From 3fbbe61a460b8d5415b61de505b4ac1ab8692b25 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Wed, 12 Feb 2020 00:13:24 +0100
Subject: [PATCH] Refactor is_admin check

---
 admin.go | 16 ++--------------
 guichet.hcl.example | 2 +-
 main.go | 40 +++++++++++++++++++---------------------
 templates/home.html | 4 ++--
 4 files changed, 24 insertions(+), 38 deletions(-)

diff --git a/admin.go b/admin.go
index ccfbe31..b480507 100644
--- a/admin.go
+++ b/admin.go
@@ -18,20 +18,8 @@ func checkAdminLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
 return nil
 }
 
- can_admin := (login.Info.DN == config.AdminAccount)
- fmt.Printf("%#v", login.UserEntry)
- for _, attr := range login.UserEntry.Attributes {
- if strings.EqualFold(attr.Name, "memberof") {
- for _, group := range attr.Values {
- if config.GroupCanAdmin != "" && group == config.GroupCanAdmin {
- can_admin = true
- }
- }
- }
- }
-
- if !can_admin {
- http.Redirect(w, r, "/", http.StatusFound)
+ if !login.CanAdmin {
+ http.Error(w, "Not authorized to perform administrative operations.", http.StatusUnauthorized)
 return nil
 }
 
diff --git a/guichet.hcl.example b/guichet.hcl.example
index e2f1791..7c702ae 100644
--- a/guichet.hcl.example
+++ b/guichet.hcl.example
@@ -12,7 +12,7 @@ job "guichet" {
 task "server" {
 driver = "docker"
 config {
- image = "lxpz/guichet_amd64:3"
+ image = "lxpz/guichet_amd64:4"
 readonly_rootfs = true
 port_map {
 web_port = 9991
diff --git a/main.go b/main.go
index 574ea21..da59552 100644
--- a/main.go
+++ b/main.go
@@ -136,6 +136,8 @@ type LoginStatus struct {
 Info *LoginInfo
 conn *ldap.Conn
 UserEntry *ldap.Entry
+ CanAdmin bool
+ CanInvite bool
 }
 
 func logRequest(handler http.Handler) http.Handler {
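Review bot: The rejection in the added `http.Error(...)` line of the admin.go hunk answers with `http.StatusUnauthorized`, but at that point the request carries a valid login (checkLogin already returned a LoginStatus) and merely lacks the admin right, which is a 403: `http.Error(w, "Not authorized to perform administrative operations.", http.StatusForbidden)`. A 401 tells clients their credentials are missing or invalid and is expected to be accompanied by a WWW-Authenticate header, so any monitoring that keys on status codes would misclassify these denials. The removed lines were the only visible uses of `fmt` and `strings` in this hunk; the import block of admin.go is outside it, so check that each package still has a user or the file will no longer compile. checkAdminLogin's body continues before and after the hunk.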
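Review bot: The two exported fields added to LoginStatus, `CanAdmin bool` and `CanInvite bool`, carry no doc comment, and since admin.go and the home template now gate on them a reader needs to know where they are derived and what they mean. Suggest `// CanAdmin is set by checkLogin: true when the bound DN is config.AdminAccount or the entry's memberof lists config.GroupCanAdmin.` and `// CanInvite is set by checkLogin: true when the entry's memberof lists config.GroupCanInvite.` The LoginStatus declaration begins outside the hunk.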
@@ -195,7 +197,7 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
 }
 
 requestKind := "(objectClass=organizationalPerson)"
- if login_info.DN == config.AdminAccount {
+ if strings.EqualFold(login_info.DN, config.AdminAccount) {
 requestKind = "(objectclass=*)"
 }
 searchRequest := ldap.NewSearchRequest(
@@ -218,6 +220,21 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
 
 loginStatus.UserEntry = sr.Entries[0]
 
+ loginStatus.CanAdmin = strings.EqualFold(loginStatus.Info.DN, config.AdminAccount)
+ loginStatus.CanInvite = false
+ for _, attr := range loginStatus.UserEntry.Attributes {
+ if strings.EqualFold(attr.Name, "memberof") {
+ for _, group := range attr.Values {
+ if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {
+ loginStatus.CanInvite = true
+ }
+ if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {
+ loginStatus.CanAdmin = true
+ }
+ }
+ }
+ }
+
 return loginStatus
 }
 
@@ -244,8 +261,6 @@ func ldapOpen(w http.ResponseWriter) *ldap.Conn {
 type HomePageData struct {
 Login *LoginStatus
 WelcomeName string
- CanAdmin bool
- CanInvite bool
 BaseDN string
 }
 
@@ -257,25 +272,8 @@ func handleHome(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- can_admin := (login.Info.DN == config.AdminAccount)
- can_invite := false
- for _, attr := range login.UserEntry.Attributes {
- if strings.EqualFold(attr.Name, "memberof") {
- for _, group := range attr.Values {
- if config.GroupCanInvite != "" && group == config.GroupCanInvite {
- can_invite = true
- }
- if config.GroupCanAdmin != "" && group == config.GroupCanAdmin {
- can_admin = true
- }
- }
- }
- }
-
 data := &HomePageData{
 Login: login,
- CanAdmin: can_admin,
- CanInvite: can_invite,
 BaseDN: config.BaseDN,
 WelcomeName: login.UserEntry.GetAttributeValue("givenname"),
 }
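Review bot: The admin-account test `strings.EqualFold(login_info.DN, config.AdminAccount)` added here is repeated verbatim in the `loginStatus.CanAdmin = ...` line of the `@@ -218,6 +220,21 @@` hunk and, on `username`, in the `@@ -326,7 +324,7 @@` hunk; one helper, `func isAdminAccount(dn string) bool { return strings.EqualFold(dn, config.AdminAccount) }`, would keep the comparison semantics in a single place. That matters because the same comparison now decides both the search scope (`(objectclass=*)`) and the CanAdmin flag, and EqualFold is full Unicode case folding rather than the DN matching the directory itself applies (whitespace around RDN separators, for instance, still compares unequal), so if it is later tightened it should change everywhere at once. checkLogin's body starts and ends outside this hunk.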
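Review bot: The fifteen lines added in the `@@ -218,6 +220,21 @@` hunk compute CanAdmin and CanInvite inline, so checkLogin now performs the LDAP bind, the search and the authorization decision in one body; a small helper with its own doc comment reads better and can be unit-tested with a hand-built `*ldap.Entry`. The `loginStatus.CanInvite = false` assignment is redundant (the zero value is already false), and a `continue` on non-memberof attributes removes one level of the four-deep nesting. The helper's comment should also state that group rights depend on the directory exposing a `memberof` attribute on the user entry; where it is absent the group grants silently never apply, which is the safe direction but worth writing down. checkLogin begins outside this hunk.
```go
	loginStatus.UserEntry = sr.Entries[0]
	loginStatus.CanAdmin, loginStatus.CanInvite = rightsFor(loginStatus.Info.DN, loginStatus.UserEntry)

	return loginStatus
}

// rightsFor derives the admin and invite rights of a logged-in user: the
// configured AdminAccount is always an admin, and membership of GroupCanAdmin
// or GroupCanInvite (read from the entry's memberof attribute, which the
// directory must expose) grants the corresponding right. Empty group settings
// grant nothing.
func rightsFor(dn string, entry *ldap.Entry) (canAdmin, canInvite bool) {
	canAdmin = strings.EqualFold(dn, config.AdminAccount)
	for _, attr := range entry.Attributes {
		if !strings.EqualFold(attr.Name, "memberof") {
			continue
		}
		for _, group := range attr.Values {
			if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {
				canInvite = true
			}
			if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {
				canAdmin = true
			}
		}
	}
	return canAdmin, canInvite
}
```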
@@ -326,7 +324,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {
 username := strings.Join(r.Form["username"], "")
 password := strings.Join(r.Form["password"], "")
 user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, username, config.UserBaseDN)
- if username == config.AdminAccount {
+ if strings.EqualFold(username, config.AdminAccount) {
 user_dn = username
 }
 
diff --git a/templates/home.html b/templates/home.html
index 9a9773a..7f227e6 100644
--- a/templates/home.html
+++ b/templates/home.html
@@ -16,13 +16,13 @@
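Review bot: The non-admin path still builds the bind DN from the raw form field in the context line `user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, username, config.UserBaseDN)` with no RFC 4514 escaping, so separator characters in the submitted username become part of the DN structure instead of the attribute value, and this commit's change to the adjacent `if` leaves that as it was. Validating `username` against the character set the configured UserNameAttr actually allows, or escaping it as a DN attribute value before the Sprintf, would make the identity handed to the bind unambiguous. The bind that consumes user_dn happens later in handleLogin, outside this hunk.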
Modifier mon profil Modifier mon mot de passe - {{if .CanInvite}} + {{if .Login.CanInvite}} Inviter quelqu'un {{end}}
-{{if .CanAdmin}} +{{if .Login.CanAdmin}}
Administration