feat: initial commit

2023-11-15 20:38:25 +01:00
commit e199fe3d26
67 changed files with 4152 additions and 0 deletions
--- a/internal/route/hydra/consent.go
+++ b/internal/route/hydra/consent.go
@ -0,0 +1,50 @@
+package hydra
+
+import (
+	"net/http"
+
+	"forge.cadoles.com/wpetit/hydra-webauthn/internal/hydra"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/middleware/container"
+)
+
+func serveConsentPage(w http.ResponseWriter, r *http.Request) {
+	ctn := container.Must(r.Context())
+	hydr := hydra.Must(ctn)
+
+	challenge, err := hydr.ConsentChallenge(r)
+	if err != nil {
+		if err == hydra.ErrChallengeNotFound {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+
+			return
+		}
+
+		panic(errors.Wrap(err, "could not retrieve consent challenge"))
+	}
+
+	consentRes, err := hydr.ConsentRequest(challenge)
+	if err != nil {
+		panic(errors.Wrap(err, "could not retrieve hydra consent response"))
+	}
+
+	userAttributes, ok := consentRes.Context["userAttributes"].(map[string]any)
+	if !ok {
+		userAttributes = make(map[string]any)
+	}
+
+	acceptConsentReq := &hydra.AcceptConsentRequest{
+		GrantScope:               consentRes.RequestedScope,
+		GrantAccessTokenAudience: consentRes.RequestedAccessTokenAudience,
+		Session: hydra.AcceptConsentSession{
+			IDToken: userAttributes,
+		},
+	}
+
+	acceptRes, err := hydr.AcceptConsentRequest(challenge, acceptConsentReq)
+	if err != nil {
+		panic(errors.Wrap(err, "could not accept hydra consent request"))
+	}
+
+	http.Redirect(w, r, acceptRes.RedirectTo, http.StatusTemporaryRedirect)
+}
--- a/internal/route/hydra/login.go
+++ b/internal/route/hydra/login.go
@ -0,0 +1,272 @@
+package hydra
+
+import (
+	"encoding/base64"
+	"encoding/gob"
+	"encoding/json"
+	"net/http"
+
+	"forge.cadoles.com/wpetit/hydra-webauthn/internal/config"
+	"forge.cadoles.com/wpetit/hydra-webauthn/internal/hydra"
+	"forge.cadoles.com/wpetit/hydra-webauthn/internal/route/common"
+	"forge.cadoles.com/wpetit/hydra-webauthn/internal/storage"
+	"forge.cadoles.com/wpetit/hydra-webauthn/internal/webauthn"
+	"github.com/getsentry/sentry-go"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/gorilla/csrf"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+	"gitlab.com/wpetit/goweb/middleware/container"
+	"gitlab.com/wpetit/goweb/service/session"
+	"gitlab.com/wpetit/goweb/service/template"
+)
+
+func init() {
+	gob.Register(&webauthn.SessionData{})
+}
+
+func serveLoginPage(w http.ResponseWriter, r *http.Request) {
+	ctn := container.Must(r.Context())
+	hydr := hydra.Must(ctn)
+
+	challenge, err := hydr.LoginChallenge(r)
+	if err != nil {
+		if errors.Is(err, hydra.ErrChallengeNotFound) {
+			err := common.RenderErrorPage(
+				w, r,
+				http.StatusBadRequest,
+				"Requête invalide",
+				"Certaines informations requises afin de réaliser votre requête sont absentes.",
+			)
+			if err != nil {
+				panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
+			}
+
+			return
+		}
+
+		panic(errors.Wrap(err, "could not retrieve login challenge"))
+	}
+
+	res, err := hydr.LoginRequest(challenge)
+	if err != nil {
+		panic(errors.Wrap(err, "could not retrieve hydra login response"))
+	}
+
+	if res.Skip {
+		accept := &hydra.AcceptLoginRequest{
+			Subject: res.Subject,
+			Context: map[string]interface{}{
+				"username": res.Subject,
+			},
+		}
+
+		res, err := hydr.AcceptLoginRequest(challenge, accept)
+		if err != nil {
+			panic(errors.Wrap(err, "could not retrieve hydra accept response"))
+		}
+
+		http.Redirect(w, r, res.RedirectTo, http.StatusSeeOther)
+
+		return
+	}
+
+	tmpl := template.Must(ctn)
+
+	data := common.ExtendTemplateData(w, r, template.Data{
+		csrf.TemplateTag:      csrf.TemplateField(r),
+		"LoginChallenge":      challenge,
+		"ClientName":          res.Client.ClientName,
+		"ClientURI":           res.Client.ClientURI,
+		"Username":            "",
+		"RememberMe":          "",
+		"CredentialAssertion": nil,
+	})
+
+	if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
+		panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
+	}
+}
+
+func handleLoginForm(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	ctn := container.Must(ctx)
+	tmpl := template.Must(ctn)
+	hydr := hydra.Must(ctn)
+	strg := storage.Must(ctn)
+	conf := config.Must(ctn)
+	wbth := webauthn.Must(ctn)
+	sesn := session.Must(ctn)
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+
+		return
+	}
+
+	challenge := r.Form.Get("challenge")
+
+	if challenge == "" {
+		err := common.RenderErrorPage(
+			w, r,
+			http.StatusBadRequest,
+			"Requête invalide",
+			"Certaines informations requises sont manquantes pour pouvoir réaliser votre requête.",
+		)
+		if err != nil {
+			panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
+		}
+
+		return
+	}
+
+	res, err := hydr.LoginRequest(challenge)
+	if err != nil {
+		panic(errors.Wrap(err, "could not retrieve hydra login response"))
+	}
+
+	username := r.Form.Get("username")
+	rememberMe := r.Form.Get("rememberme") == "on"
+
+	renderPage := func(assertionRequest *protocol.CredentialAssertion) {
+		data := common.ExtendTemplateData(w, r, template.Data{
+			csrf.TemplateTag:   csrf.TemplateField(r),
+			"LoginChallenge":   challenge,
+			"Username":         username,
+			"RememberMe":       rememberMe,
+			"AssertionRequest": assertionRequest,
+			"ClientName":       res.Client.ClientName,
+			"ClientURI":        res.Client.ClientURI,
+		})
+
+		if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
+			panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
+		}
+	}
+
+	sess, err := sesn.Get(w, r)
+	if err != nil {
+		panic(errors.Wrap(err, "could not retrieve session"))
+	}
+
+	renderFlashError := func(message string) {
+		sess.AddFlash(session.FlashError, message)
+
+		if err := sess.Save(w, r); err != nil {
+			panic(errors.Wrap(err, "could not save session"))
+		}
+
+		renderPage(nil)
+	}
+
+	user, err := strg.User().FindUserByUsername(ctx, username)
+	if err != nil {
+		if errors.Is(err, storage.ErrNotFound) {
+			renderFlashError("Impossible de trouver un compte associé à ce nom d'utilisateur.")
+
+			return
+		}
+
+		panic(errors.Wrap(err, "could not find user"))
+	}
+
+	if !r.Form.Has("assertion") {
+		if len(user.WebAuthnCredentials()) == 0 {
+			renderFlashError("Aucune clé n'est encore associée à ce compte. Contactez votre administrateur.")
+
+			return
+		}
+
+		assertionRequest, webAuthnSessionData, err := wbth.BeginLogin(user)
+		if err != nil {
+			panic(errors.Wrap(err, "could not begin webauthn login"))
+		}
+
+		sess.Set("webauthn", webAuthnSessionData)
+
+		if err := sess.Save(w, r); err != nil {
+			panic(errors.Wrap(err, "could not save session"))
+		}
+
+		renderPage(assertionRequest)
+
+		return
+	}
+
+	webAuthnSessionData, ok := sess.Get("webauthn").(*webauthn.SessionData)
+	if !ok {
+		panic(errors.New("could not retrieve webauthn session data"))
+	}
+
+	base64Assertion := r.Form.Get("assertion")
+	if base64Assertion == "" {
+		renderFlashError("Authentification échouée.")
+
+		return
+	}
+
+	rawAssertion, err := base64.RawURLEncoding.DecodeString(base64Assertion)
+	if err != nil {
+		logger.Error(ctx, "could not parse base64 encoded assertion", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+
+		return
+	}
+
+	var car protocol.CredentialAssertionResponse
+	if err := json.Unmarshal(rawAssertion, &car); err != nil {
+		logger.Error(ctx, "could not parse credential assertion response", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+
+		return
+	}
+
+	parsedResponse, err := car.Parse()
+	if err != nil {
+		logger.Error(ctx, "could not parse credential assertion response", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	if _, err := wbth.ValidateLogin(user, *webAuthnSessionData, parsedResponse); err != nil {
+		logger.Error(ctx, "could not authenticate user", logger.E(errors.WithStack(err)))
+		renderFlashError("Authentification échouée.")
+
+		return
+	}
+
+	rememberFor := conf.Session.DefaultDuration
+	if rememberMe {
+		rememberFor = conf.Session.RememberMeDuration
+	}
+
+	accept := &hydra.AcceptLoginRequest{
+		Subject:     user.Username,
+		Remember:    rememberMe,
+		RememberFor: rememberFor,
+		Context: map[string]any{
+			"userAttributes": user.Attributes,
+		},
+	}
+
+	loginRes, err := hydr.AcceptLoginRequest(challenge, accept)
+	if err != nil {
+		sentry.CaptureException(err)
+		logger.Error(ctx, "could not retrieve hydra accept response", logger.E(err))
+
+		err := common.RenderErrorPage(
+			w, r,
+			http.StatusBadRequest,
+			"Lien invalide",
+			"Le lien de connexion utilisé est invalide ou a expiré.",
+		)
+		if err != nil {
+			panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
+		}
+
+		return
+	}
+
+	http.Redirect(w, r, loginRes.RedirectTo, http.StatusSeeOther)
+}
--- a/internal/route/hydra/logout.go
+++ b/internal/route/hydra/logout.go
@ -0,0 +1,47 @@
+package hydra
+
+import (
+	"net/http"
+
+	"forge.cadoles.com/wpetit/hydra-webauthn/internal/hydra"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/middleware/container"
+	"gitlab.com/wpetit/goweb/service/session"
+)
+
+func serveLogoutPage(w http.ResponseWriter, r *http.Request) {
+	ctn := container.Must(r.Context())
+	hydr := hydra.Must(ctn)
+
+	challenge, err := hydr.LogoutChallenge(r)
+	if err != nil {
+		if errors.Is(err, hydra.ErrChallengeNotFound) {
+			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+
+			return
+		}
+
+		panic(errors.Wrap(err, "could not retrieve logout challenge"))
+	}
+
+	_, err = hydr.LogoutRequest(challenge)
+	if err != nil {
+		panic(errors.Wrap(err, "could not retrieve hydra logout response"))
+	}
+
+	acceptRes, err := hydr.AcceptLogoutRequest(challenge)
+	if err != nil {
+		panic(errors.Wrap(err, "could not retrieve hydra accept logout response"))
+	}
+
+	sess, err := session.Must(ctn).Get(w, r)
+	if err != nil {
+		panic(errors.Wrap(err, "could not retrieve session"))
+	}
+
+	if err := sess.Delete(w, r); err != nil {
+		panic(errors.Wrap(err, "could not delete session"))
+	}
+
+	http.Redirect(w, r, acceptRes.RedirectTo, http.StatusSeeOther)
+}
--- a/internal/route/hydra/mount.go
+++ b/internal/route/hydra/mount.go
@ -0,0 +1,34 @@
+package hydra
+
+import (
+	"forge.cadoles.com/wpetit/hydra-webauthn/internal/config"
+
+	"github.com/go-chi/chi"
+	"github.com/gorilla/csrf"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/session/gorilla"
+)
+
+func Mount(r *chi.Mux, config *config.Config) error {
+	csrfSecret, err := gorilla.GenerateRandomBytes(32)
+	if err != nil {
+		return errors.Wrap(err, "could not generate CSRF secret")
+	}
+
+	csrfMiddleware := csrf.Protect(
+		csrfSecret,
+		csrf.Secure(false),
+	)
+
+	r.Group(func(r chi.Router) {
+		r.Use(csrfMiddleware)
+		r.Get("/login", serveLoginPage)
+		r.Post("/login", handleLoginForm)
+		r.Get("/logout", serveLogoutPage)
+		r.Get("/consent", serveConsentPage)
+		r.Get("/register/{token}", serveRegisterPage)
+		r.Post("/register/{token}", handleRegisterForm)
+	})
+
+	return nil
+}
--- a/internal/route/hydra/register.go
+++ b/internal/route/hydra/register.go
@ -0,0 +1,171 @@
+package hydra
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+
+	"forge.cadoles.com/wpetit/hydra-webauthn/internal/route/common"
+	"forge.cadoles.com/wpetit/hydra-webauthn/internal/storage"
+	"forge.cadoles.com/wpetit/hydra-webauthn/internal/webauthn"
+	"github.com/go-chi/chi"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/gorilla/csrf"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+	"gitlab.com/wpetit/goweb/middleware/container"
+	"gitlab.com/wpetit/goweb/service/session"
+	"gitlab.com/wpetit/goweb/service/template"
+)
+
+func serveRegisterPage(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	ctn := container.Must(ctx)
+	tmpl := template.Must(ctn)
+	webAuthn := webauthn.Must(ctn)
+	session := session.Must(ctn)
+	storageSrv := storage.Must(ctn)
+
+	token := chi.URLParam(r, "token")
+	registrationLink, err := storageSrv.User().GetRegistrationLinkByToken(ctx, token)
+	if err != nil {
+		if errors.Is(err, storage.ErrNotFound) {
+			logger.Warn(ctx, "registration link not found", logger.E(errors.WithStack(err)))
+			http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
+
+			return
+		}
+
+		panic(errors.Wrap(err, "could not retrieve registration link"))
+	}
+
+	user, err := storageSrv.User().FindUserByID(ctx, registrationLink.UserID)
+	if err != nil {
+		if errors.Is(err, storage.ErrNotFound) {
+			logger.Warn(ctx, "user not found", logger.E(errors.WithStack(err)))
+			http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
+
+			return
+		}
+
+		panic(errors.Wrap(err, "could not retrieve user"))
+	}
+
+	webAuthnOptions, webAuthnSessionData, err := webAuthn.BeginRegistration(user)
+	if err != nil {
+		panic(errors.Wrap(err, "could not begin discoverable login"))
+	}
+
+	sess, err := session.Get(w, r)
+	if err != nil {
+		panic(errors.Wrap(err, "could not retrieve session"))
+	}
+
+	sess.Set("webauthn", webAuthnSessionData)
+
+	if err := sess.Save(w, r); err != nil {
+		panic(errors.Wrap(err, "could not save session"))
+	}
+
+	data := common.ExtendTemplateData(w, r, template.Data{
+		csrf.TemplateTag:  csrf.TemplateField(r),
+		"WebAuthnOptions": webAuthnOptions,
+		"Token":           registrationLink.Token,
+	})
+
+	if err := tmpl.RenderPage(w, "register.html.tmpl", data); err != nil {
+		panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
+	}
+}
+
+func handleRegisterForm(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	serviceContainer := container.Must(ctx)
+	webAuthnService := webauthn.Must(serviceContainer)
+	sessionService := session.Must(serviceContainer)
+	storageSrv := storage.Must(serviceContainer)
+
+	token := chi.URLParam(r, "token")
+	registrationLink, err := storageSrv.User().GetRegistrationLinkByToken(ctx, token)
+	if err != nil {
+		if errors.Is(err, storage.ErrNotFound) {
+			logger.Warn(ctx, "registration link not found", logger.E(errors.WithStack(err)))
+			http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
+
+			return
+		}
+
+		panic(errors.Wrap(err, "could not retrieve registration link"))
+	}
+
+	user, err := storageSrv.User().FindUserByID(ctx, registrationLink.UserID)
+	if err != nil {
+		if errors.Is(err, storage.ErrNotFound) {
+			logger.Warn(ctx, "user not found", logger.E(errors.WithStack(err)))
+			http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
+
+			return
+		}
+
+		panic(errors.Wrap(err, "could not retrieve user"))
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+
+		return
+	}
+
+	base64Credentials := r.Form.Get("credentials")
+
+	rawCredentials, err := base64.RawURLEncoding.DecodeString(base64Credentials)
+	if err != nil {
+		logger.Error(ctx, "could not parse base64 encoded credentials", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+
+		return
+	}
+
+	var ccr protocol.CredentialCreationResponse
+	if err := json.Unmarshal(rawCredentials, &ccr); err != nil {
+		logger.Error(ctx, "could not parse credential creation response", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+
+		return
+	}
+
+	parsedResponse, err := ccr.Parse()
+	if err != nil {
+		logger.Error(ctx, "could not parse credential creation response", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	sess, err := sessionService.Get(w, r)
+	if err != nil {
+		logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	webAuthnSessionData := sess.Get("webauthn").(*webauthn.SessionData)
+
+	credential, err := webAuthnService.CreateCredential(user, *webAuthnSessionData, parsedResponse)
+	if err != nil {
+		logger.Error(ctx, "could not create user credential", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	if _, err := storageSrv.User().AddUserCredential(ctx, user.ID, credential); err != nil {
+		logger.Error(ctx, "could not add credential", logger.E(errors.WithStack(err)))
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+		return
+	}
+
+	http.Redirect(w, r, "/registered", http.StatusSeeOther)
+}