpm/bin
-	curl -L --output tools/nfpm/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz https://github.com/goreleaser/nfpm/releases/download/v$(NFPM_VERSION)/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz \
-        && tar -xzf tools/nfpm/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz -C tools/nfpm/bin \
-        && chmod +x tools/nfpm/bin/nfpm \
-		&& rm -f tools/nfpm/nfpm_$(NFPM_VERSION)_Linux_x86_64.tar.gz
-
-build-image:
-	docker build \
-		-t "${IMAGE_NAME}:latest" \
-		.	
-
-scan: build-image tools/trivy/bin/trivy
-	mkdir -p .trivy
-	tools/trivy/bin/trivy --cache-dir .trivy/.cache image --ignorefile .trivyignore.yaml $(TRIVY_ARGS) $(IMAGE_NAME):latest
-	
-tools/trivy/bin/trivy:
-	mkdir -p tools/trivy/bin
-	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.47.0
-
-release: release-image release-gitea
-
-release-gitea: .mktools package
-	@[ ! -z "$(MKT_PROJECT_VERSION)" ] || ( echo "Just downloaded mktools. Please re-run command."; exit 1 )
-	$(MAKE) MKT_GITEA_RELEASE_ATTACHMENTS="$$(find dist/* -type f -printf '%p ')" mkt-gitea-release
-
-release-image: .mktools
-	@[ ! -z "$(MKT_PROJECT_VERSION)" ] || ( echo "Just downloaded mktools. Please re-run command."; exit 1 )
-	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_VERSION)"
-	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_SHORT_VERSION)"
-	docker tag "${IMAGE_NAME}:latest" "${IMAGE_NAME}:$(MKT_PROJECT_VERSION_CHANNEL)-latest"
-	
-	docker push "${IMAGE_NAME}:$(MKT_PROJECT_VERSION)"
-	docker push "${IMAGE_NAME}:$(MKT_PROJECT_SHORT_VERSION)"
-	docker push "${IMAGE_NAME}:$(MKT_PROJECT_VERSION_CHANNEL)-latest"
-
-.mktools:
-	rm -rf .mktools
-	curl -q https://forge.cadoles.com/Cadoles/mktools/raw/branch/master/install.sh | TASKS="version gitea" $(SHELL)
-
--include .mktools/*.mk

README.md

@@ -166,96 +166,13 @@ After that you should set the directory path to the environment variable `WERTHE
 
 ### Custom login page
 
-A login page's template must be a Go template. The template has access to data conforming the next JSON-schema:
-
-```yaml
-type: object
-properties:
-  - WebBasePath:
-      description: The base path of the login page
-      type: string
-  - LangPrefs:
-      description: The user language preferences (the parsed value of the header Accept-Language)
-      type: array
-      items:
-        type: object
-        properties:
-          - Lang:
-              description: The language canonical name.
-              type: string
-          - Weight:
-              description: The language weight.
-              type: number
-        required:
-          - Lang
-          - Weight
-  - Data:
-      type: object
-      properties:
-        - CSRFToken:
-            description: A CSRF token.
-            type: string
-        - Challenge:
-            description: A login challenge ID.
-            type: string
-        - LoginURL:
-            description: An endpoint that finishes the login process.
-            type: string
-        - IsInvalidCredentials:
-            description: Specifies that a user types an invalid username or password.
-            type: boolean
-        - IsInternalError:
-            description: Specifies that an internal server error happens when finishing the login process.
-            type: boolean
-      required:
-        - CSRFToken
-        - Challenge
-        - LoginURL
-        - IsInvalidCredentials
-        - IsInternalError
-required:
-  - WebBasePath
-  - LangPrefs
-  - Data
-```
-
-When a login page's template contains static resources (like styles, scripts, and images)
-they must be placed in a subdirectory called `static`.
-
-For a full example of a login page's template see [source code](internal/web/templates).
-
-### Custom login page (old format)
-
-*The old template format is also supported but it will be removed in the future major release.*
-
 A login page's template should contains blocks `title`, `style`, `script`, `content`.
-Each block has access to data conforming the next JSON-schema:
-
-```yaml
-type: object
-properties:
-  - CSRFToken:
-    description: A CSRF token.
-    type: string
-  - Challenge:
-    description: A login challenge ID.
-    type: string
-  - LoginURL:
-    description: An endpoint that finishes the login process.
-    type: string
-  - IsInvalidCredentials:
-    description: Specifies that a user types an invalid username or password.
-    type: boolean
-  - IsInternalError:
-    description: Specifies that an internal server error happens when finishing the login process.
-    type: boolean
-required:
-  - CSRFToken
-  - Challenge
-  - LoginURL
-  - IsInvalidCredentials
-  - IsInternalError
-```
+Each block has access to data that is an object with the next properties:
+- `CSRFToken` (string) - a CSRF token;
+- `Challenge` (string) - a login challenge ID;
+- `LoginURL` (string) - an endpoint that finishes the login process;
+- `IsInvalidCredentials` (bool) - specifies that a user types an invalid username or password;
+- `IsInternalError` (bool) specifies that an internal server error happens when finishing the login process.
 
 When a login page's template contains static resources (like styles, scripts, and images)
 they must be placed in a subdirectory called `static`.
@@ -313,7 +230,7 @@ For a full example of a login page's template see [source code](internal/web/tem
                 - --grant-types
                 - implicit
                 - --scope
-                - openid,profile,email,roles
+                - openid,profile,email
                 - --callbacks
                 - http://localhost:3000
                 - --post-logout-callbacks
@@ -338,8 +255,8 @@ For a full example of a login page's template see [source code](internal/web/tem
                 URLS_LOGIN: http://localhost:8080/auth/login
                 URLS_CONSENT: http://localhost:8080/auth/consent
                 URLS_LOGOUT: http://localhost:8080/auth/logout
-                WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone,roles
-                WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number,https://github.com/i-core/werther/claims/roles
+                WEBFINGER_OIDC_DISCOVERY_SUPPORTED_SCOPES: profile,email,phone
+                WEBFINGER_OIDC_DISCOVERY_SUPPORTED_CLAIMS: name,family_name,given_name,nickname,email,phone_number
                 DSN: memory
             command: serve all --dangerous-force-http
             networks:
@@ -353,7 +270,7 @@ For a full example of a login page's template see [source code](internal/web/tem
             depends_on:
                 - werther
         werther:
-            image: icoreru/werther:v1.1.1
+            image: icoreru/werther:v1.0.0
             environment:
                 WERTHER_IDENTP_HYDRA_URL: http://hydra:4445
                 WERTHER_LDAP_ENDPOINTS: ldap:389
@@ -390,7 +307,7 @@ For a full example of a login page's template see [source code](internal/web/tem
     docker stack deploy -c docker-compose.yml auth
     ```
 
-4. Open the browser with http://localhost:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email%20roles&state=12345678.
+4. Open the browser with http://localhost:4444/oauth2/auth?client_id=test-client&response_type=token&scope=openid%20profile%20email&state=12345678.
 
 ## Resources
 

cmd/werther/main.go

@@ -14,8 +14,6 @@ import (
 	"net/url"
 	"os"
 
-	"crypto/tls"
-
 	"github.com/i-core/rlog"
 	"github.com/i-core/routegroup"
 	"github.com/i-core/werther/internal/identp"
@@ -32,12 +30,11 @@ var version = ""
 
 // Config is a server's configuration.
 type Config struct {
-	DevMode            bool   `envconfig:"dev_mode" default:"false" desc:"Enable development mode"`
-	Listen             string `default:":8080" desc:"a host and port to listen on (<host>:<port>)"`
-	InsecureSkipVerify bool   `envconfig:"insecure_skip_verify" default:"false" desc:"Disable TLS verification on Hydra connection"`
-	Identp             identp.Config
-	LDAP               ldapclient.Config
-	Web                web.Config
+	DevMode bool   `envconfig:"dev_mode" default:"false" desc:"a development mode"`
+	Listen  string `default:":8080" desc:"a host and port to listen on (<host>:<port>)"`
+	Identp  identp.Config
+	LDAP    ldapclient.Config
+	Web     web.Config
 }
 
 func main() {
@@ -83,11 +80,6 @@ func main() {
 		os.Exit(1)
 	}
 
-	if cnf.InsecureSkipVerify {
-		log.Warn("All ssl verifications are disabled !")
-		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-	}
-
 	ldap := ldapclient.New(cnf.LDAP)
 
 	router := routegroup.NewRouter(nosurf.NewPure, rlog.NewMiddleware(log))

conf/hydra-werther.conf

@@ -1,131 +0,0 @@
-#WERTHER_DEV_MODE=
-  # [description] a development mode
-  # [type]        True or False
-  # [default]     false
-  # [required]
-
-#WERTHER_LISTEN=
-  # [description] a host and port to listen on (<host>:<port>)
-  # [type]        String
-  # [default]     :8080
-  # [required]
-
-WERTHER_IDENTP_HYDRA_URL=http://localhost:4445/
-  # [description] an admin URL of ORY Hydra Server
-  # [type]        String
-  # [default]     
-  # [required]    true
-
-#WERTHER_IDENTP_SESSION_TTL=
-  # [description] a user session's TTL
-  # [type]        Duration
-  # [default]     24h
-  # [required]    
-
-#WERTHER_IDENTP_CLAIM_SCOPES=
-  # [description] a mapping of OpenID Connect claims to scopes (all claims are URL encoded)
-  # [type]        Comma-separated list of String:String pairs
-  # [default]     name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles
-  # [required]    
-
-WERTHER_LDAP_ENDPOINTS=localhost:389
-  # [description] a LDAP's server URLs as "<address>:<port>"
-  # [type]        Comma-separated list of String
-  # [default]     
-  # [required]    true
-
-WERTHER_LDAP_BINDDN=
-  # [description] a LDAP bind DN
-  # [type]        String
-  # [default]     
-  # [required]    
-
-WERTHER_LDAP_BINDPW=
-  # [description] a LDAP bind password
-  # [type]        String
-  # [default]     
-  # [required]    
-
-WERTHER_LDAP_BASEDN=ou=users,dc=myorg,dc=com
-  # [description] a LDAP base DN for searching users
-  # [type]        String
-  # [default]     
-  # [required]    true
-
-#WERTHER_LDAP_USER_SEARCH_QUERY=
-  # [description] the user search query
-  # [type]        String
-  # [default]     (&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))
-  # [required]
-
-#WERTHER_LDAP_ATTR_CLAIMS=
-  # [description] a mapping of LDAP attributes to OpenID connect claims
-  # [type]        Comma-separated list of String:String pairs
-  # [default]     name:name,sn:family_name,givenName:given_name,mail:email
-  # [required]    
-
-WERTHER_LDAP_ROLE_BASEDN=ou=groups,dc=myorg,dc=com
-  # [description] a LDAP base DN for searching roles
-  # [type]        String
-  # [default]     
-  # [required]    true
-
-#WERTHER_LDAP_ROLE_SEARCH_QUERY=
-  # [description] the role search query
-  # [type]        String
-  # [default]     (|(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s)))
-  # [required] 
-
-#WERTHER_LDAP_ROLE_ATTR=
-  # [description] a LDAP group's attribute that contains a role's name
-  # [type]        String
-  # [default]     description
-  # [required]    
-
-#WERTHER_LDAP_ROLE_CLAIM=
-  # [description] a name of an OpenID Connect claim that contains user roles
-  # [type]        String
-  # [default]     https://github.com/i-core/werther/claims/roles
-  # [required]    
-
-#WERTHER_LDAP_CACHE_SIZE=
-  # [description] a user info cache's size in KiB
-  # [type]        Integer
-  # [default]     512
-  # [required]    
-
-#WERTHER_LDAP_CACHE_TTL=
-  # [description] a user info cache TTL
-  # [type]        Duration
-  # [default]     30m
-  # [required]    
-
-#WERTHER_LDAP_IS_TLS=
-  # [description] should LDAP connection be established via TLS
-  # [type]        True or False
-  # [default]     false
-  # [required]    
-
-#WERTHER_WEB_DIR=
-  # [description] a path to an external web directory
-  # [type]        String
-  # [default]     
-  # [required]    
-
-#WERTHER_WEB_BASE_PATH=
-  # [description] a base path of web pages
-  # [type]        String
-  # [default]     /
-  # [required]
-
-#WERTHER_LDAP_CONNECTION_TIMEOUT=
-  # [description] LDAP server connection timeout
-  # [type]        Duration
-  # [default]     60s
-  # [required]
-
-# WERTHER_INSECURE_SKIP_VERIFY=
-#   [description] Disable TLS verification on Hydra connection
-#   [type]        True or False
-#   [default]     false
-#   [required]

debian/compat

@@ -1 +0,0 @@
-9

debian/control

@@ -1,14 +0,0 @@
-Source: hydra-werther
-Section: unknown
-Priority: optional
-Maintainer: Cadoles <contact@cadoles.com>
-Build-Depends: debhelper (>= 8.0.0), wget, ca-certificates, tar
-Standards-Version: 3.9.4
-Homepage: http://forge.cadoles.com/Cadoles/hydra-werther
-Vcs-Git: http://forge.cadoles.com/Cadoles/hydra-werther.git
-Vcs-Browser: http://forge.cadoles.com/Cadoles/hydra-werther
-
-Package: hydra-werther
-Architecture: amd64
-Depends: ${shlibs:Depends}, ${misc:Depends}, ssl-cert
-Description: Hydra identity provider backed by LDAP compatible server

debian/hydra-werther.service

@@ -1,12 +0,0 @@
-[Unit]
-Description=Run Hydra Werther login/consent/logout app
-After=network-online.target
-
-[Service]
-Type=simple
-EnvironmentFile=/etc/hydra-werther/hydra-werther.conf
-ExecStart=/usr/bin/hydra-werther
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target

debian/rules

@@ -1,40 +0,0 @@
-#!/usr/bin/make -f
-# -*- makefile -*-
-
-# Uncomment this to turn on verbose mode.
-export DH_VERBOSE=1
-
-GO_VERSION := 1.17.1
-OS := linux
-ARCH := amd64
-GOPATH=$(HOME)/go
-
-ifeq (, $(shell which go 2>/dev/null))
-override_dh_auto_build: install-go
-endif
-
-%:
-	dh $@ --with systemd
-
-install-go:
-	wget https://dl.google.com/go/go$(GO_VERSION).$(OS)-$(ARCH).tar.gz
-	tar -C /usr/local -xzf go$(GO_VERSION).$(OS)-$(ARCH).tar.gz
-
-override_dh_auto_build: $(GOPATH)
-	GOPATH=$(GOPATH) PATH="$(PATH):/usr/local/go/bin:$(GOPATH)/bin" DISTS=$(OS)/$(ARCH) make
-
-$(GOPATH):
-	mkdir -p $(GOPATH)
-
-override_dh_auto_install:
-	mkdir -p debian/hydra-werther/usr/bin
-	mkdir -p debian/hydra-werther/etc/hydra-werther
-
-	cp bin/werther_$(OS)_$(ARCH) debian/hydra-werther/usr/bin/hydra-werther
-	cp conf/hydra-werther.conf debian/hydra-werther/etc/hydra-werther
-
-	install -d debian/hydra-werther
-
-override_dh_strip:
-
-override_dh_auto_test:

debian/source/format

@@ -1 +0,0 @@
-3.0 (native)

go.mod

@@ -1,34 +1,21 @@
 module github.com/i-core/werther
 
 require (
+	github.com/OneOfOne/xxhash v1.2.2 // indirect
 	github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883
+	github.com/cespare/xxhash v1.0.0 // indirect
 	github.com/coocood/freecache v1.0.1
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/elazarl/go-bindata-assetfs v1.0.0
-	github.com/go-ldap/ldap/v3 v3.2.3
 	github.com/i-core/rlog v1.0.0
 	github.com/i-core/routegroup v1.0.0
 	github.com/justinas/nosurf v0.0.0-20171023064657-7182011986c4
 	github.com/kelseyhightower/envconfig v1.3.0
 	github.com/kevinburke/go-bindata v3.13.0+incompatible
 	github.com/pkg/errors v0.8.1
-	go.uber.org/zap v1.10.0
-	golang.org/x/text v0.3.2
-)
-
-require (
-	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
-	github.com/OneOfOne/xxhash v1.2.2 // indirect
-	github.com/cespare/xxhash v1.0.0 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/go-asn1-ber/asn1-ber v1.5.1 // indirect
-	github.com/gofrs/uuid v3.2.0+incompatible // indirect
-	github.com/julienschmidt/httprouter v1.2.0 // indirect
-	github.com/justinas/alice v0.0.0-20171023064455-03f45bd4b7da // indirect
 	github.com/sergi/go-diff v1.0.0 // indirect
 	github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72 // indirect
-	go.uber.org/atomic v1.4.0 // indirect
-	go.uber.org/multierr v1.1.0 // indirect
-	golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 // indirect
+	go.uber.org/zap v1.10.0
+	gopkg.in/asn1-ber.v1 v1.0.0-20170511165959-379148ca0225 // indirect
+	gopkg.in/ldap.v2 v2.5.1
 )
-
-go 1.21

go.sum

@@ -1,5 +1,3 @@
-github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
-github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=
@@ -13,10 +11,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/elazarl/go-bindata-assetfs v1.0.0 h1:G/bYguwHIzWq9ZoyUQqrjTmJbbYn3j3CKKpKinvZLFk=
 github.com/elazarl/go-bindata-assetfs v1.0.0/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4=
-github.com/go-asn1-ber/asn1-ber v1.5.1 h1:pDbRAunXzIUXfx4CB2QJFv5IuPiuoW+sWvr/Us009o8=
-github.com/go-asn1-ber/asn1-ber v1.5.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-ldap/ldap/v3 v3.2.3 h1:FBt+5w3q/vPVPb4eYMQSn+pOiz4zewPamYhlGMmc7yM=
-github.com/go-ldap/ldap/v3 v3.2.3/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
 github.com/gofrs/uuid v3.2.0+incompatible h1:y12jRkkFxsd7GpqdSZ+/KCs/fJbqpEXSGd4+jfEaewE=
 github.com/gofrs/uuid v3.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/i-core/rlog v1.0.0 h1:8CY2rsqvm3Z9cfl3hroppn8LTBwbtL45+ho79JTz8Jg=
@@ -50,13 +44,7 @@ go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 h1:vEg9joUBmeBcK9iSJftGNf3coIG4HqZElCPehJsfAYM=
-golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+gopkg.in/asn1-ber.v1 v1.0.0-20170511165959-379148ca0225 h1:JBwmEvLfCqgPcIq8MjVMQxsF3LVL4XG/HH0qiG0+IFY=
+gopkg.in/asn1-ber.v1 v1.0.0-20170511165959-379148ca0225/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
+gopkg.in/ldap.v2 v2.5.1 h1:wiu0okdNfjlBzg6UWvd1Hn8Y+Ux17/u/4nlk4CQr6tU=
+gopkg.in/ldap.v2 v2.5.1/go.mod h1:oI0cpe/D7HRtBQl8aTg+ZmzFUAvu4lsv3eLXMLGFxWk=

internal/hydra/consent.go

@@ -13,19 +13,18 @@ import (
 
 // ConsentReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process.
 type ConsentReqDoer struct {
-	hydraURL           string
-	fakeTLSTermination bool
-	rememberFor        int
+	hydraURL    string
+	rememberFor int
 }
 
 // NewConsentReqDoer creates a ConsentRequest.
-func NewConsentReqDoer(hydraURL string, fakeTLSTermination bool, rememberFor int) *ConsentReqDoer {
-	return &ConsentReqDoer{hydraURL: hydraURL, fakeTLSTermination: fakeTLSTermination, rememberFor: rememberFor}
+func NewConsentReqDoer(hydraURL string, rememberFor int) *ConsentReqDoer {
+	return &ConsentReqDoer{hydraURL: hydraURL, rememberFor: rememberFor}
 }
 
 // InitiateRequest fetches information on the OAuth2 request.
 func (crd *ConsentReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
-	ri, err := initiateRequest(consent, crd.hydraURL, crd.fakeTLSTermination, challenge)
+	ri, err := initiateRequest(consent, crd.hydraURL, challenge)
 	return ri, errors.Wrap(err, "failed to initiate consent request")
 }
 
@@ -47,6 +46,6 @@ func (crd *ConsentReqDoer) AcceptConsentRequest(challenge string, remember bool,
 			IDToken: idToken,
 		},
 	}
-	redirectURI, err := acceptRequest(consent, crd.hydraURL, crd.fakeTLSTermination, challenge, data)
+	redirectURI, err := acceptRequest(consent, crd.hydraURL, challenge, data)
 	return redirectURI, errors.Wrap(err, "failed to accept consent request")
 }

internal/hydra/consent_test.go

@@ -55,7 +55,7 @@ func TestInitiateConsentRequest(t *testing.T) {
 			h := &testInitiateConsentHandler{reqInfo: tc.reqInfo, status: tc.status}
 			srv := httptest.NewServer(h)
 			defer srv.Close()
-			ldr := hydra.NewConsentReqDoer(srv.URL, false, tc.rememberFor)
+			ldr := hydra.NewConsentReqDoer(srv.URL, tc.rememberFor)
 
 			reqInfo, err := ldr.InitiateRequest(tc.challenge)
 
@@ -149,7 +149,7 @@ func TestAcceptConsentRequest(t *testing.T) {
 			h := &testAcceptConsentHandler{challenge: tc.challenge, status: tc.status, redirect: tc.redirect}
 			srv := httptest.NewServer(h)
 			defer srv.Close()
-			ldr := hydra.NewConsentReqDoer(srv.URL, false, tc.rememberFor)
+			ldr := hydra.NewConsentReqDoer(srv.URL, tc.rememberFor)
 
 			var grantScope []string
 			for _, v := range tc.grantScope {

internal/hydra/hydra.go

@@ -26,8 +26,6 @@ var (
 	ErrChallengeNotFound = errors.New("challenge not found")
 	// ErrChallengeExpired is an error that happens when a challenge is already used.
 	ErrChallengeExpired = errors.New("challenge expired")
-	//ErrServiceUnavailable is an error that happens when the hydra admin service is unavailable
-	ErrServiceUnavailable = errors.New("hydra service unavailable")
 )
 
 type reqType string
@@ -46,7 +44,7 @@ type ReqInfo struct {
 	Subject         string   `json:"subject"`
 }
 
-func initiateRequest(typ reqType, hydraURL string, fakeTLSTermination bool, challenge string) (*ReqInfo, error) {
+func initiateRequest(typ reqType, hydraURL, challenge string) (*ReqInfo, error) {
 	if challenge == "" {
 		return nil, ErrChallengeMissed
 	}
@@ -54,23 +52,13 @@ func initiateRequest(typ reqType, hydraURL string, fakeTLSTermination bool, chal
 	if err != nil {
 		return nil, err
 	}
-
 	u, err := parseURL(hydraURL)
 	if err != nil {
 		return nil, err
 	}
 	u = u.ResolveReference(ref)
 
-	req, err := http.NewRequest("GET", u.String(), nil)
-	if err != nil {
-		return nil, err
-	}
-	if fakeTLSTermination {
-		req.Header.Add("X-Forwarded-Proto", "https")
-	}
-
-	client := &http.Client{}
-	resp, err := client.Do(req)
+	resp, err := http.Get(u.String())
 	if err != nil {
 		return nil, err
 	}
@@ -88,7 +76,7 @@ func initiateRequest(typ reqType, hydraURL string, fakeTLSTermination bool, chal
 	return &ri, nil
 }
 
-func acceptRequest(typ reqType, hydraURL string, fakeTLSTermination bool, challenge string, data interface{}) (string, error) {
+func acceptRequest(typ reqType, hydraURL, challenge string, data interface{}) (string, error) {
 	if challenge == "" {
 		return "", ErrChallengeMissed
 	}
@@ -113,10 +101,6 @@ func acceptRequest(typ reqType, hydraURL string, fakeTLSTermination bool, challe
 	if err != nil {
 		return "", err
 	}
-	if fakeTLSTermination {
-		r.Header.Add("X-Forwarded-Proto", "https")
-	}
-
 	r.Header.Set("Content-Type", "application/json")
 	resp, err := http.DefaultClient.Do(r)
 	if err != nil {
@@ -148,8 +132,6 @@ func checkResponse(resp *http.Response) error {
 		return ErrChallengeNotFound
 	case 409:
 		return ErrChallengeExpired
-	case 503:
-		return ErrServiceUnavailable
 	default:
 		var rs struct {
 			Message string `json:"error"`

internal/hydra/login.go

@@ -13,19 +13,18 @@ import (
 
 // LoginReqDoer fetches information on the OAuth2 request and then accept or reject the requested authentication process.
 type LoginReqDoer struct {
-	hydraURL           string
-	fakeTLSTermination bool
-	rememberFor        int
+	hydraURL    string
+	rememberFor int
 }
 
 // NewLoginReqDoer creates a LoginRequest.
-func NewLoginReqDoer(hydraURL string, fakeTLSTermination bool, rememberFor int) *LoginReqDoer {
-	return &LoginReqDoer{hydraURL: hydraURL, fakeTLSTermination: fakeTLSTermination, rememberFor: rememberFor}
+func NewLoginReqDoer(hydraURL string, rememberFor int) *LoginReqDoer {
+	return &LoginReqDoer{hydraURL: hydraURL, rememberFor: rememberFor}
 }
 
 // InitiateRequest fetches information on the OAuth2 request.
 func (lrd *LoginReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
-	ri, err := initiateRequest(login, lrd.hydraURL, lrd.fakeTLSTermination, challenge)
+	ri, err := initiateRequest(login, lrd.hydraURL, challenge)
 	return ri, errors.Wrap(err, "failed to initiate login request")
 }
 
@@ -40,6 +39,6 @@ func (lrd *LoginReqDoer) AcceptLoginRequest(challenge string, remember bool, sub
 		RememberFor: lrd.rememberFor,
 		Subject:     subject,
 	}
-	redirectURI, err := acceptRequest(login, lrd.hydraURL, lrd.fakeTLSTermination, challenge, data)
+	redirectURI, err := acceptRequest(login, lrd.hydraURL, challenge, data)
 	return redirectURI, errors.Wrap(err, "failed to accept login request")
 }

internal/hydra/login_test.go

@@ -60,7 +60,7 @@ func TestInitiateLoginRequest(t *testing.T) {
 			h := &testInitiateLoginHandler{reqInfo: tc.reqInfo, status: tc.status}
 			srv := httptest.NewServer(h)
 			defer srv.Close()
-			ldr := hydra.NewLoginReqDoer(srv.URL, false, 0)
+			ldr := hydra.NewLoginReqDoer(srv.URL, 0)
 
 			reqInfo, err := ldr.InitiateRequest(tc.challenge)
 
@@ -160,7 +160,7 @@ func TestAcceptLoginRequest(t *testing.T) {
 			h := &testAcceptLoginHandler{challenge: tc.challenge, status: tc.status, redirect: tc.redirect}
 			srv := httptest.NewServer(h)
 			defer srv.Close()
-			ldr := hydra.NewLoginReqDoer(srv.URL, false, tc.rememberFor)
+			ldr := hydra.NewLoginReqDoer(srv.URL, tc.rememberFor)
 
 			redirect, err := ldr.AcceptLoginRequest(tc.challenge, tc.remember, tc.subject)
 

internal/hydra/logout.go

@@ -13,23 +13,22 @@ import (
 
 // LogoutReqDoer fetches information on the OAuth2 request and then accepts or rejects the requested logout process.
 type LogoutReqDoer struct {
-	hydraURL           string
-	fakeTLSTermination bool
+	hydraURL string
 }
 
 // NewLogoutReqDoer creates a LogoutRequest.
-func NewLogoutReqDoer(hydraURL string, fakeTLSTermination bool) *LogoutReqDoer {
-	return &LogoutReqDoer{hydraURL: hydraURL, fakeTLSTermination: fakeTLSTermination}
+func NewLogoutReqDoer(hydraURL string) *LogoutReqDoer {
+	return &LogoutReqDoer{hydraURL: hydraURL}
 }
 
 // InitiateRequest fetches information on the OAuth2 request.
 func (lrd *LogoutReqDoer) InitiateRequest(challenge string) (*ReqInfo, error) {
-	ri, err := initiateRequest(logout, lrd.hydraURL, lrd.fakeTLSTermination, challenge)
+	ri, err := initiateRequest(logout, lrd.hydraURL, challenge)
 	return ri, errors.Wrap(err, "failed to initiate logout request")
 }
 
 // AcceptLogoutRequest accepts the requested logout process, and returns redirect URI.
 func (lrd *LogoutReqDoer) AcceptLogoutRequest(challenge string) (string, error) {
-	redirectURI, err := acceptRequest(logout, lrd.hydraURL, lrd.fakeTLSTermination, challenge, nil)
+	redirectURI, err := acceptRequest(logout, lrd.hydraURL, challenge, nil)
 	return redirectURI, errors.Wrap(err, "failed to accept logout request")
 }

internal/hydra/logout_test.go

@@ -44,7 +44,7 @@ func TestInitiateLogoutRequest(t *testing.T) {
 			h := &testInitiateLogoutHandler{reqInfo: tc.reqInfo, status: tc.status}
 			srv := httptest.NewServer(h)
 			defer srv.Close()
-			ldr := hydra.NewLogoutReqDoer(srv.URL, false)
+			ldr := hydra.NewLogoutReqDoer(srv.URL)
 
 			reqInfo, err := ldr.InitiateRequest(tc.challenge)
 
@@ -126,7 +126,7 @@ func TestAcceptLogoutRequest(t *testing.T) {
 			h := &testAcceptLogoutHandler{challenge: tc.challenge, status: tc.status, redirect: tc.redirect}
 			srv := httptest.NewServer(h)
 			defer srv.Close()
-			ldr := hydra.NewLogoutReqDoer(srv.URL, false)
+			ldr := hydra.NewLogoutReqDoer(srv.URL)
 
 			redirect, err := ldr.AcceptLogoutRequest(tc.challenge)
 

internal/identp/identp.go

@@ -11,7 +11,6 @@ package identp
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@@ -28,10 +27,9 @@ const loginTmplName = "login.tmpl"
 
 // Config is a Hydra configuration.
 type Config struct {
-	HydraURL           string            `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
-	SessionTTL         time.Duration     `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
-	ClaimScopes        map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
-	FakeTLSTermination bool              `envconfig:"fake_tls_termination" default:"false" desc:"Fake tls termination by adding \"X-Forwarded-Proto: https\" to http headers "`
+	HydraURL    string            `envconfig:"hydra_url" required:"true" desc:"an admin URL of ORY Hydra Server"`
+	SessionTTL  time.Duration     `envconfig:"session_ttl" default:"24h" desc:"a user session's TTL"`
+	ClaimScopes map[string]string `envconfig:"claim_scopes" default:"name:profile,family_name:profile,given_name:profile,email:email,https%3A%2F%2Fgithub.com%2Fi-core%2Fwerther%2Fclaims%2Froles:roles" desc:"a mapping of OpenID Connect claims to scopes (all claims are URL encoded)"`
 }
 
 // UserManager is an interface that is used for authentication and providing user's claims.
@@ -54,7 +52,7 @@ type oidcClaimsFinder interface {
 
 // TemplateRenderer renders a template with data and writes it to a http.ResponseWriter.
 type TemplateRenderer interface {
-	RenderTemplate(w http.ResponseWriter, r *http.Request, name string, data interface{}) error
+	RenderTemplate(w http.ResponseWriter, name string, data interface{}) error
 }
 
 // LoginTmplData is a data that is needed for rendering the login page.
@@ -85,10 +83,10 @@ func NewHandler(cnf Config, um UserManager, tr TemplateRenderer) *Handler {
 // AddRoutes registers all required routes for Login & Consent Provider.
 func (h *Handler) AddRoutes(apply func(m, p string, h http.Handler, mws ...func(http.Handler) http.Handler)) {
 	sessionTTL := int(h.SessionTTL.Seconds())
-	apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, 0), h.tr))
-	apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.tr))
-	apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, h.FakeTLSTermination, sessionTTL), h.um, h.ClaimScopes))
-	apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL, h.FakeTLSTermination)))
+	apply(http.MethodGet, "/login", newLoginStartHandler(hydra.NewLoginReqDoer(h.HydraURL, 0), h.tr))
+	apply(http.MethodPost, "/login", newLoginEndHandler(hydra.NewLoginReqDoer(h.HydraURL, sessionTTL), h.um, h.tr))
+	apply(http.MethodGet, "/consent", newConsentHandler(hydra.NewConsentReqDoer(h.HydraURL, sessionTTL), h.um, h.ClaimScopes))
+	apply(http.MethodGet, "/logout", newLogoutHandler(hydra.NewLogoutReqDoer(h.HydraURL)))
 }
 
 // oa2LoginReqAcceptor is an interface that is used for accepting an OAuth2 login request.
@@ -128,8 +126,7 @@ func newLoginStartHandler(rproc oa2LoginReqProcessor, tmplRenderer TemplateRende
 				return
 			}
 			log.Infow("Failed to initiate an OAuth2 login request", zap.Error(err), "challenge", challenge)
-			errMsg := fmt.Sprintf("%s - %s - %s", http.StatusText(http.StatusInternalServerError), err, errors.Cause(err))
-			http.Error(w, errMsg, http.StatusInternalServerError)
+			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 			return
 		}
 		log.Infow("A login request is initiated", "challenge", challenge, "username", ri.Subject)
@@ -150,7 +147,7 @@ func newLoginStartHandler(rproc oa2LoginReqProcessor, tmplRenderer TemplateRende
 			Challenge: challenge,
 			LoginURL:  strings.TrimPrefix(r.URL.String(), "/"),
 		}
-		if err := tmplRenderer.RenderTemplate(w, r, loginTmplName, data); err != nil {
+		if err := tmplRenderer.RenderTemplate(w, loginTmplName, data); err != nil {
 			log.Infow("Failed to render a login page template", zap.Error(err))
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 			return
@@ -173,7 +170,7 @@ func newLoginEndHandler(ra oa2LoginReqAcceptor, auther authenticator, tmplRender
 		data := LoginTmplData{
 			CSRFToken: nosurf.Token(r),
 			Challenge: challenge,
-			LoginURL:  strings.TrimPrefix(r.URL.String(), "/"),
+			LoginURL:  r.URL.String(),
 		}
 
 		username, password := r.Form.Get("username"), r.Form.Get("password")
@@ -183,7 +180,7 @@ func newLoginEndHandler(ra oa2LoginReqAcceptor, auther authenticator, tmplRender
 			data.IsInternalError = true
 			log.Infow("Failed to authenticate a login request via the OAuth2 provider",
 				zap.Error(err), "challenge", challenge, "username", username)
-			if err = tmplRenderer.RenderTemplate(w, r, loginTmplName, data); err != nil {
+			if err = tmplRenderer.RenderTemplate(w, loginTmplName, data); err != nil {
 				log.Infow("Failed to render a login page template", zap.Error(err))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 			}
@@ -191,7 +188,7 @@ func newLoginEndHandler(ra oa2LoginReqAcceptor, auther authenticator, tmplRender
 		case !ok:
 			data.IsInvalidCredentials = true
 			log.Debugw("Invalid credentials", zap.Error(err), "challenge", challenge, "username", username)
-			if err = tmplRenderer.RenderTemplate(w, r, loginTmplName, data); err != nil {
+			if err = tmplRenderer.RenderTemplate(w, loginTmplName, data); err != nil {
 				log.Infow("Failed to render a login page template", zap.Error(err))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 			}
@@ -204,7 +201,7 @@ func newLoginEndHandler(ra oa2LoginReqAcceptor, auther authenticator, tmplRender
 		if err != nil {
 			data.IsInternalError = true
 			log.Infow("Failed to accept a login request via the OAuth2 provider", zap.Error(err))
-			if err := tmplRenderer.RenderTemplate(w, r, loginTmplName, data); err != nil {
+			if err := tmplRenderer.RenderTemplate(w, loginTmplName, data); err != nil {
 				log.Infow("Failed to render a login page template", zap.Error(err))
 				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 			}

internal/identp/identp_test.go

@@ -98,7 +98,7 @@ func TestHandleLoginStart(t *testing.T) {
 			rr := httptest.NewRecorder()
 
 			tmplRenderer := &testTemplateRenderer{
-				renderTmplFunc: func(w http.ResponseWriter, r *http.Request, name string, data interface{}) error {
+				renderTmplFunc: func(w http.ResponseWriter, name string, data interface{}) error {
 					if name != "login.tmpl" {
 						t.Fatalf("wrong template name: got %q; want \"login.tmpl\"", name)
 					}
@@ -264,7 +264,7 @@ func TestHandleLoginEnd(t *testing.T) {
 			rr := httptest.NewRecorder()
 
 			tmplRenderer := &testTemplateRenderer{
-				renderTmplFunc: func(w http.ResponseWriter, r *http.Request, name string, data interface{}) error {
+				renderTmplFunc: func(w http.ResponseWriter, name string, data interface{}) error {
 					if name != "login.tmpl" {
 						t.Fatalf("wrong template name: got %q; want \"login.tmpl\"", name)
 					}
@@ -327,11 +327,11 @@ func TestHandleLoginEnd(t *testing.T) {
 }
 
 type testTemplateRenderer struct {
-	renderTmplFunc func(w http.ResponseWriter, r *http.Request, name string, data interface{}) error
+	renderTmplFunc func(w http.ResponseWriter, name string, data interface{}) error
 }
 
-func (tl *testTemplateRenderer) RenderTemplate(w http.ResponseWriter, r *http.Request, name string, data interface{}) error {
-	return tl.renderTmplFunc(w, r, name, data)
+func (tl *testTemplateRenderer) RenderTemplate(w http.ResponseWriter, name string, data interface{}) error {
+	return tl.renderTmplFunc(w, name, data)
 }
 
 type testAuthenticator struct {

internal/ldapclient/ldapclient.go

@@ -9,7 +9,6 @@ package ldapclient
 
 import (
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"net"
@@ -18,10 +17,10 @@ import (
 	"time"
 
 	"github.com/coocood/freecache"
-	"github.com/go-ldap/ldap/v3"
 	"github.com/i-core/rlog"
 	"github.com/pkg/errors"
 	"go.uber.org/zap"
+	ldap "gopkg.in/ldap.v2"
 )
 
 var (
@@ -48,20 +47,16 @@ type connector interface {
 
 // Config is a LDAP configuration.
 type Config struct {
-	Endpoints         []string          `envconfig:"endpoints" required:"true" desc:"a LDAP's server URLs as \"<address>:<port>\""`
-	BindDN            string            `envconfig:"binddn" desc:"a LDAP bind DN"`
-	BindPass          string            `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
-	BaseDN            string            `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
-	UserSearchQuery   string            `envconfig:"user_search_query" desc:"the user search query" default:"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))"`
-	AttrClaims        map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
-	RoleBaseDN        string            `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
-	RoleSearchQuery   string            `envconfig:"role_search_query" desc:"the role search query" default:"(|(&(|(objectClass=group)(objectClass=groupOfNames))(member=%[1]s))(&(objectClass=groupOfUniqueNames)(uniqueMember=%[1]s)))"`
-	RoleAttr          string            `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
-	RoleClaim         string            `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
-	CacheSize         int               `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
-	CacheTTL          time.Duration     `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
-	IsTLS             bool              `envconfig:"is_tls" default:"false" desc:"should LDAP connection be established via TLS"`
-	ConnectionTimeout time.Duration     `envconfig:"connection_timeout" default:"60s" desc:"LDAP server connection timeout"`
+	Endpoints  []string          `envconfig:"endpoints" required:"true" desc:"a LDAP's server URLs as \"<address>:<port>\""`
+	BindDN     string            `envconfig:"binddn" desc:"a LDAP bind DN"`
+	BindPass   string            `envconfig:"bindpw" json:"-" desc:"a LDAP bind password"`
+	BaseDN     string            `envconfig:"basedn" required:"true" desc:"a LDAP base DN for searching users"`
+	AttrClaims map[string]string `envconfig:"attr_claims" default:"name:name,sn:family_name,givenName:given_name,mail:email" desc:"a mapping of LDAP attributes to OpenID connect claims"`
+	RoleBaseDN string            `envconfig:"role_basedn" required:"true" desc:"a LDAP base DN for searching roles"`
+	RoleAttr   string            `envconfig:"role_attr" default:"description" desc:"a LDAP group's attribute that contains a role's name"`
+	RoleClaim  string            `envconfig:"role_claim" default:"https://github.com/i-core/werther/claims/roles" desc:"a name of an OpenID Connect claim that contains user roles"`
+	CacheSize  int               `envconfig:"cache_size" default:"512" desc:"a user info cache's size in KiB"`
+	CacheTTL   time.Duration     `envconfig:"cache_ttl" default:"30m" desc:"a user info cache TTL"`
 }
 
 // Client is a LDAP client (compatible with Active Directory).
@@ -74,16 +69,9 @@ type Client struct {
 // New creates a new LDAP client.
 func New(cnf Config) *Client {
 	return &Client{
-		Config: cnf,
-		connector: &ldapConnector{
-			BaseDN:            cnf.BaseDN,
-			UserSearchQuery:   cnf.UserSearchQuery,
-			RoleBaseDN:        cnf.RoleBaseDN,
-			IsTLS:             cnf.IsTLS,
-			RoleSearchQuery:   cnf.RoleSearchQuery,
-			ConnectionTimeout: cnf.ConnectionTimeout,
-		},
-		cache: freecache.NewCache(cnf.CacheSize * 1024),
+		Config:    cnf,
+		connector: &ldapConnector{BaseDN: cnf.BaseDN, RoleBaseDN: cnf.RoleBaseDN},
+		cache:     freecache.NewCache(cnf.CacheSize * 1024),
 	}
 }
 
@@ -195,7 +183,7 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) (map[str
 		return nil, err
 	}
 
-	roles := make([]map[string]interface{}, 0)
+	roles := make(map[string]interface{})
 	for _, entry := range entries {
 		roleDN, ok := entry["dn"].(string)
 		if !ok || roleDN == "" {
@@ -213,8 +201,21 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) (map[str
 		if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
 			panic("You should never see that")
 		}
+		// The DN without the role's base DN must contain a CN and OU
+		// where the CN is for uniqueness only, and the OU is an application id.
+		path := strings.Split(roleDN[:n-k-1], ",")
+		if len(path) != 2 {
+			log.Infow("A role's DN without the role's base DN must contain two nodes only",
+				"roleBaseDN", cli.RoleBaseDN, "roleDN", roleDN)
+			continue
+		}
+		appID := path[1][len("OU="):]
 
-		roles = append(roles, entry)
+		var appRoles []interface{}
+		if v := roles[appID]; v != nil {
+			appRoles = v.([]interface{})
+		}
+		roles[appID] = append(appRoles, entry[cli.RoleAttr])
 	}
 	claims[cli.RoleClaim] = roles
 
@@ -293,47 +294,25 @@ func (cli *Client) findBasicUserDetails(cn conn, username string, attrs []string
 }
 
 type ldapConnector struct {
-	BaseDN            string
-	RoleBaseDN        string
-	IsTLS             bool
-	UserSearchQuery   string
-	RoleSearchQuery   string
-	ConnectionTimeout time.Duration
+	BaseDN     string
+	RoleBaseDN string
 }
 
 func (c *ldapConnector) Connect(ctx context.Context, addr string) (conn, error) {
-	d := net.Dialer{Timeout: c.ConnectionTimeout}
+	d := net.Dialer{Timeout: ldap.DefaultTimeout}
 	tcpcn, err := d.DialContext(ctx, "tcp", addr)
 	if err != nil {
 		return nil, err
 	}
-
-	if c.IsTLS {
-		tlscn, err := tls.DialWithDialer(&d, "tcp", addr, nil)
-		if err != nil {
-			return nil, err
-		}
-		tcpcn = tlscn
-	}
-
-	ldapcn := ldap.NewConn(tcpcn, c.IsTLS)
-
+	ldapcn := ldap.NewConn(tcpcn, false)
 	ldapcn.Start()
-	return &ldapConn{
-		Conn:            ldapcn,
-		BaseDN:          c.BaseDN,
-		UserSearchQuery: c.UserSearchQuery,
-		RoleBaseDN:      c.RoleBaseDN,
-		RoleSearchQuery: c.RoleSearchQuery,
-	}, nil
+	return &ldapConn{Conn: ldapcn, BaseDN: c.BaseDN, RoleBaseDN: c.RoleBaseDN}, nil
 }
 
 type ldapConn struct {
 	*ldap.Conn
-	BaseDN          string
-	RoleBaseDN      string
-	UserSearchQuery string
-	RoleSearchQuery string
+	BaseDN     string
+	RoleBaseDN string
 }
 
 func (c *ldapConn) Bind(bindDN, password string) error {
@@ -345,12 +324,14 @@ func (c *ldapConn) Bind(bindDN, password string) error {
 }
 
 func (c *ldapConn) SearchUser(user string, attrs ...string) ([]map[string]interface{}, error) {
-	query := fmt.Sprintf(c.UserSearchQuery, user)
+	query := fmt.Sprintf(
+		"(&(|(objectClass=organizationalPerson)(objectClass=inetOrgPerson))"+
+			"(|(uid=%[1]s)(mail=%[1]s)(userPrincipalName=%[1]s)(sAMAccountName=%[1]s)))", user)
 	return c.searchEntries(c.BaseDN, query, attrs)
 }
 
 func (c *ldapConn) SearchUserRoles(user string, attrs ...string) ([]map[string]interface{}, error) {
-	query := fmt.Sprintf(c.RoleSearchQuery, user)
+	query := fmt.Sprintf("(&(objectClass=group)(member=%s))", user)
 	return c.searchEntries(c.RoleBaseDN, query, attrs)
 }
 

internal/web/templates/login.tmpl

@@ -1,43 +1,45 @@
-<!DOCTYPE html>
-<html lang="{{ (index .LangPrefs 0).Lang }}">
-	<head>
-		<meta name="viewport" content="width=device-width, initial-scale=1">
-		<title>Login Provider Werther</title>
-		<base href="{{ .WebBasePath }}">
-		<link rel="stylesheet" href="static/style.css">
-	</head>
-	<body>
-		<div class="login-page">
-			<div class="form">
-				<p class="message">
-				{{ if .Data.IsInvalidCredentials }}
-					Invalid username or password
-				{{ else if .Data.IsInternalError }}
-					Internal server error
-				{{ else }}
-					&nbsp;
-				{{ end }}
-				</p>
-				<form class="login-form" action="{{ .Data.LoginURL }}" method="POST">
-					<input type="hidden" name="csrf_token" value="{{ .Data.CSRFToken }}">
-					<input type="hidden" name="login_challenge" value="{{ .Data.Challenge }}">
+{{ define "title" }}
+	Login Provider Werther
+{{ end }}
 
-					<input type="text" placeholder="username" name="username"/>
-					<input type="password" placeholder="password" name="password"/>
+{{ define "style" }}
+	<link rel="stylesheet" href="static/style.css">
+{{ end }}
 
-					<div class="checkbox remember-container">
-						<div class="checkbox-overlay">
-							<input type="checkbox" name="remember" />
-							<div class="checkbox-container">
-								<div class="checkbox-checkmark"></div>
-							</div>
-							<label for="remember">Remember me</label>
+{{ define "js" }}
+	<script type="text/javascript" src="static/script.js"></script>
+{{ end }}
+
+{{ define "content" }}
+	<div class="login-page">
+		<div class="form">
+			<p class="message">
+			{{ if .IsInvalidCredentials }}
+				Invalid username or password
+			{{ else if .IsInternalError }}
+				Internal server error
+			{{ else }}
+				&nbsp;
+			{{ end }}
+			</p>
+			<form class="login-form" action="{{ .LoginURL }}" method="POST">
+				<input type="hidden" name="csrf_token" value={{ .CSRFToken }}>
+				<input type="hidden" name="login_challenge" value={{ .Challenge }}>
+
+				<input type="text" placeholder="username" name="username"/>
+				<input type="password" placeholder="password" name="password"/>
+
+				<div class="checkbox remember-container">
+					<div class="checkbox-overlay">
+						<input type="checkbox" name="remember" />
+						<div class="checkbox-container">
+							<div class="checkbox-checkmark"></div>
 						</div>
+						<label for="remember">Remember me</label>
 					</div>
-					<button type="submit">login</button>
-				</form>
-			</div>
+				</div>
+				<button type="submit">login</button>
+			</form>
 		</div>
-		<script type="text/javascript" src="static/script.js"></script>
-	</body>
-</html>
+	</div>
+{{ end }}

internal/web/templates/static/style.css

@@ -1,40 +1,4 @@
-/* cyrillic-ext */
-@font-face {
-    font-family: 'Roboto';
-    font-style: normal;
-    font-weight: 400;
-    src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
-        url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
-    unicode-range: U+0460-052F, U+1C80-1C88, U+20B4, U+2DE0-2DFF, U+A640-A69F, U+FE2E-FE2F;
-}
-/* cyrillic */
-@font-face {
-    font-family: 'Roboto';
-    font-style: normal;
-    font-weight: 400;
-    src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
-        url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
-    unicode-range: U+0400-045F, U+0490-0491, U+04B0-04B1, U+2116;
-}
-/* latin-ext */
-@font-face {
-    font-family: 'Roboto';
-    font-style: normal;
-    font-weight: 400;
-    src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
-        url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
-    unicode-range: U+0100-024F, U+0259, U+1E00-1EFF, U+2020, U+20A0-20AB, U+20AD-20CF, U+2113, U+2C60-2C7F, U+A720-A7FF;
-}
-/* latin */
-@font-face {
-    font-family: 'Roboto';
-    font-style: normal;
-    font-weight: 400;
-    src: local('Roboto Light'), local('Roboto-Light'), url('./fonts/Roboto-Light.ttf') format('ttf'),
-        url('./fonts/Roboto-Light.woff') format('woff'), url('./fonts/Roboto-Light.woff2') format('woff2');
-    unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+2000-206F, U+2074, U+20AC,
-        U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
-}
+@import url(https://fonts.googleapis.com/css?family=Roboto:300);
 
 html {
   box-sizing: border-box;
@@ -124,7 +88,7 @@ html {
 }
 
 .form button:active {
-  background: #2384a3;
+  background: #2384a3; 
 }
 
 .form .message {

internal/web/testdata/TestHTMLRenderer/external_template_happy_path/golden.file

@@ -1,10 +1,32 @@
 external template
 WebBasePath: testBasePath;
 
-Langs:
-ru-RU;q=1,ru;q=0.9,en-US;q=0.8,en;q=0.7,
+Title:
+
+CSRFToken: testCSRFToken;
+Challenge: testChalenge;
+LoginURL: testLoginURL;
+IsInvalidCredentials: true;
+IsInternalError: true;
+
+Style:
+
+CSRFToken: testCSRFToken;
+Challenge: testChalenge;
+LoginURL: testLoginURL;
+IsInvalidCredentials: true;
+IsInternalError: true;
+
+Js:
+
+CSRFToken: testCSRFToken;
+Challenge: testChalenge;
+LoginURL: testLoginURL;
+IsInvalidCredentials: true;
+IsInternalError: true;
+
+Content:
 
-Data:
 CSRFToken: testCSRFToken;
 Challenge: testChalenge;
 LoginURL: testLoginURL;

internal/web/testdata/TestHTMLRenderer/external_template_happy_path/login.tmpl

@@ -1,13 +1,31 @@
-{{- define "main" }}external template
-WebBasePath: {{ .WebBasePath }};
+{{- define "title" }}
+CSRFToken: {{ .CSRFToken }};
+Challenge: {{ .Challenge }};
+LoginURL: {{ .LoginURL }};
+IsInvalidCredentials: {{ .IsInvalidCredentials }};
+IsInternalError: {{ .IsInternalError }};
+{{- end }}
 
-Langs:
-{{ range .LangPrefs }}{{ .Lang }};q={{ .Weight }},{{ end }}
+{{- define "style" }}
+CSRFToken: {{ .CSRFToken }};
+Challenge: {{ .Challenge }};
+LoginURL: {{ .LoginURL }};
+IsInvalidCredentials: {{ .IsInvalidCredentials }};
+IsInternalError: {{ .IsInternalError }};
+{{- end }}
 
-Data:
-CSRFToken: {{ .Data.CSRFToken }};
-Challenge: {{ .Data.Challenge }};
-LoginURL: {{ .Data.LoginURL }};
-IsInvalidCredentials: {{ .Data.IsInvalidCredentials }};
-IsInternalError: {{ .Data.IsInternalError }};
+{{- define "js" }}
+CSRFToken: {{ .CSRFToken }};
+Challenge: {{ .Challenge }};
+LoginURL: {{ .LoginURL }};
+IsInvalidCredentials: {{ .IsInvalidCredentials }};
+IsInternalError: {{ .IsInternalError }};
+{{- end }}
+
+{{- define "content" }}
+CSRFToken: {{ .CSRFToken }};
+Challenge: {{ .Challenge }};
+LoginURL: {{ .LoginURL }};
+IsInvalidCredentials: {{ .IsInvalidCredentials }};
+IsInternalError: {{ .IsInternalError }};
 {{- end }}

internal/web/testdata/TestHTMLRenderer/external_template_happy_path/main.tmpl

@@ -1,9 +1,6 @@
 {{- define "main" }}external template
 WebBasePath: {{ .WebBasePath }};
 
-Langs:
-{{ range .LangPrefs }}{{ .Lang }};q={{ .Weight }},{{ end }}
-
 Title:
 {{ block "title" .Data }}{{ end }}
 

internal/web/testdata/TestHTMLRenderer/internal_template_happy_path/golden.file

@@ -1,10 +1,32 @@
 internal template
 WebBasePath: testBasePath;
 
-Langs:
-ru-RU;q=1,ru;q=0.9,en-US;q=0.8,en;q=0.7,
+Title:
+
+CSRFToken: testCSRFToken;
+Challenge: testChalenge;
+LoginURL: testLoginURL;
+IsInvalidCredentials: true;
+IsInternalError: true;
+
+Style:
+
+CSRFToken: testCSRFToken;
+Challenge: testChalenge;
+LoginURL: testLoginURL;
+IsInvalidCredentials: true;
+IsInternalError: true;
+
+Js:
+
+CSRFToken: testCSRFToken;
+Challenge: testChalenge;
+LoginURL: testLoginURL;
+IsInvalidCredentials: true;
+IsInternalError: true;
+
+Content:
 
-Data:
 CSRFToken: testCSRFToken;
 Challenge: testChalenge;
 LoginURL: testLoginURL;

internal/web/testdata/TestHTMLRenderer/internal_template_happy_path/login.tmpl

@@ -1,13 +1,31 @@
-{{- define "main" }}internal template
-WebBasePath: {{ .WebBasePath }};
+{{- define "title" }}
+CSRFToken: {{ .CSRFToken }};
+Challenge: {{ .Challenge }};
+LoginURL: {{ .LoginURL }};
+IsInvalidCredentials: {{ .IsInvalidCredentials }};
+IsInternalError: {{ .IsInternalError }};
+{{- end }}
 
-Langs:
-{{ range .LangPrefs }}{{ .Lang }};q={{ .Weight }},{{ end }}
+{{- define "style" }}
+CSRFToken: {{ .CSRFToken }};
+Challenge: {{ .Challenge }};
+LoginURL: {{ .LoginURL }};
+IsInvalidCredentials: {{ .IsInvalidCredentials }};
+IsInternalError: {{ .IsInternalError }};
+{{- end }}
 
-Data:
-CSRFToken: {{ .Data.CSRFToken }};
-Challenge: {{ .Data.Challenge }};
-LoginURL: {{ .Data.LoginURL }};
-IsInvalidCredentials: {{ .Data.IsInvalidCredentials }};
-IsInternalError: {{ .Data.IsInternalError }};
+{{- define "js" }}
+CSRFToken: {{ .CSRFToken }};
+Challenge: {{ .Challenge }};
+LoginURL: {{ .LoginURL }};
+IsInvalidCredentials: {{ .IsInvalidCredentials }};
+IsInternalError: {{ .IsInternalError }};
+{{- end }}
+
+{{- define "content" }}
+CSRFToken: {{ .CSRFToken }};
+Challenge: {{ .Challenge }};
+LoginURL: {{ .LoginURL }};
+IsInvalidCredentials: {{ .IsInvalidCredentials }};
+IsInternalError: {{ .IsInternalError }};
 {{- end }}

internal/web/testdata/TestHTMLRenderer/internal_template_happy_path/main.tmpl

@@ -1,9 +1,6 @@
 {{- define "main" }}internal template
 WebBasePath: {{ .WebBasePath }};
 
-Langs:
-{{ range .LangPrefs }}{{ .Lang }};q={{ .Weight }},{{ end }}
-
 Title:
 {{ block "title" .Data }}{{ end }}
 

internal/web/testdata/TestHTMLRenderer/old_style_external_template_happy_path/golden.file

@@ -1,37 +0,0 @@
-external template
-WebBasePath: testBasePath;
-
-Langs:
-ru-RU;q=1,ru;q=0.9,en-US;q=0.8,en;q=0.7,
-
-Title:
-
-CSRFToken: testCSRFToken;
-Challenge: testChalenge;
-LoginURL: testLoginURL;
-IsInvalidCredentials: true;
-IsInternalError: true;
-
-Style:
-
-CSRFToken: testCSRFToken;
-Challenge: testChalenge;
-LoginURL: testLoginURL;
-IsInvalidCredentials: true;
-IsInternalError: true;
-
-Js:
-
-CSRFToken: testCSRFToken;
-Challenge: testChalenge;
-LoginURL: testLoginURL;
-IsInvalidCredentials: true;
-IsInternalError: true;
-
-Content:
-
-CSRFToken: testCSRFToken;
-Challenge: testChalenge;
-LoginURL: testLoginURL;
-IsInvalidCredentials: true;
-IsInternalError: true;

internal/web/testdata/TestHTMLRenderer/old_style_external_template_happy_path/login.tmpl

@@ -1,31 +0,0 @@
-{{- define "title" }}
-CSRFToken: {{ .CSRFToken }};
-Challenge: {{ .Challenge }};
-LoginURL: {{ .LoginURL }};
-IsInvalidCredentials: {{ .IsInvalidCredentials }};
-IsInternalError: {{ .IsInternalError }};
-{{- end }}
-
-{{- define "style" }}
-CSRFToken: {{ .CSRFToken }};
-Challenge: {{ .Challenge }};
-LoginURL: {{ .LoginURL }};
-IsInvalidCredentials: {{ .IsInvalidCredentials }};
-IsInternalError: {{ .IsInternalError }};
-{{- end }}
-
-{{- define "js" }}
-CSRFToken: {{ .CSRFToken }};
-Challenge: {{ .Challenge }};
-LoginURL: {{ .LoginURL }};
-IsInvalidCredentials: {{ .IsInvalidCredentials }};
-IsInternalError: {{ .IsInternalError }};
-{{- end }}
-
-{{- define "content" }}
-CSRFToken: {{ .CSRFToken }};
-Challenge: {{ .Challenge }};
-LoginURL: {{ .LoginURL }};
-IsInvalidCredentials: {{ .IsInvalidCredentials }};
-IsInternalError: {{ .IsInternalError }};
-{{- end }}

internal/web/testdata/TestHTMLRenderer/old_style_internal_template_happy_path/golden.file

@@ -1,37 +0,0 @@
-internal template
-WebBasePath: testBasePath;
-
-Langs:
-ru-RU;q=1,ru;q=0.9,en-US;q=0.8,en;q=0.7,
-
-Title:
-
-CSRFToken: testCSRFToken;
-Challenge: testChalenge;
-LoginURL: testLoginURL;
-IsInvalidCredentials: true;
-IsInternalError: true;
-
-Style:
-
-CSRFToken: testCSRFToken;
-Challenge: testChalenge;
-LoginURL: testLoginURL;
-IsInvalidCredentials: true;
-IsInternalError: true;
-
-Js:
-
-CSRFToken: testCSRFToken;
-Challenge: testChalenge;
-LoginURL: testLoginURL;
-IsInvalidCredentials: true;
-IsInternalError: true;
-
-Content:
-
-CSRFToken: testCSRFToken;
-Challenge: testChalenge;
-LoginURL: testLoginURL;
-IsInvalidCredentials: true;
-IsInternalError: true;

internal/web/testdata/TestHTMLRenderer/old_style_internal_template_happy_path/login.tmpl

@@ -1,31 +0,0 @@
-{{- define "title" }}
-CSRFToken: {{ .CSRFToken }};
-Challenge: {{ .Challenge }};
-LoginURL: {{ .LoginURL }};
-IsInvalidCredentials: {{ .IsInvalidCredentials }};
-IsInternalError: {{ .IsInternalError }};
-{{- end }}
-
-{{- define "style" }}
-CSRFToken: {{ .CSRFToken }};
-Challenge: {{ .Challenge }};
-LoginURL: {{ .LoginURL }};
-IsInvalidCredentials: {{ .IsInvalidCredentials }};
-IsInternalError: {{ .IsInternalError }};
-{{- end }}
-
-{{- define "js" }}
-CSRFToken: {{ .CSRFToken }};
-Challenge: {{ .Challenge }};
-LoginURL: {{ .LoginURL }};
-IsInvalidCredentials: {{ .IsInvalidCredentials }};
-IsInternalError: {{ .IsInternalError }};
-{{- end }}
-
-{{- define "content" }}
-CSRFToken: {{ .CSRFToken }};
-Challenge: {{ .Challenge }};
-LoginURL: {{ .LoginURL }};
-IsInvalidCredentials: {{ .IsInvalidCredentials }};
-IsInternalError: {{ .IsInternalError }};
-{{- end }}

internal/web/web.go

@@ -22,7 +22,6 @@ import (
 	assetfs "github.com/elazarl/go-bindata-assetfs"
 	"github.com/i-core/routegroup"
 	"github.com/pkg/errors"
-	"golang.org/x/text/language"
 )
 
 // The file systems provide templates and their resources that are stored in the application's internal assets.
@@ -75,14 +74,8 @@ func NewHTMLRenderer(cnf Config) (*HTMLRenderer, error) {
 	return &HTMLRenderer{Config: cnf, mainTmpl: mainTmpl, fs: fs}, nil
 }
 
-type langPref struct {
-	Lang   string
-	Weight float32
-}
-
 // RenderTemplate renders a HTML page from a template with the specified name using the specified data.
-func (r *HTMLRenderer) RenderTemplate(w http.ResponseWriter, req *http.Request, name string, data interface{}) error {
-	// Read and parse the requested template.
+func (r *HTMLRenderer) RenderTemplate(w http.ResponseWriter, name string, data interface{}) error {
 	f, err := r.fs.Open(name)
 	if err != nil {
 		if v, ok := err.(*os.PathError); ok {
@@ -96,56 +89,20 @@ func (r *HTMLRenderer) RenderTemplate(w http.ResponseWriter, req *http.Request,
 	if err != nil {
 		return fmt.Errorf("failed to read template %q: %s", name, err)
 	}
-	root, err := template.New("main").Parse(string(b))
+	t, err := r.mainTmpl.Clone()
+	if err != nil {
+		return errors.Wrapf(err, "failed to clone the main template for template %q: %s", name, err)
+	}
+	t, err = t.Parse(string(b))
 	if err != nil {
 		return errors.Wrapf(err, "failed to parse template %q: %s", name, err)
 	}
 
-	// The old-style template of a web page showed itself as not flexible.
-	// It was changed with a new template that allows overriding the whole page.
-	// The old-style template left for backward compatibility
-	// and will be deprecated in the future major release.
-	if isOldStyleUserTemplate(root) {
-		var wrapper *template.Template
-		wrapper, err = r.mainTmpl.Clone()
-		if err != nil {
-			return errors.Wrapf(err, "failed to clone the main template for template %q: %s", name, err)
-		}
-		root, err = root.AddParseTree("main", wrapper.Tree)
-		if err != nil {
-			return errors.Wrapf(err, "failed to create the main template for template %q: %s", name, err)
-		}
-	}
-
-	// Prepare template data.
-	basePath := r.BasePath
-	if basePath == "" {
-		basePath = "/"
-	}
-
-	var langPrefs []langPref
-	if acceptLang := req.Header.Get(http.CanonicalHeaderKey("Accept-Language")); acceptLang != "" {
-		var tags []language.Tag
-		var weights []float32
-		tags, weights, err = language.ParseAcceptLanguage(acceptLang)
-		if err != nil {
-			return errors.Wrapf(err, "failed to parse the header \"Accept-Language\": %s", err)
-		}
-		for i, tag := range tags {
-			langPrefs = append(langPrefs, langPref{Lang: tag.String(), Weight: weights[i]})
-		}
-	} else {
-		langPrefs = []langPref{{Lang: "en", Weight: 1}}
-	}
-
-	tmplData := map[string]interface{}{"WebBasePath": basePath, "LangPrefs": langPrefs, "Data": data}
-
-	// Render the template.
 	var (
 		buf bytes.Buffer
 		bw  = bufio.NewWriter(&buf)
 	)
-	if err = root.Execute(bw, tmplData); err != nil {
+	if err = t.Execute(bw, map[string]interface{}{"WebBasePath": r.BasePath, "Data": data}); err != nil {
 		return err
 	}
 	if err = bw.Flush(); err != nil {
@@ -154,38 +111,16 @@ func (r *HTMLRenderer) RenderTemplate(w http.ResponseWriter, req *http.Request,
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	_, err = buf.WriteTo(w)
 	return err
-}
 
-// Returns true if a template is the old-style template.
-//
-// A template is considered as the old-style template
-// if it contains four blocks for customizing the page title,
-// styles, markup, and scripts.
-//
-// See https://github.com/i-core/werther/issues/11.
-func isOldStyleUserTemplate(root *template.Template) bool {
-	var tmpls []string
-	for _, tmpl := range root.Templates() {
-		tmpls = append(tmpls, tmpl.Name())
-	}
-	contains := func(arr []string, tgt string) bool {
-		for _, item := range arr {
-			if item == tgt {
-				return true
-			}
-		}
-		return false
-	}
-	return contains(tmpls, "title") && contains(tmpls, "style") && contains(tmpls, "js") && contains(tmpls, "content")
 }
 
 var mainT = `{{ define "main" }}
 <!DOCTYPE html>
-<html lang="{{ (index .LangPrefs 0).Lang }}">
+<html>
 	<head>
 		<meta name="viewport" content="width=device-width, initial-scale=1">
 		<title>{{ block "title" .Data }}{{ end }}</title>
-		<base href="{{ .WebBasePath }}">
+		<base href={{ .WebBasePath }}>
 		{{ block "style" .Data }}{{ end }}
 	</head>
 	<body>

internal/web/web_test.go

@@ -60,64 +60,23 @@ func TestHTMLRenderer(t *testing.T) {
 				"IsInternalError":      true,
 			},
 		},
-
-		{
-			name:    "old style internal template not found",
-			wantErr: fmt.Errorf(`the template "login.tmpl" does not exist`),
-		},
-		{
-			name:     "old style internal template happy path",
-			basePath: "testBasePath",
-			data: map[string]interface{}{
-				"CSRFToken":            "testCSRFToken",
-				"Challenge":            "testChalenge",
-				"LoginURL":             "testLoginURL",
-				"IsInvalidCredentials": true,
-				"IsInternalError":      true,
-			},
-		},
-		{
-			name:    "old style external template not found",
-			ext:     true,
-			wantErr: fmt.Errorf(`the template "login.tmpl" does not exist`),
-		},
-		{
-			name:     "old style external template happy path",
-			ext:      true,
-			basePath: "testBasePath",
-			data: map[string]interface{}{
-				"CSRFToken":            "testCSRFToken",
-				"Challenge":            "testChalenge",
-				"LoginURL":             "testLoginURL",
-				"IsInvalidCredentials": true,
-				"IsInternalError":      true,
-			},
-		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			tstDir := path.Join("testdata", t.Name())
 
+			// Read the main template.
 			var originMainT = mainT
 			defer func() { mainT = originMainT }()
-
-			// Read the main template if it is exist.
-			fpath := path.Join(tstDir, "main.tmpl")
-			stat, err := os.Stat(fpath)
-			if err != nil && !os.IsNotExist(err) {
+			f, err := os.Open(path.Join(tstDir, "main.tmpl"))
+			if err != nil {
 				t.Fatalf("failed to open main template: %s", err)
 			}
-			if stat != nil {
-				var f *os.File
-				if f, err = os.Open(fpath); err != nil {
-					t.Fatalf("failed to open main template: %s", err)
-				}
-				var fc []byte
-				if fc, err = ioutil.ReadAll(f); err != nil {
-					t.Fatalf("failed to read main template: %s", err)
-				}
-				mainT = string(fc)
+			fc, err := ioutil.ReadAll(f)
+			if err != nil {
+				t.Fatalf("failed to read main template: %s", err)
 			}
+			mainT = string(fc)
 
 			// Create the template renderer.
 			cnf := Config{BasePath: tc.basePath}
@@ -134,9 +93,7 @@ func TestHTMLRenderer(t *testing.T) {
 			}
 
 			rr := httptest.NewRecorder()
-			req := httptest.NewRequest(http.MethodGet, "http://localhost", nil)
-			req.Header.Set(http.CanonicalHeaderKey("Accept-Language"), "ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7")
-			err = r.RenderTemplate(rr, req, "login.tmpl", tc.data)
+			err = r.RenderTemplate(rr, "login.tmpl", tc.data)
 
 			if tc.wantErr != nil {
 				if err == nil {
@@ -150,11 +107,11 @@ func TestHTMLRenderer(t *testing.T) {
 			if err != nil {
 				t.Fatalf("\ngot error\n\t%s\nwant no errors", err)
 			}
-			f, err := os.Open(path.Join(tstDir, "golden.file"))
+			f, err = os.Open(path.Join(tstDir, "golden.file"))
 			if err != nil {
 				t.Fatalf("failed to open golden file: %s", err)
 			}
-			fc, err := ioutil.ReadAll(f)
+			fc, err = ioutil.ReadAll(f)
 			if err != nil {
 				t.Fatalf("failed to read golden file: %s", err)
 			}

misc/packaging/nfpm.yml

@@ -1,22 +0,0 @@
-name: "hydra-werther"
-arch: "amd64"
-platform: "linux"
-version: "${PACKAGE_VERSION}"
-section: "default"
-priority: "extra"
-maintainer: "Cadoles <contact@cadoles.com>"
-description: |
-  PostgreSQL automated backup scripts
-vendor: "Cadoles"
-homepage: "https://forge.cadoles.com/Cadoles/postgres-backup"
-license: "AGPL-3.0"
-version_schema: none
-contents:
-  - src: bin/werther_linux_amd64
-    dst: /usr/bin/hydra-werther
-  - src: conf/hydra-werther.conf
-    dst: /etc/hydra-werther/hydra-werther.conf
-  - src: misc/packaging/systemd/hydra-werther.service
-    dst: /usr/lib/systemd/system/hydra-werther.service
-
-    

misc/packaging/systemd/hydra-werther.service

@@ -1,12 +0,0 @@
-[Unit]
-Description=Run Hydra Werther login/consent/logout app
-After=network-online.target
-
-[Service]
-Type=simple
-EnvironmentFile=/etc/hydra-werther/hydra-werther.conf
-ExecStart=/usr/bin/hydra-werther
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target

misc/script/build

@@ -1,21 +0,0 @@
-#!/bin/bash
-
-set -e
-
-DISTS=${DISTS:-linux/386 linux/amd64 windows/amd64 darwin/amd64}
-
-for dist in $DISTS
-do
-    os=`echo $dist | cut -d'/' -f1`
-    arch=`echo $dist | cut -d'/' -f2`
-    
-    env GOOS=$os GOARCH=$arch go build -o bin/werther_${os}_${arch} -ldflags "-w -s -X main.version=$(git describe --tags)" ./cmd/werther
-    
-    if [[ "$os" = "windows" ]]; then
-        zip -r bin/werther_${os}_${arch}.zip bin/werther_${os}_${arch}
-    else
-        tar cvzf bin/werther_${os}_${arch}.tar.gz bin/werther_${os}_${arch}
-    fi
-done
-
-(cd bin && sha256sum *.{tar.gz,zip} > werther_checksums.txt || exit 0)