guichet/login.go

package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"strings"

	garage "git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"
	"github.com/go-ldap/ldap/v3"
)

var (
	ErrNotAuthenticatedSession = fmt.Errorf("User has no session")
	ErrNotAuthenticatedBasic   = fmt.Errorf("User has not sent Authentication Basic information")
	ErrNotAuthenticated        = fmt.Errorf("User is not authenticated")
	ErrWrongLDAPCredentials    = fmt.Errorf("LDAP credentials are wrong")
	ErrLDAPServerUnreachable   = fmt.Errorf("Unable to open the LDAP server")
	ErrLDAPSearchInternalError = fmt.Errorf("LDAP Search of this user failed with an internal error")
	ErrLDAPSearchNotFound      = fmt.Errorf("User is authenticated but its associated data can not be found during search")
)

// --- Login Info ---
type LoginInfo struct {
	Username string
	Password string
}

func NewLoginInfoFromSession(r *http.Request) (*LoginInfo, error) {
	session, err := store.Get(r, SESSION_NAME)
	if err == nil {
		username, ok_user := session.Values["login_username"]
		password, ok_pwd := session.Values["login_password"]

		if ok_user && ok_pwd {
			loginInfo := &LoginInfo{
				Username: username.(string),
				Password: password.(string),
			}
			return loginInfo, nil
		}
	}

	return nil, errors.Join(ErrNotAuthenticatedSession, err)
}

func NewLoginInfoFromBasicAuth(r *http.Request) (*LoginInfo, error) {
	username, password, ok := r.BasicAuth()
	if ok {
		login_info := &LoginInfo{
			Username: username,
			Password: password,
		}

		return login_info, nil
	}
	return nil, ErrNotAuthenticatedBasic
}

func (li *LoginInfo) DN() string {
	user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, li.Username, config.UserBaseDN)
	if strings.EqualFold(li.Username, config.AdminAccount) {
		user_dn = li.Username
	}

	return user_dn
}

// --- Login Status ---
type LoginStatus struct {
	Info *LoginInfo
	conn *ldap.Conn
}

func NewLoginStatus(r *http.Request, login_info *LoginInfo) (*LoginStatus, error) {
	l, err := NewLdapCon()
	if err != nil {
		return nil, err
	}

	err = l.Bind(login_info.DN(), login_info.Password)
	if err != nil {
		return nil, errors.Join(ErrWrongLDAPCredentials, err)
	}

	loginStatus := &LoginStatus{
		Info: login_info,
		conn: l,
	}
	return loginStatus, nil
}

func NewLdapCon() (*ldap.Conn, error) {
	l, err := ldap.DialURL(config.LdapServerAddr)
	if err != nil {
		return nil, errors.Join(ErrLDAPServerUnreachable, err)
	}

	if config.LdapTLS {
		err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
		if err != nil {
			return nil, errors.Join(ErrLDAPServerUnreachable, err)
		}
	}

	return l, nil
}

// --- Capabilities ---
type Capabilities struct {
	CanAdmin  bool
	CanInvite bool
}

func NewCapabilities(login *LoginStatus, entry *ldap.Entry) *Capabilities {
	// Initialize
	canAdmin := false
	canInvite := false

	// Special case for the "admin" account that is de-facto admin
	canAdmin = strings.EqualFold(login.Info.DN(), config.AdminAccount)

	// Check if this account is part of a group that give capabilities
	for _, attr := range entry.Attributes {
		if strings.EqualFold(attr.Name, "memberof") {
			for _, group := range attr.Values {
				if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {
					canInvite = true
				}
				if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {
					canAdmin = true
				}
			}
		}
	}

	return &Capabilities{
		CanAdmin:  canAdmin,
		CanInvite: canInvite,
	}
}

// --- Logged User ---
type LoggedUser struct {
	Login        *LoginStatus
	Entry        *ldap.Entry
	Capabilities *Capabilities
	Quota        *UserQuota
	s3key        *garage.KeyInfo
}

func NewLoggedUser(login *LoginStatus) (*LoggedUser, error) {
	requestKind := "(objectClass=organizationalPerson)"
	if strings.EqualFold(login.Info.DN(), config.AdminAccount) {
		requestKind = "(objectclass=*)"
	}

	searchRequest := ldap.NewSearchRequest(
		login.Info.DN(),
		ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
		requestKind,
		[]string{
			"dn",
			"displayname",
			"givenname",
			"sn",
			"mail",
			"memberof",
			"description",
			"garage_s3_access_key",
			FIELD_NAME_DIRECTORY_VISIBILITY,
			FIELD_NAME_PROFILE_PICTURE,
			FIELD_QUOTA_WEBSITE_SIZE_BURSTED,
			FIELD_QUOTA_WEBSITE_COUNT,
		},
		nil)

	sr, err := login.conn.Search(searchRequest)
	if err != nil {
		return nil, ErrLDAPSearchInternalError
	}

	if len(sr.Entries) != 1 {
		return nil, ErrLDAPSearchNotFound
	}
	entry := sr.Entries[0]

	lu := &LoggedUser{
		Login:        login,
		Entry:        entry,
		Capabilities: NewCapabilities(login, entry),
		Quota:        NewUserQuotaFromEntry(entry),
	}
	return lu, nil
}
func (lu *LoggedUser) WelcomeName() string {
	ret := lu.Entry.GetAttributeValue("givenname")
	if ret == "" {
		ret = lu.Entry.GetAttributeValue("displayname")
	}
	if ret == "" {
		ret = lu.Login.Info.Username
	}
	return ret
}
func (lu *LoggedUser) S3KeyInfo() (*garage.KeyInfo, error) {
	var err error
	var keyPair *garage.KeyInfo

	if lu.s3key == nil {
		keyID := lu.Entry.GetAttributeValue("garage_s3_access_key")
		if keyID == "" {
			// If there is no S3Key in LDAP, generate it...
			keyPair, err = grgCreateKey(lu.Login.Info.Username)
			if err != nil {
				return nil, err
			}
			modify_request := ldap.NewModifyRequest(lu.Login.Info.DN(), nil)
			modify_request.Replace("garage_s3_access_key", []string{*keyPair.AccessKeyId})
			// @FIXME compatibility feature for bagage (SFTP+webdav)
			// you can remove it once bagage will be updated to fetch the key from garage directly
			// or when bottin will be able to dynamically fetch it.
			modify_request.Replace("garage_s3_secret_key", []string{*keyPair.SecretAccessKey})
			err = lu.Login.conn.Modify(modify_request)
			if err != nil {
				return nil, err
			}
		} else {
			// There is an S3 key in LDAP, fetch its descriptor...
			keyPair, err = grgGetKey(keyID)
			if err != nil {
				return nil, err
			}
		}

		// Cache the keypair...
		lu.s3key = keyPair
	}

	return lu.s3key, nil
}

// --- Require User Check
func RequireUser(r *http.Request) (*LoggedUser, error) {
	var login_info *LoginInfo

	if li, err := NewLoginInfoFromSession(r); err == nil {
		login_info = li
	} else if li, err := NewLoginInfoFromBasicAuth(r); err == nil {
		login_info = li
	} else {
		return nil, ErrNotAuthenticated
	}

	loginStatus, err := NewLoginStatus(r, login_info)
	if err != nil {
		return nil, err
	}

	return NewLoggedUser(loginStatus)
}

func RequireUserHtml(w http.ResponseWriter, r *http.Request) *LoggedUser {
	user, err := RequireUser(r)

	if errors.Is(err, ErrNotAuthenticated) || errors.Is(err, ErrWrongLDAPCredentials) {
		http.Redirect(w, r, "/login", http.StatusFound)
		return nil
	}

	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return nil
	}

	return user
}

func RequireUserApi(w http.ResponseWriter, r *http.Request) *LoggedUser {
	user, err := RequireUser(r)

	if errors.Is(err, ErrNotAuthenticated) || errors.Is(err, ErrWrongLDAPCredentials) {
		http.Error(w, err.Error(), http.StatusUnauthorized)
		return nil
	}

	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return nil
	}

	return user
}
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`package main`

			`import (`
			`"crypto/tls"`
			`"errors"`
			`"fmt"`
			`"net/http"`
			`"strings"`

			`garage "git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"`
			`"github.com/go-ldap/ldap/v3"`
			`)`

			`var (`
			`ErrNotAuthenticatedSession = fmt.Errorf("User has no session")`
format 2023-09-26 06:40:41 +00:00			`ErrNotAuthenticatedBasic = fmt.Errorf("User has not sent Authentication Basic information")`
			`ErrNotAuthenticated = fmt.Errorf("User is not authenticated")`
			`ErrWrongLDAPCredentials = fmt.Errorf("LDAP credentials are wrong")`
			`ErrLDAPServerUnreachable = fmt.Errorf("Unable to open the LDAP server")`
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`ErrLDAPSearchInternalError = fmt.Errorf("LDAP Search of this user failed with an internal error")`
format 2023-09-26 06:40:41 +00:00			`ErrLDAPSearchNotFound = fmt.Errorf("User is authenticated but its associated data can not be found during search")`
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`)`

			`// --- Login Info ---`
			`type LoginInfo struct {`
			`Username string`
			`Password string`
			`}`

			`func NewLoginInfoFromSession(r http.Request) (LoginInfo, error) {`
			`session, err := store.Get(r, SESSION_NAME)`
			`if err == nil {`
			`username, ok_user := session.Values["login_username"]`
			`password, ok_pwd := session.Values["login_password"]`

			`if ok_user && ok_pwd {`
			`loginInfo := &LoginInfo{`
			`Username: username.(string),`
			`Password: password.(string),`
			`}`
			`return loginInfo, nil`
			`}`
			`}`

			`return nil, errors.Join(ErrNotAuthenticatedSession, err)`
			`}`

			`func NewLoginInfoFromBasicAuth(r http.Request) (LoginInfo, error) {`
			`username, password, ok := r.BasicAuth()`
			`if ok {`
format 2023-09-26 06:40:41 +00:00			`login_info := &LoginInfo{`
			`Username: username,`
			`Password: password,`
			`}`
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00
			`return login_info, nil`
			`}`
			`return nil, ErrNotAuthenticatedBasic`
			`}`

			`func (li *LoginInfo) DN() string {`
			`user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, li.Username, config.UserBaseDN)`
			`if strings.EqualFold(li.Username, config.AdminAccount) {`
			`user_dn = li.Username`
			`}`

			`return user_dn`
			`}`

			`// --- Login Status ---`
			`type LoginStatus struct {`
format 2023-09-26 06:40:41 +00:00			`Info *LoginInfo`
			`conn *ldap.Conn`
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`}`

			`func NewLoginStatus(r http.Request, login_info LoginInfo) (*LoginStatus, error) {`
			`l, err := NewLdapCon()`
			`if err != nil {`
			`return nil, err`
			`}`

			`err = l.Bind(login_info.DN(), login_info.Password)`
			`if err != nil {`
			`return nil, errors.Join(ErrWrongLDAPCredentials, err)`
			`}`

			`loginStatus := &LoginStatus{`
			`Info: login_info,`
			`conn: l,`
			`}`
			`return loginStatus, nil`
			`}`

			`func NewLdapCon() (*ldap.Conn, error) {`
			`l, err := ldap.DialURL(config.LdapServerAddr)`
			`if err != nil {`
			`return nil, errors.Join(ErrLDAPServerUnreachable, err)`
			`}`

			`if config.LdapTLS {`
			`err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})`
			`if err != nil {`
			`return nil, errors.Join(ErrLDAPServerUnreachable, err)`
			`}`
			`}`

			`return l, nil`
			`}`

			`// --- Capabilities ---`
			`type Capabilities struct {`
format 2023-09-26 06:40:41 +00:00			`CanAdmin bool`
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`CanInvite bool`
			`}`
format 2023-09-26 06:40:41 +00:00
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`func NewCapabilities(login LoginStatus, entry ldap.Entry) *Capabilities {`
			`// Initialize`
format 2023-09-26 06:40:41 +00:00			`canAdmin := false`
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`canInvite := false`

			`// Special case for the "admin" account that is de-facto admin`
			`canAdmin = strings.EqualFold(login.Info.DN(), config.AdminAccount)`

			`// Check if this account is part of a group that give capabilities`
			`for _, attr := range entry.Attributes {`
			`if strings.EqualFold(attr.Name, "memberof") {`
			`for _, group := range attr.Values {`
			`if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {`
			`canInvite = true`
			`}`
			`if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {`
			`canAdmin = true`
			`}`
			`}`
			`}`
			`}`

			`return &Capabilities{`
format 2023-09-26 06:40:41 +00:00			`CanAdmin: canAdmin,`
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`CanInvite: canInvite,`
			`}`
			`}`

			`// --- Logged User ---`
			`type LoggedUser struct {`
format 2023-09-26 06:40:41 +00:00			`Login *LoginStatus`
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`Entry *ldap.Entry`
			`Capabilities *Capabilities`
format 2023-09-26 06:40:41 +00:00			`Quota *UserQuota`
			`s3key *garage.KeyInfo`
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`}`
format 2023-09-26 06:40:41 +00:00
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`func NewLoggedUser(login LoginStatus) (LoggedUser, error) {`
			`requestKind := "(objectClass=organizationalPerson)"`
			`if strings.EqualFold(login.Info.DN(), config.AdminAccount) {`
			`requestKind = "(objectclass=*)"`
			`}`

			`searchRequest := ldap.NewSearchRequest(`
			`login.Info.DN(),`
			`ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,`
			`requestKind,`
			`[]string{`
			`"dn",`
			`"displayname",`
			`"givenname",`
			`"sn",`
			`"mail",`
			`"memberof",`
			`"description",`
			`"garage_s3_access_key",`
			`FIELD_NAME_DIRECTORY_VISIBILITY,`
			`FIELD_NAME_PROFILE_PICTURE,`
			`FIELD_QUOTA_WEBSITE_SIZE_BURSTED,`
			`FIELD_QUOTA_WEBSITE_COUNT,`
			`},`
			`nil)`

			`sr, err := login.conn.Search(searchRequest)`
			`if err != nil {`
			`return nil, ErrLDAPSearchInternalError`
			`}`

			`if len(sr.Entries) != 1 {`
			`return nil, ErrLDAPSearchNotFound`
			`}`
			`entry := sr.Entries[0]`

format 2023-09-26 06:40:41 +00:00			`lu := &LoggedUser{`
			`Login: login,`
			`Entry: entry,`
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`Capabilities: NewCapabilities(login, entry),`
format 2023-09-26 06:40:41 +00:00			`Quota: NewUserQuotaFromEntry(entry),`
WIP refactor (broken templates) 2023-09-25 13:35:54 +00:00			`}`
			`return lu, nil`
			`}`
			`func (lu *LoggedUser) WelcomeName() string {`
			`ret := lu.Entry.GetAttributeValue("givenname")`
			`if ret == "" {`
			`ret = lu.Entry.GetAttributeValue("displayname")`
			`}`
			`if ret == "" {`
			`ret = lu.Login.Info.Username`
			`}`
			`return ret`
			`}`
			`func (lu LoggedUser) S3KeyInfo() (garage.KeyInfo, error) {`
			`var err error`
			`var keyPair *garage.KeyInfo`

			`if lu.s3key == nil {`
			`keyID := lu.Entry.GetAttributeValue("garage_s3_access_key")`
			`if keyID == "" {`
			`// If there is no S3Key in LDAP, generate it...`
			`keyPair, err = grgCreateKey(lu.Login.Info.Username)`
			`if err != nil {`
			`return nil, err`
			`}`
			`modify_request := ldap.NewModifyRequest(lu.Login.Info.DN(), nil)`
			`modify_request.Replace("garage_s3_access_key", []string{*keyPair.AccessKeyId})`
			`// @FIXME compatibility feature for bagage (SFTP+webdav)`
			`// you can remove it once bagage will be updated to fetch the key from garage directly`
			`// or when bottin will be able to dynamically fetch it.`
			`modify_request.Replace("garage_s3_secret_key", []string{*keyPair.SecretAccessKey})`
			`err = lu.Login.conn.Modify(modify_request)`
			`if err != nil {`
			`return nil, err`
			`}`
			`} else {`
			`// There is an S3 key in LDAP, fetch its descriptor...`
			`keyPair, err = grgGetKey(keyID)`
			`if err != nil {`
			`return nil, err`
			`}`
			`}`

			`// Cache the keypair...`
			`lu.s3key = keyPair`
			`}`

			`return lu.s3key, nil`
			`}`

			`// --- Require User Check`
			`func RequireUser(r http.Request) (LoggedUser, error) {`
			`var login_info *LoginInfo`

			`if li, err := NewLoginInfoFromSession(r); err == nil {`
			`login_info = li`
			`} else if li, err := NewLoginInfoFromBasicAuth(r); err == nil {`
			`login_info = li`
			`} else {`
			`return nil, ErrNotAuthenticated`
			`}`

			`loginStatus, err := NewLoginStatus(r, login_info)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return NewLoggedUser(loginStatus)`
			`}`

			`func RequireUserHtml(w http.ResponseWriter, r http.Request) LoggedUser {`
			`user, err := RequireUser(r)`

			`if errors.Is(err, ErrNotAuthenticated) \|\| errors.Is(err, ErrWrongLDAPCredentials) {`
			`http.Redirect(w, r, "/login", http.StatusFound)`
			`return nil`
			`}`

			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return nil`
			`}`

			`return user`
			`}`

			`func RequireUserApi(w http.ResponseWriter, r http.Request) LoggedUser {`
			`user, err := RequireUser(r)`

			`if errors.Is(err, ErrNotAuthenticated) \|\| errors.Is(err, ErrWrongLDAPCredentials) {`
			`http.Error(w, err.Error(), http.StatusUnauthorized)`
			`return nil`
			`}`

			`if err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return nil`
			`}`

			`return user`
			`}`